It’s every medical device manufacturer's favorite time…
… the arrival of an FDA inspector or ISO auditor to your facility.
Sometimes you’re lucky enough to know ahead of time, other times, surprise! There they are sitting in your lobby ready to begin delving into your operations.
While there is always a little stress involved with an inspection or audit, it helps if you’re in an “always ready” state and know what to expect. With that being said, there are differences to know depending on if you’re looking at an FDA inspection or ISO audit.
The recent updates to ISO 13485:2016 did add some extra similarities in it to 21 CFR Part 820, but these are still quite distinct from each other. When it comes to auditing or inspections, there are different approaches and interpretations taken, depending on whether you’re looking at ISO or FDA.
Here are some defining ideas you should know:
FDA Inspection vs. ISO Audit
First of all, while it might seem like semantics, people often confuse the terminology that is used between FDA and ISO. FDA conducts an inspection whereas ISO conducts an audit. The two are planned and conducted differently and their conduits have different levels of authority. It does matter to know the difference.
So, let’s take a look:
The biggest difference is that FDA inspectors are badge-carrying members of a law enforcement agency. Their job is to ensure that the law is upheld and medical device companies are compliant. They can take enforcement action that could lead to jail time, fines and other legal ramifications.
Probably for this reason, an FDA inspection tends to feel a lot more tense than an ISO audit. They can inspect anyone who manufactures medical devices, while the definition of “manufacturer” is fairly broad. It covers companies who may play just one role in the whole manufacturing process, such as sterilization or repackaging.
Is your company subject to FDA inspection?
An ISO audit is more like a proxy. Historically, in Europe specifically, there were medical device directives rather than specific regulations. Registrars who conduct audits are a third-party representative of the European body. They don’t have the same kind of enforcement abilities as the FDA; in fact, you’re paying them to come and conduct an audit so that you can be ISO certified.
ISO 13485 is not in itself a regulation. It is a voluntary quality standard, which makes it a bit confusing. There are now medical device regulations in Europe that are similar to the FDA; however, there is no regulatory body that is like the FDA with enforcement abilities.
Directives define the criteria that need to be addressed and ISO 13485 is an adaptation of the criteria. The requirement for Europe is that you comply with medical device directives or regulations. If you become ISO 13485 certified, it’s a de-facto acknowledgement that you comply with the regulations. The ISO standard is largely derived from European regulations, which is why organizations get certified and monitored.
Who performs ISO audits?
There are organizations known as registrars and notified bodies. Some are able to certify a company to say it conform with ISO 13485. Those bodies go through a formal process to be accredited as auditors by the European body.
Health Canada has its own spin on 13485 with a couple of extra clauses thrown in. It also accredits registrars. There’s always an outside body confirming auditors.
Examples of firms that can do ISO audits include BSI (largest in the world), TUV, Dekra, SGS and NASI.
What about Canada?
A note about Canada. If you plan to sell most medical devices into Canada, ISO 13485 certification is required. And starting in 2018, Health Canada is making a MDSAP audit mandatory prior to selling into Canada.
(Any ISO audits prior to then must include CMDCAS.)
Any differences in preparing for an FDA inspection or ISO audit?
In either case, whether you’re looking at a FDA inspection or an ISO audit, having a well-prepared team is essential. Is all documentation organized and easy to find?
The differences between the two lie in the approach and focus. If we look at customer complaints or feedback as an example; ISO talks about feedback in a more general sense, although 13485:2016 talks more about complaint handling than previous versions. Overall, ISO is usually more broadly focused on all types of feedback, whereas FDA is more narrowly focused on having processes in place for complaints.
ISO expects you to solicit feedback good and bad, whereas FDA takes a more reactive approach, in that it’s about your complaints process specifically.
Your management review is another example. In the FDA world, you must demonstrate that you’re performing annual management reviews, but your minutes aren’t part of their purview. Usually you can show them a cover page with date and attendee’s signatures as evidence of your compliance. In an ISO world, auditors will look at management review minutes and they are mandated to do so.
Internal audits are a similar scenario. FDA just wants proof that you’re conducting audits while the ISO want to see the details. Note that if the FDA has cause because of other issues they find, they might want to go deeper into your management reviews and internal audits. “Dirty laundry” may be kept in these - they want to see that you’re taking action to improve.
Why the different approach? FDA prefers you to self-police and in my opinion, they’re not usually looking too hard at your internal audits and management reviews because they feel that you’ll do that self-policing job more effectively if they don’t. Plus, FDA puts a great deal of weight on effective CAPA management and other quality events, such as complaints and non-conformances.
ISO is concerned with knowing that you have effective internal processes, so they take a slightly different angle. They want to know more depth and detail.
You could look at it as a bottom-up (FDA inspector) vs. top-down (ISO registrar) approach. FDA might take an instance of a quality issue, such as a complaint, then work their way up through your system to zero in on any specific problems and assess your actions. The ISO registrar will look at your quality management system in entirety and look to address your processes before they look for any specific problems that have come up.
Announced vs. Unannounced?
The FDA doesn’t have to announce ever that it's coming. Until a couple of years ago, you always knew in advance about ISO audits; however, there was concern that companies noted the day on the calendar and changed their behaviors. There are now unannounced ISO audits, too. In summary, if you know about your inspection or audit ahead, you’re lucky!
How long do they take?
Your FDA inspector won’t tell you how long he or she will be there, but a good yard stick is to count on the overall inspection lasting at least 5 days. I’ve seen shorter or longer, depending on the extent of what they want to dive into.
ISO will depend on scope. A regular audit is 3-5 days. If you’re including certification for Canada it might be longer (add half to a full day). If you’re being audited from a notified body, say for CE marking, they will focus on technical files and will add a day or more depending on the number of files. ISO may come back ever 6 months for 12-24 months until it is comfortable that you’re grasping your QMS well.
In terms of how often FDA will come, a ballpark is that every two years you’ll have at least 5 days dedicated to an FDA inspection.
Another twist unfolding is the MDSAP (Medical Device Single Audit Program) currently being implemented. This may impact on how you need to prepare, although one of the premises is a promise to help reduce compliance cost for device makers by eliminating the need for multiple quality system audits and inspections. The current word on the street is it will be frustrating to shift over, but time will tell. We have a free on-demand webinar on understanding and preparing for MDSAP here.
Worth noting, if pursuing a MDSAP audit, sources have quoted this type of audit could take 9 business days.
The idea of an FDA inspection or ISO audit may seem daunting, especially if you’ve never been through them before, but it definitely helps if you and your team are prepared ahead of time.
It really comes down to good practices and having an efficient, reliable quality management system. If your processes are well-documented and being followed, you should have little to worry about.
If there’s one thing you can count on, it’s that at the very least, the FDA is coming to inspect you. Treat your company operations as though that visit could be on any day.
Still using a manual or paper-based approach to manage your design controls or quality processes? Click here to learn more about how Greenlight Guru's modern eQMS software platform exclusively for medical device companies is helping devicemakers all over the globe in more than 320 cities and 26 countries get safer products to market faster with less risk while ensuring regulatory compliance.