Medical Device ISO 13485:2003 Voluntary Audit Report Submission Program

Draft Guidance for Industry, Third Parties and FDA Staff: Medical Device ISO 13485:2003 Voluntary Audit Report Submission Program

Introduction 

This draft guidance provides information on the implementation of section 228 of the Food and Drug Administration Amendments Act of 2007 (FDAAA), which amends section 704(g)(7) of the Federal Food, Drug, and Cosmetic Act (the Act) (21 U.S.C. 374 (g)(7)).  Section 228 was amended to add the following provision:

“(F) For the purpose of setting risk-based inspectional priorities, the Secretary shall accept voluntary submissions of reports of audits assessing conformance with appropriate quality system standards set by the International Organization for Standardization (ISO) and identified by the Secretary in public notice.  If the owner or operator of an establishment elects to submit audit reports under this subparagraph, the owner or operator  shall submit all such audit reports with respect to the establishment during the preceding 2-year periods.”

This document will describe how the Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH) and Center for Biologics Evaluation and Research (CBER) are implementing this provision of the law and providing public notice as required. 

Specifically, a device manufacturer, whose establishment has been audited under one of the regulatory systems implemented by the Global Harmonization Task Force (GHTF) founding members[1] using ISO 13485:2003 “Medical devices – Quality management systems – Requirements for regulatory purposes,” may voluntarily submit the resulting audit report to FDA.  If, based on that report, FDA determines there is minimal probability -- in light of the relationship between the quality system deficiencies observed and the particular device and manufacturing processes involved -- that the establishment will produce nonconforming and/or defective finished devices,[2] then FDA intends to use the audit results as part of its risk assessment to determine whether that establishment can be removed from FDA’s routine work plan for one (1) year.  The voluntarily submitted ISO 13485:2003 audit report provides FDA a degree of assurance of compliance with basic and fundamental quality management system requirements for medical devices.  Inspections conducted “for cause” however will not be affected.  Moreover, this inspectional work plan exclusion would not apply to any necessary pre-approval inspections for Premarket Approval (PMA) applications or to decisions under section 513(f)(5) of the Act (21 U.S.C. 360c(f)(5)) concerning the classification of a device.

It is important to note that participation in the Medical Device ISO 13485:2003 Voluntary Audit Report Submission Program is entirely voluntary.

FDA's guidance documents, including this guidance, do not establish legally enforceable responsibilities.  Instead, guidances describe the Agency's current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited.  The use of the word should in Agency guidances means that something is suggested or recommended, but not required.

Background

Inspections conducted by third parties and other regulators have been utilized by FDA in different circumstances.  The Medical Device User Fee Modernization Act of 2002 (MDUFMA), P.L. 107-250,  authorized a third party inspection program under which FDA trains and accredits third parties to perform inspections of eligible establishments that manufacture Class II or III devices. This third party inspection program, commonly referred to as the "Accredited Persons (AP) for Inspections" program, is a voluntary program. While all firms remain subject to inspection by FDA, eligible manufacturers have the option of requesting inspection by an AP.  FDA has committed significant resources to creating the AP for Inspections program and continues to maintain it.

In addition, on September 7, 2006, the U.S. FDA and Health Canada (HC) mailed a letter to accredited persons that FDA trained and accredited under its AP for Inspections program and HC's Third Party Auditing Organizations under the Canadian Medical Devices Conformity Assessment System (CMDCAS).  The letter announced a pilot multi-purpose audit program (PMAP) that allows qualified accredited persons and auditing organizations in both programs to perform a single inspection that both FDA and HC can utilize. The purpose of the PMAP is to evaluate the effectiveness of performing a single third party inspection of medical device manufacturers' quality systems that would meet the regulatory requirements of both countries.  Under the PMAP, the establishment is evaluated for compliance with the Quality System regulation under 21 CFR Part 820 and ISO 13485:2003.  If the inspection demonstrates compliance, the establishment will be removed from the routine FDA work plan for two years.[3]  FDA continues to work with HC and the eligible APs in this pilot program.

The medical device ISO 13485:2003 Voluntary Audit Report Submission Program outlined in this draft guidance is another way in which FDA may leverage audits performed by other GHTF regulators and accredited third parties in order to assist the agency in setting risk-based inspectional priorities.

Who Should Participate?

We recommend that a domestic or foreign device manufacturer that is subject to the requirements in 21 CFR Part 820, Quality System (QS) regulation be eligible to participate in the ISO 13485:2003 Voluntary Audit Report Submission Program under the following circumstances:

1. The audit report is submitted to the FDA within 60 days from the last day of the most recent ISO 13485:2003 audit;
2. The audit is performed using ISO 13485:2003: “Medical devices - Quality management systems – Requirements for regulatory purposes;” and
3. The audit was performed by an auditor under one of the GHTF founding members regulatory systems:

a.  The Canadian Medical Devices Conformity Assessment System (CMDCAS);

b.  The European Union Notified Body accreditation system;

c.  The Therapeutics Goods Administration of Australia Inspectorate; or

d.  The Japanese Medical Device Ministry of Health, Labour and Welfare system.

In order for FDA to ensure the validity of the audit report and the competence of the auditors, FDA is structuring the ISO 13485:2003 Voluntary Audit Report Submission Program around its founding partners in the GHTF.  FDA has over 18 years of experience working with these founding regulatory members and believes that the auditors under these programs can give FDA the assurances and information necessary to assist FDA in making important risk-based decisions for FDA inspections.

Accredited Persons under FDA’s AP for Inspections program should also be accredited by one of the above programs in order to audit conformance to the ISO 13485:2003 standard and for their audit report to be accepted under the ISO 13485:2003 Voluntary Audit Report Submission Program.

What Format is Recommended for the Audit Report?

1.  The ISO 13485:2003 audit and the resulting report should conform to the Global Harmonization Task Force (GHTF) Study Group 4 guidance documents[4] listed below to facilitate FDA’s evaluation and review of the audit report:

a.  Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers - Part 1: General Requirements

b.  Guidelines for Regulatory Auditing of Quality Management
Systems of Medical Device Manufacturers – Part 2: Regulatory Auditing Strategy

c.  Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers – Part 3: Regulatory Audit Reports

2.  The complete ISO 13485:2003 audit report and any other related responses or communications between the manufacturer and the auditors should be written in or translated to English.

How should the manufacturer submit the eligible ISO 13485:2003 audit report?

1. The ISO 13485:2003 audit report and any related responses or communications between the manufacturer and the auditor who conducted the ISO 13485:2003 audit should be submitted to the FDA within 60 days from the last day of the most recent audit.  The manufacturer must submit all reports of audits under ISO 13485:2003 of the relevant establishment that were issued during the preceding 2-year period.  The preceding 2-year period should be determined based on the last day of the most recent ISO 13485:2003 audit.  In addition, the manufacturer should submit the most recent copy of the ISO 13485:2003 certificate.  The ISO 13485:2003 certificate should clearly state the scope of the certification in order for the FDA to fully understand the scope of the audit(s).
2. The ISO 13485:2003 audit report(s), the copy of the ISO 13485:2003 certificate, and any related responses or communications between the manufacturer and the auditor should be scanned into a PDF file and submitted to the following email account: ISO13485AuditReports@fda.hhs.gov until FDA provides an electronic means to submit the reports through the “eSubmitter” system.[5]
3. If an individual does not have access to the internet or cannot scan the documents into PDF format, he or she may contact CDRH’s Office of Compliance Field Operations Branch at 301-796-5812 for assistance with the submission.
4. Along with the PDF file, the manufacturer should provide:
   1. The name, title, address, telephone number, fax number and email address of the manufacturer’s correspondent who is authorized to act on behalf of the manufacturer in the US on issues related to the audited establishment;
   2. The FDA registration number or FDA Federal Establishment Identifier (FEI) number, in order for FDA to relate the audit report to the specific manufacturing establishment registered with FDA; 
   3. The full mailing address of the establishment that was audited and for which an audit report is being submitted; and 
   4. Information about the ISO 13485:2003 audit, including: the name of the auditing organization and the auditor(s) that performed the audit and prepared the audit report; the start date and the completion date of the most recent audit; and the name(s) of the regulatory authority(s) for which the ISO 13485:2003 audit was performed.

---

[1] The GHTF founding members auditing systems include: the Canadian Medical Devices Conformity Assessment System; the European Union Notified Body accreditation system; the Therapeutics Goods Administration of Australia Inspectorate; and the Japanese Medical Device Ministry of Health, Labour and Welfare system. 

[2] See June 15, 2006, Compliance Program 7382.845 Inspection of Medical Device Manufacturers Part V. 

[3] Under the PMAP program, third parties are accredited by both FDA and HC and conduct their inspections under both ISO 13485:2003 and FDA’s Quality System (QS) regulations under Title 21 Code of Federal Regulations  (21 CFR) Part 820.  For that reason, FDA allows these establishments to be removed from the work plan for two years.  Under the ISO 13485:2003 Voluntary Audit Report Submission Program, as described in this guidance document, regulators or third parties conducting the ISO audit only conduct the audit under ISO 13485:2003 and do not evaluate the establishment for compliance with FDA’s QS regulation and other FDA regulations.  For this reason, under the ISO 13485:2003 Voluntary Audit Report Submission Program, FDA is planning to remove eligible establishments from the work plan for one year.  

[4] GHTF Study Group 4 documents can be found at http://www.ghtf.org/sg4/sg4-final.html