If your company is a supplier of components or materials to a medical device manufacturer, here’s information you need to be aware of, taken from ISO 13485 Regulations, about unannounced audits of your business by Notified Bodies.
Recommended Actions if You are Considered a Critical Subcontractor or Crucial Supplier
Sample Audit Scenario
During a recent ISO 13485 Certification Audit, the Auditee, a supplier of moulded parts for a medical device manufacturer, was very surprised to discover that her premises could be subject to Unannounced Audits by a Notified Body. When asked what she would do if such an Audit Team came to the door, she said that they would be asked to leave. And that could have created a major regulatory problem for the customer, a major multinational (and a vital customer).
Could your business face a similar situation?
In 2013, the European Commission published a Recommendation (2013/473/EU) regarding assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of the unannounced audits is to assure day-to-day compliance of the manufacturer’s product and quality management systems.
Note: Under medical device regulations the ‘manufacturer’ is the organization placing the product in the market and, consequently, the holder of the Marketing Authorizations. Suppliers to the ‘manufacturer’ are designated ‘Critical Subcontractors and Crucial Suppliers’, as appropriate.
A key aspect of this Recommendation is the mandatory requirement of unannounced audits for all manufacturers certified under one of the European medical device regulations (MDR or IVDR) at least once in every three years.
A Notified Body is a third-party organisation assigned by member countries of the European Union (EU) to evaluate if products conform to expected standards before they are released in the market.
In 2014, various European regulatory authorities, such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs. It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!
And the situation has not changed since the introduction of the revised medical device regulations, MDR and IVDR, in 2017.
NOTE: After Brexit, the MHRA and former UK-based Notified Bodies no longer come under EU Regulations.
Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.
The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited “if this is likely to ensure more efficient control… in particular, if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier” (clause 2, point c and Annex III, point 2). The official definition of "critical supplier" is provided by the Notified Bodies Operations Group (NBOG) Guide ‘Guidance for Notified Bodies auditing suppliers to medical device manufacturers’ (NBOG 2010-1).
2.2 Critical supplier
A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.
Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others or could cause a significant degradation in performance. This can include suppliers of services, which are needed for compliance with QMS or regulatory requirements, e.g. internal audit contractors or Authorised Representatives.
The usual interpretation is to consider that...
The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers as per their risk management system. This list is reviewed during the planned audits of the certification cycle. There is no regulatory requirement for critical subcontractors and crucial suppliers to be informed of their inclusion on such a list.
The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors/crucial suppliers. If the manufacturer refuses to pay, the contract between the Notified Body and the manufacturer may potentially be breached, resulting in a suspension or even the withdrawal of certificates.
Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the costs of the conformity assessment and manufacturers should factor these additional costs into their budgets.
Examples of candidates for unannounced audits include:
And samples may be taken during an unannounced audit at the supplier’s premises. The EU Recommendation requires performing tests at the premises of critical subcontractors or crucial suppliers. Such samples may only be taken at the site of the supplier with the manufacturer’s consent.
Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) established between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The unannounced auditing of critical suppliers has to be ensured by the legal manufacturer in supply contracts with the supplier.
And, if the supplier does not allow the auditor to see all the processes that are used for manufacturing the product certified by the Notified Body, the audit team will document this in their audit report and recommend to the certification board the suspension of the certification.
Mandatory elements to be audited in all unannounced audits include:
Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle.
At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.
If your company is, or is intending to become, a supplier to a medical device manufacturer, we suggest:
Our ISO 13485 training courses include detailed information on the function and operation of Notified Bodies.