We are in the middle of our 13485:2016 surv audit. We brought production in house from contract manufacturing.
During our planning stage, we talked about ESD requirements for production. We have never required contract manufacturing to use ESD based spec data from our board manufacturers.
Our ISO 13485 auditor considers himself to be the global expert on all things ESD. We submitted our device to ESD testing under IEC 61000-4-2:2008 Part 4-2 and IEC 60601-1-2:2014 Parts 1 and 2, We then tested those exact samples in our original functional V&V testing and they passed.
He is claiming the reports that the devices passed that testing and are not ESD sensitive is not enough to not use ESD protection in production. His follow up was "How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?
This seems ridiculous and appears to invalidate all of our required testing we did to meet ISO, FDA and CE years ago.
Opening note: those standards are EMC standards. ESD testing can partially be considered covered by it, but those standards do far more (and different) things. And yes, they still have their value, just not when it comes to this case. Those standards test the device in fully assembled conditions, including covers and all. This is not the typical condition for manufacture (as said by
@Pads38). Based solely on that, he can refuse those reports as being a valid defense, and rightly so. (Even though ""How do you know the testing didn't slightly damage the electronics slightly altering their performance and shortening their shelf life?" is silly. The unit sent to the test-lab would/should be representative and probably wasn't produced under significantly different conditions)
If there would be a reference to a specific ElectroStatic Discharge management standard, it would be ANSI/ESD S20.20 or IEC 61340-5-1 (and the useful IEC 61340-5-2). Neither is normative in the medical device sector to my knowledge. Thus, there is no regulatory expectation for you to implement them based purely on the fact that they are applicable.
It is likely that if any practices are implemented, they are without claiming compliance to either of those, so there would not be an entry for the auditor to claim deficiency against some specific part of them through your QMS. (And otherwise, the auditor might have a point; but you would be less mystified and not here).
Given that you do not claim it yourself, the auditor must have another channel to write a finding against.
The reasoning path to reach a finding of inadequate ESD control without regulatory or QMS claims have a varying amount of pre-conditions and hops to make.
Pre-condition 1 has been mentioned by
@Tidge:
For our products, electrostatic damage is recognized as a potential contributing factor to product defects.
He can get at you if you have not considered which hazardous situations could arise from electronic component failure, and thus not considered implementing any control such as ESD precautions in manufacture. That would be appropriate, though he should write it against risk management, not manufacturing control or facilities which auditors are prone to do (neural short-circuit in our brains).
Perhaps you have considered hazardous situations for which you either justified unacceptable risk per ISO 14971, while not implementing the known effective ESD management aspect. In this case the auditor has you, but knowing
@Ed Panek 's competence, this company is not in that state.
You might have considered hazardous situations and found your current level acceptable based on history. This is fully valid, and then it would be up to the auditor to find fault with that in your complaints, feedback (warranty claims) and post-market surveillance system. However, he needs to evidence the link from the shortcomings there to the initiating event of ESD at manufacture. Improbable by its nature, though not technically impossible. But if you show that you've considered and monitored it (or at least re-analyzed your data with this view over-night), your countercase is strong.
For devices distributed to the EU, you might not have implemented all of the options available to you which would reduce risk in a
cumulative fashion per EN ISO 14971 and its content deviations. If the auditor must adhere to the consensus statement version 1.1, there's still a way out: the above specific versions are non-harmonized industry standards at a level of protection. This means that any one risk control in the categories harmonized protective measure in the device or manufacturing process, or any inherent safety by design (whether from harmonized, industry or company-specific standards) beats it as an end-point. Thus, under the assumption of single-fault condition (which is still commonly accepted in the medical device industry, though a bit less under 60601-1) if you have a validated safe-state for those failures which might have been caused by ESD in manufacture (and it is present as such in your risk management file), then you have a company specific inherent safety by design.
That last one is a long haul of defense with a lot to prove (but you are saying you have a decent amount of supporting reports), but it is fully compliant. If he is not beholden to consensus statement version 1.1: tough luck, but then that would have been a losing battle anyway.
The core remains: he must not presuppose your device is risky without ESD. That surveillance audit is not for improvement, it is for certification. If you show you are meeting the requirements you are fine. If he wants to make a point, he must be specific about the requirement which he has found you not conforming to.
This does not take away the fact that, for the given cost, I would implement basic ESD management measures. There are practically no options to lead a field failure back to a manufacturing ESD failure on a case basis, but on a statistical base their advantage has been shown. However, I would select what controls to implement based on a risk-assessment which includes consideration of risky handling, warranty case reduction and risk of electronic failures not leading to safe-state.