Regulatory Open Forum

 View Only
Reg Intel Conference 2024
Back to discussions
Expand all | Collapse all

ISO 13485:2016 and MDR certification but not MDSAP

  • 1.  ISO 13485:2016 and MDR certification but not MDSAP

    Posted 02-Mar-2022 15:06
    I'm going to ask what is maybe an ignorant question.

    MDSAP audits include focus on specific regulatory requirements for the MDSAP geographies into which a company might distribute and is based on ISO 13485:2016 as the QMS.

    ISO 13485:2016 also makes mention of country-specific regulatory requirements or at least "applicable regulatory requirements." (4.1.1)

    That said, if a manufacturer were being audited for MDR certification and ISO 13485:2016 recertification, but the manufacturer does not have MDSAP certification:

    Would the auditor be able to issue findings on inadequacies of regulatory processes in, say, Taiwan and China, or even US (manufacturer sells there)?

    My thoughts were those geographies are out of scope of the QMS and MDR, but given the mention in 2016 of country-specific regulatory requirements, I became uncertain. MDSAP collided with ISO 13485:2016, so I'm not sure I've separated them correctly.

    Thanks for helping me gain a better understanding.

    ------------------------------
    Corey Jaseph RAC
    Senior Research Analyst
    Wheatland CA
    United States
    ------------------------------


  • 2.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 02-Mar-2022 15:35

    I'm not clear on who the third-party auditor is, but I infer it is not from an MDSAP AO.

    There are three possibilities.

    In the first, the third-party auditor is an EU Notified Body, the scope includes both EU-MDR and ISO 13485:2016, and, after a successful audit, issues an ISO 13485:2016 certificate and an EU-MDR QMS certificate.

    In the second, there is an EU NB audit with a scope that covers the EU-MDR only and, after a successful audit, issues an EU QMS certificate.

    In the third there is a third-party audit with a scope that covers ISO 13485:2016 only and, after a successful audit, issues an ISO 13485:2016 certificate.

    In any case, the ISO 13485:2016 audit covers the manufacturer's compliance with applicable regulatory requirements. This means the manufacturer should know the regulatory regions served, the manufacturer's role in each regulatory region, and the regulatory requirements for each role. In addition, Top Management communicates the importance of meeting the regulatory requirements (5.1.a) and establishes quality objectives including those needed to meet applicable regulatory requirements (5.4.1).

    The ISO 13485:2016 auditor should issue non-conformances on inadequacies of regulatory processes for Taiwan, China, the US, the EU, etc. because these are regulatory regions the manufacturer serves.



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------

    Original Message


  • 3.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 02-Mar-2022 16:21
    Thanks, Dan. In the past, we had been able to gently steer auditors away from non-MDSAP, non-EU countries, but I see where ISO 13485:2016 might let them in. (Generally, we tried to get a single auditor for EU, MDD/MDR, MDSAP, and ISO 13485:2016. You know, the holy grail.)


    ------------------------------
    Corey Jaseph RAC
    Senior Research Analyst
    Wheatland CA
    United States
    ------------------------------

    Original Message


  • 4.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 02-Mar-2022 17:00
    Though I've never seen it done, I would be curious to know what would be the ISO Registrar's willingness to limit the scope of the ISO 13485 certificate to just a certain jurisdiction(s).  Such a scope limitation doesn't clearly conflict with the Registrar's governing ISO 17021-1 which provides for up front agreement about the targeted scope.

    Aside from such a scope limitation, ISO 13485 and EN ISO 13485 as amended both contain general requirements for compliance with applicable regulatory requirements.  That generally means all applicable jurisdictions even if the recertification happens to be getting done in logistical association with an EU MDR certification audit.  When an EU MDR certification is paired with an EN ISO 13485 certification, the EN ISO 13485 certification is merely a convenient / logistical option for showing conformity with the EU MDR's Article 10(9) quality management system requirements.  Yet such a 13485 certification is generally not limited to the European jurisdiction; indeed, 13485 intrinsically applies to all applicable regulatory jurisdictions.  For example, over the years I've repeatedly gotten EN ISO 13485 certifications that I then used for other non-EU jurisdictions.  Consequently, if the requirements of all applicable jurisdictions are not met and if the scope of the certificate is jurisdictionally unlimited, then there is certainly a possibility of receiving a 13485 nonconformance unrelated to the European jurisdiction even if 13485 is being used to fulfill the EU MDR.

    ------------------------------
    Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
    Principal Consultant
    Ridgway, CO
    United States
    © Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


  • 5.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 02-Mar-2022 19:47
    Edited by Corey Jaseph 02-Mar-2022 19:50

    Hi Kevin,

    Thanks for your response. Now I'm thinking a little deeper about this.

    Many jurisdictions have their own quality requirements and don't call out ISO 13485:2016 as being their QMS. So if you don't need your Notified Body to certify  your non-EU quality management system, and the countries in question don't require ISO 13485:2016 certification, having the EU/ISO 13485:2016 Notified Body require that you comply with it for these geographies that don't require 13485 and getting a finding on  seems...excessive.

    So I guess I'm still not quite getting how an auditing body can require you follow ISO 13485 requirements for a jurisdiction that doesn't require, or follow, ISO 13485.

    Anyway, thanks for engaging me on this as I think it through.

    Regards,



    ------------------------------
    Corey Jaseph RAC
    Senior Research Analyst
    Wheatland CA
    United States
    ------------------------------

    Original Message


  • 6.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 07:07
    Hello Corey,

    This is a conundrum which there has been many discussion and would dare say philosophical debate as well.  I will keep this short because could definitely write a dissertation about this topic.  There are two basic fundamentals concerning this which are ISO 13485 is a quality system standard and medical device manufacturers make medical devices which need to be safe and perform no matter where in the world they are sold.  ISO 13485 standard title gives it away which is 'for regulatory purposes', but what does this actually mean?  The 2016 version is riddled now with the, '... applicable regulatory requirements,' because it has been aligned to MDSAP, EU MDR, Part 820, MOH 169, and others.  Then the fact remains the companies we work for, companies we support, and the products which are made are medical devices.

    For the auditing this can be further debated as there needs to be more/better training in auditing which does not happen today.  Because of the shortage of resources, there are insufficiently qualified individuals performing audits.  Corey, I completely understand your point about being ISO 13485 certified, but what does that have to do with Malaysian or South Korean regulations?  Can an auditor audit those requirements?  First the issue is many auditors as mentioned are not properly qualified.  What I have seen is questions asked about specific regulatory requirements which they get off a checklist having no idea about the background or read off a blog/white paper somewhere.  However, these requirements can apply when you look from a quality system perspective such as processes regarding distribution, complaint handling, labelling, etc.  Could there be valid questions for Taiwan or China?  Yes, if a company distributes medical devices there.  During a ISO 13485 audit questions regarding manufacturing, packaging, distribution, management review, post market, etc., can questions pertaining to the quality system processes.  Now how this relates to regulatory requirements would then be specific to the country - going back to auditing would need to fully understand those regulatory requirements.

    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    ------------------------------

    Original Message


  • 7.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 11:22
    I look forward to your dissertation. :)

    ------------------------------
    Corey Jaseph RAC
    Senior Research Analyst
    Wheatland CA
    United States
    ------------------------------

    Original Message


  • 8.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 08:30
    Hi Corey

    So, in countries where I have created marketing submissions,  the regs may or may not call out ISO 13485:2016, BUT guidance often does, and when you do submit, the expectation is to file a copy of your ISO cert.

    Can't get away from it.   And remember there are many MDSAP observer countries, even if only 5 are accepting it now (US, Canada, Australia, Brazil, Japan).

    Good luck.   In the time an auditor has to review records in this area, sometimes they can't,  they run out of time during the audit.   I personally like to go there and poke the bear when I do a third party internal audit to see if the company realizes the potential awful scope of that wording " all relevant regulatory requirements " ( but I do it in a friendly way).



    ------------------------------
    Ginger Cantor, MBA, RAC
    Founder/Principal Consultant
    Centaur Consulting LLC
    River Falls, Wisconsin 54022 USA
    715-307-1850
    centaurconsultingllc@gmail.com
    ------------------------------

    Original Message


  • 9.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 09:19
    Corey,

    I think it is more subtle than that. If your jurisdictions don't require ISO 13485, the NB should not cite you for "13485 issues" related to those jurisdictions. But what they CAN look for (at least if the ISO cert is not restricted in some way) would be that you have documentation regarding what the requirements ARE in those geographies, and also some documentation showing how you meet them - so for instance, if they have registration requirements you have a dossier or certificate or something. And if they have recall requirements you include them in your recall SOP. They should not call out something that is in 13485 that does not apply in that jurisdiction.

    As a practical matter, NBs have limited audit time and key geographies that they do have to verify that you meet requirements if you are doing a "combined" audit. Thus, generally if you simply can show that you know what the requirements in other geographies are and you have some system for showing you meet them and don't sell products that don't meet them there, they probably are not going to dive into great detail about those geographies.

    Ginger

    ------------------------------
    Ginger Glaser RAC
    Chief Technology Officer
    MN
    ------------------------------

    Original Message


  • 10.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 11:20
    I appreciate all the replies on this threat - thank you for sharing your experience and expertise.

    It just seems strange that a party you engage to audit for particular regions because it's required would audit for other regions that you didn't engage them for and which regions may not even recognize that auditing body, quality system or auditing technique.

    But I get that 13485:2016 opened that can of worms, obviously to converge on a single QMS system, which I support. Still, we aren't at a place where we have a single audit and QMS yet.

    Anyway, I appreciate all the input in helping me understand where the edges are. :)

    ------------------------------
    Corey Jaseph RAC
    Senior Research Analyst
    Wheatland CA
    United States
    ------------------------------

    Original Message


  • 11.  RE: ISO 13485:2016 and MDR certification but not MDSAP

    Posted 03-Mar-2022 14:29
    Hey Corey.  Neither ISO 13485 nor EN ISO 13485 is required at all for EU MDR conformity; those standards are merely options that can be applied for showing such conformity.  That general concept has been discussed before quite a bit here in the Forum.  If you have a Notified Body demanding ISO 13485 or EN ISO 13485 as a condition for conformity with the EU MDR, then such a Notified Body is operating outside the permitted legislative boundaries of the EU MDR...

    ------------------------------
    Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
    Principal Consultant
    Ridgway, CO
    United States
    © Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


Related Content