ISO 13485 for Device Manufacturers
ISO 13485 for FDA Device Manufacturers – New Quality System
ISO 13485 requirements will soon become obligatory for FDA medical device manufacturers.
On January 31, 2024, FDA issued a final rule amending the device current good manufacturing practice (CGMP) requirements of the Quality System (QS) Regulation under 21 CFR 820 to align more closely with the international consensus standard for Quality Management Systems for medical devices used by many regulatory authorities worldwide – ISO 13485:2016. You can see the final rule here.
The FDA has determined that the requirements of ISO 13485 are substantially similar to the requirements of the QS regulation, and therefore provide a similar level of assurance in a company’s quality management system and ability to consistently manufacture safe and effective devices.
Although similar to the 21 CFR 820 requirements, ISO 13485 introduces additional expectations. We hope to clarify these expectations in one of our next articles on the topic. If you need immediate assistance, don’t hesitate to contact us.
ISO 13485 for Device Manufacturers – Saving Time, Effort and Resources
This initiative is a major step forward and part of the FDA’s ongoing efforts to align its regulatory framework with other medical device regulatory authorities. Harmonizing the two quality systems is expected to eliminate the redundant effort manufacturers spend complying with both the QS regulation and ISO 13485 and maintaining two similar quality systems in parallel.
In practice, many companies have already integrated these two systems into one for efficiency. Among them are manufacturers that market their products in both the U.S. and the European Union (EU). These companies now have an easier job and need only maintain their current system.
In addition, the aligned requirements of the QS regulation and ISO 13485 are expected to reduce the burden on manufacturers when preparing documents and records for inspections and audits. Under the final rule, internal audits and management reviews can be conducted against a single aligned set of requirements instead of being performed separately for the previous QS regulation and for ISO 13485. Harmonization will also reduce industry training costs, since internal training can now cover one aligned set of requirements.
Opportunity for Expansion into EU and Other Markets
This rule may encourage U.S.-based manufacturers that were previously focused only on the domestic market to expand into the EU and other territories that require ISO 13485 for medical device registration. Israeli medical device regulation, for example, requires an ISO 13485 certificate for the manufacturer (manufacturing site) that applies for medical device registration in Israel via an Israel Registration Holder (IRH). Medical devices must also comply with the requirements of the new Medical Device Regulation (MDR) to be placed on the EU market.
Timelines for ISO 13485 Implementation – Start Now
Medical device manufacturers who already market their products in the U.S., or intend to do so, will have two years to upgrade their quality system to include the ISO 13485:2016 requirements. FDA will begin to enforce the QMSR requirements at the beginning of February 2026. From our experience, a two-year period is sufficient for medical device manufacturers of all sizes to implement the ISO 13485 requirements, even if they have no QS in place. It is sufficient, but not generous, so you had better start now!
Frequently Asked Questions
Question: A medical device manufacturer service provider wrote that a U.S.-based customer (a medical device manufacturer that markets medical devices in the EU) was audited by a Notified Body (NB). The NB told them their ISO 13485:2016 certificate was invalid because it had not been issued by an NB. The NB explained that non-NB parties are unaware of MDR quality issues and that it therefore does not accept such certificates. Is such a Notified Body approach correct?
Answer: No, such an NB approach is not correct. We have received similar complaints from our clients. NBs may have concerns about many things; however, such a concern does not give them the right to “invalidate” an ISO 13485 certificate issued by a non-NB accreditation body. If the NB suspects that the non-NB party that issued the ISO 13485 certificate is unaware of MDR-related quality aspects, it should check those aspects during its annual audit. After all, the manufacturer is expected to meet the MDR quality expectations and can summarize them, for example, in its Strategy for Regulatory Compliance procedure, which may also cover the control of its service providers.
Question: During the audit, our Notified Body (NB) reviewer asked to see CE certification (according to MDR Article 23) for a critical part included in our device. We do not agree with this position. Is our NB correct?
Answer: According to MDR Article 23 (Parts and components), only “An item that is intended specifically to replace a part or component of a device and that significantly changes the performance or safety characteristics or the intended purpose of the device shall be considered to be a device” and therefore needs to comply with the MDR.
This means that if a company repairs a device by replacing a part or component in a way that significantly changes the performance, safety characteristics or intended purpose of the device, that item/part/component will be considered a medical device and must be CE certified, and the entity that does so would be regarded as a legal entity in its own right under the MDR.
Question: Does a company need to designate a person or persons responsible for cybersecurity within the company?
Answer: According to IEC 81001-5-1:2021-12, Health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle (see clause 4.1.2), the company needs to designate a person (or personnel) responsible for cybersecurity, just as it does for other organizational roles. Likewise, the company should define and document all of its cybersecurity activities and processes.
Question: Does the personnel carrying out cybersecurity tasks need to have appropriate education, experience and/or training?
Answer: Certainly, as for all other job positions in the company. This is an ISO 13485 requirement (clause 6.2, Human Resources): “Personnel performing work affecting product quality shall be competent with appropriate education, training, skills, and experience. The organization shall document the process(es) for establishing competence, providing needed training, and ensuring awareness of personnel.”
Question: Must penetration testing laboratories (suppliers) be accredited?
Answer: The recommendation is to use accredited penetration testing laboratories where possible. The company is usually not required to audit these suppliers. Instead, as part of its criteria for the evaluation and selection of suppliers (per ISO 13485 clause 7.4.1), the company can use other means of rating the performance and ability of penetration-testing suppliers, such as reviews of their penetration test reports and supplier questionnaires.
BioReg Services
Don’t hesitate to contact us if you need any assistance with the ISO 13485 transition, CE EU-MDR certification or other quality and regulatory consulting tasks.
BioRegards,
Daniel