Medical Device Link.

Important similarities

The United States (US) Quality System Regulation (QSR) (21 CFR 820) is based on the Committee Draft version of ISO 13485:1996, Quality Systems, Medical Devices, Particular Requirements for the Application of ISO 9001. ISO 13485:1996 included specific requirements for medical device quality systems and had to be used with ISO 9001:1994. The quality system structure described in those standards was based on 20 distinct quality system elements. The US QSR is also largely based on those 20 quality system elements, but it includes additional provisions.

ISO 13485 was then revised to be a standalone standard that contains the medical device requirements and ISO 9001:2000 provisions in one standard. However, the revised standard was no longer based on distinct quality system elements, but on the process approach on which ISO 9001:2000 is based. The “process approach” is considered to be the application of a system of processes within an organisation, together with the identification and interactions of those processes and their management.

In spite of this difference, the QSR has much in common with ISO 13485:2003. This is because every effort was made by the developers of the revised version of ISO 13485 to maintain the level of quality system requirement for medical devices that had already been established. Thus, although the structure of the quality system described in ISO 13485:2003 differs from that described in the QSR, many of their requirements are similar. However, important differences exist, therefore, it is critical that companies understand that conformity with ISO 13485 alone will not fully satisfy US quality system requirements.

Differences in requirements

A discussion of all differences between ISO 13485:2003 and the QSR is beyond the scope of this article. Readers are encouraged to have an understanding of all differences that could lead to noncompliance with the QSR if merely the clauses of ISO 13485 are implemented.

Signatures. The QSR contains a number of provisions that require the signature and date of an individual, for example, the individual approving documents and document changes, design input requirements and the design output. ISO 13485 specifies that documents and document changes, design input requirements and the design output be approved, but there is no specification that the approval should include a signature and date. Therefore, companies that conform only to ISO 13485 sometimes fail to comply with the QSR requirement.

Change procedures. The US Food and Drug Administration (FDA) places considerable emphasis on the control of production and process changes. Manufacturers are required to establish and maintain procedures for changes to a specification, method, process or procedure. This includes changes to inprocess test methods or production equipment or test instruments. These changes must be verified or where appropriate validated in accordance with Sec. 820.75, Process Validation, before implementation of the change. These activities must be documented and the changes approved in accordance with document control procedures in Sec. 820.40, which requires the date and signature of the approving individual(s), the approval date and when the change becomes effective. When companies conform only to ISO 13485, this requirement is frequently not met, which is an important nonconformity.

Software validation. ISO 13485 requires that documented procedures for the validation of the application of computer software, and changes to this software and/or its application, for production and service provision that affect the ability of the product to conform to specified requirements. These software applications must be validated prior to initial use. However, the QSR requires the validation of software not only when computers or automated data processing systems are used as part of production, but also if they are used as part of the quality system. This means that computer systems used for controlling activities such as the identity and release of incoming goods, the release of incoming goods to production, the management of materials and components needed for a production work order, supplier evaluation and surveillance information and other activities must be validated. This requirement is often not met by companies that operate under a quality system certified to ISO 13485 and have not taken steps to ensure compliance with each provision of the QSR.

Differences in interpretation

In some instances, the requirements of ISO 13485 and the QSR are virtually identical, but how FDA interprets the correct compliance to a requirement can be significantly different from how ISO 13485 auditors do.

Process validation. Both ISO 13485 and the QSR have similar requirements for process validation. ISO 13485 requires the validation of any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement. This includes any processes where deficiencies become apparent only after the product is in use or the service has been delivered. The QSR requires the validation of processes where the results of the process cannot be fully verified by subsequent inspection and test.

Companies that have not checked or do not have knowledge of FDA process validation expectations are often surprised to learn that they have not validated all processes that FDA believes should be validated, and/or their validation documentation is found to be inadequate to demonstrate validation with a high degree of assurance as required by the QSR. When this occurs, it may mean that significant resources and expertise are needed to correct the process validation deficiency.

Examples of other requirements where FDA may interpret the adequacy of compliance in a different manner from a quality system auditor include software validation, the control of design changes, the management of complaints, and management of corrective and preventive actions.

Single quality system structure

Medical device companies generally find that the most sensible means of complying with US and European quality system requirements is to establish a single quality system that complies with both the QSR and ISO 13485. A common method for implementing this type of system is to develop a matrix or map of corresponding requirements and procedures. For example, a company that operates under an ISO 13485 quality system, but needs to also comply with the QSR, can after establishment of the first system develop a matrix that lists the quality system processes and corresponding sections of the QSR. The addition of procedures and in some cases work instructions to this matrix increases its utility in demonstrating compliance with both sets of requirements.

Developing a matrix is not the only measure that should be taken. Many medical device companies fail to include the provisions of the QSR in their internal audit programmes. Audits are frequently conducted to evaluate the requirements of ISO 13485 and not of the QSR even if the company has been marketing in the US for years. Companies that do this are incurring a significant risk. If FDA determines, most commonly through a facility inspection, that important QSR requirements are not being met, costly enforcement actions may be taken, which are discussed below.

Another approach that companies are advised to take, which can increase the effectiveness of their internal audits, is to include a review of the ISO 13485 and QSR quality system requirement before proceeding with the audit. However, companies that have been operating for some time under a quality system tend to evaluate only whether or not company standard operating procedures (SOPs) and work instructions are being properly followed; this may not be sufficient to ensure an effective audit. This is because there are instances when SOPs or work instructions fail to meet the basic requirements of ISO 13485 or the QSR. In some cases, opinions regarding what may be an adequate procedure or work instruction to fulfil a particular requirement may have changed because of increased awareness or knowledge of the requirement. Thus, the underlying requirement as well as compliance with SOPs and work instructions should be checked during internal audits. Important compliance problems can be resolved or even avoided using this technique.

Consequences of noncompliance

With few exceptions, the QSR applies to medical devices marketed in the US. It is a regulation, in contrast with ISO 13485, which is a voluntary standard evaluated by means of a quality system audit by a European Notified Body. When nonconformities are identified by a Notified Body during a quality system audit, a list of nonconformities is provided to the company being audited. In some cases, the company is requested to provide a written corrective action plan, but in many cases the corrective actions are checked during the next audit. If the nonconformities are serious, withdrawal of the quality system certificate is possible. There is no public information on how often this occurs, but indications are that it is relatively uncommon.

In contrast, failure to comply with the QSR can lead to the medical device being considered adulterated and/or misbranded and subject to various enforcement actions depending on the seriousness of the violation. FDA investigators document noncompliance with the QSR on a form 483 that is provided to the company at the end of a facility inspection and the company is given a specified time to respond to the inspection findings. For manufacturers located outside the US, serious violations may lead to a Warning Letter and possibly a refusal to allow the device to be imported into the US. This can have devastating effects on a medical device company and is an important reason why companies need to ensure that they fully comply with US quality system requirements.

Maria E. Donawa Donawa Consulting, Piazza Albania 10, I-00153 Rome, Italy, tel. +39 06 578 2665, e-mail: medonawa@donawa.com, www.donawa.com