Customer's NB (BSI) says certificate issued by a certified body is not valid

JamiecNoxfox

Registered
The company I work for provides services to medical device manufacturers and as such we do not place our own medical devices on the market. One of our customers is currently being audited by BSI and they are stating that BSI have told them that our ISO 13485:2016 certificate is not valid as it has not been issued by a notified body but only by a certified body. Does anyone have any insight into this and is this correct?
 

Jean_B

Trusted Information Resource
I am very confused on the (small) bunch of threads suddenly active on this topic in the same way. See also:
As far as my knowledge extends the following interactions occur in the major regions:
  • ISO 13485 certification, by a Conformity Assessment Body (CAB) accredited by an accreditation body under the IAF MLA, assesses against additional documents specific to ISO 13485 (IAF MD 5, IAF MD 8, IAF MD 9) as well as generic (other IAF documents), plus accreditation body specific protocols, decisions etc. Certification to this.
    • The publicly available IAF MD 9 only notes some generic advice.
    • The general assessment standard for CAB activities is ISO 17021-1 (and other standards in the series). To my current knowledge they do not contain anything the like of the specificity described in this and the other threads.
  • EN ISO 13485 certification can stand in for part of the QMS requirement of the EU Medical Device Regulation. However, EN checks are only accepted if done by NBs, and then the question still is whether they check the Z annex aspects appropriately as they also tend to focus on the main body.
  • MDSAP ISO 13485 Certification. It does not combine.
    • It is the only one with a publicly available and very specific set of instructions and requirements on the certified scope. See "Scope of Certification Document" in document "MDSAP AU P0026: Certificate Document Requirements".
    • "10. Scope of Certification Document
      All MDSAP certification documents shall contain a scope of certification statement detailing the activities and devices covered by the certification document. Where there are multiple facilities or locations covered by the certification document, the certification document will contain, in addition to an overall scope of certification statement, relevant sub-scope statements for each location or facility that detail the devices manufactured and activities audited in each facility. The activities and devices in the sub-scope statements must be covered by the overall scope of certification statement.

      The scope of a certification document shall be clear and unambiguous as to the devices manufactured and the activities that were audited, and the requirements against which they were audited. The scope shall include any limitations or conditions that may apply. Therefore, the scope of a certification document shall clearly identify the applicability of the criteria where it is not universal, such as when certain devices are not marketed in certain jurisdictions, or where design controls are not applied to certain devices.

      Activities

      All the activities covered by the scope of certification statement should be relevant to the devices covered. In wording the scope statement of the certification document, only the following terms may be used:

      “Design, development, manufacture, production, servicing, installation, or distribution”

      More specific terms may be included in the sub-scope statements for individual locations. (e.g., assembly, packaging, sterilization, quality control, warehousing, etc.)

      All certification documents must include the terms "manufacture" or "production" in the overall scope statement. If design controls are included, the terms "design" or "design and development" must be included in the scope statement.

      Devices

      The scope statement shall list all devices covered by the certification document. In doing so, generic device group descriptors may be used. The listing shall be specific enough to determine whether a given device (e.g. paediatric bone biopsy needle, PFO closure device, gamma camera, etc.) is covered without resorting to the inclusion of trade-names, models, or device identifiers. Generic terms such as "medical device", "components", "accessories", or "parts" shall not be used. Specific descriptions shall be used for such items that are provided by the manufacturer of a medical device.

      See Appendix 1 for examples of generic device group descriptors."
  • IMDRF/GRRP WG/N59 FINAL:2024 provides a set of guidelines to which many competent authorities, CABs, NBs, etc. tend to align. It is in essence a consensus document aligning activities, but not by itself a requirement.
    • 7.7.2. When a CAB issues certificates and regulatory review reports, they shall meet the requirements of the relevant Regulatory Authority.
    • 7.7.3. When a CAB issues reports and certificates intended for use by a specific Regulatory Authority, the reports and certificates shall accurately document: a. the scope of the regulatory review; b. the scope of certification issued, including clear identification of the certified medical device and its use; and c. the review criteria used to assess the regulatory submission, including which Regulatory Authority requirements have been assessed.
Over-integration of the MDSAP requirements to apply to all ISO certificates instead of only MDSAP ISO certificates might lead to these stories, and might be a consequence of renewed attention given that the document was updated 2024-03-07.
The unknown/unfamiliar factor might then be the Regulatory Authority publishing/issuing instructions, which could be (perhaps rightfully) construed as regulatory requirements, but us common folk are not privy to it. The IMDRF one which implies this was published 2024-04-26, but that would be too quick I think.

As for your case: an ISO 13485 certification granted by a conformity assessment body under accreditation by an accredited body is valid.
It might however not provide you presumption of conformity for the EU MDR specific aspects if it is not an EN ISO certificate, nor hold much clarity for the FDA if it is not MDSAP ISO. EN ISO certificates are usually only attainable in combination with CE certificates for the quality system.
If you have a certificate mill ISO 13485 certification, then it might also not be valid.
However, the fact that it wasn't issued by a Notified Body is not a specific/unambiguous enough aspect to warrant the claim that it is not valid.
 

Chrisx

Quite Involved in Discussions
When I worked for a German notified body, this was a big issue. The designating authority (ZLG) had concerns that the ISO 13485 assessment did not include the aspects of the MDD. They were also concerned that the auditors may not have been trained on the MDD and meet the qualification requirements of the notified body. As such, they required the NB to ensure that the EN ISO 13485 certificate from critical suppliers was issued by a notified body. The notified body must reside in the EU. Certificates with addresses from registrars in other countries were not accepted. At the time, BSi certificates were some of the most commonly rejected ones, as they were frequently issued from a US office. They were certificates from BSi America. Since then, I think other member states and notified bodies have taken this stance.

You can claim all you want that it isn't fair or that the certificate is valid. It doesn't really matter. The designating authority has all the control over the NB. The NB has to comply or risk restrictions or loss of designation (i.e. end of NB). The NB doesn't have any choice. Many people blame the NB for their actions, but it is often the designating authority or competent authority that is actually driving the decision.
 

Jean_B

Trusted Information Resource
That would align with the IMDRF document's direction. However, as far as I know it now plays both for bodies in UK and the Netherlands, which would make it above any one authority.
Would you happen to have an idea on how to find out the directions given to the Notified Bodies on this, whether it is only the German one or other ones?
 

Chrisx

Quite Involved in Discussions
Unfortunately, I would not know. Some of these things are in the inspection reports of the NB and not necessarily a public document. As I recall ZLG used to have a guidance on this, but I could not locate it on their website anymore.
 

yodon

Leader
Super Moderator
This sounds like it's getting ridiculous. What's the point of using an accredited CAB if they ALSO have to be in a certain geographic region?

We're an engineering services provider holding an ISO 13485 cert (through BSI). One of the services we provide is software design and development - which, as I understand, is now considered a critical service (making us a critical supplier). Based on this discussion, our cert could be considered worthless.

How is this healthy for the industry? How does this make patients in the EU safer?

This is also getting to the insanity with the MDR that's causing devices to drop off the EU market.
 

JamiecNoxfox

Registered
Thanks for the great replies guys, very helpful.

Our certificate is through a reputable company (ex-NB) so definitely not a certificate mill by any means. I'm guessing the assumption by BSI is that we perhaps haven't considered/audited against the annexes within EN ISO 13485 so cannot presume we are compliant?

The crazy thing is this customer is being audited against the TGA! not MDD/MDR (I know they have mutual agreement with the EU regarding EN ISO 13485 certification...) It's all really odd considering we haven't had this from any of our other customers who all sell into Europe. Maybe a warning for what's coming down the line.
 

Chrisx

Quite Involved in Discussions
The MDR is insane. You will get no argument from me on that point. Just to clarify, the auditor doesn't necessarily have to be in the EU. However, all notified bodies have to be headquartered in the EU. Many have satellite offices around the world.
 

Jean_B

Trusted Information Resource
Just to make this a more complete resource of a funky moment in time.
Canada in 2017 in "Guidance Document GD207: Guidance on the Content of ISO 13485 Quality Management System Certificates Issued by Health Canada Recognized Registrars"

gives:

2.6 Scope Statement

For regulatory purposes, the certificate's scope statement consists of two components:
  • QMS processes, including related services; and
  • device listing.
It is incumbent upon the Manufacturer to draft the initial scope statement (ISO 17021-1:2015 9.2.1). The finalized scope statement will be subject to clarifications, audit findings, and the Registrar's certification decision. (ISO 17021-1:2015 9.3.1.2.2d )
Manufacturers and Registrars are strongly encouraged {emphasis mine} to employ the scope templates found in APPENDIX 1.

2.6.1 QMS Processes, Including Related Services

A Manufacturer of a Class II device complies with MDR section 32(2)(f) by providing to Health Canada "a copy of the quality management system certificate certifying that the quality management system under which the device is manufactured..." A Manufacturer of a Class III or IV device complies with MDR sections 32(3)(j) or 32(4)(p) respectively by providing to Health Canada "a copy of the quality management system certificate certifying that the quality management system under which the device is designed and manufactured..."
Thus, depending on the class of the device(s) involved, the scope statement will contain "manufacture" or "design and manufacture". A certificate which lacks "design" in the scope statement that is submitted in relation to a Class III or IV device will not be accepted by Health Canada. A certificate which lacks "manufacture" in the scope statement, regardless of the device class involved, will not be accepted by Health Canada (see notes below). {emphasis mine}
Additional QMS processes and services pertaining to the device may also be listed in the scope statement, but in most situations should be limited to QMS processes per ISO 13485:2003 (see ISO 13485:2003, 0.1) or 13485:2016 (see ISO 13485:2016, 0.1). All processes listed in the scope statement will be supported by evidence of conformity (ISO 17021-1:2015 9.3.1.3a). Any listed processes outside the scope of ISO 13485:2003 or ISO 13485:2016 shall be auditable and will have been carried out by audit teams possessing the necessary competence (ISO 17021-1:2015 7.2.7). Additional audit time will have been allocated and justified.
  • NB1: Health Canada will not accept "development" in place of "design". "Design and development" is acceptable.
  • NB2: Health Canada considers manufacture and production to be interchangeable and thus use of either term is acceptable.

2.6.2 Device Listing

All medical devices that are:
  • manufactured or designed and manufactured under an ISO 13485:2003 or ISO 13485:2016 QMS; and,
  • licenced for sale or will be licenced for sale in Canada,
shall be listed in the certificate's scope statement using generic device groups. Despite the use of generic device groups, the device descriptions shall be of sufficient detail such that there can be little to no reasonable doubt that the devices listed in the scope statement refer to the same device(s) in a licence application, renewal or amendment (the term "accessories" is not a generic device group).
{Emphasis mine}
The templates in Appendix 1 cover a broad range of generic device groups. Other generic device groups may also be listed, such as Class I devices or devices that fall outside of the Food and Drugs Act definition but meet an ISO, or other national, or regional definition.
In addition to being accurate and complete, the scope statement should be robust; that is, it should not have to be modified every time devices are added or removed from the generic device groups covered by the scope, or that a design or manufacturing change is made to one of the specific devices included in the groups. Consequently, the listing of product names, trade names, catalogue numbers, device licence numbers, or device classes in the scope statement is not permitted. Certificates bearing such information will not be accepted by Health Canada.
Separate quality management system certificates for each component or member of a device family, group, group family, system and test kit will not be accepted by Health Canada.
 