CGMP and ISO 13485: Aligning Device Quality Worldwide

CGMP and ISO 13485: Aligning Device Quality Worldwide

Kari Miller, Vice President of Regulatory and Product Management, Pilgrim Quality Solutions

Regulators around the world commonly assess product design to ensure safety and efficacy in medical devices. The product approval process is key to ensuring the safety and efficacy of life-improving and life-saving products introduced into their market. However, oversight does not stop there. Worldwide, regulatory bodies are looking to ensure sustainability; they need to “see” that an organization can continuously produce and provide safe, quality product to their market. How do they do that? By auditing an organization’s quality system.

Around the globe, the standard most countries use is ISO 13485. In the United States, the FDA also requires a quality system for medical devices and that quality system is Current Good Manufacturing Practice (CGMP). Defined in Part 820 of the Code of Federal Regulation Title 21, CGMP is the official Quality System Regulation (QSR) of the FDA.

Regulatory compliance is key to the success of an organization and regulatory oversight is ever increasing. So what is a worldwide organization to do to keep up? What standard(s) do they follow? In 1990, the FDA worked to harmonize QSR with international standards, so there is commonality between FDA QSR and the most recent version of the global standard, ISO 13485: 2003. But a lot has changed since 1990, and ISO 13485: 2016 is now upon us.

The good news is that there is an apparent convergence of standards within the Medical Device Industry. To demonstrate, we could have included in this review UDI, MDSAP, and ISO 9001:2015, all current and joint global industry regulatory initiatives. Our focus, however, is going to be a high-level comparison of 21 CFR Part 820, the QSR of the FDA, and ISO 13485: 2016. Let’s take a look at some of the clauses in ISO 13485 that have changed and contrast them to 21 CFR Part 820.

ISO 13485: 2016, Clause 4 – Quality Management System

The first area of change, 4.1.2 b), states that the organization shall apply a risk-based approach to the control of the appropriate processes needed for the quality management system. Part 820 does not explicitly call out a risk-based approach for the quality management system. In fact, 820.40 (g) Design Validation, is the only place within Part 820 where risk is called out explicitly, however a risk-based approach is implied throughout the regulation.

The term “where appropriate” is used throughout Part 820. The 820 standard declares that a requirement will be “appropriate” unless the manufacturer can document justification to the contrary, and a risk-based approach will do just that.

Then there is clause 4.2.5 Control of Records, which protects confidential health information and calls out the requirement to ensure documents remain identifiable and retrievable. Anyone that has specifically abided by Part 820, knows that Document Control (820.40) and Records (820.180) are foundational to FDA’s CGMP.

ISO 13485: 2016 Clause 5 and the FDA’s 820.20 – Management Responsibility

With the recent ISO 13485:2016 changes, both regulations now tightly define responsibility and authority, as well as management representation for regulatory and quality management system requirements.

Training is addressed in ISO 13485: 2016 Clause 6.2 and addresses competency, training, and personnel awareness, as does the FDA’s 820.25.

ISO 13485: 2016 Clause 7

Clause 7 has two areas that have been revised. The first, Clause 7.2 – Customer Related processes, now calls out the need to communicate with regulatory authorities regarding product information, customer feedback/complaints, and advisory notices. For the FDA, Customer Related processes are addressed in three areas: 21 CFR Part 820.198 – Complaint Files; 21 CFR Part 803 – Medical Device Reporting; and, 21 CFR Part 806 – Reports of Corrections and Removals.

Also in Clause 7 of ISO 13485: 2016, Design and Development has been updated to further align with FDA 21 CFR 820.30 Design Controls. Finally, Clause 7.4 – Purchasing now is in better alignment with 21 CFR Part 820.50 and directly requires the following:

  • Establishment of criteria for the evaluation and selection of suppliers
  • Monitoring and re-evaluation of suppliers
  • Actions required when purchasing requirements are not met
  • Supplier Notifications of Change
  • Verification activities of purchased product

Supplier Management has been a focus for the FDA over the past few years, and the ISO 13485 changes really close the gap in regards to Purchasing requirements. Additionally, to address traceability, Clause 7.5.8 – Identification now requires documented procedures for production identification and status, and references use of unique device identification. This, of course, aligns very well with FDA 21 CFR Part 820.60.

ISO 13485: 2016 Clause 8

ISO 13485: 2016 Clause 8.2.2 – Complaint Handling, and Clause 8.2.3 – Reporting to Regulatory Authorities, are additions to ISO 13485:2016. As mentioned above, the FDA addresses these areas in 21 CFR Part 820.198 – Complaint Files, and 21 CFR Part 803 – Medical Device Reporting, respectively.

Quality in Harmony

So in this time of increased regulatory oversight and change, take comfort in the fact that the changes are actually moving the global medical device industry towards more harmonized requirements. As you can see from the overview above, the revisions to ISO 13485:2016 are well aligned to the FDA Quality System Regulation (QSR) for medical devices (21 CFR Part 820). If your organization has been using 21 CFR Part 820 as its guide, the new ISO 13485: 2016 revision should not pose a major challenge for your organization.

In organizations that already sell into the U.S. as well as other countries around the world, alignment of the ISO 13485:2016 requirements to the FDA’s Part 820 requirements should simplify compliance for everyone involved; and as compliance is required, every medical device company doing business into or out of the U.S. will have to focus and make the necessary improvements to not fall out of compliance.


ISO 13485:2016

On-Demand Webinar

First in a Four-Part Series. Will Your Transition be a Marathon or a Sprint?

ISO 13485:2016 Compliance


Kari Miller

Regulatory & Product Management Leader, IQVIA Quality Compliance