So, you have a certificate hanging on your wall showing that you’ve passed an audit and conform with the standards of ISO 13485.
Congratulations! That must mean you’re ready for an FDA inspection, right?
This is an important topic to talk about because many companies have assumed that having the ISO certification means they shouldn’t have any problems being compliant with 21 CFR Part 820. Unfortunately, many find that this is not true. When they’re left sorting out 483 observations, and possibly even warning letters, as a result of an FDA inspection, they genuinely feel that they’ve done nothing to warrant the fuss - if ISO approves, why doesn’t the FDA?
Medical device companies need to have a fundamental understanding of this; what is the difference between standard conformity and regulatory compliance?
ISO 13485 vs. 21 CFR Part 820
First of all, it helps to understand one of the first key differences between ISO and FDA; ISO audits for conformity to a standard, whereas FDA inspects for compliance with regulations. The methodology of the ISO auditor is different to that of the FDA inspector and of course, while you voluntarily pay for ISO, FDA compliance is an expectation.
While an ISO auditor might find that you conform with a standard, that does not automatically mean you’ll be compliant with FDA regulations.
Voluntary standard vs. the law
For US-based medical device manufacturers, ISO 13485 is entirely voluntary, although it is generally accepted a defacto requirement if you want your device to go into markets such as the EU, Canada, and some other parts of the world. In the US, 21 CFR Part 820 is the law (CFR = Code of Federal Regulations). When an FDA inspector enters your premises, they carry a badge and have law enforcement authority, while an ISO auditor does not.
ISO 13485 put out a new version in 2016 and in many respects, parts of it were brought closer to FDA regulation. For example, the ISO standard takes a risk-based approach toward quality management systems, which is consistent with the interpretation and application of the FDA expectations. (Note: FDA doesn’t explicitly define risk-based requirements for QMS).
The FDA QSIT (Quality System Inspection Techniques) looks at four major subsystems; management controls, design controls, CAPA and production and process controls. Under the 2016 update, many ISO standards were brought closer into alignment with the regulations under these subsystems (for example, adding a specific clause pertaining to complaint handling); however, there are still differences in interpretation between the two. Conformity is not the same as compliance.
Consequences for noncompliance vs. nonconformance
This is where device manufacturers can really start seeing a difference. Let’s say you have an ISO audit and they find an issue, the usual procedure is to issue you with a finding on your audit report. If you get a Category 1 (Major) finding, then your registrar will require you to submit a corrective action plan within 30 calendar days. You’ll need to provide evidence of effectively closing the issue within 90 calendar days.
Most registrars will then return after that 90 days to verify the corrective action with a follow-up audit. The focus of that audit is solely on the issue that was raised. However, let’s say you get back to the registrar beyond the 90 days they require, there’s a good chance they’ll want to conduct a more thorough repeat audit and scrutinize your full QMS for any other systemic issues. Your ISO certification may be at risk.
Bottom line consequences through ISO: You lose your ISO certification and are unable to participate in global markets that require it.
Let’s flip to the same scenario under an FDA inspection. You undergo a comprehensive inspection following QSIT guidelines, under which the inspector documents a form 483 observation. On receiving it, you have 15 business days to respond in writing, including explaining your corrective actions and providing evidence that they are an appropriate response.
Once FDA has received your form 483 response, they make a recommendation as to any follow-up enforcement. Typically, this may include follow-up inspection, issuing a warning letter or some other type of enforcement. Expect to see the FDA back within 6 months, or sooner for very serious issues.
If you have received a warning letter, you need to comprehend the seriousness of it. A warning letter indicates that the FDA has determined you are in violation of the law and may consider further enforcement actions, including seizure, injunction, prosecution or civil penalties.
Bottom line consequences through the FDA: Your operation gets shut down, you face civil penalties or prosecution, including the possibility of prison time.
Preparing for audits and inspections
A key message is that it is your responsibility as the medical device manufacturer to know the differences between ISO and FDA to ensure that your company can meet them. Never assume that meeting one covers both.
As a first step, get familiar with the regulations. They’re available to download so there’s really no excuse or saying that you were unaware of them. We wrote an article outlining how to prepare for both FDA and ISO here, including a checklist available for download.
Here are some further tips to get prepared for audits and inspections:
1. Establish linkages
You’re always going to need to be FDA compliant, but if you’re going for ISO certification, you need to conform with ISO standards, too. While these are not exactly the same, many aspects do clearly overlap.
One thing you can do is establish clear linkages between the two, that is, the major FDA subsystems and the equivalent ISO clauses. Document everything and clearly demonstrate compliance.
2. Define roles and responsibilities
One thing to keep in mind is that FDA can turn up at any time, completely unannounced, whereas you will know when an ISO auditor is coming because you booked and paid for it. This means that realistically, on any given day your company should be prepared for inspection.
Having clearly defined roles and responsibilities is important for being prepared. Who is in charge of what and whose responsibility is it to ensure that everything is kept updated for inspection? It’s also helpful to have a clear process for what to do when you walk in and find an FDA inspector waiting at the reception desk. Everyone should know what their part will be, including things like preparing a room for them and getting the documentation they require.
3. Get experienced people
There can be a tendency among startups to try to DIY everything in order to save money, but we’d suggest that investing in some valuable experience to help you out will be worth every penny.
You need people with extensive knowledge and experience of the FDA and ISO so that you can ensure you’re pointed in the right direction. If you don’t have anyone on staff, consider hiring a qualified consultant to help you out. (Tip: The earlier you make this decision, the less likely it is that you’ll have to do any time-consuming rework).
Experienced consultants and/or team members can help you to ensure that you have correct systems and documentation in place. They can also help you to conduct internal audits so that you identify any issues early. Your internal audits, if conducted well, can be your best form of advance preparation.
The big takeaway here is that you shouldn’t be relying on your ISO certification as evidence that you’re prepared for an FDA inspection. While the two feature many similarities, they are different in their focus and application.
Know the rules and regulations well and don’t assume one will cover the other. Prepare well in advance to give your company a better chance at a positive result.
Still using a manual or paper-based approach to manage your design controls or quality processes? Click here to learn more about how Greenlight Guru's modern eQMS software platform exclusively for medical device companies is helping device makers all over the globe in more than 50 countries get safer products to market faster with less risk while ensuring regulatory compliance.