Guest Column | May 23, 2016

ISO 13485 vs. 21 CFR Part 820: How To Distinguish Between Standard Conformity And Regulatory Compliance

By Michael Wienholt, Halloran Consulting Group

Over the course of more than 20 years in regulatory affairs and quality compliance, we’ve learned how painful it can be to implement a quality management system that effectively enables efficient product development while complying with both domestic and international quality system requirements.

Recently, we’ve spent substantial time auditing quality management systems to 21 CFR Part 820, the FDA quality system regulation (QSR). These audits have been conducted in advance of an initial establishment registration, or in response to an anticipated FDA inspection in follow-up to a warning letter. In either case, many clients will have a professionally framed certificate hanging on the wall that documents conformity with the international standard for quality management systems (QMS) for medical devices, ISO 13485. Some companies have recently achieved this certification, and most have just passed a surveillance audit that resulted in only one or two minor non-conformances. In all cases, companies should be proud of the corporate achievement the certificate signifies. However, a certification to ISO 13485 neither equates to nor guarantees compliance with Part 820.

Recently, we performed a mock FDA inspection for a client who had been through a cycle of FDA enforcement actions in the preceding three years: a violative inspection, followed by a warning letter, followed by another violative inspection, followed by a warning letter close-out. The company expected another visit from FDA and — justifiably — wanted a fresh set of eyes to assess its readiness for another inspection.

FDA has developed an exquisite tool for assessing compliance with the QSR, the Quality System Inspection Technique (QSIT), and we employed it in this case to guide our mock inspection. Unfortunately, we found many repeat observations from the previous FDA inspection in the areas of corrective and preventive action (CAPA), complaint handling, design control, and production and process controls. In the closeout meeting, one of the company’s QA employees pointed out, "we just had our ISO surveillance audit, and we were fine!"

Our response? "Your ISO registrar is auditing for conformity to a standard, a service for which you voluntarily pay. FDA is inspecting for compliance to a regulation. There is a significant difference."

The basic message is that conformity to a standard does not equal compliance with a regulation. An auditor representing the registrar that issues your ISO certificate is trained to assess conformity to the standard by employing a methodology that is different from that of an FDA inspector, and the consequences for nonconformance are different.

Practical Differences Between ISO 13485 And CFR 21 Part 820

Consider the hypothetical example of design controls, a requirement found both in Clause 7.3 of ISO 13485 and Part 820.30 of the QSR. During an audit by your ISO registrar, the auditor documents a finding for “failure to control design and development changes, in that the review of the change did not include an evaluation of the effect of the change on product in the field (Clause 7.3.7, Control of design and development changes).” The finding is rated as Category 1 (Major) in the audit report and your registrar requires that you submit a corrective action plan within 30 calendar days, and evidence of effective closure within 90 calendar days.

After 90 calendar days, most registrars will return to verify your corrective action after receiving your Evidence of Action. This audit will focus only on the corrective action to your design change procedure. If the registrar receives your response beyond the required 90 days, the follow-up audit may be a comprehensive audit of your full quality system, and the auditor may look for other systemic nonconformances in your system. At this point, you may consider your certification to be at-risk. The loss of certification to ISO 13485 would impact your global regulatory licenses and the ability to conduct business in the specific international markets that require it.

Now let’s consider the same scenario in an FDA facility inspection. Most initial inspections of Class 3 and Class 2 manufacturers are Level 2 comprehensive inspections. The QSIT will sample the four major subsystems: management controls, design controls, CAPA, and production and process controls. In our example, the inspector documents an observation on FDA Form 483 stating that “procedures for design change have not been adequately established, in that your procedure does not address the identification, validation, or where appropriate, verification, review and approval of design changes before their implementation and does not document that risk analysis will be conducted (21 CFR Part 820.30(i)).”

Typically, you have 15 business days in which to respond in writing to this Form 483 observation, with evidence that would support a conclusion that your corrective actions are adequate and the violation has been corrected. This must include a risk assessment of any affected design changes for their impact on product performance and patient safety, as well as evidence that verification and, where necessary, validation of the changes has been documented.

Following receipt of your 483 Response, the FDA District Office makes a recommendation to a Center (e.g., CDRH, CBER, CDER) regarding the need for additional enforcement. This may be in the form of a follow-up inspection, a warning letter, or some other type of enforcement letter. You may expect another visit from FDA within 6 months, unless FDA deems your response to be inadequate or another issue (e.g., a recall) dictates a follow-up inspection sooner than this. The follow-up inspection will be a Level 3 Compliance Follow-Up inspection for previous inspections classified as Official Action Indicated (OAI).

If the enforcement action is in the form of a warning letter, either as a result of an initial violative inspection or an inadequate 483 response, the letter typically will arrive within 45 days, and you will have 10 business days to respond. A warning letter indicates that FDA has determined you are in violation of the law and may consider further enforcement actions, including seizure, injunction, prosecution, or civil penalties.

The principal differences between these two examples are the level of scrutiny applied to the quality system and the significant enforcement actions that FDA can employ as a result of a violative QSR inspection.

Four To-Do’s For ISO 13485 Audit Preparedness

If you are a medical device manufacturer regulated by FDA and delivering your product in international markets requiring certification to ISO 13485, consider the following advice:

  • Do not rely on individuals with limited FDA regulatory compliance experience to write your ISO QMS documents, or to audit your system.
  • Establish coherent linkages between the FDA QSR’s major subsystems (e.g., Design Controls, Purchasing Controls, CAPA, Statistical Techniques) and the equivalent clauses in ISO 13485 (e.g., Product Realization, Measurement, Analysis and Improvement).
  • Strictly define functional roles and responsibilities, and link these to documented job descriptions with specified requirements for "education, background, training, and experience to assure that all activities required" by the QSR are correctly and consistently performed.
  • Ensure that the auditors conducting your internal audits are trained and experienced in Part 820. Nothing can replace your internal audit program to inform senior management of the true state of compliance with the QSR.


An understanding of the differences between ISO 13485 and CFR 21 Part 820 is a key step toward creating a QMS that provides both conformity and compliance. These guidelines will keep manufacturers on the compliant side of those differences, and steer your medical devices down the road toward patients.

About The Author

Michael Wienholt, a principal consultant at Halloran Consulting Group, joined the company in 2015. He brings more than 25 years of experience in the medical device industry, including 15 years of experience in global regulatory affairs and quality management systems for medical devices and in vitro diagnostics. Michael provides expertise in regulatory strategies and submissions and the design, implementation, and audit of quality management systems.