While everybody is running around about the MDR and IVD regulations proposals another storm is brewing in the wings: unannounced audits, which I announced earlier. Currently notified bodies “may” do unannounced audits under the EU medical devices rules. Now they will be required to do a minimum amount of unannounced audits. Required? Yes, EU member states may require this as condition for accreditation of the notified bodies. Will they? Most certainly. Some have already started to require notified bodies to do unannounced audits already now, as a straight consequence of member state action requested by the Commission pursuant to the Commission’s Dalli market surveillance action plan. With all the political turmoil about EU medical devices regulation underperforming in the safety department, it is not an option for a member states to refrain from increasing market surveillance. If they can actually afford to – but that’s another discussion, because what has two thumbs and will be picking up the bill for unannounced audits? Correct: the manufacturer. As you will see below, member states are already planning to use notified bodies to indirectly inspect manufacturers for them.
I have puzzled together some information that gives you a look under the hood of the impending Commission Recommendation that we already had on the horizon. I also benefited a great deal from the insights of Gert Bos of BSi, one of the persons that really knows what is going on in devices regulation in Europe, that he presented at the MD Project event on 25 March in the Netherlands.
Timing and status
We know that the Commission Recommendation is almost finished, with an anticipated release date somewhere in May 2013. The release will concur with the anticipated Commission decision on the designation of notified bodies. The document is in version 18 now and has reportedly been approved by the service juridique (legal service) of the European Commission, so it is more or less in final form. It will be immediately applicable when published, which will trigger applicability of the unannounced audits section in the notified bodies code version 3.0 (more about that below). The instrument of a “recommendation” is a first in medical devices world, because none of the current guidance documents has this status. A recommendation is more ‘law’ than MEDDEV and carries far more political weight, because a MEDDEV is a consensus statement of the member states of the European member states’ authorities and a recommendation is issued by the Commission itself aimed at harmonising member state practice.
The recommendation has two goals:
- consistent application of conformity assessment
- laying down general principles for unannounced audits and inspections
The document has three annexes. Annex I applies to audits where the manufacturer applied for design dossier examination or type examination. Annex II applies to audits where the manufacturer applied for quality system assessment. Annex III concerns unannounced audit methods and methodology.
Annex I: design dossier / product assessment
This annex contains 7 points, of which some are new:
- Notably new: the notified body should review if there is an up to date and complete tech file for all variants and trade names of device (compared to the current usual question: does the documentation produced by the manufacturer check out?). The notified body should do verification of products, e.g. by means of taking and testing products on manufacturer’s costs. It will be big fun when a notified body schlepps off an entire MRI unit and bills you for it, and this is not a hypothetical possibility -said Gert.
Annex II: Quality system
18 points, points 15-18 new:
- Traceability must be implemented throughout supply chain – I presented about this subject on the same event and discussed how contracts in the supply chain must be structured to reflect this and what will change under the new MDR proposal.
- PMS: audit will also cover whether necessary improvement of devices was initiated.
- QMS: checks will address that QMS and changes are up to date.
- Mandatory annual surveillance audit is mentioned (“at each annual surveillance audit ntofied bodies should verify that the manufacturer correctly applies the approved QMS and PMS plan”)
This annex reflects a strong suspicion towards outsourced elements in supply chain. More specifically notified bodies are to refrain from working with manufacturers unless they receive access to all critical subcontractors and crucial suppliers (and, consequently, to all sites where the devices or its crucial components are produced) regardless of length of contractual chain between manufacturer and subcontractor or supplier. Manufacturers are to integrate their subcontractors’ QMS in their own as much as possible. You can imagine how nice this will be for subcontractors that produce for several manufacturers. The Commission wants Own Brand Labeling to end (piggybacking on other parties’ certificates). OBL is not acceptable in the eyes of the Commission if the OBL does not have full access to all documentation relating to the reference device. In my experience the supply chain contracts that regularly cross my desk are completely unprepared for this.
Annex III: principles of unannounced audits of manufacturers and subcontractors
- al least every 3 year unannounced audit
- critical subcontractors or suppliers can be visited (make sure you amend contracts – inability to visit subcontractor or critical supplier is ground for immediate revocation of certificate)
- production sample checking (file review and witness test – or take sample and outsource test on manufacturer if on site test not possible)
- high risk devices – sampling logical for spot tests
- activity on-going at time of audit will be audited
The manufacturer must always be ready to accommodate a notified body unannounced audit, also at third parties such as subcontractors and critical suppliers. As a notified body already commented at the RAPS conference last year: as soon as you start your production you must be ready for unannounced audit; if you are not, don’t start production. Supply chain parties must make this possible and account for it in their contracts. If they do not, there is no excuse and the notified body will issue a major nonconformity. In case of limited production runs, the notified body must know when the runs are to be able to show up unexpectedly. The manufacturer pays for notified body for local security measures required, for example body guards.
Member states are free to require application of the recommendation of their notified bodies – and they will in practice because of the pressure put on them in the Dalli action plan.
The recommendation requires that a notified body must establish secret audit plan for manufacturers. Notifed bodies are presently meeting regularly to compare notes on best practice and what works and does not between themselves in unannounced audits.
Notified body code v. 3.0; entry into force of recommendation and code
The new notified body code v 3.0 announced part enters into force immediately upon entry into force of the recommendation, which we already saw coming. The recommendation will enter into force upon publication, as far as I know – NO transitional period. The code has important language on risk management for audit frequency, and I have discussed that before here. It also contains a heading for devices that are often non-compliant – more visits. Gert informed us that authorities are now starting to use notified bodies as extension more and more: they tell notified bodies where to do an unannounced visit if they see spikes in trending of complaints.
Better start preparing pronto by writing procedures and amending those agreements in your supply chain, because as Gwen Stefani sings: “this sh*t is bananas”. And it will hit the fan this May – less than two months! – with no transition period. That just goes to show the political pressure behind all of this. Questions? I’m here.
I find this interesting as I use to work for a small start up IVD company and am going to be interviewing for a very well known, large IVD company. I will keep this in mind.
Also, could you send me a MDR/Vigilance Decision Tree? I tried to register but gave up.
Hi Connie, I don’t think I understand your question. Can you tell me where you tried to register? If it’s on my blog, there is a “sign me up!” button on the right side of the screen.
It is interesting to me that the Code of Conduct specifies a backwards traceability audit from final release to incoming materials and components.
This will be, in my experience, a different approach from the traditional surveillance audit. This audit type would not cover Management Review, for example. There is a strong focus on product and less focus on management methods.
I recommend that manufacturers add this audit type to their regular internal quality program. If an internal quality program uses an element approach from ISO 13485:2013.
Hi Dan, I think you’re spot on. It’s the logical consequence of the PIP scandal: more focus on the product itself during unannounced audits to catch out any non-conformities that may not be spotted during the announced audits.
Thanks for another illuminating article. What is the situation for manufacturers with no requirement currently for Notified Body involvement – will they be subject to unannounced visits also?
Good question! No, if you’re currently not dealing with a notifoed body nothing will change for the moment. However, a lot of IVDs will transition to notified body supervision upon entry into force of the IVD regulation. Also, I have seen national competent authorities increase inspections on class I devices, just to check if they are classified appropriately and should not have been subject to notified body oversight.
Erik, thanks for the prompt response. I am confident that my clients products will remain outside the remit of a Notified Body but the possibility of an audit to confirm that is interesting! This is certainly a rapidly changing situation and I, for one, am grateful that you are providing a continuing commentary on it.
Mind you: competent authority inspections are not elective, nor are surprise notified body audits! You can always ask a notified body to confirm that your product does not need to be checked by them however, but that’s not an audit.
Erik, thanks for this article. In light of the changing regulatory landscape, what is your opinion on the impact on authorized representatives. Do you think they can expect any unannounced audits in the future? For manufacturers with their manufacturing site abroad, I understand that the main focus of unannounced audits will be on the manufacturing site, but will there also be audits at the headquarters then?
Thanks a lot for your comments!
Hi Ann, thanks for the question! It’s difficult to say what the impact on ARs will be. The focus of the unannounced audits will be on “verifying conformity of a recently produced adequate sample (product, batch, lot) of an approved device type.”, according to the Notified Bodies Code of Conduct v 3.0 that will enter into force upon the Commission Recommendation entering into force. Normally such samples will not be found at the AR. From what I understand the unannounced audits will always be aimed at production sites, because that is where the notified bodies and authorities hope to catch out any non-conforming production (like happened in the PIP scenario, which unannounced audits hope to prevent in the future). So unless the AR also produces as a subcontractor to the legal manufacturer or imports, I would not expect great impact on the AR. But we won’t know for sure until we see the text of the recommendation.
Thank you very much for the insight provided.
We are a small manufacturing Company and having just been through a very slow Annex IV process, it is difficult be believe that there are enough resources available for the successful implementation of these changes.
We had a formal ISO 13485 system in place for a number of years but because we only manufacture batches every couple of years, a decision was made to revert to an informal QMS compliant with ISO 13485.
This works well for us and we now send each batch for approval under Annex IV of the MDD.
My question is – would the Notified Body conduct an on-site, unannounced audit similar to our previous annual surveillance audits in line with our formal ISO 13485 system (focused on production) even though we are now running an informal system, or would they conduct an off-site, unannounced audit on our Technical Files/Devices as per the Annex IV assessment process? The cost implications are quite different.
Also, would the manufacturer be liable for the cost of re-verification of products (i.e. safety, EMC testing etc.) which can be quite exorbitant?
Hi Mia, as I understand the process as set out in the Notified Bodies Code 3.0 and what I know about the draft Commission communication, the focus is on audit of production. The Notified Body will look at the products (batch), production process and documentation allowing it to assess traceability and equivalence between the manufactured lot or batch and the approved device as set out in the tech file and supported by the QS. Costs of any testing commissioned by the notified body will be passed on to the manufacturer, but we can’t be entirely sure about this until the recommendation is out. However, this is to be expected to be the case.
Thank you Erik