If your company is a supplier of components or materials to a medical device manufacturer, here’s information you need to be aware of taken from ISO 13485 Regulations. And it’s about unannounced audits of your business by Notified Bodies.

Table of Contents

• Sample Audit Scenario
• What is the Purpose of Unannounced Visits
• What are Notified Bodies?
• What are Mandatory Regulations Related to Notified Bodies?
• How Frequent are Unannounced Audits?
• What are Critical Subcontractors and Crucial Suppliers?
• Who Pays for Unannounced Audits?
• Who May Become Subject to Unannounced Audits?
• What about Contractual Agreements and Proprietary Processes?
• What do Unannounced Audits Check?

• Recommended Actions if You are Considered a Critical Subcontractor or Crucial Supplier

Sample Audit Scenario

During a recent ISO 13485 Certification Audit the Auditee, a supplier of moulded parts for a medical device manufacturer, was very surprised to discover that her premises could be subject to Unannounced Audits by a Notified Body. When asked what she would do if such an Audit Team came to the door, she said that they would be asked to leave.  And that could have created a major regulatory problem for the customer, a major multinational (and a vital customer).

Could your business face a similar situation?

What is the Purpose of Unannounced Visits?

In 2013, the European Commission published a Recommendation (2013/473/EU) regarding assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of the unannounced audits is to assure day-to-day compliance of the manufacturer’s product and quality management systems.  

Note: Under medical device regulations the ‘manufacturer’ is the organization placing the product in the market and, consequently, the holder of the Marketing Authorizations.  Suppliers to the ‘manufacturer’ are designated ‘Critical Subcontractors and Crucial Suppliers’, as appropriate.

A key aspect of this Recommendation is the mandatory requirement of unannounced audits for all manufacturers certified under one of the European medical device regulations (MDR or IVDR) at least once in every three years.

What are Notified Bodies?

A Notified Body is a third-party organisation assigned by member countries of the European Union (EU) to evaluate if products conform to expected standards before they are released in the market.

What are Mandatory Regulations Related to Notified Bodies?

In 2014, various European regulatory authorities, such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs.  It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!

And the situation has not changed since the introduction of the revised medical device regulations, MDR and IVDR, in 2017. 

NOTE: After Brexit, the MHRA and former UK-based Notified Bodies no longer come under EU Regulations.

How Frequent are Unannounced Audits?

Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.

What are Critical Subcontractors and Crucial Suppliers?

The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited “if this is likely to ensure more efficient control… in particular, if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier” (clause 2, point c and Annex III, point 2). The official definition of "critical supplier" is provided by the Notified Bodies Operations Group (NBOG) Guide ‘Guidance for Notified Bodies auditing suppliers to medical device manufacturers’ (NBOG 2010- 1).   

2.2 Critical supplier

A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.

Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others or could cause a significant degradation in performance. This can include suppliers of services, which are needed for compliance with QMS or regulatory requirements, e.g. internal audit contractors or Authorised Representatives.

The usual interpretation is to consider that...

• A critical subcontractor ensures all or part of the MD's design, or performs all or part of the manufacturing processes, or carries out all or part of an activity in relation to regulatory requirements (e.g., post-market data collection), and
  
  
• A crucial supplier provides finished devices or key subassemblies essential to the performance of the MD or critical raw materials.

The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers as per their risk management system. This list is reviewed during the planned audits of the certification cycle.  There is no regulatory requirement for critical subcontractors and crucial suppliers to be informed of their inclusion on such a list.

Who Pays for Unannounced Audits?

The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors/crucial suppliers. In case the manufacturer refuses to pay, the contract between Notified Body and the manufacturer may potentially be breached, resulting in a suspension or even the withdrawal of certificates.

Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the costs of the conformity assessment and manufacturers should factor these additional costs into their budgets.

Who may become subject to Unannounced Audits?

Examples of candidates for unannounced audits include:

• Original Equipment Manufacturers (OEM)
• Suppliers or subcontractors involved in the design and development of medical devices or software development
• Suppliers or subcontractors providing processes that require validation as sterilisation, sterile packaging, virus inactivation
• Suppliers or subcontractors providing critical raw materials that are not fully verified by receiving inspection and testing, e.g. component or raw material for an implant, animal tissue materials

And samples may be taken during an unannounced audit at the supplier’s premises. The EU Recommendation requires performing tests at the premises of critical subcontractors or crucial suppliers. Such samples may only be taken at the site of the supplier with the manufacturer’s consent.

What about Contractual Agreements and Proprietary Processes?

Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) established between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The unannounced auditing of critical suppliers has to be ensured by the legal manufacturer in supply contracts with the supplier.

And, if the supplier does not allow the auditor to see all the processes that are used for manufacturing the product certified by the Notified Body, the audit team will document this in their audit report and recommend to the certification board the suspension of the certification.

What do Unannounced Audits check?

Mandatory elements to be audited in all unannounced audits include:

• Conformity of selected device with the technical documentation and with legal requirements,
• Traceability of all critical components and materials,
• Traceability system,
• Conformity of manufacturing activity ongoing at the time of the unannounced audit with legal requirements, and
• Conformity of manufacturer’s documentation relevant to the manufacturing activity with legal requirements.

Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle. 

At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.

Recommended Actions if you are considered a Critical Subcontractor or Crucial Supplier

If your company is, or is intending to become, a supplier to a medical device manufacturer, we suggest:

• Review or establish in your Supplier Contract whether your company is listed as a critical subcontractor or a crucial supplier in the documentation submitted to the Notified Body. And ensure that there is an obligation to inform you of any change in your status on such a list.
  
  
• Ask your customer to share their risk assessment information in relation to the product and/or services you provide.
  
  
• Develop a protocol/procedure for dealing with an unannounced audit.
  
  
• Train relevant staff in the protocol/procedure.
  
  
• Do a simulated unannounced visit (with your consultant as the auditor, perhaps) to give staff practice in the protocol/procedure and to ensure that your arrangements are robust.

Our ISO 13485 training courses include detailed information on the function and operation of Notified Bodies.

Related Articles

• ISO 13485 Certification: 26 FAQs Answered
• ISO 13485 to be a Requirement in Medical Device Regulations
• ISO 13485: Critical Subcontractors & Crucial Suppliers
• ISO 13485: What Medical Device Suppliers Need to Know

deGRANDSON Global is an ISO Certified Educational Organization

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.