Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Steven Brand
A crucial method for differentiation (and profitability) in a tight market
Peter Rose
A tardy response will be costly and painful
Stephen McCarthy
Data-driven decisions are only as good as the data that drive them
Jennifer Lopez
How manufacturers can best prepare as the FDA moves to adopt ISO 13485:2016
Stephanie McArdle
The agency seeks to balance expedient exemptions against public transparency about medical devices

More Features

FDA Compliance News
Creates adaptive system for managing product development and post-market quality for devices with software elements
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
The FDA wants medical device manufactures to succeed, new technologies in supply chain managment
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
The FDA’s RMAT designation goes live

More News

Richard A. Vincins

FDA Compliance

ISO 13485: Creating a Globally Harmonized Quality System

An overview of the standard's requirements and use around the world.

Published: Friday, July 17, 2009 - 16:44

Through the 1990s, the application of a quality system relied primarily upon the Food and Drug Administrations’ (FDA) good manufacturing practice requirements or the FDA 21 CFR Part 820 Quality System Regulation. At that time, the international standards for quality management systems (QMS) were ISO 9001, ISO 9002, or ISO 9003, depending upon the scope of the organization’s quality system. Fast forward to 2009 and in the medical devices manufacturing industry, we now rely primarily upon ISO 13485 and the FDA Part 820 Quality System Regulation (QSR) to assure compliance. ISO 13485 and the quality system regulation are the de facto standards utilized by medical device and in vitro diagnostic companies for compliance with QMS requirements. There are other regulatory standards that may be specific to regions or countries that must be reviewed separately for organizations specific needs.

In this article, we will discuss how to utilize these standards for assuring harmonized compliance and assist in marketing devices around the world. We will focus primarily on ISO 13485—"Medical devices—Quality management system—Requirements for regulatory purposes," and how this international standard is utilized for meeting global regulatory requirements.

The first question that most organizations ask is, "Do we need to have ISO 13485 certification to market our devices; and which countries require this?" One interesting aspect is the actual title of ISO 13485 states "requirements for regulatory purposes," indicating that regulatory agencies would use this standard for this purpose. And they do currently. Many countries outside of the United States and Europe don't have the resources to conduct inspections outside their own borders. Thus, they must rely upon a regulatory standard to assure organizations apply a QMS for compliance. (Refer to the table below for a comparison of regulatory standards by region.). The QMS of a medical device company is then certified by a registrar who audits the organization on a routine basis at least annually. This assures that medical device companies are complying with a known regulatory standard though there are some differences with regions around the world that will be discussed in this article.

Requirements in the EU and Canada

The European Union and Canada which will be combined as their requirements are similar in scope in discussing how to implement a harmonized quality system. Both of these areas utilize the implementation and certification of QMSs, which comes in the form of ISO 13485 (Canada requires it). However, this is only the first step in marketing devices within the European Union or Canada. These regions require additional processes in place such as adverse event reporting, submission activities, and notification to the regulatory agencies in certain circumstances.

In fact, to acquire a medical device license in Canada requires an ISO 13485 certificate plus compliance with Part 1 of the Canadian Medical Device Regulations. The European Union Medical Device Directive requires that a QMS must be implemented to assure the device is produced to be effective and safe as documented in the Technical File. Also, ISO 13485 certification isn't technically required for European compliance but most companies use this standard to meet the QMS requirements found in the Medical Devices Directive (93/42/EEC) and the In Vitro Diagnostic Medical Devices Directive (98/79/EC). These requirements have been in place since the publication of the Medical Devices Directives and Canadian regulations in the 1990s.

There are countries such as Australia, New Zealand, and others that have come to rely upon requirements similar to those found in the European Union. These countries have updated their national laws to require medical device manufacturers to implement QMSs. This means that part of the regulatory submission to allow marketing a medical device in their country may require an ISO 13485 certification as part of the submission process. There may be other methods for a medical device manufacturer to demonstrate compliance with a QMS requirement, but certification to ISO 13485 is the expectation. As stated, regulatory agencies such as Health Canada require proof of ISO 13485 certification before the company can apply for a medical device license. Though countries may not specifically require ISO 13485 certification, they do state QMS implementation, which by default is ISO 13485 as the internationally recognized standard.

Requirements in Japan

Japan is another country that requires ISO 13485 as the certification method to assure the organization has implemented a QMS. Japan’s requirements are designated in Ministerial Ordinance No. 169 issued by the Japanese Ministry of Health, Labour and Welfare (MHLW). As in the previous examples for other regions or countries, there are additional requirements for marketing medical devices in Japan. Some of these include the appointment of a marketing authorization holder, reporting of adverse events, and the Seihin Hyojun Sho (similar to the device master record required by the FDA). Japan requires ISO 13485 certification as part of their submission process because they also don't have the resources to inspect manufacturers around the world. There may be other hurdles an organization must overcome such as translating applications into Japanese, but certification to ISO 13485 provides a standard method for medical device companies to apply a harmonized quality management system.

Requirements in the United States

That leaves the United State to discuss how the ISO 13485 standard applies to the quality management systems of medical device manufacturers. The short answer is that ISO 13485 doesn't apply. However, the Part 820 QSR and the ISO 13485 standard were written to relate or agree with each other. Organizations often ask if they need two QMSs to meet the requirements of the Part 820 QSR and ISO 13485. When the current revision of ISO 13485 was in development, the International Organization for Standardization (ISO) had representatives from the United States, specifically the FDA, on the technical advisory group. The intent was that a company would be able to establish, implement, and maintain a single quality management system that could comply with both Part 820 QSR and ISO 13485. This does not mean that FDA will accept ISO 13485 certificates as evidence that the manufacturer complies with Part 820 QSR in the United States1. A company can implement a single quality management system that complies with the Part 820 QSR and ISO 13485 though there may be slight differences.

The current situation that medical device manufacturers must contend with is that an FDA inspector may not accept ISO 13485 certification although expectations do exist. The FDA inspectors may hold a medical device company to a higher standard if they are aware that the company is ISO 13485-certified. This also applies to some registrar auditors who may audit facilities during an ISO 13485 certification to requirements of the FDA QSR. Our own expectations as a medical device manufacturer are that these audits or inspections are performed to the scope of the proper regulatory standard. However, it doesn't mean that auditors expect medical device companies to meet the Part 820 QSR and ISO 13485 requirements simultaneously if they are marketing worldwide.

For the United States there may be some point in the future that the ISO 13485 standard may be adopted though this may be many years in the future. The differences between Part 820 QSR and ISO 13485 may not be extensive but there are differences such as labeling requirements, packaging requirements, inspection activities, or acceptance activities. Please keep in mind that these statements are generally made as the application of a QMS depends on the complexity of the device, risk of the device, and how a second-party auditor will audit the facility. The FDA requires a QMS to be implemented according to the QSR and there may be additional differences for an organization that also wants to implement an ISO 13485 QMS.

Implementing a single QMS

This leads to the last portion of the article discussing how an organization can implement a QMS to meet the regulatory requirements around the world. The first decision an organization must make is where they are planning to market their medical device or in vitro diagnostic medical device and what quality management standard must be applied (reference in table below). As ISO 13485 is recognized around the world, medical device manufacturers need to concentrate on the quality system regulation for the United States and ISO 13485 for the other regions. Medical device companies usually start out with either an FDA QSR-compliant system or an ISO 13485-compliant/certified system; they may already have a quality system developed for both. As stated the QMS implementation depends on the complexity and associated risk with the device. The organization doesn't need to create two distinct QMSs for compliance to Part 820 QSR or ISO 13485.

The second decision for the quality management implementation is to determine the scope that may be required for specific regulatory requirements. To create a single quality system, the organization may need to create additional procedures within the QMS. These individual procedures address the requirements specific for the European Union, Canada, Japan, United States, and other regions. The interesting fact is that an ISO 13485-certified system includes these additional requirements as part of the standard.

As an example, in the subclause 8.5.1 of the ISO 13485 standard, there is a requirement if national or regional regulations require notification of adverse events that meet specific reporting criteria, these must be met. In effect, those individual requirements from the United States, European Union, Canada, et al. can be met for notification of adverse events based on ISO 13845. An organization may decide to create a single procedure for adverse event reporting to satisfy the requirements of ISO 13485 and the individual regional regulations. Use caution in this approach though as the auditors will be specifically looking for how adverse events are reported in Canada or the European Union to ensure these regional regulations are being met. The organization must make decisions on the criteria and scope of their QMS to ensure they are meeting the national and regional regulatory requirements.

Conclusion

The ISO 13485 standard is utilized as the QMS standard that applies to many regions around the world for regulatory compliance. The implementation of a QMS is required in many cases for the marketing of a device in the different countries or regions. The organization’s QMS is certified by a second party to give assurance that a QMS conforms to regulatory requirements. Unlike the United States that has FDA investigators to assure compliance to the QSR, other countries must rely upon ISO 13485 certification for regulatory compliance.

In conclusion, a medical device company can implement a single harmonized QMS based on ISO 13485 to meet the regulatory requirements of the United States, the European Union, Japan, Canada, Australia, and many other countries.

Table 1: Compliance Standards and Regulatory Requirements by Region


Region

Compliance Standard

Regulation

Submission Method

Adverse Event Handling

United States

Quality System Regulation (current Good Manufacturing Practice)

21 CFR Part 820

510(k) or Pre-Market Authorization (PMA)

Medical Device Reporting (MDR)

European Union

ISO 13485:2003

Medical Devices Directive (MDD) 93/42/EEC as amended by 2007/47/EC

Summary Technical Document (STED) or Technical File/Design Dossier

Medical Device Vigilance (MDV)

Canada

ISO 13485:2003

Medical Device Regulations (MDR) SOP/98-282

Medical Device License (MDL)

Mandatory Problem Reporting (MPR)

Japan

ISO 13485:2003

Pharmaceutical Affairs Law (PAL) and MHLW Ordinance #169

Summary Technical Documentation (STED) and Seihin Hyojun Sho

Similar Vigilance reporting

Australia/New Zealand

ISO 13485:2003

Therapeutics Goods Act

Device with existing CE Marking or Summary Technical Document (STED)

Similar Vigilance reporting

Rest of World

Some rely on ISO 13485 / some rely on Quality System Regulation and some on both

Some have country specific regulations or rely on other regions methods

Device Master Record (DMR), Technical File, or country specific submission

Some have processes – rely on MDR or MDV

References
1. The FDA does have a Third-Party Inspection (Devices) program which allows organization to have their quality management system voluntary inspected by an Accredited Person, accessed 1 June 2009; http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/PostmarketRequirements/ThirdPartyInspection/default.htm

Discuss

About The Author

Richard A. Vincins’s picture

Richard A. Vincins

Richard A. Vincins is part of the Emergo Group as senior consultant responsible for quality assurance and regulatory affairs activities. In this role, he is responsible for the implementation of quality systems, conducting internal audits, and providing regulatory expertise in national and international regulations. He brings 19 years of experience in the medical industry, including worldwide regulatory compliance efforts for IVD, medical device, and pharmaceutical companies. His work experience at companies such as Medtronic and bioMerieux include establishing quality systems to ISO standards and CE marking of multiple product lines. Vincins is an ASQ-certified quality auditor and holds a regulatory affairs certification for U.S. regulations and European Union regulations through the Regulatory Affairs Professional Society.