Notified Body (NB) Audits of Sub-Contractors and Critical Suppliers

Ronen E

Just a person
Super Moderator
#21
Re: NB Audits of Sub-Contractors and Critical Suppliers

We fully specify the component to our supplier (the distributor) who is on our approved supplier list, they supply and we check at goods-in that the correct parts have been supplied. Through this very simple process we have full and demonstrable control of the supply of critical components without the need for any NB intervention. The specification of the parts has to be precise.
This holds true as long as only identity is concerned. However identity verification doesn't necessarily guarantee that quality requirements have been met.

NB intervention, when warranted, is not another layer of QC. It is intended as a measure to ensure that the QMS (as a whole, including the supplier's quality practices) is effective in guaranteeing the required quality level (as such, it can be seen as a QA measure).

During the design process hazards are identified and, where appropriate, are mitigated by employing components which can be considered as safety critical. The efficacy of those components is verified and validated through in-house bench testing and type testing to the 60601 series of standards by an independent, accredited test house. Through that process the specifications of all components, including safety critical, are determined and detailed on the BoM. We can clearly demonstrate that if component part number 'A' with specification 'B' from manufacturer 'C' is fitted in position 'D' all the relevant safety criteria will be met irrespective of who the actual supplier is.
This is a good practice in terms of device design, but it doesn't address process control in the broader sense (which includes purchasing control) and doesn't guarantee consistent production.

In a way, when you say "from manufacturer 'C'... all the relevant safety criteria will be met", you are implying that that manufacturer has been assessed and qualified as a reliable and consistent supplier (regardless of whether they supply directly or through a distributor). If indeed that is the case, you have "just" a documentation gap, in the sense that that manufacturer didn't necessarily go through your documented process of supplier selection and approval. However, if such a process didn't occur (e.g. the manufacturer was selected merely on the basis of component adequacy, without considering the more general quality management aspects of that manufacturer), you might have a weak link in your argument.

We also sub-contract out the assembly of our surface mount PCBs. Contrary to some of the comments made earlier in this thread, our PCB sub-contractors are not classed as critical suppliers by our NB and are not in line for an unannounced audit. This is because of the way we manage them. They have been through our supplier approval process, so we are happy with the way they translate and transfer our BoM into their production control system, we are happy with their processes for managing engineering changes, we are happy with their manufacturing process controls and they supply us with a full traceability report for all of the components used in a manufacturing batch. We have a supply agreement in place with them which describes the regulatory requirements associated with the manufacture of the PCBs and assigns each one to either or both of our companies as appropriate. The crucial part of the process is that when the PCBs arrive we carry out 100% testing. This effectively transfers all of the risks away from the sub-contractor and onto us and for that reason our NB regards the sub-contractor as a significant supplier, but not a critical one.
This relates directly to what I wrote in previous posts. The (excessive?) use of the term "critical" hinders clarity in this case, in my opinion. What the MEDDEV essentially says is that the NB should consider the various suppliers based on the role the components the supply play. That doesn't say anything deterministic about auditing. the NB can and should review evidence regarding the quality performance of certain suppliers, and based on that evidence make the call regarding auditing those suppliers on site. In my understanding, in this process there is room for considering the bigger picture regarding such components (such as 100% verification), so a rational decision on auditing can be made. However, a rationalised decision not to audit in a given context doesn't take away the significance of the component or the need to monitor the quality record of the supplier (or the actual manufacturer). In a way, auditing your 100% verification records is monitoring the evidence on the supplier's quality performance.

We have consulted with our NB along the way and have no critical suppliers as a result.
That apparently settled the case for you, I just wonder how many other NBs operate along the same lines (I also wonder if yours and Pads38's is not by chance the same NB :)). To me a statement that no suppliers require on-site auditing is not exactly the same as a statement that there are no critical suppliers.
 
Last edited:

Laughing Pierre

Involved In Discussions
#22
Re: NB Audits of Sub-Contractors and Critical Suppliers

Hi Ronan,

Thanks for the considered input it is most useful and helps to expand the discussion.

Another issue is regulation vs. guidance. It's true that MEDDEV is the official guidance, and often it's applied by NBs as de-facto regulation, but it's not the regulation. As such it's open to interpretation, which may differ from one NB to another. It can also be challenged by manufacturers with alternative interpretation. The regulation can't be challenged as easily. NBOG is even less authoritative than MEDDEV, and GHTF guidance is mostly voluntary in nature.
We are based in the UK and our NB has informed us that they have been instructed by MHRA that MEDDEVS must be applied in full. They are to be treated as mandatory and not as guidance. They have, therefore, become de-facto regulation. The fact that this is regulation by the back door is another matter altogether. I suspect that the decision was driven, in part, by their desire to improve the standard of clinical evaluation as this is the area where I have seen the most impact.

Your point about QC versus QA is a valid one, however our PCB assembler does not have the capability to carry out the very complex testing required of our boards. Our 100% test regime is part of the production process. We could never expect to build a completed but untested PCB into a device and just hope it (the final product) would work and pass all the functional and safety tests and have all of the adjustable parameters set correctly.

I have to remind you that we have been discussing our NB audits to EN 13485 and 93/42/EEC, Annex II. Of course we have in place rigorous supplier selection and monitoring procedures, rigorous purchasing procedures and every other procedure required by those standards and required to pass our FDA audits in support of our 510(k)s. All of these procedures have been honed over the past couple of decades (+) since we gained our first certification as a medical device manufacturer and, whilst not necessarily absolutely perfect(no procedure ever is), they are absolutely fit for purpose.

To your point
In a way, when you say "from manufacturer 'C'... all the relevant safety criteria will be met", you are implying that that manufacturer has been assessed and qualified as a reliable and consistent supplier (regardless of whether they supply directly or through a distributor). If indeed that is the case, you have "just" a documentation gap, in the sense that that manufacturer didn't necessarily go through your documented process of supplier selection and approval. However, if such a process didn't occur (e.g. the manufacturer was selected merely on the basis of component adequacy, without considering the more general quality management aspects of that manufacturer), you might have a weak link in your argument.

If we identify an integrated circuit as 'being critical to safety' and, just for arguments sake, the IC is manufactured by Motorola; we don't have any purchasing contract with them and Motorola is not our supplier. We are not going to add them to our suppliers list and go and audit them and ask them to sign a supplier agreement which would, amongst other things allow out NB to go and audit them. Their component is fully evaluated as part of our design process and added to the BoM. Fully documented, fully verified, safety aspects fully validated. Each batch of ICs incorporated into our device is fully traceable, fully tested and fully documented. There is no documentation gap and no question about the adequacy of the component.

I hope that this is developing into what could be a useful thread for other Covers and there are some interesting points being made.

I joined in on this thread because there is a lot of anxiety about supplier audits (announced and unannounced) and I wanted to allay some fears by giving a practical example of the way we have dealt with it. This is not theory it is what we have done. If I can make others' lives a bit more sensible as a result I'll be happy.
 

Ronen E

Just a person
Super Moderator
#23
Re: NB Audits of Sub-Contractors and Critical Suppliers

Hi Pierre,

Thanks for your thorough response. I want to clarify upfront that I didn't in any way mean to criticise in specific your company or your practices. I'm relating to your descriptions to make more general points and maybe highlight opportunities for improvement for anyone who comes across this thread. It seems that you have a well-sorted operation that apparently stood the test of time and NB scrutiny, so whatever you do must be working fairly well for you. This is not the main issue here, as far as I'm concerned.

We are based in the UK and our NB has informed us that they have been instructed by MHRA that MEDDEVS must be applied in full. They are to be treated as mandatory and not as guidance. They have, therefore, become de-facto regulation.
I wasn't aware of that policy. In my view MHRA was always stricter than other CAs, and while in some cases it made for a more robust and consistent system it obviously causes some unwarranted extra burden for manufacturers. My comments were more general-EU in nature.

I wonder how things are going to unfold in the post-Brexit age, with the UK eventually moving away from EU legislation / regulation.

Your point about QC versus QA is a valid one, however our PCB assembler does not have the capability to carry out the very complex testing required of our boards. Our 100% test regime is part of the production process. We could never expect to build a completed but untested PCB into a device and just hope it (the final product) would work and pass all the functional and safety tests and have all of the adjustable parameters set correctly.
Please note that I didn't tag your (incoming) testing as QC. While according to strict theory it is, I see it as less of an issue because you test early on in the process (or so I understood). It's definitely more efficient than just testing at the end, where one needs to scrap / rework / concession a finished device.

I also understand that your supplier can't take on that role, and I don't criticise the fact you chose it despite that. Apparently you have considered that aspect during supplier evaluation and weighed the pros and cons to eventually select that supplier, and have put in place risk mitigation in the form of 100% incoming testing. Whether that makes more or less economic sense only you can say. The important point is that those things have been considered and documented.

The second half of that paragraph is interesting. I gather that your final testing reveals that some of the finished devices don't "work" on account of a faulty PCB, or fail functional or safety tests, or have some adjustable parameters set incorrectly. Have these issues been trended? Are they significant? If not, is it actually best practice to assume that "you could never expect" not to test? Could it be a self-fulfilling prophecy? And if, on the other hand, the issues are significant and no-testing is inconceivable, could some of the issues be related to the supply chain and the way you manage it? I'm not implying anything, it's just food for thought.

If we identify an integrated circuit as 'being critical to safety' and, just for arguments sake, the IC is manufactured by Motorola; we don't have any purchasing contract with them and Motorola is not our supplier. We are not going to add them to our suppliers list and go and audit them and ask them to sign a supplier agreement which would, amongst other things allow out NB to go and audit them. Their component is fully evaluated as part of our design process and added to the BoM. Fully documented, fully verified, safety aspects fully validated. Each batch of ICs incorporated into our device is fully traceable, fully tested and fully documented. There is no documentation gap and no question about the adequacy of the component.
I understand that in such a case Motorola wouldn't be your direct supplier and as such not subject to the "normal" supplier qualification provisions, however even at D&D level the supplier should be evaluated and qualified. Typically R&D focus on the technical / component aspects and more general QA aspects are sometimes neglected.

I'm sure that you don't have any documentation gap as to the adequacy of the component, but has the supplier been formally justified? This doesn't have to take the form of on-site audit or a supplier quality agreement; a documented desktop assessment might be all that's required. On the other hand, if you selected a direct supplier (distributor) that lacks technical ability and haven't assessed the original manufacturer in the broader sense then in my opinion there is some gap in the sourcing process. Risk-wise you are probably covered since you verify 100%, but in theory the ultimate goal of supplier qualification and monitoring is to be able to eliminate such extensive testing.

I also understand that suppliers like Motorola are perceived as "quality guaranteed" by nature, but I can't help but wonder if the "glory" associated with brand is always enough as a true guarantee of consistent quality. In fact, over the years I've seen such big names fail marvellously so I tend to be a little sceptic. Of course a small customer can't change Motorola or force its own quality practices on it, but a sound assessment of such "giants" as suppliers might sometimes be eye-opening.

I hope that this is developing into what could be a useful thread for other Covers and there are some interesting points being made.
Certainly.

I joined in on this thread because there is a lot of anxiety about supplier audits (announced and unannounced) and I wanted to allay some fears by giving a practical example of the way we have dealt with it. This is not theory it is what we have done. If I can make others' lives a bit more sensible as a result I'll be happy.
:applause:

My impression is (as noted earlier in this thread) that NBs want to keep their options open and they definitely don't want to end up being denied access into a supplier's premises on (unannounced) audit day; however I think that most NBs would take the supplier audit path only if well and truly warranted. I agree that their limited resources probably play a role as well.
 
Last edited:

somashekar

Staff member
Super Moderator
#24
Re: NB Audits of Sub-Contractors and Critical Suppliers

I would change the subject to "NB Audits of critical processes when subcontracted" ... This would clear some air and help companies to set better CM agreements with such suppliers. These audits could be scheduled or unscheduled .....
 

Charlotte Percy

Starting to get Involved
#25
Re: NB Audits of Sub-Contractors and Critical Suppliers

Hi Ronan,

The requirement comes from directly from the Medical Device Directive under Annex II section 3.3.
 

Ronen E

Just a person
Super Moderator
#26
Re: NB Audits of Sub-Contractors and Critical Suppliers

Hi Charlotte,

I believe that you referred to this clause:

The assessment procedure must include an inspection on the manufacturer's premises and, in duly substantiated cases, on the premises of the manufacturer's suppliers and/or subcontractors to inspect the manufacturing processes.
I am familiar with this clause. It speaks of auditing suppliers' premises in duly substantiated cases.

My question related to Pads38's post, in which he stated that NB unannounced audits apply only to "critical suppliers", who are identified to the NB on the front page of their Technical File, under "any other facilities involved in the design and manufacture of the device". It further claimed that they don't have any "critical suppliers" subject to unannounced audits since they didn't have any suppliers in that list (apparently with the NB's agreement). Since it was presented - at least in my impression - as though this should be the mainstay practice, and not a result of a specific negotiation/agreement between that company and its specific NB, I asked where the regulations prescribe such practice.

In my understanding the need to audit any specific supplier to a medical device manufacturer is established upon review of what they supply, what role the supplied element plays, and whether the evidence indicates any potential quality issues with the supply. This ties quite well with "duly substantiated cases" in s. 3.3 of Annex II, in my opinion.

Cheers,
Ronen.
 

Laughing Pierre

Involved In Discussions
#27
Re: NB Audits of Sub-Contractors and Critical Suppliers

The second half of that paragraph is interesting. I gather that your final testing reveals that some of the finished devices don't "work" on account of a faulty PCB, or fail functional or safety tests, or have some adjustable parameters set incorrectly. Have these issues been trended? Are they significant? If not, is it actually best practice to assume that "you could never expect" not to test? Could it be a self-fulfilling prophecy? And if, on the other hand, the issues are significant and no-testing is inconceivable, could some of the issues be related to the supply chain and the way you manage it? I'm not implying anything, it's just food for thought.
You're reading far too much into my words and reading between the lines where there is nothing to be read. Your suppositions are so wide of the mark they're not even on the same page. The variable parameters are set up during test. If we just plugged the board and went with it they couldn't possibly be right. Also testing is needed because there might be failures, not because there are failures.
 

Ronen E

Just a person
Super Moderator
#28
Re: NB Audits of Sub-Contractors and Critical Suppliers

Your suppositions are so wide of the mark they're not even on the same page.
Pierre,

There's no need to be defensive and there's definitely no need to be offensive.

As I noted my comments were made as food for thought, you are perfectly free to ignore them if you feel that they're useless to you.

Again, if there are absolutely no failures (or just very little) - and I completely take your word for that - that's great and I seriously suggest that maybe you could reduce your testing. It's not bantering, it's just good normal QA practice. I also thought it's common sense.

Please also consider that I don't write only to you even if I quote your posts. Having been in these forums for about 6.5 years I know that many times threads are of use to visitors other than the OP, sometimes years later and in significantly different contexts. For this reason I allow myself to push the discussion envelope sometimes, in order to make a more general point.

I didn't intend to suggest your practice is wrong in any way and if I offended you I apologise.

All the best,
Ronen.
 
Last edited:

Charlotte Percy

Starting to get Involved
#29
Re: NB Audits of Sub-Contractors and Critical Suppliers

Hi Ronen,

Yes I think there is a triage type system whereby only those suppliers/subcontractors with a large influence would be under ordinary circumstances considered for audits, and those are likely identified somewhere by the NB. Yet if a product recall occurs in Europe for a CE marked device the Competent Authority may rally the NB to pay a visit to a supplier if his supplied contribution to the product is identified as the cause of the recall...
 

Jeffers

Starting to get Involved
#30
Re: NB Audits of Sub-Contractors and Critical Suppliers

I was directed here from another thread on a similar topic. I would like to provide some input, while also posing a question. I initially posed a question about defining "critical suppliers". After reading through every thread I could locate, I thought I had a pretty good handle on the topic. With some feedback from other members, we are going to implement a new "supplier evaluation form". During our annual supplier evaluations, this form will help us to determine the level of supplier (and if they are considered a "critical supplier"). Because we do not outsource any steps that involve handling our final product, and every item received goes through an inspection process, none of our suppliers fall into the "critical supplier" category. As I understand 13485, if it is my prerogative to use this process, and it satisfies the guidance, then my NB cannot necessarily say this is "wrong".
An important point to note: during my last audit, one particular supplier was listed as a critical supplier by my NB, but they are NOT included on my CE Certificate.

I thought this was going to be a great approach UNTIL I read through "NBOG's Best Practice Guide: Guidance doe Notified Bodies auditing suppliers to medical device manufacturers", located at the following website:
www.nbog.eu/resources/NBOG_BPG_2010_1.pdf

Under section 5, there is the following note included:


"It is the responsibility of the manufacturer to determine which are critical items or processes and how their purchase is controlled. This depends on the manufacturer’s risk management activity. However, the auditing organization may decide to visit suppliers deemed by the manufacturer to be non-critical."

Based on this, it does not appear to be my prerogative to determine critical/non-critical supplier, or rather, those suppliers who I need to have contracts with provisions that allow for external audits (and therefore, unannounced audits).

How then, do I determine what suppliers need to have contracts that allow for unannounced audits if the NB has the authority to visit a supplier that I have not identified as critical?​
 
Last edited by a moderator:

Top