MDCG 2020-4 Rev.0
Guidance on temporary extraordinary measures related to medical device Notified Body audits during COVID-19 quarantine orders and travel restrictions
Disclaimer: This document is an interactive version of the original MDCG document. We will keep it up-to-date.
This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.
1. Introduction
In the context of the current COVID-19 global outbreak as well as the rapid spread of the virus across various regions of the globe, the resulting travel and quarantine restrictions have significantly affected the ability of notified bodies to conduct mandatory on-site audits under the medical devices legislation. Therefore, in the interest of public health, this document has been developed to outline temporary extraordinary measures for notified bodies to follow in this interim period in order to allow continued availability of safe medical devices to the market and assist in the prevention of the risk of medical device shortages. In this context, it is considered that alternative solutions to carrying out on-site audits by notified bodies under the medical devices Directives (1) should be allowed under specific circumstances, including the possibility to perform remote audits under certain conditions.
This guidance takes immediate effect and is valid for the whole period of duration of the pandemic COVID-19 as declared by the World Health Organisation.
2. Scope
This guidance is intended to cover the following audits notified bodies are requested to carry out as part of medical devices conformity assessments:
- surveillance audits under the medical devices Directives,
- audits conducted for re-certification purposes under the medical devices Directives,
- in cases where a manufacturer submits a change notification to a notified body that would typically require on-site audit or verification,
- in cases where a manufacturer terminates (voluntarily or involuntarily) its contract with a notified body and enters into a contract with another notified body in respect of the conformity assessment of the same device(s).
Although this guidance applies to the medical device Directives only, for Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR) in the event that the availability of devices is affected by COVID-19 restrictions the principles in this guidance may apply.
The temporary extraordinary measures proposed in this guidance should not apply to unannounced audits, or, to special audits which require on-site assessment (such as the verification of implementation of specific corrective actions which can only be assesed on-site). This does not prevent the use of the alternative measures for these types of audits in cases where doubt has been raised on the conformity / safety of a device and it is not in the interest of public safety to wait until the end of the restrictions put in place due to the COVID-19 pandemic.
In general, initial certification audits or audits to extend the scope of certification under the Directives should not be performed using these temporary extraordinary measures. However, notified bodies may apply these extraordinary measures on a case-by-case basis for such audits in cases where devices are considered relevant to ensure medical care, especially if clinically necessary during the period of COVID-19 restrictions.
3. Proposed temporary alternative extraordinary measures and arrangements to on-site audits
Notified bodies may introduce temporary alternative extraordinary measures in place of on-site conformity assessment audits that have been impacted by COVID-19 restrictions and that are within the scope of section 2 above.
Notified bodies should have documented procedures detailing the alternative temporary measures to be utilised and should define the criteria for implementing such measures (e.g. procedure for “force majeure”). The relevant procedures should also take into account the technologies to be used during such audits and also address the impact of the alternative measures on the audit duration.
These temporary alternative extraordinary measures may include the following principles and arrangements:
- Postponement of on-site surveillance audits under the Directives in line with documented procedures of the notified body for force majeure.
- On-site audits may be replaced by remote audits using the most advanced available Information and Communication Technologies as appropriate in accordance with legislation on information security and data protection.
- Assessment of all relevant and required documents/records off-site by the notified body.
- To take into account existing recent results from MDSAP audits (or other appropriate audits) in lieu of Directive audits, where available
- To consider published international guidance such as those issued by the International Accreditation Forum (IAF) e.g. on how to use information and communication technologies (2) and for alternative auditing methods in extraordinary circumstances (3).
4. Eligibility criteria and procedural aspects
To be eligible for these temporary alternative extraordinary measures the audits must be covered within the scope of section 2 above.
The possibility to make use of temporary alternative extraordinary measures to on- site audits should be carefully assessed and documented by notified bodies on a case-by-case basis and performed using a risk-based approach. In particular, when determining the possibility to use these alternative measures, the risk assessment should take into account the experience gained with a manufacturer. For example, manufacturers who have a history of a high number and/or critical non-compliances related to production/operational control may have an impact on the appropriateness to conduct such temporary measures. However, in these cases an alternative measure could be performed as a temporary measure to assess the progress of the manufacturer and should be be supplemented by an on-site audit once travel restrictions are lifted.
In order to assess which alternative extraordinary measure (as outlined in section 3 above) is most appropriate, the notified body should review their files relating to the status and operations of the manufacturer related to the audit in question, for example the activities conducted at the site to be audited, its quality management system, and its level of compliance from previous audits. Following this review, a risk analysis should be made as to whether or not the audit could be performed with alternative measures. Where a postponement cannot be justified, the notified body should assess which alternative extraordinary measure should be performed (e.g. remote audit; off-site document review; conference calls with relevant personnel of the manufacturer).
For remote audits, both the notified body and the manufacturer must have the required information and communication technologies or tools available and established (e.g. web conferences with document sharing, use of web cams for audits of production lines). Confidentiality of intellectual property aspects shall be safeguarded. Notified bodies should clearly document and communicate any such requirements for their audits with their auditees, along with the required documentation to be shared before and within such audits, including the necessary data protection and cybersecurity measures. The technological capability of the manufacturer to ensure that such an audit can be accomplished should be verified by the notified body in advance of the audit.
Designating Authorities may request to observe/witness such remote audits via information and communication technologies or tools available and established.
When establishing the audit plan, the notified body should adjust the duration for review of the areas on the audit plan, along with the overall duration of the audit, in coordination with the manufacturer in order to make effective use of these alternative extraordinary measures. The audit plan should also clearly indicate which alternative extraordinary measures will be used and what will be conducted remotely. When issuing their audit reports the notified body should also clearly indicate that the audit was conducted remotely and the method(s) used for such audits should also be specified.
Remote surveillance audits should cover all of the surveillance tasks that can be verified remotely, including an off-site review of all documents that would normally be assessed on-site.
Following such an alternative extraordinary measure the notified body should review and adjust the audit programme for each manufacturer to ensure that all required elements are assessed during the certification cycle.
5. Decisions taken on certification
Remote audits undertaken for re-certification purposes should cover all of the mandatory re-certification tasks that can be verified remotely. Subsequent to a succcessful remote audit a notified body may re-issue the certification with the condition that such audits should be followed up by an on-site verification audit at the next available opportunity to verify the elements that could not be assessed remotely (the timeline for the on-site verification audit should be justified by the notified body).
At the request of the notified body, the manufacturer may provide the notified body with records (e.g. product release documentation) on an ongoing or regular basis,. If the re-certification remote audit is unsuccessful, the certification should be suspended or should expire as appropriate.
Remote audits conducted by the incoming notified body in the context of cases where a manufacturer terminates its contract with a notified body and enters into a contract with another notified body in respect of the conformity assessment of the same device(s), should also cover all of the tasks that can be verified remotely to allow the incoming notified body to ensure a proper assessment of the conformity of the device. If the remote audit is unsuccessful (as per the notified body’s procedures for unsuccessful audits), the incoming notified body should not issue the certification.
In the exceptional circumstance of the issuance of an initial or extended scope certificate under these alternative extraordinary measures (as per section 2 Scope above), the notified body should consider the clinical risk / benefit of their decision and should clearly document their rationale for these decisions. At the request of the designating authority the notified body should inform the national authority of any such decisions and provide any supporting documentation.
Note: A task force established in March 2020 under the MDCG NBO working group is tasked with the development of guidance to define the operational implementation details of this guidance document.
Footnotes
(1): Directive 90/385/EEC, the AIMDD; Directive 93/42/EEC, the MDD; Directive 98/79/EC, the IVDD.
(2): Requirements on how to use information and communication technologies to support and maintain the integrity of the audit/assessment process may be found in International Accreditation Forum document IAF MD 4 (Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing/Assessment Purposes).
(3): ID3:2011 (IAF Informative Document For Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations)