Justification for Non-applicable clause at Stage 2, in clause 4.

[somashekar]

At stage 2 audit, when you come across a situation where a non-applicability is claimed and justified in clause 4.2.3 (In Clause 6,7,8 only, non-applicabality can be claimed, per the scope)., does this situation lead to a major NC / minor NC ?
Of course, the stage 1 has to be detecting such, but it was not captured in the stage 1.
Thoughts ...

 

[Sidney Vianna]

does this situation lead to a major NC / minor NC ?

If I were confronted with that situation I would STILL base my decision on a risk assessment. How critical is the missed process at hand? For example, if it were product design and development I would stop the stage 2 audit. If it is a minor sub clause, I would be concerned with the expected evidence that could be provided before a recommendation for certification would be triggered. Nevertheless, the CB should trigger a CAR to address the failure in identifying the issue during stage 1.

 

[Hi_Its_Matt]

At stage 2 audit, when you come across a situation where a non-applicability is claimed and justified in clause 4.2.3 (In Clause 6,7,8 only, non-applicabality can be claimed, per the scope)....

Just to make sure, you're saying the auditee claimed that 4.2.3 (Medical Device File) is not applicable? What was the justification?

 

[somashekar]

Just to make sure, you're saying the auditee claimed that 4.2.3 (Medical Device File) is not applicable? What was the justification?

The justification points to HQ responsibility, and the HQ is not a part of the QMS under audit.

 

[Hi_Its_Matt]

On the one hand you could call it a major due to the absence of a required part of the standard. If, however, the org can demonstrate that HQ actually maintains the required information and can provide it in a timely fashion, you could consider it a minor from a risk-based perspective. If the org maintains the portion of medical device file documents that are relevant to the work they perform, and there isn't a problem with missing documents/records throughout the inspection, I would likely go the latter route.

 

[Jean_B]

What is the scope the auditee is going for?Since the 2016 edition of 13485, companies that are not medical device manufacturers (whether legal or contract) are allowed to certify against it. Main targets were "supply chain(component/raw material manufacturers)/distribution" (see its section 0.3), because they were often already asked to comply by clueless purchasing requirements but could technically not comply. In that case non- applicability could be justifiable as they have no device to keep such a file for.
Other angle: the legal manufacturer must have the access to the technical file/or arranged for IP matters to be accessed by the relevant notified body (in the EU). There should be arrangements (agreements) that arrange that access that can be audited as evidence if it lies with another party.

 

[somashekar]

What is the scope the auditee is going for?.

The storage, distribution, installation and servicing of medical device...

 

[Jean_B]

The storage, distribution, installation and servicing of medical device...

That is a supply chain partner.
They would not have access nor responsibility to the usual file prescribed by 4.2.3, which is located at the legal manufacturer. The crucial takeaway from the clause is that the information relevant for a device is usable similarly to a DMR (to get this, do this), though not with such a nice sequence to it.

Installation and servicing, as well as competence evaluation instructions thereof are key, but would be provided and should be controlled as external documents, with arrangements to be kept up to date and select the right version/variant of device if applicable.
Should measurement be crucial, such as for devices that require calibration, those instructions and standards should be similarly controlled as well. Storage and shipping instructions would also be expected to be available linked to the product (if these are crucial).
Another set, usually not provided by the device manufacturer, should deal with relaying information for the devices: complaints up-chain, field safety notices etc downstream.


As for evidence of conformity, it would not have any direct means. It could request the relevant CoC/certification documentation (e.g. the EU Declaration of Conformity and the product list) of the device and verify it is on there. To be honest, this requirement depends far more on the regulatory regime whether it is representative of an actual requirement (in EU MDR it is).

Note that for the upstream component/raw material suppliers most of this would be provided by the purchase order specifications as usual, and far less or no device specific things would be expected.
When entire (sub)assemblies or devices are (contract) manufacturered it would tend more to a traditional DMR. However here that is not the case.

 

[somashekar]

Jean_B
In full agrement with what you say., can it be listed as non-applicable... ?
The Scope of the standard only permits non-applicable with justification in clause 6,7,8. The medical device file is in clause 4 (4.2.3)
To the extent of the activity, the client has to demonstrate that medical device file is maintained, even with the contents being external origin documents. Am I wrong in this interpretation ?

 

[LUFAN]

If this was an MDSAP audit, I think it will still fall under a "minor" score of 2. 1 point for Clause 4/5 + 1 point for a lack of procedure. Might be a better way to conceptualize it.