Featured Product
This Week in Quality Digest Live
Health Care Features
Jón Bergsteinsson
Understanding the standard is essential
Rob Moorey
Efficient processes and technology are key
Stephanie Ojeda
The FDA’s new QMSR will harmonize with ISO 13485 for medical device quality management
Steve Thompson
An excellent technological tool that improves quality and compliance
Delivering quality to the health industry

More Features

Health Care News
Study of intelligent noise reduction in pediatric study
Streamlines annual regulatory review for life sciences
The company is also facilitating donations to the cause
Mass spectromic analysis from iotaSciences
Showcasing the latest in digital transformation for validation professionals in life sciences
An expansion of its medical-device cybersecurity solution as independent services to all health systems
Purchase combines goals and complementary capabilities
Better compliance, outbreak forecasting, and prediction of pathogens such as listeria or salmonella
Links ZEISS research and capabilities in automated, high-resolution 3D imaging and analysis

More News

Grant Ramaley

Health Care

It’s Time for the FDA to Fully Embrace ISO 13485

FDA seeks to align Part 820 with ISO 13485:2016; why that may not be enough.

Published: Tuesday, August 16, 2022 - 11:03

The FDA Quality System Regulation (QSR) 21 CFR Part 820 was written in 1997 to harmonize with ISO 13485:1996. The goal was to relieve some of the burden of manufacturers having to meet two different criteria, the FDA’s and ISO 13485.

But by 2003, ISO 13485 had changed so significantly that the FDA QSR was no longer aligned. Now the FDA wants to update the QSR to align it with ISO 13485:2016. But will that solve the problem? Can the FDA and industry use the new QSR in a cooperative way?

Why the FDA needs to cooperate better with industry

A 2008 U.S. Government Accountability Office (GAO) report indicated that foreign manufacturers see an FDA inspector about once every 26 years, unless they make high-risk devices. Overseas high-risk device makers are visited perhaps once every six years. These numbers haven’t significantly changed. A review of foreign inspections saw a bump in 2012, but a small bump—not one that would satisfy the mandate to audit all manufacturers, worldwide, every two years.

The issue is manpower: To say the FDA has “capacity issues” and is unable to meet its congressional mandate to inspect every two years is an enduring and extreme understatement.

The FDA has tried four different third-party programs since 1998 to solve this inspection deficiency. The latest and perhaps most successful is its Medical Device Single Audit (MDSAP) program. MDSAP is viewed as a single audit covering the United States, Canada, Brazil, Australia, and Japan. The intent was to establish one medical-device certification that would be accepted by multiple countries, thus cutting down on the number of inspections the FDA would have to perform. Despite that goal, most companies continue to turn a blind eye to the voluntary program, especially if they are smaller or don’t border Canada.

MDSAP: a good but scary idea

Why do so few medical-device companies support FDA third-party programs like MDSAP? There are a couple of reasons.

Canada alone requires it

Most manufacturers don’t sell enough products to Canada to justify the $50,000 cost of getting an MDSAP audit. Because 80 percent to 90 percent of the medical device industry are small companies and aren’t near Canada, MDSAP has limited value as a Canada-only requirement. The U.S. industry, which is mostly small manufacturers, would push back on any congressional move to make industry pay for what has been a free FDA inspection that is rarely visited.

Fear of the FDA

From an industry standpoint, companies fear giving any support to any FDA program, such as MDSAP, that puts information about their quality system into the FDA’s hands. The FDA can shut these companies’ doors and issue warning letters. Stocks do tumble. The consent decrees that the FDA issues can scuttle plans to sell new products. These are deal breakers that drive industry away from the FDA. In particular, FDA warning letters are public and indicate the company’s products are bad—even when they aren’t.

That said, very large companies have endorsed every third-party program the FDA has ever created while smaller companies never do.

Some of the largest companies have indicated that they get inspected by FDA investigators as often as every six months. So, accepting the risk that an MDSAP audit could go badly, only once a year is attractive.

Smaller companies, especially those overseas, wade into their quality system compliance using ISO 13485. These companies rarely see FDA investigators and are unfamiliar with the QSR Parts 803, Part 806, and Part 820, which are where all of the FDA warning letters are triggered. Thus, staying away from once-a-year, third-party audit systems such as MDSAP, the results of which are reported to the FDA, in favor of once-probably-never inspections from the FDA is a no-brainer for small companies.

Behind these opposing stances is one common view: It’s best to not be inspected by the FDA or have your audit data reported to the FDA. Fear is what keeps industry away from FDA programs or attracts large companies to use non-FDA inspectors hired at the steep prices that MDSAP demands.

In short, industry universally dreads FDA inspections because of the risk to business if something goes awry.

The FDA should accept ISO 13485 certificates

There’s an old Chinese proverb: “Heaven is high and the Emperor far away.” What’s even farther from the Emperor? The FDA. The FDA has cleared more devices from China in recent years than any other country, even though the FDA can’t conduct inspections there, or anywhere else for that matter, to close the gap mandated by Congress. This is important because it means the FDA is clearing those devices based on a company’s word alone.

The same is true of inspections around the world, or even here in the United States. The FDA is trusting that companies’ products are safe unless a red flag goes up. If you’re going to trust a company, wouldn’t it be better to trust a company that holds a certificate that’s recognized around the world and already aligns with FDA requirements?

There are no fewer than 600 activities that are part of the requirements that make up the current good manufacturing practices (cGMP) of Part 820. The same goes for ISO 13485:2016. So the FDA’s move to align with it makes good sense. But that alone is not the holy grail that industry and the FDA need from one another.

The FDA must entirely scrap the idea of promoting a third-party system of its own design. A tried-and-true, third-party system already exists: ISO 13485. The standard penetrates every nation and is backed by three tiers of accountability that now underwrite ISO 13485 certification worldwide; it even aligns with the European Regulations on Accreditation.

These ISO 13485 certificates are issued for a three-year period, with mandatory surveillance audits conducted annually. These certificates have been issued in more countries than most people can name, with the United States already holding 4,886 of them. Companies in China, India, Latin America, the Middle East, and nearly every country in Europe hold ISO 13485 certs that support medical devices used on U.S. patients. Most of those countries have accreditation bodies that assess the certification bodies. Most of these regions have more than enough capacity, as well as the ability to read procedures, ask questions fluidly in the native languages, and show due respect to the local culture.

The FDA can’t create and own a unique system and excite industry worldwide to use it. There’s too much at stake for small companies to consider using a voluntary system such as MDSAP that costs so much and poses so much risk. The FDA must do more than merely harmonize its regulation around ISO 13485; it needs to adopt the acceptance of ISO 13485 certificates issued, using all the international accreditation standards that the world has designed for regulators to use.

These mechanisms also provide communication obligations, which the FDA can benefit from, to deepen confidence in certs issued from so far away. The FDA can, within days, get audit reports from afar and use them to adjust its inspection priorities. The International Accreditation Forum has already built and is now populating a worldwide database to validate ISO QMS certs, including the 35,000 ISO 13485 certificates now issued by 150 certification bodies. By comparison, the MDSAP program has just 14 “Auditing Organizations.”

There are 34,954 sites that were audited and certified to ISO 13485, according to data provided by the International Organization for Standardization. The United States doesn’t have to create programs that never work.

If Congress knew that 35,000 audit reports were produced every year to support ISO 13485:2016, and the FDA adopted ISO 13485:2016, the opportunities to close the biggest gaps in the uncertainty of imported and locally made medical devices could be remedied. If the FDA tapped the worldwide database to validate ISO 13485 certificates of the companies it wanted to audit, even if just to adjust inspection priorities, then the only internationally accepted certification that’s truly a single audit, to one standard, would be accepted everywhere... well, almost.

The International Accreditation Forum hosts more than 100 countries that represent accreditation bodies and certification bodies that support the largest technical trade agreement for medical devices for ISO 13485. The www.IAFCertSearch.org database has been used by medical device regulators and industry to catch thousands of fake certs, especially during the pandemic. Although the IAF “initiative” for ISO 13485 wasn’t designed to meet FDA Part 820, as the FDA moves toward adopting ISO 13485 it makes good sense to consider taking novel steps forward to close the remaining gaps. The FDA is closing the gap between ISO 13485:2016 and Part 820. Will it close the gap on its inspections? There is a way.


About The Author

Grant Ramaley’s picture

Grant Ramaley

Grant Ramaley is the director of regulatory affairs for Aseptico Inc., a manufacturer and marketer of dental support equipment in the United States and Canada since 1975.  Ramaley also is co-chairman of the Regulatory Affairs and Standards Committee for the Dental Trade Alliance, Convener for the ISO 13485 Medical Device Working Group at the International Accreditation Forum, and Technical Committee Advisor to the Global Harmonization Working Party.