Top Five Things Life Science Companies Need to Know about ISO and FDA Requirements

Compliance, quality, and serving the patient

Matthew M. Lowe

November 13, 2018

Life science companies play a major role in the global economy, with revenues expected to reach a staggering $1.5 trillion by 2020.1 Such a rosy forecast is likely to attract innovators and encourage current industry players to blaze new trails. Whether new or established, life science companies share a common need as a prerequisite to success: regulatory compliance.

A new medical product deemed unsafe or ineffective by regulators will never reach patients, no matter how innovative it is. Noncompliance can make or break a regulated company, especially if the violation leads to serious adverse events or a product recall.

Let’s focus on two critical factors that affect a large section of the life science industry: U.S. Food and Drug Administration (FDA) regulations and ISO international standards. The FDA is the regulatory gatekeeper to the lucrative American market, making it a crucial agency for most life science companies. Meanwhile, ISO standards have a far-reaching impact because they are applicable across regional and national jurisdictions.

Depending on the nature of a company’s product, an organization could be complying with FDA regulations and ISO standards at the same time. This is the case for medical device firms that comply with FDA regulations and ISO 13485:2016. They need FDA approval or clearance to sell their devices in the United States. To get a CE mark in Europe, they need ISO certification to demonstrate a compliant quality management system (QMS), plus compliance with the European Union’s device regulations.2

FDA regulations and ISO standards codify best practices that help ensure product quality and consumer safety.

Five things to remember
If your company is immersed in multiple regulations and standards, you might not see the forest for the trees. Here are five of the most important things you should keep in mind regardless of the regulatory phase you are in:

No. 1: Compliance means offering proof of compliance

It’s not enough that your organization is compliant; you must actually prove it through proper documentation. Both FDA regulations and ISO standards require that you establish documented procedures and follow them accordingly. Hence, the industry truism that goes, “If something is not documented, it doesn’t exist.”

Document control is key to compliant documentation and record keeping. It’s one of the most common reasons that companies get warning letters. A visit to the FDA website will show you that the agency cites many companies due to a lack of properly documented procedures, or failure to follow documented procedures, or failure to document that the company is following proper procedures.3

If your company has yet to make a switch from a legacy system to an electronic system, this is the best time to do it. Take advantage of a fully automated QMS to address FDA, ISO, and other document control requirements.

No. 2: Compliance is not synonymous with quality

FDA rules such as 21 CFR Part 211 (pharmaceuticals), 21 CFR Part 820 (medical devices) and quality standards such as ISO 13485:2016 and ISO 9001:2015 are meant to foster consistently high-quality products.

However, many companies are so focused on getting their medical products approved that they sometimes mistake compliance for quality. Compliance is not necessarily synonymous with quality. A company that has passed an audit could still be producing low-quality products.

The real burden of quality entails asking the tough question: Is this the best product you can make? Or are you simply marking the proverbial checklist to pass an inspection? In your compliance efforts, be sure your focus remains on achieving quality as the foundation of compliance and not the other way around.

Learn how digital compliance solutions can help you respond to new FDA and ISO regulations.

Get your free FDA/ISO Compliance toolkit now

No. 3: In a regulated environment, no man is an island

Collaboration among different teams is necessary for life science companies, but it’s difficult to overcome the silo mentality. It’s not uncommon for different teams (quality, clinical, regulatory, manufacturing, IT) to work amid undercurrents of antagonism.

Cross-functional collaboration can be especially challenging for companies that rely on unconnected manual processes or those with employees scattered in different cities or countries. In both instances, an integrated platform that connects stakeholders and provides a virtual collaboration space is crucial for an effective workflow.

No. 4: Validation is not a necessary evil but a quality safety net

In the FDA and ISO environments, software validation is required, though not everyone understands or appreciates it. Traditional validation is often lengthy and costly, so most people view it as a necessary evil.

Predicate FDA rules such as Part 820 and Part 211, as well as ISO 13485:2016, require validation to ensure that the software you are using is functioning as intended. The riskier and more complicated an automated system is, the more validation it requires. Validation serves as a quality safety net.

If your organization is struggling with validation or sacrificing a system update for fear of validation, remember that the FDA recommends the least burdensome approach. Most of all, make sure your validation is commensurate with your system’s complexity and the risk associated with its intended use.4 A risk-based validation conducted with the help of appropriate tools will lighten your burden considerably.

No. 5: The right technology can help you sustain compliance

We live in the digital age, but many life science companies still use outdated IT infrastructure. For example, “An infrastructure designed around an impermeable core may hamper external collaboration, an important element of open innovation in R&D,” according to a Deloitte report. “From a compliance perspective, outdated IT systems may stymie efforts to meet mandatory FDA GxP requirements for pharma manufacturing and product quality.”5

Regulatory bodies throughout the world are embracing technology, and they increasingly expect automation in compliance. In some cases, as with the electronic medical-device reporting (eMDR) and electronic common technical document (eCTD), the FDA has mandated the use of technology.6 The industry should anticipate more technology-facilitated standards and regulations.

Good manufacturing practices serve to protect patients and consumers.

Regulatory rationale

If you are in the trenches of regulatory compliance, it’s easy to see FDA regulations and ISO standards as a stumbling block. They could very well be unless you embrace their rationale.

First, remember that they exist for a good reason: They codify good manufacturing practices (GMP) that ensure medical product safety and quality. They serve to protect patients and consumers.

Second, let the numerous guidance documents and the latest tools and solutions help you in your compliance efforts. Following risk-based strategies and industry best practices, and leveraging the right technology will facilitate compliance for you and your organization. Last, if you keep the abovementioned tips in mind, you are more likely to see the forest for the trees.

1. “Global Life Sciences Outlook for 2018,” a report by Frost & Sullivan, a California-based business consulting firm that provides market research and analysis.
2. The EU’s new Medical Device Regulation will take full effect in May 2020. From “What the New European Med Device Regulation Means,” by Cindy Fazzi, June 27, 2017, GxP Lifeline.
3. To learn more about FDA Form 483 observations and warning letters, read these free white papers: “10 Most Common Reasons for FDA 483 Observations and Warning Letters (Medical Device”) and “10 Most Common Reasons for FDA 483 Inspectional Observations (Pharmaceutical Companies)”. Visit the FDA website for a list of warning letters by year.
4. From the FDA’s General Principles of Software Validation; Final Guidance for Industry and FDA Staff.
5. From Deloitte’s 2016 Global Life Sciences Outlook.
6. The FDA required device manufacturers and importers to submit mandatory reports of adverse events electronically, known as eMDR, in 2014. In 2015, the FDA finalized its guidance that required most eCTD submissions to be submitted electronically.

About The Author

Matthew M. Lowe’s picture

Matthew M. Lowe

Matt Lowe has served MasterControl for nearly two decades across several different executive leadership roles including product, engineering, sales, and marketing, and now will continue his tenure as chief strategy officer. In this role, Lowe brings vast institutional knowledge of the market, MasterControl’s products, and customers to identify growth strategies and expansion opportunities for the company. He also serves on the MasterControl board of directors.

Lowe is a medical device expert with experience in product development and product management at Ortho Development Corp. and Bard Access Systems, a subsidiary of Beckton Dickinson. Lowe has successfully launched more than a dozen medical devices and has five patents issued and one pending. His regulatory experience includes writing a 510(k) that was cleared by the U.S. Food and Drug Administration and managing a multisite, multiyear postmarket clinical study for orthopedic devices.

Lowe has a bachelor’s degree in mechanical engineering from the University of Utah, and an MBA from Indiana University.