The European Commission’s Medical Device Coordination Group (MDCG) has posted an update on its policy for remote audits, which offers an expansive use of remote audits during the COVID-19 pandemic. There are several potential issues with these audits, including problems with compatibility between the two parties’ IT systems and, perhaps needless to say, the reliability of internet connections.
The April 2020 MDCG memo for remote audits was immediately in effect and will remain in effect so long as the World Health Organization sustains its declaration of pandemic. MDCG said notified bodies (NBs) should document their procedures for justifying the selection of a remote audit in lieu of an on-site audit, but should also tailor the type of audit to the technologies available to conduct a given audit type.
The scope of the MDCG remote audit policy includes:
- Surveillance audits;
- Re-certification audits; and
- Audits for change notification when such changes would typically require on-site audit.
The NB must also take into account that site’s regulatory history before deciding whether a virtual audit is appropriate, but the NB and the owner of the manufacturing site will have to document a remote audit plan. That pre-audit plan will have to include several specifics, including provisions to protect intellectual property, the choice of technologies used for video conference calls, and the locations of webcams needed for live review of production processes.
The MDCG updated the April guidance in December 2020 with answers to a number of questions, and confirmed that a remote audit can be used to extend the scope of a certification, so long as the NB documents its justification for doing so. However, NBs must make a determination of appropriateness on a case-by-case basis, a stipulation that is also applied to audits of existing and new suppliers and contract manufacturers.
The MDCG policy still does not support the use of remote audits for unannounced audits, however, and does not apply for audits used to verify a site’s corrective actions taken to address the results of a prior audit. It might be noted that the European Commission’s standing policy is that unannounced audits should be undertaken every three years, more frequently in some instances. The December update also reiterates that the scope of the remote audit policy is “not limited to COVID-19 essential medical equipment.”
Test Run Advised Prior to Audit
The MDCG makes no recommendation regarding the technology used during remote audits, but does recommend the NB and the operator of the inspected site undertake a dry run to evaluate the reliability of both the internet connection and the software used for the audit. The IT staff responsible for setting up and monitoring the connection may have to be available at all times during the course of the audit, and the MDCG states that the NB and the manufacturer may want to draft a formal agreement regarding the use of personal data, images and recordings. Any such documents and recordings should be retained by the NB per the requirements that pertain to in-person audits.
The December update seems to address one of the key elements of any inspection or audit, the duration of the process. However, the MDCG offered little more insight into this question than to observe that the duration may be affected by the complexity of the audit and the technology used to conduct the audit. The auditing NB is liable for providing some justification for the audit duration, however.
FDA Pilot Underway When Pandemic Struck
Companies with products in the U.S. market may have had a head start on the use of remote audits, thanks to a program announced shortly before the onset of the pandemic by the FDA’s Center for Devices and Radiological Health (CDRH). The Jan. 13, 2020, notice by the CDRH advises that the scope of the pilot remote audit project is limited to a subset of audit processes under the Medical Device Single Audit Program (MDSAP).
The objective of this pilot was to evaluate the use of remote audits for the device marketing authorization/facility registration process under the MDSAP regime (MDSAP is administered by the International Medical Device Regulators Forum, or IMDRF). Under the terms of the 18-month pilot, the remote audit time cannot affect the overall audit time determination under the MDSAP inspection program, although any remote audits have to be conducted within the 10 days just prior to the commencement of a live inspection/audit.
CDRH subsequently assembled a pandemic-driven remote audit program as announced in several notifications, the most recent of which appears to be the Dec. 31, 2020, notice. This version of the agency’s remote audit program includes several different variations on the theme, starting with the remote “desktop audit” of the audited site’s documentation.
Other versions of a remote audit under the FDA program include:
- The standard remote audit, using information and communication technology (ICT);
- The hybrid audit, which combines the standard remote audit with an in-person MDSAP-qualified auditor who is on site “during a portion” of the remote audit; and
- The surrogate audit, essentially identical to the hybrid audit, with the exception that the on-site auditor is not qualified under the MDSAP program.
Unlike the pre-pandemic pilot, this audit framework requires that the in-person auditor’s time on site run concurrently with the remote portion of the audit. As is the case with the MDCG approach, the FDA recommends the auditing organization consider the facility’s regulatory history in selecting one or more of these virtual audit approaches. The auditor will have to retain all records so that any regulatory authority can review those documents on request.
CDRH said auditors need not necessarily be qualified to conduct ISO 13485 audits to take part in this program, assuming they are documented to possess an alternative and equivalent competence. However, the calculation of elapsed audit time is dependent on the functions served by the in-person audit: CDRH said that when the in-person auditor has to serve as the “eyes and ears” of the remote auditor, that in-person auditor’s time on site is not counted toward the total audit time. The exception in this case is when the eyes-and-ears time is within the scope of that in-person auditor’s qualified area of technical expertise.