IMDRF/MDSAP WG/N8 FINAL: 2015

IMDRF/MDSAP WG/N8 FINAL: 2015

FINAL DOCUMENT

International Medical Device Regulators Forum

Title: GuidanceforRegulatory Authority Assessors on the Method of Assessment for MDSAP Auditing Organizations

Authoring Group: IMDRF MDSAP Working Group

Date: 2 October2015

ToshiyoshiTominaga, IMDRF Chair

This document was produced by the International Medical Device RegulatorsForum. There are no restrictions on the reproduction or use of this document;however, incorporation of this document, in part or in whole, into anotherdocument, or its translation into languages other than English, does not convey orrepresent an endorsement of any kind by the International Medical DeviceRegulators Forum.

Copyright © 2015 by the International Medical Device Regulators Forum.

IMDRF/MDSAP WG/N8 FINAL: 2015

Table of Contents

1.0Scope

2.0References

3.0Definitions

4.0Guidance on Assessment of Auditing Organization’s Processes

4.1Process: Management

4.2Process: Use of External Resources

4.3Process: Measurement, Analysis and Improvement

4.4Process: Competence Management

4.5Process: Audit and Certification Decisions Process

4.6Process: Information Management

ANNEX

Preface

The document herein was produced by the International Medical Device Regulators Forum (IMDRF), a voluntary group of medical device regulators from around the world.

There are no restrictions on the reproduction, distribution or use of this document; however, incorporation of this document, in part or in whole, into any other document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the International Medical Device Regulators Forum.

Introduction

This is one document in a collection of documents produced by the International Medical Device Regulators Forum (IMDRF) intended to implement the concept of a Medical Device Single Audit Program (MDSAP). Two documents, IMDRF/MDSAP WG/N3 – “Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition” and IMDRF/MDSAP WG/N4 – “Competence and Training Requirements for Auditing Organizations,” are complementary documents. These two documents N3 and N4 are focused on requirements for an Auditing Organization and individuals performing regulatory audits and other related functions under the respective medical device legislation, regulations, and procedures required in its regulatory jurisdiction.

Two additional documents, IMDRF/MDSAP WG/N5 – “Regulatory Authority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations” and IMDRF/MDSAP WG/N6 - “Regulatory Authority Assessor Competence and Training Requirements,” are complementary documents. These two documents N5 and N6 are focused on how Regulatory Authorities and their assessors will evaluate or “assess” medical device Auditing Organizations’ compliance to the requirements in the IMDRF/MDSAP WG/N3 and N4 documents.

The present document compliments the IMDRF/MDSAP WG/N5 and N6 documents. IMDRF/MDSAP WG/N8 – “Guidance for Regulatory Authority Assessors on theMethod of Assessment for MDSAP Auditing Organizations” provides guidance to the Regulatory Authority assessors when conducting the assessment of an Auditing Organization according to the method presented in IMDRF/MDSAP WG/N5, chapter 6.

In addition, IMDRF/MDSAP WG/N11–“MDSAPAssessment and Decision Process for the Recognition of an Auditing Organization”defines a method to “grade” nonconformities resulting from a Regulatory Authority assessment of an Auditing Organization and to document the decision process for recognizing an Auditing Organization or revoking recognition.

The document IMDRF/MDSAP WG/N24–“Medical Device Single Audit Program (MDSAP): Medical Device Regulatory Audit Reports”describes the format and content of MDSAP medical device regulatory audit reports submitted to regulatory authorities. The audit report serves as a written record of the audit team’s determination of the extent of fulfillment of specified requirements. It enables the Auditing Organization to capture in a consistent manner the evidence of a manufacturer’s conformity with the audit criteria for the MDSAP, and will facilitate the exchange of information between Regulatory Authorities.

This collection of IMDRF MDSAP documents provide the fundamental building blocks by providing a common set of requirements to be utilized by the Regulatory Authorities for the recognition and monitoring of entities that perform regulatory audits and other related functions. It should be noted that in some jurisdictions the recognition process is called designation, notification, registration, or accreditation.

IMDRF developed MDSAP to encourage and support global convergence of regulatory systems, where possible. It seeks to strike a balance between the responsibilities of Regulatory Authorities to safeguard the health of their citizens as well as their obligations to avoid placing unnecessary burdens upon Auditing Organizations or the regulated industry. IMDRF Regulatory Authorities may add additional requirements beyond this document when their legislation requires such additions.

To prevent the confusion between audits of manufacturers performed by auditors within an Auditing Organizations and audits of Auditing Organizations performed by medical device Regulatory Authority assessors, in this document, the latter are designated as “assessments.”

1.0Scope

This document provides guidance on the process-based assessment method described in section 6 of the document IMDRF/MDSAP WG/N5.

The assessment method specific to a particular medical device regulatory audit scheme may take into account additional requirements from the jurisdictions addressed in the scheme.

2.0References

  • IMDRF/MDSAP WG/N3– Requirementsfor Medical Device Auditing Organizations for Regulatory Authority Recognition
  • IMDRF/MDSAP WG/N4 – Competenceand Training Requirements for Auditing Organizations
  • IMDRF/MDSAP WG/N5– RegulatoryAuthority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations
  • IMDRF/MDSAP WG/N6–RegulatoryAuthority Assessor Competence and Training Requirements
  • IMDRF/MDSAP WG/N11– MDSAPAssessment and Decision Process for the Recognition of an Auditing Organization
  • IMDRF/MDSAP WG/N24–Medical Device Single Audit Program (MDSAP): Medical Device Regulatory Audit Reports
  • IMDRF/MDSAP WG/N29– Clarification of the Term “Legal Entity” for MDSAP Recognition Purposes
  • ISO/IEC 17000:2004 – Conformityassessment – Vocabularyand general principles
  • ISO/IEC 17021:2011 – ConformityAssessment – Requirementsfor bodies providing audit and certification of management system.
  • GHTF/SG1/N78:2012– Principlesof Conformity Assessment for Medical Device
  • GHTF/SG3/N19:2012– Qualitymanagement system – Medicaldevices – NonconformityGrading System for Regulatory Purposes and Information Exchange

3.0Definitions

3.1Audit: A systematic, independent, and documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which specified requirements are fulfilled. (ISO 17000:2004)

3.2Auditing Organization: An organization that audits a medical device manufacturer for conformity with quality management system requirements and other medical device regulatory requirements. Auditing Organizations may be an independent organization or a Regulatory Authority which perform regulatory audits.

3.3Regulatory Authority: A government body or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and that may take enforcement action to ensure that medical products marketed within its jurisdiction comply with legal requirements. (GHTF/SG1/N78:2012)

4.0Guidance on Assessment of Auditing Organization’s Processes

This section is structured according to the sequence of processes and assessment tasks described in the document IMDRF/MDSAP WG/N5 – section 6 and supplements it by providing guidance to each assessment task.

When assessors detect a nonconformity, they shall follow the requirements of IMDRF/MDSAP WG/N11 – sections 6.1 and 6.2.

4.1Process: Management

N5 task 6.1.4.1– Reviewthe documentation on legal responsibility, liability, and financing. Verify the eligibility as a candidate Auditing Organization.

Applicable requirements

ISO/IEC 17021:2011 clauses: 5.1.1, 5.3.1, 5.3.2

IMDRF/MDSAP WG/N3 clauses: 5.1, 5.1.1, 5.1.2, 5.1.3, 5.3.1, 5.3.2

Legal entity

Guidance

It is important that the assessment team accurately understandsthe structure of the legal entity to which the Auditing Organization belongs. It is especially important in complex cases such as an Auditing Organization belonging to a larger group, where the delineation of the legal entities within the group may influenceimpartiality, ability to enter into contractual arrangements, and the use of external resources.

The types of legal entities and the meaning of registration of the legal entity may vary due to regional or country-specific laws and regulations.

The applicant must clearly delineate the perimeter of the legal entity, and establish a specific address, where the management responsible for the MDSAP recognition program is employed by that legal entity. (See IMDRF/MDSAP WG/N29)

Typical evidence

Informationregarding the legal entity to which the Auditing Organization belongs, its organizational structure, ownership, and the legal or natural persons exercising control over the entity. The information would include documentationmade publicly available by the Auditing Organization (for example website or promotional documentation), official documents (such as a record of business registration or certificate of insurance policy), or other internal documents.

Financial stability

Guidance

The assessors should verify that the Auditing Organization has sufficient resources to support its operations and enable it to fulfill recognition criteria.

Analysis of income sources is also important to assess independence from other entities.

The Auditing Organization’s business should be sufficiently diversified so that the loss of a single client does not seriously jeopardize its financial stabilityorcompromise impartiality.

Typical evidence

Annual report, fee structure, etc.

Liability insurance

Guidance

The Auditing Organization must provide evidence as to the method used to evaluate the risks from its activities, and utilized to determine the insurance level.

Regulatory Authority assessors should ensure that the elements listed in the requirements are documented, including:

-Geographic regions included in the coverage;

-Profile of risk for the range of medical devices that are subject to audit; and

-Scope of activities undertaken for medical device regulatory audits.

Where an Auditing Organization claims that their liability is insured through arrangements with a related legal entity, the Auditing Organization should document how those arrangements fulfill the elements of the requirement identified above.

Typical evidence

Documentation of the risk assessment, records of information provided to the insurer, certificate of insurance.

Eligibility

Guidance

Although an on-site assessment is unlikely to reveal legaljudgments against the Auditing Organization, the assessment team should still inquire about the Auditing Organization’s history with respect to these matters.

Typical evidence

Verbal confirmation.

N5 task 6.1.4.2 – Verifythat a quality manualand the required management systemdocumentation has been defined and documented.

Applicable requirements

ISO/IEC 17021:2011 clauses: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.3.1, 10.3.2

IMDRF/MDSAP WG/N3 clauses: 6.1.2, 6.1.4, 6.1.5, 6.1.7, 10.1.1

Guidance

Most Auditing Organizations offer a broad range of management system certification services, beyond the medical device regulatory audit scheme. The assessor should verify that the Auditing Organization’s management system clearly identifieselements applicable to the medical device regulatory audit scheme.

The Auditing Organization’s management system documentation should state the documents or requirements to whichthe Auditing Organization claims compliance, including regulations, standards, and directives. The Auditing Organization’s management system must specify whether it satisfies option 1 or 2 of ISO/IEC 17021section 10.1.

The Auditing Organization’s management system should be appropriate to the nature, and scale of its auditing activities. The management system should be capable of supporting and ensuring consistent compliance with the requirements applicable to the audit and certification program for medical devices.

Typical evidence

Quality manual and a list of related documentation on the implementation, maintenance and operation of a quality management system, which would fulfill the requirements of IMDRF documents N3 and N4.

N5 task 6.1.4.3 – Verifythat a quality policy and objectives have been set at relevant functions and levels within the organization. Ensure the quality objectives are measurable and consistent with the quality policy. Confirm appropriate measures are taken to achieve the quality objectives.

Applicable requirements

ISO/IEC 17021:2011 clauses: 10.3.1, 10.3.5

IMDRF/MDSAP WG/N3 clauses: Not Applicable

Guidance

While the term “quality policy” is not explicitly used in ISO/IEC 17021 or IMDRF/MDSAP WG/N3, the Auditing Organization’s top management should express its overall intentions and direction related to the fulfilment of the requirements of the medical device regulatory audit scheme.

The assessor should verify that the Auditing Organization’s top management ensures that the quality policy, like other management system policies, is communicated and understoodat all levels of the organization.

The assessor should verify that the Auditing Organization basesquality objectives on parameters that are critical tothe conformity to requirements of the medical device regulatory audit scheme.Quality objectives relate to indicators that are critical to the ability of the Auditing Organization to conduct planned medical device regulatory audits and make informed decisions (for example: maintaining access to sufficient numbers of competent auditors and technical experts to fulfill audit obligations; and to auditors qualified for an technical area/product related to the number of audits in this technical area, etc.).

A quality objective should be expressed as a measurable target or goal in order to feedback into the management system to ensure effective implementation.

Typical evidence

Documented policy and objectives, which may include such things as: number of audit reports delivered on time, timely post audit decisions on the manufacturer's regulatory conformity that are made within a specified time after the audit, timely investigation and closure of complaints.

N5 task 6.1.4.4 Review the Auditing Organization's organizational structure and related documents to verify that they include provisions for responsibilities,authorities. This must include the identification of functions responsible for:the overall program; the timely exchange of information with regulatory authorities; and, ensuring that quality management system requirements are effectively established and maintained, reporting to top management on the performance of the quality management system, and on any need for improvement.

Applicable requirements

ISO/IEC 17021:2011 clauses: 6.1.1, 6.1.2, 6.1.3, 6.2.2, 7.2.1, 7.2.3, 10.3.1

IMDRF/MDSAP WG/N3 clauses: 5.1.3, 6.1.5, 6.1.6, 7.1.4, 8.7.1

Organizational structure

Guidance

The assessor should verify that the Auditing Organization hasdocumented its organizational structure to identify the different positions or roles, their responsibilities and authorities and the inter-relationships between them.It is important for the assessors to not only understand the internal organizational structure of the Auditing Organization, but also how the organization interacts with external resources.

Top management

Guidance

As part of the organizational structure review, the assessor should identify the job functions among the Auditing Organization’s top management that are responsible for:

-Implementation and reporting on the performance of the management system;

-Performance of audits;

-Decisions on conformity to regulatory requirements;

-Establishment of the contract with the medical device manufacturer and external resources;

-Responding to and investigating complaints;

-Timely exchange of information with regulatory authorities.

Top management has other responsibilities that will be assessed through other assessment tasks.

The Auditing Organization should ensure that the remuneration of top management does not depend on the result of audits. Otherwise this would affect the impartiality of the Auditing Organization.

Typical evidence

Organizational chart, job description, management system procedures, etc.

Responsibility and authority

Guidance

The Auditing Organization may document responsibilities and authorities for each individual involved in the audit and decision process in different ways including job descriptions, process descriptions, procedures, or individual assignments, project plans, etc.

For purposes of MDSAP recognition in accordance with IMDRF/MDSAP WG/N11, the applicant for recognition as an Auditing Organization is deemed to be the legal entity and is where the management responsible for the MDSAP recognition program is employed.

The management for the MDSAP program is directly responsible for, manages, and retains authority for the following:

-Establishment of the contract with the medical device manufacturer (including the requirements of N3 – 5.1.4, 5.1.5);

-Identification of competence requirements for any internal or external auditor or technical expert to perform specific activities (N3 – 7.5.1); and,

-Final review and decision-making on conformity to regulatory requirements (N3 – 7.5.1).

These listed activities cannot be delegated outside of the applicant’s legal entity, even to a related organization or a subsidiary. Under the MDSAP recognition program, these related organizations or subsidiaries are regarded as separate legal entities.

(See IMDRF/MDSAP WG/N4.)

Link with other assessment tasks

The organizational structure may be influenced by the definition of the Auditing Organization’s legal entity (see N5 task 6.1.4.1)

N5 task 6.1.4.5 – Verify that the Auditing Organization has analyzed the adequacy of the set of auditors (including technical experts and team leaders) and personnel to cover all of its activities and to handle the volume of audit work.

Applicable requirements

ISO/IEC 17021:2011 clauses: 7.2.2

IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance

The assessor should verify that the Auditing Organizationperiodically analyzestheneeds of the audit programwith regards to the number and scope of the competence of personnel taking into account the current number and profile of audited medical device manufacturer,and; expected changes, the evolution of auditing practices/requirements, identified issues necessitating additional resources/competence/expertise, the geographic location of their resources and clients, the time it takes to acquirenew competence (in nature or volume), etc.

This analysisis important to ensure the continuity of the Auditing Organization’s ability to provide auditing and certification serviceswithin the scope of recognition.

Indicators of inadequate number of auditors and personnel may include:

-Overdue audits

-Shortened audit time as compared to the planned arrangements

-Assignment of auditor with inadequate competence

-Delay in the delivery of final reports

-Delay in the issuance of certification documents

Typical evidence

Analysis report

N5 task 6.1.4.6- Verifythat the Auditing Organization has defined and implemented procedures for the management of impartiality.

Applicable requirements

ISO/IEC 17021:2011 clauses: 5.2.1 to 5.2.13, 5.3.2, 6.2.1 to 6.2.3, 7.3, 7.5.2

IMDRF/MDSAP WG/N3 clauses: 5.2.1 to 5.2.10, 6.2.1, 7.1.6, 7.3.1, 9.1.3

Sources of threatsto impartiality

Guidance

The Auditing Organization must ensure that their decisions are based on objective evidence of conformity obtained during the certification/audit activities and are not influenced by other interests or parties.