eSTAR (electronic Submission Template and Resource) is an initiative launched by the US Food and Drug Administration in February 2020. It is a free, interactive PDF Form that provides assistance to the applicants in preparing the CDRH medical device submission for 510(k)s and De Novos. The content of the form is automated with an automatic verification feature, and the structure is complementary to the internal review and also harmonized with the IMDRF and guided construction for each submission section.
The US FDA has announced a pilot program in collaboration with Health Canada. The practicability of using eSTAR will be determined by the outcome of 9 participants. The pilot program has eligibility criteria as below:
Sponsorer must be in-process to submit an eSTAR application for the same medical device in Health Canada and US FDA within 6 months of acceptance into the pilot.
The submission must be for a new or significant change amendment to Class III or IV submission of Health Canada OR
A 510(k), De Novo or Pre-market Approval (PMA) original, 180-day, real-time or panel track supplement to FDA
The Sponsorer must complete the eSTAR application
The pilot program is NOT applicable to IVD devices, Combination products, CBER products or an FDA dual 510(k)/CLIA waiver application.
The limitations for the eSTAR pilot:
Health Canada will not accept Regulatory Enrollment Process (REP) submission
Submissions are accepted only in English at present.
Interested device sponsors can send in their participation request at [email protected] and [email protected] with the subject line “Request for participation in eSTAR Pilot”. The participation email should cover the following points:
A statement asking to participate in the pilot
Applicant name
Contact name and title
Device trade name(s) `
The FDA primary product code, Global Medical Device Nomenclature (GMDN) and Preferred Name Code (PNC) of your device
A statement that the same medical device using the eSTAR will be submitted within 6 months of acceptance in the eSTAR pilot to both Health Canada and the FDA:
For Health Canada: specify if it is a new or significant change amendment for a Class III or IV submission
For FDA: specify if it is a 510(k), De Novo or PMA submission (specify if the PMA submission is original, 180-day, real-time or a panel track supplement)
The FDA and Health Canada intend to revert to emails within 3 business days. The file size should be Less Than 1 GB, and images and videos to be submitted in compressed format. The fee structure is as follows:
Post Market surveillance requirements are set out in Title 21 Code of Federal Regulation (CFR) Part 822. This section aims to put an adequate post-market surveillance authority into practice to increase the possibility that post-market surveillance (PMS) plans will result in valuable data gathering. These data can show unanticipated adverse events, the actual frequency of anticipated adverse events, or other details important for public health protection.
FDA will assign a post-market surveillance (PS) order number (i.e., PS######) to each post-market surveillance order. Manufacturers should cite the assigned PS order number when submitting a proposed post-market surveillance plan. PMS plans are reviewed under the assigned PS order number. If the same PS order has multiple questions, manufacturers must provide a separate plan explaining the methodologies to address each question. The submission of the PMS plan must be made within 30 days of receipt of the 522 Order.
The FDA will review and respond within 60 days of receiving the plans. FDA intends to review post-market surveillance plans immediately and collaborate with the manufacturer to decide within 30 days of receiving the plan. To ensure that a full review of the surveillance plan can be completed within 60 calendar days of the 522-order date, the manufacturer should give any deficiencies in the plan identified by the agency top priority and collaborate actively with the FDA.
Sections of a PMS plan
The following sections must be included in a PMS plan. These sections are outlined in 21 CFR 822.10.
PMS plan objectives addressing surveillance questions
The surveillance approach, i.e., the design or methodology used
Variables and endpoints used to answer the surveillance questions
Subject of study
Sample size
Description of data source and its relevance
Description of the data collection plan
Data collection forms, informed consent forms and Institutional Review Board
(IRB) approval or IRB exemption documentation, where applicable
Patient follow-up plan or schedule
All data analysis and statistical tests planned
Investigators agreement
procedures for monitoring the conduct and progress of the surveillance,28 and estimate of the duration of the surveillance
content and timing of PMS reports
In addition to the above, FDA also recommends the following:
an interim data release plan which includes the frequency of interim analyses, type of analysis, data endpoints that will be assessed, content and frequency of posting on the FDA page for post-market surveillance
background on the device, including device description, indications of use and regulatory history
Evaluation of PMS plan
To determine whether the proposed surveillance plan is complete, whether the person designated to conduct the surveillance has the necessary training and experience to carry out such surveillance, and whether the plan will result in the collection of valuable data that can reveal unforeseen adverse events or other information required to protect the public health, FDA will assess the proposed surveillance plan. This evaluation will help FDA determine the answer to the surveillance question (s).
Considering this, FDA may send one of the subsequent letters:
Not acceptable letter
Approval letter
Major deficiency letter
Disapproval letter
The not-acceptable letter is issued when the submission is incomplete and does not include the items in 822.9 and 822.10.
The approval letter demonstrates the FDA’s approval of the proposed surveillance plan in its submitted form and any requirements or suggestions the agency may have had for the plan.
Major Deficiency Letter identifies grave deficiencies in the plan’s ability to produce the data necessary to address the surveillance issues. Before the surveillance plan is approved, the manufacturer must fix these issues and respond to requests for specific information within the allotted timeframe.
The disapproval Letter demonstrates the FDA’s disapproval of the proposed plan because, in FDA’s opinion, it is unlikely to result in the gathering of relevant data necessary to address the post-market surveillance issues raised by the 522 order. The letter instructs the manufacturer to update its post-market surveillance plan by submitting a completely new submission within the allotted timeframe that suggests a new post-market surveillance plan meant to address the post-market surveillance concerns in the 522 order.
FDA evaluation outcome of Post-Market Surveillance plan
Changes to the Approved PMS plan
Manufacturers must get FDA clearance in writing before making changes to approved post-market surveillance plans if those changes would impact the nature or validity of the data gathered. These changes could be changes to sample size, endpoints and so on
It is not recommended for a manufacturer to combine their surveillance approach along with any 522 reports, but instead should include the request in a supplement to the PS order number (PS######) with the updated post-market surveillance plan for FDA review.
FAQ
How is the review done for the PMS plan?
FDA reviews post-market surveillance plans and responds within 60 calendar days of receipt. FDA intends to promptly review post-market surveillance plans and work alongside manufacturers to issue a decision within 30 calendar days of receiving the plan. The checklist used by FDA to evaluate the PMS plan can be found in the guidance document for post-market surveillance.
The revolution in the digital sector has resulted in the Internet of Things (IoT), Software as a Medical Device (SaMD), Internet of Medical Things (IoMT) and other connected devices permeating the healthcare environment, both in hospital and home, has ended up with the possibility of cyberattacks and intrusions against the connected medical devices and the networks to which such a device is connected.
Most Medical devices are connected to the Internet, hospital networks, and other medical devices to provide health care and increase the ability of healthcare providers to treat patients. These features also increase potential risks for Cybersecurity. Medical devices, like other computer systems, are vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Since 2005, the FDA has tried to accomplish and enhance medical device cybersecurity, and the latest FDA effort is to create draft guidance that expects security throughout the total product life cycle (TPLC). Another effort is the Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act of 2022),which, if passed, would revise the existing Federal Food, Drug, and Cosmetic Act.
The FDA guidance establishes six broad expectations on the Secure Product Development Framework (SPDF), which covers all aspects of a product’s life cycle, for the development, release, support, and decommission and satisfy Quality System Regulations (QSR) under 21 CFR Part 820:
Cybersecurity is a fundamental part of device safety and the QSR
Security by design
Transparency
Security risk management
Security architecture
Testing/objective evidence
The FDA draft guidance, under QSR, also declares that verification and validation activities by the medical device manufacturers shall include sufficient testing performed on the Cybersecurity of the system, which validates their inputs and outputs. Further, the FDA summarizes that cybersecurity controls require testing beyond standard software verification and validation to demonstrate that the device has a good assurance of safety and effectiveness.
The following cybersecurity testing and corresponding objective evidence would be considered as the minimum support for a premarket submission:
Security requirements
Evidence of their boundary analysis creates a rationale for their boundary assumptions.
Threat mitigation
Evidence that all the design input security requirements were implemented successfully
Evidence of testing their threat models that demonstrates effective risk control measures provided in the system and use case
Evidence of the adequacy of risk control.
Vulnerability testing – Evidence on the testing of malformed
Abuse case and unexpected inputs
Vulnerability chaining
Closed box testing of known vulnerability scanning
Software composition analysis of binary executable files
Static and dynamic code analysis
Penetration testing– Identify and characterize security-related issues that discover security vulnerabilities in the product.
Regular interval cybersecurity testing – It is performed at regular intervals to identify the potential vulnerabilities before exploitation
This draft guidance replaces the 2018 draft version, which emphasizes the importance of understanding that all medical devices are designed securely, enabling new cybersecurity risks to be mitigated throughout the Total Product Life Cycle, and it elaborates the outline of the FDA’s recommendations more clearly for premarket submission to address cybersecurity concerns.
03/08/2022 Cybersecurity Alert: Vulnerabilities identified in medical device software components: PTC Axeda agent and Axeda Desktop Server
The PTC Axeda agent and Axeda Desktop Server are cloud-based technologies that allow people to securely view and operate the same desktop through the Internet. The Axeda agent and its desktop server are owned by the computer software company PTC.
The FDA alerts all medical device users and manufacturers about a cybersecurity vulnerability identified for the Axeda agent and Axeda Desktop Server. The agent and desktop server of Axeda are used in many medical devices across several medical device manufacturers, and all the versions of the Axeda agent and Axeda Desktop Server are affected. On the 8th of March, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory, ICSA-22-067-01, on these vulnerabilities.
Any successful exploitation of this vulnerability could allow an unauthorized attacker to take complete control of the host operating system, resulting in full system access, remote code execution, reading or changing the configuration, system file access, accessing log information, and other denial condition. These vulnerabilities may result in changes to the functions of the medical device and impact the availability of the remote support functionality.
As a result, PTC recommends that affected manufacturers:
To upgrade Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 while running older versions of the Axeda agent.
Also, to configure the Axeda agent and Axeda Desktop Server to listen only on the local host interface 127.0.0.1.
Then, Provide a unique password in the AxedaDesktop.ini file for each and every unit.
Remove the installation file.
Make sure to delete the ERemoteServer file from the host device.
Never use ERemoteServer in production.
When running the Windows operating system, first configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.
So, Cybersecurity is one of the crucial aspects of today’s fast pacing digital world. The threats caused by Cybersecurity, especially on medical devices, are hard to deny. It isimportant to learn how to defend themselves from them and create a safe environment for the usage of medical devices.
EU MDR and IVDR
In the EU, both the MDR and IVDR Annex I create requirements for mandate consideration of medical device cybersecurity, and the Medical Device Coordination Group (MDCG), in its guidance, explains to the manufacturers of medical devices how to fulfil all the relevant essential requirements regarding Cybersecurity.
Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices Figure 1: Cybersecurity requirements contained in MDR Annex I
The NIS Directive also provides for legal measures to increase the overall level of Cybersecurity in the EU.
GDPR (General Data Protection Regulation) helps the manufacturers of medical devices in regulating, protecting and processing personal data by the individual, company or organization that relates to the EU.
The EU Cybersecurity Act certifies Cybersecurity for ICT products, services, and processes.
According to the Cybersecurity Act, manufacturers are required to demonstrate state of art in the design, development, and improvement of their medical devices throughout their life cycle. During that period, the manufacturers must consider the safety, security, and efficacy of the medical devices, and in vitro diagnostic safety mechanism design must be considered early during the manufacturing process.
Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices Figure 4: Lifecycle stages
The MDCG has proposed some key philosophies of the staged security concept strategy (“defense in depth strategy”) as follows:
Security management
Specification of security requirements
Security by design
Secure implementation
Management of security-related issues
Security update management
Security risk management
The list of possible IT security requirements for the operating environment according to MDCG:
Compliance with national and EU regulations (e.g., GDPR).
Ensuring appropriate security controls are in place
Ensuring the physical security of the medical device through security measures
Ensure control and security of network traffic through proper measures
Life Cycle Aspects
Security measures specific to their workstations connected to the medical device.
Security vulnerabilities related to the device hardware/software and third-party hardware/software used with the medical device.
During the life of the devices, the manufacturer should implement the process to collect post-market information about the security of the device.
Source: MDCG 2019-16 Guidance on Cybersecurity of medical devices Figure 3: Cybersecurity measures may cause safety impacts
Based on the EU Cybersecurity Act, the manufacturer must provide the following information to the user of the medical device:
Specifications of the operating system
IT security risk assessment information.
Provisions for ensuring the integrity of software updates and security patches
Product installation
Security configuration options
Initial configuration guidelines
Step-by-step instructions for deploying security updates
Description of the backup and restore functions for data and configuration settings
Procedures for using all the medical devices in failsafe mode
The manufacturers are required to establish a post-market surveillance (PMS) system and actively keep these PMSs (Post Market Surveillance) up to date. Medical device cybersecurity requirements should be part of this PMS system.
Depending on the class of medical device, a PMS report or PSUR report will be generated, which concludes the analysis of all data from the market.
FAQs
How can we protect heath care from cyber-attacks?
· Vulnerability assessment and required testing · Training health care providers to protect from any breaches · Follow the standards of the regulations
Where is Cybersecurity used?
Cybersecurity helps in protecting the Datas, software or hardware connected with the system. This reduces unauthorized access to the data or the system.
What is the PATCH act?
PATCH act helps to meet all the Cybersecurity requirements for the manufacturer to complete FDA regulation standard.
What medical devices can be hacked?
MRI, Pacemakers, Implants, Heart rate monitors, Drug infusion pumps, medical records and other devices connected to the hospital network.
What are the new cybersecurity requirements according to EU MDR?
MDR Annex I explain the risks associated with the interaction between software and medical devices. Manufacturers should follow standard during life cycle, risk management, verification, and validation of the devices.
Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.
A Label is the written, printed, or graphic information that goes on the packaging of the medical device.
Instructions For Use (IFUs) or Package Insert is the essential information accompanying the medical device for its safe and effective use by the user. It can be a single to multiple-page document.
Labelling is the content that goes on the Label or IFUs.
What are the minimum requirements for labeling?
The ISO has published many standards applicable to the medical device industry. Some of them are as below:
Standard Number
Standard Name
ISO 18113
In vitro diagnostic medical devices – Information supplied by the manufacturer (labelling) – Part 1, 2, 3, 4 and 5
ISO 28219
Packaging – Labelling and direct product marking with linear bar code and two-dimensional symbols
Medical devices – Information to be supplied by the manufacturer
ISO 14025
Environmental labels and declarations – Type III environmental declarations – Principles and procedures
ISO 14021
Environmental labels and declarations – Self-declared environmental claims (Type II environmental labelling)
ISO 14020
Environmental labels and declarations – General principles
ISO 22742
Packaging – Linear barcode and two-dimensional symbols for product packaging
There are more specific product-oriented labelling standards available.
ISO 20417 has defines information to be disclosed by the manufacturer. Every medical device manufacturer, distributor, importer, or Authorized Representative is bound to comply with the standard before placing the device on market. The requirements are as follows:
Information on Label
Manufacturer details – Trade Name, address, country
Product description.
Product identification – model or catalogue number, Lot number, serial number, expiry date, UDI,
Storage instructions
Operating instructions
Warning or precautions
Presence of any harmful substances (>0.1% w/w), biological origin substances, medicinal substances, nanotechnology materials
Electronic IFUs (if available)
Mention of: Single-use/ Single patient multiple-use / Reuse / Limitation on reuse
If Sterile and method of sterilization
Explanation of safety-related colours
Information on Packaging
Name and address of the manufacturer or an authorized representative
UDI
Production controls – lot number, serial number, expiry date
Model number, catalog number, commercial name
Mention of: Single-use/ Single patient multiple-use / Reuse / Limitation on reuse
Storage or special handling requirements
Any special requirements for battery-powered medical device
Contraindications, warnings, or precautions
Information in IFUs
General information (as above)
Intended Use of the medical device
Safety information
Performance of the medical device
Any residual risk associated with the use of the medical device or its accessory
Any known contraindications
Document control number of the IFU
Safe disposal information
Any specific instructions for handling or preparatory treatment
Any warnings, precautions, or limitations
If any accessories or indicators are provided along with the device, instructions on their use to be provided in the IFU.
Technical description
The harmonized ISO standard makes sure true and uniform information is conveyed to a lay/common person.
Global Labelling Requirements
Most countries have a mandatory requirement for the IFUs or Labels in their local language. To streamline this requirement, ISO 15223 standard provides a list of signs and symbols that depict common terms such as Manufacturer, Lot number, storage conditions, Expiry, eIFU and many more.
The uniform symbols help in identifying the necessary information without the language barrier. Another advantage is it saves significant label space.
FAQs
Is it necessary to follow the ISO standards?
It is advisable to develop a medical device in compliance with the applicable harmonized standards. This shall favor in smooth marketing of the product along with its competitors.
Is it necessary to brief the symbols in IFU when symbols from standards are used?
Yes, it is required to brief every symbol in the IFU that is used on the label of the product.
Can a distributor or an importer label be affixed separately apart from the main label?
Yes, it is also allowed to affix these labels separately on the product. This is because one manufacturer may have several distributors or importers within EEA.
Is it necessary to create dedicated labels for accessories of medical devices?
Yes, it is. Not every time the accessory is shipped along with the medical device and it is required to identify them with appropriate labels.
If the manufacturer wants to provide an eIFU how to indicate this on the label?
Firstly, not all the medical devices are eligible for eIFU provision. Regulation 207/2012 states what are the categories of MDs that are eligible for eIFU.
What is the deadline to implement UDI carrier on device labelling?
Article 123.3.f states these timelines as:
Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.
The De novo request is a simpler marketing pathway to classify novel medical devices that provide a reasonable assurance of safety and effectiveness for the intended use and do not already have a predicate device on the market. FDA also declares that the devices marked as Class I or II as per De novo request can be further used as a predicate device for future premarket 510(k) notifications.
De Novo Request Procedure
There are two ways to submit a De Novo request to the FDA for a risk-based evaluation of the device’s classification into class I or II.
Method 1: In response to a previous 510(k) submission that determines the product as high-level not substantially equivalent (NSE).
Method 2: The requester determines that no legally marketed devices can be treated as substantially equivalent. Then without first submitting 510(k), the device can receive a high-level NSE determination.
The FDA recommends that sponsors follow a pre-submission to get feedback from the appropriate premarket review division.
Points to remember
FDA will reject the De novo request if:
The Coversheet of the request does not mention “Request for Evaluation of Automatic Class III Designation.”
Administrative Information about the device
Device description
Classification information and supporting files
Clinical data (if applicable)
Non-clinical data, including bench performance testing
Once applied, receive a Unique Document number assigned by CDER/CDRH
Within 7 days, the centre communicates the applicant with a DeNovo number via acknowledgement letter
Stage:01 Acceptance Review (Refer to the Acceptance checklist) which is an initial review to evaluate the availability of the document
Stage:02 Substantive review – a detailed review along with an interactive review to discuss with the applicant for the deficiencies to be resolved
De Novo request decision
The FDA will make a final decision on whether to grant or deny the De Novo request after reviewing it. In some cases, the FDA will consider withdrawing the De Novo request. If the FDA decides to withdraw a De Novo request, the requester is notified with the De Novo request number and the date the FDA decided to withdraw the De Novo request. These orders aren’t available on the FDA’s website.
De Novo Submission Fee Requirements
The Current fee requirements for De Novo request submission can be found here.
De Novo Submission Flowchart Representation
Refer to the final rule for more information on the content of the De Novo Request.
What are the immediate effects after the FDA grants the De Novo request?
The new device is authorized to be marketed and must be in compliance with applicable regulatory controls A new classification regulation for the device type is established The new device may now serve as a predicate device for 510(k) submissions of future devices of the same type, when applicable The FDA publishes in the Federal Register a notice that announces the new classification regulation and, for class II devices, the new special controls The FDA posts on its website a copy of the granting order notifying the requester we have granted marketing authorization The FDA generates and publicly discloses a decision summary
Why does the FDA decline the De Novo request?
General controls or general and special controls are insufficient to provide reasonable assurance of the safety and effectiveness of the device (or) The data provided in the De Novo request are insufficient to determine whether general controls or general and special controls can provide a reasonable assurance of the safety and effectiveness of the device (or) The probable benefits of the device do not outweigh the probable risks.
When does the FDA withdraw a De Novo request?
The requester submits a written notice to the FDA that the requester is withdrawing the De Novo request (or) The requester fails to provide a complete response to a request for additional Information (21 CFR 860.240), or deficiencies identified by the FDA (21 CFR 860.230) are not addressed within 180 days after the date the FDA issues such request (or) The requester does not permit an authorized FDA employee an opportunity to inspect the facilities (21 CFR 860.240) at a reasonable time and in a reasonable manner and to have access to copy and verify all records pertinent to the De Novo request.
Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.
ISO – International Organization for Standardization, is the international, non-governmental body for drafting and establishing technical and non-technical standards. These standards are developed by different committees within the ISO. Having around 165 member states, with one representative from each, ISO is a global entity catering to the needs of industry requirements.
Are ISO standards important?
The ISO medical device standards are the Bible for many countries, especially ones which do not have predefined regulations or processes. For regulated countries, in addition to their respective regulations and guidance, ISO standards are also preferred. The most popularly referred ISO standard is the ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes. In addition to general standards, ISO also publishes product-specific guidance such as for Implants, Orthopedic, Medical Electric Equipment, and many more.
Global ISO Requirements
In Europe, the European Commission has the Medical Device Regulation MDR 2017/745 and In-vitro Diagnostic Device Regulation IVDR 2017/746. These regulations provide a detailed framework for introducing a medical device in the European market. However, in addition to that, certain ISO standards may also be referred to for ensuring a better-quality product. Some of the many popularly used standards include:
ISO 14971:2019 Medical Devices – Application of Risk Management to medical devices
ISO 15223-1:2021 Medical devices – Symbols to be used with information to be supplied by the manufacturer – Part 1: General requirements
IEC 60601-2-83 Medical electrical equipment – Part 2-83: Particular requirements for the basic safety and essential performance of home light therapy equipment
IEC 60601-1 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance
The European Commission also has Harmonized Standards, developed by European Standards Organization CEN, CENELEC, or ETSI, per the international standards. It provides a list of the applicable harmonized standards for enhanced product safety and quality.
In the USA, the US Food and Drug Administration (FDA) has a Code of Federal Regulations (CFR) and Guidance.
CFRs are legally binding. Manufacturers must comply with the requirements of CFR
The guidance provides Agency’s thinking on regulatory issues. They are NOT legally binding
In addition to these, the FDA also accepts certain recognized consensus standards from different organizations such as ISO, CLSI, ANSI, IEC, CEN, etc. These standards may be used to justify a Declaration of Conformity for a product. The widely accepted medical device ISO standards are, but are not limited to:
ISO 10993 – Biological Evaluation for Medical Devices
ISO 14160 – Sterilization of Healthcare Products
ISO 11737 – Sterilization of Medical Devices
In Canada, the Standards Council of Canada (SCC) is the ISO member body. Similar to the US FDA, the Therapeutic Products Directorate (TPD) of Health Canada periodically releases a list of acceptable international or national standards for medical devices. Manufacturers can use these recognized standards in conjunction with the Health Canada’s Medical Devices Regulations (SOR-98/282) and the Guidance Documents, to prove product conformity and safe use in the market.
China‘s National Medical Products Administration (NMPA) is developing indigenous standards that more closely align with those of ISO. Biocompatibility testing is one avenue where the scope and requirements for China are more than that of the US/EU. Hence, NMPA has developed various biocompatibility testing standards which are to be used in addition to the ISO standard.
For the rest of the world’s medical device industry,
India encourages ISO certification for all its industries. The medical sector must be ISO 13485 compliant while the pharmaceutical sector must be ISO 9001 compliant for Quality Management Systems, in addition to other relevant and applicable ISO standards.
Japan’s The Japanese Industrial Standards Committee (JISC) is an ISO member body. The regulatory authority, Pharmaceutical and Medical Device Agency (PMDA) revised its Ordinance No. 169 in 2021 to closely align with the ISO 13485:2016 standard. The transition period is 3 years and must comply by March 25, 2024
For the Korean regulatory authority, aligning the requirements of Korean Good Manufacturing Practice (GMP) to that of ISO 13485:2016 is believed to be a step closer to entering the Medical Device Single Audit Program (MDSAP)
Russia’s Federal Service for Surveillance in Healthcare (Roszdravnadzor) is known to accept ISO 13485:2016 certification. Information on acceptance of other ISO standards cannot be confirmed. It does not accept market approvals in the US, EU, or other countries as a reference for market authorization in Russia
Australia’s Standard Australia is a member of the ISO, IEC, and ICSID. It strongly encourages the use of international standards, except where their use is ineffective or inappropriate and does not develop any national Australian standard for which there is already an international standard in existence. In 2019, TGA published Therapeutic Goods (Conformity Assessment Standard for Quality Management Systems) Order 2019which provides a list of applicable conformity assessment standards.
Brazil’s ANVISA accepts Good Manufacturing Practices (GMP) along with the ISO 13485
FAQs
Can QMS be established solely based on ISO standards?
For countries that do not have their own QMS regulations, the ISO standard can be used as a reference. For countries with established local regulations, and that accepts ISO, both ISO standard and local/national regulations must be considered.
Are ISO standards freely available?
No. ISO standards are available for purchase from the ISO official website. However, they do have FREE read-only formats available.
Comparing ISO standards to local regulations, which one takes precedence?
The local or national regulation always takes precedence over the ISO standard.
Can the manufacturer use an older version of an ISO standard for compliance?
No. Manufacturers must make sure they comply with the active or most recent version of the ISO standard. This is not restricted just to ISO standards but applies to National regulations too. Manufacturers must keep their QMS up to date with the latest requirements of the industry. The ideal way to be updated is to refer to the latest version of any Standard or Regulation.
Disclaimer: Regulations/legislations are subjected to changes from time to time and the author claims no responsibility for the accuracy of information.