While everybody in the medical devices industry is still reeling from the ENVI vote results (the details of which we still don’t know because the documents have not been published yet), the Commission finally issued the recommendation on unannounced audits – I was starting to get worried it would never be issued and that I had been crying wolf since March this year.
In this blog I’m not going to completely summarize the recommendation, because I already did prospectively here and here. Instead, I’d like to discuss a subject that I know manufacturers and notified bodies alike have difficulties getting to grips with: dealing with subcontractors and suppliers. This needs to improve because the recommendation says that
“Directive 90/385/EEC, Directive 93/42/EEC and Directive 98/79/EC do not provide any exceptions for outsourced production compared to in-house production. Accordingly, it is necessary to include in duly substantiated cases the most important subcontractors and suppliers in the conformity assessment procedures.”
However, we already knew that since 1998 from MEDDEV 2.5/3 Rev 2, so nothing radically new so far. Except nobody really seriously implemented this so far. Now we have the Joint Immediate Action Plan being rolled out that requires this to be implemented, and now it’s serious.
What is new?
Newish is obviously the unannounced audit element:
“To verify the day-to-day compliance with legal obligations, notified bodies should, in addition to the initial, surveillance or renewal audits, visit the manufacturer or, if this is likely to ensure more efficient control, one of its subcontractors in charge of processes which are essential for ensuring compliance with legal requirements (“critical subcontractor”) or a supplier of crucial components or of the entire devices (both: “crucial supplier”) without prior notice (“unannounced audits”).”
it says in article 2 (c). Newish? Yes, because the current legislation already allows notified bodies to do unannounced audits. It’s just that this was not enthusiastically implemented.
How does that translate?
“The quality system assessment should include audits on the premises of the manufacturer and, if this is also necessary to ensure efficient control, on those of its critical subcontractors or of its crucial suppliers. Notified bodies should establish a risk-based approach to identify such subcontractors and suppliers and should clearly document this decision process.” (Annex II, point 2)
So how does that work in practice?
“Notified bodies should verify whether the manufacturer’s business organization is appropriate for ensuring the conformity of the quality system and of the medical devices. In particular, the following aspects should be examined: the organizational structure, the qualification of managerial staff and their organisational authority, the qualification and the training of other staff, the internal auditing, the infrastructure, and the monitoring of the quality system in operation, including with regard to involved third parties such as suppliers or subcontractors.” (Annex II, point 6)
This relates to all critical subcontractors or crucial suppliers in the supply chain for the device concerned – these may be suppliers of suppliers or even suppliers further down the supply chain (Annex II point 19). The recommendation specifically provides that:
“Notified bodies should refrain from signing arrangements with manufacturers unless they receive access to all critical subcontractors and crucial suppliers and thus to all sites where the devices or its crucial components are produced, regardless of the length of the contractual chain between the manufacturer and the subcontractor or supplier.
Notified bodies should note that manufacturers:
(a) have to fulfil their obligations themselves regardless of any partial or total outsourcing of the production via subcontractors or suppliers;
(b) do not fulfil their obligation to have at their disposal the full technical documentation and/or of a quality system by referring to the technical documentation of a subcontractor or supplier and/or to their quality system;
(c) should integrate the quality system of critical subcontractors and of crucial suppliers with their quality system;
(d) need to control the quality of services provided and of components supplied and the quality of production thereof regardless of the length of the contractual chain between the manufacturer and the subcontractor or supplier.”
How to control?
How do you control this as a manufacturer? Why, with a contract of course, because why else would anyone in your supply chain cooperate to implement a recommendation? And they will need to, because notified bodies should carry out unannounced audits at least once every third year (Annex III, point 1), which may well happen at one of your subcontractors or suppliers:
“Notified bodies may, instead of or in addition to visiting the manufacturer, visit one of the premises of the manufacturer’s critical subcontractors or crucial suppliers if this is likely to ensure more efficient control. This applies in particular if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier.” (Annex III, point 2)
Subcontractors that have already undergone an unannounced visit in the last 12 months may be eligible for a waiver of the need to undergo another unannounced visit, which is at the discretion of the notified body performing the unannounced visit, says the notified body code on this point.
Manufacturer – notified body
This is where the recommendation stops with guidance regarding the supply chain, and only focuses on the relationship between the notified body and the manufacturer, saying that the contract must be renegotiated to accommodate for implementation of unannounced audits. At least you’ll see that coming – your notified body will try to make you accept their new conditions. This will involve:
- implementing unannounced audits at critical suppliers and subcontractors in the relation between the notified body and the manufacturer;
- information about when you are not producing the devices concerned so they don’t take a trip to China to find that the factory is closed for Chinese new year and standard – it means that a manufacturer must know about production cycles for all critical parties in his supply chain;
- contractual arrangements must include financial compensation for the unannounced audits including, where applicable, the device acquisition, its testing and security arrangements. So if your notified body hires Blackwater to escort it to your Mexican production site, you are picking up the bill, with no mention in the recommendation of whether the costs have to be proportionate, justifiable or anything.
Can you negotiate? Good question. Notified bodies will say you can’t because otherwise they may suspend or revoke the certificates of your products. On the other hand, these additional flexible requirements should create room for notified bodies to compete on conditions and associated costs. Increased competition between notified bodies was one of the more rational wishes of the ENVI Committee.
How do you control?
This is where the magic happens, because you have to do several things as a manufacturer:
- redefine your relationship with your notified body to implement practicalities for unannounced audits as described above;
- amend contracts for the inevitable MAID system coming your way in the new regulations;
- identify critical suppliers and subcontractors in your whole supply chain – this might go as far as identifying the Indian company that actually codes your software to your design specs;
- amend contracts for control of the immediate contract party that is a critical supplier or subcontractor, because why would they otherwise cooperate with a notified body audit;
- amend contracts to extend your QMS in both directions all the way to reach all critical suppliers and subcontractors;
- amend contracts for control of the critical suppliers and subcontractors with whom you do not have a direct relationship (and that you often don’t even know about because your direct subcontractor or supplier will not tell you who they are). This will be difficult because of legal dependencies, for example the law governing the contract. Also you have to map your entire supply chain, while this is currently something that is largely untransparent to the manufacturer. Manufacturers may do audits at their direct suppliers and subcontractors and seek to control these, but in practice I don’t see them control the whole supply chain up and down.
If there is one thing that this recommendation makes abundantly clear it’s that you really have to take contracts seriously in your quality system. This was something that always should have happened, but now it will really count. For this to count however it also means that notified bodies have to start to understand contracts in order to audit effectively – I am not so sure whether they realize that they cannot complete audits anymore without including an element of proper legal due diligence of contracts. Their code says in this respect that “all elements of unannounced visits shall be conducted by appropriately qualified auditors”, so I guess they are sending auditors to study law now. Otherwise your contracts can say whatever, and they would not be able to tell. As a manufacturer you have to make sure that you can explain contracts to the notified body, which means involving your legal department in your audits, and training your legal department to understand the regulatory implications of the contracts (which I often find manufacturers do not pay sufficient attention to).
Better start now
All of this is already in effect as you read this. Better start getting the manufacturer’s act together now before you or anyone in your supply chain receives the first audit and it’s Confusion Everywhere, as we sometimes refer to the CE mark.