While everybody is running around about the MDR and IVD regulations proposals another storm is brewing in the wings: unannounced audits, which I announced earlier. Currently notified bodies “may” do unannounced audits under the EU medical devices rules. Now they will be required to do a minimum amount of unannounced audits. Required? Yes, EU member states may require this as condition for accreditation of the notified bodies. Will they? Most certainly. Some have already started to require notified bodies to do unannounced audits already now, as a straight consequence of member state action requested by the Commission pursuant to the Commission’s Dalli market surveillance action plan. With all the political turmoil about EU medical devices regulation underperforming in the safety department, it is not an option for a member states to refrain from increasing market surveillance. If they can actually afford to – but that’s another discussion, because what has two thumbs and will be picking up the bill for unannounced audits? Correct: the manufacturer. As you will see below, member states are already planning to use notified bodies to indirectly inspect manufacturers for them.
I have puzzled together some information that gives you a look under the hood of the impending Commission Recommendation that we already had on the horizon. I also benefited a great deal from the insights of Gert Bos of BSi, one of the persons that really knows what is going on in devices regulation in Europe, that he presented at the MD Project event on 25 March in the Netherlands.
Timing and status
We know that the Commission Recommendation is almost finished, with an anticipated release date somewhere in May 2013. The release will concur with the anticipated Commission decision on the designation of notified bodies. The document is in version 18 now and has reportedly been approved by the service juridique (legal service) of the European Commission, so it is more or less in final form. It will be immediately applicable when published, which will trigger applicability of the unannounced audits section in the notified bodies code version 3.0 (more about that below). The instrument of a “recommendation” is a first in medical devices world, because none of the current guidance documents has this status. A recommendation is more ‘law’ than MEDDEV and carries far more political weight, because a MEDDEV is a consensus statement of the member states of the European member states’ authorities and a recommendation is issued by the Commission itself aimed at harmonising member state practice.
The recommendation has two goals:
- consistent application of conformity assessment
- laying down general principles for unannounced audits and inspections
The document has three annexes. Annex I applies to audits where the manufacturer applied for design dossier examination or type examination. Annex II applies to audits where the manufacturer applied for quality system assessment. Annex III concerns unannounced audit methods and methodology.
Annex I: design dossier / product assessment
This annex contains 7 points, of which some are new:
- Notably new: the notified body should review if there is an up to date and complete tech file for all variants and trade names of device (compared to the current usual question: does the documentation produced by the manufacturer check out?). The notified body should do verification of products, e.g. by means of taking and testing products on manufacturer’s costs. It will be big fun when a notified body schlepps off an entire MRI unit and bills you for it, and this is not a hypothetical possibility -said Gert.
Annex II: Quality system
18 points, points 15-18 new:
- Traceability must be implemented throughout supply chain – I presented about this subject on the same event and discussed how contracts in the supply chain must be structured to reflect this and what will change under the new MDR proposal.
- PMS: audit will also cover whether necessary improvement of devices was initiated.
- QMS: checks will address that QMS and changes are up to date.
- Mandatory annual surveillance audit is mentioned (“at each annual surveillance audit ntofied bodies should verify that the manufacturer correctly applies the approved QMS and PMS plan”)
This annex reflects a strong suspicion towards outsourced elements in supply chain. More specifically notified bodies are to refrain from working with manufacturers unless they receive access to all critical subcontractors and crucial suppliers (and, consequently, to all sites where the devices or its crucial components are produced) regardless of length of contractual chain between manufacturer and subcontractor or supplier. Manufacturers are to integrate their subcontractors’ QMS in their own as much as possible. You can imagine how nice this will be for subcontractors that produce for several manufacturers. The Commission wants Own Brand Labeling to end (piggybacking on other parties’ certificates). OBL is not acceptable in the eyes of the Commission if the OBL does not have full access to all documentation relating to the reference device. In my experience the supply chain contracts that regularly cross my desk are completely unprepared for this.
Annex III: principles of unannounced audits of manufacturers and subcontractors
- al least every 3 year unannounced audit
- critical subcontractors or suppliers can be visited (make sure you amend contracts – inability to visit subcontractor or critical supplier is ground for immediate revocation of certificate)
- production sample checking (file review and witness test – or take sample and outsource test on manufacturer if on site test not possible)
- high risk devices – sampling logical for spot tests
- activity on-going at time of audit will be audited
The manufacturer must always be ready to accommodate a notified body unannounced audit, also at third parties such as subcontractors and critical suppliers. As a notified body already commented at the RAPS conference last year: as soon as you start your production you must be ready for unannounced audit; if you are not, don’t start production. Supply chain parties must make this possible and account for it in their contracts. If they do not, there is no excuse and the notified body will issue a major nonconformity. In case of limited production runs, the notified body must know when the runs are to be able to show up unexpectedly. The manufacturer pays for notified body for local security measures required, for example body guards.
Member states are free to require application of the recommendation of their notified bodies – and they will in practice because of the pressure put on them in the Dalli action plan.
The recommendation requires that a notified body must establish secret audit plan for manufacturers. Notifed bodies are presently meeting regularly to compare notes on best practice and what works and does not between themselves in unannounced audits.
Notified body code v. 3.0; entry into force of recommendation and code
The new notified body code v 3.0 announced part enters into force immediately upon entry into force of the recommendation, which we already saw coming. The recommendation will enter into force upon publication, as far as I know – NO transitional period. The code has important language on risk management for audit frequency, and I have discussed that before here. It also contains a heading for devices that are often non-compliant – more visits. Gert informed us that authorities are now starting to use notified bodies as extension more and more: they tell notified bodies where to do an unannounced visit if they see spikes in trending of complaints.
Better start preparing pronto by writing procedures and amending those agreements in your supply chain, because as Gwen Stefani sings: “this sh*t is bananas”. And it will hit the fan this May – less than two months! – with no transition period. That just goes to show the political pressure behind all of this. Questions? I’m here.