Since the beginning of this year, Dr. D has had the opportunity or let’s say misfortune in some cases, of sitting through notified body audits for my clients or receiving disturbing phone calls from clients about audit issues.

Let the doctor begin by stating, you pay for this abuse so your organization might as well get their money’s worth. For starters, Dr. D is seeing a recurrence of auditors that just do not understand ISO 13485; ISO 14971; ISO 19011; or even worse 93/42/EEC. How can you be an effective notified body auditor if you do not understand the Medical Device Directive? The doctor is truly seeing the good, the bad, and the ugly when it comes to notified body audits.

Before I dive into this week’s guidance, please remember: “You pay the notified bodies and they work for you.” If you do not like the relationship with your notified body, by all means file for that divorce and move on. If you are unhappy with BSI then move to SGS. If SGS is giving you fits, then move to DEKRA. If DEKRA isn’t working for you then try TUV-R or UL. If TUV-R or UL is giving your organization severe indigestion then move to BSI. People, you have choices, so just like a marriage, pick a notified body that you are comfortable working with or continue to suffer in silence. It’s your device company, so it’s your pain!

For you notified bodies reading this week’s guidance, remember Dr. D loves you man and would never intentionally “fustigate” (look-it-up) your efforts to drive the quality and regulatory compliance of your clients. However, for those notified body auditors making stuff up as you pretend to know what you are doing, the gig is up my friends. It is time for all of you wannabes to move on to another industry. If you cannot correctly interpret standards and regulations, you are clearly in the wrong industry. That being said, I hope you enjoy this week’s guidance.

Flawed comments/observations

There is no doubt most auditors possess a plethora of knowledge that they rely on during the course of an audit. Frankly, the doctor’s expectation is that auditors have a fundamental understanding of the regulations, standards, and even more important, the processes they are assessing. However, some of the comments and observations I see coming from notified body auditors, frightens this old doctor, especially if the auditees do not push back on such nonsensical non-conformances or perceived requirements. That being said, Dr. D is going to share some of the more egregious comments and findings coming from notified body audits in 2013.

• Failure to comply with harmonized standards. Folks, there is no requirements to do so. Harmonized standards are strongly recommended but not mandated by 93/42/EEC, the European Medical Device Directive.
• The MDD requires that the notified bodies audit your critical suppliers. Beep, beep, beep; wrong again folks. There is no such requirement just another money maker for the notified bodies. If medical device manufacturers accept this type of comment as a mandated requirement, then the cost of playing in this sand box will quickly escalate.
• ISO 13485:2003 is no longer a valid standard. Beep, beep, beep; wrong again. Although EN ISO 13485:2012 has been harmonized, outside of the EU in places such as the United States, ISO 13485:2003 remains a valid standard. In fact, Health Canada specifically references 13485:2003 in SOR/98-282 (The Canadian Medical Device Regulation).
• It is required that your auditors must be certified by a recognized accreditation board. Once again, this nonconformance would be incorrect. ISO 19011 requires that auditors be competent, period! Formal certification for all auditors is a noble pursuit; however, it is also an expensive one. Dr. D strongly recommends an in-house training of auditors occur or when in doubt, outsource the entire internal audit program.
• ISO 9001 requires written procedures in support of all clauses. Sorry, wrong again. ISO 9001 requires a quality manual and high-level procedures for the following clauses:
  
  • 4.2.3 Control of Documents
  • 4.2.4 Control of Records;
  • 8.2.2 Internal Audits;
  • 8.3 Control of Nonconforming Product;
  • 8.5.2 Corrective Action; and
  • 8.5.3 Preventive Action.

What can you do?

Folks, the best advice Dr. D can give during an audit is to push back if the nonconformance is not clear or the nonconformance is not valid. Demand that the auditor give you the specific regulation or standards title, clause, section, paragraph, or sentence for which your organization is failing to comply. If the auditor cannot give you the specific requirement, repeat after the doctor: “Your observation is not valid, please move on.” If the auditor is persistent in his or her ignorance of a standard or regulation, elevate your concern to the notified body’s home office. Remember, you pay for this abuse and deserve to receive a fair assessment based on actual regulations and standards. 

The doctor will leave two takeaways from this week’s guidance. (1) Notified bodies are not created equal nor are their auditors. If you are having issues with a notified body, it is acceptable to change notified bodies. However, depending on the number of products entered into the European device market, changing notified bodies could be an expensive endeavor. (2) Do not be afraid to push back. If you feel the nonconformance is not premised on a regulation or standard or the auditor’s interpretation of a regulation or standard is incorrect, call them out and clearly state your concern. If your concern falls on deaf ears, elevate your concern to the notified body’s home office.

In closing, the doctor hopes you have found some value in this week’s guidance. Cheers from Dr. D. and best wishes for continued professional success.

References: 

1. Devine, C. (2012). Devine guidance for complying with the European medical device directive – MDD. Charleston, SC: Amazon.