If you’ve missed the 2014 RAPS conference you’ve missed out on the opportunity to learn a lot about unannounced audits by notified bodies. Not only were the notified bodies themselves out and about at the conference and very approachable to discuss all kinds of technicalities, there were also several very practical sessions with a lot of good information on the subject, notably the enforcement / unannounced audits session and the product sampling during unannounced audits session were very informative.
If there is one thing that I took away from these sessions it’s the absolute need to take a good look at your relations with critical suppliers and crucial subcontractors. Sounds like a broken record, but it keeps being confirmed.
Here are my main takeaways from the conference sessions on unannounced audits:
Don’t forget to inform your notified body about critical supplier’s production windows, otherwise the notified body shows up there and can’t complete the audit if production is not ongoing that day – result: suspension of your certificate. Also make sure your critical supplier tells you so you can inform the notified body, otherwise: same result.
And how about production locations? Make sure that your critical supplier does not change production locations for a raw material or component without telling you because the notified body will show up in the wrong place and will not be able to complete the audit, resulting in suspension of your device certificate and it’s likely a non-conformity in your QMS if your supplier can do this without telling you. This an actual example from one of the notified bodies I spoke with at the conference, by the way. In that case you can only hope that the critical supplier did not move the production too far away and the notified body can quickly get there and complete the audit after all.
Not only do you have to have a procedure for unannounced audits (otherwise it’s a QMS non-conformity for which you will be written up by your notified body), also your critical supplier has to have one. You may be written up for a non-conformity if they don’t.
Your own procedure and that of your critical supplier should typically cover these three main subjects:
- Notification of notified body of production windows and changes
- Coordination with supplier / manufacturer
- Training of staff regarding responsibilities and requirements during unannounced audits
Unannounced audits can happen at night if the device is (also) produced in night shifts. Sounds obvious but it means that your management has to be available at night too and your unannounced audits process has to accommodate this. They may not like it, but you have to make provision for management to be on call 24/7 if you or your critical suppliers also produce at night and in the weekend.
Since the unannounced audits are product sampling audits that involve testing, it is actually possible to agree testing methods with your notified body beforehand. Even though you cannot define the sampling criteria, you can define the test methods used, e.g. by reference to the ones you are using already in your production. If those are good already, why subject your devices to something else that may produce unexpected results, right? This may be well worth your while as it takes a degree of unpredictability and risk out of the equation. If the testing method is unclear or not agreed, the notified body will need to haul off the samples and test elsewhere. The same applies for the critical supplier test methods for their production process.
An authorised representative can also be a crucial subcontractor, depending on what they take on in terms of roles and responsibilities, especially where they do vigilance cases reporting for the manufacturer (as this impacts performance and safety of the device).
How to deal with suppliers that refuse unannounced audits? As I have blogged here and here, you should have changed your supply contracts with critical suppliers by now to accommodate unannounced audits.
But what if the supplier doesn’t want to cooperate because they just see it as hassle (for example because you are just a small customer compared to the rest of their customers)? That happens even to the biggest of devices companies, we learned at the RAPS conference. The only thing you can do then is work with the critical supplier to find a value proposition that triggers the supplier, and this can differ from one supplier to the other. The problem is that suppliers may know that you have to agree with them or source from elsewhere, so be prepared for some arm-twisting in the negotiations.
Change management regarding the supplied material is vital: make sure that you know when the critical supplier changes material specs or production methods, also if you are too of a small customer to influence this choice, because may have to be reflected in the tech file.
Since the notified body will audit the critical supplier, the supplier had better have their documentation in order, and you have to make sure they do, so cover this in the supply / quality agreement.
Thanks for this very interesting update.
I have a question from a legal point of view: how can notify bodies writte you up for a non-conformity if you don’t have a Procedure for unexpected audit? This procedure is not listed as mandatory in any standard, directive, etc… We will be non-conform towards what?
Thanks for your comments.
Hi Anne, you would be non-conform against the terms and conditions of the notified body. Also, if the lack of procedure leads to the audit not being completed in time, they will suspend the certificate for the device because the audit could not be completed. Best regards, Erik
Thanks for this great summary! I too found the sessions on unannounced audits among the most informative (and perhaps the scariest!) at this year’s conference. There were many issues brought forward that I hadn’t yet considered.
Best content which is worth reading it and useful . Thanks