MDCG 2020-14 Rev.0
Guidance for notified bodies on the use of MDSAP audit reports in the context of surveillance audits carried out under the Medical Devices Regulation (MDR)/In Vitro Diagnostic medical devices Regulation (IVDR)
Disclaimer: This document is an interactive version of the original MDCG document. We will keep it up-to-date.
This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.
Background
In fulfilling the EU’s commitment to encourage notified bodies to make use of audit reports from the Medical Device Single Audit Program (MDSAP) in a manner that is compatible with EU legislative requirements, the Medical Device Coordination Group (MDCG) endorsed this guidance which has been developed by a group of experts comprised of interested Member State representatives, notified body associations and stakeholders.
Scope
The purpose of this document is to provide guidance to notified bodies on how to take into account MDSAP Medical Device Regulatory Audit Reports (1) (from hereafter “MDSAP audit reports”) issued by MDSAP auditing organisations (2) when performing surveillance audits under Regulation (EU) 2017/745 – Medical Devices Regulation (MDR) and Regulation (EU) 2017/746 – In Vitro Diagnostic medical devices Regulation (IVDR). This is of particular use when a manufacturer has undergone an MDSAP audit and wishes to present this audit report (including the associated attachments) in context of the regular surveillance audits performed in accordance to the MDR or IVDR.
General regulatory considerations
Under the MDR/IVDR, most conformity assessment procedures consist of both the quality management system audit and the assessment of a device’s safety and performance. Notified body’s conformity assessment activities, which are a prerequisite for the manufacturer’s declaration of conformity, when concluded successfully result in a conformity assessment certificate, a pre-market requirement for most classes of medical devices and IVDs. In that regard, notified bodies designated under the MDR/IVDR fulfil roles, which correspond to combined functions of both MDSAP auditing organisations and MDSAP participating regulatory authorities. (3) Therefore, the roles performed by notified bodies and MDSAP auditing organisations differ as the latter solely perform quality management system audits which are then utilised by regulatory authorities in their evaluation of a product’s safety and performance for the purpose of issuing a marketing authorisation.
Requirements of the MDR/IVDR
The MDR/IVDR clearly state that all manufacturers need to have a quality management system in place so as to ensure that devices manufactured in series are in conformity with the requirements of the respective regulation and that experience from the use of devices is taken into account in the production process (MDR Recital 32/IVDR Recital 31). This becomes an explicit requirement for manufacturers to establish, document, maintain, keep up to date and continually improve quality management systems so that to ensure compliance with the Regulations (MDR Article 10 (9)/IVDR Article 10(8)).
Notified bodies are charged with the assessment of quality management systems of devices in accordance with MDR Article 52 and IVDR Article 48. Specifically, notified bodies are responsible for auditing and certifying manufacturers’ quality management systems (MDR/IVDR Annexes IX and XI and Annex VII section 4.5 ), following up with appropriate surveillance audits (MDR/IVDR Annex IX section 3 and Annex VII section 4.5.1, 4.10) as well as conducting unannounced audits (MDR/IVDR Annex VII section 4.5.1). Notified bodies are also responsible for the development of their appropriate procedures for conformity assessments according to the MDR /IVDR.
The MDR/IVDR specifically state that notified bodies’ audit programmes should clearly identify the number and sequence of activities required to demonstrate complete coverage of a manufacturer’s quality management system (MDR/IVDR Annex VII 4.5.2) and that surveillance audits need to be carried out on at least an annual basis (MDR/IVDR Annex VII section 4.10 and Annex IX section 3.3). For each surveillance audit identified in the audit programme, the objectives, criteria and scope of the surveillance audit are defined in an audit plan which adequately addresses and takes into account specific requirements for the devices, technologies and processes involved (MDR/IVDR Annex VII section 4.5.2(a) – third bullet point). Surveillance audits are expected to gather sufficient information to verify the proper implementation of the quality management system and ensure that it continues to comply with the requirements of the MDR/IVDR.
When and how to take MDSAP audit reports into account
It is important to stress that the MDR/IVDR remain applicable in their entirety. The use of MDSAP audit reports within the EU legislative framework is possible only where the MDSAP audit covers similar or equivalent MDR/IVDR requirements. Designated notified bodies maintain the full authority over their judgement, conclusion and final decision about the conformity of quality management systems to the relevant provisions of the MDR/IVDR and the safety and performance of medical devices and IVDs intended to be placed on the market in the EU.
Given that surveillance audits, their periodicity and EU auditors’ competencies are mandated by law, yearly surveillance audits need to be maintained. However, it could be possible to take into account the scope and outputs of manufacturers’ recent MDSAP audit reports as an input for developing surveillance audit programmes. The taking into account of MDSAP audit reports could define in a more precise manner the activities to be performed during a surveillance audit. For example, the positive quality management system conformity appraisal through MDSAP might lead to a reduction of the focus on aspects already covered by MDSAP audit reports. The notified body may then focus their surveillance audit on specific MDR/IVDR requirements which are either not covered or only partially covered by the MDSAP audit report. Non-exhaustive list of examples (alphabetical order):
– clinical evaluation/performance evaluation process (including post-market clinical/performance follow-up),
– EU authorised representative contractual provisions,
– EU UDI assignments within the quality management system,
– manufacturer financial coverage in respect of potential liability,
– person responsible for regulatory compliance qualification and role,
– records control,
– system for risk management,
– vigilance and post market surveillance activities, including the associated corrective actions and preventive actions.
Similarly, non-conformities identified in recent MDSAP audit reports can trigger the notified body to pay particular attention to those aspects in the MDR/IVDR planned surveillance audit.
It is important to highlight the following details:
– The taking into account of MDSAP audit reports is not applicable to initial quality management system audits required for the issuing of EU QMS certificates. Notified bodies designated under the MDR/IVDR would always need to conduct these audits in their entirety.
– The taking into account of MDSAP audit reports is not applicable to MDR/IVDR unannounced audits.
– Reports of MDSAP unannounced audits or special audits should not be taken into account in the narrowing of focus in MDR/IVDR surveillance audits.
– Regular surveillance audits would still take place on a yearly basis. However, the positive QMS conformity appraisal through an MDSAP audit may lead to a limitation of the surveillance focus from aspects already covered by the MDSAP audit reports.
– When MDSAP audit reports are considered as input to the planning of an MDR/IVDR surveillance audit, these reports should be taken into account in their complete form, including all associated attachments. Both positive and negative statements about the conformity of the manufacturer should be incorporated in the planning of the MDR/IVDR audit.
If there is concern about the functioning of the quality management system, for instance due to information gathered through the assessment of vigilance cases or post market activities, previous surveillance audits or technical documentation assessments, a complete surveillance audit should be carried out.
Notified bodies may wish to determine and establish additional guidance in order to support their procedures for evaluating MDSAP audit reports. Such guidance could for example specify the content details of MDSAP audit reports considered acceptable (i.e. may be taken into consideration) in the notified body assessment programme and what modifications may be done to the notified body assessment programme after the taking into consideration of the MDSAP audit report (to ensure that any specific assessment items that are not covered in the MDSAP audit reports are performed by the notified body).
The notified body shall remain fully responsible for its decision, to whether or not, and to what extent, an MDSAP audit report can be taken into account.
The Annex to this guidance identifies and analyses aspects within MDSAP audit reports that are relevant in relation to the EU requirements. Part I focuses on providing an explanation of where to find relevant information in MDSAP audit reports that could be used to a greater or lesser extent as supporting evidence for MDR/IVDR quality management system requirements. Part II provides examples on how correlations between MDR requirements to sections of MDSAP audit reports may be established in the notified bodies’ additional guidance or procedures. Although the examples in Part II focus on MDR requirements, the same methodology could be applied for the IVDR.
Annex
Part I – Explanation of relevant information in MDSAP audit report
The following table shows where information with relevance for MDR/IVDR quality management system audits can be found in MDSAP audit reports and highlights specifics that should be understood by notified bodies when taking into account such information.
A comprehensive description of MDSAP audit report content can be found in MDSAP AU P0019 MDSAP Medical Device Regulatory Audit Reports and MDSAP AU G0019 Medical Device Regulatory Audit Report Form Guidelines (4)
Sections of MDSAP audit report | Relevant information |
|---|---|
Section 1 – Audit Information | Name of MDSAP auditing organisation, audit dates and duration, audit team |
Section 2 – Audited Facility | Audited facility name and address. In case of a multi-site audited organization, a separate audit report is generally required for each audited facility. This means, the audited facility described in Section 2 is not necessarily the manufacturer responsible for the overall product. Also see Section 4. |
Section 3 – Certification Schemes, Scopes & Criteria, Audit Types | Certification schemes with scope of certification, audit type and audit criteria. In some cases, a list of medical devices covered in the scope is attached to the audit report. The “CE marking” scheme may be referenced, but this is not mandatory. For unannounced audits, it is important to understand that they are commonly performed to verify effectiveness of corrective actions on non-conformities, and their content is not the same as that of unannounced audits under MDR/IVDR. |
Section 4 – Certification Holder and Multi-site Organization | Relationship between audited facilities and reference to other audited facilities included in the audit. Certification Holder is the main facility shown on the title page of the certificate. Campus is a group of facilities that can be described in one audit report by derogation from general requirement of separate audit reports for each facility. Related sites are other audited facilities that are described in separate audit reports. Corporate Information describes the use of multiple names and identities by the organization and its significant relationships of the manufacturer with related companies in the context of the audited QMS and its associated activities and devices. |
Section 5 – Audit Objectives | Additional audit objectives applying to schemes other than MDSAP may be included, but this is not mandatory. |
Section 6 – Audited Facility Description | Regulatory Roles of the audited facility are indicated separately for each MDSAP participating country. It may additionally include the roles in other countries, such as Europe, but this is not mandatory. Activities at the Audited Facility describe what is actually done at the audited site. Activities not included in the Scope of Certification are activities performed at the facility which are not required to be listed in the MDSAP certificate. |
Section 7 – Critical Suppliers | Critical suppliers of the audited facility that are relevant to the scope of audit, including products or services obtained from them and indication whether this audit extended to visit a supplier. Instead of a detailed description in this section, the list may be attached to the report. |
Section 8 – Audit History | Outcomes of previous audits that have been taken into consideration in preparation for this audit. |
Section 9 – Exclusion and Non-Applications of requirements in the QMS | Exclusion and non-application of ISO 13485 requirements in the QMS of the audited facility. |
Section 10 – Outcome of Pre-Audit Activities | Outcome of the preceding documentation review and/or stage 1 audit, if applicable. Instead of detailed description in this section, additional records may be attached to the report. |
Section 11 – Audit Findings | Sections 11.1-11.7 describe audit findings and evidence related to ISO 13485 and country-specific requirements. Please refer to MDSAP Audit Model and details of requirements (5) for more information. Section 11.7A is only included, if the critical suppliers were visited as part of the audit, to describe the audit findings made at the visited supplier locations. Section 11.8 may include findings according to schemes other than MDSAP, but this is not mandatory. |
Section 12 – Non-conformities | List of non-conformities, references to which are made in Section 11. Grade is a numeric classification of significance of non-conformity between 1 and 5 according to GHTF/SG3/N19:2012 – Quality Management System – Medical Devices – Non-conformity Grading System for Regulatory Purposes and Information Exchange |
Section 13 – Significant Deviations from the Audit Plan | Circumstances that lead to deviations from the audit plan and obstacles experienced by the audit team during the audit. |
Section 14 – Follow-up of Past Non- conformities | Results of audit team’s evaluation of effectiveness of actions taken in response to non-conformities identified in prior audits with the possible status Closed, Superseded of Left Open. A record with the details of this evaluation may be attached to the report. |
Section 15 – Summary of Major Changes to the Audited Facility | Summary description of major changes since previous audit, especially those changes not described in Section 11. |
Section 16 – Conclusions | Extensive conclusion of the audit, including the statement on the conformity of the QMS with the audit criteria and recommendations of the audit team. |
Section 17 – Attachments | List of records that are considered as part of the audit report, including those referenced in Section 6 (list of medical devices), Section 7 (list of critical suppliers), Section 10 (outcome of pre-audit activities), Section 11.2 (review of sampled technical documentation), Section 14 (updated non-conformity report relative to past non-conformities). |
Section 18 – Audit Report Approval | Date and signature of review and approval of the final audit report. |
Part II – Examples on how correlations between MDR requirements to sections of MDSAP audit reports may be established
The following examples of established correlations between MDR quality management system requirements and the MDSAP Audit Model show how certain overlapping requirements may be covered in MDSAP audit reports, and what specific MDR requirements are not covered. The references direct to MDSAP audit processes and tasks that overlap with MDR requirements and are linked to same or similar ISO 13485 requirements.
It is recommended that notified bodies develop more detailed guidance for determining the extent in which MDR/IVDR quality management system requirements correlate to those covered in MDSAP audit reports. Any such fully developed correlation should be revised in the event of a publication of changes to any basic criteria document including EN ISO 13485, MDSAP Audit Model and MDR/IVDR, or any document utilised to establish correlation, such as CEN/TR 17223 (6).
The examples provided in the below table cover only the following three blocks of MDR requirements: Clinical evaluation, Supplier controls, and Post-market surveillance.
MDR requirement | Sections of MDSAP audit report addressing this topic(s) | Particular MDR requirements not covered in an MDSAP audit |
|---|---|---|
Clinical evaluation MDR Article 10, paragraph 3 MDR Annex IX, Chapter I, 2.1, indents 10-11 MDR Annex XI, Part A, 6.1 indent 1 (7) | Section 11.5 – Design and Development, Task 11 | Specifics of Article 61 and Annex XIV Part A Clinical evaluation plan and procedures to keep up to date the clinical evaluation plan |
Supplier controls MDR Article 10, paragraph 9 (d) MDR Annex IX, Chapter I, 2.2 paragraph 2 b) indent 3 | Section 11.1 – Management, Task 5 Section 11.3 – Measurement, Analysis and Improvement, Tasks 2, 7, 13 Section 11.5 – Design and Development, Tasks 1, 7, 8, 16 Section 11.6 – Production and Service Controls, Tasks 7, 14, 19, 21, 22 Section 11.7 – Purchasing, all tasks | Annex II 3. (c) |
Post-market surveillance MDR Article 10, paragraph 10 MDR Annex IX, Chapter I, 2.1 indent 8-9 MDR Annex XI, Part A, 6.1 indent 1 (8) MDR Annex XI, Part B, 13 | Section 11.3 – Measurement, Analysis and Improvement, Task 12, 14, 15 Section 11.4 – Medical Device Adverse Events and Advisory Notices Reporting, Tasks 1, 2 | Specific requirements on the PMS system incl. PMS plan, PMS report, PSURs, and PMCF plan (Articles 83-86 and Part B of Annex XIV as well as obligations resulting from the provisions on vigilance (Articles 87 to 92) |
Footnotes
(1): MDSAP audits are recorded using the Medical Device Regulatory Audit Report form (MDSAP AU F0019.1). Final MDSAP audit reports are signed in section 18 of the form.
(2): Auditing Organization: An organization that audits a medical device manufacturer for conformity with quality management system requirements and other medical device regulatory requirements. Auditing Organizations may be an independent organization or a Regulatory Authority which perform regulatory audits. (IMDRF/MDSAP WG/N3 FINAL:2016)
(3): Regulatory Authority: A government body or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and that may take enforcement action to ensure that medical products marketed within its jurisdiction comply with legal requirements. (GHTF/SG1/N78:2012, cited from IMDRF/MDSAP WG/N3 FINAL:2016)
(4): Both documents are available in the “MDSAP Documents” / “MDSAP Audit Procedures and Forms” section of the MDSAP program homepage (https://www.fda.gov/medical-devices/cdrh-international-programs/medical-device-single-audit-program-mdsap, accessed on 2020-03-25).
(5): The MDSAP Audit Model can be found in the “MDSAP Documents” / “MDSAP Audit Procedures and Forms” section of the MDSAP program homepage (https://www.fda.gov/medical-devices/cdrh-international-programs/medical-device-single-audit-program-mdsap, accessed on 2020-03-25).
(6): CEN/TR 17223:2018 Guidance on the relationship between EN ISO 13485: 2016 (Medical devices – Quality management systems – Requirements for regulatory purposes) and European Medical Devices Regulation and In Vitro Diagnostic Medical Devices Regulation.
(7): MDR Annex XI, Part A, 6.1 indent 1 refers back to MDR Annex IX, Chapter I, 2.1
(8): MDR Annex XI, Part A, 6.1 indent 1 refers back to MDR Annex IX, Chapter I, 2.1