Hello Corey,
This is a conundrum which there has been many discussion and would dare say philosophical debate as well. I will keep this short because could definitely write a dissertation about this topic. There are two basic fundamentals concerning this which are ISO 13485 is a quality system standard and medical device manufacturers make medical devices which need to be safe and perform no matter where in the world they are sold. ISO 13485 standard title gives it away which is 'for regulatory purposes', but what does this actually mean? The 2016 version is riddled now with the, '... applicable regulatory requirements,' because it has been aligned to MDSAP, EU MDR, Part 820, MOH 169, and others. Then the fact remains the companies we work for, companies we support, and the products which are made are medical devices.
For the auditing this can be further debated as there needs to be more/better training in auditing which does not happen today. Because of the shortage of resources, there are insufficiently qualified individuals performing audits. Corey, I completely understand your point about being ISO 13485 certified, but what does that have to do with Malaysian or South Korean regulations? Can an auditor audit those requirements? First the issue is many auditors as mentioned are not properly qualified. What I have seen is questions asked about specific regulatory requirements which they get off a checklist having no idea about the background or read off a blog/white paper somewhere. However, these requirements can apply when you look from a quality system perspective such as processes regarding distribution, complaint handling, labelling, etc. Could there be valid questions for Taiwan or China? Yes, if a company distributes medical devices there. During a ISO 13485 audit questions regarding manufacturing, packaging, distribution, management review, post market, etc., can questions pertaining to the quality system processes. Now how this relates to regulatory requirements would then be specific to the country - going back to auditing would need to fully understand those regulatory requirements.
------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs
------------------------------
Original Message:
Sent: 02-Mar-2022 19:46
From: Corey Jaseph
Subject: ISO 13485:2016 and MDR certification but not MDSAP
Hi Kevin,
Thanks for your response. Now I'm thinking a little deeper about this.
Many jurisdictions have their own quality requirements and don't call out ISO 13485:2016 as being their QMS. So if you don't need your Notified Body to certify your non-EU quality management system, and the countries in question don't require ISO 13485:2016 certification, having the EU/ISO 13485:2016 Notified Body require that you comply with it for these geographies that don't require 13485 and getting a finding on seems...excessive.
So I guess I'm still not quite getting how an auditing body can require you follow ISO 13485 requirements for a jurisdiction that doesn't require, or follow, ISO 13485.
Anyway, thanks for engaging me on this as I think it through.
Regards,
------------------------------
Corey Jaseph RAC
Senior Research Analyst
Wheatland CA
United States
Original Message:
Sent: 02-Mar-2022 17:00
From: Kevin Randall
Subject: ISO 13485:2016 and MDR certification but not MDSAP
Though I've never seen it done, I would be curious to know what would be the ISO Registrar's willingness to limit the scope of the ISO 13485 certificate to just a certain jurisdiction(s). Such a scope limitation doesn't clearly conflict with the Registrar's governing ISO 17021-1 which provides for up front agreement about the targeted scope.
Aside from such a scope limitation, ISO 13485 and EN ISO 13485 as amended both contain general requirements for compliance with applicable regulatory requirements. That generally means all applicable jurisdictions even if the recertification happens to be getting done in logistical association with an EU MDR certification audit. When an EU MDR certification is paired with an EN ISO 13485 certification, the EN ISO 13485 certification is merely a convenient / logistical option for showing conformity with the EU MDR's Article 10(9) quality management system requirements. Yet such a 13485 certification is generally not limited to the European jurisdiction; indeed, 13485 intrinsically applies to all applicable regulatory jurisdictions. For example, over the years I've repeatedly gotten EN ISO 13485 certifications that I then used for other non-EU jurisdictions. Consequently, if the requirements of all applicable jurisdictions are not met and if the scope of the certificate is jurisdictionally unlimited, then there is certainly a possibility of receiving a 13485 nonconformance unrelated to the European jurisdiction even if 13485 is being used to fulfill the EU MDR.
------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 02-Mar-2022 15:06
From: Corey Jaseph
Subject: ISO 13485:2016 and MDR certification but not MDSAP
I'm going to ask what is maybe an ignorant question.
MDSAP audits include focus on specific regulatory requirements for the MDSAP geographies into which a company might distribute and is based on ISO 13485:2016 as the QMS.
ISO 13485:2016 also makes mention of country-specific regulatory requirements or at least "applicable regulatory requirements." (4.1.1)
That said, if a manufacturer were being audited for MDR certification and ISO 13485:2016 recertification, but the manufacturer does not have MDSAP certification:
Would the auditor be able to issue findings on inadequacies of regulatory processes in, say, Taiwan and China, or even US (manufacturer sells there)?
My thoughts were those geographies are out of scope of the QMS and MDR, but given the mention in 2016 of country-specific regulatory requirements, I became uncertain. MDSAP collided with ISO 13485:2016, so I'm not sure I've separated them correctly.
Thanks for helping me gain a better understanding.
------------------------------
Corey Jaseph RAC
Senior Research Analyst
Wheatland CA
United States
------------------------------