ISO 13485 Unannounced Audits and Joined-up Thinking. Or Not.
I blame those faulty French breasts, and the criminal who sold them to unsuspecting surgeons worldwide. The issue of ISO 13485 unannounced audits seems to be a classic top-down, politically-driven response to an issue of dangers from medical devices. I suspect that Euro-Bureaucrats, several levels removed from the reality of the situation, have felt a need to be seen to be at least doing something, and hence they came up with the questionable idea of unannounced visits from the notified body.
And, rather than being some distant, yet-to-be-imposed directive, it was effective from 1st April 2014.
I have spent over 20 years of my life as an ISO Consultant, seeking to make standards relevant to the daily realities of business. And the whole issue of ISO13485 unannounced audits sits in the realm of the abstract, one that I try not to inhabit.
If you are concerned about unannounced audits, then we’re probably best to meet and talk. But, meanwhile, in no particular order, here are some of my questions and concerns.
Multiple Duplicate Visits? So you are a UK distributor of own brand labelled medical devices originally manufactured in China. The manufacturer has 49 other distributors based in various locations across Europe. To meet regulations the Chinese manufacturer has to be registered with a Notified Body, have their devices registered and be certified against ISO 13485. All the distributors who “own brand label” also need to be registered with a Notified Body and certified against ISO 13485. Now, the latest changes to the medical device regulations says that the certification body/notified body can decide they want to visit the original (Chinese) manufacturer. As the certification bodies make profit from such trips, auditors like travelling overseas, and after all, manufacturers are much more interesting to audit than distributors, they are quite likely to visit the manufacturer. But they already get visits from their own notified body, so are they likely to accept visits from up to 50 other Notified Bodies ? I think this may be questioned.
Who Pays? . Well its quite clear that the certified company pays, and the specified unannounced audits also require two auditors. These are extra visits from those currently in your contract. Plus, would you be happy that an independent third party is going to visit your manufacturers and make judgements affecting your ability to trade without you being present ? So that’s three people. Do lower end devices have sufficient margin to be able to swallow additional, non-contractual costs which could be in the tens of thousands of pounds ?
We’ve Been Here Before. Unannounced audits are not a new idea. Some certification bodies ran their ISO 9001 certification using unannounced visits. This eventually fell into disrepute as they turned up at a factory to find that key staff were off site or busy. Under the regime of ISO 13485 unannounced audits, manufacturers are expected to have staff available who can deal with an unannounced visit, and if you don’t you’ll be charged for the visit and your certification threatened. Clearly this isn’t practical among smaller, leaner companies.
So, I blame those French Fakes . The breast implant saga in France was a major reason for introducing unannounced visits. The regulators probably ought to bear in mind that the contravention was not discovered by an ISO 13485 audit, or a notified body at all. An internal whistle blower disclosed the crime, and as an auditor of many years experience, I’m less than confident that even in my best investigative moments I would have found it – if the client company lies well enough and has had the time to hide evidence, it is unlikely that an external audit will discover anything.
I’m all for standards such as ISO 13485 keeping us safe. However, I’m also a champion of the achievable and relevant. I have a number of ISO 13485-certified businesses as clients. But for ISO standards to work, they need regulation that is practical, relevant, and sustainable. ISO 13485 unannounced audits are not. I believe this is an incomplete story, and the process as being implemented at the present will not be sustainable, watch this space ! (Meanwhile, I’m always happy to talk.)
Written by Colin Brown of ISO Consultants