Unannounced Audits: When Your Clinical File Fails in Real Time
The notification comes without warning. A Notified Body auditor arrives at your site for an unannounced surveillance audit. Within hours, they request your clinical evaluation documentation. By the end of day one, they have identified gaps that trigger a major non-conformity. Your certificate status shifts from active to under review. This is not a theoretical scenario. This happens.
Most manufacturers prepare for announced audits. They schedule reviews, update documents, and rehearse responses. This preparation creates a false sense of readiness. Unannounced audits under MDR expose what actually exists in your quality system, not what can be assembled before an audit date.
Clinical documentation receives intense focus during these unannounced visits. Auditors know that clinical evaluation is where compliance gaps hide most effectively. The question is not whether your clinical file looks complete. The question is whether it demonstrates continuous compliance when examined without preparation time.
Why Clinical Files Become Audit Targets
Under MDR Article 78, unannounced audits are mandatory for certain device classes and risk profiles. Notified Bodies must conduct these audits as part of their assessment activities. The goal is to verify that the quality management system operates as described under routine conditions.
Clinical evaluation documentation is a primary focus for three reasons.
First, it requires continuous maintenance. Your Clinical Evaluation Report is not a static document. MDR Annex XIV Part A mandates that manufacturers continuously update clinical evaluation throughout the lifecycle of the device. An unannounced audit tests whether this actually happens.
Second, clinical data integration reveals system maturity. How post-market data flows into your clinical evaluation shows whether your quality system functions as designed or only activates before scheduled audits. Auditors look for evidence of regular reviews, not evidence of pre-audit updates.
Third, clinical evaluation connects to multiple processes. Your CER links to risk management, PMCF, vigilance, trend analysis, and periodic safety update reports. Gaps in any of these areas become visible through clinical documentation review. An auditor examining your clinical file is simultaneously auditing your entire post-market surveillance system.
Manufacturers treat the CER as a certification document rather than a living file. During unannounced audits, auditors request evidence of updates since the last assessment. When the only changes are cosmetic formatting or version number updates, it signals that clinical evaluation exists on paper but not in practice.
What Auditors Examine First
When an auditor requests your clinical documentation during an unannounced visit, they follow a pattern. They do not start by reading your entire CER. They look for specific evidence points that reveal system health.
They check the document date and revision history. If your CER was last updated eighteen months ago, but your PMCF plan indicates quarterly data reviews, there is an immediate disconnect. They will ask why clinical evaluation has not been updated despite ongoing data collection.
They examine your PMCF report dating. MDR Article 86 and MDCG 2020-7 establish that PMCF must be an ongoing activity with regular reporting. If your PMCF reports are prepared only at annual intervals, or worse, only before scheduled audits, this indicates minimal compliance rather than continuous surveillance.
They review vigilance integration. Your clinical evaluation must account for incidents, field safety corrective actions, and trend analysis. Auditors cross-reference your CER against your vigilance database. If a FSCA was issued six months ago but your clinical evaluation does not address it, this is a direct MDR violation. MDCG 2020-10 makes clear that clinical evaluation must continuously incorporate safety data.
They assess equivalence claim validity. If your device relies on equivalence for clinical evaluation, auditors verify that you monitor the equivalent device’s performance. They check whether you are aware of any incidents, recalls, or safety communications related to the equivalent device. If the equivalent device has had field actions that you have not addressed, your entire clinical evaluation foundation becomes questionable.
Auditors in unannounced visits do not expect perfection. They expect evidence of systematic activity. A CER that shows monthly review notes, quarterly data integration, and clear decision trails demonstrates compliance. A CER that appears static demonstrates ceremony.
The State of the Art Problem
State of the art presents a specific challenge during unannounced audits. MDR Annex I requires that devices meet the performance and safety standards currently achievable. Your clinical evaluation must demonstrate awareness of evolving standards, technologies, and clinical practice.
During announced audits, manufacturers can quickly update their SOTA section before the visit. During unannounced audits, this is not possible. Auditors review your SOTA documentation as it exists at the moment of their arrival.
Here is what triggers findings.
Your SOTA section references clinical guidelines from five years ago, but updated guidelines were published eighteen months ago. This indicates that your clinical evaluation is not tracking current knowledge. Even if your device remains safe and effective, you have not demonstrated that it meets current performance benchmarks.
Your literature search protocol shows the last search was conducted two years ago. MDR and MDCG 2020-13 expect regular literature surveillance. If you are not searching at defined intervals, you cannot demonstrate that you are aware of new clinical evidence, alternative technologies, or emerging safety signals.
Your competitor landscape has changed, but your clinical evaluation does not address new devices with superior performance claims. This does not mean your device is non-compliant, but it means your evaluation has not considered whether your device still represents an acceptable risk-benefit profile compared to current alternatives.
Auditors understand that SOTA is not about having the most advanced device. It is about demonstrating that you continuously assess where your device stands relative to current knowledge and practice. Static SOTA sections signal that this assessment is not happening.
PMCF Documentation Under Scrutiny
PMCF is where most unannounced audit findings occur. This is because PMCF requires continuous execution, not just planning. Your PMCF plan may be excellent, but if the plan is not being followed, the plan becomes evidence against you.
Auditors request your PMCF execution records. They want to see data collection logs, analysis reports, review meeting minutes, and decision records. They compare what your PMCF plan promised against what your records show actually happened.
If your plan states that you will review complaint data monthly for clinical trends, auditors check whether those reviews occurred in the months leading up to the audit. If they see gaps or inconsistent execution, this indicates that PMCF exists as documentation but not as activity.
They examine how PMCF data influences your clinical evaluation. The purpose of PMCF under Article 86 is to confirm device safety and performance throughout its lifecycle. If your PMCF reports contain data that should trigger CER updates but those updates have not occurred, this demonstrates a broken feedback loop.
One of the most damaging findings is when PMCF reports contain information that contradicts what appears in the CER. For example, your PMCF report identifies a performance concern that requires investigation, but your CER contains no mention of this concern. This indicates that PMCF and clinical evaluation are managed as separate documentation exercises rather than integrated processes.
Manufacturers generate PMCF reports as isolated documents that summarize data but do not connect to decision-making. During unannounced audits, when auditors ask “what changed in your risk management or clinical evaluation based on this PMCF finding,” there is no answer. PMCF without consequences is not surveillance.
The Traceability Test
Unannounced audits test traceability in real time. Auditors select a clinical claim from your IFU or marketing materials and trace it backward through your technical documentation.
They start with the claim. Then they check whether this claim appears in your CER with supporting evidence. Then they verify that the evidence is current, relevant, and properly analyzed. Then they check whether post-market data confirms the claim remains valid.
This traceability test reveals whether your clinical evaluation is actually controlling your device’s clinical claims or whether claims and evaluation exist in parallel.
A common finding: marketing materials state that the device is suitable for a specific patient population, but the CER does not provide data for that population. Or the CER references a clinical study, but that study excluded the patient population mentioned in the IFU. This is not a documentation error. This is a compliance failure that creates patient risk.
Auditors also trace safety claims. If your IFU states that no serious adverse events have been reported, they check your vigilance database. If serious events exist but are not classified as device-related, they examine your causality assessment. If the causality reasoning is weak or inconsistent, this undermines your safety claims and your clinical evaluation credibility.
Traceability works in both directions. Auditors also select a significant post-market event and trace forward to see if it reached your clinical evaluation. If a pattern of complaints exists but is not addressed in the CER, this indicates that your quality system is collecting data but not learning from it.
How to Build Audit-Ready Clinical Files
Audit-ready does not mean perfect. It means defensible and current. Your clinical documentation should demonstrate continuous activity even when examined without warning.
Establish scheduled review cycles for your CER. Do not wait for audits or annual reviews. Review your clinical evaluation quarterly at minimum. Document these reviews even if no changes result. A review record that states “no significant new data identified this quarter” is evidence of compliance. No review record is evidence of neglect.
Integrate PMCF reporting into your clinical evaluation process. Each PMCF report should trigger a CER review to determine if updates are needed. Document this review and the decision outcome. If the PMCF data confirms existing conclusions, document that confirmation. If it raises questions, document the investigation plan.
Maintain active literature surveillance. MDCG 2020-13 provides the framework. Execute searches at defined intervals. Document the results. Even if new publications do not change your clinical evaluation conclusions, they must be reviewed and documented. An up-to-date literature review log is powerful evidence during unannounced audits.
Connect vigilance to clinical evaluation explicitly. When incidents occur, your incident investigation should include a step that assesses impact on clinical evaluation. This does not mean every incident triggers a CER update, but every incident must be considered. Document that consideration.
Update SOTA sections regularly. Subscribe to updates from relevant professional societies, regulatory bodies, and standard-setting organizations. When new guidelines or technologies emerge, assess their impact on your clinical evaluation. Document the assessment even if no action is required.
Train your team to operate without audit preparation. If your clinical evaluation process only activates before scheduled audits, it will fail during unannounced audits. Your team should execute clinical evaluation activities as routine operations, not as special projects.
The companies that handle unannounced audits well are those that do not distinguish between audit preparation and normal operation. Their clinical files are continuously maintained because that is how their quality system functions. There is no difference between their audit-day documentation and their Tuesday-morning documentation.
What Happens After a Major Finding
When an unannounced audit identifies major non-conformities in clinical documentation, consequences accelerate quickly. The auditor issues the finding before leaving your site. You receive formal notification within days.
Your certificate status may be suspended or restricted depending on the severity. If the clinical evaluation gaps create patient safety concerns, the Notified Body must inform competent authorities. This can trigger market surveillance actions independent of the audit finding.
You must provide a corrective action plan, typically within thirty days. But here is the difficulty: the root cause of clinical documentation failures is usually systemic. You cannot fix systemic problems with a quick document update. You must demonstrate that you have redesigned your processes to ensure continuous compliance.
This means implementing new review schedules, training staff, establishing new workflows, and proving through execution that the changes are effective. This can take months. During this time, your ability to launch new products or extend certificates may be limited.
The reputational impact extends beyond the immediate finding. Notified Bodies share information. Competent authorities monitor audit results. A major non-conformity in clinical evaluation signals to the broader regulatory community that your quality system has fundamental gaps. This affects how future submissions are reviewed and how much scrutiny your company receives.
The Real Standard
The standard for clinical documentation under MDR is not perfection. It is continuous, systematic engagement with clinical evidence throughout your device’s lifecycle. Unannounced audits test whether this engagement is real or ceremonial.
Your clinical evaluation must reflect what you actually know about your device’s performance, not what you wish to claim. It must integrate post-market data, address safety signals, track state of the art, and support your risk-benefit analysis with current evidence. When these activities happen continuously, unannounced audits become routine verification rather than crisis events.
The manufacturers who struggle are those who treat clinical evaluation as a document production exercise. They create impressive reports before audits but do not maintain the evidence between audits. When an auditor arrives without warning and asks basic questions about recent data, recent literature, or recent safety assessments, there are no answers.
The manufacturers who succeed are those who have integrated clinical evaluation into their quality culture. Their teams discuss clinical data in regular meetings. Their processes automatically trigger CER reviews when relevant data appears. Their documentation reflects ongoing work rather than periodic preparation.
If an unannounced audit happened at your company tomorrow, and the auditor requested your clinical evaluation file, what would they find? Would they see evidence of continuous compliance, or evidence that compliance activities cluster around scheduled audit dates? That difference determines whether unannounced audits are manageable events or existential threats.
The regulatory environment is moving toward more unannounced audits, not fewer. Notified Bodies are under pressure from authorities to verify real-world compliance. Clinical documentation will remain a primary focus because it reveals so much about quality system effectiveness. Building clinical files that withstand unannounced scrutiny is no longer optional. It is the baseline expectation under MDR.
Peace,
Hatem
Clinical Evaluation Expert for Medical Devices
Frequently Asked Questions
What is a Clinical Evaluation Report (CER)?
A CER is a mandatory document under MDR 2017/745 that demonstrates the safety and performance of a medical device through systematic analysis of clinical data. It must be updated throughout the device lifecycle based on PMCF findings.
How often should the CER be updated?
The CER should be updated whenever significant new clinical data becomes available, after PMCF activities, when there are changes to the device or intended purpose, and at minimum during annual reviews as part of post-market surveillance.
What causes CER rejection by Notified Bodies?
Common reasons include inadequate equivalence demonstration, insufficient clinical data for claims, poorly structured SOTA analysis, missing gap analysis, and lack of clear benefit-risk determination. Structure and logical flow are as important as the data itself.
Which MDCG guidance documents are most relevant for clinical evaluation?
Key documents include MDCG 2020-5 (Equivalence), MDCG 2020-6 (Sufficient Clinical Evidence), MDCG 2020-13 (CEAR Template), MDCG 2020-7 (PMCF Plan), and MDCG 2020-8 (PMCF Evaluation Report).
– MDR 2017/745 Article 78, Article 86, Annex XIV Part A
– MDCG 2020-7 Post-Market Clinical Follow-up
– MDCG 2020-10 Vigilance and Post-Market Surveillance
– MDCG 2020-13 Clinical Evaluation Assessment Report





