Surprise, Your Notified Body has Magically Appeared for Coffee and an Audit
Dr. D is sure that just about everyone in industry that works with entering product into commerce in the European Union (EU) has read or heard about the PIP debacle and their willful intent to deceive their notified body with falsified data. The reason the doctor is mentioning this incident is because one of the byproducts of PIP’s debauchery is the recent requirement, originating from the Commission, to force notified bodies to perform unannounced inspections of device manufacturers, including their “critical” and “crucial” suppliers. Unannounced means they will magically appear on a device establishment’s door step for a cup of coffee and an audit.
That being said, the doctor has taken the liberty of extracting Annex III of the Commission Recommendation of 24 September 2013 (2013/473/EU) for your reading enjoyment. Although knowing that your notified bodies must be compensated for these unannounced visits, Dr. D can assure the readers this is no “zarzuela” (look-it-up). The cost of playing in the EU’s medical device sandbox is about to increase significantly.
ANNEX III – Unannounced audits
- Notified bodies should carry out unannounced audits at least once every third year. Notified bodies should increase the frequency of unannounced audits if the devices bear a high risk, if the devices of the type in question are frequently non-compliant or if specific information provides reasons to suspect non-conformities of the devices or of their manufacturer. The timing of the unannounced audits should be unpredictable. As a general principle an unannounced audit should not take less than one day and should be executed by at least two auditors.
- Notified bodies may, instead of or in addition to visiting the manufacturer, visit one of the premises of the manufacturer’s critical subcontractors or crucial suppliers if this is likely to ensure more efficient control. This applies in particular if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier.
- Within the context of such unannounced audits, the notified bodies should check a recently produced adequate sample, preferably a device taken from the ongoing manufacturing process, for its conformity with the technical documentation and with legal requirements. The check of the conformity of the device should include the verification of the traceability of all critical components and materials and of the manufacturer’s traceability system. The check should encompass a file review and, if necessary in order to establish the conformity, a test of the device. To prepare the test, notified bodies should request from the manufacturer all the relevant technical documentation including previous test protocols and results. The test should be undertaken in accordance with the testing procedure defined by the manufacturer in the technical documentation which has to be validated by the notified body. The test may also be performed by the manufacturer, its critical subcontractor or crucial supplier under observation of the notified body.
- Notified bodies in charge of product assessment (1) should, in addition to the steps foreseen in Sections 1, 2 and 3, sample devices belonging to at least three different device types and, where the manufacturer produces more than 99 device types, devices belonging to at least every hundredth type at the end of the production chain or in the manufacturer’s warehouse with a view of testing the conformity of the device types. Variants containing a technical difference which might affect safety or performance of the device should be counted as a separate device type. Dimensional size variants should not be regarded as different types unless specific risks are linked to the dimension. These samples should be tested by the notified bodies or by qualified personnel under their observation on their own premises, or on the manufacturer’s premises, or on the premises of the manufacturer’s critical subcontractor or crucial supplier or in external laboratories. Sampling criteria and testing procedures should be defined in advance. In particular if a sampling in the manufacturer’s premises is not possible, notified bodies should take samples from the market, if necessary with support by the competent authorities, or should perform testing on a device installed at a customer location. To prepare the test, notified bodies should request from the manufacturer relevant technical documentation including final batch testing reports, previous test protocols and results.
- Notified bodies in charge of verifying the quality system of the manufacturer (2) should, in addition to the steps foreseen in Sections 1, 2 and 3, verify whether the manufacturing activity ongoing at the time of the unannounced audit is in line with the manufacturer’s documentation relevant for the manufacturing activity and that both are in conformity with legal requirements. In addition, these notified bodies should check in more detail at least two critical processes such as design control, establishment of material specifications, purchasing and control of incoming material or components, assembling, sterilization, batch-release, packaging, or product quality control. Amongst the suitable critical processes, notified bodies should select one which has a high likelihood of non-conformity and one which is particularly safety relevant.
General advice with regard to contractual arrangements between the notified body and the manufacturer for the organization of unannounced audits
In order to ensure that notified bodies are in a position to perform unannounced audits, some modalities, such as the following ones, should be considered. Unannounced audits in premises of the manufacturer or its critical subcontractors or crucial suppliers should be foreseen in the contractual arrangements between the notified bodies and the manufacturers. If a visa is needed to visit the country where the manufacturer is located, the contractual arrangements should contain, as an annex, an invitation to visit the manufacturer at any time and an invitation which leaves the date of signature and the date of visit open (to be filled-in by the notified body).
The contractual arrangements should also contain, as an annex, similar invitations issued by the critical subcontractors or crucial suppliers. The contractual arrangements should foresee that the manufacturers continuously inform the notified bodies on the periods when devices falling under the notified bodies’ certificates will not be manufactured. The contractual arrangements should authorize the notified bodies to end the contract as soon as their permanent unannounced access to the premises of the manufacturer or its critical subcontractors or crucial suppliers is no longer assured.
The contractual arrangements should furthermore cover the measures to be taken by notified bodies to ensure the security of their auditors. The contractual arrangements should provide for a financial compensation for the unannounced audits including, where applicable, the device acquisition, its testing and security arrangements.
Note 1 – According to Section 2(a) and Annex I to this Recommendation.
Note 2 – According to Section 2(b) and Annex II to this Recommendation.
Complying with the recommendation
Before you shoot the messenger, you need to know that unannounced audits are impacting all three Directives: (a) the AIMDD; (b) the IVDD; and (c) the MDD. The frequency will be at least one unannounced audit at the frequency of once every three years. Just an FYI – you will not be given any advance notice/warning so device establishments must work closely with their notified bodies when defining dates that should be excluded. Additionally, these unannounced audits will consist of at least two auditors and last at least one day. Furthermore, you will also need to work with your notified body in identifying critical subcontractors and crucial suppliers as they will also be included in the unannounced audit program. Can you say “cha-ching?” Dr. D knows that the notified bodies can. Simply stated, more audits equates to more money in the coffers of the notified bodies. That is why it is so important to define in writing (a.k.a. contract) critical and crucial suppliers. Otherwise, you will be paying dearly.
Takeaways
For this week’s guidance, the doctor will leave the readers with just one takeaway. Unannounced audits are now a reality. Dr. D believes that in practice, it is a great idea; unfortunately the doctor also believes that there are practicality issues for small device manufacturers. Regardless, it is imperative that you work closely with your notified bodies to ensure the transition to unannounced audits is a smooth one. Finally, remember – the notified bodies work for you; and your organizations pay notified bodies handsomely for their work. If your notified body is unreasonable and is not meeting your organization’s expectations, you can always move to another one.
In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.
References
- 2013/473/EU. (2013, September). Commission recommendation of 24 September 2013 on the audits and assessments performed by notified bodies in the field of medical devices. Retrieved May 17, 2014, from http://ec.europa.eu/health/medical-devices/documents/index_en.htm.
Related Articles
-
The new guidance is intended to establish confidence in automation used for production or quality assurance systems and describe various methods and testing activities that may be applied to establish computer software assurance and meet regulatory software validation requirements.
-
The updated guidance document clarifies what constitutes a statement of the basis for the deficiency and includes examples of well-constructed deficiencies and industry responses to facilitate a more efficient review process.
-
The revised cybersecurity draft publication is not intended to be a checklist for healthcare organizations to follow, but rather a guide to help them comply with the HIPAA Security Rule.
-
The draft guidance proposes updates to clarify how the Breakthrough Devices Program may be applicable to certain medical devices that promote health equity, as well as considerations in designating eligible devices that may benefit populations impacted by disparities in health…
About The Author
Dr. Christopher Joseph Devine
President
Dr. Christopher Joseph Devine is the President of Devine Guidance International, a consulting firm specializing in providing solutions for regulatory compliance, quality, supplier management, and supply-chain issues facing the device industry. Dr. Devine has 32 years of experience in quality assurance, regulatory compliance and program management. He is a senior member of the American Society for Quality (ASQ), a member of the Regulatory Affairs Professionals Society (RAPS), and a member of the Project Management Institute, and resides on several technical advisory boards. Dr. Devine received his doctorate from Northcentral University, with his doctoral dissertation titled, “Exploring the Effectiveness of Defensive-Receiving Inspection for Medical Device Manufacturers: A Mixed-Method Study.” Dr. Devine holds a graduate degree in organizational management (MAOM) and an undergraduate degree in business management (BSBM).