Blog

Posts Tagged Notified Body

Notified Body Unannounced Audits Have Begun

This article provides an update on the status of unannounced audits by Notified Bodies for CE Marking of medical devices.

unannounced audits Notified Body Unannounced Audits Have Begun

The EU Commission provided recommendations to Notified Bodies last Fall on how they should conduct three different kinds of audits: 1) product assessments, 2) quality system assessments, and 3) unannounced audits (http://bit.ly/Audit-Recommendations). The recommendations do not propose any changes to existing practices for product assessments (i.e., review of CE Marking applications) that are being conducted in accordance with the European Directives, or quality system assessments that are being conducted in accordance with ISO 17021 (http://bit.ly/ISO-17021-2006). The recommendation does, however, propose new auditing practices specific to conducting unannounced audits (http://bit.ly/Unannounced-Audits).

The recommendation is addressed to Member States, rather than Notified Bodies, because the intent is for Competent Authorities in each member state to enforce these recommendations when they are reevaluating existing Notified Bodies for renewal. The intent is that the EU Commission and Member States will use compliance with the “recommendation” for unannounced audits as one of the criteria for deciding which Notified Bodies will retain their status when the new European Medical Device Regulations are approved in 2015. Therefore, all of the Notified Bodies are scrambling to complete a number of unannounced audits before the end of 2014.

Who will be audited in 2014?

In 2014, the primary targets for unannounced audits will be manufacturers of high-risk, Class III devices. The primary targets for unannounced audits are unlikely contract manufacturers, because Notified Bodies may not have access to all the technical documentation while they are auditing a contract manufacturer. I expect each of the Notified Bodies to plan at least one unannounced audit of a contract manufacturer for a Class III device that is outsourced, but I don’t expect this to be the focus of unannounced auditing activities in 2014.

It is already July and only a handful of unannounced audits have been performed as “pilots.” Most of the Notified Bodies trained auditors on how to conduct unannounced audits in May or June during their annual auditor training. Therefore, we can expect a dramatic increase in the number of unannounced audits during the remaining months of 2014. If your firm has recently had CE Marking compliance issues with a Class III device, you should expect an auditor soon.

4 Ways unannounced audits are different

Unannounced audits differ from traditional quality system audits in four ways.

1. Unannounced audits are truly unannounced–with no warning at all. Even the US FDA inspectors have the courtesy to call on Friday to inform manufacturers of their intent to visit the following Monday or Tuesday. In order to ensure that auditors are able to conduct unannounced audits as planned, Notified Bodies are asking manufacturers to provide information about when production activities will be shut-down.

2. Unannounced audits will always be conducted by an auditing team with at least one person that is qualified to review the technical documentation (i.e., Technical File or Design Dossier) and compare it to the actual production activities. This is similar in some ways to how FDA inspectors review a Device Master Record (DMR) and then compare the DMR to production and process controls they observe in manufacturing. However, the technical experts from Notified Bodies typically have a minimum of five years experience designing similar devices, and a two-person team can spread your resources dangerously thin if you are a smaller company that is used to providing a guide for only one auditor or inspector.

3. Unannounced audits will involve more time spent by auditors in production areas, instead of reading documents in conference rooms. You can expect brief opening meetings, because auditors need to review critical processes as quickly as possible. Specifically, the auditors are required to use a risk-based approach to select two of the following processes:

  • design controls
  • establishment of material specifications
  • purchasing control and incoming inspection
  • assembling
  • sterilization
  • batch-release
  • packaging
  • product quality control

If a company conducts sterilization on-site, I would expect this to be a likely prospect for sampling. However, the two areas I expect to be sampled most frequently are: 1) purchasing control & incoming inspection, and 2) batch-release. These two processes are expected to be sampled frequently, because these processes facilitate ad hoc sampling and demonstration of testing. This is important, because Notified Bodies are expected to observe product testing.

4. Unannounced audits will be conducted at suppliers when critical processes are outsourced. Therefore, if Class III device manufacturers outsource final inspection, packaging and sterilization–the suppliers providing these services may be unannounced audit targets for multiple Notified Bodies. ISO 13485 certified suppliers have enjoyed a decade of little direct involvement by regulators, but unannounced audits are about to change this.

How will unannounced audits change in the future?

In 2015, and beyond, unannounced audits will be conducted at contract manufacturers and manufacturers. Unannounced audits will also be conducted for all risk classifications of devices–unless the device does not have Notified Body involvement (i.e., Class I, non-sterile and non-measuring devices). The number of unannounced audits will also increase, because Notified Bodies are required to conduct an unannounced audit for each client at least once during a three-year period–and more frequently for high-risk, Class III devices.

What should be done to prepare?

Preparation for unannounced audits should be very similar to your preparation for FDA inspections (http://bit.ly/FDA-Inspection-Webinar), but you will now need to evaluate your suppliers more rigorously to ensure they are also prepared for unannounced audits. The FDA rarely visits suppliers and they are not allowed to review supplier auditing records. Notified Bodies will not have these restrictions. You will need to demonstrate a good balance between incoming inspection activities and other types of supplier controls. If your incoming inspection activities consist primarily of reviewing paperwork, then you need to balance this with supplier auditing (http://bit.ly/Supplier-Audits) and monitoring of in-process and final inspection nonconformities caused by supplier quality problems.

If you are interested in learning more about unannounced audits by Notified Bodies, please click on this link to pre-register for our webinar recording on the topic: http://bit.ly/unannounced-audits-webinar. Pre-registration pricing is $79, compared to our normal webinar price of $129. The pre-registration period ends July 18.

Posted in: CE Marking

Leave a Comment (2) →

CE marking 4 digit number for medical devices

fourdigitquestion CE marking 4 digit number for medical devicesThis article explains the purpose and use of a CE marking 4 digit number for medical devices, minimum size requirements and other considerations. 

CE marking 4 digit number

The CE marking 4 digit number that is displayed next to the CE mark on some medical devices is the Notified Body (NB) number. If there is no CE marking 4 digit number, this means that the medical device is a Class I device that does not require NB involvement (i.e., self-declaration). If the device is a Class I device, and there is a NB number next to the CE mark, then the device either has a measuring function or is sterile.

Requirements for CE marking 4 digit number

The Medical Device Directive is divided into Articles and Annexes. Section 1 of Article 16 indicates that the European Commission is responsible for assignment of NB numbers. In Article 17, ¨CE Marking,¨ it states: ¨[The CE] shall be accompanied by the identification number of the notified body responsible for implementation of the procedures set out in Annexes II, IV, V and VI.¨ Annex XII defines the minimum size (i.e., 5 mm) of the CE. The requirements for the size of the NB identification number is not included in Annex XII, but NBs interpret the requirements for size as half the height of the ¨CE.¨

Companies are responsible for reproducing the CE Mark on their labeling and the product–including the 4-digit number. However, if the space available on the product is too small to allow a 5 mm ¨CE,¨ then the company is not required to reproduce it on the product. Instead, it is sufficient to reproduce the CE Mark on product labeling and the Instructions For Use (IFU). One source of the artwork for the ¨C¨ and ¨E¨ is the Europa website.

If a NB number is required, usually there are a couple of different orientations that are allowed by the NB. Most NBs specify that the NB number shall be to the right or beneath the “C” and “E”. However, most NBs have specific instructions available for reproduction of the CE Mark and the proper orientation of their NB number. Often, the NB will also provide artwork for downloading that includes the NB number in one or more orientation.

Product Failure Investigations

Identification of the NB may not seem important, however, the NB number can help caregivers to identify the NB that approved CE Marking of a product when there is an investigation of product failures with an unknown manufacturer. In that case, the NB will then share this information with the appropriate manufacturer in order to facilitate an investigation. The NB number is also used to differentiate when the oversight by one NB stops, and a new one begins, after transferring from one NB to another.

If a someone wants to know which NB is associated with each NB number, the EU Commission operates the NANDO information system as a database, allowing you to search each of the 60+ NBs by CE marking 4 digit number. The database also allows searching by: country, annex/article, product and horizontal technical competence.

If your company is selecting a NB, you can search the product and technical competency categories to identify which NBs are able to issue CE certificates for your product. There are ten possible technical competencies to use as search criteria. For example, if your company manufactures absorbable sutures (i.e., competency, MDS 7009) there are only 32 NBs (shrinking every day) that have the technical competence to assess your Design Dossier for conformity with the MDD.

If your company is developing porcine-based collagen implants (i.e., competency, MDS 7010), then there are only 24 NBs (shrinking every day) able to issue a Design Examination Certificate for CE Marking. If your company needs additional guidance on how to select a NB, you might consider reading a blog on certification body selection.

Posted in: CE Marking

Leave a Comment (0) →

A 6 Step Approach if You Disagree With a Notified Body Auditor

The author’s first certification audit experience is discussed, and we review six different approaches to take if you disagree with a notified body auditor.

My first certification audit ever didn’t go so well. The reason it didn’t go well is that the auditor wrote nonconformities that my boss and our regulatory consultant didn’t agree with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I’ve never seen veins that big in someone’s forehead–even in cartoons.

I asked them both to leave the room, because I was afraid to “push back” on the auditor. Many Management Representatives feel the same way that I did during that initial certification audit. The best way to summarize our concerns is with the following picture:

kodiak A 6 Step Approach if You Disagree With a Notified Body Auditor

Recently another LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their own personal opinions, rather than specific requirements of the Standard. For example: there is a requirement to assign management responsibilities and document it, but there is no requirement to have an organization chart.

Another common mistake is when auditors insist that a company must create a turtle diagram for every single process. I support the use of turtle diagrams 100%, but the only requirement in the Standard is to use the process approach–not turtle diagrams specifically.

My favorite is my own personal mistake. I wrote a nonconformity for not having a process for implant registration cards for a company that was planning to ship a high-risk implant product to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices–not implants in general.

Auditors are human. These are audit findings–not a jail sentence. Everyone needs to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, then you need to develop a CAPA plan. If the auditor finds nothing, you still need to do your own internal audits to identify nonconformities and continuously improve processes.

What Should You Do When an Auditor is Wrong?

I recommend that you “push back”, but you need to know how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it’s annoying. If you do it multiple times, an auditor might just eat you.

One Management Representative did that to me after I had taken the time to review the requirements with him. I responded by holding the ISO 13485 Standard in front of him and reciting clause 7.3.2. He responded by saying, “Well that’s up for interpretation.” I offered to recite the ISO 14969 guidance document for him, but his boss told him to  shut up.

This certainly wasn’t the only time a client pushed back during a registration audit, but other clients have had the sense to argue about things they actually understood.

One of the clients I audited said that he would change the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has taken the approach of asking me to explain where they can learn about best practices. I’m sure that they were somewhat successful. Another approach is to slide the lunch menu in front of them; I have only met one auditor that would not be distracted by a lunch menu.

6 Step Approach When You Disagree With an Auditor

1. Shut-up and look it up (before you open your mouth, grab the applicable external standard and locate the information you are looking for).

2. If you are still convinced that the auditor is wrong, then tell that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.

3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.

4. If the CAPA plan the auditor is looking for is something you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for resolution of disputes.

5. No matter what, don’t start an argument with the registrar. They actually enjoy it. They like a challenge  and resent people with less experience criticizing them.

6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

Posted in: ISO Certification

Leave a Comment (0) →

Preparing for ISO 13485 Certification in 5 Steps

The author provides 5 steps in preparing for the ISO 13485 certification process, and his own insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better way to learn it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is: http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics and its quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

As a client I have completed two initial certifications personally and three transfers, but I have only once had the sales representative actually visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. In fact, the one that actually visited my company (Robert Dostert) has been on speed dial for almost a decade and he’s received repeat business.

 

 

2. Application Form

The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

my two cents1 Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process just like any other supplier selection decision. I have provided guidance on this specific selection process on more than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit

%name Preparing for ISO 13485 Certification in 5 Steps

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

Dekra’s statement that, “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this, but most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during the Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment, so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to conduct a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal auditing and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.

 

5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is really an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits doesn’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit 10 months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days prior to certificate expiration (i.e.,  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday a new discussion question was posted asking for help with selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

Posted in: ISO Certification

Leave a Comment (5) →

What is an NB-MED?

The author defines what an NB-MED is, Team NB and their role, provides a regulatory update and some information sources.

Each time I review a list of external standards I notice at least a few references that are out-of-date. Occasionally, I am surprised and everything appears to be current, but it is almost impossible to stay current with all the external standards. The most difficult standards to maintain are those that are untracked. Untracked standards are difficult to stay current with because it requires manually checking each source to determine if a standard has been updated. One of these sources is Team NB.

Team NB

Team NB describes itself as the “European Association of Notified Bodies for Medical Device.” Team NB is an organization comprised by Notified Bodies (NBs). These NBs create guidance documents in order to clarify the interpretation of regulations in the EU. Since NBs are generating the documents, rather than Competent Authorities (CAs), it is possible for Team NB to reach a consensus more quickly than CAs. Since these documents are guidance documents, the NB-MED documents are not enforceable or binding. However, in all likelihood, your NB will interpret ISO 13485 and the MDD (93/42/EEC as modified by 2007/47/EC) in accordance with these guidance documents.

The website link I provide in my “Helpful Links” page includes many links to important guidance documents. Among the recently updated NB-MED documents is: NB-MED 2.5.2/rec 2. The “rec” is not the same as a revision. For example, rec 2 is “Reporting of design changes and changes of the quality system,” while rec 1 is “Subcontracting – QS related.” The link I have provided will land you directly on the list of NB-MED documents and the right-hand column identifies the date the document was added to the list. Therefore, if you want to know about new and revised NB-MED documents, you merely need to read the documents that are identified as being added since your last visit.

NB-MED 2.4.2/rec 2

At this time, NB-MED 2.5.2/rec 2 is the only recent addition—and you should read it. Many companies struggle with design changes, and they don’t know if the change is significant or not. Revision 8 of this document includes helpful examples. I recommend reading this document carefully, and then revising your own change notification procedure to match the document. If you don’t have a change notification procedure, your QMS auditor has been lazy. Don’t let them give you the excuse of “It’s just a sampling.” This document has been published for a long time, and the intent has not changed since 2008—just new examples to clarify the interpretations.

There is a posting from 1/14/11. This is an excellent list of all the NB-MED documents. I recommend printing this document and using it to compare against your current external standards list. There is a very recent posting from 2/7/12 that answers frequently asked questions about the implementation of EN 60601. If you don’t know what this is, you probably don’t have an active device.

On 3/27/12 there was a letter from Team NB indicating that they condemn Poly Implant Prothèse (PIP) for committing fraud (well duh). Who would endorse them?

Finally, on April 17, 2012, meeting minutes were posted from an April 5th meeting of Team NB. The NBs indicated that the medical device authorization system is good! This is not a surprise, since any other response would be a self-criticism and potentially career limiting. The minutes also indicate that the Team wants as many of the members to endorse the “Code of Conduct” (CoC) that was recently drafted by the “Big 5” NBs. So far, the acceptance of this Code is limited, but the Competent Authorities have other plans.

Competent Authorities (CAs) are currently evaluating the NBs with regard to competency for handling Class III devices. In addition, there is a plan to revise the regulations in Europe (2014 is the guess). These changes will be major. The Team NB website could be a source of information about rapid changes in the next 12 months, but for now, it’s the quiet before the storm. The Great Consolidation of European Regulators is about to begin (or maybe all the NBs will endorse the CoC and the CAs will forget about it).

 

Posted in: CE Marking

Leave a Comment (3) →
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons