Auditing Organization (AO) versus Notified Body (NB) versus Registrar. What’s the difference?
With the introduction of the Medical Device Single Audit Program (MDSAP), you may have heard the term “Auditing Organization” tossed around. It seems like a pretty generic term and most people assume that it is synonymous with Notified Body and Registrar. Are they the same? Are they different? Yes.
Let us explain.
While these terms are often used interchangeably, you should understand the differences in nomenclature. We detail these differences in the table below, but here is a high-level overview.
“Notified Body” is a European-centric term derived from EU legislation, and as such these third-party organizations focus on CE Marking compliance and quality system audits. The role of a Notified Body is to conduct a conformity assessment under the relevant EU Directives or Regulations. Conformity assessment typically involves an audit of the manufacturer’s quality system and, depending on the device classification, an assessment of associated technical documentation.
Registrars only audit for QMS compliance related to an ISO standard such as ISO 13485 or ISO 9001.
If a Notified Body or Registrar conducts an audit in the context of the Medical Device Single Audit Program, they are considered an Auditing Organization (AO).
Choosing the right partner
Most of the larger audit and certification entities fulfill the role of Notified Body, Registrar and AO. Manufacturers selling their medical devices internationally may choose to work with an organization that holds all three designations. Why? If your company plans to take advantage of the Medical Device Single Audit Program (MDSAP) you will need to work with an AO. Since nearly all of the AOs are also EU Notified Bodies and Canadian Registrars, you gain flexibility by working with a larger organization. The downside is that you may give up something with regard to service or price. Consider your future expansion plans carefully, especially if they involve Brazil, Japan or Canada.
Yes, certification bodies have rules to follow too!
Auditing Organizations, Notified Bodies and Registrars are all subject to oversight by an Accreditation Body and/or Competent Authority. Example accreditation bodies include the ANSI National Accreditation Board (ANAB), the Standards Council of Canada (SCC), and the United Kingdom Accreditation Service (UKAS). A current list of Accreditation Body Members can be found on the IAF (International Accreditation Forum) website. Certification Bodies must comply with ISO/IEC 17021-1, proving their competence to conduct audits and demonstrating their impartiality. Like manufacturers, certification bodies are also certified, and this is one way for you to know that your chosen partner meets international requirements.
Each European country has a Competent Authority, a government agency responsible for overseeing the enforcement of medical device regulations. EU Notified Bodies are supervised by the Competent Authority (Ministry of Health or National Authority) in the European country in which they are based. For example, TÜV SÜD is based in Germany, so if Germany’s Federal Institute for Drugs and Medical Devices (BfArM) decided that TÜV SÜD no longer meets the requirements of auditing companies against the MDD (93/42/EEC) or the MDR (2017/745), it could suspend TÜV SÜD’s ability to conduct such audits. Ultimately, all Notified Bodies, Registrars and AOs operate under the watchful eye of Competent Authorities and accredited quality system certification bodies.
The interaction between certification bodies, accreditation bodies and competent authorities is a system of checks and balances. Each organization plays an important role in ensuring that you, the manufacturer, are audited fairly and by companies with the competence to do so. Ultimately, the process leads to safer and more effective medical devices.