A guide to quality and regulatory compliance during COVID-19

19 May 2020 16min read

Team Discussion

Multiple authors

On 11th March 2020, the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic. In the face of a global public health crisis, the healthcare industry and its regulators have rallied together to address the urgent needs for supply of diagnostics and treatment of COVID-19.

Despite new restrictions, it is crucial that quality and regulatory groups continue to meet quality standards (ISO13485:2016) and remain compliant to the Medical Devices Directive. The critical challenge is that of maintaining healthcare provisions to medical settings and compliance to regulations to ensure products remain safe and effective.

But, with mandatory social distancing and lock-downs in place across the globe, how can we keep up the standards? This situation is affecting all organisations – according to The Chartered Quality Institute/Research Quality Association, 89% have already changed their working practices to adapt . For us at Team Consulting, the shift has been virtually seamless, with robust IT systems already in place and now daily meetings online to discuss any barriers to operations and compliance. This article will take a look at the key impacts on medical devices organisations, and the response by regulatory bodies to explore how we can maintain compliance through the crisis.

Response by regulatory bodies

In response to COVID-19, the UK’s healthcare regulator – the Medicines and Healthcare Products Regulatory Agency (MHRA) – published valuable guidance documents on flexible approaches to regulation, to support the continuation of device and drug development in the current climate. These covered topics ranging from blood components for transfusion, clinical trials, inspections and good distribution practices. For example, the MHRA guidance outlined potential deviations for use of critical equipment outside routine validation plans or calibration schedules – due to the impossibility of engineers to attend on-site.

Importantly, this guidance touches on maintaining Good x Practices (GxP) compliance in an unprecedented time, where the quality department cannot physically be on-site to do any of the routine due-diligence and compliance exercises expected by regulators. It has been made clear that these regulatory flexibilities are temporary and will be kept under review, that they have been offered to provide flexibility in exceptional circumstances and, crucially, were effective immediately.

“These regulatory flexibilities are temporary and will be kept under review, they have been offered to provide flexibility in exceptional circumstances and were effective immediately.”

Across the world, regulatory bodies have reviewed the routes for market access of medical products, in several cases expediting regulatory pathways on special access routes in the interest of protecting public health.

In the UK, the MHRA communicated in late March that it may authorise the supply of non-CE marked devices to accelerate market access and avoid shortages of key medical products in the crisis. Personal Protection Equipment (PPE – face masks in particular) was one key focus area , as well as ventilators. In collaboration with MHRA, the British Standards Industry (BSI) worked with international standards organisations to make standards accessible for the purposes of organisations that are involved in the UK COVID-19.

In the US, the FDA have invoked the Emergency Use Authorization (EUA). This has enabled the use of unapproved medical products, or unapproved use of approved medical products, to diagnose, treat or prevent life-threatening diseases when there are no adequate, approved, and available alternatives. This is particularly relevant to ventilators.

Another important change was the European Parliament’s decision to postpone the implementation of the new Medical Devices Regulations by one year, until May 2021. In light of the current pressure on national health authorities and manufacturers of medical devices, this decision will allow health authorities and manufacturers to focus entirely on fighting COVID-19 and hopefully prevent shortages or delays in getting key medical devices on the market. It is also very likely that similar delays will be made to the In Vitro Diagnostics Regulations (IVDR), due to come into place in 2022. This would similarly allow the industry and regulators some breathing space whilst we work through this period of COVID-19 uncertainty.

The response by regulatory bodies as the crisis has unfolded has been significant. All guidance and modifications to regulatory processes has been welcome support for the industry in ensuring consistent management of key quality issues during these unprecedented times.

The wet signature dilemma

Practical aspects of quality control have had to be quickly identified and partnered with a compliant work-around. The inability to sign paper documents in person (wet sign) – in the context of lock downs and social distancing – is a key obstacle for quality during COVID-19. Normally, the quality department of a medical device organisation is physically “round the corner of operations”. They ensure compliance and wet sign quality critical documents “on the go” to maintain compliance with ISO13485:2016 standards section 4.2.5. “Wet status” signatures are a critical part of demonstration of compliance to GxP and ALCOA+ principles for data integrity. With the onset of the COVID-19 crisis, this role was suddenly expected to be performed remotely.

ISO13485:2016 standards section 4.2.5 – “Records shall remain legible, readily identifiable and retrievable”

At Team, we rapidly identified the issue of providing wet signatures for the subset of documents that could not be signed via our validated electronic signature system, DocuSign. Our Quality Assurance group interpreted the MHRA guidance by issuing staff with clear guidance on a temporary deviation of document signatures. This involves the use of MS Outlook 365 emails to provide “declarations of signatures”, or photographs taken with iPhones of documents wet signed by quality representatives. For training sessions carried out online with Microsoft Teams, training records have been similarly returned in email format, instead of the usual practice of being completed in person after a classroom training.

We are fortunate, however, to have a robust electronic signatures system already validated and in place. Smaller medical devices organisations have likely suffered the most from this aspect of compliance to document and record control requirements set by ISO13485:2016, as they may not have fully validated electronic systems for managing compliance and are therefore more reliant on wet signatures.

Nevertheless, all sizes of organisations will have suffered from the COVID-19 pandemic. In crisis or not, maintenance of compliance is linked to well-maintained systems and dedicated quality individuals who can ensure adherence to standards and regulations relevant to the device under development, ensuring that patient safety is always put first.

Audits in lockdown – maintaining ISO requirements for internal audits

Auditing a quality management system (QMS) is a key requirement of ISO13485:2016 certification for medical devices. Audits are a fundamental compliance activity for Quality Assurance to capture non-conformances, address issues and identify opportunities for improvement.

Three days after the WHO’s announcement of the pandemic, the Association of Certified Bodies (ABCB) called for the immediate suspension of all physical audits in the interests of the safety of auditors. Certain certification and notified bodies had already pre-empted this move, communicating this likelihood to their clients back in February. With companies having set their audit programme for the whole year, remote auditing has been considered as a potential alternative.

“The feasibility of a remote audit must be determined, and should only be considered when the auditor and auditee are satisfied that audit objectives can be fulfilled.”

Remote audits aren’t completely new; the process has already been used in the industry, but sparingly (traditional on-site physical audits are the expectation from regulators and certification bodies). Decisions to either carry out a remote audit, or defer an audit to a later ‘post COVID-19’ period, may have been made through risk assessments of organisations’ compliance track records and the type of visit, in line with guidelines on extraordinary events or circumstances affecting them. The feasibility of a remote audit must be determined, and should only be considered when the auditor and auditee are satisfied that audit objectives can be fulfilled. Key considerations include the technology available, the scope of the audit (as defined in the audit plan), and the type of audit evidence that needs to be gathered to meet the audit criteria. A remote audit sees audit evidence obtained and shared electronically, rather than face to face; for example, via file sharing and data analysis techniques. Therefore, an audit of a laboratory facility where most records are paper-based may not be possible with a remote auditor and auditees physically away from the lab. As such, the assessment of the feasibility of an audit must be made on a case by case basis in order to remain aligned with the audit scope.

Standard auditing techniques – including diplomacy, active listening skills, probing questioning techniques and a versatile and collaborative approach – are as essential to remote audits as to on-site ones. However, remote audits inherently lack direct interaction with the auditee. This ability to fully engage, as well as read body language, within the same room can be essential to exploring issues and audit trails further during an on-site audit, opportunity that is absent during a remote audit.

Remote audits are nonetheless likely to be used during current times of COVID-19. Desktop audits are already increasingly common, with facility tours being held on camera phones and laptops being carried around by auditees. The alternative would be to postpone audit programmes, leaving many audits to be held later in the year, which could put a strain on auditor and auditee resources. We will certainly see significant change in business practices through 2020, with companies adopting a more risk based approach to incorporate remote (low risk) vs on site (high risk) audit activity, as a more efficient approach to general audit management.

Supplier control

Supplier qualification requirements have increased in recent decades and are a regular point of scrutiny by certification bodies during audits. As such, the COVID-19 situation led to a new wave of challenges in order to comply with ISO 13485:2016.

The crisis has hindered the auditing programmes in place to qualify suppliers, or maintain them approved. Remote auditing was immediately considered as a potential alternative. However, compared to internal remote audits, qualifying suppliers is more complex due to the management of external stakeholders, their availability on site (or not) and the availability of the records.

“Compared to internal remote audits, qualifying suppliers is more complex due to the management of external stakeholders, their availability on site (or not) and the availability of the records.”

As discussed earlier, numerous organisations (especially small ones) use paper records requiring a wet ink signature, records that would not be available for a remote audit without a person on-site to share them online. All organisations have certain records – calibration certificates, for example – which cannot be replicated electronically and displayed remotely.

Furthermore, some smaller suppliers may not have the resource for hosting remote auditing, nor the technological platforms for sharing records and procedures. Remote auditing also poses the challenge of how to share evidence with an auditor while also ensuring that confidentiality is not breached.

It is fair to say that, with respect to supplier audits, the long-term future of remote auditing is uncertain. Potential alternatives include the use of questionnaires to pre-approve suppliers and – though this could be quickly arranged – the value of such assessments would be limited, and this route should be considered with caution and based on supplier risk.

Cybersecurity threats to data integrity

Another side-effect of the COVID-19 pandemic has been a wave of COVID-19 related cyber-crime. Cyber criminals have taken advantage of the confusion that remote working is bringing, as we all adjust to new working practices, methods and tools. The medical devices industry is not exempt from this threat; organisations have had to address the potential impact on data integrity, compliance and potential personal data breaches (GDPR), including patient data, or participant data in research and development projects.

Attackers have preyed on people’s fears and concerns about the pandemic; for example masquerading as trusted entities such as government bodies, banks or retailers. They have captured victim’s credentials to access databases, or even hacked into classified calls on certain software platforms which did not have a high level of protection. Threats have contained coronavirus or COVID-19 related wording as a lure, including phishing and malware attacks, registration of new domain names and attacks against newly deployed remote working infrastructure.


The COVID-19 pandemic has had a number of costly impacts on the quality and regulatory processes of medical devices organisations. Professionals across all sectors are having to consider compliance risks carefully and it is likely that, even after “normal” working practices are resumed, we will see long term impacts.

Product development companies selecting new partners may find supplies unavailable for some time and there will no doubt be delays with engineers catching up on calibrations and qualifications of equipment, as well as large backlogs of audits, ISO certifications and possibly registrations of new products.

Falling out of compliance can easily lead to costly scrutiny from Notified Bodies, who are tasked to verify the conformity of the quality system with the Medical Devices Directive. As unannounced audits are a requirement of the regulations, it is likely that only the next 12 months of audits and inspections will unveil the true impact of COVID-19 on medical devices quality systems.

Though many things are unknown right now, we can be sure that the medical device industry needs to brace itself for long-term change and uncertainty.

This article was written by our Quality Assurance team.

Sarah Mardle, QA Director

Deanne Vaughan, QA Manager

Ellen Mascall, QA Officer

Join the conversation

Looking for industry insights? Click below to get our opinions and thoughts into the world of
medical devices and healthcare.