Regulatory Open Forum

It is clear that if there wasn't a connection to COVID, there was little movement and resources have been diverted to help with those directly related (IVD tests and masks are the most common thread to CDRH). However, I do believe there are people that will come back to this as we move forward. What is not clear is if they would actually make a certificate a requirement (I somewhat doubt this could be done), but rather if you don't have a ISO 13485 (assume MDSAP) certificate, you will now be on the FDA list (which would be shorter as they take off the ones that do have a certificate). This would have an effect to focus the FDA inspector resources on those that choose not to get a certificate. Since the QS Regulation is so close to ISO 13485 (see AAMI TIR 102), it is not too far for the inspectors to simply use that as the audit/inspection criteria requirements.

As for the comments on MDSAP, it surprises me that people still resist the MDSAP audit approach. I know the notified bodies have made this difficult by charging more and increasing auditor days (increasing cost of the audit as well), but this really is the best approach to auditing (it is ISO 13485:2016 with the applicable regulatory requirements specifically identified). You should also note the updated document (MDSAP audit approach) that replaced the two separate documents (audit model and companion document) in September of this year. Clearly there are still resources working on this and improving the audit approach.

In addition, I could foresee that both the EU (as their notified bodies are doing the MDSAP audits) and China likely recognizing the MDSAP approach in the (somewhat near) future. The prepared (best practice) would be to ensure you meet the MDSAP requirements to not get left behind.

Good day,

I was not going to comment on this thread, but MDSAP is not the end all - be all - of conducting audits as many people think.  First, I will comment that I am not a proponent of MDSAP because there are still many issues.  Now with that said, I think it could be a good programme, but there are many activities which still need to be greatly improved.  Yes, the cost of MDSAP audits is out of control; as stated above one was 1/3 the cost of the other - how can that be?  Until the 5 countries start putting in absolute cost structures with adjustment each year and more importantly metrics for Auditing Organisations.  How many companies have waited months even over a year for their certificate?  We need complete transparency and public metrics on performance of Auditing Organisations and to be held to those metrics.  If I do not get my audit report in 1 month and my certificate in <3 months, then as a company I can start deducing the fee I am paying.  And Julie you are absolutely correct about the last stakeholder meeting to say how great MDSAP is doing - why keep it on the low-down if everything is going so great?

The worst is the audit performance, how many of these audits are done just using the MDSAP Companion document as a checklist?  A lot.  Because I have seen them performed that way.  These are no where near how FDA performs inspections, so ISO 13845 (and basis of MDSAP) definitely can not replace 21 CFR 820.  Until there is consistent training provided where all Auditing Organisation auditors go through the same certified training just like FDA inspectors, PMDA inspectors, or the other regulatory inspectors do, then there will not be the proper auditing approach from a regulatory perspective.

Coming back to the original post about FDA accepting ISO 13485 certificates and revising 21 CFR 820 to reflect the use of ISO 13485, yes that will happen at some point.  21 CFR 820 is not going to go away, but it was envisioned by the original FDA publications where a further harmonisation would occur.  21 CFR 820 would read something like 820.30 - follow ISO 13485 section 7.3, except for a and b.  Using the ISO 13485 certificate as a way to "get off a list" is perfectly fine, but as a company I do not like how the audit finding is written, what can I do?  Wait until FDA shows up conducting a "for cause inspection" because of how they read or interpreted the meaning of the audit finding(s)?  I am not convinced the independence is fully there yet.  Yes, I will use ISO 13485 standard as a way to establish, implement, and maintain a good quality system.  Yes, I will use ISO 13485 certificate as a means to support other regulatory requirements.  Though I will let FDA put my company on a "to inspect" list because I would rather deal directly with FDA inspector knowing the inspection approach they are taking.

It is clear that if there wasn't a connection to COVID, there was little movement and resources have been diverted to help with those directly related (IVD tests and masks are the most common thread to CDRH). However, I do believe there are people that will come back to this as we move forward. What is not clear is if they would actually make a certificate a requirement (I somewhat doubt this could be done), but rather if you don't have a ISO 13485 (assume MDSAP) certificate, you will now be on the FDA list (which would be shorter as they take off the ones that do have a certificate). This would have an effect to focus the FDA inspector resources on those that choose not to get a certificate. Since the QS Regulation is so close to ISO 13485 (see AAMI TIR 102), it is not too far for the inspectors to simply use that as the audit/inspection criteria requirements.

As for the comments on MDSAP, it surprises me that people still resist the MDSAP audit approach. I know the notified bodies have made this difficult by charging more and increasing auditor days (increasing cost of the audit as well), but this really is the best approach to auditing (it is ISO 13485:2016 with the applicable regulatory requirements specifically identified). You should also note the updated document (MDSAP audit approach) that replaced the two separate documents (audit model and companion document) in September of this year. Clearly there are still resources working on this and improving the audit approach.

In addition, I could foresee that both the EU (as their notified bodies are doing the MDSAP audits) and China likely recognizing the MDSAP approach in the (somewhat near) future. The prepared (best practice) would be to ensure you meet the MDSAP requirements to not get left behind.

Thank you all for the insightful comments!

Good to know that the general consensus is that the FDA will not require 13485/MDSAP for establishment / device registrations in the near future.

Based on my experience with MDSAP, I agree with Richard that I would rather have the FDA at my site than go through MDSAP audits simply due to the prescriptive nature of the audit requirements - i.e. mandatory time on site, checklists, etc. At least the FDA can make a risk-based decision regarding the amount of time to spend during an inspection.

------------------------------
Joshua Lust
Director of Quality Assurance & Regulatory Affairs
Caledonia MI
United States

Original Message:
Sent: 21-Dec-2020 05:52
From: Richard Vincins
Subject: FDA & ISO 13485 MDSAP

Good day,

I was not going to comment on this thread, but MDSAP is not the end all - be all - of conducting audits as many people think.  First, I will comment that I am not a proponent of MDSAP because there are still many issues.  Now with that said, I think it could be a good programme, but there are many activities which still need to be greatly improved.  Yes, the cost of MDSAP audits is out of control; as stated above one was 1/3 the cost of the other - how can that be?  Until the 5 countries start putting in absolute cost structures with adjustment each year and more importantly metrics for Auditing Organisations.  How many companies have waited months even over a year for their certificate?  We need complete transparency and public metrics on performance of Auditing Organisations and to be held to those metrics.  If I do not get my audit report in 1 month and my certificate in <3 months, then as a company I can start deducing the fee I am paying.  And Julie you are absolutely correct about the last stakeholder meeting to say how great MDSAP is doing - why keep it on the low-down if everything is going so great?

The worst is the audit performance, how many of these audits are done just using the MDSAP Companion document as a checklist?  A lot.  Because I have seen them performed that way.  These are no where near how FDA performs inspections, so ISO 13845 (and basis of MDSAP) definitely can not replace 21 CFR 820.  Until there is consistent training provided where all Auditing Organisation auditors go through the same certified training just like FDA inspectors, PMDA inspectors, or the other regulatory inspectors do, then there will not be the proper auditing approach from a regulatory perspective.

Coming back to the original post about FDA accepting ISO 13485 certificates and revising 21 CFR 820 to reflect the use of ISO 13485, yes that will happen at some point.  21 CFR 820 is not going to go away, but it was envisioned by the original FDA publications where a further harmonisation would occur.  21 CFR 820 would read something like 820.30 - follow ISO 13485 section 7.3, except for a and b.  Using the ISO 13485 certificate as a way to "get off a list" is perfectly fine, but as a company I do not like how the audit finding is written, what can I do?  Wait until FDA shows up conducting a "for cause inspection" because of how they read or interpreted the meaning of the audit finding(s)?  I am not convinced the independence is fully there yet.  Yes, I will use ISO 13485 standard as a way to establish, implement, and maintain a good quality system.  Yes, I will use ISO 13485 certificate as a means to support other regulatory requirements.  Though I will let FDA put my company on a "to inspect" list because I would rather deal directly with FDA inspector knowing the inspection approach they are taking.

It is clear that if there wasn't a connection to COVID, there was little movement and resources have been diverted to help with those directly related (IVD tests and masks are the most common thread to CDRH). However, I do believe there are people that will come back to this as we move forward. What is not clear is if they would actually make a certificate a requirement (I somewhat doubt this could be done), but rather if you don't have a ISO 13485 (assume MDSAP) certificate, you will now be on the FDA list (which would be shorter as they take off the ones that do have a certificate). This would have an effect to focus the FDA inspector resources on those that choose not to get a certificate. Since the QS Regulation is so close to ISO 13485 (see AAMI TIR 102), it is not too far for the inspectors to simply use that as the audit/inspection criteria requirements.

As for the comments on MDSAP, it surprises me that people still resist the MDSAP audit approach. I know the notified bodies have made this difficult by charging more and increasing auditor days (increasing cost of the audit as well), but this really is the best approach to auditing (it is ISO 13485:2016 with the applicable regulatory requirements specifically identified). You should also note the updated document (MDSAP audit approach) that replaced the two separate documents (audit model and companion document) in September of this year. Clearly there are still resources working on this and improving the audit approach.

In addition, I could foresee that both the EU (as their notified bodies are doing the MDSAP audits) and China likely recognizing the MDSAP approach in the (somewhat near) future. The prepared (best practice) would be to ensure you meet the MDSAP requirements to not get left behind.

Having hosted multiple MDSAP audits and FDA inspections, MDSAP audits are much easier to get through with minimal observations. With MDSAP you know exactly what is going to be audited, whereas you have no clue if the FDA is going to inspect per QSIT or CAPA+1 and what threads they are going to follow during the inspection.

Thank you all for the insightful comments!

Good to know that the general consensus is that the FDA will not require 13485/MDSAP for establishment / device registrations in the near future.

Based on my experience with MDSAP, I agree with Richard that I would rather have the FDA at my site than go through MDSAP audits simply due to the prescriptive nature of the audit requirements - i.e. mandatory time on site, checklists, etc. At least the FDA can make a risk-based decision regarding the amount of time to spend during an inspection.

------------------------------
Joshua Lust
Director of Quality Assurance & Regulatory Affairs
Caledonia MI
United States

Original Message:
Sent: 21-Dec-2020 05:52
From: Richard Vincins
Subject: FDA & ISO 13485 MDSAP

Good day,

I was not going to comment on this thread, but MDSAP is not the end all - be all - of conducting audits as many people think.  First, I will comment that I am not a proponent of MDSAP because there are still many issues.  Now with that said, I think it could be a good programme, but there are many activities which still need to be greatly improved.  Yes, the cost of MDSAP audits is out of control; as stated above one was 1/3 the cost of the other - how can that be?  Until the 5 countries start putting in absolute cost structures with adjustment each year and more importantly metrics for Auditing Organisations.  How many companies have waited months even over a year for their certificate?  We need complete transparency and public metrics on performance of Auditing Organisations and to be held to those metrics.  If I do not get my audit report in 1 month and my certificate in <3 months, then as a company I can start deducing the fee I am paying.  And Julie you are absolutely correct about the last stakeholder meeting to say how great MDSAP is doing - why keep it on the low-down if everything is going so great?

The worst is the audit performance, how many of these audits are done just using the MDSAP Companion document as a checklist?  A lot.  Because I have seen them performed that way.  These are no where near how FDA performs inspections, so ISO 13845 (and basis of MDSAP) definitely can not replace 21 CFR 820.  Until there is consistent training provided where all Auditing Organisation auditors go through the same certified training just like FDA inspectors, PMDA inspectors, or the other regulatory inspectors do, then there will not be the proper auditing approach from a regulatory perspective.

Coming back to the original post about FDA accepting ISO 13485 certificates and revising 21 CFR 820 to reflect the use of ISO 13485, yes that will happen at some point.  21 CFR 820 is not going to go away, but it was envisioned by the original FDA publications where a further harmonisation would occur.  21 CFR 820 would read something like 820.30 - follow ISO 13485 section 7.3, except for a and b.  Using the ISO 13485 certificate as a way to "get off a list" is perfectly fine, but as a company I do not like how the audit finding is written, what can I do?  Wait until FDA shows up conducting a "for cause inspection" because of how they read or interpreted the meaning of the audit finding(s)?  I am not convinced the independence is fully there yet.  Yes, I will use ISO 13485 standard as a way to establish, implement, and maintain a good quality system.  Yes, I will use ISO 13485 certificate as a means to support other regulatory requirements.  Though I will let FDA put my company on a "to inspect" list because I would rather deal directly with FDA inspector knowing the inspection approach they are taking.

It is clear that if there wasn't a connection to COVID, there was little movement and resources have been diverted to help with those directly related (IVD tests and masks are the most common thread to CDRH). However, I do believe there are people that will come back to this as we move forward. What is not clear is if they would actually make a certificate a requirement (I somewhat doubt this could be done), but rather if you don't have a ISO 13485 (assume MDSAP) certificate, you will now be on the FDA list (which would be shorter as they take off the ones that do have a certificate). This would have an effect to focus the FDA inspector resources on those that choose not to get a certificate. Since the QS Regulation is so close to ISO 13485 (see AAMI TIR 102), it is not too far for the inspectors to simply use that as the audit/inspection criteria requirements.

As for the comments on MDSAP, it surprises me that people still resist the MDSAP audit approach. I know the notified bodies have made this difficult by charging more and increasing auditor days (increasing cost of the audit as well), but this really is the best approach to auditing (it is ISO 13485:2016 with the applicable regulatory requirements specifically identified). You should also note the updated document (MDSAP audit approach) that replaced the two separate documents (audit model and companion document) in September of this year. Clearly there are still resources working on this and improving the audit approach.

In addition, I could foresee that both the EU (as their notified bodies are doing the MDSAP audits) and China likely recognizing the MDSAP approach in the (somewhat near) future. The prepared (best practice) would be to ensure you meet the MDSAP requirements to not get left behind.

Having hosted multiple MDSAP audits and FDA inspections, MDSAP audits are much easier to get through with minimal observations. With MDSAP you know exactly what is going to be audited, whereas you have no clue if the FDA is going to inspect per QSIT or CAPA+1 and what threads they are going to follow during the inspection.

Thank you all for the insightful comments!

Good to know that the general consensus is that the FDA will not require 13485/MDSAP for establishment / device registrations in the near future.

Based on my experience with MDSAP, I agree with Richard that I would rather have the FDA at my site than go through MDSAP audits simply due to the prescriptive nature of the audit requirements - i.e. mandatory time on site, checklists, etc. At least the FDA can make a risk-based decision regarding the amount of time to spend during an inspection.

------------------------------
Joshua Lust
Director of Quality Assurance & Regulatory Affairs
Caledonia MI
United States

Original Message:
Sent: 21-Dec-2020 05:52
From: Richard Vincins
Subject: FDA & ISO 13485 MDSAP

Good day,

I was not going to comment on this thread, but MDSAP is not the end all - be all - of conducting audits as many people think.  First, I will comment that I am not a proponent of MDSAP because there are still many issues.  Now with that said, I think it could be a good programme, but there are many activities which still need to be greatly improved.  Yes, the cost of MDSAP audits is out of control; as stated above one was 1/3 the cost of the other - how can that be?  Until the 5 countries start putting in absolute cost structures with adjustment each year and more importantly metrics for Auditing Organisations.  How many companies have waited months even over a year for their certificate?  We need complete transparency and public metrics on performance of Auditing Organisations and to be held to those metrics.  If I do not get my audit report in 1 month and my certificate in <3 months, then as a company I can start deducing the fee I am paying.  And Julie you are absolutely correct about the last stakeholder meeting to say how great MDSAP is doing - why keep it on the low-down if everything is going so great?

The worst is the audit performance, how many of these audits are done just using the MDSAP Companion document as a checklist?  A lot.  Because I have seen them performed that way.  These are no where near how FDA performs inspections, so ISO 13845 (and basis of MDSAP) definitely can not replace 21 CFR 820.  Until there is consistent training provided where all Auditing Organisation auditors go through the same certified training just like FDA inspectors, PMDA inspectors, or the other regulatory inspectors do, then there will not be the proper auditing approach from a regulatory perspective.

Coming back to the original post about FDA accepting ISO 13485 certificates and revising 21 CFR 820 to reflect the use of ISO 13485, yes that will happen at some point.  21 CFR 820 is not going to go away, but it was envisioned by the original FDA publications where a further harmonisation would occur.  21 CFR 820 would read something like 820.30 - follow ISO 13485 section 7.3, except for a and b.  Using the ISO 13485 certificate as a way to "get off a list" is perfectly fine, but as a company I do not like how the audit finding is written, what can I do?  Wait until FDA shows up conducting a "for cause inspection" because of how they read or interpreted the meaning of the audit finding(s)?  I am not convinced the independence is fully there yet.  Yes, I will use ISO 13485 standard as a way to establish, implement, and maintain a good quality system.  Yes, I will use ISO 13485 certificate as a means to support other regulatory requirements.  Though I will let FDA put my company on a "to inspect" list because I would rather deal directly with FDA inspector knowing the inspection approach they are taking.

It is clear that if there wasn't a connection to COVID, there was little movement and resources have been diverted to help with those directly related (IVD tests and masks are the most common thread to CDRH). However, I do believe there are people that will come back to this as we move forward. What is not clear is if they would actually make a certificate a requirement (I somewhat doubt this could be done), but rather if you don't have a ISO 13485 (assume MDSAP) certificate, you will now be on the FDA list (which would be shorter as they take off the ones that do have a certificate). This would have an effect to focus the FDA inspector resources on those that choose not to get a certificate. Since the QS Regulation is so close to ISO 13485 (see AAMI TIR 102), it is not too far for the inspectors to simply use that as the audit/inspection criteria requirements.

As for the comments on MDSAP, it surprises me that people still resist the MDSAP audit approach. I know the notified bodies have made this difficult by charging more and increasing auditor days (increasing cost of the audit as well), but this really is the best approach to auditing (it is ISO 13485:2016 with the applicable regulatory requirements specifically identified). You should also note the updated document (MDSAP audit approach) that replaced the two separate documents (audit model and companion document) in September of this year. Clearly there are still resources working on this and improving the audit approach.

In addition, I could foresee that both the EU (as their notified bodies are doing the MDSAP audits) and China likely recognizing the MDSAP approach in the (somewhat near) future. The prepared (best practice) would be to ensure you meet the MDSAP requirements to not get left behind.