Insights & Intelligence for Regulatory Leaders

Last week, the entire U.S. Rimsys team gathered in our Pittsburgh offices for the first time in 2022. It was an incredible week of collaboration, learning, goal-setting, and meeting the more than 25 new team members who had joined since our last on-site in December. It was also an opportunity to reflect on the company that Brad (Co-Founder & CTO) and I started just a few years ago, how much we’ve changed, and where we want to go.

I founded Rimsys with a singular focus on medtech regulatory affairs, and solving all of the incredibly painful challenges that I experienced leading regulatory teams in the industry. In large organizations, regulatory affairs is directly linked to hundreds of millions dollars in revenue, yet RA teams still do most of their work manually using spreadsheets and other tools that aren’t remotely fit for purpose. 

The Rimsys platform is designed to digitize regulatory information, make it much more easily accessible, and allow regulatory affairs teams to use it to power a series of automated processes. As a result, our customers have dramatically reduced the administrative work associated with regulatory activities, from reducing release authorization time by 80% to reducing GSPR maintenance time by 99%! Rimsys 5, which we announced this week, introduces more streamlined workflows, a brand-new user interface, and adds even more time-saving capabilities like collaborative submission authoring, and integrated regulatory intelligence.

This focus on regulatory affairs was what drove the initial mission of the company to “digitize, automate, and create order for the medical technology industry”. This mission helped to drive alignment and focus as we were initially building out the company, but it also missed the broader picture of why we, and the industry, were doing this in the first place.

A life-saving shipment

This bigger picture began to take shape when I received an email from one of our customers during the horrific COVID-19 outbreak in India last spring. The customer is a large in-vitro diagnostic manufacturer, and they were working to quickly send humanitarian shipments of testing products to help with the crisis. In the email, along with some images of the initial shipment being loaded for transport, our customer noted that because all of their product and regulatory documentation was managed in Rimsys, they were able to expedite clearance and release authorization, avoiding import delays while paving the way for the life-saving diagnostics to be shipped more quickly.

We talk a lot about efficiency and the direct link that regulatory affairs has to revenue in the medtech industry, but there’s more to it of course. Much more. At the end of the day, medtech companies create products, and regulatory affairs teams work to place them on the market in order to give patients access to technologies that can dramatically improve and even save their lives. This is what we’re doing.

A bolder, broader mission

With this context, our initial mission felt a bit narrow. It spoke to what we were doing, but not really why. So, we decided to revise the company mission statement. Working with our team on-site we crafted a new mission that better aligns with the outcomes we’re helping to drive in the world:

Improve global health by accelerating delivery and increasing availability of life-changing medical technologies

The new mission clearly articulates the “why” behind what we’re doing, but it also deliberately doesn’t constrain our approach. Today we’re focused on using technology to streamline regulatory affairs, but there are many other areas across the industry that our technology can improve; from post-market, to clinical, to marketing. Our vision is for Rimsys to be the leading technology provider to the medical technology industry.

Why this matters

As our company grows, it’s critical to me to maintain the culture that we established in the early days. This isn’t something that happens on its own. Culture only grows organically with deliberate focus and attention. Whether it’s our company values, our focus on continuous learning, our regular on-site’s for remote team members, or our new revised mission, I’m constantly reflecting on how we will build a large, successful business that stays true to our purpose.

Our new mission clearly states our purpose, and explains why we think this industry is so vital. We’re honored to have the opportunity to help more life-changing technologies get into the hands of patients that need them. And, if this mission resonates with you, we’re hiring across all of our teams.

‍

The Rimsys team is both excited and very proud to introduce Rimsys 5 today. The latest version of Rimsys includes a comprehensive regulatory submission module and provides real-time, global regulatory intelligence through a partnership with Clarivate Cortellis. Additional new features include an updated and highly-flexible product hierarchy and the ability to link product, performance, and safety data across the organization through standardized integrations with PLM, eQMS, and ERP systems.

Many of these new features and capabilities were driven by input from our customers.  In addition to the big changes, we’ve also overhauled the user experience, making the entire platform more usable and intuitive.

Rimsys 5 brings a unique approach to regulatory submissions.  The platform now provides regulatory affairs teams with the ability to manage submission projects, collect documents and information, and directly author submission content in a single interface. In addition, customers have full access to their submissions archive without any additional cost. We believe this will lead to significant improvements in productivity for regulatory teams.

What we are most proud of is that only 3 years after introducing Rimsys software to the medtech industry, 10 of the top 30 medical device companies worldwide are trusting their critical regulatory processes to our RIM platform. As the global regulatory landscape becomes more and more complex, Regulatory Information Management (RIM) software will become increasingly critical for medical device companies to bring products to market quickly, and  ensure that they stay on the market. 

Rimsys 5 builds on an already established platform of product-centric regulatory tools, including standards management, UDI, expiration monitoring, market-specific sales status tracking, and more. With version 5 of the platform, regulatory teams can now:

• Access high-quality comprehensive regulatory information. Powered by Clarivate Cortellis, Rimsys 5 provides access to over 200,000 regulatory documents, updated daily.
• Build content plans based on government templates. Users have access to fully customizable submission templates for common market applications, including FDA 510(k), STED, NMPA, and PMDA.
• Collaboratively author submission content. Rimsys allows regulatory affairs teams and other collaborators the ability to work together to create structured submission content within the Rimsys application - without having to jump between outside documents and spreadsheets.
• Manage submission projects, approvals, and health authority communication. Submission features are wrapped in full project management capabilities, allowing regulatory teams to assign tasks, manage approvals, and track communications with internal teams, partners, and health authorities.
• Link product, performance, and safety data across the organization. Rimsys 5 provides open integration with PLM, eQMS, and ERP systems allowing regulatory affairs teams to directly pull design history, testing, and quality control documents into regulatory submissions without duplication. Automated alerts let teams know when source documents have been updated.

• Auto-generate complete regulatory submissions. Rimsys 5 provides automated publishing features that consolidate documents into submission packages in the correct PDF format, creates appendices for file attachments, and renders submissions ready for delivery to health authorities.

All of these features combine to provide a full record of submission history directly linked to individual products, countries, and registrations - giving regulatory teams the tools they need to fully administer, track, and generate regulatory information for every product in every market.

Learn more about the new release at our Rimsys 5 overview webinar on May 18th.

‍

This article is an excerpt from The beginner's guide to the FDA PMA submission process ebook.

Table of Contents

• Introduction
• PMA basics
• FDA interactions
• Contents of a traditional PMA submission
• PMA supplements and amendments
• PMA Quality Management System (QMS)
• Review process and timeline

If your organization is planning to market a new medical device in the United States, you first need to determine which regulatory class the device falls under. The vast majority of medical devices regulated by the FDA are either Class I or Class II medical devices, requiring a 510(k) premarket notification or a simple registration if exempt from 510(k) requirements. However, if your device sustains or supports life, is implanted, or presents a “potential unreasonable risk of illness or injury,” your device is likely a Class III device which will require Premarket Approval (PMA) from the FDA before it can be marketed in the United States. Novel devices, for which there are no existing substantially equivalent devices, are automatically classified as Class III as well. Novel devices with a lower risk profile, however, may qualify for the De Novo process instead of the PMA. Just 10% of devices regulated by the FDA are Class III devices.

This ebook provides an overview of the PMA process and its requirements, but it is not designed to be the only resource used in compiling a PMA submission. The FDA provides significant documentation on this process, starting with the regulation governing premarket approval that is located in Title 21 Code of Federal Regulations (CFR) Part 814.

FDA: Background and device oversight 

Before we explain what a PMA is, let’s first talk generally about the Food and Drug Administration (FDA) and device oversight. The FDA is the U.S. governmental agency responsible for overseeing medical devices, drugs, food, and tobacco products. When it comes to medical devices, the FDA’s mission is to “protect the public health by ensuring the safety, efficacy, and security of...medical devices.” At the same time, the FDA also has an interest in “advancing public health by helping to speed innovations.” In other words, the FDA’s goal is to make sure devices are safe and effective for public use, while also ensuring that devices have a quick and efficient path to market.

In order to achieve this balance of safety and efficiency, the FDA has three different levels of oversight depending on the risk level of the device: (1) exempt from premarket notification, (2) Premarket Notification, also known as 510(k), and (3) Premarket Approval (PMA). 

‍

‍

When is a PMA required?

The PMA process is the most stringent regulatory process for medical device approval under the FDA and applies to almost all Class III devices. To determine whether your device requires a PMA, you must first Classify your device by searching the Product Classification Database. The database will provide you with similar devices; their name, classification, and link to the Code of Federal Regulations (CFR) if applicable.

• If a substantial equivalent is found in the Product Classification Database with a submission type of 510(k), you should submit a 510(k), not a PMA.
• If the product classification database identifies your device as Class III and/or requiring a PMA - you should submit a PMA.
• If your device involves a new concept and does not have a classification regulation in the CFR, the database will list only the device type name and product code. In this case, the three-letter product code can be used to search the PMA database and the 510(k). 
• If  your device cannot be found in the product classification database because it is a new type of device and should be classified as a Class III device because of the level of risk it presents*.

Class III devices support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential and unreasonable risk of illness or injury.

Note that if your device is a new concept without a substantial equivalent, but does not present the level of risk of a class III device, it may be eligible for the De Novo process as a class I or class II device.

PMA vs 510(k)

Not only are PMA and 510(k) processes applicable to different types of devices, they have different purposes.

510(k): A 510(k) is intended to demonstrate that the device for which approval is being sought is as safe and effective as a currently marketed device that does not require a PMA.

PMA: A PMA is intended to prove that a new device is safe and effective for the end user. A PMA is much more detailed and in-depth than a 510(k). Device manufacturers are typically required to present human clinical trial data, in addition to laboratory testing data.

The difference in complexity between a PMA and 510(k) also affects the time needed to process the submissions. The FDA typically accepts or rejects a 510(k) submission within 30-90 days, at which point the device is posted to the FDA’s 510(k) database. A PMA submission can take up to 180 days to be processed, at which point the FDA can approve or deny the application. The FDA may also issue an “approvable” or “not approvable” letter, which the applicant can choose to respond to, thereby adding time to the submission process. 

PMA application methods

There are a number of types of PMA application methods. While most devices which require a PMA will follow the traditional process, be sure to verify that you are using the correct application process to maximize your chances for success and avoid unnecessary delays:

Traditional PMA

The most common method for attaining FDA clearance for Class III devices, the traditional PMA is the appropriate option for most devices that have completed clinical testing. 

Modular PMA

The modular PMA is the appropriate application method for devices that have not yet completed clinical testing. Applicants complete individual “modules,” with final confirmation granted once all sections are completed. For additional information on specific requirements of a modular PMA, read the FDA’s Premarket Approval Application Modular Review.

Product Development Protocol

Use the Product Development Protocol (PDP) with medical devices that are based on well-established technology. The PDP process for gaining market approval merges the clinical evaluation and development of information, and involves an agreement between the manufacturer and the FDA. The process provides the advantage of early predictability for the manufacturer and allows early interaction that can identifyFDA concerns as soon as possible in the development process. Because the PDP identifies the agreed upon design and development details, a completed PDP is considered to have an approved PMA. For additional information, read more about the FDA’s PMA Application Methods.

Humanitarian Device Exemption

A Humanitarian Use Device (HUD) is specifically defined as a device intended to benefit patients that are affected by a disease or condition that affects less than 8,000 individuals in the U.S. per year. TheHumanitarian Device Exemption (HDE) approval process is designed to encourage clinical activity around rare conditions, and does have certain restrictions, including:

• After receiving HDE approval, a HUD is eligible to be sold for profit only if the device is intended to address a disease or condition that occurs primarily in pediatric patients, or occurs in pediatric patients in small numbers.
• If an HDE is approved to be sold for profit, the FDA will determine an annual distribution number(ADN). Any devices sold beyond the ADN limit are required to be sold for no profit.

For more information see the FDA’s explanation of the Humanitarian Device Exemption.

CBER Submissions‍

There are two centers within the FDA responsible for evaluating medical devices. While the majority of devices will go through the Center for Devices and Radiological Health (CDRH), some will be managed by The Center for Biologics Evaluation and Research (CBER). CBER regulates medical devices related to blood and cellular products, including blood collection and processing procedures as well as cellular therapies. This ebook focuses on submissions made through the CDRH, but you can view CBER Regulatory Submissions – Electronic and Paper for more information on the CBER process.

To continue reading this eBook, including a walk through of the different types of required and optional FDA meetings and communications, a detailed list of the contents of a traditional PMA submission, and an overview of quality management system requirements, please register to download the full version.

FDA device registration overview

Registering a new medical device with the FDA can be a huge undertaking, and understanding the process and all of the requirements as early as possible is important. This article provides a high-level overview of the steps required before marketing and selling a medical device in the United States. We’ve done our best to include relevant links to both FDA documentation and educational materials wherever possible!

FDA medical device registration steps

Classify your medical device

Classifying your medical device should be one of the first steps in any FDA submission. The FDA classification system is a “predicate-based” system in which devices are classified based on similar devices that are already on the market in the U.S.

You may already have an idea as to which of the three device classes your product falls under, but you still need to determine the specific device category described within 21 CFR Parts 862-892. The FDA provides a good overview and listing of device categories that is searchable. This will allow you to determine which specific section of the regulation pertains to your device, which will then define the classification and relevant premarket requirements. While the majority of Class I devices require no premarket notification, the majority of Class II devices require 510(k) premarket notification, and the majority of Class III devices require a premarket authorization submission, however,this is not always the case. 

Medical device manufacturers can request information and guidance from the FDA regarding the classification of a device through a 513(g) request. For the classification of accessories to your device, a pre-submission may be more appropriate (discussed below) 

Collaborate with the FDA prior to your submission   

The FDA encourages pre-submission collaboration meetings and communication as early in the product development process as possible. It is in the best interest of organizations seeking approval of a medical device to have an open dialogue with the FDA, enabling the FDA to advise before and during the submission process, provide direction on Investigational Device Exemption (IDE) applications, and identify any potential concerns that may affect approval or clearance of the device. This is especially important for devices with novel technology.

There are a number of pre-submission activities defined in the FDA’s “Q-Submission” program (these were previously referred to as “pre-ide” meetings). Q-subs provide an organization with the opportunity to obtain feedback from the FDA before a premarket submission is made. The most common Q-subs are:

Pre-submission (pre-sub) requests provide an opportunity for an organization to obtain feedback from the FDA before completing a premarket submission. Pre-sub requests are made in writing to the agency and can involve a meeting if requested by the submitter. The submitter should have specific questions prepared regarding their submission and/or product development prepared for the FDA to review during this meeting. 

Informal Meetings are requests to share information with the FDA with no expectation of feedback. This may be helpful if your team has a variety of submissions planned, or if your company would like to explain the technology of your device. 

Early collaboration determination meetings are requests by a PMA applicant for the FDA’s determination of the type of valid scientific evidence required to demonstrate that the device in question is effective for its intended use.

Early collaboration agreement meetings are used to reach an agreement between the FDA and the submitter on key parameters of the investigational plan.

Results of early collaboration determination and agreement meetings are binding on the agency. For additional information, see “Early Collaboration Meetings Under the FDA Modernization Act: Final Guidance for Industry and for CDRH Staff”

Prepare the appropriate premarket submission for your medical device

Remember that most Class I devices, and some Class II devices require no premarket submission (though they are required to be listed with the FDA).

510(k) Premarket Notification is used for Class II and Class III devices with a medium risk profile for which there is a predicate, substantially equivalent, device on the market that requires a 510(k) submission.

The 510(k) submission is used to demonstrate that the predicate device is substantially equivalent to the new device and, if successful, results in an FDA “clearance” for the new device. You can read more in our FDA 510(K) beginner’s guide.

Premarket Approval (PMA) is used for Class III devices for which the identified predicate device requires a PMA. These are devices which are high risk; defined as a device that supports or sustains human life, is of substantial importance to preventing impairment in human health, or presents a potential and unreasonable risk of illness or injury. Novel devices which have no substantial equivalent on the market also require a PMA by default.

A PMA is intended to prove that a new device is safe and effective for the end user, and is much more detailed and in-depth than a 510(k). Device manufacturers are typically required to present human clinical trial data, in addition to laboratory testing data. A successful PMA results in an FDA “approved” device.

The De Novo classification process can be used for novel devices for which there is no substantial equivalent on the market, but which have the lower risk profile of a Class I or Class II device. A successful De Novo request is “granted” by the FDA and results in the classification of the device as Class I or Class II. You can read more in our De Novo classification process: a beginner’s guide.

Work with FDA staff during the review process

The more complex your submission to the FDA, the more opportunities you will have to interact with the agency during the review process. Take advantage of these opportunities and be sure to respond to any requests for additional information within the specified time frame. The 510(k) submission process and the PMA submission process both have defined procedures for requesting and submitting additional information during the review process. PMA submissions for devices with new technology may also require interaction with an expert review panel. 

If you need additional clarification from the FDA on your 510(k) or PMA submission, the following options are available: through the Q-submission process:

Submission Issue Requests (SIR) are Q-submission requests for feedback and clarification during a pre-marketing submission including 510(k), De Novo and PMA submissions. These are often held after a submitter receives letters from the FDA asking for additional information or deficiency letters. 

PMA day 100 meetings are Q-submission requests held within 100 days of a PMA submission and are used to discuss any deficiencies in the application, and to begin a conversation on the status of the application. FDA guidance on PMA day 100 meetings can be found here.

Complete a quality system audit

Most Class II and III devices, and some Class I devices will require a premarket quality system inspection. During most of the Covid pandemic, inspections were being conducted remotely, but the FDA resumed domestic onsite inspections in February 2022. 

A compliant quality system demonstrates that your facilities are capable of manufacturing the device as designed to meet its intended purpose, and the FDA will evaluate both design controls and manufacturing controls.

Current quality system requirements are defined in 21 CFR part 820 (quality system regulation or “QSR”), however the FDA is moving to harmonize their requirements with the generally accepted global standards of ISO 13485. In addition, the Medical Device Single Audit Program (MDSAP) can be used as an alternative allowing a single audit that is recognized by regulatory authorities in multiple countries, including the FDA.

Whichever path your inspection takes, it is important to put a strong quality system in place as early as possible.

List your medical device on your establishment registration

Any organization involved in the production or distribution of a medical device intended for use in the United States is required to register annually with the FDA. Establishment registration is defined in 21 CFR Part 807. There is an annual registration fee, which is $5,672 for 2022.

Most establishments that are required to register with the FDA must also list the devices and the activities performed on those devices at the establishment. Registration and listing information must be submitted to the FDA within 30 days of a device being put into commercial distribution. You cannot list your device until it has been cleared or approved through a premarket submission process, if required for your device.

The FDA provides detailed information on the device registration and listing process.

Post-market compliance

We will cover post-market surveillance and compliance in a future post, but here are a few things to keep in mind:

• If your device was approved via a PMA, expect a post-market inspection 8-12 months after approval.
• Changes to a cleared or approved product may trigger additional reporting and submissions. The significance of the change will dictate the type of reporting required for both 510(k) cleared devices and PMA approved devices.
• Your quality system should include a CAPA (corrective and preventive action) tracking system to record and address any issues that arise after the device is on the market.

For additional information on FDA submission processes, see our ebooks which cover the 510(k), and De Novo processes.

What is EU MDR?

The EU regulation 2017/745 on medical devices, or EU MDR, was a major update to medical device regulations introduced in 2017. The MDR replaces the previous EU Medical Device Directive (MDD), and is designed to modernize the EU regulatory system to better address the current needs of the market and new technologies. Devices that received a CE mark under MDD are allowed to continue to market in the EU, but will need to be recertified under MDR by a Notified Body before 2024.

The main objective of the new regulation is to strengthen protection against risks posed by medical devices and to update regulations to properly account for new technologies. Major themes of the MDR include:

• Expanded focus on regulating the entire lifecycle of a medical device
• Greater emphasis on clinical data
• Increased oversight of notified bodies

Major differences between EU MDR and MDD

The MDR is four times the size of the MDD and has an increased focus on device safety (the word safety appears 290 times in the MDR, but only 40 times in the MDD). Medical device manufacturers have found that they need to update clinical data, technical documentation, and labeling for all devices; and medical devices above class I need to be recertified by a notified body under MDR. For these reasons, companies may re-evaluate their portfolios and remove older devices from the market that don’t have adequate clinical information or yield insufficient sales to justify recertification.

Labeling (UDI and EUDAMED)

The EU MDR represents a major overhaul of medical device labeling requirements. Under the MDR, device manufacturers need to place a unique device identifier (UDI) on all devices marketed in the EU. The UDI is comprised of a UDI device identifier (‘UDI-DI’) specific to a manufacturer and a device and a UDI production identifier (‘UDI-PI’) that identifies device production characteristics. Note that there are exceptions for custom and investigational devices. In addition, UDI information must be uploaded to the new European Database on Medical Devices (EUDAMED). Together, UDI and EUDAMED are designed to allow for greater traceability and transparency of marketed devices, including improved incident reporting, field safety corrective actions, and monitoring by competent authorities. The goal is to reduce medical errors and make it more difficult for falsified devices to reach the market. 

EUDAMED registration is not yet required, and changes to the specific data requirements of the database are expected. While manufacturers can enroll their device in the EUDAMED database, once that is done it must be maintained for the device. Some companies are choosing to wait until EUDAMED data requirements are finalized.

Classification rules

The MDR includes 22 classification rules, including four new rules and many updates to existing rules. Manufacturers need to verify classifications of existing devices under MDR, and may find that some devices need to be “up-classified,” resulting in more stringent regulatory requirements. Rule 11, in particular, requires the attention of any manufacturer with a device that includes software. Software that plays a part in decision-making or patient monitoring will move from a Class I to a Class IIa device. For additional information, read our recent post on Software as a Medical Device.

In addition, there are devices which were not in scope of the MDD, but are classified as medical devices under the MDR. These include products “without an intended medical purpose,” such as contact lenses.

General safety and performance requirements

MDD “Essential Requirements” have been replaced with “General Safety and Performance Requirements” in the MDR. There are 23 requirements, many of which are new, that device manufacturers will need to demonstrate conformance to. These rules place significant emphasis on risk management and “are a set of product characteristics, which are considered by the European authorities as being essential to ensuring that any new device will be safe and perform as intended throughout its life.”

Clinical evidence

New to the EU MDR is a requirement that every medical device must include sufficient clinical evidence to demonstrate compliance, dependent on the device class. This new requirement will have a significant impact on manufacturers selling existing devices without readily available clinical data. 

Post-market surveillance system

MDR establishes new requirements for a post-market surveillance (PMS) system to be an integral part of the manufacturer’s Quality Management System (QMS). Post-market surveillance programs should be designed to proactively monitor safety and performance of a device, and to report any defects or issues appropriately, with all serious incidents being reported within 15 days. In addition to the many new PMS outputs, manufacturers of class IIa, IIb, and III devices are required to prepare a Periodic Safety Update Report for each device.

Person responsible for regulatory compliance (PRRC)

Under the MDR, a manufacturer needs to assign a single, qualified individual to be responsible for ensuring conformity to regulatory requirements. In addition, each Authorized Representative has to have its own PRRC. 

Risk management and quality management systems

Risk management and quality controls should be in place throughout the lifecycle of the device. EN ISO 14971:2019 and EN ISO 13485:2016+A11:2021 are aligned with MDR requirements for risk management and QMS. Note that the QMS necessarily includes post-market surveillance and clinical evaluation plans.

Monitoring of notified bodies

The MDR introduced significant changes to the role and the oversight of notified bodies. The addition of post-market surveillance activities, technical documentation requirements  and increased clinical requirements have placed a larger burden on the notified bodies that perform conformity assessments, which include quality system audits and technical documentation reviews. There is currently a shortage of notified bodies accredited under MDR and the industry is carefully watching for any additional extensions of MDR deadlines.

EU MDR timeline and deadlines

The MDR was published on April 5, 2017. Medical devices can currently obtain certification under MDR, but not all devices will be required to be certified under MDR until May 25, 2024.

Becoming compliant with EU MDR

Compliance with the EU MDR, EU 2017/745, requires medical device manufacturers to demonstrate that their device is designed, manufactured, and tracked according to the regulation’s requirements. Manufacturers must focus on three overall components when pursuing approval to market a medical device in the EU.

• Quality management system: A medical device must be developed with an appropriate QMS in place to ensure that a device meets its intended purpose through proper controls around design, manufacturing, and post-market surveillance.
• Clinical evidence: MDR requirements for clinical evidence are higher for most devices than in the MDD. All medical devices must demonstrate safety and efficacy for the device’s intended purpose, along with benefit-risk analysis supported by appropriate clinical evidence.
• Regulatory systems and process: The EU MDR requires more extensive processes and documentation than the MDD around quality systems, post-market surveillance tracking, risk management, on-going clinical evaluation reports, technical documentation, and more.

For more information on the EU MDR and IVDR requirements, read our Ultimate guide to the EU MDR/IVDR unique device identifier (UDI) system and Ultimate guide to the EU MDR GSPR - general safety and performance requirements.

What is ISO 13485?

ISO 13485:2016 defines quality management system (QMS) requirements for organizations producing medical devices. Based on ISO 9001, the ISO 13485 standard is a stand-alone document with specific requirements for medical device manufacturers, including a greater focus on risk management and additional documentation requirements.  

Note that this standard is based on ISO 9001:2008, not the more recent ISO 9001:2015, because of the focus on customer satisfaction and continuous improvement in the newer ISO standard. 

Globally, ISO 13485 is the most common regulatory standard addressing quality management systems for medical devices. The standard is focused on QMS effectiveness and meeting regulatory and customer requirements. For a good source of additional information, and step-by-step implementation guidance, see ISO 13485:2016 – Medical devices – A practical guide, published by the committee that drafted the standard.

Where is ISO 13485 compliance required?

Compliance with ISO 13485 is required of most medical devices by all European Union members, UK, Canada, Japan, Australia, and many other countries. ISO 13485 is the quality standard accepted as the basis for CE marking in the EU.  Medical devices marketed in the United States, however, must meet the requirements of the FDA’s Quality System Regulation (QSR), which is sometimes referred to as Current Good Manufacturing Practice (CGMP).

An audit of an organization’s QMS by an independent certifying body or registrar is required to demonstrate compliance with the ISO 13485  standard.

ISO 13485 vs FDA QSR

While the QSR and ISO 13485 are structured differently, they have no conflicting requirements. Currently, companies who are marketing a medical device in the U.S. and in other markets, will need to comply with both ISO 13485 and the FDA’s QSR, as defined in 21 CFR 820. 

However, the FDA is moving towards harmonizing these standards and on February 23, 2022 issued a proposed rule to amend the QSR to align more closely with the international consensus standard for Quality Management Systems, primarily by incorporating reference to the ISO 13485 standard. The FDA has published FAQ’s about the proposed rule.

On September 9, 2021, the European standardization bodies CEN and CENELEC published the 2021 amendment, EN ISO 13485:2016+A11:2021, “Medical devices. Quality management systems . Requirements for regulatory purposes”, featuring new annexes ZA and ZB that link the requirements of the Medical Device Regulation (MDR, EU 2017/745) and the In Vitro Diagnostics Regulation (IVDR, EU 2017/746), respectively, to specific clauses of the standard. Note that  EN ISO 13485 is a parallel standard issued by the European Union, which is identical in its requirements to the ISO 13485 international standard, with the exception of the new annexes.

ISO 13485 requirements

ISO 13485 contains eight sections. This article focuses on the last five sections as the first three are introductory, and include scope, definitions, and other general information.

Quality Management System (Clause 4)

• General requirements: General requirements set forth the overarching requirements for the implementation of a quality management system, including an adherence to the standard and the commitment to having written procedures around documentation and risk management—along with the assurance that those procedures are being followed.
• Documentation requirements: ISO 13485 documentation requirements include the creation of a quality manual, or its equivalent. In addition, this clause specifies unique record requirements for medical device manufacturers, including; product specifications and guidance on intended use, a document control plan that ensures document integrity, and a record control plan that ensures the security and authenticity of the data in the system.

Management Responsibility (Clause 5)

ISO 13485 details specific responsibilities that must be demonstrated by the management team of the organization implementing this standard. In general, Management must ensure that the organization is committed to the quality policy by:

• Focusing on the end user and ensuring that they have the tools they need to adhere to the standard.
• Ensuring that all rules are followed during the manufacturing process.
• Communicating to employees the importance of quality policies and procedures, and affirming Management's commitment to the system.
• Delegating authority as necessary to ensure the implementation of and adherence to the quality plan.
• Performing periodic reviews of the quality system and implementing any necessary improvements (Management Review).

Resource Management (Clause 6)

An organization’s top management must provide the necessary resources to ensure compliance with ISO 13485. It is not enough to put a quality system in place, it must be supported throughout the organization. Management must allow the proper resources to be assigned to quality system activities by providing proper personnel, infrastructure, tools and equipment, succession planning, and risk aversion planning. 

Product Realization (Clause 7)

The process of developing a new product includes everything from the original conceptualization through design and implementation. This clause of ISO 13485 places importance on communication and processes throughout the entire product life cycle. An organization with a strong quality system in place will have processes that detail how they capture initial ideas and requirements, plan and develop the product, and monitor customer use.

Measurement, Analysis, and Improvement (Clause 8)

ISO 13485 also stresses the importance of following your product once it is released by tracking customer feedback and then monitoring and measuring product performance by:

• Managing complaints.
• Making appropriate notifications and reports to regulatory authorities.
• Identifying and addressing any nonconforming products.
• Continually monitoring product performance and working to improve processes.

The importance of ISO 13485

ISO 13485 is the international standard for quality management systems within the medical device industry. Implementing this standard is not only required for market entry in the EU and other countries, but provides a solid foundation for quality throughout your product’s full life cycle.

Additional information on Rimsys standards management can be found here.

‍