This article explains what to look at and what to look for when you are auditing technical files to the new Regulation (EU) 2017/745 for medical devices.
On August 8th, 2019, we recorded a live webinar teaching you what to look at and what to look for when you are auditing technical files (a link for purchasing the webinar is at the end of this article). Technical files are the technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit technical files.
Why you’re not qualified to auditing technical files
If you are a lead auditor, you are probably a quality manager or a quality engineer. You have experience performing verification testing and validation testing, but you have not prepared a complete technical file yourself. You certainly can’t describe yourself as a regulatory expert. You are a quality system expert. A couple of webinars on the new European regulations are not enough to feel confident about exactly what the content and format of a technical file for CE marking should be.
Creating an auditing checklist
Most auditors attempt to prepare for auditing the new EU medical device regulations by creating a checklist. The auditor copies each section of the regulation into the left column of a table. Then the auditor plans to fill in the right-hand columns of the table (i.e., the audit checklist), with the records they looked at and what they looked for in the records. Unfortunately, if you have never created an Essential Requirements Checklist (ERC) before, you can only write in your audit notes that the checklist was completed and what the revision date is. How would you know if the ERC was correctly completed?
In addition to the ERC, now called the Essential Performance and Safety Requirements (i.e., Annex I of new EU regulations), you also need to audit all the Technical Documentation requirements (i.e., Annex II), all the Technical Documentation on Post-Market Surveillance (i.e., Annex III), and the Declaration of Conformity (i.e., Annex IV). These four annexes are 19 pages long. If you try to copy and paste each section into an audit checklist, you will have a 25-page checklist with more than 400 things to check. The result will be a bunch of checkboxes marked “Yes,” and your audit will add no value.
Audits are just samples
Every auditor is trained that audits are just samples. You can’t review 100% of the records during an audit. You can only sample the records as a “spot check.” The average technical file is more than 1,000 pages long, and most medical device manufacturers have multiple technical files. A small company might have four technical files. A medium-sized company might have 20 technical files, and a large device company might have over 100 files. (…and you thought the 177-page regulation was long.)
Instead of checking many boxes, “Yes,” you should look for specific things in your audit records. You also need a plan for what records to audit. Your plan should focus on the essential records and any problem areas identified during previous audits. You should always start with a list of the previous problem areas because there should be corrective actions that were implemented, and the effectiveness of corrective actions needs to be verified.
Which records are most valuable when auditing technical files?
I recommend selecting 5-7 records to sample. My choices would be: 1) the ERC checklist, 2) the Declaration of Conformity, 3) labeling, 4) the risk management file, 5) the clinical evaluation report, and 6) post-market surveillance reports, and 7) design verification and validation testing for the most recent design changes. You could argue that my choices are arbitrary, but an auditor can always ask the person they are planning to audit if these records would be the records that the company is most concerned about. If the person has other suggestions, you can change which records your sample. However, you don’t want to sample the same records every year. Try mixing it up each year by dropping the records that looked great the previous year, and adding a few new records to your list this year.
What to look for when auditing technical files
The first thing to look for when you audit records: has the record been updated as required? Some records have a required frequency for updating, while other records only need to be updated when there is a change. If the record is more than three years old, it is probably outdated. For clinical evaluation reports and post-market surveillance reports, the new EU regulations require updating these reports annually for implantable devices. For lower-risk devices, these reports should be updated every other year or once every three years at a minimum.
Design verification and design validation report typically only require revisions when a design change is made, but a device seldom goes three years without a single change–especially devices containing software. However, any EO sterilized product requires re-validation of the EO sterilization process at least once every two years. You also need to consider any process changes, supplier changes, labeling changes, and changes to any applicable harmonized standards.
Finally, if there have been any complaints or adverse events, then the risk management file probably required updates to reflect new information related to the risk analysis.
Which record should you audit first?
The ERC, or Essential Performance and Safety Requirements checklist, is the record you should audit first. First, you should verify that the checklist is organized for the most current regulations. If the general requirements end with section 6a, then the checklist has not been updated from the MDD to the new regulations–which contains nine sections in the general requirements. Second, you should make sure that the harmonized standards listed are the most current versions of standards. Third, you should ensure that the most current verification and validation reports are listed–rather than an obsolete reports.
More auditor training on technical files…
We recorded a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of CE Marking Technical Files against the requirements of the new European regulations–Regulation (EU) 2017/745.
With access to this training webinar, we are also providing a native presentation slide deck, and an audit report template, including checklist items for each of the requirements in Annex I, II, III, and IV of the MDR.
We also provide an exam (i.e., a 10-question quiz) to verify training effectiveness for internal auditors performing technical file auditing. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. If you have more than one person that requires a training certificate, we charge $49/exam graded–invoiced upon completion of grading.
In addition to this webinar on auditing technical files, other training webinars are available. For example, we have a webinar on risk management training. If your firm is preparing for compliance with the new MDR, you might also be interested in the following information provided on this website:
- A CE Marking procedure including templates for the Essential Requirements, a Declaration of Conformity, and a Technical File Index.
- A blog outlining how to create your Quality Plan for compliance with the MDR
- A blog explaining three significant differences between the requirements of a Technical File for CE Marking and a 510(k) submission
- An 8-part webinar-based course reviewing the requirements of Regulation (EU) 2017/745 and comparing the requirements with the MDD (93/42/EEC as modified by 2007/47/EC).
Please note: A link for logging into this Zoom webinar will be delivered to the email address provided in the shopping cart transaction. After verifying the transaction, please check your email for the login information. To view the available webinars, click here. If you cannot participate in the live Zoom webinar, a link for downloading the recording will be emailed to you.