Customers NB (BSI) says certificate issued by a certified body is not valid

EmiliaBedelia

> The company I work for provides services to medical device manufacturers and as such we do not place our own medical devices on the market. One of our customers is currently being audited by BSI and they are stating that BSI have told them that our ISO 13485:2016 certificate is not valid as it has not been issued by a notified body but only by a certified body. Does anyone have any insight into this and is this correct?

Yes, this is correct. BSI has additional requirements for suppliers that have ISO 13485 certificates that are not issued by an NB.

See their MDR submission guidelines here:

So, the result (should be) that BSI will audit you as a supplier. It is not that the cert itself is not valid to demonstrate your conformity to ISO 13485, it's that that cert ALONE does not demonstrate all of the requirements to meet the MDR. The critical subcontractor/crucial supplier designation implies some level of manufacturer responsibility for product quality is being passed off to the supplier - so essentially that supplier must meet the requirements that would be imposed on a manufacturer for that activity.

I promise you that manufacturers don't like this requirement either, but I can confirm that this is normal behavior for BSI at least.
 

Sidney Vianna

> Yes, this is correct. BSI has additional requirements for suppliers that have ISO 13485 certificates that are not issued by an NB.

Willing to be corrected, but as far as I know, the legal entities for the Notified Body and the Certification Body roles are distinct. For example, bsi Americas may issue an ISO 13485 certificate under a European Accreditation but they might NOT be a NB. So, what is the rule/policy for sure?

Also and once again, correct me if I’m wrong, but NBs (the legal entity) don’t issue management system certificates, do they? Aren’t they solely involved with product certification (CE-marks)?
 

EmiliaBedelia

I don't know that the legal entities are necessarily different - the roles and accreditations are different but one group could hold both.

Both our ISO 13485 and CE certificates are issued by BSI Group based in the Netherlands, which is both an NB and a CB. Our MDSAP certificate, however, is issued by BSI Americas, which is the group that does the on-site surveillance auditing. So, I think this is highly dependent on how the NB is organized.

MDD/MDR both have quality system requirements for certain conformity routes, so yes, CE marking often involved quality management system certification. Some products don't require NB review to obtain a "product certificate" but you still need a QMS certified to the regulation (even if you have ISO 13485 certification, you also get an MDR QMS certificate).

To be clear, the statement about BSI not "recognizing" certs from non-NB issuing orgs is only in the context of MDR technical documentation review. It doesn't mean that BSI doesn't think the certificate is valid, it just doesn't meet BSI's interpretation of the MDR requirements for that specific portion of the tech doc.
 

Jean_B

> I don't know that the legal entities are necessarily different - the roles and accreditations are different but one group could hold both.
>
> Both our ISO 13485 and CE certificates are issued by BSI Group based in the Netherlands, which is both an NB and a CB. Our MDSAP certificate, however, is issued by BSI Americas, which is the group that does the on-site surveillance auditing. So, I think this is highly dependent on how the NB is organized.
>
> MDD/MDR both have quality system requirements for certain conformity routes, so yes, CE marking often involved quality management system certification. Some products don't require NB review to obtain a "product certificate" but you still need a QMS certified to the regulation (even if you have ISO 13485 certification, you also get an MDR QMS certificate).
>
> To be clear, the statement about BSI not "recognizing" certs from non-NB issuing orgs is only in the context of MDR technical documentation review. It doesn't mean that BSI doesn't think the certificate is valid, it just doesn't meet BSI's interpretation of the MDR requirements for that specific portion of the tech doc.

I think that it's an inappropriate, or at least an uncommonly harsh, assumption made by BSI.

The qualification and control of non-critical suppliers is up to the supplier, and it is common that some form of QMS certification results in less customer-specific qualification and control work.
The aspects of outsourced processes (especially design and virtual/contract manufacturing) and supplier production processes whose results cannot be validated are what make a supplier critical.
From the harmonized ISO 13485 A11 annex, no additional requirements are imposed on clauses relating to this (4.1.5; 4.1.6, 7.4, 7.5.6, 7.5.7)
The A11 even has clarifications such as "9, 1st paragraph, 1st sentence; 4,5,6,7,8; Covered. EN ISO 13485 requires the quality management system to comply with applicable regulatory requirements and that production is planned, carried, monitored, and controlled to ensure that product conforms to specification and regulatory requirements.", and "9, 3rd paragraph (d); 4.1.5, 6, 7.4.1; Covered. EN ISO 13485 includes specific requirements for provision of human resources including competence, infrastructure, work environment and contamination control", and "2.2 2nd paragraph (b) indent 3; 4.1.5, 7.4.1; Covered. EN ISO 13485 has requirements for cases when an organization outsources an activity, and these requirements link with the requirements for evaluation and selection of suppliers, their monitoring and their re-evaluation".

The MDR itself concerns itself with suppliers and notified bodies
4.5.2. Quality management system auditing
(a) As part of the assessment of the quality management system, a notified body shall prior to an audit and in accordance with its documented procedures:
...
— identify links between, and allocation of responsibilities among, the various manufacturing sites, and identify relevant suppliers and/or subcontractors of the manufacturer, and consider the need to specifically audit any of those suppliers or subcontractors or both,
...
(b) Based on the audit programme it has drawn up, the notified body shall, in accordance with its documented procedures:
Besides the BSI one I have had some technical documentation review formats from SGS, DEKRA and Tuv Sud lying around.
Some (rightfully) look at special processes and the appropriate supplier controls, something for which generally validation documentation and control arrangements are useful.
...
— if not already covered by the audit programme, audit the control of processes on the premises of the manufacturer's suppliers, when the conformity of finished devices is significantly influenced by the activity of suppliers and, in particular when the manufacturer cannot demonstrate sufficient control over its suppliers,


The right to audit such critical suppliers is common, but as part of the arrangements to meet the regulatory obligations, and not as a 'to-do' by default with exemptions for Notified Body certificates.

I also have access to the MDR technical documentation guidances of Tuv Sud, DEKRA, SGS. In those, none of them have the kind of setup regarding critical suppliers that BSI has. Furthermore, I think the level stated only makes sense and can be argued to hold for design service suppliers and virtual manufacturing suppliers, as these can have more intense integration and ambiguity with respect to (continued) EU MDR compliance.
For suppliers who are critical merely due to a special process for a part, this would indicate a disbelief by BSI in the accreditation setup surrounding ISO 13485 certification.
 

Aliken

When I worked for a German notified body, this was a big issue. The designating authority (ZLG) had concerns that the ISO 13485 assessment did not include the aspects of the MDD. They were also concerned that the auditors may not have been trained on the MDD and meet the qualification requirements of the notified body. As such, they required the NB to ensure that the EN ISO 13485 certificate from critical suppliers was issued by a notified body. The notified body must reside in the EU. Certificates with addresses from registrars in other countries were not accepted. At the time, BSi certificates were some of the most commonly rejected ones, as they were frequently issued from a US office. They were certificates from BSi America. Since then, I think other member states and notified bodies have taken this stance.

You can claim all you want that it isn't fair or that the certificate is valid. It doesn't really matter. The designating authority has all the control over the NB. The NB has to comply or risk restrictions or loss of designation (i.e. end of NB). The NB doesn't have any choice. Many people blame the NB for their actions, but it is often the designating authority or competent authority that is actually driving the decision.
Everybody could be concerned about everything. However, such concern doesn't give you a right to "invalidate" the ISO 13485 certificate issued by the non-NB accreditation body. Unless NBs live in a world where might is right and not right is might. If the NB suspects that the non-NB party that issued the ISO 13485 certificate is unaware of MDR-related quality aspects, they should check them during their annual audit. After all, the manufacturer is expected to meet quality MDR expectations, and it can summarize them, e.g., in the Strategy for regulatory compliance procedure, which may include the control of your service providers.
 