Auditor driving us nuts - ESD requirements

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
We are in the middle of our 13485:2016 surv audit. We brought production in house from contract manufacturing.

During our planning stage, we talked about ESD requirements for production. We have never required contract manufacturing to use ESD based spec data from our board manufacturers.

Our ISO 13485 auditor considers himself to be the global expert on all things ESD. We submitted our device to ESD testing under IEC 61000-4-2:2008 Part 4-2 and IEC 60601-1-2:2014 Parts 1 and 2, We then tested those exact samples in our original functional V&V testing and they passed.

He is claiming the reports that the devices passed that testing and are not ESD sensitive is not enough to not use ESD protection in production. His follow up was "How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?

This seems ridiculous and appears to invalidate all of our required testing we did to meet ISO, FDA and CE years ago.
 
Last edited:

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
Not yet...we are going to talk this AM about is this an OFI or?
 

Pads38

Moderator
I think there is a difference between ESD safe at a unit level and ESD safe at component level.

Good engineering practice would certainly demand ESD precautions in any (electronics?) assembly area - even things like diodes can be damaged by ESD.
We got taken to task during an FDA inspection. Had to banish all cardboard and ordinary plastic bags (even for nuts and bolts!).
 

Tidge

Trusted Information Resource
He is claiming the reports that the devices passed that testing and are not ESD sensitive is not enough to not use ESD protection in production. His follow up was "How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?

There is a difference between the finished device and the individual components. Perhaps this auditor didn't make it clear where the concerns lie.

I think there is a difference between ESD safe at a unit level and ESD safe at component level.

Good engineering practice would certainly demand ESD precautions in any (electronics?) assembly area - even things like diodes can be damaged by ESD.

I have approached ESD concerns in manufacturing within manufacturing pFMEA. For our products, electrostatic damage is recognized as a potential contributing factor to product defects. We have an assessment of our ES-sensitive components; we recognize the minimum level of concern that can lead to damage and we have an established program to mitigate ESD at the level necessary to address those levels. It has been a long time since I was directly involved with our ESD program so I can't remember precise levels and may get some specific terminology wrong.

In our specific case, we have a multi-tiered approach to ESD in manufacturing to control the risks associate with things discharging to the components (e.g. wrist straps, mats) as well as the components getting charged by external fields (e.g. ionizers, banishing cardboard). Our components are not extremely sensitive but they are sensitive enough that we have a rather robust program.
 

Jean_B

Trusted Information Resource
We are in the middle of our 13485:2016 surv audit. We brought production in house from contract manufacturing.

During our planning stage, we talked about ESD requirements for production. We have never required contract manufacturing to use ESD based spec data from our board manufacturers.

Our ISO 13485 auditor considers himself to be the global expert on all things ESD. We submitted our device to ESD testing under IEC 61000-4-2:2008 Part 4-2 and IEC 60601-1-2:2014 Parts 1 and 2, We then tested those exact samples in our original functional V&V testing and they passed.

He is claiming the reports that the devices passed that testing and are not ESD sensitive is not enough to not use ESD protection in production. His follow up was "How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?

This seems ridiculous and appears to invalidate all of our required testing we did to meet ISO, FDA and CE years ago.

Opening note: those standards are EMC standards. ESD testing can partially be considered covered by it, but those standards do far more (and different) things. And yes, they still have their value, just not when it comes to this case. Those standards test the device in fully assembled conditions, including covers and all. This is not the typical condition for manufacture (as said by @Pads38). Based solely on that, he can refuse those reports as being a valid defense, and rightly so. (Even though ""How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?" is silly. The unit sent to the test-lab would/should be representative and probably wasn't produced under significantly different conditions)

If there would be a reference to a specific ElectroStatic Discharge management standard, it would be ANSI/ESD S20.20 or IEC 61340-5-1 (and the useful IEC 61340-5-2). Neither is normative in the medical device sector to my knowledge. Thus, there is no regulatory expectation for you to implement them based purely on the fact that they are applicable.
It is likely that if any practices are implemented, they are without claiming compliance to either of those, so there would not be an entry for the auditor to claim deficiency against some specific part of them through your QMS. (And otherwise, the auditor might have a point; but you would be less mystified and not here).

Given that you do not claim it yourself, the auditor must have another channel to write a finding against.
The reasoning path to reach a finding of inadequate ESD control without regulatory or QMS claims have a varying amount of pre-conditions and hops to make.
Pre-condition 1 has been mentioned by @Tidge:
For our products, electrostatic damage is recognized as a potential contributing factor to product defects.
He can get at you if you have not considered which hazardous situations could arise from electronic component failure, and thus not considered implementing any control such as ESD precautions in manufacture. That would be appropriate, though he should write it against risk management, not manufacturing control or facilities which auditors are prone to do (neural short-circuit in our brains).

Perhaps you have considered hazardous situations for which you either justified unacceptable risk per ISO 14971, while not implementing the known effective ESD management aspect. In this case the auditor has you, but knowing @Ed Panek 's competence, this company is not in that state.

You might have considered hazardous situations and found your current level acceptable based on history. This is fully valid, and then it would be up to the auditor to find fault with that in your complaints, feedback (warranty claims) and post-market surveillance system. However, he needs to evidence the link from the shortcomings there to the initiating event of ESD at manufacture. Improbable by its nature, though not technically impossible. But if you show that you've considered and monitored it (or at least re-analyzed your data with this view over-night), your countercase is strong.

For devices distributed to the EU, you might not have implemented all of the options available to you which would reduce risk in a cumulative fashion per EN ISO 14971 and its content deviations. If the auditor must adhere to the consensus statement version 1.1, there's still a way out: the above specific versions are non-harmonized industry standards at a level of protection. This means that any one risk control in the categories harmonized protective measure in the device or manufacturing process, or any inherent safety by design (whether from harmonized, industry or company-specific standards) beats it as an end-point. Thus, under the assumption of single-fault condition (which is still commonly accepted in the medical device industry, though a bit less under 60601-1) if you have a validated safe-state for those failures which might have been caused by ESD in manufacture (and it is present as such in your risk management file), then you have a company specific inherent safety by design.
That last one is a long haul of defense with a lot to prove (but you are saying you have a decent amount of supporting reports), but it is fully compliant. If he is not beholden to consensus statement version 1.1: tough luck, but then that would have been a losing battle anyway.

The core remains: he must not presuppose your device is risky without ESD. That surveillance audit is not for improvement, it is for certification. If you show you are meeting the requirements you are fine. If he wants to make a point, he must be specific about the requirement which he has found you not conforming to.

This does not take away the fact that, for the given cost, I would implement basic ESD management measures. There are practically no options to lead a field failure back to a manufacturing ESD failure on a case basis, but on a statistical base their advantage has been shown. However, I would select what controls to implement based on a risk-assessment which includes consideration of risky handling, warranty case reduction and risk of electronic failures not leading to safe-state.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
We are writing a memo with 3 mitigating factors

1)We do 100% product verification at the time of packaging. Power on the unit, Bluetooth QC app verifies the temperature and related circuitry is working and sending data (its a one way comm device)

2) The IEC reports

3) Current field data from contract manufacturers showing over 100,000 units inthe field and no failures due to the contract man not using esd in their production

We also received a signed letter from the chair of EE at Case Western Reserve University who reviewed our report and said we do not need to use ESD in our line

We hope this will be enough.
 

Jean_B

Trusted Information Resource
That won't factor into his concern. He sounds focused on the end of the bathtub curve, and that doesn't show in those snapshot tests and inspections at the beginning. Perhaps predictive failures or measurements of service checkups might give some indication, but that doesn't seem to apply to your description of the device and system around it.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
Perhaps. We specifically asked our electronics manufacturer to design a board we could handle without ESD. The spec they signed states it isnt required. Just not sure what we can do.
 
Last edited:

Tidge

Trusted Information Resource
Perhaps. We specifically asked our electronics manufacturer to design a board we could handle without ESD. The spec they signed states it isnt required. Just not sure what we can do.

This is a very strong start. It would probably be more effective to have the manufacturer provide a statement as to what levels of sensitivity the board has. If you decide to implement an ESD controls program, you will have an idea how much effort you can expect to expend (for this component).
 
Top Bottom