
    Unannounced Audits by Notified Bodies: What You Should Know


    If your company supplies components or materials to a medical device manufacturer, here is information you need to be aware of, drawn from the regulations that surround ISO 13485 certification. It concerns unannounced audits of your business by Notified Bodies.

    Sample Audit Scenario

    During a recent ISO 13485 certification audit the auditee, a supplier of moulded parts to a medical device manufacturer, was very surprised to discover that her premises could be subject to unannounced audits by a Notified Body. When asked what she would do if such an audit team came to the door, she said that they would be asked to leave. That could have created a major regulatory problem for her customer, a multinational and a vital account.

    Could your business face a similar situation?

    What is the Purpose of Unannounced Visits?

    In 2013, the European Commission published a Recommendation (2013/473/EU) regarding assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of the unannounced audits is to assure day-to-day compliance of the manufacturer’s product and quality management systems.

    Note: Under medical device regulations the ‘manufacturer’ is the organization placing the product on the market and, consequently, the holder of the Marketing Authorizations. Suppliers to the ‘manufacturer’ are designated ‘Critical Subcontractors’ or ‘Crucial Suppliers’, as appropriate.

    A key aspect of this Recommendation is the mandatory requirement that every manufacturer certified under one of the European medical device regulations (MDR or IVDR) undergo an unannounced audit at least once every three years.

    What are Notified Bodies?

    A Notified Body is a third-party organisation assigned by member countries of the European Union (EU) to evaluate if products conform to expected standards before they are released in the market.

    What are Mandatory Regulations Related to Notified Bodies?

    In 2014, various European regulatory authorities, such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, the Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs. It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!

    And the situation has not changed since the introduction of the revised medical device regulations, MDR and IVDR, in 2017.

    NOTE: After Brexit, the MHRA and former UK-based Notified Bodies no longer come under EU Regulations.

    How Frequent are Unannounced Audits?

    Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.

    What are Critical Subcontractors and Crucial Suppliers?

    The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited “if this is likely to ensure more efficient control… in particular, if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier” (clause 2, point c and Annex III, point 2). The official definition of ‘critical supplier’ is provided by the Notified Bodies Operations Group (NBOG) Guide ‘Guidance for Notified Bodies auditing suppliers to medical device manufacturers’ (NBOG 2010-1):

    2.2 Critical supplier

    A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.

    Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others or could cause a significant degradation in performance. This can include suppliers of services, which are needed for compliance with QMS or regulatory requirements, e.g. internal audit contractors or Authorised Representatives.

    The usual interpretation is to consider that...

    • A critical subcontractor ensures all or part of the MD's design, or performs all or part of the manufacturing processes, or carries out all or part of an activity in relation to regulatory requirements (e.g., post-market data collection), and

    • A crucial supplier provides finished devices or key subassemblies essential to the performance of the MD or critical raw materials.

    The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers as per their risk management system. This list is reviewed during the planned audits of the certification cycle. There is no regulatory requirement for critical subcontractors and crucial suppliers to be informed of their inclusion on such a list.

    Who Pays for Unannounced Audits?

    The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors and crucial suppliers. If the manufacturer refuses to pay, the contract between the Notified Body and the manufacturer may be breached, resulting in suspension or even withdrawal of certificates.

    Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the costs of the conformity assessment and manufacturers should factor these additional costs into their budgets.

    Who may become subject to Unannounced Audits?

    Examples of candidates for unannounced audits include:

    • Original Equipment Manufacturers (OEM)
    • Suppliers or subcontractors involved in the design and development of medical devices or software development
    • Suppliers or subcontractors providing processes that require validation, such as sterilisation, sterile packaging or virus inactivation
    • Suppliers or subcontractors providing critical raw materials that are not fully verified by receiving inspection and testing, e.g. components or raw materials for an implant, or animal tissue materials

    Samples may also be taken during an unannounced audit at the supplier’s premises: the EU Recommendation requires tests to be performed at the premises of critical subcontractors or crucial suppliers. Such samples may only be taken at the supplier’s site with the manufacturer’s consent.


    What about Contractual Agreements and Proprietary Processes?

    Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) established between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The unannounced auditing of critical suppliers has to be ensured by the legal manufacturer in supply contracts with the supplier.

    And, if the supplier does not allow the auditor to see all the processes that are used for manufacturing the product certified by the Notified Body, the audit team will document this in their audit report and recommend to the certification board the suspension of the certification.

    What do Unannounced Audits check?

    Mandatory elements to be audited in all unannounced audits include:

    • Conformity of selected device with the technical documentation and with legal requirements,
    • Traceability of all critical components and materials,
    • Traceability system,
    • Conformity of manufacturing activity ongoing at the time of the unannounced audit with legal requirements, and
    • Conformity of manufacturer’s documentation relevant to the manufacturing activity with legal requirements.

    Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle. 

    At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.

    Recommended Actions if you are considered a Critical Subcontractor or Crucial Supplier

    If your company is, or is intending to become, a supplier to a medical device manufacturer, we suggest:

    • Establish in your supplier contract whether your company is listed as a critical subcontractor or a crucial supplier in the documentation submitted to the Notified Body, and ensure that the contract obliges your customer to inform you of any change in your status on that list.

    • Ask your customer to share their risk assessment information in relation to the product and/or services you provide.

    • Develop a protocol/procedure for dealing with an unannounced audit.

    • Train relevant staff in the protocol/procedure.

    • Do a simulated unannounced visit (with your consultant as the auditor, perhaps) to give staff practice in the protocol/procedure and to ensure that your arrangements are robust.




    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems