Understanding Notified Bodies
Notified bodies are organizations designated by EU member states to perform conformity assessments under MDR and IVDR. They evaluate the quality management systems (QMS) and technical documentation of manufacturers to ensure that medical devices meet the required standards for safety, performance, and reliability. Each notified body is listed in the European Commission's NANDO database and is assigned specific tasks based on their expertise and scope of designation.Types of Audits
Notified bodies conduct several types of audits to assess compliance with MDR/IVDR:- Initial Audits: These are performed before the CE marking is granted. They include a comprehensive evaluation of the manufacturer’s QMS and technical documentation.
- Surveillance Audits: Conducted periodically (at least once a year) to ensure ongoing compliance with the QMS and the post-market surveillance plan.
- Unannounced Audits: These audits are performed without prior notice to ensure continuous compliance and to verify that the QMS is effectively implemented at all times.
Key Areas of Focus
During the audits, notified bodies focus on several critical areas to ensure comprehensive assessment:
- Quality Management System (QMS): Verification of compliance with ISO 13485 and other relevant standards, ensuring that the QMS covers all aspects of product design, production, and post-market activities.
- Risk Management: Evaluation of the manufacturer's risk management processes, ensuring risks are identified, assessed, and mitigated according to ISO 14971.
- Technical Documentation: Detailed review of the technical file in accordance with Annex-I, II & III of EU MDR 2017/745 & EU IVDR 2017/746, including design dossiers, clinical evaluation reports, and performance data to ensure the device meets safety and performance requirements.
- Post-Market Surveillance: Assessment of the manufacturer’s post-market surveillance activities, including procedures for monitoring device performance, managing adverse events, and implementing field safety corrective actions.
- Clinical Evaluation: Examination of clinical data to verify that the device's clinical benefits outweigh any risks and that it performs as intended under normal conditions of use.
Hybrid audits in the context of legislative requirements
Notified bodies are required to undertake on-site audits of manufacturer’s QMS both as part of the initial audit and surveillance audits. In relation to the initial audit, Annex IX section 2.3 of MDR/IVDR states:The assessment procedure shall include an audit on the manufacturer's premises and, if appropriate, on the premises of the manufacturer's suppliers and/or subcontractors to verify the manufacturing and other relevant processes.
In relation to surveillance audits, Annex IX section 3.3 of MDR/IVDR states:
- Notified bodies shall periodically, at least once every 12 months, carry out appropriate audits and assessments to make sure that the manufacturer in question applies the approved quality management system and the post-market surveillance plan. Those audits and assessments shall include audits on the premises of the manufacturer and, if appropriate, of the manufacturer's suppliers and/or subcontractors.
- In accordance with these requirements, where quality management system audits to MDR/IVDR are performed using alternative methods based on ICT, at least a portion of these audits must be performed on-site to cover the manufacturing and other relevant processes, i.e. the audit must be a hybrid audit as defined in MDCG 2022-17:
- A ‘hybrid audit’ should be understood as an audit on the premises of the manufacturer or its supplier(s) and/or subcontractor(s) with at least one auditor present on the premises and other members of the audit team participating from elsewhere using information and communication technologies (ICT).
While some aspects of the manufacturer’s QMS can be effectively audited using ICT, certain aspects should be addressed in the on-site part of a hybrid audit.
Examples of areas that can be effectively audited by using ICT and areas to be audited in the on-site part of the audit include (but are not limited to) those listed in the following table.
The table has been established considering the audit subsystems listed in Annex VII Section 4.5.2 b) and the requirements of Article 10 (9) of MDR/IVDR, as well as Section 6.2 of GHTF/SG4/N30, and has been partially adjusted to be compatible with the audit processes of the MDSAP Audit Approach, which are included in the following table for information.
Audit subsystem |
Areas that can be effectively audited by using ICT: |
Areas to be included in the on-site part of the audit: |
Management, including pre- market requirements and product documentation MDSAP Audit Processes: · Management · Device Marketing Authorization and Facility Registration |
· Verification that QMS covers all parts and elements of a manufacturer’s organisation dealing with the quality of processes, procedures and devices · Responsibility of the management · Strategy for regulatory compliance · Identification of the applicable general safety and performance requirements and exploration of options to address them · Resource management, qualification and training of human resources · Handling communications with authorities, notified bodies, other operators, customers and or other stakeholders |
Verification of the existence of facility NOTE: The overall on-site part of the audit must, as relevant, verify evidence of product compliance, such as purchasing documents, production and inspection records |
Corrective and preventive actions, including for post- market surveillance and PMCF MDSAP Audit Processes: · Measurement, Analysis and Improvement · Medical Device Adverse Events and Advisory Notices Notification |
· Post market clinical follow-up · Implementation and maintenance of a post-market surveillance system · Processes for monitoring and measurement of output, data analysis and product improvement · Processes for reporting serious incidents and field safety corrective actions · Management of corrective and preventive actions |
- |
MDSAP Audit Process: · Design and development |
Design and development activities not involving on-site facilities (design transfer should be audited on-site if on-site testing facilities are involved) |
Design transfer to production/manufacture, if on-site testing facilities are involved in verification and validation |
Production and process controls MDSAP Audit Process: · Production and Service Controls |
Traceability and batch records Process for the UDI assignment |
Planning, product realisation, infrastructure, implementation of device modifications, work environment, warehouse/ storage facilities, equipment calibration, servicing In-process and final inspection |
Purchasing controls including verification of purchased devices MDSAP Audit Process: Purchasing |
Purchasing activities not involving on-site facilities, such as review of supplier files |
Incoming inspection/ verification of purchased products |
- facilities where no production activities physically occur that would require an auditor to be on-site to review them, e.g. facilities only producing software as medical device (SaMD), where production activities only utilise simple processes or all production activities are fully outsourced (“virtual manufacturer”), and no product is physically handled
- facilities where only administrative activities take place such as human resources management, purchasing or other management processes without physical product handling