EU underscores remote notified body audit policy amid pandemic

Dive Brief:

The European Commission's Medical Device Coordination Group has clarified its position on the use of remote audits by notified bodies during the pandemic, permitted in some contexts in April.
The latest document addresses questions that have since arisen, such as what MDCG meant by its requirement that notified bodies use the "most advanced" information and communication technologies for audits.
Groups including MedTech Europe have pressured the Commission to expand remote audits to the incoming regulations on medical devices and in vitro diagnostics. However, the new Q&A reiterates that the scope is limited to the directives and devices considered "clinically necessary" during the pandemic.

Dive Insight:

Travel restrictions imposed early in the pandemic stopped notified bodies from performing on-site audits at a time when they were working flat out to get the industry ready for MDR. In response to the situation, the Commission delayed the MDR date of application by a year and MDCG published guidance on remote audits. The guidance only applied to MDR and IVDR "in the event that the availability of devices is affected by COVID-19 restrictions."

On Wednesday, MDCG clarified and expanded on the approach it set out in April but left the scope of the original guidance unchanged. Notified bodies can perform remote audits under the directives in certain circumstances, as well as when the device involved is on a list of essential products drawn up by the Commission. That list includes ventilators and oxygen equipment.

MDCG refers to incoming regulations in passing in the Q&A, for example by stating that "in line with the postponement of the MDR date of application by one year, the scope of the aforementioned guidance covers certificates issued under the directives."

The Q&A states unannounced audits are outside of the scope of the April guidance but "from a risk-based approach, it is recognized that these audits may be postponed and that the recommendations in Article 2(c) and Annex III of Commission Recommendation 2013/473 may not be followed during the period of the pandemic." The referenced Commission document requires that notified bodies carry out unannounced audits "at least once every third year."

Elsewhere in the Q&A, MDCG addresses the specifics of how notified bodies should perform remote audits, including by expanding on its requirement for the "most advanced" technology to be used. The Q&A states technology must "at a minimum ensure effective communication with the necessary levels of security, integrity, confidentiality and data protection" and be agreed on by both parties. MDCG is advising notified bodies to test the system ahead of the audit date.

The limitations of communication technology emerged as a common problem in a survey of notified bodies that have performed remote audits. Most of the polled notified bodies had encountered poor network connection problems, although issues have become less frequent over time.

The Q&A covers other preparatory steps notified bodies should take. The coordination group is recommending notified bodies send requests for documents before the audit. Notified bodies should ensure document records provide "a discernible audit trail for quality management system audits."