Planned or unannounced, audits can be a stressful experience for medical device developers. Since non-compliance can be costly and slow down important projects, it is completely understandable that many MedTech developers feel uneasy about regulatory audits. However, with the right preparation, you can break down the complicated process and even use audits as tools to help improve your business by staying compliant, holding suppliers to a high standard, managing risks effectively, and continuously improving the maturity of your organization and processes. Read on to learn more on how to make the medical software compliance process a smooth one for your company!
A medical device audit is the systematic and documented evaluation of products to determine if they are compliant with regulatory requirements and industry standards. Most of the time, an audit by a notified body is required to go to market with a medical device.
In order to examine a medical device, auditors will typically visit the physical premises of the organization in question and do a full tour of both business operations as well as the digital tools used to manage the product development process.
Medical device audits can be announced or unannounced, and are carried out by both governmental and private authorities (like clients, for example). It is extremely important to make sure you meticulously document the device development process — as well as all your compliance efforts — so that you can make the auditing process smoother for everyone involved.
The purpose of medical device audits is to ensure that you are compliant with relevant laws, regulations, and standards which outline the requirements for developing medical devices that are safe and effective.
In short, what medical device auditors need to check for medical device regulatory compliance is:
In the EU, it is the organization’s responsibility to select an official Notified Body to audit them and see if their work is up to standard. This Notified Body will come and audit the company on its premises and if everything is in order to affirm MedTech compliance, they will issue a certification so that the company can get a CE marking to go to market.
One of the most important standards they will check is your ISO 13485 compliance (which is related to having a Quality Management System and using it properly) but you may also need to be audited for ISO 14971 (for risk management), IEC 62366 (regarding usability), and IEC 62304 (which covers software development processes). It depends on the category of medical device that you are developing. Besides, of course, you'll need to comply with the EU Medical Device Regulation (MDR).
In the US (similarly to other areas of the world) it works a little bit differently than in the EU because audits are conducted by the government itself. The government agency in the US responsible for audits is the FDA, which actually calls them “inspections''. These inspections do lead to reported findings, but not in certification, unlike the EU Notified Body audits.
In practice, what the FDA inspections do is evaluate medical devices against the standards specified in FDA 21 CFR PART 820. In order to trigger the inspection, a company must apply to the FDA to market a new product, which then leads to pre-approval inspections, routine inspections, follow-up inspections, and ‘for cause’ inspections in case a problem is reported by an employee, customer, or manufacturer. If the FDA approves, then the product can go to market.
These are also known as “second or third party audits”, and are typically performed by parties that have some sort of official interest in the company in question. Third-party audits are conducted by organizations that are separate and independent from the company developing the medical device. This can be certifiers, notified bodies, or governmental authorities, and extends even to customer and supplier audits.
This type of audit is also sometimes called a “first party audit”. Internal audits are carried out by the company itself, either to contribute to compliance efforts or for management purposes. Self-evaluation in the form of internal audits is also a requirement common to the ISO 13485 in the EU and the FDA 21 CFR Part 820 in the US. In general, internal audits are a good idea anyway to make sure your processes, systems, and documents are in order, so that when an unexpected audit arises, you know you will perform as needed.
Nowadays, audits conducted by Notified Bodies in the EU are actually typically unannounced. This means that they can show up at any time without warning and you need to be ready to walk them through your premises, operations, and systems so they can deduce if you are compliant or not. Most of the time, they will be coming to check a specific product, rather than everything at once. Things they will look at include all your documents and records, how you’re using the QMS you state you are using, and how compliant you are with the law.
Similarly to the EU Notified Bodies, the FDA can show up unannounced for an inspection at any time, except if you are based outside of the US in which case they will warn you a couple of months in advance since they need to plan the trip.
CE marking is a requirement for any medical device to be sold on the European market. It is basically an administrative label of sorts, which confirms that the product in question meets the necessary EU standards for health, safety, and environmental protection. In order to get the CE marking, first you need to determine the risk classification of your device, and then select a Notified Body to handle your medical devices' regulatory submission and ensuing audits.
In the US, the premarket submission you need to be concerned with is the 510(k). This is made to the FDA to show that the device is as safe and effective as an already existing legally marketed device, as a basis for comparison. To get started, you need to choose the correct FDA regulatory pathway, request a pre-submission meeting with the FDA, and determine when your new device needs to be submitted for regulatory approval.
Preparation is key for saving time, effort, and costs when it comes to regulatory compliance processes. Medical device compliance standards can seem very complex and daunting, so here are our top suggestions for how to tackle audits with confidence:
Create a process for audits and make sure your whole team is informed, train them on how to properly use your QMS (whether it is paper-based or digital, everyone needs to be on the same page), and conduct mock audits in advance to practice.
It is really difficult to gain the transparency you need for your compliance efforts if you’re still struggling with a paper-based documentation system or an ordinary eQMS. An integrated end-to-end Application Lifecycle Management platform can help you connect all the dots and demonstrate compliance much more smoothly.
Rigorous risk management will definitely simplify your compliance efforts. Rather than leaving it till the end as an afterthought, incorporate it in your design process from the very beginning, to demonstrate both design qualifications and your commitment to safety and compliance.
Just like risk management, audits focus heavily on assessing your QA and testing processes to make sure they are adequate to ensure that your product is safe to go to market. In other words, don’t skimp on these!
Unlike traditional eQMS tools which only cover part of the development lifecycle, Codebeamer is an integrated platform that fully covers Requirements, Risk, and Test Management for medical device development. MedTech quality assurance and regulatory compliance are complex tasks, but with the right tooling you can simplify the process of demonstrating compliance with ISO 13485, IEC 82304-1, ISO 14971, IEC 60812, IEC 62304, ISO 60601, EU MDR, FDA Title 21 CFR & more.
Hanna Taller is a content creator for PTC’s ALM Marketing team. She is responsible for increasing brand awareness and driving thought leadership for Codebeamer. Hanna is passionate about creating insightful content centered around ALM, life sciences, automotive technology, and avionics.