Preparing for a Notified Body Medical Device Clinical Audit
Yes, there are unicorns out there who actually enjoy audits, but most medical device regulatory professionals endure them as part of the job. While preparing for an audit is less than fun, going through an audit for which you were unprepared elevates “unfun” to a whole new level. You can only hide under your desk (or remain off camera) for so long.
Of course, you know by now that MEDDEV 2.7/1 rev 4 and the EU Medical Device Regulation (MDR) significantly tightened the requirements for clinical evaluation reports (CERs). As companies get products certified to the EU MDR, Notified Bodies will begin conducting surveillance audits focused on your clinical data and processes. If you have not yet experienced such an audit focused on clinical processes, you will soon enough.
Areas Likely to Be Covered During Your Clinical Evaluation Audit
Your Notified Body will inform you of the scope of the audit, which commonly includes parts of:
- EN ISO 13485:2016
- EN ISO 14155:2020
- EU MDR 2017/745
- MEDDEV 2.1/1 rev 4
- MDCG Guidance Documents
The audit will focus primarily on your clinical-related processes under EU MDR and the ability of your team and quality management systems (QMSs) to support ongoing compliance. Here is a general overview of what areas you can expect your Notified Body to cover, although this will vary by Notified Body, device classification, and other factors.
Notified Body Clinical Audit Areas of Focus
An Overview of Management Responsibilities
Your Notified Body wants to know that your senior management team is fully aware of your clinical processes and that associated compliance with the EU MDR, ISO 14155, and ISO 13485 is being taken seriously. For starters, your auditor will want to review your quality policy, organizational chart, and management review documentation. You will probably be asked to produce copies of your internal audit plans and audit reports, a list of products along with their classification, and your clinical development plan. If you have had any communication with your Notified Body or Competent Authority since your previous audit, you will want to have that on hand as well.
Review of Personnel Involved in Various Clinical Processes
You may think that your Notified Body auditor will focus entirely on processes and data, but they really want to make sure that you have qualified personnel in place to execute your processes effectively. As such, they are likely to ask you for resumes / CVs of your clinical evaluation team, people involved in clinical investigations, medical writers, etc. They are probably also going to ask you for copies of the job descriptions for those people to make sure that their qualifications are well-suited for the job. You need to demonstrate that you have documented requirements for qualification, training, and authorization of the team members involved in these processes, including your Person Responsible for Regulatory Compliance (PRRC).
Examining the Interlinks Between Processes
Your auditor is not going to be very impressed with your well-articulated clinical procedures if they are not interlinked with risk management, postmarket surveillance (PMS), and other key areas of your QMS. This is a very important part of the audit and one that many companies underestimate. You can expect your auditor to take a close look at your Corrective and Preventive Actions (CAPA), risk and change management procedures, and interlinks with clinical aspects of your QMS, such as your quality plan, management review documentation, and internal audits. This examination may also look at your clinical data that are typically used for marketing your device and how you control the claims and updates of your instructions for use (IFU), website pages, sales tools, social media, etc.
Which Regulations, Standards, and Guidance Documents You Are Following
Beyond the MDR, you should prepare a detailed list of every standard, technical report, or Medical Device Coordination Group (MDCG) guidance document you are following for your auditor, plus any relevant country-specific clinical guidelines.
A Review of Supplier Management and Outsourced Services
Most likely, you do not do everything in-house and you involve outside contractors for a variety of clinical-related processes. This can involve anyone from your European Authorized Representative (if applicable) to a clinical research organization (CRO). Your auditor will want to see copies of your contractual agreements with these key suppliers and your requirements for selecting and qualifying them. You will also need to show proof that you perform a yearly evaluation of clinical suppliers, inclusive of any audits you have done of critical suppliers.
Going Deep into Your Clinical Evaluation Processes
As if you were not having enough fun yet, this is where the auditor will really start to peel back the onion and reveal the health of your clinical processes. You will likely be asked to detail the types of clinical evaluations you are performing and which products they cover. You will be asked to produce a wide variety of documents, including:
- Clinical Development Plan (CDP)
- Clinical Evaluation Plan (CEP)
- Clinical Investigation Plan (CIP)
- Clinical Evaluation Report (CER)
- Postmarket Surveillance Plan (PMSP)
- Postmarket Clinical Follow-Up Plan (PMCFP)
- Postmarket Clinical Follow-Up (PMCF) Studies
- Periodic Safety Update Report (PSUR)
- And so many more!
- Methodology and criteria for data appraisal and analysis
- Procedures for writing clinical evaluation reports along with your template
- Protocols for conducting literature reviews
- How you engage medical experts and the approval process and checklist
- How you determine when new clinical data are needed
- Procedures for filing data and archiving it
- And of course, how the data links to your risk management system, PMS, etc.
In addition, your auditor may want to see an overview of the data that are held by the company. The depth of clinical evidence requested by the auditor may depend on how long the product has been in the marketplace. Naturally, you can expect that a high-risk Class IIb or III device that is newer to the EU market will invite more scrutiny. As a general rule, if the documentation is related in any way to your clinical processes, make sure you have it available for inspection.
Examining Your Medical Device Clinical Investigations and PMCF
If applicable, your auditor will certainly want to examine your clinical studies and postmarket clinical follow-up reports involving human subjects. Be prepared to review your procedures and templates for study planning and design, study risk assessment, statistical analyses, data management, monitoring efforts, and adverse event reporting. Your study, submissions, and approvals will also be examined, along with your supplier management agreements and procedures. Once again, demonstrating the interlinks with your clinical evaluation, PMS, risk management, and other processes is vital.
You are not alone. As you can see, the amount of information and preparation needed for a clinical audit is intense. No doubt assembling all this information and making sure you have your ducks in a row will take weeks of preparation. If you are unsure whether your clinical processes will hold up to Notified Body scrutiny, our clinical consultants can perform a EU MDR Notified Body Preassessment Audit to identify and correct gaps. Contact us to learn more.