Published: 2023-09-27 Views: 679 Author: 天之恒
IMDRF/MDSAP WG/N5FINAL:2013
Final Document
Title: Regulatory Authority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations
Authoring Group: IMDRF Medical Device Single Audit Program Work Group
Date: 9 December 2013
Despina Spanou, IMDRF Chair
This document was produced by the International Medical Device Regulators Forum. There are no restrictions on the reproduction or use of this document; however, incorporation of this document, in part or in whole, into another document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the International Medical Device Regulators Forum.
Copyright © 2013 by the International Medical Device Regulators Forum.
Table of Contents
1.0 Scope
2.0 References
3.0 Definitions
4.0 Assessment Cycle and Assessment Program
4.1 Assessment Program Roles and Responsibilities
4.2 Purpose of Assessments within the Assessment Program
4.3 Assessment Activities throughout the Assessment Cycle
5.0 Assessment Method
5.1 Conducting an assessment
5.2 Navigating the Assessment
6.0 Assessment of Auditing Organization’s Processes
6.1 Process: Management
6.2 Process: Use of External Resources
6.3 Process: Measurement, Analysis and Improvement
6.4 Process: Competence Management
6.5 Process: Audit and Decisions Process
6.6 Process: Information Management
The document herein was produced by the International Medical Device Regulators Forum (IMDRF), a voluntary group of medical device regulators from around the world.
There are no restrictions on the reproduction, distribution or use of this document; however, incorporation of this document, in part or in whole, into any other document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the International Medical Device Regulators Forum.
Introduction
This is one document in a collection of documents produced by the International Medical Device Regulators Forum (IMDRF) intended to implement the concept of a Medical Device Single Audit Program (MDSAP). Two documents, IMDRF MDSAP WG N3 – “Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition” and IMDRF MDSAP WG N4 – “Competence and Training Requirements for Auditing Organizations,” are complementary documents. These two documents N3 and N4 are focused on requirements for an Auditing Organization and individuals performing regulatory audits and other related functions under the respective medical device legislation, regulations, and procedures required in its regulatory jurisdiction.
Two additional documents, this document IMDRF MDSAP WG N5 – “Regulatory Authority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations” and IMDRF MDSAP WG N6 - “Regulatory Authority Assessor Competence and Training Requirements,” are complementary documents. These two documents N5 and N6 are focused on how Regulatory Authorities and their assessors will evaluate or “assess” medical device Auditing Organizations’ compliance to the requirements in the IMDRF MDSAP N3 and N4 documents.
In addition, IMDRF MDSAP WG N11 will define a method to “grade” nonconformities resulting from a Regulatory Authority assessment of an Auditing Organization and to document the decision process for recognizing an Auditing Organization or revoking recognition.
This collection of IMDRF MDSAP documents will provide the fundamental building blocks by providing a common set of requirements to be utilized by the Regulatory Authorities for the recognition and monitoring of entities that perform regulatory audits and other related functions. It should be noted that in some jurisdictions the recognition process is called designation, notification, registration, or accreditation.
IMDRF developed MDSAP to encourage and support global convergence of regulatory systems, where possible. It seeks to strike a balance between the responsibilities of Regulatory Authorities to safeguard the health of their citizens as well as their obligations to avoid placing unnecessary burdens upon Auditing Organizations or the regulated industry. IMDRF Regulatory Authorities may add additional requirements beyond this document when their legislation requires such additions.
The purpose of this document is to describe the assessment program and assessment method implemented by Medical Device Regulatory Authorities under the framework of the IMDRF MDSAP. To prevent confusion between audits of manufacturers performed by auditors within an Auditing Organization and audits of Auditing Organizations performed by medical device Regulatory Authority assessors, in this document, the latter are designated as “assessments.”
This document defines the content of the Regulatory Assessment Program. The Assessment Program defines how Regulatory Authorities will recognize, monitor, and re-recognize Auditing Organizations under the framework of the IMDRF MDSAP.
Recognition, monitoring and re-recognition are based on a process-based assessment method utilizing assessment tasks related to the requirements found in IMDRF MDSAP WG N3 and N4. The assessment method defined in this document will be used to perform the different assessment activities within the Assessment Program.
· IMDRF MDSAP N3 - Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition
· IMDRF MDSAP N4 - Competence and Training Requirements for Auditing Organizations
· IMDRF MDSAP N6 - Regulatory Authority Assessor Competence and Training Requirements
· ISO/IEC 17000:2004 - Conformity assessment - Vocabulary and general principles
· ISO/IEC 17021:2011 - Conformity Assessment - Requirements for bodies providing audit and certification of management systems
· GHTF/SG1/N78:2012 - Principles of Conformity Assessment for Medical Devices
· GHTF/SG3/N19:2012 - Quality management system - Medical devices - Nonconformity Grading System for Regulatory Purposes and Information Exchange
This document defines a consistent Assessment Cycle and Assessment Program for Regulatory Authorities to assess Auditing Organizations for recognition and for the maintenance of recognition through monitoring activities. A key element is to ensure consistency in the Assessment Program implementation, regardless of the designated assessment team and the Auditing Organization.
ISO 17011:2005 allows for an Assessment Program with the maximum of a 5-year cycle. For the regulated medical device sector an Auditing Organization Assessment Program should follow a 3 or 4-year cycle. Regardless of whether a 3 or 4-year cycle is chosen, the Assessment Program described in this document makes provision for additional Special Assessments, if required, to provide confidence in a recognition decision. The recognizing Regulatory Authority should assess the resources required for a 3 or 4 year cycle, considering assessor personnel, assessment management, travel budgets etc., before committing to a particular cycle length for their Assessment Program. A 4-year cycle is illustrated in Figure 1.
Figure 1: 4-year Assessment Cycle
The Assessment Cycle includes an Initial Assessment, annual Surveillance Assessments, and a Re-recognition Assessment. Figure 2 identifies the different assessment activities within each aspect of the Assessment Program.
Figure 2: Assessment Program with Assessment Activities through the Assessment Cycle
The application of the Assessment Program may be modified as needed, for example with additional Special Assessments, to take into account information collected throughout the Assessment Cycle of a particular Auditing Organization.
Regulatory Authority assessment planning should consider:
· Past performance of the Auditing Organization including the previous assessment and identified nonconformities;
· A review of documentation for any significant changes at the Auditing Organization including those necessary to account for any changes in the recognizing regulatory program or requirements;
· The key procedures of the Auditing Organization; and,
· A selection of medical device manufacturer client files, where possible, that may be identified by the report of adverse events, compliance issues, and other regulatory signals.
The key roles and responsibilities in the Assessment Program are as follows:
Assessment team including, as necessary, an assessment team leader and assessor(s):
· Performs the assessment activity, according to the Assessment Program;
· Provides a recommendation relative to the recognition status of the Auditing Organization;
· Makes recommendations for changes to or adjustments to the application of the Assessment Program for specific Auditing Organizations, as necessary;
· Makes recommendations for critical location assessments and witnessed audits; and,
· Reviews and approves the Auditing Organization’s response to assessment findings.
Assessment Program Manager:
· Interfaces with the Auditing Organization to collect the application and associated information and to communicate the outcome of assessment activities;
· Drafts, maintains and updates an Assessment Program for each Auditing Organization;
· Ensures the assessment activities are planned and implemented according to the Assessment Program;
· Assigns the assessment team members, specifies their role, and provides them with necessary information for the assessment activity; and,
· Reviews assessment outcomes, performs quality checks of the assessment activities, and prepares a final assessment outcome recommendation.
Note: if the recognizing Regulatory Authority chooses to have more than one Assessment Program Manager, an Assessment Program Manager may not act as an assessor for an Auditing Organization for which he/she manages the Assessment Program, in order to remain independent from the outcome of the assessment activities.
Recognizing function within the Regulatory Authority:
· Approves application of the Assessment Program to an Auditing Organization; and,
· Makes recognition decisions.
The purpose of the Initial Assessment includes the following:
· Define an individual Assessment Program plan for the particular Auditing Organization; and,
· Assessment of the compliance of the particular Auditing Organization’s management system to all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to recognize the Auditing Organization.
The purpose of the Surveillance Assessment includes maintaining confidence that the Auditing Organization continues to fulfill the regulatory requirements including IMDRF MDSAP WG N3 and N4 documents between re-recognition assessments.
The purpose of the Re-recognition Assessment includes the assessment of the continued compliance of the Auditing Organization’s management system to satisfy all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to renew the recognition of the Auditing Organization.
Before proceeding with the assessment of the Auditing Organization, the recognizing Regulatory Authority shall conduct a review of the application and related information to ensure that the information about the Auditing Organization and its management system is sufficient for the conduct of the assessment.
The Stage 1 Assessment shall be performed to:
· Review the Auditing Organization’s management system documentation to confirm that it covers all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
· Evaluate the Auditing Organization’s understanding of regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
· Collect information necessary to define the scope of recognition;
· Identify the Auditing Organization’s locations and site-specific conditions;
· Evaluate if the Auditing Organization has planned and/or performed internal audits and management reviews;
· Gain sufficient understanding of the Auditing Organization’s structure, operations, and management system to define the individual Assessment Program plan;
· Evaluate the preparedness of the Auditing Organization to submit to the Stage 2 On-Site Assessment; and,
· Review the need for specific resources during the Stage 2 On-Site Assessment.
A recognizing Regulatory Authority may carry out part of the Stage 1 Assessment at the Auditing Organization’s head office.
Stage 1 Assessment findings shall be documented and communicated to the Auditing Organization, including any identified areas of concern that could be classified as a nonconformity during the Stage 2 On-Site Assessment.
The Stage 2 On-Site Assessment is to evaluate the implementation, including effectiveness, of the Auditing Organization's management system.
The Stage 2 On-Site Assessment shall take place at the Auditing Organization's head office.
It shall include at least the following:
· Evaluate the conformity of the Auditing Organization’s management system documentation to meet all the regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
· Evaluate the evidence of implementation, monitoring, measuring, reporting and reviewing by the Auditing Organization of its activities against policies, procedures and objectives from its management system (consistent with the expectations for recognition);
· Review the operational controls of the Auditing Organization’s processes, including when implemented by external resources;
· Confirm that the Auditing Organization conducted internal audits and management reviews; and,
· Confirm the competence of the Auditing Organization and the resources available necessary to fulfill the obligations for the scope of recognition.
The recognizing Regulatory Authority shall observe the performance of the Auditing Organization during an audit of a medical device manufacturer during the Assessment Cycle.
The purpose of witnessed audits is to verify the performance of an Auditing Organization with regards to:
· Conformity of the practices to the requirements of section 9 of IMDRF MDSAP WG document N3;
· Ability of the Auditing Organization to determine the conformity of medical device manufacturers to regulatory requirements;
· Ability of the Auditing Organization to reliably report on the audit findings including the nonconformities; and,
· Ability of the Auditing Organization to select audit teams with the necessary competence.
The recognizing Regulatory Authority shall select the audits to observe and inform the Auditing Organization. The recognizing Regulatory Authority shall make an attempt to perform Witnessed Audits across a variety of different medical device manufacturers.
When selecting an Audit to observe, the following factors should be considered:
· The classification of the devices manufactured;
· The type of audit being conducted, either initial or re-certification audit;
· Geographical location of the audit;
· The identity of the auditors assigned;
· Manufacturing processes and technology being used; and,
· Known problems with the manufacturer being audited or their devices that have been identified from adverse events, post-market surveillance data, etc.
Prior to performing the Witnessed Audit, the Auditing Organization shall provide to the recognizing Regulatory Authority the following information:
· Medical device manufacturer contact information;
· Medical device manufacturer’s quality manual and if requested, other documents;
· Scope for which the medical device manufacturer is being audited;
· Previous audit report(s) of the medical device manufacturer;
· Status of nonconformities identified during previous audits;
· Composition of the audit team, including the rationale for their selection;
· Copy of the information provided by the Auditing Organization to the audit team for planning the audit;
· Rationale for the audit’s duration; and,
· Audit plan.
During the Witnessed Audit, the assessors shall refrain from interfering and influencing the conduct and conclusion of the audit. There should be no direct communication between the assessor and the audited medical device manufacturers. Any communication between the assessor and the auditing team regarding the audit should occur after the conclusion of the audit.
Witnessed audit findings shall be documented and communicated to the Auditing Organization after the review of the audit report by the assessment team.
When any of the critical functions listed below are undertaken at locations other than the head office, including by external organizations, the recognizing Regulatory Authority shall consider the performance of an assessment at such critical locations throughout the assessment cycle.
Critical functions include:
· The development and approval of the management system policies, processes, and procedures for the audit of medical device manufacturers under the recognition program;
· The review and acceptance of applications from medical device manufacturers and the issuance of contracts, including the determination of the scope and duration of the audit;
· The assignment of audit teams;
· The technical review of audit reports;
· Competence management activities that apply to auditors, technical experts, and final reviewers; and,
· The management, monitoring, and oversight by the Auditing Organization of the medical device audit program.
On-Site Assessment of Critical Locations is performed to:
· Review the relationship between the head office of the Auditing Organization and the Critical Location;
· Review, if applicable, the arrangements between the head office of the Auditing Organization and the Critical Location;
· Evaluate the management system operated at the Critical Location to satisfy the requirements of the Auditing Organization;
· Evaluate the conformity of the activities undertaken by the Critical Location on behalf of the Auditing Organization to the requirements of the Auditing Organization’s management system or to the arrangements between the head office of the Auditing Organization and the Critical Location;
· Evaluate the conformity of activities undertaken by the Critical Location on behalf of the Auditing Organization to the corresponding regulatory requirements including IMDRF MDSAP WG N3 and N4 documents; and,
· Evaluate the controls in place at the Critical Location that would enable the Auditing Organization to monitor the activities at that location.
The Surveillance On-Site Assessment is to evaluate the implementation, including effectiveness, of the Auditing Organization's management system.
The Surveillance On-Site Assessment shall take place at the Auditing Organization's head office.
It shall include at least the following:
· Review of internal audits and management review;
· Review of Competence Management activities;
· Review of actions taken on nonconformities identified during the previous audit;
· Treatment of complaints and appeals;
· Evaluation of the effectiveness of the management system with regard to achieving the Auditing Organization’s objectives as it relates to the scope of recognition;
· Evaluate records of audit and decision on conformity of medical device manufacturer to regulatory requirements;
· Evaluate continuing operational control; and,
· Review any changes.
Surveillance On-Site Assessment shall be conducted annually at the anniversary date of the Stage 2 Assessment, with a tolerance of +/- 3 months.
It is recommended that the recognizing Regulatory Authority, as part of the assessment planning and preparation, reviews a sample of audit reports made available by the Auditing Organization.
The Re-Recognition On-Site Assessment shall consider the performance of the Auditing Organization’s management system over the period of recognition and include the review of assessment reports from the last assessment cycle.
The Re-Recognition On-Site Assessment may need to have a Stage 1 Assessment in situations where there have been significant changes to the Auditing Organization, its management system, or of the requirements from the recognizing Regulatory Authority.
The Re-Recognition On-Site Assessment shall include the following:
· Evaluate the effectiveness of the Auditing Organization’s management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of recognition;
· Confirm the continued conformity of the Auditing Organization’s management system to regulatory requirements including IMDRF MDSAP WG N3 and N4 documents; and,
· Confirm the commitment of the Auditing Organization to maintain the effectiveness of the management system.
A Special Assessment is in addition to other assessment activities defined in the typical assessment cycle. A Special Assessment may be triggered by:
· The Auditing Organization requesting a change of the scope of recognition or following a notice of change potentially affecting the result of prior assessments;
· The recognizing Regulatory Authority based on signals indicating concerns with regards to the Auditing Organization’s activities; or,
· The results of previous regulatory assessment activities.
Figure 3 presents the Assessment Method implemented by the recognizing Regulatory Authority assessors through six processes. This method will be applied regardless of how the Auditing Organization defines its operations and quality management system.
The Auditing Organization must address the requirements specified in IMDRF MDSAP WG N3 and N4, as well as the ISO/IEC 17021:2011 standard. The recognizing Regulatory Authority assessors should utilize the assessment method described here for assessments at the head offices or critical locations. The suggested assessment sequence was designed and developed to allow assessors to conduct the assessment activities in a focused and efficient manner. The sequence of the assessment is less important however, as compared to ensuring the necessary coverage of the six processes. The initial and re-recognition assessment reports must address all six processes.
The Assessment Method is a process approach and includes the following processes: (1) Management, (2) Use of External Resources, (3) Measurement, Analysis and Improvement, (4) Competence Management, (5) Audit and Decisions, and (6) Information Management.
Figure 3: Assessment method
During the assessment of the Auditing Organization's quality management system as identified in the six processes, the assessment team should be mindful of "linkages." In order for an Auditing Organization’s quality management system to function effectively, it has to identify and manage numerous interrelated (linked) processes. The output of one process often directly forms the input to other processes, or the activities of some processes are relevant to other processes.
The goal of an assessment is to ensure Auditing Organizations make decisions that provide confidence in the conformity of medical devices to regulatory requirements when placed on the market.
Each process will require the assessment team to accomplish assessment tasks to determine if the process outcomes and the process purpose are achieved and the corresponding risks appropriately addressed. Within the description of the assessment tasks, there are references to the applicable clause(s) of the ISO/IEC 17021:2011 standard and to the clauses of the IMDRF MDSAP WG N3 and N4 documents. These references have been provided to assist the assessors in assuring all the requirements are addressed during the assessments.
During the assessment, it is important that the assessors are mindful of any instances where the Auditing Organization demonstrates failure to fulfil any of the defined requirements listed in the assessment tasks, and that these nonconformities are recorded in appropriate detail.
Particular attention should be paid to the potential interrelationship of the nonconformities. For example, assessment nonconformities in both the Audit and Decisions process and the Competence Management process may in combination be significant since the planning of medical device manufacturer audits, the assignment of competent auditors and the systematic characterization of the decision making, are essential for determining a medical device manufacturer’s conformity to regulatory requirements.
This section describes the processes evaluated by the assessment team. The assessment processes are each presented with a purpose, outcome, risks relative to the process, and the list of specific tasks for that process.
The purpose of assessing the Management process is to verify that top management ensures that an adequate and effective quality management system has been established and maintained by the Auditing Organization for the control of all activities related to the audit and the decisions on conformity of medical device manufacturers to regulatory requirements. The assessment should conclude with a reflection on the Management process in order to confirm the commitment of top management and the effective implementation of the Auditing Organization’s management system.
As a result of the assessment of the Management process, objective evidence will show whether the Auditing Organization has:
A) Identified processes needed for their management system, their application throughout the organization, and their sequence and interaction.
B) Established a management system to support the effective auditing of medical device manufacturers and decisions with regards to the manufacturers’:
1) conformity to regulatory requirements; and,
2) ability to ensure adherence with legal and contractual requirements and other requirements to which the organization is committed.
C) Established quality objectives at relevant functions and levels within the organization consistent with the quality policy and ensured that these are periodically reviewed for continued suitability.
D) Committed sufficient resources and competent personnel.
E) Assigned responsibility and authority to personnel and established the organizational structure to ensure quality is not compromised.
F) Defined, documented, and implemented procedures for the control of impartiality, the protection of confidential information, and the transparency with regards to auditing and decisions.
G) Ensured the continued effectiveness of the management system and its processes.
The failure of the management process poses the following risks:
· Lack of consistency in the Auditing Organization’s practices;
· Lack of impartiality of the auditors and staff involved in the auditing and decision activities;
· Lack of competency of the auditors and staff involved in the auditing and decision activities;
· Lack of reliability in the audits;
· Lack of credibility of the decision; and/or,
· Lack of proper communication with the recognizing Regulatory Authorities, preventing the implementation of targeted enforcement actions towards delinquent medical device manufacturers.
6.1.4 Assessment Tasks
Applicable requirements
ISO/IEC 17021:2011 clauses: 5.1.1, 5.3.1, 5.3.2
IMDRF MDSAP WG N3 clauses: 5.1, 5.1.1, 5.1.2, 5.1.3, 5.3.1, 5.3.2
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.3.1, 10.3.2
IMDRF MDSAP WG N3 clauses: 6.1.2, 6.1.4, 6.1.5, 6.1.7, 10.1.1
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.3.1, 10.3.5
IMDRF MDSAP WG N3 clauses: Not Applicable
Applicable requirements
ISO/IEC 17021:2011 clauses: 6.1.1, 6.1.2, 6.1.3, 6.2.2, 7.2.1, 7.2.3, 10.3.1
IMDRF MDSAP WG N3 clauses: 5.1.3, 6.1.5, 6.1.6, 7.1.4, 8.7.1
Applicable requirements
ISO/IEC 17021:2011 clauses: 7.2.2
IMDRF MDSAP WG N3 clauses: Not applicable
Applicable requirements
ISO/IEC 17021:2011 clauses: 5.2.1 to 5.2.13, 5.3.2, 6.2.1 to 6.2.3, 7.3, 7.5.2
IMDRF MDSAP WG N3 clauses: 5.2.1 to 5.2.10, 6.2.1, 7.1.6, 7.3.1, 9.1.3
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.2.4, 10.3.5
IMDRF MDSAP WG N3 clauses: Not Applicable
The purpose of the Use of External Resources process is to ensure that all activities performed on behalf of the Auditing Organization by external auditors or technical experts, or external organizations remain under the control of the Auditing Organization.
As a result of the assessment of the Use of External Resources process, objective evidence will show whether the Auditing Organization has:
Defined, documented and implemented appropriate methods (i.e. procedures and criteria) for the control of external resources activities, including the control of competency, impartiality and confidentiality.
Documented and implemented appropriate arrangements with external resources ensuring that the competency requirements for the auditing activities, and the final review and decision making on conformity to regulatory requirements are retained by the Auditing Organization.
Established written arrangements with external resources including their commitment to apply the Auditing Organization’s requirements and provisions ensuring the control of confidentiality and impartiality.
Adequate competency to review the outcome of activities performed by external resources.
The failure of the Use of External Resources Process poses the following risks:
· Lack of control of activities directly affects the ability of the external resources to provide the expected service; and/or,
· Lack of control by the Auditing Organization on the conformity of the external resources activities to the requirements of the recognizing Regulatory Authority.
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.5, 8.5.1
IMDRF MDSAP WG N3 clauses: 5.2.7, 7.2.1, 7.5.1, 7.5.2, 8.5.1, 8.5.2
Applicable Requirement
ISO/IEC 17021:2011 clauses: 5.1.3, 7.3, 7.5, 8.5.1
IMDRF MDSAP WG N3 clauses: 5.2.7, 7.1.6, 7.2.1, 7.3.1, 7.3.3, 7.5.1, 7.5.3, 8.5
Applicable Requirement
ISO/IEC 17021:2011 clauses: Not applicable
IMDRF MDSAP WG N3 clauses: 7.3.2, 7.5.2
The purpose of the Measurement, Analysis and Improvement process is to verify that:
· Information relative to the audits, competence of the auditors, decisions on conformity to regulatory requirements, and the Auditing Organization’s management system is collected;
· This information is analysed to identify actual and potential nonconformities;
· Actual and potential nonconformities are investigated; and,
· Effective corrections, corrective actions and preventive actions are taken, as appropriate.
If trends in the information collected above are unfavourable and nonconformities are observed during the assessment, then this information can be used to select:
· Auditor qualification files to review during the assessment of the Competence Management process;
· Medical device manufacturer files; and,
· Agreement and monitoring records during the assessment of the Use of External Resources process.
As a result of the assessment of the Measurement, Analysis and Improvement process, objective evidence will show whether the Auditing Organization has:
Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the ISO/IEC 17021:2011 standard and the IMDRF MDSAP WG N3 and N4 documents;
Identified, analysed, and monitored appropriate sources of quality data including internal audits, external assessments, and complaints, to identify actual and potential nonconformities;
Investigated actual and potential nonconformities;
Implemented corrections, corrective actions and preventive actions, as appropriate; and,
Reviewed the effectiveness of such actions.
The failure of the Measurement, Analysis and Improvement process poses the following risks:
· Lack of assurance in the Auditing Organization’s ability to identify and remediate nonconformities and potential nonconformities as necessary; and/or,
· Lack of assurance on the Auditing Organization’s decisions relating to the medical device manufacturer’s conformance to regulatory requirements.
Applicable requirements
ISO/IEC 17021:2011 clauses: 7.2.10, 7.5.4
IMDRF MDSAP WG N3 clauses: 6.1.4, 7.1.6, 10.1.1, 10.1.3, 10.1.4
Applicable requirements
ISO/IEC 17021:2011 clauses: 5.2.10, 7.1.3, 7.2.10 – 7.2.12, 7.5.4
IMDRF MDSAP WG N3 clauses: 5.2.4, 6.1.5, 7.1.3, 7.1.6, 10.1.3, 10.1.4
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.3.7, 10.3.8
IMDRF MDSAP WG N3 clauses: Not applicable
Applicable requirements
ISO/IEC 17021:2011 clauses: Not applicable
IMDRF MDSAP WG N3 clauses: 8.7.3, 8.7.4, 8.7.5
Applicable requirements
ISO/IEC 17021:2011 clauses: 9.1.15, 9.3, 10.2
IMDRF MDSAP WG N3 clauses: 9.1.1, 9.1.2, 10.1.3
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.2
IMDRF MDSAP WG N3 clauses: 8.7.3, 8.7.4, 9.6.1
Applicable requirements
ISO/IEC 17021:2011 clauses: 10.3.6.1, 10.3.6.2, 10.3.6.3, 10.3.6.4
IMDRF MDSAP WG N3 clauses: 10.1.4
Applicable requirements
ISO/IEC 17021:2011 clauses: 9.7, 9.8
IMDRF MDSAP WG N3 clauses: 9.5.2.2, 9.8.1
Applicable Requirements
ISO/IEC 17021:2011 clauses: 9.8, 10.3.7, 10.3.8
IMDRF MDSAP WG N3 clauses: Not applicable
Applicable Requirements
ISO/IEC 17021:2011 clauses: 10.2.4, 10.3.5
IMDRF MDSAP WG N3 clauses: Not applicable
The purpose of the Competence Management process is to ensure that auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the audit and related activities have demonstrated competence, according to pre-established criteria. The Competence Management Process is also to ensure that the Auditing Organization has access to competent personnel to cover the scope of their recognition. This is essential in ensuring the credibility of the Audit and Decisions Process outcomes.
As a result of the assessment of the Competence Management process, objective evidence will show whether the Auditing Organization has:
A. Identified the necessary competence to be an effective organization for their scope of recognition.
B. Defined, documented and implemented methods (i.e. procedures and criteria) for the evaluation and monitoring of the competence of auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the management and performance of audits and related activities.
C. Identified training needs and access to training for auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the management and performance of audits and related activities.
D. Maintained records demonstrating the effective implementation of the competence management process.
E. Demonstrated the effectiveness of its evaluation methods and of the overall competence management process.
The failure of the Competence Management process poses the following risks:
· Lack of competence may not allow the auditors, technical experts, program administrator, and final reviewer to identify the critical elements to assess, make appropriate judgements on conformity to regulatory requirements, and make appropriate decisions.
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.1.1, 7.1.4, 7.2.1, 7.2.9
IMDRF MDSAP WG N3 clauses: 6.1.1, 6.1.3, 7.1.1, 7.1.2, 7.1.3, 7.1.5, 7.2.1, 7.3.2
IMDRF MDSAP WG N4 clauses: Not applicable
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.1.2, 7.1.3, 7.2.4, 7.3, 7.5
IMDRF MDSAP WG N3 clauses: 6.1.1, 7.1.1, 7.2.1, 7.3.2, 7.3.4, 7.5.2, 7.5.4
IMDRF MDSAP WG N4 clauses: 6, 9
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.1.3, 7.1.4.1, 7.2.3, 9.2.2.5
IMDRF MDSAP WG N3 clauses: 6.1.6, 7.2.1, 7.3.2, 7.5.2
IMDRF MDSAP WG N4 clauses: 11
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.2.3, 7.2.6, 7.2.8
IMDRF MDSAP WG N3 clauses: 6.1.3, 7.1.3, 7.2.1
IMDRF MDSAP WG N4 clauses: 7, 8
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.2.10, 7.2.11, 7.2.12
IMDRF MDSAP WG N3 clauses: 6.1.1, 6.1.6, 7.4.1
IMDRF MDSAP WG N4 clauses: 9, 12
Applicable Requirement
ISO/IEC 17021:2011 clauses: 5.2.13, 7.4
IMDRF MDSAP WG N3 clauses: 5.2.9, 7.1.6, 7.4.1
IMDRF MDSAP WG N4 clauses: 4, 5, 10, 1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.1.3, 7.2.5, 7.2.7, 7.2.8
IMDRF MDSAP WG N3 clauses: Not applicable
IMDRF MDSAP WG N4 clauses: Not applicable
The purpose of the Audit and Decisions Process is to control the management of the medical device manufacturer’s request for audit and other related activities. This process includes the review of the application, the definition of the audit program, the planning and performance of the audit, the review of the report, the decision making, the review of the audit program, and the planning of next audits, including special audits, necessary for the maintenance of the certification.
As a result of the assessment of the Audit and Decisions Process, objective evidence will show whether the Auditing Organization has:
A. Defined, documented and implemented methods (i.e. procedures and criteria) for the control of the Audit and Decisions process.
B. Established and implemented audit programs for each manufacturer in accordance with the prescribed recognizing Regulatory Authority audit cycle.
C. Planned and conducted audits according to the audit program including the assignment of a competent audit team.
D. Reviewed corrections and corrective actions implemented by the manufacturer in response to the audit findings.
E. Made reliable and consistent decisions based on the outcome of the audits and the review of the manufacturers’ responses.
F. Conducted follow-up activities according to the decisions.
G. Effectively evaluated and made appropriate decisions regarding appeals.
H. Maintained records demonstrating the effective implementation of the Audit and Decisions process.
The failure of the Audit and Decisions Process poses the following risks:
· Lack of control regarding the Audit and Decisions Process may cause inconsistency in the outcome and affect the reliability of the outputs of the Auditing Organization.
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.1.4.1, 9.6.1, 9.7.1
IMDRF MDSAP WG N3 clauses: 9.1.1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.6.3, 9.1.1, 9.1.2.2.1, 9.1.2.2.2, 9.1.2.2.3, 9.1.2.3, 9.1.4, 9.1.5, 9.1.7, 9.1.8, 9.2.1, 9.2.2.1, 9.2.2.2, 9.2.3, 9.3.1, 9.4.1, 9.5
IMDRF MDSAP WG N3 clauses: 8.8.1, 9.2.1, 9.2.2, 9.2.3, 9.3.1, 9.4.2, 9.4.4, 9.4.5, 9.5.1, 9.5.2(1&2)
Applicable Requirement
ISO/IEC 17021:2011 clauses: 7.2.4, 7.2.5, 7.2.7, 9.1.3.1 to 9.1.3.4, 9.1.6, 9.1.7, 9.1.8, 9.2.2.3, 9.2.2.4
IMDRF MDSAP WG N3 clauses: 5.2.8, 7.3.1, 7.4.1, 7.5.1, 9.1.4, 9.5.2(1)
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.1.9, 9.1.10, 9.2.3, 9.3.2.1, 9.3.2.2, 9.4.2
IMDRF MDSAP WG N3 clauses: 8.2, 9.1.2, 9.1.3, 9.2.1, 9.2.2, 9.2.4, 9.2.5, 9.3.1, 9.4.1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.1.11, 9.1.12, 9.1.13, 9.5.2
IMDRF MDSAP WG N3 clauses: 9.5
Applicable Requirement
ISO/IEC 17021:2011 clauses: 5.1.3, 9.1.14, 9.1.15, 9.2.2.5, 9.2.4, 9.2.5, 9.3.3, 9.4.3, 9.6.1, 9.6.2, 9.6.4, 9.6.5
IMDRF MDSAP WG N3 clauses: 6.1.7, 7.3.1, 7.5.1, 9.2.6, 9.4.3, 9.4.5
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.1.13, 9.5.2, 9.6.3, 9.6.4
IMDRF MDSAP WG N3 clauses: 9.5, 9.6.1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.7
IMDRF MDSAP WG N3 clauses: 6.1.7, 9.1(Exceptions)
Applicable Requirement
ISO/IEC 17021:2011 clauses: 9.9
IMDRF MDSAP WG N3 clauses: Not applicable
The purpose of the Information Management Process is to ensure effective documentation control and communication between the Auditing Organization and the medical device manufacturers, the Regulatory Authorities and the public. The Information Management Process must ensure the necessary level of confidentiality.
As a result of the assessment of the Information Management process, objective evidence will show whether the Auditing Organization has:
A. Established an effective process for documentation control.
B. Made appropriate information available about its activities and clients to Regulatory Authorities and the public.
C. Established appropriate contractual arrangements with its clients.
D. Implemented appropriate arrangements to safeguard confidentiality.
The failure of the Information Management Process poses the following risks:
· Lack of control of internal documentation leading to inappropriate audits and decisions;
· Lack of control of information shared with external parties, potentially providing inaccurate, obsolete or misleading information; and/or,
· Leak of confidential information.
Applicable requirements
ISO/IEC 17021:2011 clauses: 9.9.3, 9.9.4, 10.3.3, 10.3.4
IMDRF MDSAP WG N3 clauses: 10.1.2
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.1.1, 8.1.2, 9.7.2, 9.8.1
IMDRF MDSAP WG N3 clauses: 5.2.6
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.6.1, 8.6.2
IMDRF MDSAP WG N3 clauses: 5.2.6
Applicable Requirement
ISO/IEC 17021:2011 clauses: 5.1.2, 8.4, 8.5, 8.6.3, 9.5.1, 9.6.3, 9.6.6
IMDRF MDSAP WG N3 clauses: 5.1 (Exceptions), 5.1.4, 5.1.5, 8.7.4, 8.8.1, 9.5.1, 9.5.2(3)
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.2
IMDRF MDSAP WG N3 clauses: 6.1.3, 8.2, 8.7, 9.2.2, 9.4.6, 9.5.3, 9.6.1, 9.8.1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.1.3, 8.1.4, 8.3, 9.6.3, 9.6.7, 9.8.10
IMDRF MDSAP WG N3 clauses: 8.3.1, 8.8.1
Applicable Requirement
ISO/IEC 17021:2011 clauses: 8.5, 9.9.3
IMDRF MDSAP WG N3 clauses: 8.5, 8.7, 8.8