MDSAP Assessment and Decision Process for the Recognition of an Auditing Organization
Document: IMDRF/MDSAP WG/N11FINAL:2014
Official Source
Full Text
MDSAP Assessment and Decision Process for the Recognition of an Auditing Organization
Document Number: IMDRF/MDSAP WG/N11FINAL:2014
IMDRF/MDSAP WG/N11FINAL:2021 (Edition 2)
Final Document
Title: MDSAP Assessment and Decision Process for the Recognition of an Auditing Organization
Authoring Group: IMDRF MDSAP Working Group
Date: 16 September 2021
Oh-Sang Kwon, IMDRF Chair
This document was produced by the International Medical Device Regulators Forum. There are no restrictions on the reproduction or use of this document; however, incorporation of this document, in part or in whole, into another document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the International Medical Device Regulators Forum.
Copyright © 2021 by the International Medical Device Regulators Forum.
Table of Content
1.0 Scope 5
2.0 References 5
3.0 Definitions 5
4.0 Overview 6
4.1 MDSAP Assessment Cycle 6
4.2 MDSAP Assessment Program 6
5.0 MDSAP Assessment Criteria and Overview 7
5.1 MDSAP Assessment Criteria 7
5.2 MDSAP Assessment Overview 8
6.0 MDSAP Assessment Deliverable 9
6.1 Communicating Nonconformities During an Assessment 9
6.2 Nonconformity Reporting 9
6.3 Grading Assessment Nonconformities 9
6.4 Final List of Nonconformities 9
6.5 Remediation Plan 9
6.6 Review of the Remediation Plan 9
6.7 Recommended Closure of Nonconformities 9
6.8 Assessment Report 9
7.0 Technical Review 9
8.0 Verification of Effectiveness of Corrections and Corrective Actions 9
9.0 Review and Decision Process 9
9.1 Inputs to the Review and Decision Process 9
9.2 Decision criteria and Outcomes of the Review and Decision Process 9
10.0 Communication Following Review and Decision Process 9
10.1 Notification 9
10.2 Notification of Cessation of Recognition 9
11.0 Appeals Process 9
12.0 Publication of Recognition Decisions 9
Preface
This document was produced by the International Medical Device Regulators Forum (IMDRF), a voluntary group of medical device regulators from around the world.
There are no restrictions on the reproduction, distribution or use of this document; however, incorporation of this document, in part or in whole, into any other document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the International Medical Device Regulators Forum.
Introduction
This is one document in a collection of documents produced by the International Medical Device Regulators Forum (IMDRF) intended to implement the concept of a Medical Device Single Audit Program (MDSAP).
Two documents, IMDRF MDSAP WG N3 – “Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition” and IMDRF MDSAP WG N4 – “Competence and Training Requirements for Auditing Organizations,” are complementary documents. These two documents N3 and N4 are focused on requirements for an Auditing Organization and individuals performing regulatory audits and other related functions under the respective medical device legislation, regulations, and procedures required in its regulatory jurisdiction.
The purpose of this document, IMDRF MDSAP WG N11 is to explain the assessment process and outcomes, including the method to “grade and manage” nonconformities resulting from a recognizing Regulatory Authority(ies)’s assessment of an Auditing Organization; and, to document the decision process for recognizing an Auditing Organization or cessation of recognition. To prevent the confusion between audits of manufacturers performed by auditors within an Auditing Organizations and audits of Auditing Organizations performed by medical device Regulatory Authority assessors, in this document, the latter are designated as “assessments.”
This collection of IMDRF MDSAP documents will provide the fundamental building blocks by providing a common set of requirements to be utilized by the Regulatory Authorities for the recognition and monitoring of entities that perform regulatory audits and other related functions. It should be noted that in some jurisdictions the recognition process is called designation, notification, registration, or accreditation.
IMDRF developed MDSAP to encourage and support global convergence of regulatory systems, where possible. It seeks to strike a balance between the responsibilities of Regulatory Authorities to safeguard the health of their citizens as well as their obligations to avoid placing unnecessary burdens upon Auditing Organizations or the regulated industry. IMDRF Regulatory Authorities may add additional requirements beyond this document when their legislation requires such additions.
Scope
This document defines:
- The process and lifecycle for recognizing, maintaining, or ceasing recognition of an Auditing Organization.
- The process of managing, grading, and closure of assessment nonconformities issued to an Auditing Organization; and,
- The outcomes of an initial, surveillance, or re-recognition assessment process of an Auditing Organization.
References
- IMDRF/MDSAP WG/N3– Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition
- IMDRF/MDSAP WG/N4 - Competence and Training Requirements for Auditing Organizations
- IMDRF/MDSAP WG/N6 - Regulatory Authority Assessor Competence and Training Requirements
- MDSAP AS P0034 - Guidance for Regulatory Authority Assessors on the Method of Assessment for MDSAP Auditing Organizations
NOTE: When referring to the above listed documents, the most current revision should be consulted.
Definitions
Assessment: A systematic, independent, and documented process for obtaining assessment evidence and evaluating it objectively to determine the extent to which assessment criteria are fulfilled.
Assessor: An employee of a Regulatory Authority with the demonstrated personal attributes and competence to conduct an assessment of an Auditing Organization.
Auditing Organization: An organization that audits a medical device manufacturer for conformity with quality management system requirements and other medical device regulatory requirements. Auditing Organizations may be an independent organization or a Regulatory Authority which perform regulatory audits.
Nonconformity: A non-fulfillment of a requirement. (ISO 9000:2015)
Regulatory Authority: A government body or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and that may take enforcement action to ensure that medical products marketed within its jurisdiction comply with legal requirements. (GHTF/SG1/N78:2012)
Overview
MDSAP Assessment Cycle
As discussed in MDSAP AS P0034, for an Auditing Organization conducting audits for the regulated medical device sector, the MDSAP Assessment Program should follow a 3 or 4-year cycle. A 4-year cycle is illustrated in Figure 1.
Figure 1 - 4-year Assessment Cycle
The Assessment Cycle includes an Initial Assessment, annual Surveillance Assessments, and a Re-Recognition Assessment.
MDSAP Assessment Program
Figure 2 identifies the different assessment activities within each aspect of the MDSAP Assessment Program, as discussed in MDSAP AS P0034.
Figure 2 - Assessment Program with Assessment Activities through the Assessment Cycle
It is important to note that additional Special Assessments performed on-site or remotely may also be necessary as described in MDSAP AS P0034.
A written request for extending or reducing the scope of recognition may be submitted by the Auditing Organization at any time within the assessment cycle. Prior to the end of the recognition cycle,**** the Auditing Organization may need to submit a new application for re-recognition depending upon the requirements of the recognizing Regulatory Authority(s). Any desired change of scope of recognition can be included within the re-recognition application.
MDSAP Assessment Criteria and Overview
MDSAP Assessment Criteria
The recognizing Regulatory Authority(s) will assess the Auditing Organization through the various assessment activities against the assessment criteria. The MDSAP assessment criteria are:
- IMDRF/MDSAP WG/N3 – “Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition” (Note: ISO/IEC 17021-1:2015 is incorporated as a normative reference except for the two exceptions listed in N3 – clauses 5.1 and 9.1.);
- IMDRF/MDSAP WG/N4– “Competence and Training Requirements for Auditing Organizations”; and,
- particular additional regulatory requirements issued by the recognizing Regulatory Authority(s).
Guidance and best practice documents should not be considered assessment criteria, unless specifically incorporated into the recognizing Regulatory Authority(s) particular regulatory requirements. Particular regulatory requirements may include requirements on such topics as:
- Audit process or technique;
- Audit duration calculations;
- Audit and sampling of product technical documentation;
- Audit planning to include determination of sites to be audited;
- Audit report requirements; or,
- Certification document requirements.
As noted in IMDRF/MDSAP WG/N3, criteria established by the International Accreditation Forum (IAF) holds no particular relevance to the IMDRF MDSAP Assessment Program or recognition process, unless such requirements have been explicitly incorporated into the IMDRF MDSAP documents or recognizing Regulatory Authority(s) particular regulatory requirements.
MDSAP Assessment Overview
Figure 3 provides a general overview of the Auditing Organization’s application, assessment program/activities and the recognition decision related processes including an appeals process.
The recognizing Regulatory Authority(s) must ensure that the threat of self-review is minimized as further described in this document (See 7.0 and 9.1).
Figure 3 - Overview of Auditing Organization Assessment and Recognition Decision Related Processes[1]
MDSAP Assessment Deliverable
Communicating Nonconformities During an Assessment
The Regulatory Authority(s) assessments of Auditing Organizations may include the identification of nonconformities against the assessment criteria.
Nonconformities identified against particular regulatory requirements may be raised under Clauses 6.1.1 (current audit practices and knowledge of medical device technologies), 8.2.1 (audit reports and certification documents) or other relevant clauses of IMDRF MDSAP WG N3.
The Auditing Organization should be invited to discuss potential nonconformities as part of the daily wrap up meetings between the Auditing Organization and the recognizing Regulatory Authority(s) assessment team during the assessment performed on-site at Head Office and Critical Location(s) or after Witnessed Audit(s). Comments on nonconformities enable the Auditing Organization to indicate its agreement on any nonconformity, to contest part or all of the nonconformity, or to provide additional clarification on the extent or significance of nonconformity.
Nonconformity Reporting
In order for the significance of Auditing Organization’s nonconformities to be characterized utilizing the assessment nonconformity grading system described in this document, it is essential that the reporting of a nonconformity is clearly worded with factual and precise language. The nonconformity must enable the reader to comprehend the actual non-fulfillment that was detected during the assessment.
Each statement of nonconformity should:
- identify the specific requirement which has not been met or adequately fulfilled. The statement must:
- document the source of the requirement from the assessment criterion; or,
- where multiple requirements from the assessment criterion documents are related, document, at least, the most relevant clauses of the assessment criterion documents. (Where possible, related clauses from additional assessment criterion documents may be included.)
- state how the specific requirement was not fulfilled. The statement should:
- be clear and concise;
- use the words of the unsatisfied assessment criterion; and,
- be self-explanatory and related to the issue, not just be a restatement of the audit evidence, or used in lieu of audit evidence.
- be supported by objective evidence. The statement should:
- identify the extent of evidence (e.g. number of records) and - what exactly was found or not found, with an example(s)
- identify the location or basis (source document) for the evidence (e.g. in a record, procedure, interview, or visual observation)
Nonconformities identified against particular regulatory requirements may be raised under Clauses 6.1.1 (current audit practices and knowledge of medical device technologies), 8.2.1 (audit reports and certification documents) or other relevant clauses of IMDRF MDSAP WG N3.
Multiple instances of non-fulfillment of any single requirement should be combined into a single nonconformity unless the instances originate or relate to different aspects of a clause.
A clause of an assessment criteria document may include several distinct requirements. The non-fulfillment of multiple distinct requirements within a clause may be recorded as separate nonconformities.
When a nonconformity was already identified by the Auditing Organization, for example during an internal audit, prior to the recognizing Regulatory Authority(s)’s assessment, the assessors should refrain from documenting a separate nonconformity if:
- the identified nonconformity is recorded by the Auditing Organization;
- the remediation action plan, including correction and corrective action, as necessary, is appropriate;
- the specified timeline for implementing the planned remediation actions is respected and consistent with the significance of the nonconformity and the nature of the planned remediation actions; and,
- the Auditing Organization has a process to assess the effectiveness of the remediation actions implemented.
The assessors shall note the information in the report for future verification of implementation and effectiveness.
If during the following assessment there is evidence that the remediation steps listed above have not been implemented or are not effective, then the reporting of a nonconformity shall be written against the ineffective remediation of the identified problem.
Grading Assessment Nonconformities
The grade of a nonconformity may be used by the recognizing Regulatory Authority for two purposes:
- to identify possible actions a recognizing Regulatory Authority(s) will take with regards to an Auditing Organization’s recognition status. See clause 9.0 for a description of how nonconformity grading is used to support the categorization of the assessment outcomes; and to,
- assist in prioritizing the order in which nonconformities must be addressed.
A nonconformity should be given one of four grades. Grade 1 is the lowest level of severity with Grade 4 the highest.
If there is a recurrence of nonconformity of Grades 1, 2 or 3 then the grade is escalated by one. Recurrence is when a nonconformity has been identified against the same sub-clause, or particular regulatory requirement, at two assessments activities (see Figure 2) within the same Assessment Cycle (see Figure 1).
The guiding principles for grading assessment nonconformities are the following:
- All nonconformities cited against ISO/IEC 17021:2015 will start as a minimum Grade 1;
- All nonconformities cited against IMDRF N3 and N4 will start as a minimum Grade 2. (N3 and N4 contain regulatory requirements);
- Assessors may elevate any minimum grade to a Grade 2, 3, or 4 if in their assessment they believe the grading rules below are met;
- If there is a recurrence of nonconformity of grade 1, 2 or 3 then the grade is escalated by one;
If the assessor lowers the assigned grade with respect to the above guiding principles, the assessor must document the rationale in the assessment report. The table in Appendix 1 is a list of examples for guidance purposes of how assessment nonconformities could be graded under the scheme described in this document.
Grade 1
A Grade 1 nonconformity:
- a nonconformity that is unlikely to have a direct impact on the Auditing Organization’s ability to routinely operate an effective, ethical, impartial and competent organization that produces acceptable audit conclusions, audit reports, and certification documents.
Grade 2
A Grade 2 nonconformity:
- a nonconformity that is likely to have a direct impact on the Auditing Organization’s ability to routinely operate an effective, ethical, impartial and competent organization that produces acceptable audit conclusions, audit reports, and certification documents; and is unlikely to allow deficiencies in the manufacturer’s quality management system, or its implementation, to have a direct impact on the safety and performance of the medical device.
- a recurrence of a Grade 1 nonconformity.
Grade 3
A Grade 3 nonconformity:
- a nonconformity that is likely to have a direct impact on the Auditing Organization’s ability to routinely operate an effective, ethical, impartial and competent organization that produces acceptable audit conclusions, audit reports, and certification documents; and is likely to allow deficiencies in the manufacturer’s quality management system, or its implementation, to have a direct impact on the safety and performance of the medical device.
- when an Auditing Organization operates outside of the recognized and designated scope.
- a recurrence of a Grade 2 nonconformity.
Grade 4
A Grade 4 nonconformity:
- evidence involving possible fraud, misrepresentation or falsification of evidence of conformity per IMDRF/MDSAP WG/N3 clause 5.1.
- a recurrence of a Grade 3 nonconformity.
Final List of Nonconformities
At the conclusion of any assessment activity, the recognizing Regulatory Authority(s) will issue a final list of any nonconformities to the Auditing Organization that have been graded according to the grading system described in 6.3.
The Auditing Organization may contest the validity of a nonconformity issued as a result of an assessment through the recognizing Regulatory Authority(s) complaint or appeal process. A rationale for the complaint or appeal must be provided including supporting evidence. Until the complaint or appeal is resolved the nonconformity must be addressed in the remediation plan.
Remediation Plan
The Auditing Organization shall respond to nonconformities issued by the recognizing Regulatory Authority(s) assessors by providing a documented remediation plan which includes:
- Investigation and cause analysis of the nonconformity(s) to date;
- Correction plan, as appropriate; and,
- Corrective action plan to include plans for systemic corrective actions and verification of effectiveness, as appropriate.
The documented remediation plan must be submitted within 15 working days from the day the nonconformity(s) was issued. Priority shall be given to any nonconformity graded as a 3 or 4. Upon request, additional time may be granted by the recognizing Regulatory Authority for responses to Grade 1 or 2 nonconformities.
The Auditing Organization shall subsequently provide the recognizing Regulatory Authority(s) with evidence of implementation of correction and corrective actions for any nonconformities graded 3 or 4, according to the timeline confirmed by the recognizing Regulatory Authority(s) as an outcome of the review of the remediation plan. Any nonconformities graded 1 or 2 will be followed up on the next Assessment.
Review of the Remediation Plan
The recognizing Regulatory Authority(s)’s assessment team shall review the Auditing Organization’s remediation plan and determine if it is acceptable, in terms of: cause of nonconformity, actions identified, and the timeline for implementation of those actions. This review shall be documented.
If deemed necessary, the recognizing Regulatory Authority(s) may require adjustments to the time limits specified in the submitted remediation plan to provide evidence of its implementation and effectiveness.
Recommended Closure of Nonconformities
The recognizing Regulatory Authority(s) assessment team shall recommend closure of the nonconformity only when the following criteria are met:
- for all nonconformities , the remediation plan, including the investigation and cause analysis has been deemed acceptable; and,
- for nonconformities graded 3 or 4, the recognizing Regulatory Authority(s) has verified the evidence that the actions have been implemented as planned.
Verification of acceptable implementation of the remediation plan can be performed:
- by the assessment team as a documentation review; or,
in accordance with the assessment team’s recommendation for follow-up during a Special On-Site Assessment, Special Remote Assessment, an additional Witnessed Audit, or during the next On-Site Assessment. A recommendation for closure of the nonconformity means that the assessment team is satisfied that information on the remediation of the nonconformity is sufficient to perform the Technical Review. It does not prevent the recognizing Regulatory Authority(s) from re-assessing the topic and, in the light of additional information collected or observed, issue a new nonconformity on the topic.
Assessment Report
Every assessment activity shall result in an assessment report. The type of assessment activity will dictate the assessment report format. The assessment report may be composed of multiple documents.
The assessment report shall include at a minimum the following information:
- the assessment plan, including the identification of the assessment team, assessment date(s) and essential information about the Auditing Organization;
- the type, scope, and objectives, of the assessment;
- the requested or approved scope of recognition;
- the identification of the assessment criteria;
- a narrative or summary of each process(s) assessed;
- any nonconformities, their grade, and any corrections or corrective action(s) taken during the assessment;
- the respective evaluation of any remediation; and,
- the assessment conclusions and recommended outcome.
The assessment team will recommend to the Technical Review process:
- closure of the nonconformity;
- continued follow-up of nonconformities;
- scope restriction of the recognition; or,
- not to recognize, or cease recognition, due to the inability of the Auditing Organization to satisfactorily remediate nonconformities.
Technical Review
The Technical Review process includes gathering the outcomes of the assessment activity, the verification of the completion of the individual assessment activities, and then generation of a written recommendation for Review and Decision (see clause 5.2).
The Technical Review process must be conducted by an independent person, or a panel/committee led by an independent person, who is separate from the assessment team(s). The assessment team(s) may contribute in such a panel/committee.
The Technical Review shall include:
- Verification that any written nonconformities comply with the requirements in clause 6.2;
- Verification that the grading of nonconformity(s) complies with the requirements in clause 6.3;
- Verification that the remediation plans for Grade 1 or Grade 2 nonconformity(s) complies with the requirements of clause 6.5 and 6.6;
- Verification of the implementation of the remediation plans for Grade 3 and Grade 4 nonconformity(s) (where Grade 4 nonconformities are the result of recurrence) and that they comply with the requirements of clause 6.5 and 6.6;
- Any recommendation(s) where there is evidence of possible fraud, misrepresentation or falsification of evidence resulting in a Grade 4 nonconformity;
- Verification and evaluation of the Assessment Report(s);
- If applicable, the outcomes of any complaint or appeal from the Auditing Organization on a particular nonconformity; and,
- Decision on closure of any nonconformity, and any appropriate follow-up which may include Special Remote Assessment or Special On-site Assessment.
The recognizing Regulatory Authority shall inform the Auditing Organization of any necessary follow-up actions.
Verification of Effectiveness of Corrections and Corrective Actions
The recognizing Regulatory Authority(s) assessment team shall verify the effectiveness of any correction and corrective action taken. Verification of the effectiveness of any correction and corrective action can be performed, as decided during the Technical Review, as:
- a documentation review by the assessment team; or,
- a Special On-Site Assessment, a Special Remote Assessment, an additional Witnessed Audit, or part of the next On-Site Assessment.
Review and Decision Process
Inputs to the Review and Decision Process
The outputs of the Technical Review process are made available as an input to the individuals or panel/committee making the Review and Decision on the status of the Auditing Organization.
The Review and Decision process must be conducted by an independent person, or a panel/committee led by an independent person, who is separate from the Assessment activities. The Review and Decision process may be performed by the same individual or panel/committee as the Technical Review process or by an independent panel/committee.
The recognizing Regulatory Authority(s) shall initiate the Review and Decision process for the following situations:
- Initial Recognition, Re-recognition, or Extension of Scope : All planned assessment activities are completed and the Technical Review has accepted all of the Auditing Organization’s remediation plans and activities;
- Restriction of Scope : The outcome of an assessment activity includes information suggesting that the recognized Auditing Organization no longer meets the minimum expected level of compliance for their full scope of recognition; or, the recognized Auditing Organization has requested a reduction of their scope of recognition;
- Safety Issue : The outcome of an assessment activity includes information on a public health threat;
- Fraud/Misrepresentation/Falsification of Evidence Confirmed by the Technical Review : The outcome of an assessment activity includes evidence of fraud, misrepresentation or falsification of evidence[2] or there is evidence that the legal entity has been found guilty of an offense against national laws or regulations related to medical devices or relating to any fraudulent or dishonest practices.[3]
In cases of potential cessation of recognition, a recommendation from the Technical Review process is to be immediately submitted to the individual or the panel/committee undertaking the Review and Decision process.
Decision criteria and Outcomes of the Review and Decision Process
Recognizing Regulatory Authority(s) shall use the criteria below to make their decision on the recognition status of Auditing Organizations. The decisions include:
- Initial recognition with scope
- Maintenance of recognition
- Extension or restriction of scope
- Re-recognition with scope maintained, restricted or extended
- Cessation of recognition
- No recognition
The recognition decision may include additional conditions imposed by the recognising Regulatory Authority(s). If any additional conditions are imposed, the maintenance of the recognition is subject to the Auditing Organization fulfilling all the requirements identified in the condition.
Decision Following Initial Assessment Activities (See Figure 2)
Recognition - The applicant is granted recognition for a specified scope when:
The Technical Review process found any nonconformities (Grade 1, 2, 3 were brought to closure (see 6.7) for all Initial Assessment Activities.
The applicant is recognized as an Auditing Organization for the duration of the assessment cycle and may:
- Undertake all audit activities within the scope of the application; or,
- Undertake audit activities within a restricted scope of the application.
The Auditing Organization may request to vary the scope of their recognition application (extend or restrict) at any time. The recognizing Regulatory Authority(s) may grant recognition for the new scope after it has performed relevant Assessment Activities in order to assess the new scope, and when any nonconformities (Grade 1, 2, or 3) are brought to closure (see 6.7)
Refusal - The applicant is refused recognition when:
- The application process has been terminated by the assessment team(s) before completion of the Initial Assessment Activities due to the inability of the Auditing Organization to satisfactorily comply with regulatory requirements;
- The Technical Review process found the remediation plan(s) inadequate and unable to bring closure (see 6.7) for any nonconformities (Grade 1, 2, 3 or 4) after the conclusion of the Assessment Process which included exchange(s) between the assessment team(s) and the Auditing Organization; or,
- There is evidence of fraud, misrepresentation or falsification of evidence (Grade 4).
The applicant is not to be recognized as an Auditing Organization and may not audit under the recognition program. A new application from the same Auditing Organization is required if the applicant is to be reconsidered. With a written justification, a recognising Regulatory Authority(s) may specify a timeframe within which a re-application will not be accepted.
Decision Following a Surveillance Assessment (See Figure 2)
Maintenance of Recognition - The Auditing Organization’s recognition is maintained when the Technical Review process found any nonconformities (Grade 1, 2, 3 or a Grade 4 issued due to recurrence) were brought to closure (see 6.7) for all Surveillance Assessment Activities.
The recognized Auditing Organization may continue to undertake all audit activities within the scope of the application.
The recognizing Regulatory Authority(s) may add or vary any conditions on the existing recognition decision.
Extension of Scope of Recognition - The Auditing Organization has requested an extension of scope and the recognizing Regulatory Authority(s) has performed relevant Assessment Activities in order to assess the new scope. The Technical Review process found any nonconformities (Grade 1, 2, or 3) were brought to closure (see 6.7) for all relevant Assessment Activities. If the Review and Decision Process approves the amended scope, the expiry date of the initial or re-recognition decision is not changed.
Restricted Scope - The recognizing Regulatory Authority(s) may decide to restrict specific elements of the scope of recognition, either:
- in response to a request from the Auditing Organization; or
- after the Assessment Process has been exhausted and as an alternative to ceasing recognition, when the Technical Review process concludes that the Auditing Organization can no longer satisfy the requirements for recognition in relation to those specific elements.
Cease Recognition : The recognition is withdrawn when:
- the Auditing Organization can no longer satisfy the requirements for recognition; or,
- There is evidence of fraud, misrepresentation or falsification of evidence (Grade 4).
An Auditing Organization no longer satisfies the requirements for recognition when, after the Assessment Process has been exhausted, the Technical Review process concludes that:
- The remediation plan of any repeat nonconformity graded 3 or 4 is inadequate; or
- The implementation of remediation for a first time nonconformity graded 2 or 3 proves to be ineffective and the Auditing Organization is unable, or unwilling, to develop and implement effective remediation.
A decision to change the recognition status of an Auditing Organization, may potentially affect a larger number of manufacturers that have been audited by the Auditing Organization. In this event, recognizing Regulatory Authority(s) may need to consider individual or collective transitional arrangements to ensure existing or potential public health risks are mitigated.
Decision Following a Re-recognition Assessment (See Figure 2)
Re-Recognition - The recognition remains valid and is renewed for the duration of the next recognition cycle. The Auditing Organization’s recognition is renewed when the Technical Review process found any nonconformities (Grade 1, 2, 3 or a Grade 4 issued due to recurrence) were brought to closure (see 6.7) for all Re-recognition Assessment Activities.
The recognized Auditing Organization may continue to undertake all audit activities within the scope of the application.
Extension of Scope of Recognition - The Auditing Organization has requested an extension of scope and the recognizing Regulatory Authority(s) has performed relevant Assessment Activities in order to assess the new scope. The Technical Review process found any nonconformities (Grade 1, 2, or 3) were brought to closure (see 6.7) for all relevant Assessment Activities. If the Review and Decision Process approves the amended scope, the expiry date of the initial or re-recognition decision is not changed.
Restricted Scope - The recognizing Regulatory Authority(s) may decide to restrict specific elements of the scope of recognition, either:
- in response to a request from the Auditing Organization; or
- after the Assessment Process has been exhausted and as an alternative to ceasing recognition, when the Technical Review process concludes that the Auditing Organization can no longer satisfy the requirements for recognition in relation to those specific elements.
Cease Recognition : The recognition is withdrawn when:
- the Auditing Organization can no longer satisfy the requirements for recognition; or,
- There is evidence of fraud, misrepresentation or falsification of evidence (Grade 4).
An Auditing Organization no longer satisfies the requirements for recognition when, after the Assessment Process has been exhausted, the Technical Review process concludes that:
- The remediation plan of any repeat nonconformity graded 3 or 4 is inadequate; or
- The implementation of remediation for a first time nonconformity graded 2 or 3 proves to be ineffective and the Auditing Organization is unable, or unwilling, to develop and implement effective remediation.
A decision to change the recognition status of an Auditing Organization, may potentially affect a larger number of manufacturers that have been audited by the Auditing Organization. In this event, recognizing Regulatory Authority(s) may need to consider individual or collective transitional arrangements to ensure existing or potential public health risks are mitigated.
Decision Following a Special Assessment
The need for – and the type of – decision following a Special Remote Assessment or a Special On-Site Assessment depends on the scope and objectives of this assessment.
Communication Following Review and Decision Process
Notification
The recognizing Regulatory Authority shall notify the Auditing Organization of the decision made on their recognition status. In the case of an adverse decision, the recognizing Regulatory Authority(s) must include in the notification the rationale of the decision. The Auditing Organization may appeal the decision through the Appeals Process.
Notification of Cessation of Recognition
When a previously recognized Auditing Organization no longer satisfies the requirements for recognition, the notification of the decision will provide details for the cessation of recognition, including the date it becomes effective in the absence of an appeal, and will outline the Appeal provisions. Once the notice to cease recognition is received, the Auditing Organization may not:
- Accept any new applications, including transfers from manufacturers from another Auditing Organization;
- Perform an initial audit for any manufacturer whose application has already been accepted; or
- Extend the scope of a manufacturer’s certification.
In cases where a public health issue is involved, the Appeals Process may be adjusted to very short time frames that are commensurate to the risk. Some recognizing Regulatory Authority(s) may impose other urgent actions in these cases. These actions would be detailed in a notification of cessation of recognition.
The cessation of recognition becomes effective either:
- In the absence of an appeal, on the date identified in the notification, OR
- Immediately after the appeals process confirms the decision to cease recognition.
When the cessation of recognition becomes effective, the Auditing Organization shall not perform any audit.
After the decision to cease recognition is confirmed, the Auditing Organization is required to submit a new application if they wish to be reconsidered for recognition.
Appeals Process
Auditing Organizations may appeal a decision within a timeframe defined by the recognizing Regulatory Authority(s).
The recognizing Regulatory Authority(s) shall establish procedures to receive and address appeals submitted by Auditing Organizations. The procedures shall take into account any policy, general legal requirements or practices applicable to appeals in their jurisdiction.
Appeal procedures shall provide that, upon receipt of the appeal, the recognizing Regulatory Authority(s) shall as a minimum:
- Acknowledge receipt of the appeal;
- Review the decision;
- Decide on the validity of the appeal;
- Advise the Auditing Organization of the final decision(s) of the recognizing Regulatory Authority(s);
- Take follow-up action where required; and,
- Maintain records of all appeals, final decisions and follow-up actions.
Publication of Recognition Decisions
The recognizing Regulatory Authority shall make publicly available information about the current recognition status, and changes to the recognition status, of Auditing Organizations. This information shall be updated regularly. The information shall include the following for each recognized Auditing Organization:
- name and address of the Auditing Organization;
- scope of recognition.
If the recognizing Regulatory Authority(s) decide to cease recognition of the AO, the change of status shall be published only after the cessation of recognition becomes effective.
Appendix 1 – Examples of Grades For Nonconformities Against the Clauses of IMDRF MDSAP WG documents N3 and N4, and ISO/IEC 17021-1:2015.
This table is meant for guidance purposes only, situations and objective evidence will dictate the grade according to the procedures and criteria in this document.
The Table lists clauses from IMDRF MDSAP WG documents N3 and**** N4 and the Standard ISO/IEC 17021-1:2015. The line items in the table are brief statements to capture the general intent of the particular clauses. The user shall refer to the full text of these three foundation documents when utilizing this table.
| SectionISO/IEC 17021-1:2015 IMDRF N3** IMDRF N4** | Title or Intent of the clause | Grade 3 | Grade 2 | Grade 1 |
|---|---|---|---|---|
| 5 | General requirements | |||
| 5.1 | Legal and contractual matters | |||
| ** 5.1**** (IMDRF-N3)** | _Country specific laws and regulations, outside the medical device Regulatory Authority’s purview, may be applicable._Organization found guilty of an offence against national laws or regulations related to medical devices, or relating to any fraudulent or dishonest practices is ineligible to become an AO. | |||
| 5.1.1 | **Legal responsibility | |||
| ** Legal entity | X | |||
| ** 5.1.1 (IMDRF-N3)** | Organizational structure, ownership and legal or natural persons exercising control over the AO | X | ||
| ** 5.1.2 (IMDRF-N3)** | If part of a larger organization; activities, structure, governance and relationship with AO | X | ||
| ** 5.1.3 (IMDRF-N3)** | If AO owns (whole or part) other entities; activities, structure, governance and relationship with AO | X | ||
| 5.1.2 | **Certification agreement. | |||
| **(IMDRF Exception to ISO 17021) | X | |||
| ** 5.1.4**** (IMDRF-N3)** | Legal agreement with manufacturers to allow RAs to observe and assess AO audits | X | ||
| ** 5.1.5 (IMDRF-N3)** | Legal agreement with manufacturers to share info between RAs | X | ||
| 5.1.3 | **Responsibility for certification decisions. | |||
| **AO retains authority for its certification decisions, including granting, maintaining, renewing, extending, reducing, suspending and withdrawing of certification | X | |||
| 5.2 | Management of impartiality | |||
| 5.2.1 | AO responsible for the impartiality of its conformity assessment activities | X | ||
| 5.2.2 | Top management commitment to impartiality. | X | ||
| 5.2.3 | _Process to identify, analyze, evaluate, treat, monitor, and document the risks related to conflict of interests._Top management reviews residual risk to determine acceptability | X | ||
| 5.2.4 | Not certifying another AO for management systems. | X | ||
| 5.2.5 | No management systems consultancy. | X | ||
| 5.2.6 | No internal audits of certified clients. | X | ||
| 5.2.7 | Not certifying a client when the AO’s relationship with a management systems consultancy poses an unacceptable threat to impartiality. | X | ||
| 5.2.8 | Not outsourcing audits to a management system consultancy organization. | X | ||
| 5.2.9 | No AO marketing linked to management systems consultancy. | X | ||
| 5.2.10 | Ensuring no conflict of interest of personnel with prior consultancy activities. | X | ||
| 5.2.11 | Response to any threats to impartiality. | X | ||
| 5.2.12 | Personnel, internal and external, and committees, shall act impartially. | X | ||
| 5.2.13 | Requiring personnel, internal and external, to reveal any potential conflict of interest. | X | ||
| 5.2.1 (IMDRF-N3) | Financial and organizational independence from manufacturers | X | ||
| 5.2.2 (IMDRF-N3) | Organization structured to safeguard independence, objectivity, and impartiality of its activities. Documentation of any investigation, outcome and resolution. | X | ||
| 5.2.3 (IMDRF-N3) | Top-level management and responsible personnel not involved in manufacturer’s processes | X | ||
| 5.2.4 (IMDRF-N3) | Documentation of personnel formerly involved in device consulting and general conflict of interest mitigation | X | ||
| 5.2.5 (IMDRF-N3) | Three years between consultancy services and assignment of tasks related to serviced companies | X | ||
| 5.2.6 (IMDRF-N3) | Not advertising, committing to, guaranteeing or implying outcome of audits based on financial or other inducement | X | ||
| 5.2.7 (IMDRF-N3) | Action of subsidiaries, subcontractors or any associated body does not affect independence | X | ||
| 5.2.8**(IMDRF-N3)** | Change of audit team assigned to audit a manufacturer over period of time | X | ||
| 5.2.9 (IMDRF-N3) | Formal commitment of personnel to comply with confidentiality rules, independence and association with manufacturer | X | ||
| 5.2.10 (IMDRF-N3) | If AO is part of a larger organization, impartiality requirements apply to the whole organization | X | ||
| 5.2.11 (IMDRF-N3) | Access by individuals managing threats to impartiality to experienced and knowledgeable independent experts in medical devices | X | ||
| 5.3 | Liability and financing | |||
| 5.3.1 | Risk and liability analysis. | X | ||
| 5.3.2 | Evaluation of finances and sources of income for threats to impartiality, and review by the impartiality committee. | X | ||
| 5.3.1 (IMDRF-N3) | Liability insurance | X | ||
| 5.3.2 (IMDRF-N3) | Financial resources | X | ||
| 6.0 | Structural requirements | |||
| 6.1 | Organizational structure and top management | |||
| 6.1.1 | Documented organizational structure, duties, responsibilities and authorities for personnel and committees; and relationships to any other parts of the organization. | X | ||
| 6.1.2 | Certification activities structured and managed to safeguard impartiality | |||
| 6.1.3 | Top management authority and responsibility. | X | ||
| 6.1.4 | Rules for committees. | X | ||
| 6.1.1 (IMDRF-N3) | Personnel are current in practices and knowledge in relation to medical device technologies and regulatory requirements | X | ||
| 6.1.2 (IMDRF-N3) | Organizational capacity to include management, administrative support, and infrastructure to undertake all contracted activities | X | ||
| 6.1.3 (IMDRF-N3) | Participation in regulatory coordination group | X | ||
| 6.1.4 (IMDRF-N3) | Consideration of relevant guidance and best practice documents | X | ||
| 6.1.5 (IMDRF-N3) | Adopt and adhere to a code of conduct Violations to the code of conduct must be investigated and appropriate action taken | X | ||
| 10.0**(IMDRF-N4)** | Annual reaffirmation of a Code of Conduct | X | ||
| 6.1.6**(IMDRF-N3)** | Document roles, responsibilities, and lines of reporting for all personnel | X | ||
| 6.1.7**(IMDRF-N3)** | Procedures for independent review of work | X | ||
| 6.2 | Operational control | |||
| 6.2.1 | Process for the effective control of certification activities delivered by branch offices, partnerships, agents, franchisees, etc. | X | ||
| 6.2.2 | Appropriate level and method of control of activities. | X | ||
| 7.0 | Resource requirements | |||
| 7.1 | Competence of personnel | |||
| 7.1.1 | General considerations __Processes to ensure personnel competence. | X | ||
| 7.1.1 (IMDRF-N3) | Auditor competence requirements specified in IMDRF N4 document. | X | ||
| 4.0 §1**(IMDRF-N4)** | Auditing Organization to collect and maintain evidence that demonstrates that personnel involved in auditing activities meet the specified competence requirements contained within this document. | X | ||
| 7.1.2 (IMDRF-N3) | AO to have access to the necessary administrative, technical, and scientific personnel | X | ||
| 7.1.3 (IMDRF-N3) | Management have appropriate knowledge and processes for the selection of auditing personnel, the evaluation and monitoring of their competence, the assignment of their tasks, and their training. | X | ||
| 7.1.4 (IMDRF-N3) | Senior management member having responsibility for medical device regulatory audits | X | ||
| 7.1.5**(IMDRF-N3)** | Professional integrity and technical competence | X | ||
| 7.1.6**(IMDRF-N3)** | Adherence of auditors and staff to Code of Conduct | X | ||
| 5.0**(IMDRF-N4)** | _The employing Auditing Organization shall implement appropriate arrangements to manage perceived or actual conflicts of interest._Each person involved in auditing activities shall sign a Code of Conduct | X | ||
| 7.1.2 | Determination of competence criteria Documented process for determining competence criteria. | X | ||
| 4.0 §2**(IMDRF-N4)** | The Auditing Organization shall have documented processes to initially qualify, maintain, provide support and maintain records. | X | ||
| 4.0 §2**(IMDRF-N4)** | On request, Auditing Organizations are to provide feedback of their experiences with regards to the competence requirements for personnel involved in auditing activities to the recognizing Regulatory Authority(s) | X | ||
| 6.1**(IMDRF-N4)** | Pre-requisite Education | X | ||
| 6.2**(IMDRF-N4)** | Pre-requisite Experience | X | ||
| 6.3**(IMDRF-N4)** | Pre-requisite Competence Requirements – Foundational, functional and technical | X | ||
| 7.0**(IMDRF-N4)** | Competence levels for personnel involved in audits and decision making functions | X | ||
| 8.0**(IMDRF-N4)** | Auditor, Technical Expert and Final Reviewer Experience Requirements | X | ||
| 7.1.3 | Evaluation processes Documented processes for the initial evaluation and ongoing monitoring of competence and performance of all personnel involved in management and performance of audits and other certification activities. | X | ||
| 9.0**(IMDRF-N4)** | Competence evaluation: Criteria, methods, frequency | X | ||
| 7.1.4 | Other considerations Access to technical expertise. | X | ||
| 7.2 | Personnel involved in the certification activities | |||
| 7.2.1 | Competence of personnel managing audit programs. | X | ||
| 7.2.2 | Access to sufficient auditors. | X | ||
| 7.2.3 | Informing each person of their duties, responsibilities and authorities. | X | ||
| 7.2.4 | Defined processes for selecting, training, authorizing and monitoring of auditors, and selection of experts, including the observation of an on-site audit for initial competence evaluation. | X | ||
| 7.2.5 | Processes for demonstrating effective auditing, including the use of auditors with generic auditing knowledge and skills and knowledge and skills for auditing in specific technical areas. | X | ||
| 7.2.6 | Ensuring auditors and technical experts knowledgeable of processes and requirements, and have access to up-to-date documented procedures and instructions. | X | ||
| 7.2.7 | Offer or provide access to specific training for auditors, technical experts and others in certification activities, as needed, to ensure competence. | X | ||
| 7.1**(IMDRF-N4)** | Requirements for mandatory initial training for Final Reviewers, Lead Auditors, Auditors and Technical Experts, | X | ||
| 7.2**(IMDRF-N4)** | Continual Professional Development | X | ||
| 7.2.8 | Competence of person(s) making certification decisions. | X | ||
| 7.2.9 | Ensure satisfactory performance of all personnel involved in audit and certification according to documented procedures and criteria. | X | ||
| 12.0**(IMDRF-N4)** | Remediation when competency requirements have not be met | X | ||
| 7.2.10 | Procedure to monitor auditors including on-site observation, review audit reports, and client feedback | X | ||
| 7.2.11 | Periodically observe performance of each auditor on-site | X | ||
| 7.2.1 (IMDRF-N3) | Functions that cannot be outsourced and associated competence requirements | X | ||
| 7.3 | Use of individual external auditors and external technical experts Written agreement for external auditors/experts. | X | ||
| 7.3.1 (IMDRF-N3) | External auditors and experts not responsible for identifying competency requirements or performing final review | X | ||
| 7.3.2 (IMDRF-N3) | AO requires competence to verify appropriateness and validity of evidence provided by external technical expert | X | ||
| 7.3.3 (IMDRF-N3) | Contractual arrangements between the AO and the external auditor or technical expert, including clause for audits and witnessed audits by RA. | X | ||
| 7.3.4**(IMDRF-N3)** | External auditors and external technical experts are directly assessed by the Auditing Organization to ensure consistency with the IMDRF MDSAP WG N3 and N4 requirements. | X | ||
| 7.4 | **Personnel records. | |||
| **Records of qualification, training, experience, affiliation, professional status, competence, consultancy activities, for all personnel. | X | |||
| 7.4.1 (IMDRF-N3) | Up to date records of auditing assignments and evidence of knowledge and experience. Records should include rationale for scope of auditor responsibilities. | X | ||
| 11.0**(IMDRF-N4)** | Records of Pre-requisites, Competence Evaluation and Monitoring | X | ||
| 7.5 | Outsourcing | |||
| 7.5.1 | Process and legally enforceable arrangements for outsourcing. | X | ||
| 7.5.2 | No outsourcing of the certification decision. | X | ||
| 7.5.3 | AO responsibility for outsourced certification activities. | X | ||
| 7.5.4 | Process for approval and monitoring of bodies providing outsourced services; records of the qualification of auditors. | X | ||
| 7.5.1 (IMDRF-N3) | Subcontractor not responsible for identifying competency requirements or performing final review | X | ||
| 7.5.2 (IMDRF-N3) | AO requires competence to verify appropriateness and validity of evidence provided by subcontractor | X | ||
| 7.5.3 (IMDRF-N3) | Contractual arrangements between the AO and the subcontractor, including clause for witnessed audits by RA. | X | ||
| 7.5.4 (IMDRF-N3) | Auditing Organization responsible for ensuring that all individuals within an outsourced organization that are involved in a regulatory audit are directly assessed by the Auditing Organization to ensure consistency with the IMDRF MDSAP WG N3 and N4 requirements. | X | ||
| 8.0 | Information requirements | |||
| 8.1 | Public information | |||
| 8.1.1 | Publicly accessible information on certification schemes, processes for audit, certification decision, complaints, appeals, and on policy on impartiality | X | ||
| 8.1.2 | Information provided upon request, including status of a certification and details on a client’s certificate information | X | ||
| 8.1.3 | Information provided by AO (including advertising) not misleading | X | ||
| 8.1.1(IMDRF-N3) | AO to comply with RA requirements related to methods of making information on certified manufacturer publicly accessible. | X | ||
| 8.2 | Certification documents | |||
| 8.2.1 | Provision of certification documents to certified clients | X | ||
| 8.2.2 | Details of certification document content | X | ||
| 8.2.1 (IMDRF-N3) | Audit reports and certificates conform to RA requirements | X | ||
| 8.2.2 (IMDRF-N3) | Certificate must reflect the scope of the audit, including regulations covered. Certificate shall not exclude part of processes, products or services from scope of certification | X | ||
| 8.3 | Reference to certification and use of marks (title only) | |||
| 8.3.1 | AO rules governing any management system certification mark it authorizes certified clients to use. | X | ||
| 8.3.2 | AO shall not permit its marks to be applied to laboratory test, calibration or inspection reports. | X | ||
| 8.3.3 | Conditions for referencing the certification on the product packaging or in accompanying information. | X | ||
| 8.3.4 | Legally enforceable arrangement between the AO and the certified client on rules applicable to the client about referring to their certification. | X | ||
| 8.3.5 | AO ownership of marks and reports and control of use and references. | X | ||
| 8.4 | Confidentiality | |||
| 8.4.1 | Policy and arrangements to safeguard confidentiality | X | ||
| 8.4.2 | Inform clients in advance of information to be placed in public domain | X | ||
| 8.4.3 | Written consent to release information | X | ||
| 8.4.4 | Inform client of sharing of confidential information, unless prohibited by law | X | ||
| 8.4.5 | Information from sources other than client (e.g. complainant, regulator) treated as confidential | X | ||
| 8.4.6 | Personnel (internal or external) to keep all information confidential | X | ||
| 8.4.7 | Processes, equipment and facilities to keep confidential information secure | X | ||
| 8.4.1(IMDRF-N3) | Documented procedures in place ensuring confidentiality of information | X | ||
| 8.4.2(IMDRF-N3) | Personnel of AO observe professional secrecy and protect manufacturer’s proprietary rights or trade secrets | X | ||
| 8.5 | Information exchange between a certification body and its clients | |||
| 8.5.1 | Information on the certification activity and requirements _ | |||
| Information provided by the AO to its clients:_ | X | |||
| 8.5.1a8.5.1b8.5.1c8.5.1d8.5.1e****8.5.1f | - Detailed description of all certification activity - Normative requirements for certification - Information on the fees for application, initial certification and continuing certification - Requirements for clients - Rights and duties of certified clients - Complaint and appeal process | X | ||
| 8.5.2 | Notice of changes by the AO (to clients).AO to verify that certified clients comply with new requirements. | X | ||
| 8.5.3 | Notice of changes by a certified client (to the AO)Legally enforceable agreements to include client notification to AO of changes. | X | ||
| **8.6 | ||||
| (IMDRF-N3)** | Information exchange between the auditing organization and regulatory authorities | |||
| 8.6.1**(IMDRF-N3)** | Designation of a regulatory correspondent | X | ||
| 8.6.2 (IMDRF-N3) | AO provides information on audits and certification decisions and reports fraudulent activity within 5 working days | X | ||
| 8.6.3(IMDRF-N3) | Auditing Organization shall provide information to the recognizing Regulatory Authority(s) about the audits and decision on conformity to quality management system requirements. | X | ||
| 8.6.4 (IMDRF-N3) | AO shall notify RAs of certificate suspension/withdrawal decisions within 5 working days | X | ||
| 8.6.5**(IMDRF-N3)** | AO shall notify RAs of specific changes within AO within five (5) working days | X | ||
| **8.7 | ||||
| (IMDRF-N3)** | Information exchange between Auditing Organizations | |||
| 8.7.1**(IMDRF-N3)** | AO shall make audit reports available to new AOs upon transfer | X | ||
| 9 | Process requirements | |||
| 9.0.1(IMDRF-N3) | Documented procedures covering at least the following:- The request for audits by a manufacturer...- Application review for classification of medical device - The language of the request...__- Where appropriate, terms of agreement with manufacturer - Where appropriate, any fees to be charged for audits - The process by which the AO determines which sites of manufacturer will be audited - The assignment of auditors to a specific activity … | X | ||
| 9.1 | Pre-certification activities | |||
| 9.1.1 | Application Required application information. | X | ||
| 9.1.1 (IMDRF-N3) | Gather information related to name and location of critical suppliers | X | ||
| 9.1.2 | Application review | |||
| 9.1.2.1 | Purpose of the application review by the AO. | X | ||
| 9.1.2.2 | Following the review, AO accepts or declines the application. AO to document reasons for declining an application | X | ||
| 9.1.2.3 | Based on the application review, determination of competence needed for the audit team and certification decision. | X | ||
| 9.1.3 | Audit programme | |||
| 9.1.3.1 | Development of an audit program for the full certification cycle. | X | ||
| 9.1.3.2 | Audit program for initial, surveillance and recertification. Three year certification cycle. Adjustments to audit program. | X | ||
| 9. 1.3.3 | Surveillance audits to be conducted at least once a year. | X | ||
| 9.1.3.4 | Taking account of other audits or certification schemes. | X | ||
| 9.1.4 | Determining audit time | |||
| 9.1.4.1 | Documented procedures to determine audit time | X | ||
| 9.1.4.2 | Parameters influencing the audit time | X | ||
| 9.1.4.3 | Documented audit duration and its rationale | X | ||
| 9.1.4.4 | Determined audit duration not to include time from audit team members that are not assigned as auditors (technical experts, auditors-in-training). | X | ||
| 9.1.5 | Program for multi-site sampling. | X | ||
| 9.1.6 | Multiple management systems standards | X | ||
| 9.2 | Planning audits | |||
| 9.2.1 | Determining audit objectives, scope and criteria | |||
| 9.2.1.1 | Audit objectives shall be determined | X | ||
| 9.2.1.2 | Audit objective contents | X | ||
| 9.2.1.3 | Audit scope contents | X | ||
| 9.2.1.4 | Audit criteria contents | X | ||
| 9.2.2 | Audit team selection and assignments | |||
| 9.2.2.1 | General | |||
| 9.2.2.1.1 | Process to select and appoint audit team to achieve audit objectives and impartiality requirements | X | ||
| 9.2.2.1.2 | Considerations when determining the size and composition of audit team | X | ||
| 9.2.2.1.3 | Technical experts, translators and interpreters to operate under direction of an auditor. Translators and interpreters not to influence auditors. | X | ||
| 9.2.2.1.4 | Participation of auditors-in-training only if an auditor is assigned as an evaluator. | X | ||
| 9.2.2.1.5 | Audit team leader shall assign responsibility | X | ||
| 9.2.2.2 | Observers, technical experts and guides. | |||
| 9.2.2.2.1 | Observers Observer not to influence or interfere in the audit process or outcome | X | ||
| 9.2.2.2.2 | Technical experts Technical expert not to act as an auditor; to be accompanied by an auditor | X | ||
| 9.2.2.2.3 | Guides Guide not to influence or interfere in the audit process or outcome | X | ||
| 9.2.3 | Audit plan | |||
| 9.2.3.1 | **General | |||
| ** Audit plan to be established prior to each audit | X | |||
| 9.2.3.2 | Preparing the audit plan.Content of an audit plan. | X | ||
| 9.2.3.3 | **Communication of audit team tasks | |||
| ** AO to communicate to the client the tasks given to the audit team: a)****Verifying structure, policies, processes, procedures, records and related documents related to QMS b) Determining 9.2.3.3a meets requirements relevant to scope of certification c) Determining processes and procedures are established, implemented and maintained effectively d) Communicating inconsistencies with client | X | |||
| 9.2.3.4 | Communication of audit plan to client. | X | ||
| 9.2.3.5 | Communication concerning audit team members Providing information about audit team members to provide the client sufficient time to object. | X | ||
| 9.2 Exception (IMDRF-N3) | Manufacturer cannot object the composition of the audit team, but may excess concerns related to the audit team composition using the appeals process. | X | ||
| 9.3 | Initial Certification | |||
| 9.3.1 | Initial certification audit | |||
| 9.3.1.1 | General Initial certification audit in two stages. | X | ||
| 9.3.1(IMDRF-N3) | AO to determine how best to accomplish tasks of Stages 1 and 2 (off-site review and on-site verifications). Stages 1 and 2 audits may be combined | X | ||
| 9.3.2 (IMDRF-N3) | All sites covered by the certificate must be audited | X | ||
| 9.3.1.2 | Stage 1 audit | |||
| 9.3.1.2.1 | Planning to ensure objectives can be met; client to be informed of any on-site activity | X | ||
| 9.3.1.2.2 | Stage 1 audit objectives. | X | ||
| 9.3.1.2.3 | Conclusions and findings of Stage 1 audit to be documented and communicated to the client. | X | ||
| 9.3.1.2.4 | Considerations for stage 2 audit arrangements based on stage 1 audit findings. | X | ||
| 9.3.1.3 | Stage 2 audit Stage 2audit objectives – evaluation of the implementation and effectiveness of the QMS – and requirements. | X | ||
| 9.3.3(IMDRF-N3) | Stage 2 audit objectives include verification that manufacturer’s QMS includes regulatory requirements and ensures compliance with these requirements | X | ||
| 9.3.1.4 | Initial certification audit conclusions Analysis of stage 1 and stage 2 audits for initial certification audit conclusions. | X | ||
| 9.4 | Conducting audits | |||
| 9.4.1 | General Process for conducting on-site audits. Considerations for audits conducted by electronic means or audits of virtual sites. | X | ||
| 9.4.2 | Conducting the opening meeting.Objectives and content of the opening meeting | X | ||
| 9.4.3 | Communication during the audit | |||
| 9.4.3.1 | Assess progress and exchange information | X | ||
| 9.4.3.2 | Where available audit evidence indicates a presence of an immediate and significant risk. | X | ||
| 9.4.3.3 | On site audit evidence requires changes to audit scope | X | ||
| 9.4.4 | Obtaining and verifying information | |||
| 9.4.4.1 | Information relevant to the audit objectives, scope and criteria to obtained by sampling and verified. | X | ||
| 9.4.4.2 | Methods to obtain information | X | ||
| 9.4.5 | Identifying and recording audit findings | |||
| 9.4.5.1 | Audit findings summarizing conformity and detailing nonconformity to be identified, classified and recorded | X | ||
| 9.4.5.2 | Restrictions on opportunities for improvement | |||
| 9.4.1 (IMDRF-N3) | Audit reports shall not contain “Opportunities for Improvement” | X | ||
| 9.4.5.3 | Details on findings of nonconformities | X | ||
| 9.4.2 (IMDRF-N3) | Use of GHTF nonconformity grading system (N19 document) | X | ||
| 9.4.3 (IMDRF-N3) | The grade of the nonconformity must take into account any prior audit. | X | ||
| 9.4.5.4 | Audit team leader to attempt to resolve any diverging opinions; unresolved points to be recorded. | X | ||
| 9.4.6 | Preparing audit conclusions | X | ||
| 9.4.7 | Conducting the closing meeting. | |||
| 9.4.7.1 | Closing meeting to present conclusions including recommendations and nonconformities. | X | ||
| 9.4.7.2 | Additional content | X | ||
| 9.4.7.3 | The client has opportunity for questions and expression of diverging opinions | X | ||
| 9.4.8 | Audit Report | |||
| 9.4.8.1 | Written audit report for each audit. | X | ||
| 9.4.8.2 | _Audit team leader responsible for the content of the audit report._The report shall provide an accurate, concise and clear record of the audit to enable an informed decision. Details on report content. | X | ||
| 9.4.8.3 | Audit report conclusions | X | ||
| 9.4.9 | Cause analysis of nonconformities AO to require client to analyse cause and describe correction and corrective actions within a defined time. | X | ||
| 9.4.10 | ** _Effectiveness of corrections and corrective actions | |||
| _** AO to review of corrections, identified causes, and corrective action by client and verify actions effectiveness. Evidence shall be recorded. Client to be informed of the review and verification.AO to inform the client of additional audits or documented evidence to verify actions effectiveness. | X | |||
| 9.5 | Certification decision __ | |||
| 9.5.1 | General | |||
| 9.5.1.1 | Certifiers to be different from those that carried out the audits and be competent. | X | ||
| 9.5.1.2 | Certifiers to be employed or under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body | X | ||
| 9.5 Exception (IMDRF-N3) | A legally enforceable arrangement with an entity other than the Auditing Organization is not acceptable | X | ||
| 9.5.1.3 | Certifier to fulfil requirements regardless whether employed or under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body | X | ||
| 9.5.1.4 | Certification decision to be recorded | X | ||
| 9.5. | Actions prior to making a decision Prior to granting certification, verification of correction and corrective action for significant nonconformities and acceptable plans for other nonconformities must be reviewed and accepted by the AO. | X | ||
| 9.5.3 | Information for the initial certification decision | |||
| 9.5.3.1 | Minimum information to be provided by audit team for the initial certification decision | X | ||
| 9.5.3.2 | AO to conduct another stage 2 prior to recommending certification if not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months | X | ||
| 9.5.3.3 | Process for the transfer of certification from another AO. | X | ||
| 9.5.1 (IMDRF-N3) | Minimal criteria for getting certified or recertified, considering the grade and number of nonconformities. | X | ||
| 9.5.2 (IMDRF-N3) | The AO must have sufficient and reliable evidence to support a decision on conformity to regulatory requirements | X | ||
| 9.5.3 (IMDRF-N3) | The AO must not conclude that the manufacturer complies with regulatory requirements when information indicates a public health threat. Such information must be reported within 5 days. | X | ||
| 9.5.4 | Information for granting recertification Decisions on renewing certification based on the review of the recertification audit plus results over the period of certification plus complaints from users. | X | ||
| (IMDRF-N3) | 9.5.1 to 9.5.3 above | |||
| 9.6 | Maintaining certification | |||
| 9.6.1 | General The AO to maintain certification based on demonstration that the client continues to satisfy the QMS requirements. | X | ||
| 9.6.3(IMDRF-N3) | The AO must perform an independent review of the audit report when the audit team leader is an external resource | X | ||
| 9.6.2 | Surveillance activities | |||
| 9.6.2.1 | General | |||
| 9.6.2.1.1 | Surveillance activities to monitor representative areas and functions covered by the QMS | X | ||
| 9.6.2.1.2 | Surveillance activities to include, but not limited to, on-site audits. | X | ||
| 9.6.2.2 | Surveillance audit Surveillance audit minimum content | X | ||
| 9.6.1(IMDRF-N3) | Surveillance audits shall also include review of issues related to safety and effectiveness | X | ||
| 9.6.2(IMDRF-N3) | Surveillance audit objectives during the audit cycle shall include evaluation of the effectiveness of the manufacturer’s QMS incorporating the applicable regulatory requirements and the manufacturer’s ability to comply with these requirements | X | ||
| 9.6.3 | Recertification | |||
| 9.6.3.1 | Recertification audit planning | |||
| 9.6.3.1.1 | Recertification audit planned to evaluate continued fulfilment and effectiveness of the management system. | X | ||
| 9.6.3.1.2 | Recertification audit to include the review of surveillance audit reports and consider the performance of the QMS over the period of certification. | X | ||
| 9.6.3.1.3 | Recertification audit activities may need a stage 1 in case of significant changes. | X | ||
| 9.6.4**(IMDRF-N3)** | All sites recorded on the certificate must be audited | X | ||
| 9.6.3.2 | Recertification audit | |||
| 9.6.3.2.1 | Recertification audit shall include an on-site audit that addresses effectiveness, improvement, and achievement of policies and objectives. | X | ||
| 9.6.5**(IMDRF-N3)** | Recertification audits objectives | X | ||
| 9.6.3.2.2 | For major nonconformities, AO to define time limits for correction and corrective action to be implemented and verified prior to expiration of certification. | X | ||
| 9.6.3.2.3 | When recertification activities are successfully completed before expiry date of existing certification, expiry date of the new certification to be based on expiry date of existing certification. | X | ||
| 9.6.3.2.4 | Certification cannot be renewed or extended if the AO has not completed the recertification audit or is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification | X | ||
| 9.6.3.2.5 | AO can restore certification within 6 months after expiration if outstanding recertification activities are completed. | X | ||
| 9.6 Exception**(IMDRF-N3)** | AO to schedule recertification audit with sufficient time to complete the recertification process before the certificate expires | X | ||
| 9.6.4 | Special audits | |||
| 9.6.4.1 | Extensions to scope | X | ||
| 9.6.4.2 | Short-notice audits AO documented process for short notice audits in response to complaints or suspension. | X | ||
| 9.6.6(IMDRF-N3) | Special audits requested by RA | X | ||
| 9.6.7(IMDRF-N3) | Criteria for regulatory unannounced audits | |||
| 9.6.7(1) (IMDRF-N3) | Triggering criteria: previous audit findings | X | ||
| 9.6.7(2) (IMDRF-N3) | Triggering criteria: suspicion of serious nonconformities | X | ||
| 9.6.(3) (IMDRF-N3) | Contractual arrangements with the manufacturer for unannounced audits | X | ||
| 9.6.8(IMDRF-N3) | Reports of unannounced audit performed per RA’s request must be provided to the RA. | X | ||
| 9.6.5 | Suspending, withdrawing or reducing the scope of certification | |||
| 9.6.5.1 | Policy and procedure for suspension, withdrawal or reduction of scope of certification | X | ||
| 9.6.5.2 | Motives for suspending a certificate | X | ||
| 9.6.5.3 | Under suspension, the certification is temporarily invalid. | X | ||
| 9.6.5.4 | AO to restore certification if the issue has been resolved in specified time. AO to withdraw certification or reduce the scope of certification otherwise. | X | ||
| 9.6.5.5 | Reduce scope to exclude parts of QMS that do not meet requirements | X | ||
| 9.6.9(IMDRF-N3) | AO informs RA of actions taken on certificate | X | ||
| 9.7 | Appeals | |||
| 9.7.1 | Documented process on appeals | X | ||
| 9.7.2 | AO responsible for all appeal decisions. Persons engaged in appeal handling to be different from those who carried out the audit. | X | ||
| 9.7.3 | No discriminatory actions against appellant | X | ||
| 9.7.4 | Appeals process to include specified elements and methods | X | ||
| 9.7.5 | AO responsible for gathering and verifying all necessary information to validate the appeal. | X | ||
| 9.7.6 | Acknowledge receipt of appeals and provide progress reports | X | ||
| 9.7.7 | Final decision made by, or reviewed and approved by independent party | X | ||
| 9.7.8 | AO to give formal notice at end of process | X | ||
| 9.8 | Complaints | |||
| 9.8.1 | AO responsible for all decisions of the complaint-handling process. | X | ||
| 9.8.2 | No discriminatory actions against complainant | X | ||
| 9.8.3 | AO confirm complaint relates to certification activities | X | ||
| 9.8.4 | AO to refer valid complaints about a client to that client | X | ||
| 9.8.5 | Documented process to receive, evaluate and make decisions on complaints, including considerations for confidentiality. | X | ||
| 9.8.6 | Complaint-handling process to include specified elements and methods | X | ||
| 9.8.7 | AO responsible for gathering and verifying all necessary information to validate the complaint. | X | ||
| 9.8.8 | Whenever, possible, AO to acknowledge receipt of complaint and provide progress reports and outcome | X | ||
| 9.8.9 | Final decision made by, or reviewed and approved by independent party | X | ||
| 9.8.10 | Whenever, possible, AO to give formal notice at end of process | X | ||
| 9.8.11 | Determining whether to announce complaint and resolution publicly | X | ||
| 9.8.1 (IMDRF-N3) | AO sends RA copy of any safety and effectiveness, or public health risk complaint related to a medical device manufacturer | X | ||
| 9.9 | Client records | |||
| 9.9.1 | AO to maintain records on all audit and other certification activities, for all organizations that submitted an application. | X | ||
| 9.9.2 | List of records on certified clients | X | ||
| 9.9.3 | Records to be maintained in a secure area to ensure confidentiality | X | ||
| 9.9.4 | Documented policy and procedure on record retention | X | ||
| 10.0 | Management system requirements for certification bodies | |||
| 10.1 | Options AO establish and maintain an ISO 9001 (10.2) or general management system (10.3) | X | ||
| 10.1.1 (IMDRF-N3) | AO’s management system capable of consistent achievement of applicable medical device legislation or regulatory policies or programs | X | ||
| 10.1.2 (IMDRF-N3) | AO shall retain records of conformity to this document for a period of time not less than 15 years. | X | ||
| 10.1.3 (IMDRF-N3) | AO measure, monitor and analyse audit program | X | ||
| 10.1.4 (IMDRF-N3) | Internal audits must cover all locations involved in medical device regulatory auditing. | X | ||
| 10.2 | Option A: General management system requirements | |||
| 10.2.1 | General AO to establish, document, implement and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of 17021-1:2015 | X | ||
| 10.2.2 | Management system manual Applicable requirements addressed in a manual or associated documents | X | ||
| 10.2.3 | Control of documents Procedures to control documents | X | ||
| 10.2.4 | Control of records Procedures to control records | X | ||
| 10.2.5 | Management review | |||
| 10.2.5.1 | General _ | |||
| Management shall establish procedures to review its management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness._ | X | |||
| 10.2.5.2 | Review inputs _ | |||
| List of inputs to management review._ | X | |||
| 10.2.5.3 | Review outputs List of outputs to management review. | X | ||
| 10.2.6 | Internal audits | |||
| 10.2.6.1 | AO shall establish procedures for internal audits. | X | ||
| 10.2.6.2 | Considerations for the planning of the audit program. | X | ||
| 10.2.6.3 | Internal audits shall be performed at least once every 12 months. | X | ||
| 10.2.6.4 | AO to ensure competent and independent auditors, appropriate communication of audit outcomes, resulting actions taken in a timely and appropriate manner, and any opportunities for improvement are identified. | X | ||
| 10.2.7 | Corrective actions AO to establish procedures for identification and management of nonconformities and for taking corrective actions to eliminate their causes | X | ||
| 10.3 | Option B: Management system requirements in accordance with ISO 9001 | |||
| 10.3.1 | General AO’s management system is in accordance with ISO 9001 | X | ||
| 10.3.2 | Scope Scope of management system includes design and development of certification services | X | ||
| 10.3.3 | Customer focus AO to consider credibility of certification and address needs of all parties that rely upon its audit and certification services | X | ||
| 10.3.4 | Management review AO include in management review information on relevant appeals and complaints | X |
*** Decisions can be one of the following:** Initial recognition with scope; Maintenance of recognition; Extension or restriction of scope; Re-recognition with scope maintained, restricted or extended; Cessation of recognition; or, No recognition. ↑
Such evidence may also need to be forwarded to legal authorities for verification and/or for potential additional legal action. ↑
See IMDRF/MDSAP WG/N3– clause 5.1 ↑