It’s finally public: the Code of Conduct for Notified Bodies under Directives 90/385/EEC and 93/42/EEC “Improving implementation of the European CE certification of medical devices through harmonization of quality and competence of Notified Bodies”. It has been much awaited (see here, here and here for example) and in the end has been authored by BSI, DEKRA/KEMA, LNE/G-MED, TÜV Rheinland and TÜV SÜD. Other notified bodies are invited to join.
Apart from a general statement and general principles of conduct the Code contains rules on:
- Implementation and monitoring of the Code of Conduct;
- Qualification and Assignment of Notified Body Assessment Personnel;
- Minimum time for Notified Body assessments;
- Sampling of class IIa and IIb technical files;
- Design Dossier Reviews;
- Rules for subcontracting; and
- Rules for Certification Decisions.
The authoring notified bodies aim to address the current weaknesses in the notified body system with this code, more particularly
“to ensure a harmonized quality of work amongst the participating Notified Bodies, to gain trust in this work in public perception as well as from political and policy stakeholders, to contribute to ensure the trustworthiness of the system amongst international partners of the European Union and to support the reputation of the participating Notified Bodies.”
Interesting features I found are the following.
There is the scope of the Code. It states as non-limitative list of topics that still need to be addressed:
• Incorporating of the IVD Directive
• Defining requirements for review of devices incorporating material from animal / human origin
• Covering the Conformity Assessments defined in MDD Annex III or AIMD Annex 3 (Type Examination) as well as MDD Annex IV or AIMD Annex 4 (Batch Verification)
• Differences between Notified Bodies in review of clinical evaluations according to MEDDEV 2.7.1
• Requirements for Own Brand Labeling (OBL) manufacturers.
Board of Compliance
The notified bodies intended to take non-compliance with the code seriously and announce to set up a Board of Compliance and accompanying enforcement measures before 1 January 2012. I would imagine that they could easily adapt the Eucomed Code of Ethical Business Practice’s procedural framework. although there might be advantages of embedding the Code in the national notified body accreditation decision one way or the other. In any event the Board of Compliance implementation should seek to avoid the situation that the Eucomed code has been in since its enforcement mechanism was set up: no enforcement except clarification on its own accord because no one complains about each other. Whether that will be the case will depend on what parties will have standing to file complaints or request enforcement. I can imagine that notified bodies are not enthusiastic about their customers suddenly having recourse other than contractual against their notified body. On the other hand, notified body services contracts are normally imprecise on the exact notified body service level that the Code would be a very welcome addition.
Time limits for audits
It is a good thing that the notified bodies agreed on time limits for notified body assessments in the Code based on the principles of IAF MD5:2009. This will make the audit durations a lot more predictable for companies, allow for better planning and subsequently smoother cooperation. Although the time limits are not set in stone and depend on many factors that may cause the notified body to adjust the duration, it is a good start that there is a methodology to start from and that the factors that influence the duration are transparent.
It is not a secret that not all notified bodies have all expertise in house at all times and that they may therefore need to subcontract parts of the review to third parties. This is addressed in the Code as well. Subcontracting takes place under the full responsibility of the notified body, as the Code states that it considers separate accreditation or designation of subcontractors not necessary. In my view this remains a weak spot that member states must watch. A notified body should not be too dependent on subcontractors. This has been addressed to a point by defining a core competence of notified bodies by identifying what processes may not be outsourced:
“The qualification of personnel involved in the Conformity Assessment cannot be outsourced. Decisions on qualification, suspension, withdrawal and renewal ofsenior staff of the Notified Body meeting the same requirements as staff taking certification decisions.”
This is elaborated upon in the certification decision paragraph:
“To ensure that the Notified Body has sufficient internal competence among its own staff to take certification decision and not rely solely on external expertise for certain product categories, the following requirement applies also. This competence shall be related to the scope of designation of the Notified Body for the product categories as defined in NBOG document 2009-3 (e.g. MD 0200 Non-active implants).
• For each product category (e.g. MD 1100) for which the Notified Body is designated, there shall be in-house product expertise by having at least one qualified Product Assessor or Product Specialist in that product category.”
Are we fully there now and are all problems remedied? I think this will depend to a large extent on how many and moreover which of the other notified bodies subscribe to the code and how the Board of Compliance works in practice. As Eucomed has shown, having a Board of Compliance is one thing, but getting companies to use itis another. The more precise commitments on the service level of a notified body will benefit the medical devices industry and in the end the end users and patients, especially if courts are willing to have resort to these in case of disputes between non-signatory notified bodies and their clients, as well as member states that may make observance of the Code a condition for accreditation as notified body.