Understanding Your Most Important Obligations in ISO 13485:2016 and the US FDA QSR
Five Broad Topics Covered in the ISO Standard and FDA Regulation
We can’t cover all aspects of the ISO standard and 21 CFR Part 820 regulation in this post, so we will focus on five key areas:
- Document control
- Management responsibility
- Resource management
- Product realization
- Measurement, analysis, and improvement
Document Control
A QMS cannot function without solid document control. Section 4.2 and other specific sections of ISO 13485:2016 outline your obligations, and so do various subparts of the FDA QSR, as indicated below. There are several important documents you must maintain – this is only a partial list:
- Quality manual (ISO 13485:2016 section 4.2.2) – Provides an overall guide to your QMS and defines key information like the scope of your system. Your quality manual can serve as a guide to the system for an outside auditor. A quality manual is not required by FDA but is highly recommended to help summarize your QMS.
- Design history file (ISO 13485:2016 section 7.3.10, 21 CFR Part 820.30) – Covers the plans, requirements, design review records, and design verification results. You can think of this as the history of how you concocted the “recipe” for your device.
- Medical device file (ISO 13485:2016 section 4.2.3, 21 CFR Part 820.181) – Documents that demonstrate your conformity to the standard and regulation, including device description, labeling, IFU, intended use, specifications for manufacturing, storage, packaging, and much more. FDA calls this the device master record. This is the actual “recipe” for your device.
- Device history record (ISO 13485:2016 section 7.5.1, 21 CFR Part 820.184) – Requires you to maintain records of dates of manufacture, quantities manufactured, quantity released, lots, acceptance records, and more. This is your record of how you followed the “recipe” to produce your device.
Management Responsibility
You may have excellent control over your records, but without the full support of executive management your QMS will not be effective at maintaining product safety and promoting continuous improvement of your processes. You’ll notice that we used the word “executive.” FDA and the ISO standard are serious about this. FDA states in 820.12, “Management with executive responsibility shall establish its policy and objectives for, and commitment to, quality. Management with executive responsibility shall ensure that the quality policy is understood, implemented, and maintained at all levels of the organization.”
The primary difference between the QSR and ISO 13485 is that the standard emphasizes management responsibility in the context of meeting customer requirements in addition to regulatory requirements. The QSR is focused entirely on meeting requirements on design, manufacturing, distribution, and support of safe and effective medical devices. You will find the requirements for management responsibility in section 5 of ISO 13485:2016.
Resource Management
Section 6 of ISO 13485:2016 and subparts 820.20/25/70 deal with this topic, and touch on a variety of issues. Essentially, they require the company to identify the need for and to allocate qualified personnel, overall infrastructure, and work environment to ensure product safety. You also have an obligation to ensure the competency of your staff, which includes establishing formal competency and training procedures, maintaining records related to employee competency, and providing training as needed. Don’t take these requirements lightly. FDA often finds that failure to comply with these subparts of the regulation leads to other significant regulatory violations.
Product Realization
Section 7 of ISO 13485:2016 is really important, along with corresponding subparts of the FDA QSR. One of the more important areas covered here concerns your obligations to maintain design controls. While the objective of maintaining control over your product design (which includes software) is consistent between the ISO standard and the QSR, the standard applies to all medical devices whereas the QSR requires a design history file primarily for medium- and high-risk devices only.
Purchasing controls (21 CFR Part 820.50) are covered under product realization. This includes a requirement to document supplier controls, subcontractors, purchasing data, receiving, etc. The focus here is on ensuring that purchased product doesn’t have a negative effect on the quality of your medical device.
Section 7.1 specifically requires the use of risk management in product realization and references a related standard, ISO 14971:2012. If you are not already familiar with this standard, you’ll need to be. Risk management is hugely important and is critical to ensuring a safe and effective device. The new European Medical Device Regulation also places much more emphasis on this topic.
Section 7.5 of ISO 13485:2016 on production and service provision covers topics including the acceptance criteria for products and parts, contamination control, installation, product servicing, and even particular requirements for sterile medical devices – all of the activities that you actually perform to make or deliver your device. Read 21 CFR Parts 820.70, 820.80, 820.170, and 820.200 for specific information on FDA requirements for these areas.
The topic of process validation could be its own book, but at a high level, here’s what you need to know. Process validation is the process by which you establish objective evidence that a process consistently produces a result or product that meets predetermined specifications. Section 7.5.6 of the standard outlines the requirements along with 21 CFR Part 820.75. Validation requirements also apply to software you use throughout your processes.
Identification (section 7.5.8) and traceability (section 7.5.9) are also critical subsections of the standard and correlate with several sections of the QSR, including 820.60 and 820.65, respectively. The emphasis here is on making sure you know where your devices/components came from, how they were distributed, and where they are now. This issue has become far more important in the last five years. The US FDA has specific requirements for unique device identification (UDI). The European Union soon will have similar requirements for device tracking, information that will be added to the new EUDAMED database to be officially launched in 2020.
Measurement, Analysis, and Improvement
Of course, a quality management system would be worthless without an effective means of measuring its performance in meeting planned results.
Section 8 of ISO 13485:2016 covers this topic and outlines your responsibility to collect feedback on your QMS from various sources, properly handle customer complaints, conduct regular internal audits, deal with nonconforming products, analyze data, and establish an effective corrective and preventive action (CAPA) program. You’ll find several sections of the QSR that take on these issues.
Want to learn more about ISO 13485:2016 and FDA QSR?
Establishing a quality management system and understanding the differences between ISO 13485:2016 and the FDA Quality System Regulation can seem daunting. However, once you start to understand the principles behind the standard and the regulation, you will find plenty of overlap. Oriel STAT A MATRIX specializes in making sense of medical device quality system requirements and we have been doing it since 1968. If you need help with ISO 13485:2016 and/or FDA QSR compliance, our team is ready to assist. If you would like to really get up to speed on these two critical compliance requirements, consider our intensive 3-day class on QMS requirements for medical device companies.