
What are the consequences of noncompliance with ISO 13485 for manufacturers of medical devices?

Today’s business owners have a wide array of concerns, not the least of which is turning a profit in what can be a volatile economy. However, financial success is of little consequence if the government compels you to dissolve your company for failing to comply with legal requirements, or if you lose a customer because you failed to comply with their requirements. Often included with customer requirements for medical device manufacturers is ISO 13485.

Failing to meet all guidelines for compliance can result in serious consequences for your business. It can also alter your company’s legal status, leaving you vulnerable to lawsuits, government agency audits, fines or even having your business dissolved entirely.

Compliance with legal requirements

Because of the vast number of government guidelines for compliance, it can be easy for business owners to find themselves in violation, leaving their companies open to penalties and even dissolution. Having a complete and thorough understanding of compliance requirements is crucial to protecting your business in the years to come.

Our analysis of FDA (Food and Drug Administration) warning letters issued to medical device manufacturers and importers has revealed that the FDA’s focus remains primarily on noncompliance with QSR (Quality System Requirements) and US medical device reporting requirements. Our review identified that the key areas of QSR noncompliance cited in FDA warning letters were:

  • Complaints – 21 CFR 820.198
  • CAPAs – 21 CFR 820.100
  • Control of nonconforming product – 21 CFR 820.90
  • Process Validation – 21 CFR 820.75
  • Design Control, specifically design verification and validation – 21 CFR 820.30 (f) & (g)

Other popular QSR-related noncompliances included incoming inspection, document control and maintenance of DHRs (Design History Records), DMRs (Device Management Records) and DHFs (Design History Files).

Compliance with ISO 13485 requirements

When it comes to noncompliance with the requirements of the standard, the consequences don’t have to be as severe as they would be when the organization is not compliant with legal requirements. As a result of the certification audit, you will get an audit report that lists all minor and major nonconformities found during the audit. The certification body will also give you a timeframe to conduct corrective actions and, after you provide evidence that the nonconformities have been resolved, your organization will get the certificate. Here are some areas that I find the most problematic when it comes to complying with the requirements of the standard:

  • Management review
  • Design and development verification
  • Design and development validation
  • Validation of processes for production and service provision
  • Monitoring and measuring of processes
  • Analysis of data

Nonconformity doesn’t just mean that the organization failed to meet some formal requirements; it can also imply that the processes are not controlled properly, and there is a good chance that the product or service will fail to meet the requirements of the organization itself or the customer. Depending on the type of product or service the company delivers, the consequences can be severe to the customer and ultimately to the organization.

Practical differences between ISO 13485 and legal requirements

Consider a hypothetical example of design controls, a requirement found both in Clause 7.3 of ISO 13485 and Part 820.30 of the QSR. During an audit by your certification body (CB), the auditor documents a finding for “failure to control design and development changes, in that the review of the change did not include an evaluation of the effect of the change on the product in the field (Clause 7.3.7, Control of design and development changes).” The finding is rated as Major in the audit report and your CB requires that you submit a corrective action plan within 30 calendar days. You must also provide evidence of effective closure within 90 calendar days.

After 90 calendar days, most CBs will return to verify your corrective action once they have received your evidence of action. This follow-up audit will focus only on the corrective action to your design change procedure. At this point, you may consider your certification to be at risk. The loss of certification to ISO 13485 would impact your global regulatory licenses and the ability to conduct business in the specific international markets that require it.

Now let’s consider the same scenario in an FDA facility inspection. Most initial inspections of Class 3 and Class 2 manufacturers are Level 2 comprehensive inspections. The QSIT (Quality System Inspection Technique) will sample the four major subsystems: management controls, design controls, CAPA (Corrective and Preventive Actions), and production and process controls. In our example, the inspector documents an observation stating that “procedures for design change have not been adequately established, in that your procedure does not address the identification, validation, or where appropriate, verification, review and approval of design changes before their implementation and does not document that a risk analysis will be conducted.”

Typically, you have 15 business days in which to respond in writing, with evidence that your corrective actions are adequate and the violation has been corrected. This must include a risk assessment of any affected design changes for their impact on product performance and patient safety. It must also provide documented evidence of verification and, where necessary, validation of the changes.

Following receipt of your response, the FDA District Office makes a recommendation to a Center regarding the need for additional enforcement. This may be in the form of a follow-up inspection, a warning letter, or some other type of enforcement letter. You may expect another visit from the FDA within 6 months, unless they deem your response to be inadequate or another issue (e.g. a recall) dictates a follow-up inspection sooner. The follow-up inspection will be a Level 3 Compliance Follow-Up inspection for previous inspections classified as Official Action Indicated (OAI).

If the enforcement action is in the form of a warning letter, either as a result of an initial violation inspection or an inadequate response, the letter will typically arrive within 45 days, and you will have 10 business days to respond. A warning letter indicates that the FDA has determined you are in violation of the law and may consider further enforcement actions, including seizure, injunction, prosecution, or civil penalties.

Protect your business from noncompliance

Compliance requirements can be complex, and business owners may not always be fully educated about the latest rules and regulations. If you’re concerned about your company’s compliance status, consider hiring a human resources expert to protect your business’ legal and financial standing. After all, when it comes to noncompliance issues, ignorance of the law is no defense.


Strahinja Stojanovic

Strahinja Stojanovic is certified as a lead auditor for the ISO 13485, ISO 9001, ISO 14001, and OHSAS 18001 standards by RABQSA. He participated in the implementation of these standards in more than 100 SMEs, through the creation of documentation and performing in-house training for maintaining management systems, internal audits, and management reviews.