2017-01-06 MDSAP AU G0002.1.004_revised 2017-04-13
Annex 1 – Audit of Technical Documentation……………………………………………………………………………………. 104
Annex 2 – Audit of Requirements for Sterile Medical Devices…………………………… 113
Summary of Changes from Prior Revision…………………………………………………… 118
2
The intent of the Management process is to provide adequate resources for device design, manufacturing, quality assurance, distribution, installation, and servicing activities; to assure the quality management system is functioning properly and effectively; and to monitor the quality management system and make necessary adjustments. A quality management system that has been implemented effectively and is monitored to identify and address existing and potential problems is more likely to produce medical devices that function as intended.
The management representative is responsible for ensuring that the requirements of the quality management system have been effectively defined, documented, implemented, and maintained. Prior to the review of any process, interview the management representative (or designee) to obtain an overview of the process and a feel for management’s knowledge and understanding of the process.
The Management process is the first process to be audited per the MDSAP audit sequence.
Auditing the Management Process
Identified processes needed for the quality management system, their application throughout the organization, and their sequence and interaction
Defined, documented, and implemented procedures and instructions to ensure the development and maintenance of an effective quality management system
Established quality objectives at relevant functions and levels within the organization consistent with the quality policy and ensured that these are periodically reviewed for continued suitability
Determined the criteria and methods needed to ensure the operation and control of quality management system processes, including the identification and management of interrelated processes
Committed the appropriate personnel and resources for infrastructure to the quality management system
Assigned responsibility and authority to personnel and established the organizational structure to ensure processes assuring quality are not compromised
Performed risk management planning and ongoing review of the effectiveness of risk management activities to ensure that policies, procedures and practices are established for analyzing, evaluating and controlling risk
Ensured the continued effectiveness of the quality management system and its processes
I.) Established a quality management system which is capable of producing devices that are safe, effective and suitable for their intended use.
Clause and Regulation: [ISO 13485:2016: 4.1.1, 4.1.2, 4.1.3, 4.2.2, 4.1.4, 5.4.2; TG(MD)R Sch3 P1
1.4(4); RDC ANVISA 16/2013: 2.1, 5.6; MHLW MO169: 5, 7, 14; 21 CFR 820.20]
Additional country-specific requirements: None
Links: Measurement, Analysis and Improvement; Design and Development Purchasing; Production and Service Controls; Device Marketing Authorization and Facility Registration
During the audit, whenever a change is identified, verify that the organization has implemented appropriate change controls.
Assessing conformity:
Manufacturers of medical devices are required to establish a quality management system (including quality system procedures and instructions) that is tailored to the regulatory roles assumed by the manufacturer and the medical devices they are manufacturing or designing. The manufacturer’s quality management system must properly implement all applicable requirements of Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016), the Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), Japanese QMS Ordinance (MHLW MO 169), the Quality System Regulation (21 CFR Part 820) and specific requirements of medical device regulatory authorities participating in the MDSAP program, as well as other necessary controls to assure its finished devices, the design and manufacturing processes, and all related activities conform to approved specifications.
The organization may refer to these as Level 1 documents. They are typically high-level, non- product and non-process specific documents and can usually be found in the Quality Manual. These procedures and instructions may contain information on the sequence and interaction of various quality management system processes. The Quality Manual is to outline the structure of the documentation and to describe the interaction of processes (e.g. the processes for identifying nonconformities and corrections and the processes for investigating nonconformities to determine root cause and corrective actions).
Quality Management System Planning
Quality planning is concerned with the design and implementation of the quality management system. Such planning typically occurs during the initial development and implementation of a quality system, but also occurs when there are changes in quality policy, quality objectives, QMS and regulatory requirements, or when changes are necessary to for the QMS to continue to be effective. Quality planning at this level shouldn’t be confounded with quality planning as described in clause 7.1 of ISO 13485:2016.
The inputs to quality planning can include:
quality policy
quality objectives
quality management system standards (e.g. ISO 13485:2016)
regulatory requirements
product-specific requirements (e.g. servicing, installation, etc.)
risk mitigation strategies (e.g. user training)
required changes (e.g. identified during audits or management review)
The outputs of quality planning can include, amongst others:
a description of the QMS processes and their inputs, outputs, sequence, and interactions
the quality manual and associated procedures
a gap analysis
identification or resources needed to implement the QMS
identification of competences and training needed to implement the QMS
implementation and action plans
Quality management system planning should also be used when changes to the quality management system are contemplated or required in order to ensure the continuing conformity of the QMS.
Clause and Regulation: [ISO 13485:2016: 5.5.2; TG(MD)R Sch3 P1 1.4(5)(b)(ii); RDC ANVISA 16/2013: 2.2.5; MHLW MO169: 16; 21 CFR820.20(b)]
Additional country-specific requirements: None
Assessing conformity:
It is important to confirm that top management has appointed a management representative and that the responsibilities and authorities of the management representative have been defined, documented, and implemented. The appointment of the management representative must be documented.
The organization may document the appointment of a management representative in an organizational chart, Quality Manual, memorandum to file, position description, or other appropriate manner. The appointment of the management representative may be made by name or title.
Confirm that the management representative has established responsibility and authority for ensuring that the quality management system is effectively defined, documented, implemented, and maintained. The management representative must also have established responsibility
and authority for reporting to top management on the performance of the quality management system. Confirmation can be accomplished by interviewing the management representative and top management and reviewing the Quality Manual, the management representative’s position description, or similar documents.
Additional examples of evidence of the management representative’s responsibilities and authorities may include:
Sign-off authority for changes to procedures, processes, designs, etc.
Authority to act on behalf of top management during the audit
Authority to place products or processes on hold
Responsibility for managing quality audit functions
Responsibility for contributing to corrective and preventive action activities, complaint handling and the handling of nonconforming product, etc.
Where the activities performed personally by the management representative result in a determination of whether product meets requirements, including regulatory requirements, the management representative must be competent to perform such activities. In such cases, verify that training and experience includes the relevant regulatory requirements.
Clause and Regulation: [ISO 13485:2016: 5.3, 5.4.1; TG(MD)R Sch3 P1 1.4(5)(a); RDC ANVISA 16/2013: 2.2.1; MHLW MO169: 12, 13; 21CFR 820.20(a)]
Additional country-specific requirements: None
Assessing conformity:
A quality policy is comprised of one or more statements of the organization’s intentions and direction with respect to meeting agreed requirements. Top management must establish the quality policy and ensure quality objectives are established that are consistent with the quality policy. Top management must ensure that the quality policy is understood and communicated at all levels of the organization. An assessment of whether the organization’s quality system is satisfying the established quality policy and objectives should be a topic addressed during management reviews.
An effective way of determining whether quality objectives have been implemented is to ask for examples of quality objectives and the status of these objectives. Typically, a quality objective is expressed as a measurable target or goal. An example of an organization’s quality objective could be “to have all essential components meet specifications at a defined reliability rate or better.”
To accomplish this objective, the organization will have to identify, evaluate, and approve reliable suppliers or bring the manufacturing of that component in-house.
Clause and Regulation: [ISO 13485:2016: 5.1, 5.5.1, 5.5.2, 6.1, 6.2; TG(MD)R Sch3 P1 1.4(5)(b); RDC ANVISA
16/2013: 2.2.2, 2.2.3. 2.2.4, 2.3; MHLW MO169: 10, 15, 16, 21, 22, 23; 21 CFR 820.20(b), 820.25]
Additional country-specific requirements: None
Assessing conformity:
Methods for completing this audit task include reviewing the organizational chart(s) and asking authority and responsibility questions. The responsibilities and authorities of various individuals within the organization are also typically described within the Quality Manual, position descriptions, and job postings.
Top management is responsible for ensuring that resources necessary to maintain an effective quality management system are provided. Resources include money, equipment, supplies, and personnel. One method for confirming that adequate resources are made available is to ask the management representative to provide several examples of recent requests for different types of resources and describe the outcomes of these requests.
Clause and Regulation: [ISO 13485:2016: 4.1.5, 4.2.1; TG (MD)R Sch3 P1 1.4(5) (b)(iii), (d)(ii); RDC ANVISA 16/2013: 2.5; MHLW MO169: 5, 6; 21 CFR 820.50]
Additional country-specific requirements: Australia (TGA):
If an Australian Sponsor undertakes an activity that is outsourced by the manufacturer, or required, to be under the control of the manufacturer, verify that the roles and responsibilities of the Australian Sponsor are documented in the manufacturer’s quality management system and that the Sponsor is qualified and controlled as a supplier. For example, but not limited to; a labeling activity to ensure that the name and
address of the Australian Sponsor accompanies the device [TG(MD)R Reg 10.2], the installation of a device, or the servicing of a device.
Canada (HC):
Verify that the roles and responsibilities of any regulatory correspondents, importers, distributors, or providers of a service are clearly documented in the organization’s quality management system and are qualified as suppliers and controlled, as appropriate.
Assessing conformity:
Most organizations outsource at least some products (including services) that affect the ability of the medical device to conform to specified requirements. Some organizations outsource the
majority of products. During interview of the management representative, ascertain the extent to which the organization outsources processes essential for the proper functioning of the finished medical device. Process performance and product conformity, including the performance of supplied product, must be included in management review. The organization must ensure control over outsourced products and processes that affect product conformance with specified requirements.
Link: Purchasing
During audit of the organization’s Purchasing process, ensure that management has assured the appropriate level of control over suppliers, including an assessment of the relationship between supplied products and product risk.
Clause and Regulation: [ISO 13485:2016: 4.2.1, 6.2; RDC ANVISA 16/2013: 2.2.3, 2.2.4, 2.3; MHLW MO169: 6,
22,23, 25.4; 21 CFR 820.20(b)(2), 820.25]
Additional country-specific requirements: Brazil (ANVISA):
Confirm that the manufacturer ensures that any consultant who gives advice regarding design, purchasing, manufacturing, packaging, labeling, storage, installation, or servicing of medical devices has proper qualification to perform such tasks. Those consultants shall be contracted as a formal service supplier, according to purchasing controls defined by the manufacturer [RDC ANVISA 16/2013: 2.3.3].
Assessing conformity:
A review of employee training records can be performed to ensure that employees have been trained regarding the organization’s quality policy and objectives. In particular, this should be done for employees involved in key operations that affect product realization and product quality.
Link: Production and Service Controls
During the audit of the Production and Service Controls process, ensure that employees who are involved in key operations that affect product realization and product quality have been trained in their specific job tasks, as well as the quality policy and objectives. When appropriate, review the training records for those employees whose activities have contributed to process nonconformities.
Clause and Regulation: [ISO 13485:2016: 4.1.2 (b), 7.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4; MHLW MO169: 26; 21 CFR 820.30(g)]
Additional country-specific requirements: None
Assessing conformity:
Confirm that top management has shown commitment to the risk management process by ensuring the provision of adequate resources and the assignment of qualified personnel for risk management activities. Risk-based decisions occur throughout the various quality management system processes. Top management is responsible for defining and documenting the policy
for determining criteria for risk acceptability. Additionally, ensure top management reviews the suitability of the risk management process. This review may be part of the management review. Previously unidentified risks discovered during production and post-production of the medical device may indicate a need to improve the risk management process. Each organization must decide how much risk is acceptable.
When appropriate, assess the role of top management when risk-based decisions are made that appear to justify levels of risk that do not meet the organization’s previously established risk- acceptance criteria.
Link: Design and Development
Risk management usually starts in conjunction with the design and development planning process at a point in the development when the results of risk analysis can affect the design process. During audit of the Design and Development process, evaluate top management’s commitment to risk management activities. Evidence of commitment to risk management may include the implementation of new or more stringent controls, external controls (e.g. additional supplier-related controls), or design changes to maintain an acceptable level of product risk.
Clause and Regulation: [ISO 13485:2016: 4.1.4, 4.2.1, 4.2.4, 4.2.5; TG(MD)R Sch3 P1 1.4(4); RDC ANVISA 16/2013:
3.1; MHLW MO169: 5, 6, 8, 9,; 21 CFR 820.40, 820.180]
Additional country-specific requirements: Australia (TGA):
Confirm that Quality Management System documentation and records in relation to a device described in TG(MD)R Sch3 P1 1.9 are retained by the manufacturer for at least 5 years.
Brazil (ANVISA):
Verify that change records include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective [RDC ANVISA 16/2013: 3.1.5].
Confirm that the manufacturer maintains a master list of the approved and effective documents [RDC ANVISA 16/2013: 3.1.5].
Verify that electronic records and documents have backups [RDC ANVISA 16/2013: 3.1.6].
Japan (MHLW)
Confirm that Quality Management System documentation and records in relation to a device are retained for the following periods (5 years for training records and documentation). [MHLW MO169: 8.4, 9.3, 67, 68].
15 years for ‘specially designated maintenance control required medical devices’ [or one year plus the shelf life for products when the shelf life or the expiry date (hereinafter simply referred to as the "shelf life") plus one year exceeds 15 years]
5 years for the products other than the ‘specially designated maintenance control required medical devices’ (or one year plus the shelf life for the products of which the shelf life plus one year exceeds 5 years).
Note: The ‘specially designated maintenance control required medical device’ is defined as below in PMD Act 2.8: A medical device designated by the Minister of Health, Labour and Welfare after hearing the opinion of the Pharmaceutical Affairs and Food Sanitation Council as those whose potential risk to the diagnosis, treatment or
prevention of disease is significant without proper control since this kind of equipment requires expert knowledge and skill in examination for maintenance and inspection, repair and other management
United States (FDA)
Verify that electronic records and documents have backups [21 CFR 820.180].
Assessing conformity:
Confirm that the organization has defined, documented, and implemented procedures for control of quality management system documents and records. Evidence that these controls are effective can be ascertained through the audit of the other quality management system processes. For example, evidence that the document controls process is ineffective might be the observation of obsolete procedures being used or required records being unavailable.
Ensure at least one copy of obsolete controlled documents is maintained.
Clause and Regulation: [ISO 13485:2016: 5.6; TG(MD)R Sch3 P1 1.4(5)(b)(iii)(f); RDC ANVISA 16/2013: 2.2.6; MHLW MO169: 18, 19, 20; 21 CFR820.20(c)]
Additional country-specific requirements: None
Assessing conformity:
It is important to verify that the organization has documented and implemented effective management review procedures. Top management must review the suitability, adequacy and effectiveness of the organization’s quality management system at defined intervals and with sufficient frequency to ensure that the quality management system satisfies applicable requirements of Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), Japanese QMS Ordinance (MHLW MO 169), the Quality System Regulation (21 CFR Part 820) and specific requirements of medical device regulatory authorities participating in the MDSAP program, in addition to the organization’s own established quality policy and objectives. The dates and results of the management reviews must be documented. These documentation requirements must be included in the management review procedure.
Other requirements commonly seen in management review procedures include a fixed agenda of topics to be discussed (with flexibility for unique agenda items to be added), the necessary attendees who are to participate in the management review, and how action items resulting from the management review are to be addressed and input into the Measurement, Analysis and Improvement process when necessary. Ensure that the quality policy and objectives have been reviewed for continued suitability and that any changes to regulatory requirements have been identified. Other inputs to management review include results of internal and external audits, customer feedback, process performance and product conformity, status of preventive and
corrective actions, follow-up actions from previous management reviews, changes that could affect the quality management system, and recommendations for improvement.
Link: Measurement, Analysis and Improvement
During audit of the Measurement, Analysis and Improvement process, confirm when necessary that action items resulting from Management review are considered for corrective or preventive action.
Confirm that the organization has defined and implemented controls to ensure that only devices that have received the appropriate marketing authorization are distributed or otherwise offered for commercial distribution into the applicable markets.
Clause and Regulation: [ISO 13485:2016: 4.1.1, 4.2.1, 5.2, 7.2.1, 7.2.3]
Additional country-specific requirements: None
Assessing conformity:
During the audit of the Management process, verify that the organization has identified and documented the responsibilities of employees and personnel for ensuring proper registration, listing, licensing, notification and approval information is accurately submitted to regulatory authorities or authorized representatives (e.g. Australian Sponsor) participating in the MDSAP.
Verify that the organization has identified and documented the responsibilities and authorities of personnel who are responsible for implementing controls to ensure that devices are only distributed in participating MDSAP jurisdictions where market authorizations have been obtained.
Verify that these obligations are being carried out by competent personnel.
Verify that the organization has identified, documented, and implemented controls to ensure that only devices that have received market authorization are released for distribution, or otherwise offered for commercial distribution, into participating MDSAP jurisdictions where the organization intends to supply the product.
Controls can include, but are not limited to:
Change control processes that ensure that changes are assessed for their impact on existing marketing authorizations;
Procedures and/or work instructions that clearly identify the jurisdictions in which products can be sold;
Separate part numbers for devices, by jurisdictions;
Review of purchase orders to assure the customer requests and receives only product with the appropriate market clearance;
Review of sales and marketing practices and materials (including internet pages) to assure product is promoted only for markets where the product maintains appropriate market clearance;
Segregation of finished devices in warehousing and shipping areas, by jurisdictions;
Business rules in software to prevent the acceptance of purchase orders where marketing
authorization is absent;
Specific language in distribution agreements limiting devices that can be distributed in certain jurisdictions;
Jurisdiction-specific marketing materials (catalogues, websites, etc.);
The availability of accurate information on marketing authorizations obtained by jurisdiction. The effectiveness of these controls can be verified by, for example:
Interviewing sales and customer-support personnel;
Interviewing personnel in shipping and distribution;
Challenging sales / ERP software;
Reviewing distribution agreements;
Reviewing marketing material;
Reviewing distribution records and/or DHR records against lists of valid market authorizations.
The verification of the effectiveness of these controls should be specific to the device identifier(s) (e.g. model number) as listed in the marketing authorization(s). A broad sample covering many products and jurisdictions should be selected, particularly when reviewing distribution records.
In order to prepare for this audit task, audit teams should ensure that they have current lists of market authorizations held by the organization as well as the names of all authorised representatives in the MDSAP jurisdictions prior to coming on site.
The appropriate application of registration, listing, licensing, notification and approval processes, and the accuracy of information for Device Marketing Authorization for submission to Regulatory Authorities or authorized representatives (e.g. Australian Sponsor) participating in the MDSAP will be verified under the Device Marketing Authorization and Facility Registration process. A preliminary review of device marketing authorization and facility registration may be made during the audit of the Management process, followed by comprehensive coverage for specific medical devices selected for review under the Design and Development process.
Link: Device Marketing Authorization and Facility Registration
Clause and Regulation: [ISO 13485:2016:4.1.1, 4.1.4, 5.1, 5.5.3; RDC ANVISA 16/2013: 2.1, 2.2.1; MHLW MO169:
5, 10, 17; 21 CFR 820.20(a), 820.5]
Assessing conformity:
During the audit of the other MDSAP processes, the audit team will have the opportunity to assess whether management is appropriately carrying out its responsibilities; whether the quality policy is understood, implemented, and maintained at all levels of the organization; if the necessary resources are being provided to maintain an effective quality management system; if the management representative has the necessary responsibilities and authorities; the adequacy of the organizational
structure; and whether management reviews and quality audits are effective, etc.
Remember that a quality management system that has been implemented effectively, monitored to identify and address existing and potential problems, and has an integrated risk management process utilizing risk-based decision-making is more likely to produce medical devices that function as intended.
Process: Device Marketing Authorization and Facility Registration
The Device Marketing Authorization and Facility Registration process may be audited as a linkage from the Management process and/or the Design and Development process.
Complied with requirements to register and/or license device facilities
Submitted device listing information to regulatory authorities when applicable
Obtained device marketing authorization in the appropriate jurisdictions
Arranged for assessment of changes (where applicable) and obtained marketing authorization for changes to devices or the quality management system which require amendment to existing marketing authorization
Links to Other Processes: Management, Design and Development
Note: In some jurisdictions Device Market Authorization is the responsibility of the importer / Marketing Authorization Holder / Sponsor. Market Authorization however may only be appropriate if the manufacturer and importer fulfil obligations that have been placed upon them by the relevant legislation, including obligations to each other (e.g. communications concerning feedback, adverse event reporting and the management of advisory notices and recalls) Prior to an audit, an Auditing Organization shall independently investigate the identity and range of products, facilities and importers (e.g. Importer, MAH, Sponsor, etc.) that are known to the Regulatory Authority of each jurisdiction where the manufacturer / organization intends to supply product. Verify at, or prior to, audit that the regulatory requirements to register and/or license device facilities and submit device listing information have been appropriately applied for each manufacturer / importer arrangement. Note that some importers / MAHs / Sponsors may have provided information to Regulatory Authorities indicating that a manufacturer is the “legal manufacturer” even though the manufacturer inappropriately considers themselves to be an Original Equipment Manufacturer or an Original Device Manufacturer. A review of labelling for product being supplied to a particular jurisdiction may assist with determining if appropriate market authorization processes have been applied.
Clause and regulation: [ISO 13485:2016: 4.1.1, 4.2.1, 5.2, 7.2.1, 7.2.3; see the country-specific requirements below]
Country specific requirements: Australia (TGA):
Manufacturer of a medical device is the person who is responsible for the design, production, packaging and labeling of the device before it is supplied under the person’s name, whether or not it is the person, or another person acting on the person’s behalf, who carries out those operations.
Australian importers (Sponsors) are required to include (register) medical devices from non-Australian manufacturers in the Australian Register of Therapeutic Goods (ARTG). Sponsors are required to register the manufacturers that they represent and to obtain a Client ID for the manufacturer from the TGA.
To assist the Australian sponsor, non-Australian manufacturers must undertake the following to demonstrate that they have met the obligations on manufacturers who wish to supply to Australia;
Classify the device using the Australian classification rules
Identify an Australian conformity assessment procedure that is to be applied in accordance with the classification of the device
Obtain 3rd party assessment of their QMS and the device in accordance with the selected conformity assessment procedure or an equivalent EU MDD, AIMD or IVDD procedure
Prepare an Australian Declaration of Conformity in accordance with the requirements of the Conformity Assessment Procedure that has been applied [TG(MD)R Sch 3 P1 Cl1.8].
Either provide to the Australian Sponsor, or enter into a written agreement with the Sponsor that requires the manufacturer to provide to the Sponsor, or the TGA, on request;
Evidence that their device complies with the Australian Essential Principles
Evidence that the manufacturer has applied an Australian Conformity Assessment Procedure, or equivalent MDD / AIMD / IVDD conformity assessment procedure.
information to assist the Sponsor with annual reporting for specified high risk devices (AIMD, Class III, Implantable Class IIb, Class 4 IVDs)
information about feedback to the manufacturer (including complaints), reportable adverse events, advisory notices or recalls
Permit the TGA to inspect the manufacturer’s premises at any reasonable time, to inspect medical devices of any kind on those premises and to examine, take measurements of, conduct tests on, require tests to be conducted on or take samples of medical devices of any kind on those premises or anything on those premises that relates to medical devices of any kind. While on those premises, to make any still or moving image or any recording of those premises or anything on those premises; and
If requested to do so by an authorized person, produce to the person such documents relating to devices of the kind included in the Register as the person requires and allow the person to copy the documents
That the manufacturer will comply with any conditions imposed on the manufacture of devices
Note that Sponsors are required to provide the manufacturer with information in relation to the manufacturer’s obligations under a conformity assessment procedure and information in relation to whether the devices comply with the Essential Principles [TG Act 41FN(3)(e)].
Refer to:
Therapeutic Goods Act 1989
Part 4-2 – Essential Principles and medical device standards o Part 4-3 – Conformity Assessment Procedures
Section 41FD – Matters to be certified
Section 41FN – Conditions applying automatically
Section 41FO – Conditions imposed when kinds of medical devices are included in the Register o Section 41FP – Conditions imposed after kinds of medical devices are included in the Register
Therapeutic Goods (Medical Devices) Regulations 2002
Regulation 3.5 – Medical devices manufactured outside Australia o Regulation 5.8 - Conditions applying automatically
Schedule 1 – Essential Principles o Schedule 2 – Classification Rules
Schedule 3 – Conformity Assessment Procedures
Brazil (ANVISA):
For a domestic manufacturer, confirm that the establishment has ANVISA’s authorization to manufacture medical devices (AFE - Autorização de Funcionamento da Empresa). For domestic and international manufacturers, verify that the products already distributed in the Brazilian market are registered/notified with ANVISA [Brazilian Federal Law nº 6360/76].
Manufacturer means any person who designs, manufactures, assembles or processes finished devices, including those who only perform sterilization process, labeling and packaging [RDC ANVISA 16/2013: 1.2.9]. |
According Brazilian Legislation, the Good Manufacturing Practice (GMP) certification is a prerequisite for medical device registration. Therefore, the facility site inspection precedes the device registration request. Medical devices subject to notification do not need the GMP certificate, but even not being certified, their manufacturers shall comply with the GMP requirements. |
Device marketing authorization shall be requested to ANVISA by the domestic manufacturer or importer (legal representative) formally established in Brazil. |
Registration is a comprehensive process for market authorization, applied to medical devices in classes III and IV. [ANVISA RDC nº 36/2015, RDC nº 40/2015]. |
Notification is a simplified market authorization process, applied to all medical device classes I and II. [ANVISA RDC nº 36/2015, RDC nº 40/2015]. |
Registration is valid for 5 years, while notification have no expire date. Renewal of the registration shall be requested upon time defined at Brazilian Law 6360/1976. Device marketing authorization shall be requested to ANVISA by the domestic manufacturer or importer (legal representative) formally established in Brazil. Registration is a comprehensive process for market authorization, applied to medical devices in classes III and IV. [ANVISA RDC nº 36/2015, RDC nº 40/2015] Notification is a simplified market authorization process, applied to all medical device classes I and II. [ANVISA RDC nº 36/2015, RDC nº 40/2015] Registration is valid for 5 years, while notifications have no expire date. Renewal of the registration shall be requested upon time defined at Brazilian Law 6360/1976. |
Medical devices registration/notification:
Domestic manufacturer: shall be authorized by ANVISA, at a minimum, as a manufacturer of medical devices. This license includes authorization to store and distribute medical devices. |
Importer: the importer is considered the legal representative of the international manufacturer in Brazil and shall be authorized by ANVISA to import, store, and distribute medical devices. In the case of outsourcing the storage, the importer does not need authorization for this activity. |
Establishment license:
Canada (HC):
Manufacturer means a person who sells a medical device under their own name, or under a trade-mark, design, trade name or other name or mark owned or controlled by the person, and who is responsible for designing, manufacturing, assembling, processing, labeling, packaging, refurbishing or modifying the device, or for assigning to it a purpose, whether those tasks are performed by that person or on their behalf [CMDR 1].
No person shall import or sell a Class II, III or IV medical device unless the manufacturer of the device holds a license in respect of that device or, if the medical device has been subjected to a change described in section 34, an amended medical device license [CMDR 26].
An application for a medical device license shall be submitted to the Minister by the manufacturer of the medical device in a format established by the Minister [CMDR 32].
An application for a medical device license shall include a copy of a quality management system certificate certifying that the quality management system under which the medical device is manufactured (class II) or designed and manufacturer (class III or IV) satisfies National Standard of Canada CAN/CSA-ISO 13485:2016. [CMDR 32(2)(f); 32(3)(j); 32(4)(p)].
Japan (MHLW)
“Marketing Authorization Holder” means a person who resides in Japan and is granted a license for marketing from a prefectural government [PMD Act 23-2.1].
Application or Notification for marketing
(Class 2, class 3, and class 4 medical devices except for the ones specified by the requirement of PMD Act 23-2-23.1)
An” Application for Marketing Approval” shall be submitted to PMDA by the Marketing Authorization Holder to get authorization for marketing a medical device in Japan. [PMD Act 23-2-5.1]
An “Application for QMS Audit” shall also be submitted to PMDA by the Marketing Authorization Holder, when they do not have an effective QMS Certificate for the device. [PMD Act 23-2-5.6, 7]
(Class 2 and class 3 medical devices which are specified by the requirement of PMD Act 23-2-23.1)
An” Application for Marketing Certification” shall be submitted to a Registered Certification Body (RCB) by the Marketing Authorization Holder to get authorization for marketing a medical device in Japan. [PMD Act 23-2-23.1]
An “Application for QMS Audit” shall also be submitted to an RCB by the person, when the person does not have a valid QMS Certificate for the device. [PMD Act 23-2-23.3, 4].
(Class 1 medical device)
A “Notification for Marketing” shall be submitted to PMDA by the Marketing Authorization Holder for marketing a class 1 device in Japan [PMD Act 23-2-12].
A class 1 medical device doesn’t need anyQMS Certificate for marketing.
Facility Registration (Registered Manufacturing Site)
A medical device manufacturing site which conducts one of the designated manufacturing processes listed below shall be registered:
Main Designing,
Main assembly,
Sterilization, and
Domestic storage before final release.
The site is called “Registered Manufacturing Site”. It has to submit an application to PMDA for registration by itself [PMD Act 23-2-3.1, 23-2-4].
United States (FDA):
21 CFR 807 - Establishment Registration and Device Listing for Manufacturers and Initial Importers of Devices:
Establishment means a place of business under one management at one general physical location at which a device is manufactured, assembled, or otherwise processed.
Owner or operator means the corporation, subsidiary, affiliated company, partnership, or proprietor directly responsible for the activities of the registering establishment.
Owner or operator must register the establishment and submit listing information to Food and Drug Administration (FDA) for those devices in commercial distribution, regardless of classification—
The registration and listing requirements must pertain to any person who:
Initiates or develops specifications for a device that is to be manufactured by a second party for commercial distribution by the person initiating specifications;
Manufactures for commercial distribution a device either for itself or for another person; regardless of whether the manufacturer places the device into commercial distribution or returns the device to the customer;
Repackages or relabels a device;
Acts as an initial importer, except that initial importers may fulfill their listing obligation for any device for which they did not initiate or develop the specifications for the device or repackage or relabel the device by submitting the name and address of the manufacturer.
Manufactures components or accessories which are ready to be used for any intended health-related purpose and are packaged or labeled for commercial distribution for such purpose;
Sterilizes or otherwise makes a device for or on behalf of a specifications developer or any other person;
Acts as a complaint file establishment; or
Is a device establishment located in a foreign trade zone
Link: Management
During audit of the Management process, confirm that management is aware of and has made arrangements for device marketing authorization and facility registration.
Clause and regulation: [ISO 13485:2016: 4.1.1, 4.2.1, 5.2, 7.2.1, 7.2.3; see the country-specific requirements below]
Country specific requirements: Australia (TGA):
Marketing authorization (inclusion in the Australian Register of Therapeutic Goods [ARTG]) is granted to the Australian Sponsor. Non-Australian manufacturers will need to assist the Sponsor through the provision of information. A Sponsor is not permitted to import a device until market authorization has been granted.
A non-Australian manufacturer’s procedures should ensure that product is not released for export and supply to Australia unless the Australian Sponsor has been issued with a “Certificate of Inclusion in the Australian Register of Therapeutic Goods” that identifies each kind of medical device that has been approved for supply to the Australian market [TG Act s41FJ].
Brazil (ANVISA):
In Brazil there are two kinds of marketing clearance, registration and notification:
Device market clearance shall be requested to ANVISA by the domestic manufacturer or importer (legal representative) formally established in Brazil.
Registration is a comprehensive process for market authorization, applied to medical devices in classes III and IV. [ANVISA RDC nº 36/2015, RDC nº 40/2015]
Notification is a simplified market authorization process, applied to all medical devices classes I and
II. [ANVISA RDC nº 36/2015, RDC nº 40/2015]
Registration is valid for 5 years, while notifications have no expire date, - renewal of the registration s hal l be requested upon time defined at Brazilian Law 6360/1976.
Canada (HC):
No person shall import or sell a Class II, III or IV medical device unless the manufacturer of the device holds a license in respect of that device or, if the medical device has been subjected to a change described in section 34, an amended medical device license [CMDR 26].
Japan (MHLW)
Any person who intends to market a medical dev i ce f or b usi nes s i n Japan shall have a license for marketing granted by the prefectural government. This person is called a “Marketing Authorization Holder” (MAH) and shall reside in Japan [PMD Act 23-2.1]. The person has to submit an Application for Marketing Approval/Certification (class 2, 3 or 4 medical device) or a Notification for Marketing (class 1 medical device) to get marketing clearance for the medical device. No person shall market a medical device in Japan, unless the Marketing Authorization Holder of the device has been granted the marketing clearance [PMD Act 23-2-5.1, 23-2-23.1, 23-2-12].
United States (FDA):
21 CFR 807.81- Premarket Notification:
Each person who is required to register his establishment pursuant to 807.20 must submit a premarket notification submission to the Food and Drug Administration at least 90 days before he proposes to begin the introduction or delivery for introduction into interstate commerce for
commercial distribution of a device intended for human use which meets any of the following criteria:
The device is being introduced into commercial distribution for the first time; that is, the device is not of the same type as, or is not substantially equivalent to, (i) a device in commercial distribution before May 28, 1976, or (ii) a device introduced for commercial distribution after May 28, 1976, that has subsequently been reclassified into class I or II.
The device is being introduced into commercial distribution for the first time by a person required to register
21 CFR 814 – Premarket Approval
A Premarket approval is required for any FDA class III device that was not on the market (introduced or delivered for introduction into commerce for commercial distribution) before May 28, 1976, and
is not substantially equivalent to a device on the market before May 28, 1976, or to a device first marketed on, or after that date, which has been classified into class I or class II.
Link: Management, Design and Development
During the audit of the Management and Design and Development processes, ensure that management is aware of requirements for device marketing authorization and facility registration, and that these are considered when designing the device. Confirm that management obtains marketing authorization in the appropriate jurisdictions prior to commercial distribution of the device.
Clause and regulation: [ISO 13485:2016: 4.1.1, 4.2.1, 5.2, 7.2.1, 7.2.3, 7.3.9; see the country-specific requirements below]
Country specific requirements: Australia (TGA):
The manufacturer is required to notify their assessment body of: A proposed substantial change to their QMS
A proposed change to the kinds of medical devices to which the system is to be applied For Class III or AIMD, a proposed change to design, or intended performance of the device
Refer to:
Therapeutic Goods (Medical Devices) Regulations 2002 Regulation 3.5 – Medical devices manufactured outside Australia
Schedule 3 - The relevant conformity assessment procedure chosen by the manufacturer
Note: An entry in the Australian Register of Therapeutic Goods (inclusion) in the name of the Australian Sponsor is in effect until cancelled.
Brazil (ANVISA):
Changes involving medical devices already approved by ANVISA, shall be submitted for a new approval [Brazilian Law nº 6360/76 - Art. 13]. Changes/modifications that shall be submitted are those ones classified as significant change, which affects: a) features of safety and effectiveness, including measures to communicate information (ex. residual risk); b) identification of the device or its manufacturer or manufacturing site; c) indication for use, including its purpose, patient type (adult, pediatric, newborn)
or environment to be used (domestic, hospital, ambulance, etc.); e) device classification; f) technical specification of the device, including composition and other operational/technical/physical features; g) manufacturing method.
Examples of modifications that may require a new submission include, but are not limited to, the following:
Sterilization method;
Structural material / composition;
New or additional manufacturer;
Manufacturing method;
Manufacturing site;
Operating parameters or conditions for use;
Patient or user safety features;
Sterile barrier packaging material;
Stability or expiration claims;
Design;
Labels and instructions of use (if modification is regarding information);
Commercial name;
Indication for use;
New software version;
Commercial presentation;
Inclusion of a new device in a family of medical devices already approved;
Inclusion of new accessories.
Canada (HC):
If the manufacturer proposes to make one or more changes, the manufacturer shall submit to the Minister, in a format established by the Minister, an application for a medical device license amendment including the information and documents set out in section 32 that are relevant to the change [CMDR 34].
Every manufacturer of a licensed medical device shall, annually before November 1 and in a form authorized by
the Minister, furnish the Minister with a statement signed by the manufacturer or by a person authorized to sign on the manufacturer’s behalf describing any change to the information and documents supplied by the manufacturer with respect to the device, other than those to be submitted under section 34 or 43.1 [CMDR 43].
If the holder of a medical device license discontinues the sale of the medical device in Canada, the licensee shall inform the Minister within 30 days after the discontinuance, and the license shall be cancelled at the time that the Minister is informed [CMDR 43(3)].
Subject to section 34, if a new or modified quality management system certificate is issued in respect of a licensed medical device, the manufacturer of the device shall submit a copy of the certificate to the Minister within 30 days after it is issued [CMDR 43.1].
Japan (MHLW)
A change to a medical device which is approved/certified by PMDA/a Registered Certification Body may require the Marketing Authorization Holder to submit a new application, a change application, or a change notification [PMD Act 23-2-5.1, 23-2-5.11, 23-2-5.17, 23-2-23.1, 23-2-23.6, 23-2-23.7]. Changes that
require the application or the notification are those ones which directly impact the safety and efficacy of the device and/or the substantial identity of the fact approved during marketing approval / certification.
The Registered Manufacturing Site shall communicate with the Marketing Authorization Holder about the change when the Registered Manufacturing Site plans such changes, so that the Marketing Authorization Holder could take any necessary regulatory actions mentioned above [MHLW MO169; 29].
Examples of changes that may require an application or a notification include, but are not limited to, the following:
Design;
Composition;
Raw material;
Sterilization method;
Manufacturing method;
Manufacturing site;
Patient or user safety features;
Operating Parameters or conditions for use;
Indication for use;
Shelf life;
Performance Specification;
United States (FDA):
21 CFR 807 - Establishment Registration and Device Listing for Manufacturers and Initial Importers of Devices:
Update the device listing information during each June and December or, at its discretion, at the time the change occurs. Conditions that require updating and information to be submitted for each of these updates are as follows:
If an owner or operator introduces into commercial distribution a device identified with a classification name not currently listed by the owner or operator
If an owner or operator discontinues commercial distribution of all devices in the same device class
Update registration if changes in individual ownership, corporate or partnership structure, or location of at the time of annual registration, or by letter if the changes occur at other times. This information must be submitted within 30 days of such changes. Changes in the names of officers and/or directors of the
corporation(s) must be filed with the establishment’s official correspondent and must be provided to the Food and Drug Administration upon receipt of a written request for this information.
21 CFR 807.81- Premarket Notification:
A new complete 510(k) application is required for changes or modifications to an existing device, where the modifications could significantly affect the safety or effectiveness of the device, or the device is to be marketed for a new or different indication. All changes in indications for use require the submission of a 510(k).
Examples of modifications that may require a 510(k) submission include, but are not limited to, the following:
Sterilization method
Structural material
Manufacturing method
Operating parameters or conditions for use
Patient or user safety features
Sterile barrier packaging material
Stability or expiration claims
Design
21 CFR 814.39 – PMA Supplements
After FDA’s approval of a PMA, an applicant shall submit a PMA supplement for review and approval by FDA before making a change affecting the safety or effectiveness of the device for which the applicant has an approved PMA. While the burden for determining whether a supplement is required is primarily on the PMA holder, changes for which an applicant shall submit a PMA supplement include, but are not limited to, the following types of changes if they affect the safety or effectiveness of the device:
New indications for use of the device
Labeling changes
The use of a different facility or establishment to manufacture, process, or package the device
Changes in sterilization procedures
Changes in packaging
Changes in the performance or design specifications, circuits, components, ingredients, principle of operation, or physical layout of the device
Extension of the expiration date of the device based on data obtained under a new or revised stability or sterility testing protocol that has not been approved by FDA
An applicant may make a change in a device after FDA's approval of a PMA for the device without submitting a PMA supplement if the change does not affect the device's safety or effectiveness and the change is reported to FDA in post approval periodic reports required as a condition to approval of the device, e.g., an editorial change in labeling which does not affect the safety or effectiveness of the device.
Link: Design and Development
During the audit of the Design and Development process, the audit team should confirm the organization has considered regulatory requirements for device marketing authorization and facility registration; and has complied with these requirements prior to marketing the changed device in the applicable regulatory jurisdictions.
Process: Measurement, Analysis and Improvement
One of the most important activities in the quality management system is the identification of existing and potential causes of product and quality problems. Such causes must be identified so that appropriate and effective corrective or preventive actions can take place. These activities are carried out under the Measurement, Analysis and Improvement process.
The purpose of an organization’s Measurement, Analysis and Improvement process is to collect and analyze information, identify and investigate existing and potential causes of product and quality problems, and take appropriate and effective corrective or preventive action to prevent recurrence or occurrence. It is essential that an organization verify or validate these actions, communicate corrective and preventive action activities to responsible people, provide relevant information for management review, and document these activities. These activities will help the organization deal effectively with existing or potential product and quality problems, prevent their recurrence and/or occurrence, and prevent or minimize device failures or other quality problems.
The management representative is responsible for ensuring that the requirements of the quality management system have been effectively defined, documented, implemented, and maintained. Prior to the audit of any process, interview the management representative (or designee) to obtain an overview of the process and a feel for management’s knowledge and understanding of the process.
The Measurement, Analysis and Improvement process is the second primary process to be audited per the MDSAP audit sequence. When applicable, information regarding device or identified quality management system nonconformities observed during the audit of the Measurement, Analysis and Improvement process should be used to make decisions as to design projects or design changes to assess during audit of the Design and Development process, suppliers to evaluate during audit of the Purchasing process, and processes to review during audit of the Production and Service Controls process.
Auditing the Measurement, Analysis and Improvement Process
Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the quality management system standard and participating MDSAP regulatory authorities
Identified, analyzed, and monitored appropriate sources of quality data to identify nonconformities or potential nonconformities and determined the need for corrective or preventive action
Ensured investigations are conducted to identify the underlying cause(s) of nonconformities and potential nonconformities, where possible
Implemented appropriate corrective action to eliminate the recurrence or preventive action to prevent the occurrence of product or quality system nonconformities, commensurate with the risks associated with the nonconformities or potential nonconformities encountered
Reviewed the effectiveness of corrective action and preventive action
Utilized information from the analysis of production and post-production quality data to amend the analysis of product risk, as appropriate
Clause and regulation: [ISO 13485:2016: 4.2.1, 8.1, 8.2.1, 8.2.6, 8.5; TG(MD)R Sch3 P1 1.4(3)(a),(b), (5)(b)(iii), (f);
; RDC ANVISA 16/2013: 5.3.1, 7.1, 7.2; MHLW MO169: 6, 54, 55, 58, 62, 63, 64; 21 CFR 820.100(a)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the manufacturer has ensured that information about quality problems or nonconforming products are properly disseminated to those directly involved in the maintenance of product quality and to prevent occurrence of such problems [RDC ANVISA 16/2013: 7.1.1.6].
United States (FDA):
Verify procedures ensure that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of problems [21 CFR 820.100(a)(6)].
Confirm procedures provide for the submission of relevant information on identified quality problems, as well as corrective and preventive actions, for management review [21 CFR 820.100(a)(7)].
Assessing conformity:
Each organization must establish and maintain procedures for analyzing data and implementing corrective action and preventive action. The procedures must include requirements for:
Analyzing feedback, conformity to product requirements, characteristics and trends of processes and products (including opportunities for preventive action), and conformity of suppliers
Reviewing nonconformities, including customer complaints
Evaluating the need for action to prevent recurrence or occurrence of nonconformities
Recording the results of any investigations and of actions taken
Identifying the action(s) needed to correct and prevent recurrence or occurrence of nonconforming product and other quality problems
Ensure that action is effective and does not adversely affect the finished device (g)Implementing and recording changes in methods and procedures needed to correct and
prevent identified quality problems
(h)Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems
Determine if appropriate sources of quality data have been identified for input into the measurement, analysis and improvement process, including customer complaints, feedback, service records, returned product, internal and external audit findings, nonconformities from regulatory audits and inspections, and data from the monitoring of products, processes, nonconforming products, and suppliers. Confirm that data from these sources are accurate and analyzed according to a documented procedure for the use of valid statistical methods (where appropriate) to identify existing and potential product and quality management system nonconformities that may require corrective or preventive action.
Clause and regulation: [ISO 13485:2016: 7.5.4, 8.1, 8.2.1, 8.2.6, 8.4; TG(MD)R Sch3 P1 1.4(3)(a),(b), (5)(b)(iii), (f); RDC
ANVISA 16/2013: 7.1.1.1, 9.1; MHLW MO169: 43, 54, 55, 58, 61; 21 CFR 820.100(a)]
Additional country-specific requirements: None
Assessing conformity:
Complaints, records of acceptance activities and concessions, nonconformities identified in internal audits, service records, acceptability of supplied product and supplier performance, and data presented in management review are common quality data sources that are useful in identifying quality problems, among others.
Some sources of quality data that may be useful in identifying potential problems are acceptance activities, such as component, in-process, or finished device testing; environmental monitoring, and statistical process control (SPC). Results of acceptance activities may indicate an unfavorable trend that left unattended may result in product nonconformity.
During the audit of the Measurement, Analysis and Improvement process, it is recommended that the auditor(s) review the previous audit report if there is one for the organization. If this information
is available, the audit team should use the information in the report when selecting some quality data sources to review during the audit. For example, if service records were reviewed during the previous audit and the organization was handling the data appropriately, the audit team may wish to select a different data source for review during the audit. However, if the previous audit documented that the data from service records were not being entered into the Measurement, Analysis and Improvement process appropriately, the audit team should consider reviewing service records again to determine whether the previous deficiency was effectively addressed.
Select some sources of quality data. Determine if the data from these sources were entered into the organization’s Measurement, Analysis and Improvement process for analysis and whether the information was complete, accurate, and entered in a timely fashion. Be mindful of quality problems that appear in more than one data source. For example, device nonconformities noted in complaints should be compared with similar nonconformities noted during the organization’s analysis of data from other data sources such as product reject reports, or nonconforming product or process reports. This comparison will help the organization and the audit team understand the full extent of the quality problem.
An organization should use data from a variety of quality data sources to identify the causes of existing product and quality problems. Not all organizations will have the same sources of quality data. For example, service records and installation reports are quality data sources that may not be found at every device manufacturer. As the audit team is conducting the audit, determine what sources of quality data the organization has identified. The audit team will also determine whether the sources identified by the organization are appropriate and if the organization is analyzing quality data from these sources to identify existing product problems as well as existing problems within its quality system. Later in the evaluation of the Measurement, Analysis and Improvement process, the audit team will be sampling raw quality data to determine how the organization analyzed the quality data and responded to the results of its analysis.
An organization should also use data from a variety of quality data sources to identify the causes of potential product and quality problems. The organization should be looking for trends or other indications of potential problems before the problems actually occur. The organization may choose to perform analysis of competing devices, including reviewing advisory notices related to competing devices, to determine whether similar nonconformities could occur in the organization’s devices. Determine whether the organization can identify potential product and quality problems that may require preventive action.
An organization has the flexibility to use whatever methods of analysis are appropriate to identify existing and potential causes of nonconforming product or other quality problems. However, an organization must use appropriate statistical methodology where necessary to detect recurring quality problems.
An organization must also use appropriate statistical tools when it is necessary to use statistical methodology. It should not misuse statistics in an effort to minimize the problem or avoid addressing the problem.
Link: Purchasing
During the audit of the Measurement, Analysis and Improvement process, the audit team may encounter data involving product nonconformities, including complaints involving finished devices, where the underlying cause of the quality problem has been traced to a supplied product. During the audit of the Purchasing process, the audit team should consider selecting suppliers to audit that have corrective action indicators of nonconformities with supplied components or processes.
Clause and regulation: [ISO 13485:2016: 8.5.2; TG(MD)R Sch3 P1 1.4(3)(a),(b), (5)(b)(iii),(f), TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 6.5.1, 7.1.1.2; MHLW MO169: 63; 21 CFR 820.100 (a)(2)]
Additional country-specific requirements: None
Assessing conformity:
Organizations must define and implement a process for investigations. The process should consist of a structured, risk-based approach (in a mature QS) intended to determine the root or underlying cause(s) of a quality problem. Criteria should be defined to determine when an investigation is necessary and the extent of the investigation. The investigation should be based on a pre-approved plan or other defined approach, timelines should be defined, roles and responsibilities should be assigned, and the course of action should be assessed when the underlying cause cannot be determined. The results of the investigation must be recorded. The depth of the organization’s investigation of a process, product, or other quality system nonconformity should be commensurate with the significance and risk of the nonconformity. The process for determining the extent of an investigation may be linked to the organization’s risk management system and the design outputs essential to the proper functioning of the device.
A correction is not the same as a corrective action. In order for an organization to take a corrective action (i.e., action taken to prevent recurrence of an existing nonconformity), an investigation
must be conducted to determine the cause of the nonconformity. Often an organization will only make a correction to handle the immediate problem (e.g. relabeling a lot of mislabeled finished devices). Determining the cause of the lot of mislabeled finished devices is more difficult and may be overlooked. Where possible, the organization should identify the underlying cause or causes of the nonconformity so that appropriate corrective action can be taken.
When selecting records of investigations to review, be mindful of the risk of the nonconformity to the product or process. Select records of investigations where the nonconformity has a higher risk of adversely affecting the ability of the finished device to meet its essential design outputs or the nonconformity affects the safety and efficacy of the product.
Clause and regulation: [ISO 13485:2016: 8.5.3; TG(MD)R Sch3 P1 1.4(3)(a),(b), (5)(b)(iii),(f),TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 7.1.1.1; MHLW MO169: 64; 21 CFR
820.100(a)(2)]
Additional country-specific requirements: None
Assessing conformity:
The depth of the organization’s investigation into potential process, product, or other quality system nonconformities should be commensurate with the risk of the nonconformity if it were to occur. The process for determining the extent of an investigation may be linked to the organization’s risk management system and outputs essential to the proper functioning of the device.
When selecting records of investigations to review, be mindful of the risk of the potential nonconformity to the product or process. Select records of investigations where the potential
nonconformity has a higher risk of adversely affecting the ability of the finished device to meet its essential design outputs or the potential nonconformity could affect the safety and efficacy of the product.
Clause and regulation: [ISO 13485:2016: 8.2.1, 8.2.5, 8.3.1,8.5.2, 8.5.3; TG(MD)R Sch1 P1 2, TG(MD)R Sch3 P1
1.4(3)(a),(b), (5)(b)(iii), (f);; RDC ANVISA 16/2013: 2.4, 6.5, 7.1.1.3, 7.1.1.4, 7.1.1.5; MHLW MO169: 55, 57, 60, 63,
64; 21 CFR 820.100(a)(3), 820.100 (a)(4),820.100(a)(6), 820.100(b)]
Additional country-specific requirements: None
Assessing conformity:
Corrective actions taken by an organization can vary depending on the situation. Corrective actions are intended to correct and also prevent recurrence of not only nonconforming product but also poor practices, such as inadequate training.
In developing corrective action addressing nonconforming product, the organization should consider corrections to be taken regarding the affected products, whether distributed or not. Corrections and corrective actions must be commensurate with the risk associated with the nonconformity.
The audit team may encounter situations where a quality problem has been identified, but the organization’s management has decided not to undertake corrective actions. Confirm that the organization’s decision not to take corrective action has been made using appropriate risk-based decision making, including a determination that the finished device meets risk acceptability criteria.
During the audit of the Measurement, Analysis and Improvement process, review the mechanisms by which the organization assessed effectiveness of the corrective and preventive actions.
Compare the records of significant and/or higher risk corrective actions and preventive actions to the organization’s product and quality data analyses, such as trend results. Look for product or quality problems or trends that continued or began after the actions were implemented. This may indicate that the corrective actions or preventive actions were not effective.
Review how the organization has determined that the actions do not adversely affect the finished device(s).
Link: Medical Device Adverse Events and Advisory Notices Reporting
Determine whether any of the organization’s corrective actions require reporting to participating MDSAP authorities.
Clause and regulation: [ISO 13485:2016: 7.1, 7.3.9; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4, 4.1.10; MHLW
MO169: 26, 36; 21 CFR 820.30(i), 820.30(g)]
Additional country-specific requirements: None
Assessing conformity:
Completing this audit task may involve linkages to other subsystems. Verification and validation are important elements in assuring that corrective actions and preventive actions that result in design changes are effective and do not introduce new hazards.
Link: Design and Development
If the corrective action or preventive action involves changing the design, design controls should be applied to the change where applicable. When necessary, confirm that design controls were applied to the change according to the organization’s procedures. In addition, design changes should be evaluated under the organization’s risk management process to ensure that changes do not introduce new hazards.
Clause and regulation: [ISO 13485:2016: 4.1.2, 4.1.4, 4.1.6, 4.2.1, 7.1, 7.5.2, 7.5.6, 7.5.7; TG(MD)R Sch1 P1 2; Sch3
P1 1.5(4); RDC ANVISA 16/2013: 2.4, 5.6, 7.1.1.4; MHLW MO169: 5, 6, 26, 45, 46; 21 CFR 820.100(a)(4), 820.100(a)(5), 820.70(b), 820.75(c)]
Additional country-specific requirements: Australia (TGA):
Confirm that when a manufacturer plans to make a substantial change to a critical process (e.g. sterilization, processing materials of animal origin, processing materials of microbial or recombinant origin, or processes that incorporate a medicinal substance in a medical device), the manufacturer notifies the auditing organization who will determine if an assessment of the change is required before implementation [TG(MD)R Sch3 P1 1.5(2)].
Canada (HC):
Verify that the manufacturer has a process or procedure for identifying a “significant change” to a class III or IV device. Verify that information about “significant changes” is submitted in a medical device license amendment application [CMDR 1, 34].
Japan (MHLW):
Confirm that when the Registered Manufacturing Site plans to make a significant change to a manufacturing processes (e.g. sterilization site change, manufacturing site change), the Registered Manufacturing Site notifies the Marketing Authorization Holder so as the Marketing Authorization Holder can take appropriate regulatory actions [MHLW MO169: 29].
Assessing conformity:
Completing this audit task may involve linkages to other quality management system processes. Production processes require at least some degree of qualification, verification, or validation. If the change involves a validated process, review the organization’s evaluation of the process change to determine if revalidation is needed.
For changes to production processes that are performed by suppliers, the audit team should consider selecting those suppliers for evaluation during audit of the Purchasing process. In cases where the organization makes a change to a validated process performed by a supplier, the audit team should evaluate whether re-validation is required. If re-validation of production processes is required, confirm the results show the process meets the planned result.
Links: Production and Service Controls, Purchasing
If the corrective action or preventive action involves changing a production process, the audit team should consider selecting this change for evaluation during audit of Production and Service Controls.
Clause and regulation: [ISO 13485:2016: 8.3.1, 8.3.2; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 6.5, 7.1.1.6; MHLW MO169: 60; 21CFR 820.90(a)]
Additional country-specific requirements: None
Assessing conformity:
The audit team should review procedures and controls for preventing the unintended distribution of nonconforming product. The auditor(s) may choose to select a sample of records involving nonconforming product that was in stock or returned to review how the procedures and controls were applied to control the nonconforming product.
Confirm the organization has established and maintained procedures that define the responsibility for review and the authority for the disposition of nonconforming product, as well as the execution of the review and disposition process. Disposition of nonconforming product must be documented.
The audit team may encounter situations where the organization’s management has decided to authorize the use of nonconforming product under concession. Documentation must include the justification for use of nonconforming product and the signature of the individual(s) authorizing the use. Confirm that the organization’s decision to use nonconforming product under concession
has been made using appropriate risk-based decision making, including a determination that the finished device meets specified requirements. Be mindful of instances where the use of nonconforming product under concession has led to devices not meeting specifications.
When selecting records of nonconforming products to review, be mindful of the risk of the nonconformity to the finished device and the patient or user. Select records of nonconforming products to review where the nonconformity has a higher risk of adversely affecting the ability of the finished device to meet its essential design outputs or the nonconformity affects the safety and efficacy of the product.
Clause and regulation: [ISO 13485:2016: 8.3.3, 8.5.2; TG(MD)R Sch1 P1 2, TG(MD)R Sch3 P1 1.4(3)(a),(b), (5)(b)(iii), (f); RDC ANVISA 16/2013: 2.4, 7.1.1.8; MHLW MO169: 60, 63; 21 CFR 820.100(a)]
Additional country-specific requirements: None
Assessing conformity:
During this audit task, confirm that the organization has determined the control and actions to be taken on nonconforming products detected after delivery or use, commensurate with the risk associated with a product failure.
While it may not be necessary for the organization to recall nonconforming product from distribution as part of its identified actions needed to correct and prevent recurrence of the problem, confirm that the decision is made using an adequate risk justification.
Link: Medical Device Adverse Events and Advisory Notices Reporting
If the organization has taken field action on products already distributed, confirm that the appropriate MDSAP regulatory authorities have been notified, as necessary.
Clause and Regulation: [ISO 13485:2016: 6.2, 8.2.4; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 7.3; MHLW MO169: 22, 23, 56; 21 CFR 820.22, 820.100]
Additional country-specific requirements: None
Assessing conformity:
Internal audits are systematic, independent examinations of an organization’s quality management system that are performed at defined intervals and at sufficient frequency to determine whether both quality management system activities and the results of such activities comply with quality management system procedures. Internal audits should also determine whether these procedures are implemented effectively and whether they are suitable to achieve quality management system objectives.
Internal audits are to be conducted according to established procedures by appropriately trained individuals not having direct responsibility for the matters being audited. If possible, interview auditors and ask how audits are conducted, how long audits typically last, what documents are typically reviewed, etc.
Internal audit procedures typically include requirements for auditor qualifications, requirements for the frequency of audits, specified functional areas to be audited, and audit plans (or
the requirement to establish audit plans prior to the audit). Procedures should also include requirements for how audit activities and results are to be communicated, addressed, and followed up (including re-audit, if necessary) and for how audit activities are to be documented.
Management having responsibility for the matters audited must review the report of the quality audit. The dates and results of all quality audits (and subsequent re-audits, if necessary) must be documented, as well as any corrective or preventive actions resulting from the internal audits.
Link: Management
During the audit of the Management process, the audit team should confirm that the output of internal audits is an input to management review.
Clause and regulation: [ISO 13485:2016: 5.6.2; TG(MD)R Sch3 P1 1.4(5)(b)(iii); RDC ANVISA 16/2013: 2.2.6, 7.1.1.7; MHLW MO169: 19; 21 CFR 820.100 (a)(7)]
Additional country-specific requirements: None
Assessing conformity:
During the performance of this audit task, the auditor(s) may choose to select a recent, significant corrective or preventive action and determine which records or information regarding the event was submitted for management review.
Link: Management
During the audit of the Management process, the audit team should have confirmed that the status of corrective and preventive actions is an input to the management review. During the audit of the Measurement, Analysis and Improvement process, determine that top management is aware of higher-risk quality problems, as well as significant corrective and preventive actions, when necessary.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.2.3, 7.5.4 (a), 8.2.1, 8.2.2; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(3),
1.4(5)(b)(iii) &1.4(5)(f); RDC ANVISA 16/2013: 7.2; CMDR 57-58; MHLW MO169: 6, 29, 43, 55, 62.6; 21 CFR 820.198]
Additional country-specific requirements: Australia (TGA):
Verify that the organization has procedures for a post-marketing system that includes a systematic review of post-production experience (e.g. from; expert user groups, customer surveys, customer complaints and warranty claims, service and repair information, literature reviews, post-production clinical trials, user feedback other than complaints, device tracking and registration schemes, user reactions during training, adverse event reports). Investigation should take place in a timely manner to ensure that reporting timeframes for adverse events or the implementation of advisory notices (recalls) may be met by the Australian Sponsor [TG(MD)R Sch3 P1 1.4(3)(a)].
Note: In Australia the conduct of a recall is the responsibility of the Australian Sponsor in accordance with the Australian Uniform Recall Procedure for Therapeutic Goods.
Brazil (ANVISA):
Verify that each manufacturer has established and maintains procedures to receive, examine, evaluate, investigate and document complaints. Such procedures must ensure that:
Complaints are received, documented, analyzed, evaluated, investigated and documented by a formally designated unit;
Where applicable, complaints must be reported to the competent health authority;
Complaints must be examined to determine whether an investigation is necessary. When an investigation is not done, the unit must maintain a record that includes the reason that the investigation was not performed and the name of the responsible for that decision;
Each manufacturer must examine, evaluate and investigate all complaints involving possible nonconformities of the product. Any claim for death, injury or threat to public health must be immediately reviewed, evaluated and investigated.
The records of the investigation must include: Product name;
Date of receipt of the complaint;
Any control number used;
Name, address and telephone number of the complainant; Nature of complaint;
Data and research results including actions taken [RDC ANVISA 16/2013: 7.2].
Canada (HC):
Verify that the manufacturer maintains records of reported problems related to the performance characteristics or safety of a device, including any consumer complaints received by the manufacturer after the device was first sold in Canada, and all actions taken by the manufacturer in response to the problems referred to in the complaints [CMDR Section 57].
Verify that the manufacturer has established and implemented documented procedures that will enable it to carry out an effective and timely investigation of the problems reports through the customer complaints, and to carry out an effective and timely recall of the device [CMDR Section 58].
Japan (MHLW/PMDA)
Confirm that the person operating the Registered Manufacturing Site has determined and implemented effective arrangement for communicating with the Japanese Marketing Authorization Holder in relation to customer feedback, including customer complaints, and advisory notices [No.169: 29].
United States (FDA):
Verify procedures have been defined, documented, and implemented for receiving, reviewing, and evaluating complaints by a formally designated unit. Procedures must ensure that:
All complaints are processed in a uniform and timely manner
Oral complaints are documented upon receipt
Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA
Each manufacturer must review and evaluate all complaints to determine whether an investigation is necessary. When no investigation is made, the manufacturer must maintain a record that includes the reason no investigation was made and the name of the individual responsible for the decision not to investigate.
Any complaint of the failure of the device, labeling, or packaging to meet any of its specifications must be reviewed, evaluated, and investigated, unless such investigation has already been made for a similar complaint and another investigation is not necessary.
Any complaint that represents an event which must be reported to FDA must be promptly reviewed, evaluated, and investigated by a designated individual(s) and must be maintained in a separate portion of the complaint files or otherwise clearly identified. Records of investigation must include a determination of:
Whether the device failed to meet specifications
Whether the device was being used for treatment or diagnosis
The relationship, if any, of the device to the reported incident or adverse event
When an investigation is made, a record of the investigation must be maintained by the formally designated unit. The record of investigation must include:
The name of the device
The date the complaint was received
Any uniqueidentifier(UDI),orUniversalProductCode(UPC)oranyotherdevice identification(s) and control number(s) used
The name, address, and telephone number of the complainant
The nature and details of the complaint
The dates and results of investigation
Any corrective action taken
When the manufacturer’s formally designated unit is located at a site separate from the manufacturing establishment, the investigated complaint(s) and the record(s) of investigation must be reasonably accessible to the manufacturing establishment [21 CFR 820.198].
Assessing conformity:
During the review of quality data sources that serve as inputs to the Measurement, Analysis and Improvement process, the audit team may choose to review complaints and customer feedback. Confirm that complaints are handled as required by the MDSAP participating regulatory authorities. Complaints can be an important source of information regarding quality problems and are often indicative that distributed devices (or their packaging or labeling) did not meet specified requirements.
One method to analyze complaints and customer feedback is to review the analysis of complaint data and select one or more complaint failure modes, preferably failure modes associated with higher risk to the patient or user. Once the audit team has selected complaint failure modes, the auditor(s) can select a sample of complaints from those failure modes and confirm the complaints are handled appropriately, including investigation and implementation of corrective action when necessary.
Information from post-production sources, including complaints and customer feedback, can provide important information for the risk management activities for the device. In particular, previously unidentified risks discovered during the post-production monitoring may indicate a need for improving the risk management process or may indicate a need for design changes. Additionally, on the basis of post-production quality data, the organization may choose to enact new or more stringent controls to maintain an acceptable level of product risk.
Link: Medical Device Adverse Events and Advisory Notices Reporting
During the review of complaints and feedback, confirm that individual medical device reports were made to the appropriate regulatory authorities when necessary.
Clause and regulation: [ISO 13485:2016: 4.1.5, 7.4.1, 8.3.1; RDC ANVISA 16/2013: 7.1.1.6; MHLW MO169: 5, 37, 60; 21 CFR 820.100(a)(6)]
Additional country-specific requirements: None
Assessing conformity:
Confirm that information related to quality problems or nonconforming product, including complaints, is disseminated to those directly responsible for assuring the quality of product. This includes instances where investigation reveals the underlying cause of the complaint or nonconforming product to be related to supplied product. The organization should notify the
supplier of the quality problem and appropriate corrective action must be taken when necessary. Failure of an outside organization to provide products that meet specified requirements may disqualify them as an acceptable or approved supplier.
During the audit of the Measurement, Analysis and Improvement process, if significant nonconformities are related to supplied product, the audit team should consider selecting those suppliers for evaluation during the audit of the organization’s Purchasing process.
Clause and regulation: [ISO 13485:2016: 4.2.1,7.2.3, 8.2.3; TG(MD)R Sch3 P1 1.4(3)(c); RDC ANVISA 16/2013: 7.1.1.8, RDC ANVISA 67/2009; CMDR 59-61.1; MHLW MO169: 6, 29, 62; 21 CFR 803]
Additional country-specific requirements: Refer to MDSAP process Medical Device Adverse Events and Advisory Notices Reporting
Assessing conformity:
An output of the activities associated with the Measurement, Analysis and Improvement process, such as complaint handling, may be the reporting of individual adverse events to regulatory authorities in which the device is marketed. When applicable, select complaint records that meet criteria for reporting and confirm the appropriate reports and information was provided to the regulatory authority. Ensure the individual adverse event reports contain accurate information by comparing the submitted reports to the associated complaint and complaint investigation.
Reportable events are often an important Measurement, Analysis and Improvement process quality data source since these events are indicative that the finished device has caused death, serious injury, or has malfunctioned in a manner such that if the malfunction were to recur, the result could be death or serious injury. Any death, even if the organization attributes it to user error, is considered to have potentially high risk associated with it. Confirm that reportable events were evaluated for corrective action when necessary.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.2.3, 8.3.3; TG(MD)R Sch3 P1 1.4(3)(c); RDC ANVISA 16/2013: 7.1.1.8, RDC ANVISA 23/2012; CMDR 63-65.1; MHLW MO169: 6, 29, 60; 21 CFR 806]
Additional country-specific requirements: Refer to MDSAP process Medical Device Adverse Events and Advisory Notices Reporting
Assessing conformity:
An output of the activities associated with the Measurement, Analysis and Improvement process, including complaint handling and the discovery of nonconforming product that has been distributed, may be the reporting of advisory notices to regulatory authorities in which the device is marketed. When applicable, select advisory notices that meet criteria for reporting and confirm that the appropriate reports and information were provided to the regulatory authority.
The quality problems that led to an advisory notice is often an important quality data source for the corrective actions process since these events are indicative that the finished device does not meet specified requirements and has the potential for unreasonable risk to the user. Confirm that quality problems that resulted in advisory notices were evaluated for corrective action. If corrective action was taken, evaluate the mechanism by which the organization assured the action is effective and does not adversely affect the ability of the device to meet specified
requirements. If corrective action was not taken for quality problems associated with a correction, removal, or advisory notice, review the organization’s rationale for not undertaking corrective action and confirm that the decision is appropriate using a risk-based decision making process.
The audit team may encounter instances where the organization has performed activities involving issuance of advisory notices without notifying regulatory authorities in the markets in which the device is marketed. In these situations, review the organization’s rationale for not reporting
these actions and ensure that the rationale is appropriate. Verify that records of the action are maintained.
Clause and regulation: [ISO 13485:2016: 4.1.3, 5.2, 8.1, 8.5.1; RDC ANVISA 16/2013: 2.2.1; MHLW MO169: 5, 11,
54, 62]
Process: Medical Device Adverse Events and Advisory Notices Reporting
The Medical Device Adverse Events and Advisory Notices Reporting process may be audited as a linkage from the Measurement, Analysis and Improvement process.
Defined processes to ensure individual device-related adverse events are reported to regulatory authorities as required
Ensured that advisory notices are reported to regulatory authorities and authorized representatives when necessary
Maintained appropriate records of individual device-related adverse events and advisory notices
Links to Other Processes: Measurement, Analysis and Improvement
meet the timeframes required by each regulatory authority where the product is marketed. Clause and regulation: [ISO 13485:2016: 4.2.1, 7.2.3, 8.2.2, 8.2.3; see the country-specific requirements below] Country-specific requirements:
Australia (TGA):
Manufacturers are required to implement a post-marketing system that includes provisions for adverse event reporting – e.g. Therapeutic Goods (Medical Devices) Regulations 2002 Schedule 3 Part 1 Clause 1.4(3)(c)(i). In view of the written agreement between Manufacturers and the Australian Sponsor [TG Act 41FD], events must be reported by the manufacturer to the TGA, or to the Sponsor in a timely manner to ensure that a Sponsor can meet their reporting obligations under the Therapeutic Goods (Medical Devices) Regulation 5.7:
Verify that the manufacturer or other person becoming aware of an event that represents a serious threat to public health provides information as soon as practicable. The Sponsor is to report the event within 48 hours.
Verify that the manufacturer or other person becoming aware of an event that led to the death or serious deterioration in the state of health of a patient, a user, or other person provides information as soon as practicable. The Sponsor is to report the event within 10 days.
Verify that the manufacturer or other person becoming aware of an event that the recurrence of which might lead to the death or serious deterioration in the state of health of a patient, a user, or other person provides information as soon as practicable. The Sponsor is to report the event within 30 days.
Note: An event that leads to a serious threat to human health is a hazard arising from a systematic failure of the devices or an event or other occurrence that may lead to death or serious injury.
Note: Adverse events may be reported on-line to the TGA, by the Manufacturer or Sponsor, at https://www.tga.gov.au/reporting-problems.
Note: It is a condition on Australian Sponsors of Class AIMD, Class III and Implantable Class IIb devices that they provide three consecutive annual reports to the TGA following inclusion of the device in the ARTG. Annual reports are due 1 October each year. Reports should be for the period 1 July to 30 June. The report is to include:
• | ARTG no. |
• | Product name |
• | Model no(s) |
• | Number supplied in Australia |
• | Number supplied worldwide (Numbers should include devices that are the same but supplied under a different name in another jurisdiction) |
• | Number of complaints in Australia |
• | Number of complaints worldwide |
• | Number of adverse events and incident rates in Australia (Rate= No. of events/ No. Supplied x 100 = Rate%) |
• | Number of adverse events and incident rates world wide |
• | A list of the more common complaints and all of the adverse events |
• | Device Incident Report (DIR) number of those adverse events reported to the TGA |
• | Regulatory/corrective action/notification by manufacturer |
Note: Australian Sponsors are required to provide manufacturers with any information that will assist the manufacturer to comply with the obligations of a conformity assessment procedure (e.g. information in relation to adverse events) [TG(MD)R Reg 5.8].
Brazil (ANVISA):
Verify that a post-market surveillance system is established and implemented in the organization and integrated into the Quality System, with procedures and work flows established to ensure the correct and the prompt identification of adverse events, the performance of investigations and use of the results to improve the safety and effectiveness of the device when necessary [RDC ANVISA 67/2009 – Art. 6º].
For domestic manufacturers (also applies to legal representatives in Brazil) - verify that top management has designated a professional to be responsible for the post-market surveillance system. This designation shall be documented [RDC ANVISA 67/2009 – Art. 5º].
Verify that the organization has mechanisms for processing and recording complaints, conducting investigations, and providing feedback directly to the complainant, or in the case of an international manufacturer, to their legal representative in Brazil, as necessary [RDC ANVISA 67/2009 – Art. 6º, Art. 7º, Art. 9º].
Verify that the organization has notified the regulatory authority about problems associated with their devices, including adverse events (critical or non-critical), any technical defect that was identified regarding products already marketed, anything that can cause a serious hazard to public health, or cases of counterfeit [RDC ANVISA 67/2009 – Art. 8º].
For international manufacturer, verify that the legal representative in Brazil is aware about the occurrence of possibility of death, serious hazard to public health or cases of counterfeit, associated with their products exported to Brazil [RDC ANVISA 67/2009 – Art. 8º].
Canada (HC):
Medical Device Regulations SOR/98-282, Section 59-61.1:
Verify that the manufacturer and the importer of a medical device make a preliminary and final report to the minister concerning any incident occurring inside or outside Canada involving a device sold in Canada.
Related to the failure of the device or deterioration in its effectiveness or any inadequacy in its labeling or in its directions for use.
Has led to death or serious deterioration in the state of health of a patient, user, or other person, or could do so if it were to occur [CMDR 59].
Verify that the manufacturer or other person becoming aware of an event that led to the death or serious deterioration in the state of health of a patient, a user, or other person provides information in a preliminary report within 10 days after the person becomes aware of the event or occurrence [CMDR 60 (1) (a) (i)].
Verify that the manufacturer or other person becoming aware of an event that the recurrence of which might lead to the death or serious deterioration in the state of health of a patient, a user, or other person provides information in a preliminary report within 30 days after the person becomes aware of the event or occurrence [CMDR 60 (1) (a) (ii)].
Verify that manufacturer has made effective arrangements to submit preliminary reports to the Minister and that the reports contain [CMDR 60 (2)]:
the identifier of any medical device that is part of a system, test kit, medical device group, medical device family or medical device group family;
if the report is made by
the manufacturer: the name and address of that manufacturer and of any known importer, and the name, title and telephone and facsimile numbers of a representative of the manufacturer to contact for any information concerning the incident, or
the importer of the device: the name and address of the importer and of the manufacturer, and the name, title and telephone and facsimile numbers of a representative of the importer to contact for any information concerning the incident;
the date on which the incident came to the attention of the manufacturer or importer;
the details known in respect of the incident, including the date on which the incident occurred and the consequences for the patient, user or other person;
the name, address and telephone number, if known, of the person who reported the incident to the manufacturer or importer;
the identity of any other medical devices or accessories involved in the incident, if known;
the manufacturer’s or importer’s preliminary comments with respect to the incident;
the course of action, including an investigation, that the manufacturer or importer proposes to
follow in respect of the incident and a timetable for carrying out any proposed action and for submitting a final report; and
a statement indicating whether a previous report has been made to the Minister with respect to the device and, if so, the date of the report.
If a preliminary report required by section 60 is submitted to the Minister and/or Importer, verify that the manufacturer has submitted a final report to the Minister in writing in accordance with the timetable established under CMDR 60(2)(h) and the final report contains [CMDR 61(1)]:
a description of the incident, including the number of persons who have experienced a serious deterioration in the state of their health or who have died;
a detailed explanation of the cause of the incident and a justification for the actions taken in respect of the incident; and
any actions taken as a result of the investigation, which may include: (i) increased post-market surveillance of the device,
corrective and preventive action respecting the design and manufacture of the device, and
recall of the device.
If the reports required by section 60 and 61 are submitted to the Minister just by the Importer, verify that the manufacturer has advised the Minister in writing that the reports the manufacturer and importer would have submitted were identical and that the manufacturer has permitted the importer to prepare and submit reports to the Minister on the manufacturer’s behalf [CMDR 61.1].
Japan (MHLW):
Marketing Authorization Holders are required to implement post market safety activities in accordance with domestic (Japanese) regulatory requirements in addition to the QMS requirements.
The persons operating the Registered Manufacturing Sites are not required to report any adverse event directly to a Regulatory Authority, but shall report any adverse event which meets the criteria specified by the Ordinance for Enforcement of PMD Act Article 228-20.2 to the Marketing Authorization Holder [MHLW MO169: 62.6] .
Verify that the person operating the Registered Manufacturing Site provides events which meets the following criteria defined by the Ordinance for Enforcement of PMD Act Article 228-20.2 (see below), to the Marketing Authorization Holder in a timely manner.
The following malfunction events which may cause or may have caused health damage:
Serious event (domestic and foreign)
Unlabeled non-Serious event (domestic)
The following Adverse Reaction events which was caused or might have been caused by the malfunction of a medical device.
Serious event (domestic and foreign)
Unlabeled non-Serious event (domestic)
Any action taken for preventing the occurrence or expansion of public health hazard in relation to a medical device which is marketed in foreign countries and is equivalent to the one marketed in Japan. The action includes but not limited to:
Suspension of manufacturing, importing or selling,
Recall and
Abolishment.
Study report that indicates:
Possibility of event of cancer and other serious illness, injury or death caused by malfunction of a medical device (domestic and foreign), or by infectious disease arising from usage of a device (domestic and foreign),
Significant occurrence rate change of event etc. caused by malfunction of a medical device (domestic and foreign),
Significant occurrence rate change of infectious disease caused by usage of a medical device (domestic and foreign) and
The fact that a medical device is less effective than claimed when approved.
United States (FDA):
21 CFR 803: Medical Device Reporting
Determine whether the manufacturer has developed a process for reporting to FDA incidents involving device-related deaths, serious injuries, and reportable malfunctions that occur within and outside the United States if the same or similar device is marketed to the United States.
Confirm that the manufacturer has developed, maintained, and implemented written medical device reporting (MDR) procedures for the following:
Internal processes that provide for:
Timely and effective identification, communication, and evaluation of events that may be subject to MDR requirements;
A standardized review process or procedure for determining when an event meets the criteria for reporting; and
Timely transmission of complete medical device reports to FDA
Documentation and recordkeeping requirements for:
Information that was evaluated to determine if an event was reportable;
All medical device reports and information submitted to FDA
Processes that ensure access to information that facilitates timely follow-up and audit.
Verify that any reports are made within 30 calendar days after the day that the manufacturer receives or otherwise becomes aware of information, from any source, that reasonably suggests that a device that is marketed:
May have caused or contributed to a death or serious injury; or
Has malfunctioned and this device or a similar device that is marketed would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur. Confirm the manufacturer’s MDR files contain the following:
Information (or references to information) related to the adverse event, including all documentation of deliberations and decision-making processes used to determine if a device-
related death, serious injury, or malfunction was or was not reportable to FDA.
Copies of all MDR forms and other information related to the event submitted to FDA.
If the manufacturer maintains MDR event files as part of the complaint file, ensure that the manufacturer has prominently identified these records as MDR reportable events. FDA will not consider a submitted MDR report to comply with 21 CFR 803 unless the manufacturer evaluates an event in accordance with the quality management system requirements. Confirm that the manufacturer has documented and maintained in the MDR event files an explanation of why the manufacturer did not submit or could not obtain any information required by 21 CFR 803, as well as the results of the evaluation of each event.
Compare the information submitted on the individual medical device report to the information contained in the associated complaint and confirm the medical device report contains all information related to the event that is reasonably known to the manufacturer.
Verify the manufacturer has submitted reports to FDA no later than 5 work days after the day that the manufacturer becomes aware that:
An MDR reportable event necessitates remedial action to prevent an unreasonable risk of substantial harm to the public health. The manufacturer may become aware of the need for remedial action from any information, including any trend analysis; or
FDA has made a written request for the submission of a 5-day report. If the manufacturer receives such a written request from FDA, the manufacturer must submit, without further requests, a 5-day report for all subsequent events of the same nature that involve substantially similar devices for the time period specified in the written request. FDA may extend the time period stated in the original written request if FDA determines it is in the interest of the public health.
Verify the manufacturer submitted supplemental reports within one month of obtaining information that was not submitted in an initial report.
Confirm that medical device reports include the unique device identifier (UDI) that appears on the device label or on the device package.
Medical device reports submitted to FDA must be submitted electronically via the Electronic Submissions Gateway (ESG) using eSubmitter or the AS2 Gateway-to-Gateway using HL7 ICSR XML software.
Link: Measurement, Analysis and Improvement
Reports of individual adverse events are a form of feedback and must be analyzed as appropriate for trends requiring improvement or corrective action. During the audit of the Measurement, Analysis and Improvement process, confirm that the organization has considered individual adverse events and trends of adverse events in the analysis of data.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.2.3, 8.2.3, 8.3.3; see the country-specific requirements below] Country specific requirements:
Australia (TGA):
Manufacturers are required to implement a post-marketing system that includes provisions for the
recovery of devices – e.g. Therapeutic Goods (Medical Devices) Regulations 2002 Schedule 3 Part 1 Clause 1.4(3)(c)(ii). In view of the written agreement between Manufacturers and the Australian Sponsor [TG Act 41FD] proposed recalls must be reported by the manufacturer to the TGA, or to the Sponsor in a timely manner to ensure that a Sponsor can meet their reporting obligations [Therapeutic Goods (Medical Devices) Regulation 5.7, Therapeutic Goods Act Part 4-9 and the Uniform Recall Procedure for Therapeutic Goods (URPTG)].
Note: Further information concerning the Australian requirements for advisory notices and the recovery of devices is available at https://www.tga.gov.au/recalls.
Note: Australian Sponsors are required to provide manufacturers with any information that will assist the manufacturer to comply with the obligations of a conformity assessment procedure (e.g. information in relation to the recovery of devices) [TG(MD)R Reg 5.8].
Brazil (ANVISA):
Verify that procedures and work flows were established in order to identify when field actions (recalls and corrections) are necessary, in accordance with the organization’s post-market surveillance system and quality system [RDC ANVISA 67/2009 - Art. 6º; RDC ANVISA 23/2012 – Art. 1º, Art. 5º].
Verify that the organization keeps records regarding field actions performed, including those that do not need to be reported to regulatory authorities [RDC ANVISA 23/2012 – Art. 4º; Art. 6º, Art. 10, Art. 11, Art. 16].
For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization has sent to the regulatory authority the reports requested, according Brazilian regulation [RDC ANVISA 23/2012– Art. 10, Art. 11].
Verify that the organization has performed field actions based on potential or concrete evidence that their product does not comply with essential requirements of safety and effectiveness [RDC ANVISA 23/2012 – Art. 4º, Art. 6º, Art. 7º, Art. 13, Art. 14, Art. 15].
For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization has performed field actions when required by the regulatory authority [RDC ANVISA 23/2012 – Art. 6º].
For domestic manufacturers (also applies to legal representatives in Brazil) - verify that the organization notified the regulatory authority regarding field actions, in accordance with requirements and deadlines established per Brazilian regulation [RDC ANVISA 23/2012 – Art. 7º, Art. 8º].
For international manufacturers, verify that the legal representative in Brazil was aware about the occurrence of field actions performed on products exported to Brazil [RDC ANVISA 67/2009 – Art. 8º].
Canada (HC):
Medical Device Regulations SOR/98-282, Section 63 – 65.1:
Verify that the manufacturer and the importer of a medical device, on or before undertaking a recall of a device provide the minister with the following information [CMDR 64]:
the name of the device and its identifier, including the identifier of any medical device that is part of a system, test kit, medical device group, medical device family or medical device group family;
the name and address of the manufacturer and importer, and the name and address of the establishment where the device was manufactured, if different from that of the manufacturer;
the reason for the recall, the nature of the defectiveness or possible defectiveness and the date on and circumstances under which the defectiveness or possible defectiveness was discovered;
an evaluation of the risk associated with the defectiveness or possible defectiveness;
the number of affected units of the device that the manufacturer or importer
manufactured in Canada,
imported into Canada, and
sold in Canada;
the period during which the affected units of the device were distributed in Canada by the manufacturer or importer;
the name of each person to whom the affected device was sold by the manufacturer or importer and the number of units of the device sold to each person;
a copy of any communication issued with respect to the recall;
the proposed strategy for conducting the recall, including the date for beginning the recall, information as to how and when the Minister will be informed of the progress of the recall and the proposed date for its completion;
the proposed action to prevent a recurrence of the problem; and
the name, title and telephone number of the representative of the manufacturer or importer to contact for any information concerning the recall.
Verify that as soon as possible after the completion of the recall the manufacturer and the importer reports to the minister the results of the recall and the action taken to prevent a recurrence of the problem [CMDR 65].
If the reports required by section 64 and 65 are submitted to the Minister just by the Importer, verify that the manufacturer has advised the Minister in writing that the reports the manufacturer and importer would have submitted were identical and that the manufacturer has permitted the importer to prepare and submit reports to the Minister on the manufacturer’s behalf [CMDR 65.1].
Japan (MHLW):
Marketing Authorization Holders are required to report advisory notices to Regulatory Authorities [PMD Act 68- 11].
Confirm that the person operating the Registered Manufacturing Site has determined and implemented effective arrangement for communicating with the Marketing Authorization Holder in relation to advisory notices [MHLW MO169: 29].
Note: Persons operating Registered Manufacturing Sites are not required to report any advisory notice directly to regulatory authority, but shall communicate with the Marketing Authorization Holder, so they can take necessary regulatory actions.
United States (FDA):
21 CFR 806: Medical Devices; Reports of Corrections and Removals
Verify that the manufacturer has a process in place to notify FDA in the event of actions concerning device corrections and removals and to maintain records of those corrections and removals.
Verify that the written report to FDA of any correction or removal initiated to reduce a risk to health or remedy a violation of the U.S. Food, Drug and Cosmetic Act is reported within 10 working days of initiating the correction or removal. Confirm that the report contains the unique device identifier (UDI) that appears on the device label or on the device package, or the device identifier, universal product code (UPC), model, catalog, or code number of the device and the manufacturing lot or serial number of the device or other identification number.
Confirm that the manufacturer maintains records of any correction and removal not required to be reported to FDA (e.g. corrections and removals conducted to correct a minor violation of the U.S. Food, Drug and Cosmetic Act or no risk to health). Confirm that records of corrections and removals not required to be reported contain the unique device identifier (UDI) that appears on the device label or on the device
package, or the device identifier, universal product code (UPC), model, catalog, or code number of the device and the manufacturing lot or serial number of the device or other identification number.
Link: Measurement, Analysis and Improvement
Corrections and removals are indicative that the product or process does not meet specified requirements or planned results and the nonconformity was not detected prior to distribution. When specified requirements or planned results are not achieved, correction and corrective action must be taken as necessary. During the audit of the Measurement, Analysis and Improvement process, confirm the organization has taken appropriate correction regarding devices already distributed, and taken appropriate corrective action to prevent recurrence of the condition(s) that caused the nonconformity.
Process: Design and Development
The purpose of the Design and Development process is to control the design process and to assure that devices meet user needs, intended uses, and specified requirements. Attention to design and development planning, identifying design inputs, developing design outputs, verifying that design outputs meet design inputs, validating the design, controlling design changes, reviewing design results, transferring the design to production, and compiling the appropriate records will help an organization assure that resulting designs will meet user needs, intended uses, and requirements.
The management representative is responsible for ensuring that the requirements of the quality management system have been effectively defined, documented, implemented, and maintained. Prior to the audit of any process, interview the management representative (or designee) to obtain an overview of the process and a feel for management’s knowledge and understanding of the process.
Audit of the Design and Development process will follow audit of the Measurement, Analysis and Improvement process per the MDSAP audit sequence. Information regarding product or quality system nonconformities noted during audit of the Measurement, Analysis and Improvement process should be considered when making decisions as to the design and development projects, including design changes resulting from corrective actions, to be reviewed during the audit of the Design
and Development process. Review of the Design and Development process will also provide an opportunity to evaluate how the organization has utilized risk management activities to ensure design inputs are comprehensive and meet user needs, to confirm that risk control measures that were planned have been implemented in the design, and to verify that risk control measures are effective in controlling or reducing risk. Additionally, review of design and development activities will assist
the audit team during the audit of the organization’s Purchasing process because the auditor(s) has an opportunity to select suppliers for review whose activities are associated with higher risk to the product or whose activities are critical to the essential design outputs. The review of design and development activities also provides information to assist the audit team in performing a final evaluation of the Management process at the conclusion of the audit.
Auditing the Design and Development Process
Defined, documented and implemented procedures to ensure medical devices are designed according to specified requirements
Effectively planned the design and development of a device
Established mechanisms, including systematic review, for addressing incomplete, ambiguous or conflicting requirements
Determined the internally or externally imposed requirements for safety, function, and performance for the intended use, including regulatory requirements, risk management, and human factors requirements
Verified that design outputs satisfy design input requirements
Identified and mitigated, to the extent practical, the risks associated with the device, including the device software
Ensured that changes to the device design are controlled, the risks associated with the design change are identified and mitigated, to the extent practical, and that the device will continue to perform as intended
Performed design validation to ensure devices conform to user needs and intended use
Confirmed that the design is correctly translated into production methods and procedures
Links to Other Processes: Purchasing; Production and Service Controls; Measurement, Analysis and Improvement; Device Marketing Authorization and Facility Registration
Clause and regulation: [ISO 13485:2016: 4.1.1, 4.2.1, 7.1, 7.3.10; TG(MD)R Regs Division 3.2; MHLW MO169:5, 6, 26; 21 CFR 820.30(a)]
Additional country-specific requirements: Australia (TGA):
When amanufacturer applies TG(MD)RRegs Division 3.2 and selects the Full Quality Assurance conformity assessment procedures [TG(MR)RSchedule 3, Part1], procedures for design and development mustbeavailable.
Inaddition, for all classesof devices, the guidance provided for theaudit of technical documentation in Annex 1 is to be followed to ensure the availability of objective evidence that demonstrates compliance with the Essential Principles of Safety and Performance.
Brazil (ANVISA):
According to Brazilian legislations, there is no exception to design control.
If design activities are outsourced, verify that the manufacturer has a complete device master record for the device and records of the design transfer to production [RDC ANVISA 16/2013: 4.1.7, 4.2].
Canada (HC):
With respect to Class II devices that are not subject to Design and Development controls, verify that the manufacturer has objective evidence to establish that Class II devices meet the safety and effectiveness requirements of section 10 to 20 [CMDR 9, 10 to 20].
Japan (MHLW):
Class 1 devices are not required to comply with the requirements of MHLW MO169:30-36, which are equivalent to the requirement of design and development in ISO13485 [MHLW MO169:4.1].
Assessing conformity:
The audit team may encounter situations where the organization has not completed any design projects, has no ongoing or planned design projects, and has not made any design changes (i.e., there has been no design activity). At the minimum, verify that the organization maintains a defined and documented design change procedure. An organization may also have defined and documented other design control procedures. For that type of organization — an organization with no design activity, including no design changes — assess the procedures the organization has in place. The audit team can then proceed to the audit of the next process.
In cases where design activities (development and changes) are completely outsourced by the organization, the audit team must verify (at a minimum) that the controls and records
related to the design transfer to production have been determined and that the production line, implemented in the manufacturer site, meets the production requirements established during the design and development of the device. In these cases, the manufacturer shall ensure that the contracted organization complies with the requirements of design and development, established by Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016), the Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), Japanese QMS Ordinance (MHLW MO 169), the Quality System Regulation (21 CFR Part 820), and any other specific requirements of medical device regulatory authorities participating in the MDSAP program.
Link: Purchasing
If the organization outsources design and development activities, or any portion of the design and development, confirm that the organization treats the outsourced organization as a supplier, has appropriately qualified and maintains control over the supplier, communicates requirements to the supplier, including regulatory requirements, and has arrangements to verify that the design and development activities satisfy those requirements.
Priority criteria for selection:
complaints or known problems with a particular device
recent design changes, particularly design changes made to correct quality problems
associated with the device design
age of design (prefer most recent)
designs that have not been recently audited
Link: Measurement, Analysis and Improvement
At this point in the audit, the audit team will have already reviewed the Measurement, Analysis and Improvement process. If the auditors noted corrective actions that resulted in design changes,
or noted product nonconformities that have been attributed to the design of the device, the audit team should consider selecting those designs for review. The audit team should be particularly mindful of how the identified quality problems from the Measurement, Analysis and Improvement process are related to specific aspects of the design and development of the device. For example, if the auditors review complaints related to a safety feature of the device that is not performing as intended, the audit team should consider selecting for review the design verification of that safety feature and determine whether appropriate risk control methods were confirmed to be effective.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.1, 7.3.2; TG(MD)R Sch3 P1 Cl 1.4(4)&(5)(c); RDC ANVISA 16/2013: 4.1.2, 4.1.11; MHLW MO169: 6, 26, 30; 21 CFR 820.30(b), 820.30(j)]
Additional country-specific requirements: Australia (TGA):
Verify that effective planning for design and development is documented, typically as part of a Quality Plan [TG(MD)R Sch3 P1 Cl 1.4(4)].
Canada (HC):
Verify that manufacturers of Class IV devices maintain a quality plan that sets out the specific quality practices, resources, and sequence of activities relevant to the device [CMDR 32].
Assessing conformity:
Review the design plan for the selected project to understand the layout of the design and development activities, including assigned responsibilities and interfaces.
The design plan for the selected project can be used by the audit team as a roadmap for the review of the project. Plans may vary depending on the type or size of the project. Some design plans may be expressed as simple flowcharts, or for larger projects, Gantt or Program Evaluation Review Technique (PERT) charts may be used. Plans do not have to show starting or completion dates for activities covered. However, plans must define responsibility for
implementation of the design and development activities and describe the interfaces with different groups or activities. Expect to see interfacing between research and development, marketing, regulatory, manufacturing, and quality departments. The audit team might also see interfacing with purchasing, installers, and servicers. When external institutions (e.g. universities or research and development centers) are involved in the design and development activities, the interfaces between the organization and those external institutions must also be defined.
Design and development plans may change while the design and development process evolves; however, all changes on the plan must be documented and approved.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.3.1, 7.3.10; TG(MD)R Sch3 P1 Cl 1.4(4)&(5)(c); RDC ANVISA 16/2013: 4.1.1; MHLW MO169: 6, 30; 21 CFR 820.30(a), 820.30(j)]
Additional country-specific requirements: United States (FDA):
Verify that the design input procedures contain a mechanism for addressing incomplete, ambiguous, or conflicting requirements [21 CFR 820.30(c)].
Assessing conformity:
Design and development procedures set the structure, provide the framework, and support the organization’s Design and Development process. The purpose of auditing the procedures is to determine if the organization has that framework in place. If procedures have not been defined and documented, or are deficient, the organization’s devices may not meet user needs and intended use.
In accomplishing this audit task, the audit team is to review the organization’s procedures and verify that the procedures address the requirements of the Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016), the Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), Japanese QMS Ordinance (MHLW MO 169), the Quality System Regulation (21 CFR Part 820), and specific requirements of medical device regulatory authorities participating in the MDSAP program. For example, verify that the design input procedure includes a mechanism for addressing incomplete, ambiguous, or conflicting requirements. Verify that the output procedure ensures that essential outputs are identified. Verify that the design review procedure ensures that each design review includes an individual who does not have responsibility for the design stage being reviewed.
If the organization has no ongoing or planned design projects, has not made any design changes, then ensure that, at a minimum, the organization maintains defined and documented design change procedures.
Clause and regulation: [ISO 13485:2016: 4.2.1, 5.2, 7.2.1, 7.3.3; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(2)&(5)(c);
RDC ANVISA 16/2013: 2.4, 4.1.3, 4.1.11; CMDR 10-20, 21-23, 66, 67,68; MHLW MO169: 6, 11, 27, 31; 21 CFR820.30(c), 820.30(g)]
Additional country-specific requirements: Australia (TGA):
Verify that the manufacturer has identified the relevant Essential Principles that apply to the medical device [TG(MD)R Sch1 Essential Principles].
United States (FDA):
For the selected device(s), verify that the organization has the appropriate marketing clearance [510(k)] or pre-market approval (PMA) if distributing the devices in the United States [21 CFR 807].
Assessing conformity:
Inputs are the physical and performance requirements of a device that are used as a basis for device design. Inputs must be documented and approved by appropriate personnel. The audit team should review the sources used to develop the inputs and determine that relevant aspects of the requirements for the device were covered. These sources must include the relevant regulations where safety and performance criteria have been defined (e.g. safety and efficacy requirements or Essential Principles of Safety and Performance). Examples of relevant aspects include intended use, performance characteristics, intended user, risk mitigation, biocompatibility, compatibility with the environment of intended use (including electromagnetic compatibility), software, radiation protection, human factors, and sterility. Organizations must take into account the current thinking of experts where published information is available (e.g. Standards).
Design inputs are the basis of the design verification and validation; therefore, design inputs need to be defined and recorded as formal requirements that allow for confirmation to the design outputs.
Relevant information for design input can also come from post-production data or experience from similar devices. Complaints and adverse events form a feedback system that can help drive quality improvements in new designs and changes to current designs.
Link: Device Marketing Authorization and Facility Registration
Confirm the organization has considered regulatory requirements for registration, listing, notification and licensing; and has complied with these requirements prior to marketing the device in the applicable regulatory jurisdictions.
Clause and regulation: [ISO 13485:2016: 7.3.3; TG(MD)R Sch 3 Part 1.4(4), RDC ANVISA 16/2013: 4.1.3; MHLW
MO169: 31; 21 CFR820.30(c)]
Additional country-specific requirements: None
Assessing conformity:
Design inputs must be defined and recorded as verifiable requirements, approved by the appropriate personnel. If the organization does not have accurate and complete design inputs, the final design may not meet user needs and intended use.
A common method for an organization to confirm the design inputs for a design and development project are complete, unambiguous, and not in conflict with each other is to perform a design review after the initial requirements are determined.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.2.3, 7.3.4; TG(MD)R Sch3 P1 Cl 1.4(5)(c); RDC ANVISA 16/2013: 4.1.5, 4.1.4, 4.1.11; MHLW MO169: 6, 32; 21 CFR 820.30(d), 820.30(f)]
Additional country-specific requirements: Australia (TGA):
Confirm that documentation identifies whether relevant state of the art standards have been applied in full
or in part. If standards have not been applied, ensure that the manufacturer has documented a rationale to explain why alternative methods have been applied to demonstrate compliance with the Essential Principles [TG(MD)R Sch3 Part 1.4(5)(c)(iii)(C)].
For devices incorporating a medicinal substance, verify that documentation also identifies the data to be derived from tests conducted in relation to the substance, and its interaction with the device [TG(MD)R Sch 3 Part 1.4(5)(c)(v)].
Assessing conformity:
Design outputs are the work products or deliverables of a design stage. Design outputs
can include documents such as diagrams, drawings, specifications, and procedures. The outputs from one stage may become inputs to the next stage. The total finished design output consists of the specifications for the device, its packaging and labeling, quality management system requirements, the manufacturing process, and if applicable, installation and servicing requirements. During this design stage, a tremendous number of records, or outputs, can be produced. Only the approved outputs need to be retained. However, if an organization chooses to retain other records, for historical or other purposes, they may do so.
Outputs that are essential for the proper functioning of the device must be identified. Typically, an organization can use a risk management tool to determine the essential outputs. To verify that this has been done, the auditor(s) may review the organization’s process for determining how
the essential outputs were identified and if it was done in accordance with their design output procedures. The identification of essential outputs may influence other quality system activities. For example, the establishment of manufacturing process tolerances, the degree of purchasing controls and acceptance activities applied to a supplier or the priority and depth of a failure investigation may be influenced by whether or not the component (assembly, material, etc.) is considered an output essential for the proper functioning of the device.
Design and development of medical devices that are intended to be sterile should ensure compatibility of the sterilization process with the device, compatibility of the device packaging and the sterilization process, ability of the device to be sterilized or re-sterilized, and (if applicable), rationale for adding the device to a product family covered by a validated sterilization process.
In design verification, the organization obtains objective evidence (i.e., data) that design outputs
meet design inputs. An organization generates this objective evidence by conducting verification activities such as tests, measurements, and analyses. These activities should be explicit and thorough in their execution. An organization’s verification activities should be predictive, not empiric. In other words, acceptance criteria need to be stated in advance of the verification activity. The establishment of pre-determined acceptance criteria may be found in a verification protocol or similar document. During the review of design verification activities, the auditor(s)will determine if the design verification data confirms that design outputs met the design input requirements.
Complex designs will require more and different types of verifications than simple designs. Sometimes an organization has to use its own expertise to develop (in-house) a way to verify a particular aspect of a design. Any approach selected by an organization is acceptable as long as it provides reliable objective evidence that the output met the input.
In accomplishing this audit task, select records generated from design verification activities associated with a number of design inputs and design outputs. The review of these records will determine whether design outputs met design input requirements. When possible, select documentation of design verification activities that are associated with outputs that are considered essential for the proper functioning of the device.
Links: Purchasing, Production and Service Controls
During the review of a design project, the audit team should be mindful of production processes and supplied products that are essential to the proper functioning of the device. Production processes can include not only the manufacturing instructions, but also internal controls, such as the type and extent of acceptance activities, equipment calibration and maintenance intervals, environmental controls, and personnel controls. For suppliers that provide products and services related to the essential design outputs, the degree of purchasing controls necessary is commensurate with the effect of the supplied product on the proper functioning of the finished device.
During the audits of the Purchasing process and Production and Service Controls process, the audit team should consider reviewing production processes and supplied products that have the highest risk or greatest effect on the essential design outputs.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.1, 7.3.3, 7.3.4; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(c)(iii); RDC
ANVISA 16/2013: 2.4, 4.1.11, RDC ANVISA 56/2001; CMDR 10, 11, 15, 16; MHLW MO169: 6, 26, 31,32; 21 CFR 820.30(g)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the manufacturer has established and maintains a continuous process of risk management which covers the entire life cycle of the product. Possible hazards must be identified in both normal and fault conditions, including those arising from human factors issues. The risk associated with those hazards, shall be calculated. Risks must be analyzed, evaluated and controlled, as necessary.
Effectiveness of risk controls implemented shall be evaluated [RDC ANVISA 56/2001, RDC ANVISA 16/2013: 2.4].
United States (FDA):
Confirm that the manufacturer has identified the possible hazards associated with the device in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should be calculated in both normal and fault conditions. If any risk is judged to be unacceptable, it should be reduced to acceptable levels by the appropriate means. Ensure changes to the device to eliminate or minimize hazards do not introduce new hazards [21 CFR 820.30(g); preamble comment 83].
Assessing conformity:
Each organization must determine how much risk is acceptable. The actual use of any medical device includes some measure of risk to users or patients. Determining an acceptable level of risk depends on the intended use of the device, including the particular health concern of the patient population, the training of the users involved, and the use environment. For example, pediatric patients may have less ability to detect a device malfunction. A device used by consumers generally has less medical oversight than a device used in a hospital setting. The goal of a risk management program is to ensure the device is as safe as practical and the safety of the device is acceptable for the intended use.
Effective risk management usually starts in conjunction with the design and development process, proceeds through product realization, including the selection of suppliers, and continues until the time the product is decommissioned. Risk management should be initiated at a point early in the design and development process. This includes defining the intended use of the device, considering risk under normal use and reasonably foreseen misuse. Starting the risk management process after the design has progressed beyond a point where reasonable
risk mitigation features can be included in the design can lead to devices that do not meet customer needs and the organization’s requirements for safety. Records of risk management should demonstrate that risks that have been identified as unacceptable have been mitigated to an acceptable level.
There are a number of mechanisms that can be used to mitigate product risk. These risk mitigation mechanisms, in descending order of effectiveness, include safety features inherent in the device design, protective measures in the design (e.g. alarms), and user notifications (e.g. labeled warnings). Review of risk management activities
During the review of the design project selected, verify that risk management is initiated early in the design and development process. Confirm that the organization’s risk management process involves the proactive evaluation, control, and monitoring of product risk, followed by the reactive response to quality data that indicates new or changing product risk.
Clause and regulation: [ISO 13485:2016: 7.1, 7.3.6, 7.3.7; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(c); RDC ANVISA 16/2013: 2.4, 4.1.4, 4.1.8, 4.1.11; CMDR 10,11, 15, 16; MHLW MO169: 26, 34, 35; 21 CFR 820.30(f), 820.30(g)]
Additional country-specific requirements: None
Assessing conformity:
During the review of design verification activities for the chosen design project, confirm that the identified risk control measures are actually effective in reducing or controlling risk. For example, a design for an enteral feeding tube may have a unique connector to prevent the potential for misconnection to other types of devices, such as suction catheters. Design verification should show that it is difficult or impossible to connect non-related devices to the enteral feeding tube.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.3.7; TG(MD)R Sch1 P1 2; Sch3 P1 Cl1.4(5)(d); RDC ANVISA 16/2013: 2.4, 4.1.8, 4.1.11; CMDR 12, 18, 19; MHLW MO169: 6, 35; 21 CFR 820.30(g)]
Additional country-specific requirements: None
Assessing conformity:
Design validation is performed to provide objective evidence that design specifications (outputs) conform to user needs and intended uses. Design validation must be completed before commercial distribution of the product. The design validation activities should be predictive, not empiric. In other words, acceptance criteria need to be stated in advance of the validation activity. The establishment of pre- determined acceptance criteria may be found in a validation protocol or similar document.
Design validation must be performed under defined operating conditions on initial production
units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and includes testing of production units under actual or simulated use conditions. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, must be recorded.
Design validation must address the needs of all relevant parties, such as the patient, healthcare worker, biomedical engineer, and storage clerk. Consideration must be given to the environment in which the device will be stored, transported, and used. Design validation needs to be performed for each intended use. Design validation must also confirm that user needs and intended uses associated with the device’s packaging and labeling are met. These outputs have human factors
implications and unless they are adequately considered during design validation, they may adversely affect the device and its use. Confirm that design validation data show that the approved design met the predetermined user needs and intended uses. The intended uses must include the purpose of the device, patient type (adults, pediatrics or newborn) and the environment in which the device is to be transported and used (domestic use, hospitals, ambulances, etc.).
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.3.7; TG(MD)R Reg 3.11, Sch3 P1 Cl 1.4(5)(c)(vii), Sch3 P8; RDC ANVISA 16/2013: 4.1.8, 4.1.11, RDC ANVISA 56/2001; CMDR 12, 18, 19; MHLW MO169: 6, 35; 21 CFR 820.30(g)]
Additional country-specific requirements: Australia (TGA):
Verify that records of the validation include clinical evidence as required by the clinical evidence procedures [TG(MD) Sch3 P1 Cl 1.4(5)(c)(vii) and TG(MD) Sch3 P8].
Assessing conformity:
Design validation may involve the performance of some sort of clinical evaluation, including testing under actual or simulated use conditions. Clinical evaluations may involve full clinical studies. Clinical evaluations may also consist of other evaluations in a clinical or non-clinical setting, provision of historical evidence that similar designs are clinically safe, or reviews of scientific literature.
The audit team should limit their review of clinical evaluations to verifying whether clinical evaluations have been performed as part of design validation, when necessary, and whether the organization has established acceptance criteria for the results in order to validate the device and that the results obtained meet the defined acceptance criteria.
When applicable, review the clinical evaluations, if performed, to validate the design. The audit team should confirm that the data from clinical evaluations demonstrates that the user needs and intended uses for the device and its packaging and labeling were met.
Clause and regulation: [ISO 13485:2016: 7.3.2, 7.3.10; TG(MD)R Sch1 P1 2, Sch1 EP12.1; RDC ANVISA 16/2013: 2.4, 4.1.8, 4.1.11; CMDR 20; MHLW MO169: 30; 21 CFR 820.30(g)]
Additional country-specific requirements: None
Assessing conformity:
Many devices are at least partially controlled by software. Some devices consist almost entirely of software. For the device software, confirm that the software is part of the design and development plan for the device. The life cycle requirements for medical device software must be defined, including the intended use.
“Software verification” is a term often used to describe the testing of the software. During the review of the software development, confirm that the organization has conducted appropriate verification activities. Verification is often accomplished by performing test cases at the unit, subsystem, and integration levels; as well as system functional testing. Software verification can include the testing of the software product installed on the target hardware. As with other types of design verification, verification of software is
a predictive activity. The acceptance criteria must be determined prior to performing the testing. The predetermined acceptance criteria are often found in a verification protocol or similar document. Confirm that the predetermined acceptance criteria have been met by reviewing the actual results of the selected software tests. The risk management activities for the device and software can help guide the audit team as to which verification tests involve the essential design outputs of the device and software.
Software validation is a “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.” It involves checking for proper operation of the software in its actual or simulated use environment, including integration into the final device where appropriate. Testing of device software functionality in a simulated use environment, and user site testing are typically included as components of an overall design validation program for a software automated device.
The audit team may encounter times when the software has been installed at user sites as part of validation, often referred to as “beta testing”. Beta testing can be a method to confirm the device, including the software, meets the user needs and intended uses.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.2.3, 7.1, 7.3.9, 7.3.10; TG(MD)R Sch1 P1 2, Sch3 P1 Cl 1.4(5)(f),
Sch3 P1Cl1.5(4); RDC ANVISA 16/2013: 2.4, 4.1.4, 4.1.8, 4.1.10, 4.1.11, Brazilian Law 6360/76 - Art. 13; CMDR 1,
34; MHLW MO169: 6, 26, 36; 21 CFR 820.30(i)]
Additional country-specific requirements: Australia (TGA):
Verify that the manufacturer has a process or procedure for notifying the auditing organization of a
substantial change to the design process or the range of products to be manufactured [TG(MD)R Sch3 Cl1.5].
Verify that the manufacturer has a process or procedure for identifying a proposed substantial change to the design, or the intended performance, of a Class AIMD or Class III device, and to notify the assessment body prior to implementing the change [TG(MD)R Sch3 P1 Cl 1.6(4)].
Brazil (ANVISA):
If the medical device evaluated is already registered/notified with ANVISA, verify that the design change was correctly and promptly submitted to ANVISA for approval, when applicable [Brazilian Law 6360/76 - Art. 13].
Canada (HC):
Verify that the manufacturer has a process or procedure for identifying a “significant change” to a Class III or IV medical device. Verify that information about “significant changes” is submitted in a medical device license amendment application [CMDR 1, 34].
Japan (MHLW):
For the Marketing Authorization Holder, confirm if the Marketing Authorization Holder has submitted a new application, a change application, or a change notification to PMDA/ a Registered Certification Body, when applicable.[PMD Act 23-2-5.1, 23-2-5.11, 23- 2-5.17, 23-2-23.1, 23-2-23.6, 23-2-23.7].
For the Registered Manufacturing Site, confirm if the site has a mechanism to communicate with the Marketing Authorization Holder about device modifications, so the Marketing Authorization Holder can take appropriate actions. If a critical medical device modification has happened in the Registered Manufacturing Site, confirm if the Registered Manufacturing Site has communicated with Marketing Authorization Holder about the change [MHLW MO169: 29].
United States (FDA):
Verify that the organization obtained a new 510(k) or supplement to the pre-market approval if required [21 CFR 807].
Assessing conformity:
An organization may have separate change control procedures to handle the post-production and pre-production changes, or an organization may have one procedure that handles both.
The documentation and control of changes begins when the initial design inputs are approved and continues for the life of the product. Design change control applies to changes to inputs or outputs as a result of design verification or design validation, changes to labeling or packaging, changes to enhance a product’s performance, changes of production process(es), and changes that result from product complaints. Change can be acceptable as long as it is controlled.
The control of changes is not complete until the results of the review of changes and any updates to
product specifications or changed processes are documented or amended.
Changes need to be effectively communicated and requirements for any consequential actions should be defined (e.g. training or communication to design or production staff
Link: Measurement, Analysis and Improvement process (if a design change was made to correct a quality problem with the device); Device Marketing Authorization and Facility Registration
During the audit of the Measurement, Analysis and Improvement process, the auditors may encounter corrective actions or preventive actions that resulted in design changes. When corrective action or preventive action involves changing the design, confirm that design controls have been applied to the change, in accordance with the organization’s procedures. Confirm these design changes were effective in addressing the quality issues or potential quality issues identified in corrective or preventive action. In addition, the design change should be evaluated under the organization’s risk management process to ensure that changes do not introduce new hazards. Some changes may require revalidation where it is not possible to verify that requirements have been met after the change has been implemented.
The audit team should also confirm the organization has considered regulatory requirements for registration, listing, notification and licensing; and has complied with these requirements prior to marketing the changed device in the applicable regulatory jurisdictions.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.3.2, 7.3.5; TG(MD)R Sch3 P1 C1.4(5)(c)(i); RDC ANVISA 16/2013: 4.1.6, 4.1.11; MHLW MO169: 6, 30, 33; 21 CFR 820.30(e)]
Additional country-specific requirements: United States (FDA):
Verify that procedures ensure that participants include representatives of all functions concerned with the design stage being reviewed and an individual(s) who does not have direct responsibility for the design stage being reviewed, as well as any specialists needed [21 CFR 820.30(e)].
Assessing conformity:
Design reviews typically occur at the end of each design stage or phase or after the completion of project milestones. The number of design reviews can vary, but at a minimum, one formal review must be conducted. Reviews should provide feedback to the design team on emerging problems, assess the progress of the design and development project, and confirm that the design is ready to move to the next phase of development or for transfer to the manufacturing phase.
It is not necessary to have fully convened meetings for all design reviews. For simple designs or minor changes, desk reviews and sign-offs may be adequate. Design reviews must include
an individual who does not have direct responsibility for the design stage being reviewed and representation from manufacturing to ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications.
During the review of design review activities for the selected design project, confirm that the reviews included an individual who did not have direct responsibility for the design stage being reviewed. The audit team should also confirm that outstanding action items are being resolved or have been resolved.
Clause and regulation: [ISO 13485:2016: 7.3.9; RDC ANVISA 16/2013: 4.1.10; MHLW MO169: 36; 21 CFR 820.30(i)]
Additional country-specific requirements: None
Assessing conformity:
There are situations where a design change can affect constituent parts. For example, a change to a disposable portion of an aspiration system might affect the ability of the disposable to connect to the console. When necessary, ensure the design change does not negatively impact products in distribution.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.2.3, 7.3.8; RDC ANVISA 16/2013: 4.1.7, 4.1.9, 4.1.11, 4.2; MHLW
MO169: 6, 30; 21 CFR 830.30(h)]
Additional country-specific requirements: Brazil (ANVISA):
Confirm that the manufacture ensures that the design is not released for production until its approval by the persons assigned by the manufacturer and that the persons assigned review all records required to the design history file in order to ensure it is complete and the final design is compatible with the approved plans, prior to its release. Confirm that this release, including date and manual or electronic signature of the responsible is documented [RDC ANVISA 16/2013: 4.1.9, 4.1.11].
Assessing conformity:
During this phase, the design is translated into production specifications. This can take place in steps or phases. The audit team should review how the design for the selected project was transferred into production specifications. Based on the organization’s identification of essential outputs and risk management activities, review significant elements of the manufacturing processes, including products from suppliers and the established tolerances for processes, and compare them with the approved design outputs contained within the design records. These activities can confirm whether or not the design was correctly transferred.
Design transfer is a process that may be initiated not only at the end of the design and development process, but may also be initiated immediately before validation stages and may continue as design and development evolves. This early initiation of design transfer is helpful in order to have production processes and device validations conducted properly and allow for corrections during the process.
At the end, design and development process is “finalized” by a “final design transfer.”
Verify that production processes for the device, including process validation (if required) have been defined, documented, and implemented. Confirm that potential hazards that could be introduced or exacerbated by the production process have been identified, and production controls have been established. Production processes include not only the manufacturing instructions, but also internal controls, such as the type and extent of acceptance activities, equipment calibration and maintenance intervals, environmental controls, and personnel controls.
Confirm that the manufacturer has determined the type and extent of supplier controls based on the relationship between the supplied products and services and product risk.
Clause and regulation: [ISO 13485:2016: 4.1.3, 5.1, 5.5.1; TG(MD)R Sch3 P1 Cl 1.4(5)(b)(ii); RDC ANVISA 16/2013: 2.2.1; MHLW MO169: 5, 10, 15]
Process: Production and Service Controls
The purpose of the Production and Service Controls process is to manufacture products that meet specifications. Developing processes that are adequate to produce devices that meet specifications, validating (or fully verifying the results of) those processes, and monitoring and controlling those processes are all steps that help assure the result will be devices that meet specified requirements. After completing the audit of the organization’s Production and Service Controls process, the audit team will return to the Management process to make a final decision of whether top management ensures that an adequate and effective quality management system has been established and maintained at the organization.
In order to meet the Production and Service Controls requirements of Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016), the Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3), Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013), Japanese QMS Ordinance (MHLW MO 169), the Quality System Regulation (21 CFR Part 820), and specific requirements of medical device regulatory authorities participating in the MDSAP program, the organization must understand when deviations from device specifications could occur as a result of the production process or environment.
The management representative is responsible for ensuring that the requirements of the quality management system have been effectively defined, documented, implemented, and maintained. Prior to the audit of any MDSAP process, interview the management representative (or designee) to obtain an overview of the process and a feel for management’s knowledge and understanding of the process.
Audit of the Production and Service Controls process will follow audit of the Measurement, Analysis and Improvement process and the Design and Development process per the MDSAP audit sequence. Information the audit team has learned about device and quality management system nonconformities during audit of the Measurement, Analysis and Improvement process, as well as higher risk elements and essential design outputs from the design projects reviewed during audit
of the Design and Development process, should be used to make decisions as to the production processes to be reviewed during the audit of the Production and Service Controls process.
Auditing the Production and Service Controls Process
Defined, documented and implemented procedures to ensure production and service processes are planned, developed, conducted, controlled, and monitored to ensure conformity to specified requirements
Developed production and service process controls commensurate with the potential effect of the process on product risk
Ensured that when the results of a process cannot be verified by subsequent monitoring or measurement, the process is validated with a high degree of assurance that the process will consistently achieve the planned result
Implemented procedures for the validation of the application of computer software for production and service processes that affect the ability of the product to conform to specified requirements, including validation of computer software used in the quality management system
Maintained records for each batch of medical devices that provides information for traceability and confirmation that the batch meets specified requirements
Implemented controls to protect customer property, including intellectual property, confidential health information, and other forms of customer property that is used or incorporated into products
Links to Other Processes: Management; Design and Development; Measurement, Analysis and Improvement; Purchasing
Verify that the product realization processes are planned, including any necessary controls, controlled conditions, and risk management activities required for the product to meet the specified or intended uses, the statutory and regulatory requirements related to the product, and (when applicable) unique device identifier requirements. Confirm that the planning of product realization is consistent with the requirements of the other processes of the quality management system and performed in consideration of the quality objectives.
Clause and regulation: [ISO 13485:2016: 7.1, 7.2.1, 7.5.1; TG(MD)R Sch 1 P1 2, Sch3 P1 Cl1.4(4), Sch3 P1
Cl1.4(5)(d)&(e); RDC ANVISA 16/2013: 2.2.1, 2.4, 4.1.2, 4.1.7, 5.1; MHLW MO169: 26, 27, 40; 21 CFR 801, 820.30(b), 820.20(a), 820.30(h), 820.70(a), 830]
Additional country-specific requirements:
United States (FDA):
Confirm that the organization has determined the applicability of unique device identifier requirements per 21 CFR 801 and 21 CFR 830, has obtained the unique device identifiers from an FDA-accredited UDI-issuing agency, and the required data elements have been entered in the Global Unique Device Identification Database (GUDID) [21 CFR 801, 830].
Assessing conformity:
In planning product realization, the organization must determine as appropriate the quality objectives and requirements for the product, the processes, documents, and resources specific to the product, the criteria for product acceptance, and the required verification, monitoring, inspection, and test activities specific to the product. Planning of product realization often begins in the design and development of the product, including the translation of the design into
production specifications.
The planning of product realization should be consistent with the risk control and mitigation strategies identified by the organization during risk management activities.
During the audit, be mindful of requirements for the product that relate to statutory and regulatory requirements, requirements necessary for the product to meet specified or intended uses, and requirements for safe and efficacious use of the product. The organization must ensure their processes, and the monitoring of processes, inspection, and test activities are planned and developed to ensure these requirements are met.
Unique Device Identifier
A UDI is a coded representation of specified information. It appears on the device label, packaging, or in some cases on the device itself. The UDI should be presented in two forms: easily readable plain text, and automated identification and data capture (or AIDC) format.
Many types of AIDC compliant codings are available and are permissible provided they can be entered into an electronic patient record or other computer system via an automated process.
The requirements of the rule are generally directed at labelers. Labeler is defined in 21 CFR
801.3. Two main factors determine if a party is a labeler: (1) a labeler causes a label to be applied to a device with the intent that the device will be commercially distributed without any intended subsequent replacement or modification of the label, or, (2) a labeler causes a label to be replaced or modified with the intent that the device will be commercially distributed. Manufacturers, contract manufacturers, private label distributors, and convenience kit assemblers are the most common types of organizations that are considered labelers. Some small exceptions apply, such as adding a name or contact information to the already existing label.
The UDI program requires labelers to work with an FDA accredited issuing agency to produce their UDIs. The issuing agency provides a portion of the UDI to identify the labeler, as well as providing a standards compliant format for the display of the UDI in easily readable plain text and AIDC code.
The UDI rule requires device labelers to meet two basic requirements: (1) the devices must bear a UDI in the appropriate location, (2) and certain data elements must be entered in the Global Unique Device Identification Database (GUDID). The GUDID is a database maintained by the UDI team at FDA that serves as a public facing repository for UDI related device information.
Under the UDI rule, all medical devices, regardless of class (and including unclassified devices) must comply with the requirements of the rule. The requirements become applicable for a given device at the point that a device that is in commercial distribution in the United States reaches the compliance date specified by the rule. As of September 24, 2016, all FDA class 2 and 3 devices (unless covered by an exemption) are required to comply with UDI requirements. FDA Class 1 and unclassified devices (unless covered by an exemption) must comply with UDI requirements by September 24, 2018.
Quality objectives are typically expressed as a measurable target or goal. The planning of product realization should include consideration of how the production processes, the criteria for product acceptance, and the required verification, validation, monitoring, inspection, and test activities specific to the product will achieve the quality objectives. Confirm that the organization has defined quality objectives for the device.
Link: Management
Confirm when necessary that the quality objectives related to the product were considered for inclusion in management review.
Corrective and preventive action indicators of process problems or potential problems
Use of production processes that directly impact the ability of the device to meet its essential
design outputs
New production processes or new technologies
Use of the process in manufacturing multiple products
Processes that operate over multiple shifts
Processes not covered during previous audits
the availability of information describing product characteristics
the availability of documented procedures, requirements, work instructions, and reference materials, reference measurements, and criteria for workmanship
the use of suitable equipment
the availability and use of monitoring and measuring devices
the implementation of monitoring and measurement of process parameters and product characteristics during production
the implementation of release, delivery and post-delivery activities
the implementation of defined operations for labeling and packaging
the establishment of documented requirements for changes to methods and processes
Clause and regulation: [ISO 13485:2016: 7.5.1, 8.2.5, 8.2.6; TG(MD)R Sch3 P1 Cl1.4(5)(d)&(e); RDC ANVISA 16/2013: 3.1.3, 4.2, 5.1, 5.2, 5.3, 5.4, 5.6, 5.6.1; 5.6.2; MHLW MO169: 40, 57, 58, 59; 21 CFR 820.70(a),
820.70(b), 820.75, 820.120, 820.130]
Additional country-specific requirements: None
Assessing conformity:
Production processes that may cause a deviation to a device specification and all validated processes must be controlled and monitored. The planning of production includes the establishment of procedures and work instructions for the control and monitoring of the production processes, including service controls when necessary. Control and monitoring procedures may include in-process and finished device acceptance activities as well as environmental and contamination control measures. The establishment of procedures and work instructions to control the production of the device should provide the controls and tolerances necessary to ensure finished devices conform to product specifications.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.2.3, 6.4.2, 7.5.2; TG(MD)R Sch3 P1 Cl1.4(5)(d); RDC ANVISA
16/2013: 5.1.3.1, 5.1.3.4, 5.1.5.3; MHLW MO169: 6, 25, 41; 21 CFR 820.70(c), 820.70(d), 820.70(e), 820.70(h)]
Additional country-specific requirements: Brazil (ANVISA):
Confirm that a pest control program has been established and where chemicals are used as part of the pest control program, the company must ensure that they do not affect product quality [RDC ANVISA 16/2013: 5.1.3.4].
Verify that the manufacturer has established and maintains housekeeping procedures and schedules for production areas and warehouses, in conformance with production specifications [RDC ANVISA 16/2013: 5.1.3.1].
Assessing conformity:
The goal of establishing requirements for product cleanliness is to minimize contamination of the finished device and the manufacturing environment. Sterile devices may require a higher level of control in terms of minimizing the bioburden and particulate contamination in order to assure the desired sterility assurance level is met. Each organization must evaluate the extent of cleanliness required for the proper functioning and intended use of the finished device and implement the
necessary control measures. Examples of control measures include, but are not limited to, cleaning procedures, environmental controls (e.g. cleanrooms, or other controlled environments), requirements for attire, and training of personnel. When necessary, confirm the organization has identified the cleanliness requirements for the finished device and the proper controls to achieve the required level of cleanliness.
Process agents, also known as manufacturing materials, are generally defined as materials or substances used to facilitate the manufacturing process, which are present in or on the finished devices as a residue or impurity. Examples of process agents include cleaning agents, mold- release agents, lubricating oils, latex proteins, sterilant residues, etc. The organization must evaluate process agents used during the manufacturing process when the process agent could potentially have an adverse effect on the product. During the design of the product and the development of the manufacturing process, the potential effect of process agents should be considered. If the audit team encounters situations where process agents are being utilized in the manufacturing of the product, and the process agent could potentially have an adverse effect on the product, confirm that the organization has made effective arrangements to control the process agent in a manner commensurate with the risk the agent poses to the finished device.
For example, the organization may need to validate a cleaning process to ensure cutting oil is removed from an orthopedic implant prior to packaging and sterilization.
Clause and regulation: [ISO 13485:2016: 4.2.1, 6.3, 7.5.1; RDC ANVISA 16/2013: 5.1.2, 5.1.5; CMDR 14; MHLW
MO169: 6, 24, 40; 21 CFR 820.70(g), 820.70(f)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that manufacturing facilities are configured in order to provide adequate means for people flow [RDC ANVISA 16/2013: 5.1.2].
Assessing conformity:
The organization is responsible for evaluating the manufacturing facility to ensure that the buildings, utilities, and space allow for the achievement of product conformity. The organization is responsible for ensuring adequate space to prevent mix-ups and ensure orderly handling of products.
The organization must consider whether maintenance of production equipment may affect product quality. Procedures, including the frequency of maintenance and the records of maintenance must be available for these items of equipment.
Verify documented requirements have been established, implemented and maintained for:
health, cleanliness, and clothing of personnel that could have an adverse effect on product quality
monitoring and controlling work environment conditions that can have an adverse effect on product quality
training or supervision of personnel who are required to work under special environmental conditions
controlling contaminated or potentially contaminated product (including returned products) in order to prevent contamination of other product, the work environment, or personnel
Clause and regulation: [ISO 13485:2016: 4.2.1, 6.4; TG(MD)R Sch1 P2 7.2, 8; RDC ANVISA 16/2013: 5.1.3; MHLW
MO169: 6, 25; 21 CFR 820.70(c), 820.70(d), 820.70(e)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that biosafety standards are used, when applicable [RDC ANVISA 16/2013: 5.1.3.6].
Assessing conformity:
The organization is responsible for establishing and maintaining procedures to prevent contamination of products, equipment, and personnel by substances that could adversely affect the device. If contamination control measures are necessary to meet specified requirements, cleaning and sanitation procedures and schedules may be required to ensure the contamination control measures are properly functioning. The organization should consider the segregation and decontamination of returned product.
Personnel practices must address personnel health, cleanliness, and attire if these could adversely affect product quality or the work environment. In the event that maintenance or other personnel are required to work temporarily under special environmental conditions, these individuals must be appropriately trained or supervised by a trained individual.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.1.6, 7.5.6; TG(MD)R Sch1 P2 8.2, 8.3; Sch3 P1 1.4(5)(d), RDC
ANVISA16/2013: 5.5.2, 5.5.3; MHLW MO169: 6, 45; 21 CFR 820.75(a)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that analytical methods, supporting auxiliary systems for production and environmental control that can adversely affect product quality or the quality system are validated, periodically reviewed and, when necessary, revalidated according to documented procedures [RDC ANVISA 16/2013: 5.5.2, 5.5.3].
United States (FDA):
Process validation is required for sterilization, aseptic processing, injection molding, and welding [21 CFR 820.75; preamble comment 143].
Assessing conformity:
During the planning of product realization, the organization must determine which production processes require validation and which processes can be verified. Process validation may apply to processes that generate components, subassemblies, or finished devices. Process validation is required for processes where the results of the process cannot be fully verified. Processes that cannot be fully verified include processes where clinical or destructive testing is necessary to show that the process produced the desired result, where routine inspection and/or testing does not examine quality attributes essential to the proper functioning of the finished device, or where routine testing has insufficient sensitivity to verify the desired safety and efficacy of the finished product.
Examples of processes that require validation include, but are not limited to sterilization, aseptic processing, welding, and injection molding. When applicable, confirm that the organization has identified processes which require validation, including validation requirements for any outsourced processes.
When validating processes, organizations must take into account the current thinking of experts where published information is available (e.g. though the application of ISO standards for sterilization validation).
Link: Purchasing
The audit team may encounter situations where the organization outsources processes that require validation. During the review of the Purchasing process, review the controls the organization has instituted over suppliers that perform validated processes. This can be
particularly important for higher risk validated processes performed by suppliers, since the finished device manufacturer does not have immediate control over those processes.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.5.6; TG(MD)R Sch1 P1 2(1), Sch3 P1 1.4(5)(d); RDC ANVISA 16/2013: 1.2.18, 5.5.1; MHLW MO169: 6, 45; 21 CFR 820.75(a), 820.75(c)]
Additional country-specific requirements: Australia (TGA):
Confirm that methods of validation have regard to the generally acknowledged state of the art (e.g. current Medical Device Standard Orders - MDSO, ISO/IEC Standards, BP, EP, USP etc.) [TG Act s41CB, TG(MD)R Sch 1 P1 2(1)].
Assessing conformity:
Process validation means establishing by objective evidence (i.e. data) that a process consistently produces a result (e.g., sterility assurance level) or product meeting predetermined specifications. Remember that the term “product” applies to components and in-process devices as well as finished devices. Therefore, process validation may apply to processes that generate components, in-process devices, or finished devices.
Some organizations have general process validation procedures. Other organizations establish separate procedures for each individual process validation study. Both methods for establishing process validation procedures are acceptable.
During review of a validation study, determine when applicable whether:
The instruments used to generate the data were properly calibrated and maintained;
Predetermined product and process specifications were established;
Sampling plans used to collect test samples are based on a statistically valid rationale;
Data demonstrates predetermined specifications were met consistently;
Process tolerance limits were challenged;
Process equipment was properly installed, adjusted, and maintained;
Process monitoring instruments were properly calibrated and maintained;
Changes to the validated process were appropriately challenged (if applicable); and
Process operators were appropriately qualified.
Process validation activities are predictive, rather than empiric. In order for a process validation study to show the process achieves the planned result, the acceptance criteria must be stated in advance of performing the validation. The data from the process validation study must show the predetermined acceptance criteria have been met.
Process validation studies may also provide valuable insight into process or product nonconformities. For example, the process validation study must demonstrate not only that the process can produce a result or product meeting predetermined specifications but also that the process will consistently produce a result or product meeting predetermined specifications. If process or product nonconformities related to a validated process are encountered at a higher than anticipated rate, it may indicate the process validation study did not confirm that the process could consistently produce a result or product meeting predetermined specifications. Unless the
organization recognized this during the process validation study, they may not have investigated the cause of the process inconsistency.
If product is supplied sterile (see Annex 2):
Verify the sterilization process is validated, periodically re-validated, and records of the validation are available
Verify that devices sold in a sterile state are manufactured and sterilized under appropriately controlled conditions
Determine if the sterilization process and results are documented and traceable to each batch of product
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.5.5, 7.5.6, 7.5.7; TG(MD)R Sch1 2(1) & 8.3, Sch3 P1 1.4(5)(d);
RDC ANVISA 16/2013: 5.1.6, 5.5; CMDR 17; MHLW MO169: 6, 44, 45, 46; 21 CFR 820.75, 820.184(d)]
Additional country-specific requirements: Australia (TGA):
Verify that methods of sterilization validation have regard to the generally acknowledged state of the art (e.g. current Australian Medical Device Standard Orders - MDSO, ISO 11135, ISO 11137) [TG(MD)R Sch1 P1 2(1)].
Assessing conformity:
Sterilization processes include terminal sterilization methods (such as radiation and ethylene oxide) as well as aseptic processing methods. Sterilization processes must be validated, with periodic revalidation as required by established standards or requirements established by the organization.
Control of the manufacturing processes for devices intended to be sterile
In addition to ensuring the cleaning, packaging, and sterilization processes are validated, auditors should ensure the manufacturer maintains appropriate controls over the following:
routine monitoring and measurement of the cleaning, packaging and sterilization processes
routine acceptance criteria of the cleaning, packaging and sterilization processes,
(re-)qualification, (re-)verification, (re-)calibration and maintenance of the cleaning, packaging and sterilization equipment
environmental control of production areas (cleanroom design and monitoring)
storage of device parts, components, and packaging material
storage of finished sterile product and management of shelf life
handling processes for non-sterile devices for re-sterilization
Clause and regulation: [ISO 13485:2016: 7.1, 7.5.1, 8.1, 8.2.6; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(5)(b)&(e); RDC
ANVISA 16/2013: 2.4, 5.1.1, 9.1; MHLW MO169: 26, 40, 54, 58; 21 CFR 820.70(a), 820.250(a)]
Additional country-specific requirements: None
Assessing conformity:
The general goal of monitoring processes and product characteristics during production is to ensure that products conform to the specified requirements defined and approved during the
design and development of the device. The organization has the flexibility to determine the controls that are necessary, commensurate with the risk to the finished device if processes or product characteristics do not meet specified requirements. During the audit of production processes, confirm that the control measures are suitable for detecting process or product nonconformities.
Clause and regulation: [ISO 13485:2016: 7.1, 7.5.1, 8.1, 8.2.5; TG(MD)R Sch1 P1 2, Sch3 P1 1.4(5)(b)&(e); RDC
ANVISA 16/2013: 2.4, 5.1.1, 5.1.6, 8.2, 9.1; MHLW MO169: 26, 40, 54, 57; 21 CFR 820.70(a), 820.75(b), 820.250]
Additional country-specific requirements: None
Assessing conformity:
Processes that may cause a deviation to device specifications and validated processes must be controlled and monitored. Control and monitoring procedures may include in-process and finished device acceptance activities as well as environmental and contamination control measures.
Compare the process monitoring and acceptance procedures contained or referenced within the records of production specifications with those available to the production personnel. Confirm that the procedures available to the production personnel are the most current approved revisions.
While in the production area, verify that the building is of suitable design and contains sufficient space to perform necessary operations. Also, verify that the results of control and monitoring activities demonstrate that the process is currently operating in accordance with applicable procedures. This can be done by comparing work instructions with what is actually being done, comparing product acceptance criteria with acceptance activity results, reviewing control charts against specified requirements, etc.
Link: Design and Development
The design outputs for a device include documents such as diagrams, drawings, specifications, procedures, and the production processes that are essential to the proper manufacturing of
the device. Production processes can include not only the manufacturing instructions, but also internal controls, such as the type and extent of acceptance activities, equipment calibration and maintenance intervals, environmental controls, and personnel controls. During the audit of the Production and Service Controls process, consider reviewing production processes that have the highest risk or greatest effect on the essential design outputs.
Clause and regulation: [ISO 13485:2016: 6.2; RDC ANVISA 16/2013: 2.3.2; MHLW MO169: 22; 21 CFR 820.25, 820.70(d), 820.75(b)]
Additional country-specific requirements: None
Assessing conformity:
Production processes must be performed by adequately trained personnel. The organization must establish procedures for identifying training needs and ensure that all personnel are trained to adequately perform their assigned responsibilities. This training must be documented. In addition, personnel who perform validated processes must be qualified. It is management’s responsibility to determine what qualifications are necessary for personnel who perform validated processes.
Link: Management
During the audit of the Production and Service Controls process, ensure that employees who are involved in key operations that affect product realization and product quality have been trained in their specific job tasks, as well as the quality policy and objectives. When appropriate, review the training records for those employees whose activities have contributed to process nonconformities.
Clause and regulation: [ISO 13485:2016: 7.5.1, 7.6; TG(MD)R Sch3 P1 1.4(5)(e); RDC ANVISA 16/2013: 5.1.5, 5.4; MHLW MO169: 40, 53; 21 CFR 820.70(g), 820.72]
Additional country-specific requirements: None
Assessing conformity:
While reviewing the selected production process, make note of significant pieces of process equipment and significant pieces of measuring or test equipment. Consider selecting process and test equipment that, if not properly controlled, could cause devices to not meet specified requirements; or produce inaccurate results that could lead to unrecognized nonconformities. Confirm that the production and test equipment selected for review is suitable for its intended purpose and capable of giving valid results.
Review the maintenance, control, and calibration procedures (and records) for the equipment selected for review. The initial frequency with which measuring and test equipment is calibrated and maintained is usually based on the equipment manufacturer’s recommendations. As the organization gains experience with the piece of equipment, the frequency of calibration and maintenance may be adjusted, based on a documented rationale.
When accuracy and precision is a factor in the validity of the result of the measuring equipment, the required accuracy and precision should be defined during the planning of product realization to ensure the equipment is suitable and capable of providing valid results.
If production equipment or test equipment is found to be outside of its maintenance or calibration requirements, verify that the organization made an assessment of the effect of the out-of- tolerance situation on in-process, finished, or released devices, based on risk. Equipment adjustment, calibration, and maintenance procedures and records may provide insight into nonconformities.
Review these procedures and records to determine whether inadequate procedures or the organization’s failure to comply with adequate procedures contributed to the nonconformity. For example, determine whether the lack of specified equipment adjustment or maintenance contributed to the production of nonconforming product.
Clause and regulation: [ISO 13485:2016: 7.6; TG(MD)R Sch3 P1 1.4(5)(e); RDC ANVISA 16/2013: 5.4; MHLW MO169: 53; 21 CFR 820.72(a)]
Additional country-specific requirements: None
Assessing conformity:
Organizations must maintain proper calibration, storage, and handling controls for measuring, monitoring, and test equipment used in the development, production, installation, and servicing of product. Calibration must be traceable to a national or international measurement standard if one is available. If calibration services are provided by a supplier, the supplier controls are to be applied to ensure calibration is performed competently. Proper controls will help instill confidence in results obtained from the use of the equipment.
Organizations must define, implement, and maintain procedures for the control of monitoring and measuring devices. The organization may choose to develop general policies for the control of monitoring and measuring devices, along with separate, more specific procedures for the actual calibration and control of each piece of equipment. Procedures must account for any environmental controls necessary for the equipment to produce valid results, as well as
any specific storage or handling requirements when necessary. For example, a set of calibrated calipers may require storage in a padded case to maintain the required accuracy and precision. Confirm that the organization has the proper procedures and controls in place to preserve the proper functioning of monitoring, measuring, and test equipment.
The organization may discover that monitoring or measuring equipment is no longer within its adjustment or calibration tolerance. In these situations, the organization must assess and record the validity of previous measuring results and take appropriate action on the equipment and any product affected.
Clause and regulation: [ISO 13485:2016: 4.1.6, 7.5.6, 7.6; RDC ANVISA 16/2013: 5.5.2; MHLW MO169: 45, 53; 21 CFR 820.70(i)]
Additional country-specific requirements: None
Assessing conformity:
Production process control software (and any other software used in the organization’s quality system) must be validated for its intended use according to an established protocol. If the production process the audit team selected for review is controlled with software, review the software validation documents and records. Software validation documents and records should include:
A software requirements document describing the intended use(s) and user needs associated with the software.
An established validation protocol or similar document describing the activities necessary to demonstrate that the software requirements can be met.
Records of the results of the software validation activities described in the software validation protocol or similar document.
Records that software changes are appropriately controlled (where applicable).
For off-the-shelf quality management system software and software-controlled production or test equipment, it may not be possible, practical, or necessary for the device manufacturer to review the software code or the various software verification test cases that are typically performed by the software or equipment manufacturer. However, the device manufacturer must still ensure the software is capable of functioning according to the device manufacturer’s needs. The validation to confirm the software meets the device manufacturer’s needs must be performed according to a protocol or similar document with predetermined acceptance criteria.
If multiple software driven systems are used in the production process, be sure to assess the system(s) most likely to have an impact on the finished device’s ability to meet specified requirements. Not all software driven systems used in a production process will need to be audited during each audit.
Clause and regulation: [ISO 13485:2016: 4.2.1, 4.2.3, 7.1, 7.5.8, 7.5.9.1; TG(MD)R Sch3 P1 1.4(5) (c),(d),(e) & 1.9;
RDC ANVISA 16/2013: 1.2.26, 2.4, 4.2, 5.2, 6.4; CMDR 9(2), 21-23, 52-56, 66-68; MHLW MO169: 6, 26, 47, 48;
21 CFR 820.65, 820.181]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the manufacturer has established and maintains procedures to ensure integrity and to prevent accidental mixing of labels, instructions, and packaging materials [RDC ANVISA 16/2013: 5.2.2.1].
Confirm that the manufacturer has ensured that labels are designed, printed and, where applicable, applied so that they remain legible and attached to the product during processing, storage, handling and use [RDC ANVISA 16/2013: 5.2.2.2].
Canada (HC):
Verify that the manufacturer maintains objective evidence that devices meet the safety and effectiveness requirements of the CMDR [CMDR 9(2)].
Verify that devices sold in Canada have labeling that conforms to Canadian English and French language requirements and contains the manufacturer’s name and address, device identifier, control number (for Class III and IV devices), contents of packaging, sterility, expiry, intended use, directions for use and any special storage conditions [CMDR 21-23].
Verify that the manufacturer maintains distribution records in respect of a device that will permit a complete and rapid withdrawal of the device from the market [CMDR 52-56].
United States (FDA):
If a control number is required for traceability, confirm that such control number is on or accompanies the device throughout distribution [21 CFR 820.120(e)].
Assessing conformity:
The required records for each type or model of device include documents such as diagrams, drawings, specifications, and procedures associated with the device, its packaging and labeling; as well as, quality management system and production process requirements; and if applicable,
installation and servicing requirements. Documents and records associated with production processes can include not only the manufacturing instructions, but also internal controls, such as the type and extent of acceptance activities, equipment calibration and maintenance intervals, environmental controls, and personnel controls. These documents and records provide the requirements and instructions for the proper manufacturing, labeling, packaging, and testing of the device to assure specified requirements are met during the production of each batch of devices. For the device(s) the audit team has selected to review, confirm that the required records have been established.
It is the responsibility of the organization to establish procedures for traceability. For devices that are not implanted and are not life-supporting or life-sustaining, the organization has the flexibility to determine which raw materials and components are required to be traceable, commensurate with the risk posed by the device in the event the component does not meet specified requirements.
Traceability systems commonly include elements such as written procedures describing the control numbering system to be used, as well as the documentation of lot numbers, control numbers, or
serial numbers identifying the batch of components, subassemblies, finished devices, packaging, and labeling in order to aid their identification in the manufacturing process.
Link: Design and Development
During the design and development of the device, the essential design outputs for the proper functioning of the device should have been identified. Raw materials, components, and subassemblies should have been considered for traceability if their nonconformity could result in the finished device not meeting its specified requirements and essential functions.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.5.1, 7.5.8, 7.5.9.1, 8.2.6; RDC ANVISA 16/2013: 3.2, 5.2, 6.4; MHLW
MO169: 6, 40, 47, 48, 58; 21 CFR 820.120, 820.184]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the device history record of the product includes or refers to the following information: date of manufacture; components used; quantity manufactured; results of inspections and tests; parameters of special processes; quantity released for distribution; labeling; identification of the serial number or batch of production; and final release of the product [RDC ANVISA 16/2013: 3.2.1].
Verify that labeling has not been released for storage or use until a designated individual has examined the labeling for accuracy. The approval, including the date, name, and physical or electronic signature of the person responsible, must be documented in the device history record [RDC ANVISA 16/2013: 5.2.2.3].
United States (FDA):
Verify that labeling is not released for storage or use until a designated individual has examined the labeling for accuracy including, where applicable, the correct unique device identifier (UDI) or Universal Product Code (UPC), expiration date, control number, storage instructions, handling instructions, and any additional processing instructions [21 CFR 820.120(b)].
Confirm that labeling is stored in a manner that provides proper identification and prevents mix-ups. Verify labeling and packaging operations are controlled to prevent labeling mix-ups [21 CFR 820.120(c) and (d)].
Verify that the label and labeling used for each production unit, lot, or batch are documented in the batch record, as well as any control numbers used [21 CFR 820.120(e), 820.184(e)].
Assessing conformity:
Verify that each batch of devices was manufactured in accordance with product and production specifications, being mindful that in some instances, a batch can be a single device. This verification should include a review of the purchasing controls and receiving acceptance activities applied to at least one significant component or raw material, in-process and final finished device acceptance activities and results, environmental and contamination control records (if applicable), and sampling plans for process and environmental controls and monitoring.
The record for each batch of devices must include, or refer to the location of, the following
information:
The dates of manufacture;
The quantity manufactured;
The quantity released for distribution;
The acceptance records which demonstrate the device has been manufactured in accordance with the planned arrangements and defined product specifications;
The primary identification label and labeling used for each production unit;
Any device identification(s) and control number(s) used, including unique device identifiers when applicable; and
A provision to indicate that the record has been verified and approved.
If, during the accomplishment of this audit task, the audit team observes evidence that the process is outside the organization’s acceptance range for operating parameters or that product nonconformities exist, confirm that the nonconformities were handled appropriately, with input into the Measurement, Analysis and Improvement process when appropriate.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.5.9.2, 8.2.6; MHLW MO169: 6, 49, 59; 21 CFR 820.65]
Additional country-specific requirements: Canada (HC):
Verify that the manufacturer has identified Schedule 2 implants and provides implant registration cards with devices or employs another suitable system approved by Health Canada [CMDR 66-68].
Verify that the manufacturer of devices that are listed on Schedule 2 of the Medical Devices Regulations maintains distribution records of these devices as well as any information received on implant registration cards related to these Schedule 2 devices [CMDR 54].
United States (FDA):
Verify that the manufacturer has implemented a tracking system for devices for which the manufacturer has received a tracking order from FDA. The tracking system must ensure the manufacturer is able to track the device to the end-user. The manufacturer must conduct periodic audits of the tracking system [21 CFR 821].
Assessing conformity:
Manufacturers of finished devices whose failure could result in serious injury or harm to the user must implement a traceability system. The traceability system must allow for each batch of finished devices to be traced by a control number or similar mechanism throughout the
distribution chain. Organizations must also provide for the control and traceability of components and materials used in the manufacture of the device, as well as documentation of the manufacturing conditions when manufacturing conditions could cause the finished device to not meet specified requirements (e.g. cleanroom conditions).
The determination of which components and raw materials may be required to be traceable may be made by the organization using risk management tools, such as risk analysis, or by identification of the components and processes used to fulfill the essential design outputs.
Some regulatory authorities participating in the MDSAP have requirements for tracking certain types of devices to the end-user. For regulatory authorities that have tracking requirements, these requirements generally apply to a small subset of devices that are life-sustaining or life supporting, intended for implant longer than one year, or are considered by the regulatory authority to be
high risk. If the organization manufactures or distributes a device that falls under a tracking requirement, confirm that the organization has the necessary systems in place to provide for tracking each device to the end-user. The organization’s tracking system must be periodically reviewed and audited by the organization to confirm that the tracking system is effective. The tracking system must contain the unique device identifier (UDI), lot number, batch number, model number, or serial number of the device or other identifier necessary to provide for effective tracking of the devices.
Clause and regulation: [ISO 13485:2016: 7.5.8; RDC ANVISA 16/2013: 6.1.2, 6.4; MHLW MO169: 47, 50; 21 CFR
820.86]
Additional country-specific requirements: None
Assessing conformity:
Identification is generally defined as the description of the product that distinguishes it from other product. Organizations must define, document, and implement processes for the identification and control of product, including components, process agents, subassemblies, finished devices, packaging, and labeling. This can be accomplished through the use of part numbers, lot numbers, batch numbers, work order numbers, quantities, supplier name, as well as other means. The extent of identification activities should be based on the complexity and risk of the product.
Clause and regulation: [ISO 13485:2016: 7.5.10; MHLW MO169: 51]
Additional country-specific requirements: None
Assessing conformity:
The organization is responsible for safeguarding customer property while it is under the organization’s control. If any customer property is lost, damaged, or otherwise unsuitable for use, this must be reported to the customer and records maintained.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.4.3, 7.5.8, 8.2.6; TG(MD)R Sch1 P1 2, Sch3 P1 Cl1.4(5)(d);
RDC ANVISA 16/2013: 5.3.1, 5.3.2, 5.3.3, 5.3.4, 9.2; MHLW MO169: 6, 39, 47,58, 59; 21 CFR 820.80, 820.250(b)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that sampling plans are defined and based on valid statistical rationale. Each manufacturer must establish and maintain procedures to ensure that sampling methods are suitable for their intended use and are reviewed regularly. A review of sampling plans should consider the occurrence of nonconforming product, quality audit reports, complaints and other indicators [RDC ANVISA 16/2013: 9.2].
United States (FDA):
Verify that the manufacturer establishes and maintains procedures to ensure that sampling methods are adequate for their intended use and ensure that when changes occur, the sampling plans are reviewed [21 CFR 820.250(b)].
Assessing conformity:
Organizations are expected to define, document, and implement systems and procedures for acceptance activities to verify that products, including finished devices, in-process devices, components, packaging, and labeling conform to specified requirements. Recognized acceptance activities include, but are not limited to, inspections, tests, review of certificates of analysis, and supplier audits. Effective acceptance procedures and systems directly affect the ability of an organization to demonstrate that the process and product meets specifications. During the audit of acceptance
activities for the devices selected for audit, confirm that the organization has defined processes for receiving, in-process, and final acceptance activities. Determine if the acceptance activities have been implemented. One way to accomplish this audit task is to review a sample of batch records and confirm that the acceptance activities have been documented and that the acceptance activities show
specified requirements have been met. Records should identify who conducted acceptance activities.
The acceptance status of incoming, in-process, and finished devices must be identified. The identification of acceptance status must be maintained throughout manufacturing, packaging, labeling, and where applicable, installation and servicing to ensure that only product which has passed the required acceptance activities is distributed, used, or installed.
The audit team may encounter situations where the organization receives incoming product from a financial or corporate affiliate. It is the receiving organization’s responsibility to perform and record the necessary acceptance activities to ensure the received product conforms to specified requirements, as well as applying the necessary purchasing controls to the supplier. Acceptance activities and purchasing controls apply to all product received from outside of the finished manufacturer, whether a payment occurs or not, and regardless of the corporate or financial relationship of the supplier to the finished device manufacturer.
The audit team may encounter the use of sampling during acceptance activities. For example, an organization might choose to use sampling to perform receiving acceptance on a large lot of incoming components. When used, sampling plans must be written and based on a valid statistical rationale and a risk-based methodology.
An important concept to remember is that quality cannot be inspected or tested into products. Organizations must establish an appropriate mix of acceptance activities and purchasing controls to ensure products will meet specified requirements. The type and extent of acceptance activities can be based in part on the amount of purchasing controls applied to the supplier, the
demonstrated capability of the supplier to provide quality products, and the potential impact of the product on the finished device, including the risk the device poses to the patient or user if specified requirements are not met. Organizations that conduct quality control solely in-house must still assess the capability of suppliers to provide acceptable products.
The audit team may encounter instances where product has been deemed acceptable by the successful completion of acceptance activities but the product is later shown to not meet specified requirements (i.e. failure of the device leading to product complaint). This can be an
indication that the acceptance activities are not sufficient to identify nonconformities. Confirm that the organization has taken the appropriate action to determine the suitability of the acceptance activities.
Link: Purchasing, Design and Development
The audit team should consider reviewing the purchasing controls and requirements for suppliers of higher risk products. The audit team should also consider reviewing the purchasing controls and requirements for suppliers of products that undergo minimal acceptance activities at the device manufacturer, particularly if the supplied product is manufactured using a process that requires validation. During the review of acceptance activities, if the audit team encounters situations where records of acceptance activities for supplied product reveal products that do not meet specified requirements, consider selecting those suppliers for review during the audit of the organization’s Purchasing process.
The establishment of the necessary purchasing controls and required acceptance activities is a design output. The degree of the purchasing controls necessary and extent of acceptance activities should be based on the risk posed by the product not meeting its specified requirements and essential design outputs.
Clause and regulation: [ISO 13485:2016: 7.5.8, 8.3; TG(MD)R Sch1 P1 2, Sch3 P1 Cl1.4(5)(b); RDC ANVISA 16/2013: 6.5.1, 6.5.2; MHLW MO169: 47, 50, 60; 21 CFR 820.60, 820.90(a), 820.86, 820.100(a)]
Additional country-specific requirements: None
Assessing conformity:
The purpose of controlling nonconforming product is to prevent the unintended use and distribution of nonconforming product, including components, processing agents, in-process devices, and finished devices. Confirm that the organization has defined and implemented procedures for the identification, control, segregation, evaluation, and disposition of nonconforming product.
The organization can address nonconforming product by taking action to eliminate the detected nonconformity (e.g. sorting an incoming lot of components to remove components that do not meet specifications), authorizing its use, release, or acceptance under concession, or by taking action to prevent its original intended use (e.g. allowing the components or devices to be used as demonstration units at marketing conferences).
Until a disposition can be made, the organization must have a process to properly identify nonconforming product to prevent its accidental or unauthorized use. One example is tagging and moving the nonconforming product to a controlled enclosure away from the production area.
If nonconforming product is accepted under concession, the records of the identity of the person authorizing the concession must be maintained.
If nonconforming product has been detected after a product has been released and put into use the organization must consider the risks associated with the device and may need to consider an advisory notice or recall.
The evaluation of a nonconformity must include a determination of the need for an investigation and notification of the persons or organizations responsible for the nonconformity, such as a supplier. Ensure that the organization has adequately established an interface / interaction between the processes for the identification of non-conforming product and the processes for corrective action. These interactions should be evident in the quality manual.
Link: Measurement, Analysis and Improvement
The audit team should be mindful of any instances where the acceptance of nonconforming product has led to finished devices not meeting specified requirements. This information can often be found in records of acceptance activities and complaint records. During the review of the organization’s corrective and preventive actions, the auditors may have noted instances
where nonconforming products were found to be the underlying cause of quality problems and complaints. The audit team should consider reviewing the organization’s handling and evaluation of nonconforming products that were determined to be the underlying cause of quality problems. Ensure that the analysis of data regarding nonconforming product is considered as an input to the organization’s Measurement, Analysis and Improvement process and that corrective or preventive actions have been implemented when necessary.
Clause and regulation: [ISO 13485:2016: 8.3.4; RDC ANVISA 16/2013: 6.5.3; MHLW MO169: 60; 21 CFR 820.90(b)]
Additional country-specific requirements: None
Assessing conformity:
The audit team may encounter instances where the organization has chosen to address nonconforming product by means of reworking the component, subassembly or finished device. The organization must have suitable approved procedures in place to address nonconforming product destined for rework. Reworked product must be re-evaluated or re-tested to ensure it meets its original specified requirements. Rework must be documented.
Be mindful of instances where the underlying cause of quality problems, such as complaints that finished devices do not meet specified requirements, are traced to devices that have been reworked. This can be an indication that the rework process was not adequate to ensure the finished device meets specifications.
Additionally, rework of products manufactured using validated processes can be an indication that
the process cannot consistently produce product that meets specified requirements. If the audit team notes a pattern of reworking products that are manufactured using a validated process, consider reviewing the process validation to confirm that the organization has data to show the process is effective, reproducible, and stable; and that the organization is operating the process within the validated parameters.
Clause and regulation: [ISO 13485:2016: 7.5.8, 7.5.11; TG(MD)R Sch1 P1 5; RDC ANVISA 16/2013: 5.2.1,
6.1.1, 6.2.1; CMDR 14; MHLW MO169: 47, 52; 21 CFR 820.130, 820.140, 820.150, 820.160(a)]
Additional country-specific requirements: None
Assessing conformity:
The organization must have a documented system that defines product handling requirements at all stages of manufacturing to prevent mix-ups, damage, and deterioration. This can include specified requirements for storage and shipping to ensure the preservation of the product to its destination. For example, an in-vitro diagnostic device may need to be stored and shipped in a frozen state to maintain proper shelf-life of the reagents. These handling requirements should have been considered during the planning of product realization for the device. When necessary, confirm that the needed control measures are implemented to ensure the conformity of product to its specified requirements.
Clause and regulation: [ISO 13485:2016: 4.2.1, 5.2, 7.2.2, 7.5.9; RDC ANVISA 16/2013: 6.3; MHLW MO169: 6, 11,
28, 48, 49; 21 CFR 820.160(a)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the manufacturer maintains distribution records which include or make reference to: the name and address of the consignee, the identification and quantity of products shipped, the date of dispatch, and any numerical control used for traceability [ANVISA RDC 6.3].
Canada (HC):
Verify that the manufacturer maintains distribution records that contain sufficient information to permit complete and rapid withdrawal of the medical device from the market [CMDR 52-53].
Verify that distribution records of a device are retained by the manufacturer in a manner that will allow for timely retrieval, for the longer of (a) the projected useful life of the device; and (b) two years after the date the device was shipped [CMDR 55-56].
United States (FDA):
Verify that the manufacturer maintains distribution records which include or refer to the location of the name and address of the initial consignee, the identification and quantity of devices shipped; and any control numbers used [21 CFR 820.160(b)].
Assessing conformity:
The organization must maintain distribution records which include or refer to the location of the initial consignee, the identification and quantity of devices shipped, the date shipped, and any control numbers used.
Clause and regulation: [ISO 13485:2016: 7.5.3; RDC ANVISA 16/2013: 8.1; MHLW MO169: 42; 21 CFR 820.170]
Additional country-specific requirements: None
Assessing conformity:
When a device must be installed for suitable functioning, the organization must establish procedures and instructions to ensure proper installation. These instructions must be made available to personnel performing the installation. Installation activities must be documented.
In the absence of identified quality problems related to the installation of the selected device, the audit team may choose to limit the review of the installation process to confirming the necessary procedures are in place.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.5.4, 8.4; RDC ANVISA 16/2013: 8.2; MHLW MO169: 6, 43, 61; 21
CFR 820.200]
Additional country-specific requirements: Brazil (ANVISA):
Confirm that the manufacturer has established and maintains procedures to ensure that records of servicing activities are kept with the following information: the product serviced; the control number of the product serviced; the date of completion of service; identification of the service provider; description of service performed; and results of inspections and tests performed [RDC ANVISA 16/2013: 8.2.1].
Verify that the manufacturer periodically reviews the records of servicing activities. In cases where the analysis identifies trends that pose danger or records involving death or serious injury, a corrective or preventive action must be initiated [RDC ANVISA 16/2013: 8.2.2].
United States (FDA):
Verify that each manufacturer who receives a service report that represents an event that must be reported to FDA as a medical device report automatically considers the report a complaint [21 CFR 820.200(c)].
Confirm that service reports are documented and include the name of the device serviced, any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used; and the date of service [21 CFR 820.200(d)].
Assessing conformity:
When servicing is a specified requirement, the organization must define and maintain procedures, instructions, and processes for performing and verifying that servicing activities meet specified requirements.
When organizations implement servicing programs, the organization must ensure components used for repair are acceptable for the intended use, inspection and test procedures are available, and test equipment is properly maintained to ensure serviced devices will perform as intended after servicing. Personnel performing service activities must have the appropriate training.
The audit team may observe instances where nonconformities occurred and/or complaints were received after the servicing of the device. This can be an indication that the service activity was not properly controlled or that service personnel do not have the proper equipment, instructions, or training to perform the required service.
Service reports can be an important source of quality data for input into the organization’s Measurement, Analysis and Improvement process. When necessary, confirm data regarding service reports is analyzed for possible corrective action or preventive action. Service reports must also be analyzed to determine if the service event represents an adverse event that is reportable to regulatory authorities.
In some instances, product complaints may be initially recorded by the organization as a service report. For example, a user may report to the device manufacturer that a patient blood parameter monitoring device is not working correctly and requires service. Upon receipt of the device from the user by the organization’s service function, the service function notes the reason the monitoring device is not working is that an essential component within the device failed prematurely. This service report should be considered by the organization to be a complaint and analyzed by the manufacturer to determine if an adverse event report needs to be submitted to regulatory authorities.
Link: Measurement, Analysis and Improvement
During the audit of the organization’s Measurement, Analysis and Improvement process, the
audit team may have already confirmed that quality data from the analysis of servicing activities is analyzed for possible corrective or preventive action. When reviewing the organization’s service reports, the audit team should be mindful of service reports that appear to be product complaints. Ensure that service reports that appear to be complaints have been appropriately addressed.
In some instances, a similar quality problem for a particular device may be found in the service reports and the complaint records. In these instances, confirm that the organization is taking appropriate corrections and/or corrective actions considering a similar quality problem is observed in multiple data sources.
Clause and regulation: [ISO 13485:2016: 7.1, 7.5.1, 7.5.3, 7.5.4, 7.5.11; TG(MD)R Sch1 P1 2; RDC ANVISA
16/2013: 2.4; MHLW MO169: 26, 40, 42, 43, 52; 21 CFR 820.160(a), 820.170(a), 820.200(a)]
Additional country-specific requirements: None
Assessing conformity:
The requirements for delivery, installation, and servicing of a particular device should have already been evaluated and addressed by the organization during design and development and planning for product realization. If risk control measures were identified involving the delivery, installation, and servicing for a particular device, confirm that the necessary processes have been implemented to ensure the risk control measures are in place. For example, an organization may have identified that in order for a medical imaging device to give accurate images, servicing must
be performed by trained personnel according to specific instructions. Risk control measures might include warnings on the imaging device that only authorized personnel should service the device and the design of a unique tool to access the inside of the device that is only provided to authorized service personnel.
Clause and regulation: [ISO 13485:2016: 5.1, 5.2; RDC ANVISA 16/2013: 2.2.1; MHLW MO169: 10, 11]
The intent of the Purchasing process is to ensure that purchased, subcontracted, or otherwise received products and services conform to specified requirements. The organization is expected to establish and maintain documented controls for planning and performing purchasing activities.
The controls necessary depend on the effect of the product on the quality, safety, and effectiveness of the finished device. Effective purchasing processes incorporate purchasing requirements and specifications, the selection of acceptable suppliers based on the capability of the suppliers to provide acceptable product, the performance of necessary acceptance activities, and maintenance of the required quality records.
The management representative is responsible for ensuring that the requirements of the quality management system have been effectively defined, documented, implemented, and maintained. Prior to the audit of any MDSAP process, interview the management representative (or designee) to obtain an overview of the process and a feel for management’s knowledge and understanding of the process.
The Purchasing process is integral to the other processes of the MDSAP audit sequence. As the audit is being performed of the organization’s Measurement, Analysis and Improvement process, Design and Development process, and Production and Service Controls process, the audit team should be assessing the affect purchased product has on the quality of the finished device. The audit team should be using information learned about actual and potential product and process nonconformities during the audit of the Measurement, Analysis and Improvement process, higher risk elements and essential design outputs from the design projects reviewed during audit of the Design and Development process, in addition to significant outsourced product and production processes identified during the audit of the Production and Service Controls process to make decisions as to supplier evaluation files to be reviewed during the audit of the Purchasing process.
The organization’s Purchasing process may be reviewed in conjunction with the Measurement, Analysis and Improvement process, the Design and Development process, and the Production and Service Controls process, being mindful of the MSDAP process linkages. The Purchasing process should be considered a critical process for those organizations that outsource essential activities such as design and development and/or production to one or more suppliers.
(e.g. sterilization services). Suppliers include those providers of any product received from outside the manufacturer, including corporate or financial affiliates, where the product has an effect on subsequent product realization or the final product.
Defined, documented and implemented procedures to ensure purchased or otherwise supplied products conform to specified purchase requirements
Established criteria for the selection, evaluation and re-evaluation of suppliers based on the type and significance of the product purchased and the impact of the supplied product on subsequent product realization or the quality of the finished device
Performed the evaluation and selection of suppliers based on the capability of the supplier to meet specified requirements
Ensured the continued capability of suppliers to provide quality products that meet specified purchase requirements through re-evaluation
Determined and implemented an appropriate combination of controls applied to suppliers in conjunction with acceptance verification activities to ensure conformity to product and quality management system requirements, based on the impact of the supplied product on the finished device
Links to Other Processes: Management; Design and Development; Measurement, Analysis and Improvement; Production and Service Controls
Clause and regulation: [ISO 13485:2016: 4.1.2, 4.1.3, 4.1.5, 7.1, 7.4.1, 7.4.2, 7.4.3; TG(MD)R Sch1 P1 2, Sch3 P1
Cl1.4(5)(d)(ii); RDC ANVISA16/2013: 2.5.1, 2.4; MHLW MO169: 5, 26, 37, 38, 39; 21 CFR 820.20, 820.50]
Additional country-specific requirements: None
Assessing conformity:
In planning product realization, the organization must determine as appropriate the quality objectives and requirements for the purchased products, the processes, documents, and resources specific to the purchased products, the criteria for purchased product acceptance, and the required verification, monitoring, inspection, and test activities specific to the purchased products. Planning of product realization often begins in the design and development of the product, including the translation of the design into production specifications. The translation of the design into production specifications includes the establishment of specified requirements for purchased product.
Quality objectives are typically expressed as a measurable target or goal. The planning of product realization should include consideration of how the purchased product, the criteria for purchased product acceptance, and the required verification, monitoring, inspection, and test activities specific to the purchased product will achieve the quality objectives.
Links: Design and Development, Management
During the review of a design project, confirm that the organization has considered the effect of purchased product on the essential design outputs. For suppliers that provide product and services related to the essential design outputs, the degree of purchasing controls necessary is commensurate with the effect of the supplied product on the proper functioning of the finished device. During the audit of the Purchasing process, confirm when necessary that the degree of control over suppliers of purchased product has been made based on the risk the supplied product poses to the ability of the finished device to meet specified requirements.
Additionally, confirm when necessary that the quality objectives related to the purchased product were considered for inclusion in management review.
Priority criteria for selection:
Indications of problems with supplied products or processes from audit of the Measurement, Analysis and Improvement process
Suppliers who provide products or services that directly impact the design outputs required for proper functioning of the device
Suppliers of processes that require validation or revalidation
Newly approved suppliers of products or services
Suppliers of products or services used in the manufacturing of multiple products
Suppliers of components or services not covered during previous audits
Clause and regulation: [ISO 13485:2016: 7.4.1; TG(MD)R Sch3 P1 Cl1.4(5)(d)(ii); RDC ANVISA 16/2013: 2.5.1; MHLW MO169: 37; 21 CFR 820.50]
Additional country-specific requirements: None
Assessing conformity:
The organization must define, document, and implement procedures to ensure that purchased product conforms to specified requirements. These procedures commonly contain information as to the mechanisms by which the organization is going to categorize suppliers based on the risk the supplied product has on the ability of the finished device to meet specified requirements, the criteria the organization intends to use to evaluate the suppliers, the means of determination that a supplier is acceptable, the methods for supplier monitoring, the requirements for re-evaluating suppliers, and the means by which a supplier might be determined to be unacceptable.
It is important to remember that the requirements for purchasing controls apply to all product received from an outside source by the finished device manufacturer that have an impact on product realization, whether a payment occurs or not, and regardless of the corporate or financial affiliation between the supplier and finished device manufacturer.
Clause and regulation: [ISO 13485:2016: 7.4.1; RDC ANVISA 16/2013: 2.5.2, 2.5.3; MHLW MO169: 37; 21
CFR 820.50]
Additional country-specific requirements: None
Assessing conformity:
The type and extent of control applied to the supplier must take into consideration the affect the supplied product has on the finished device. Procedures commonly contain methods to categorize suppliers, based on the importance of the supplied product to the proper functioning of the finished device and the past history (if applicable) of the supplier.
Be mindful of organizations that use a “one-size-fits-all” approach to managing their suppliers, as these systems may not provide the necessary amount of evaluation and oversight over suppliers of products essential for the proper functioning of the finished device.
The organization must define, document, and implement procedures outlining the criteria for the selection, evaluation and re-evaluation of suppliers. The procedures for supplier evaluation and selection typically include such items as the methods by which suppliers will be evaluated and the means and frequency by which supplier performance will be monitored.
The evaluation of suppliers must provide a means to assess the capability of the supplier to supply products that meet specified requirements. The organization can assess a supplier’s capability to supply quality product in a number of ways, including but not limited to performing supplier audits, first-article inspections, supplier surveys, and reviewing the supplier’s past history in supplying a similar product or service if applicable.
The organization may also choose to consider the supplier’s conformity with quality management system requirements through third party certifications; however, third party certification should not be relied on exclusively in initially evaluating a supplier.
Controls over suppliers of sterilization processes
For devices intended to be sterile, the organization must determine the criteria the supplier must meet to be selected, with regards to the control of the sterility of the device and perform selection and monitoring of suppliers considering the identified criteria.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.1, 7.4.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013:
2.3,3, 2.5.3, 2.4; MHLW MO169: 6, 26, 37; 21 CFR 820.50(a)]
Additional country-specific requirements: Australia (TGA):
If the manufacturer outsources to the Australian Sponsor; a quality management system requirement, an obligation on the manufacturer from the Australian regulations, or where the manufacturer appoints the Sponsor to act on their behalf for dealings with the TGA, verify that the manufacturer treats the Sponsor as a supplier and has adequate supplier controls included in a written agreement [TG Act 41FN] for those activities. For example, making applications on behalf of the manufacturer to the TGA [TG Act s41EB], representing the manufacturer in interactions with the TGA [TG Act s41FN(3)], adverse event reporting, as the first point for handling customer complaints, or as an intermediary in recalls of products [TG(MD) Regs Schedule 3 - Part 1:1.4(3)], in the notification of substantial changes to a kind of medical device (TG Act s41BE) that may require a variation to an entry in the Australian Register of Therapeutic Goods (TG Act s9D), for the provision of records [TG(MD) Regs Schedule 3 - Part 1:1.5, 1.9 ], or other matters that may be required to allow the Sponsor to fulfill market authorisation conditions [TG Act Part 4-5 Div 2].
Canada (HC):
Verify that any regulatory correspondent used by the manufacturer is treated as a supplier and is adequately qualified.
Japan (MHLW):
(For Marketing Authorization Holder)
If the Marketing Authorization Holder (MAH) has outsourced any process that affects product conformity with requirements, to a Registered Manufacturing Site(RMS), then verify the MAH has performed the necessary verification that the RMS has an appropriate quality management system. If the site of a supplier is a Registered Manufacturing Site, then verify the MAH has performed the necessary verification that the supplier has an appropriate quality management system [MHLW MO169: 65].
(For Registered Manufacturing Site)
If the RMS has outsourced any process that affects product conformity with requirements, to another RMS, then verify the outsourcing RMS has performed the necessary verification that the outsourced RMS has
an appropriate quality management system. If the site of a supplier is a RMS, then verify the purchase controlling RMS has performed the necessary verification that the supplier has an appropriate quality management system [MHLW MO169: 65].
Assessing conformity:
The selection of suppliers must be based on defined criteria. An important concept to remember is that quality cannot be inspected or tested into products. Finished device manufacturers who choose to conduct product quality control solely in-house must still assess the capability of suppliers to provide acceptable product.
Some organizations require suppliers to maintain various types of certifications or registrations. While registrations and third-party certifications may be considered in supplier evaluations, the organization should not exclusively rely on these methods to perform the initial evaluation of suppliers.
For the supplier(s) the audit team has chosen to review, confirm that the organization’s selection of the supplier was based on defined criteria commensurate with the risk posed if the supplied product causes the finished device to not meet specified requirements.
The organization must maintain records of the evaluation of the capability of the supplier to meet specified requirements. The records should include the mechanism by which the supplier was evaluated, the results of the evaluation, and the determination of whether the supplier was deemed to be acceptable.
For the supplier(s) the audit team has selected, review the organization’s evaluation of the supplier(s). Confirm that the evaluation was made according to defined
criteria and is commensurate with the effect the supplied product has on the essential design outputs.
Links: Design and Development, Production and Service Controls
The establishment of the necessary purchasing controls and required acceptance activities is a design output. The degree of the purchasing controls necessary and extent of acceptance activities should be based on the risk posed by the product not meeting its specified requirements and essential design outputs.
Auditors may encounter situations where the organization outsources processes that require validation.
During the review of the Purchasing process, review the controls the organization has instituted over suppliers that perform validated processes. This typically includes confirming that the finished device manufacturer has reviewed the process validation data generated by the supplier to ensure the process is effective, reproducible, and stable. This can be particularly important for higher risk validated processes performed by suppliers, since the finished device manufacturer does not have immediate control over those processes.
The audit team should also consider reviewing the purchasing controls and requirements for suppliers of products that undergo minimal acceptance activities at the device manufacturer.
Clause and regulation: [ISO 13485:2016: 7.4.1; RDC ANVISA 16/2013: 2.5.3; MHLW MO169: 37; 21 CFR 820.50(a)]
Additional country-specific requirements: None
Assessing conformity:
The organization must define and implement processes to monitor the performance of suppliers. The monitoring of supplier performance should not be based solely on cost considerations or on- time deliveries. The monitoring of suppliers should take into consideration the actual performance of the supplier in terms of providing products that meet specified requirements. Examples of supplier monitoring activities may include, but are not limited to supplier re-audits, statistical analysis of incoming acceptance results, monitoring of complaints and nonconformities related to supplied product, independent confirmation of certificate of conformance data, and consideration of the supplier’s responses to requests for corrective action.
In order for the supplier to maintain a status as an acceptable supplier, the supplier must be capable of supplying product that consistently meets the manufacturer’s specified requirements. If supplier monitoring does not demonstrate that the supplier has the capability to provide acceptable products, the organization must have a means to undertake appropriate action, including such activities as requesting corrective action from the supplier, and in some cases, removing the supplier from records of acceptable suppliers.
For the supplier(s) the audit team has chosen to review, confirm that the supplier monitoring is documented and reviewed by the appropriate individuals responsible for supplier selection.
97
Be particularly mindful of instances where supplied product has caused complaints and/or product nonconformities. Verify that the organization has performed the appropriate monitoring of the supplier and taken actions when necessary, such as requesting the supplier undertake a corrective action.
Links: Production and Service Controls, Measurement, Analysis and Improvement Organizations are expected to define, document, and implement systems and procedures for acceptance activities to verify that supplied products conform to specified requirements. Effective acceptance procedures and systems directly affect the ability of an organization to demonstrate that supplied products meets specifications.
During the audit of the Production and Service Controls process, confirm that the appropriate acceptance activities have been implemented and monitored to ensure the received product meets specified requirements.
Additionally, organizations are required to determine, collect, and analyze appropriate data to demonstrate the ability of suppliers to provide acceptable product. During the audit of the Measurement, Analysis and Improvement process, confirm that analysis of supplier performance data has been performed and considered for corrective or preventive action when necessary.
Clause and regulation: [ISO 13485:2016: 7.4.1; TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.5.2, 2.4;
MHLW MO169: 37; 21 CFR820.50(a)]
Additional country-specific requirements: None
Assessing conformity:
Organizations must implement the appropriate combination of supplier evaluation, supplier monitoring, and acceptance activities to provide the necessary confidence in the acceptability of supplied product. However, supplier evaluation is not a “one-time” assessment. The organization must ensure the continued capability of the supplier to provide product that meets specified requirements. The frequency of re-evaluation must be performed according to the organization’s procedures and at intervals consistent with the significance of the product or service on the finished device. The frequency of re- evaluation may change based on identified quality problems with the supplied product.
For the supplier(s) the audit team has chosen to review, confirm that the re-revaluation of the supplier was performed commensurate with the risk the supplied product poses to the ability of the finished device to meet specifications.
Link: Measurement, Analysis and Improvement
The frequency and extent of supplier re-evaluation activities may be based, in part, on the performance of the supplier as demonstrated by such activities as statistical monitoring of the supplier, monitoring of complaints and nonconformities related to supplied product, and corrective or preventive actions related to the supplier.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.4.2, TG(MD)R Sch1 P1 2; RDC ANVISA 16/2013: 2.4,
2.5.4, 2.5.6; MHLW MO169: 6, 38; 21 CFR 820.50(b)]
Additional country-specific requirements: Brazil (ANVISA):
Confirm that purchase orders are approved by a designated person. This approval, including date and signature, shall be documented [RDC ANVISA 16/2013: 2.5.4].
Assessing conformity:
Purchasing information is commonly provided to suppliers in documents such as, but not limited to, specification sheets, drawings, contracts, purchase orders, and quality agreements. The amount of detail required in the purchasing information must be commensurate with the effect of the supplied product on the performance of the finished device.
The finished device manufacturer is responsible for the quality and performance of the finished device. The specified requirements for the finished device cannot be met unless the individual parts of the finished device meet specifications. While the finished device manufacturer may require certain risk management activities to be adopted by the supplier to help ensure acceptability of incoming product, the ultimate responsibility for the finished device is borne by the finished device manufacturer. The finished device manufacturer is responsible for identifying any risk control measures that are required for the supplied product. For suppliers that provide product and services related to the essential design outputs, the degree of necessary risk control measures is commensurate with the effect of the supplied product on the proper functioning of the finished device.
Some examples of risk control measures related to supplied product include, but are not limited to, requiring the supplier to use quality assurance procedures approved by the device manufacturer, the establishment of inspections or testing of supplied product before shipment to the manufacturer, requiring each incoming shipment be accompanied by a certificate of conformance, periodic verification of the certificate of conformance by third-party laboratory analysis, implementation of acceptance activities at the finished device manufacturer based on the risk the supplied product poses to the ability of the finished device to meet specifications, and the verification of validation data by the finished device manufacturer for validated processes performed by a supplier.
For the supplier(s) files the audit teams has selected for review, confirm that risk control measures have been identified when appropriate and the risk control measures have been implemented and are effective. If the auditor(s) observe that supplied product has been identified as an underlying cause of complaints and nonconformities, this can be an indication that the risk control measures are inadequate or ineffective.
Clause and regulation: [ISO 13485:2016: 7.4.2, 7.5.9; RDC ANVISA 16/2013: 2.3.3, 2.5.4, 2.5.5, 6.4; MHLW
MO169: 38, 48, 49; 21 CFR 820.50(b), 820.65, 820.160]
Additional country-specific requirements: None
Assessing conformity:
Purchasing information must describe the product to be purchased, including (when appropriate) the requirements for approval of product, procedures, processes, and equipment, the requirements for qualification of personnel, and quality management system requirements related to the purchased product. Where possible, the purchasing information must contain an agreement that the supplier agrees to notify the manufacturer of changes in products or services that may affect the quality of the finished device. The manufacturer should approve or reject these changes, based on the impact of the change on the essential design outputs of the finished device.
Purchasing information may be recorded in written or electronic format, but must be documented.
It is the responsibility of the organization to establish procedures for traceability. For devices that are not implanted and are not life-supporting or life-sustaining, the organization has the flexibility to determine which raw materials and components are required to be traceable, commensurate with the risk posed by the device in the event the component does not meet specified requirements.
Manufacturers of finished devices whose failure could result in serious injury or harm to the user, or are implanted or life-supporting or life-sustaining must implement a traceability system. The traceability system must allow for each batch of finished devices to be traced by a control number or similar mechanism throughout the distribution chain. Organizations must provide for the control and traceability of components and materials used in the manufacture of the device when these could cause the finished device to not meet specified requirements.
The determination of which components and raw materials may be required to be traceable may be made by the organization using risk management tools, such as risk analysis, or by the identification of the components and processes used to fulfill the essential design outputs.
Clause and regulation: [ISO 13485:2016: 4.2.1, 7.1, 7.4.3; TG(MD)R Sch1 P1 2, Sch3 1.4(5)(e); RDC ANVISA
16/2013: 2.4, 2.5.2, 3.35.3.1, 5.3.2, 5.3.3; MHLW MO169: 6, 26, 39; 21 CFR 820.50, 820.80(b)]
Additional country-specific requirements: Brazil (ANVISA):
Verify that the manufacturer has established and maintains procedures to ensure the retention of components, raw materials, in-process products and returned products until inspections, tests or other specified verifications have been performed and documented [RDC ANVISA 16/2013: 5.3.3].
Assessing conformity:
The organization must establish an appropriate combination of supplier assessment and receiving acceptance activities to ensure products and services, including sterilization services are acceptable for their intended use. After a supplier has been approved, the necessary acceptance activities for the supplied product must be implemented. The degree of acceptance activities may vary with the type and significance of the product or service on the quality of the finished device and the extent of measures performed by the supplier to ensure product acceptability.
Organizations are expected to define, document, and implement processes and procedures for acceptance activities to verify that supplied products conform to specified requirements. Recognized acceptance activities include, but are not limited to, inspections, tests, reviews of certificates of analysis, and supplier audits. Effective acceptance procedures and systems directly affect the ability of an organization to demonstrate the process and product meet specifications.
It is important to remember that acceptance activities apply to any incoming component, subassembly, or service, whether a payment occurs or not, and regardless of the manufacturer’s financial or business arrangement with the supplier.
The records of verification activities must show the supplied product is in conformity with specified requirements. If nonconformities are found by the organization, confirm the organization has appropriately handled the nonconformity according to the organization’s established procedures.
The organization can address nonconforming product by taking action to eliminate the detected nonconformity (e.g. sorting an incoming lot of components to remove components that do not meet specifications), authorizing its use, release, or acceptance under concession, or by taking action to prevent its original intended use (e.g. allowing the components to be used as training aids to show production personnel the difference between an acceptable and unacceptable component).
For the supplied product(s) the audit team has chosen to review, confirm the records of verification activities have been maintained. One way to perform this task is to request a sample of verification records for the chosen product and confirm the acceptance activities have been documented, including the documentation and appropriate disposition of nonconforming product.
Link: Production and Service Controls
The audit team may encounter instances where product has been deemed acceptable by the successful completion of acceptance activities but the product is later shown to not meet specified requirements (e.g. failure of the device due to nonconforming component leading to product complaint). This can be an indication that the acceptance activities are not sufficient to identify nonconformities; or were not appropriately conducted. Confirm that the organization has taken the appropriate action to determine the suitability of the acceptance activities. For example, the organization may need to validate the test method used for incoming acceptance to ensure the test method is actually capable of identifying nonconforming product.
Clause and regulation: [ISO 13485:2016: 8.4; RDC ANVISA 16/2013: 7.1.1.1; MHLW MO169: 61; 21 CFR
820.100]
Additional country-specific requirements: None
Assessing conformity:
The organization is responsible for assuring the supplied product meets specified requirements. In addition to supplier evaluation, the assurance that the supplied product meets specified requirements is accomplished with the implementation of appropriate acceptance activities and monitoring complaints and nonconformities associated with purchased product. The data regarding acceptance activities and nonconformities must be analyzed as appropriate to determine the need for corrective or preventive action.
Links: Measurement, Analysis and Improvement
The organization must determine the appropriate acceptance activities for supplied product, based on the essential design outputs of the device and the risk the device poses if specified requirements are not met. Confirm as necessary that supplied product was evaluated as to the effect on the essential design outputs. Additionally, verify that the appropriate acceptance activities were implemented based on the potential effect the supplied product poses to the essential design outputs.
Organizations are required to determine, collect, and analyze appropriate data to demonstrate the ability of suppliers to provide acceptable product. During the audit of the Measurement, Analysis and Improvement process, confirm that analysis of supplier performance data from evaluation and monitoring supplier process activities has been performed and considered for corrective or preventive action when necessary.
Clause and regulation: [ISO 13485:2016: 4.1.3, 4.1.5, 5.2; RDC ANVISA 16/2013: 2.2.1; MHLW MO169: 5,
11]
Medical Device Single Audit Program Annex 1
Audit of Technical Documentation
The requirements for Auditing Organizations in IMDRF/MDSAP WG/N3FINAL:2016 (Edition
include, to the extent possible during on-site audits and in accordance with the applicable regulatory system, aspects of evaluation including:
product/process related technologies (e.g. injection molding, sterilization); and
evidence of adequate product technical documentation in relation to relevant regulatory requirements.
It should be noted that:
IMDRF/MDSAP WG/N3FINAL:2016 (Edition 2) does not provide additional requirements for product certification (ISO/IEC 17065:2012) or the requirements of product testing (ISO/IEC 17025:2005).
The following is explicitly excluded from the scope of IMDRF/MDSAP WG/N3FINAL:2016 (Edition 2) due to the lack of regulatory convergence:
the premarket reviews (e.g. Design Dossier Examinations, Premarket Applications, Shounin Applications, Product Registration/Notifications) typically performed by product specialist(s); and,
the final decisions of safety and performance/effectiveness of a medical device made by any Regulatory Authority.
Definitions Technical Documentation:
Documented evidence, normally an output of the quality management system (QMS), which demonstrates compliance of a device to the regulatory requirements for products and processes.
(Adapted from IMDRF/ MDSAP WG/ N3FINAL:2016 (Edition 2) – Section 3.5)
An individual who carries out the following functions at an Audit:
evaluation of product/process related technologies;
evaluation of Technical Documentation;
evaluation of compliance with Regulations.
(IMDRF/ MDSAP WG/ N3FINAL:2016 (Edition2) – Table 1) MDSAP Requirements
IMDRF/ MDSAP WG/ N3FINAL:2016 (Edition 2)
Clause 7.1.2 - An Auditing Organization shall have access to the necessary administrative, technical, and scientific personnel with technical knowledge and sufficient and appropriate experience relating to medical devices and the corresponding technologies.
Clause 7.1.5 - An Auditing Organization shall be capable of carrying out all the tasks assigned to it with the highest degree of professional integrity and the requisite technical competence in the specific field, whether those tasks are carried out by the Auditing Organization itself or on its behalf and under its responsibility.
Clause 9.2.4 - Stage 2 audit objectives shall specifically include evaluation of:
the effectiveness of the manufacturer’s QMS incorporating the applicable regulatory requirements;
product/process related technologies (e.g. injection molding, sterilization);
adequate product technical documentation in relation to relevant regulatory requirements; and,
the manufacturer’s ability to comply with these requirements.
Clause 9.3.2 - Surveillance audit objectives during the audit cycle shall specifically include evaluation of the effectiveness of the manufacturer’s QMS incorporating the applicable regulatory requirements and the manufacturer’s ability to comply with these requirements. In addition:
new or changed product/process related technologies (e.g. injection molding, sterilization); and
new or amended product technical documentation in relation to relevant regulatory requirements.
Clause 9.4.1 - Recertification audit objectives shall specifically include evaluation of:
the effectiveness of the manufacturer’s QMS incorporating the applicable regulatory requirements;
product/process related technologies (e.g. injection molding, sterilization);
adequate product technical documentation in relation to relevant regulatory requirements; and
the manufacturer’s continued fulfillment of these requirements.
Clause 4.2.3 – Medical Device File
For each medical device type or medical device family, the organization shall establish and maintain one or more files either containing or referencing documents generated to demonstrate conformity to the requirement of this International Standard and compliance with applicable regulatory requirements.
The content of the file(s) shall include, but is not limited to:
general description of the medical device, intended use/purpose, and labelling, including any instructions for use;
specifications for product;
specifications or procedures for manufacturing, packaging, storage, handling and distribution;
procedures for measuring and monitoring;
as appropriate, requirements for installation;
as appropriate, procedures for servicing.
Clause 7.3.10 - Design and development files
The organization shall maintain a design and development file for each medical device type or medical device family. This file shall include or reference records generated to demonstrate conformity to the requirements for design and development and records for design and development changes.
Assessing Technical Documentation
The Medical Device File (ISO13485:2016 Cl 4.2.3) and the Design and Development Files (ISO13485:2016 Cl 7.3.10) are to contain or reference documents to demonstrate compliance with requirements for design and applicable regulatory requirements. For compliance with the requirements of N3(Ed2) these records should contain product technical documentation that includes, but not limited to:
Outputs from the design and development process, such as: design outputs, design verification data with acceptance criteria, design validation data with acceptance criteria, a risk management file, human factors analysis, software validation etc.),
Inputs to the production and service controls process, such as: device production specifications including appropriate drawings, composition, formulation, component specifications, and software specifications;
Specifications for a production processes including the appropriate equipment specifications, production methods, production procedures, and production environment specifications;
Quality assurance procedures and specifications including acceptance criteria and the quality assurance equipment to be used;
Specifications for packaging and labeling, including methods and processes used;
Procedures and methods for installation, maintenance, and servicing; and
Jurisdiction-specific statements (such as a declaration of conformity, statement on the presence of specific substances, essential principles checklist, etc.)
The information may be a compilation of documented information or, if the documents constituting the technical documentation are maintained separately, may be a summary that includes an explicit reference to each of these documents.
Auditors are not expected to fully evaluate the data that substantiates the final decisions of safety and performance/effectiveness of a medical device made by any Regulatory Authority. However the auditor is expected to apply the MDSAP model for the review of Technical Documentation when auditing:
the Design and Development Process (See Audit Task #3 and following, in chapter 5 of documents MDSAP AU P0002 – Audit Model, and MDSAP AU G0002.1 – Companion Document),
the Production and Service Controls Process (See audit task #16, in chapter 6 of documents MDSAP AU P0002 – Audit Model, and MDSAP AU G0002.1 – Companion Document); and
the Jurisdiction-specific statements identified in the Device Marketing Authorization and Facility Registration Process (See audit task #2, in chapter 2 of documents MDSAP AU P0002 – Audit Model, and MDSAP AU G0002.1 – Companion Document).
The Audit Model requires the auditor to select design documentation and manufacturing process documentation for review. The selection is to be based on information collected earlier in the audit, and taking into account the risks (risk classification) associated with the device, the novelty of technology used in the device and the associated manufacturing processes or sterilization methods, along with any changes to the device or associated manufacturing processes that have been implemented by the manufacturer since the last on-site audit, including non-reported changes controlled under the QMS. A minimum of one review should be undertaken per audit. Additional reviews may be undertaken if time permits or the auditor suspects that the technical documentation previously reviewed is not a representative sample. (See tasks #2 in chapters 5 and 6).
A technical documentation review is required at least at initial and recertification audits to verify that the manufacturer has established evidence of conformity with regulatory requirements. Surveillance audits should also confirm that the manufacturer has
arrangements in place to maintain the currency of the technical documentation for all devices. For example:
a procedure for reviewing the currency of relevant standards and conducting gap analyses as required;
a requirement to assess design changes and the need for further technical testing; and,
a plan for post-market clinical trials, where necessary, or periodic literature reviews.
The following table summarizes the tasks that an MDSAP auditor will use to review information that constitutes the Technical Documentation.
Information | Audit Model: Process, Task# |
Medical device general description, including variants and accessories | Design and Development, task #5, 7 |
Information that confirms that design and development outputs for the product are traceable to, and satisfy, design input requirements | Design and Development, task #7 |
Intended use, and indication of use, of the medical device | Design and Development, task #5, 7, 10, 11 |
Labelling, (i.e. information that accompanies a medical device that is located on the device, its packaging, the instructions for use and in promotional material) | Design and Development, task #1, 7, 8, 16 |
Confirmation that the product is a medical device | Device Marketing Authorization and Facility Registration, task #1 Design and Development, task #5 |
Classification | Device Marketing Authorization and Facility Registration, task #1 Design and Development, task #5 |
Risk management file | Design and Development, task #8 |
Pre-clinical data (studies in animal models, testing to support compliance with relevant standards, technical performance tests etc.) | Design and Development, task #10 |
Clinical evidence | Design and Development, task #11 |
Manufacturing processes | Design and Development, task #7, 16 Production and Service Controls, task #3, 16 |
Process validation | Design and Development, task #16 Production and Service Controls, task #7, 8, 9 |
Evidence of compliance with specified regulatory requirements for products or processes.1 | Device Marketing Authorization and Facility Registration, task #1 |
Device Marketing Authorization and Facility Registration, task #1 |
Note: this table may not exhaustively cover all information expected under all jurisdictions. Auditors are expected to verify:
the existence and the coherence of the information listed in this table;
the applicability of this information to the medical device subject to marketing authorization;
that the methods implemented throughout the Design and Development to generate this information are sound and commensurate to the risk associated with the medical device;
that conclusions are substantiated.
1 Australia - Essential Principles, Canada - Safety and Effectiveness Requirements
2 For Australia
Although the auditors are not expected to make final device safety and effectiveness decisions based on a review of technical documentation, if an auditor suspects that device safety and effectiveness concerns exist, or that the evidence supporting compliance with safety and effectiveness requirements is lacking, the concerns should be explicitly described in the audit report. If a public health threat is suspected, an early awareness communication notice (“MDSAP 5-day Notice”) must be submitted according to MDSAP AU P0027.001 Post-Audit Activities and Timeline Policy.
The depth and extent of this review should be commensurate with the classification of the medical device, the novelty of the intended use, the novelty of the technology or construction materials, and the complexity of the design and/or technology.
Expectations from participating Regulatory Authorities
Each participating regulator may have different requirements for the review of technical documentation and for the assessment of the adequacy of that technical documentation at audit.
If inadequacies are identified, nonconformities should be raised in the normal manner, using the most specific and relevant clause of ISO13485, [see especially ISO 13485:2016
§4.2.3 and §7.3.10] including those raised against technical documentation under country specific requirements [see ISO 13485:2016 §4.2.1.e, §7.2.1.c or §7.3.3.b]. Refer GHTF SG3 N19 for further guidance on the grading of nonconformities. NCs from the review of technical documentation shall be included in the Nonconformity Grading and Exchange Form (MDSAP AU F0019.2)
Further guidance on the expectations for the evidence of compliance with regulatory requirements is provided in the following sections.
The assessment of product requirements for Australian Class I (supplied sterile), I (with a measuring function), IIa and IIb medical devices, and Class 1-3 IVDs, is performed by the regulator on a sampling basis prior to market authorization; hence technical documentation review is expected to be performed in the context of audit to increase the pool of sampled devices and strengthen the sampling based approach. Technical documentation review should take into consideration the provisions of IMDRF/MDSAP WG/N3 – 9.3.1. This documentation shall contain sufficient detail to allow for an evaluation of the data and for the purpose of demonstrating:
fulfillment of the requirement; or
where an appropriate standard exists, fulfilment of the requirements of the relevant Standard that the manufacturer has chosen as the means for demonstrating compliance with regulatory requirements for products and processes
In the case of Class III, Active Implantable and Class 4 In Vitro Diagnostic medical devices
that have been subject to a Design Examination separately from the QMS audit, the on-site audit should ensure that the technical documentation for these devices is maintained.
The technical documentation should contain, or reference, evidence of compliance with the Essential Principles and the following requirements. An Essential Principles checklist3, although not mandatory, is often used as an index to identify the applicable Essential Principles, any standard or validated method that has been used to demonstrate compliance, and a reference to the document that contains the evidence of compliance.
The assessment of each set of technical documentation selected for compliance with the Essential Principles, as a minimum, should consist of a review of:
A detailed description of the product, including the intended use, intended user, risk classification and assigned Global Medical Device Nomenclature (GMDN) code.
For IVD medical devices, the description should also include specimen types, a list of kit components, methodology and any instrumentation to be used;
an index of the compilation of documents, or if documentation is not collated, a reference to the relevant documentation;
a risk management file (e.g. select a particular risk and confirm that it has been managed in accordance with the requirements of ISO 14971);
selected report(s) of pre-clinical data and/or bench testing (including studies in animal models, testing to support compliance with relevant standards, technical performance and safety tests for electrical safety, mechanical safety, radiation safety etc.) identified by the manufacturer as evidence of compliance with relevant Essential Principles;
a selected clinical evaluation report to confirm that it is current and was prepared by an appropriately qualified expert ;
any other documentation required for the type of device (e.g.- special requirements for devices incorporating medicinal substances or materials of animal origin);
the information that accompanies a device (labelling, instructions for use);
the declaration of conformity (this may be in a draft form for development devices that do not have marketing authorization).
Brazilian regulations require that product registration/market authorization is entirely performed by ANVISA for all medical device classes.
ANVISA expects that the Auditing Organization follows the Audit Model for reviewing technical documentation, including the Brazilian specific requirements defined in the document MDSAP AU P0002.003 – Audit Model. There are no additional requirements to
3 For reference, manufacturers may choose to complete an Essential Principles Checklist as one way of indexing their evidence of conformity to requirements. The checklist is not mandatory however it provides a succinct way of identifying the relevant evidence. A sample template is available at http://www.tga.gov.au and by searching for “Essential Principles Checklist”
be reviewed during an MDSAP audit.
The Medical Devices Bureau, Health Canada has assigned the responsibility for the review of technical documentation to the Devices Evaluation Division. For Health Canada the objective of the audits conducted by MDSAP Auditing Organizations is to determine that manufacturers who intend to license their devices in Canada have implemented a QMS in conformity with the requirements of the international standard ISO 13485 and Part 1 of the Canadian Medical Devices Regulations. Similarly a holder of a medical device license is to maintain an effective QMS. Health Canada expects Auditing Organizations to confirm during their audits that the manufacturer maintains evidence of safety and effectiveness and not to make a determination that the devices are safe and effective.
The assessment of product requirements is performed prior to market authorization by the regulator or registered certification bodies, hence technical documentation review, as assessment of conformity to the Essential Principles of Safety and Performance of Medical Devices, is not performed in the context of MDSAP audit.
The US medical device regulations do not require a technical documentation as defined in the present document, although most data composing the technical documentation are direct output of the Design History File (820.30(j) and the Device Master Record (820.181).
Medical Device Single Audit Program
Audit of Requirements for Sterile Medical Devices
Overview:
The control of the sterility of a medical device is the result of a series of controlled processes including (but not limited to):
Design and Development:
device cleanliness and sterility requirements
compatibility of the device with the sterilization process
transport, storage, and presentation of the device at point of use o compatibility of the device packaging with the sterilization process o ability of the device to be sterilized or re-sterilized
shelf-life and device life user requirements
rationale for adding the device to a product family covered by a validated sterilization process
Production and Process Controls, as applicable:
process validation of the cleaning, sterile barrier packaging, and sterilization processes
routine monitoring and measurement of the cleaning, packaging and sterilization processes
routine acceptance criteria of the cleaning, packaging and sterilization processes
(re-)qualification, (re-)verification, (re-)calibration and maintenance of the cleaning, packaging and sterilization equipment
environmental control of production areas (cleanroom design and monitoring)
storage of device parts, components, and packaging material o storage of finished sterile product and management of shelf life o handling process of non-sterile device for re-sterilization
lot / batch release of terminally sterilized devices
Purchasing, depending on the purchased product or service:
Determination of criteria the supplier must meet to be selected, with regards to the control of the sterility of the device
Selection and monitoring of suppliers considering the identified criteria
Purchasing information
Verification of the purchased product/service (and associated documentation)
Therefore, the audit of the control of the sterility of a medical device requires a holistic approach.
Competencies:
It is up to the Auditing Organization to determine the competencies required to achieve the audit objectives and to assign a competent audit team. However, the AO should identify auditors and/or technical experts having the competencies identified below. The subsequent table identifies the competencies required to audit various aspects of sterilization.
The auditing of activities and processes contributing to the sterility of a medical device may involve the following competencies:
Microbiology: Ability to assess the validation of sterilization processes and methods regardless of the availability of an established standard (or the lack of such a standard). Ability to assess the validation of environmental and microbial contamination controls. Ability to assess the validation of packaging activities and sterile barrier systems. A person deemed to have this competency would likely be educated as a medical microbiologist.
Packaging and Sterile Barrier Systems: Ability to assess the validation of activities and processes for packaging and sterile barrier systems.
Environmental and Contamination Control: Ability to evaluate the adequacy of environmental and microbial contamination control programs.
Routine Sterilization: Ability to assess the validation of sterilization processes and methods where an existing established standard on the method exists other than aseptic processes. Ability to verify the implementation of non-standard sterilization activities and processes previously audited by someone having the microbiology competency. Ability to assess the implementation of activities and processes for packaging and sterile barrier systems previously audited by someone having the packaging and sterile barrier systems or microbiology competency. Ability to assess the implementation of environmental and microbial control activities previously assessed by someone having the microbiology or environmental and contamination control competency.
An auditor may possess several of these competencies
The following table summarizes the competencies required to audit the requirements for sterile medical devices:
Topic being evaluated | Microbiology | Packaging and Sterile Barrier Systems | Environmental and contamination control | Routine Sterilization |
Sterilization process (re-) validation according to well- established standards (excluding aseptic processes) | | | ||
Sterilization process (re-) validation according to less common standards, or using less common sterilant, sterilization technologies, validation methods (including aseptic processes) | | |||
Packaging process validation and sterile barrier systems | | | ||
Environmental and microbial contamination controls | | | ||
Routine implementation of sterilization processes according to previously audited validated | | |
processes | ||||
Routine implementation of environmental controls and monitoring (including maintenance) | | | | |
Routine implementation of packaging activities according to previously validated processes | | | |
Audit of the Requirements for Sterility and Audit Cycle Considerations:
All ISO 13485 and regulatory requirements for sterile medical devices must be audited at least once during the certification cycle. While Auditing Organizations have flexibility in deciding when these requirements are audited during the certification cycle, they should ensure that the requirements for sterility of a device have been audited before including this device in the scope of certification.
All sterilization methods used by a manufacturer should be covered throughout the certification cycle.
Objectives for the audit of requirements for sterile medical devices should include, but not be limited to, verification that:
all processes that contribute to a device’s sterility are controlled through the organization’s QMS and validation has been completed, where applicable (e.g. cleaning, disinfection, aseptic processing, sterile barrier systems, terminal sterilization, storage)
criteria for re-validation are defined and are followed, (e.g. at defined periodicity, following significant changes and trends)
processes are implemented and monitored to ensure compliance to their validated parameters
routine environmental and product cleanliness controls are implemented and monitored
results are consistent from batch to batch
batch records(e.g. a device history file) are maintained for each sterilization batch per an approved device master record
lot release is performed for each batch according to a procedure and by a designated person
adequate control of suppliers is observed where sterilization is outsourced (process for selection of critical suppliers defined and followed, valid agreements, supplier audits, etc.)
In the absence of significant changes with potential impact on the validated status or new (re)validation activities since the previous audit, the audit should be focused on records review to determine that the validated processes are followed, monitoring is performed, batch records are maintained.
While some aspects may be audited remotely (e.g. review of sterilization process validation documentation), the audit of requirements for sterile medical devices must be conducted on-site.
The outcome of such remote review activities must serve as input to the on-site audit and be incorporated or attached to the MDSAP audit report. The off-site assessment of the controls of the product sterility should not prevent the on-site audit team from following audit trails, including audit trails necessitating the review of documents that had previously been assessed remotely.
The audit of processes for validation of sterilization and sterile barrier systems performed according to well-established standards (e.g. steam sterilization, 25 kGy gamma irradiation, Ethylene Oxide in chambers with traditional release) can be performed by someone having either the microbiology competency or the routine sterilization competency.
The audit of a validation performed according to less common standards, or using less common sterilant/sterilization technologies/validation methods (e.g. Ethylene oxide sterilization in a bag, ethylene oxide in chambers with parametric release, plasma sterilization, low dose gamma sterilization) should be performed by a person having the microbiology competency This also applies to the evaluation of aseptic process validation or to the sterilization process validation of the microbiologic safety of devices incorporating substances, cells, tissues of animal or human origin.
Routine implementation of sterilization processes according to previously audited validation studies may be conducted by a person having the routine sterilization competency. This applies to all previously validated and audited sterilization processes including processes conducted according to less common standards, or using less common sterilant/sterilization technologies/validation methods.
If the requirements for sterile medical devices are audited separately by a competent auditor or technical expert, this shall cover all the applicable requirements and the results of this audit shall be part of the MDSAP audit report. This must not prevent the MDSAP audit team from following leads relative to requirements for sterile medical devices.
Medical Device Single Audit Program – Companion Document Summary of Changes from Prior Revision
Management Process
Task 1 has been completely revised to reflect the requirement in ISO 13485:2016 for identifying the organization’s roles under applicable regulatory requirements and for quality management system planning, with text added to Companion Document for Assessing Conformity.
Task 6 has been revised to remove the additional country-specific requirement for the United States to verify that resources include the assignment of trained personnel to meet the requirements of 21 CFR Part 820, including management, performance of work, assessment activities, and internal quality audits.
Task 8 now contains clarifying text that document and record controls apply to documents and records of both internal and external origin, and an additional country-specific requirement for the United States to confirm that electronic document and record systems are backed-up.
The requirement to verify that management review procedures have been documented was moved from task 1 to task 9.
Task 10 has been rewritten to eliminate redundancy with the Device Marketing Authorization and Facility Registration Process. Text was added to the Companion Document to assist auditors in accomplishing the task.
Device Marketing Authorization and Facility Registration Process
Task 1 has been revised to include a note, regarding the responsibilities of importers
/ marketing authorization holders / Sponsors. Text was added to the Companion Document to assist auditors in accomplishing the task and an additional item was added to the list of Therapeutic Goods (Medical Devices) Regulations 2002 referenced. The requirement for the United States regarding registration and listing has been updated to align with wording changes in 21 CFR 807.
Task 2 has been updated regarding the country-specific requirements for Australia to verify that the manufacturer maintains a list of their Australian Sponsors and the products those Sponsors have included in the Australian Register of Therapeutic Goods.
The Companion Document now contains in task 3 additional explanation of changes that can be reported in post-approval periodic reports for the United States.
Changes made for Chapter 2 - Device Marketing Authorization and Facility Registration Process 2017-04-13
It was verified there is an error in ANVISA specific requirements related to the process “Device Marketing Authorization and Facility Registration”, tasks 1 and 2.
The tasks # 1 [page 17] and #2 [page 20] inform that registration and notification in Brazil are valid for 5 years and the renewal of these authorizations shall be requested upon time defined at Brazilian Law 6360/1976.
However, Anvisa Resolution RDC n. 40, of August 26/2015, art. 10th and 13th define that medical product subject to notification (Class I and II) are exempt from renewal.
Measurement, Analysis and Improvement Process
The specific requirement for Brazil regarding ensuring that information about quality problems or nonconforming products is properly disseminated has been moved from Task 13 in the prior version of the MDSAP Audit Model to Task 1.
Task 2 has been updated to include a statement that the auditor should confirm that data is accurate and analyzed according to a documented procedure for the use of valid statistical methods. Additional country-specific requirements requiring procedures for identifying valid statistical techniques have been removed, as procedures for identifying valid statistical techniques have been included in ISO 13485:2016, clause 8.4.
Task 3 has been updated in the Companion Document to clarify expectations for the audited organization’s process for investigations of nonconformities.
Task 8 has been updated to include the statement to confirm that an appropriate disposition was made, justified, documented and that any external party responsible for the nonconformity was notified, and to remove the additional country-specific requirements for Brazil and the United States to confirm that the evaluation of non- conforming product includes a determination of the need for an investigation and notification of the persons or organizations responsible for the nonconformance.
Task 9 has been updated to move the additional country-specific requirement for Brazil to verify that the manufacturer has procedures to determine the product recall and other field actions that are relevant in the case of products already distributed to task 15.
Task 10 has been updated to remove the additional country-specific requirements for Brazil and the United States regarding verifying that resources include the assignment of trained personnel for performance of work, assessment activities, and internal quality audits.
Task 11 has been updated to remove the additional country-specific requirement for Brazil to confirm that relevant information about quality problems is identified and corrective and preventive actions are submitted to executive management for information and monitoring, as well as the competent health authority.
Task 12 contains clarifications for requirements for investigations and the responsibility for recalls as pertaining to Australian regulatory requirements and to add the requirements for Unique Device Identifier for the United States.
Task 13 has been updated to remove the additional country-specific requirements for Brazil and the United States regarding verifying that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems. The Brazilian requirement is also included in task 1.
Task 15 has been updated to include a statement to confirm that reporting of advisory notices is established in a documented procedure and performed according to the applicable regulatory requirements.
Medical Device Adverse Events and Advisory Notices Process
Task 1 has been updated to include additional clarifying text for the Australian requirements for manufacturers and Sponsors regarding written agreements between the Sponsor and the Manufacturers regarding reporting requirements and timeframes. Task 1 in the Companion Document regarding Australia has a note that Adverse events may be reported on-line to the TGA, by the Manufacturer or Sponsor, at https://www.tga.gov.au/reporting-problems. Text was added to the Companion Document to address changes in 21 CFR 803 due to unique device identifier requirements and the file rule which requires organizations to submit MDRs electronically using eSubmitter or the AS2 Gateway-to-Gateway.
Task 2 has been updated to include clarifying text for the Australian requirement regarding written agreements between the manufacturer and Sponsors regarding compliance with recall requirements and timeframes. In the Companion Document, a note was added for the Australian requirements as to the website for information for Australian requirements for advisory notices and recalls. Text was added to the Companion Document to address changes in 21 CFR 806 due to unique device identifier requirements.
Design and Development Process
Task 1 has been revised regarding the additional country-specific requirements for Australia pertaining to the availability of procedures for design and development in situations when a manufacturer applies TG(MD)R Regs Division 3.2 and selects the Full Quality Assurance conformity assessment procedures [TG(MR)R Schedule 3, Part1]. In addition, for all classes of devices, the guidance provided for the audit of technical documentation in Annex 1 is to be followed to ensure the availability of objective evidence that demonstrates compliance with the Essential Principles of Safety and Performance.
Task 7 has been updated to include additional text regarding medical device specifications as an output of the design and development process to include specifications for the sterilization process, when applicable. Task 7 of the Companion Document has additional text regarding the design and development of medical devices to include design outputs for sterilization processes, including ensuring compatibility of the sterilization process with the device, compatibility of the device packaging and the sterilization process, ability of the device to be sterilized or re-sterilized, and (if applicable), rationale for adding the device to a product family covered by a validated sterilization process.
Task 10 has been updated to remove the additional country-specific requirements for Brazil and the United States regarding verifying that design validation has been performed on initial production units, lots, or batches, or their equivalents.
The additional country-specific requirement for Brazil task 16 has been modified to better align with the translated version of RDC 16/2013.
Production and Service Controls Process
Task 1 has been updated to include requirements for unique device identifier in planning for product realization. The additional requirement for the United States has been added to confirm that the organization has determined the applicability of unique device identifier requirements per 21 CFR 801 and 21 CFR 830, has obtained the unique device identifiers from an FDA-accredited UDI-issuing agency, and the
required data elements have been entered in the Global Unique Device Identification Database (GUDID) [21 CFR 801, 830]. Explanation regarding UDI has been added to the Companion Document regarding the requirements of the UDI rule, the requirement for labelers to use an FDA-accredited UDI-issuing agency, and the requirements for labelers.
Task 3 has been updated regarding the additional country-specific requirement for Brazil to determine whether the manufacturer has established and maintained a procedure for change control in order to track changes in auxiliary systems, software, equipment, processes, methods or other changes that may affect the quality of products, including risk assessment within the risk management process. This task was moved to the Management process task 1 as a linkage.
Task 5 has been updated for the country-specific requirement for Brazil. With the revision of ISO 13485 to the 2016 version, clause 6.3, only the portion of the Brazilian requirement for people flow remains as a country-specific task.
The additional country-specific requirement for Brazil in Task 7 was updated to reflect the English translation of RDC 16/2013. Additionally, the country-specific requirement for Canada to verify that sterilization methods for devices sold in a sterile state have been validated was removed.
Task 8 has been updated in accordance with changes to ISO 13485, clause 7.5.6. It is now required for organizations to not only validate processes that cannot be fully verified, but now there is a requirement to validate processes whose result can be verified, but is not. Additional country-specific requirements for Brazil and the United States were removed from this task because the requirements are included in clause 7.5.6 of ISO 13845: 2016.
Task 9 has additional text in the Companion Document regarding validation of sterilization and associated processes.
Task 11 has been updated to include a statement to verify that the processes used in production and service are appropriately controlled, monitored, operated within specified limits and documented in the product realization records, and to remove additional country-specific requirements for Brazil and the United States regarding monitoring of processes and use of statistical techniques because they are covered in clauses 7.1 and 7.5.1 of ISO 13485:2016.
Task 16 has been updated to include a statement to determine if the manufacturer has established and maintained a file for each type of device that includes or refers to the location of device specifications, production process specifications, quality assurance procedures, traceability requirements, and packaging, labeling specifications, and when applicable requirements for installation and servicing, in order to allow for the exclusion of the Brazilian requirement from task 16 of the design and development process.
Task 17 was updated to include a statement regarding ensuring the requirements for product release were met and documented, and to include the Unique Device Identifier requirements for the United States.
The information in the Companion Document has been updated for task 18 regarding Medical Device Tracking to include the UDI requirements.
Task 24 has been updated to remove the additional country-specific requirements for Brazil and the United States regarding packaging, dispatch of products from stock rooms, and ensuring purchase orders are reviewed before fulfillment. These requirements are largely now included in clauses 7.5.8 and 7.5.11 in ISO 13485:2016.
Task 27 has been updated to include the requirements for Unique Device Identifier for the United States.
Purchasing
Substantial changes were made to the MDSAP Purchasing Process to consolidate tasks.
Task 4 has been updated to include a statement to verify that criteria for the selection, evaluation and re-evaluation of suppliers have been established and documented to allow for consolidation of tasks 4 and 5 from the previous version of Audit Model and to allow the Brazilian-specific requirements to be excluded from task
7. The Companion Document was updated to consolidate information from previous task 5 into task 4.
Task 5 has been updated to include a statement to verify that records of supplier evaluations are maintained to allow for the consolidation of this task with task 7 in the previous versions of the MDSAP Audit Model. Text was moved from task 7 in the previous version of the MDSAP Companion Document to task 5, to align with the consolidation of tasks.
Task 8 has been updated to include a statement to verify that written agreement with the supplier is established in which suppliers has to notify the organization about changes in the product in accordance with clause 7.4.2 of ISO 13485: 2016 and to exclude Brazil specific requirement from task 9.
In order to consolidate task 9 with task 12 of the previous revision of the MDSAP Audit Model and Companion Document, task 9 was revised to verify that the organization documents purchasing information, including where appropriate the requirements for approval of product, procedures, processes, equipment, qualification of personnel, sterilization services, and other quality management system requirements and to confirm that documents and records for purchasing are consistent with traceability requirements where applicable. The additional country- specific requirements for Brazil and the United States were removed since the 2016 revision of ISO 13485; clause 7.4.2 explicitly addresses notification of changes by suppliers. Text was moved from task 12 of the previous revision of the MDSAP Companion Document to task 9, in alignment with the consolidation of tasks.
Task 10 was updated to include a statement to verify that records of verification activities are maintained to allow for consolidation of this task with task 14 in the prior version of the Audit Model. A statement to include providers of sterilization services in the establishment of an appropriate combination of supplier acceptance and receiving activities has been added to task 10 of the Purchasing process in the Companion document. Text was moved from task 14 in the prior revision of the MDSAP Companion Document to task 10, in order to align with the consolidation of tasks.
Annex 1 - Audit of technical documentation for the Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3).
Annex 2 - Expectations for audit of sterilization processes.