QMS question in regards to multiple medical devices/products and N/A activities

[bolesen]

We are Medical Device Software company in US with ISO 13485 certification and currently in process of getting our CE Mark for our Class IIa PACS Device.
We just went through a MDD /Technical File gap audit and are awaiting our MDD expansion audit with TUV-SUD.

Our other 2 devices are Class 1 low risk devices (MDDS & Intra-Oral Camera) which are only sold in US.
I am updating all our QMS docs for our other 2 products and have a couple questions on how to state or what is required for non-applicable activities, processes, and procedures.
1. Do we need to create any Technical Documentation for these other devices?
2. How do we state in our Procedures and/or Plans IE: Post Market Surveillance Procedure and Plan, Clinical Evaluation Plan… that certain activities are N/A?

I am new to Regulatory so any feedback is greatly appreciated.

 

[yodon]

For now, 13485 certification in the US is mostly meaningless (from a regulatory perspective).

Your QMS docs should effectively say that you comply with whatever regulations are applicable for the jurisdictions where you distribute. The FDA does require a Quality Management System and, by and large, if you build it around 13485 you'll be at least pretty close to meeting the Quality System Regulation (QSR). You still need to understand that and how it applies to your products.

You'll need to find out what product codes are applicable to your products to know for sure what technical documentation is required. There are several FDA guidance docs that may be helpful: premarket submission, software validation, and premarket cybersecurity (draft).

IEC 62304 (SW Lifecycle) is an FDA recognized consensus standard (and harmonized in the EU... although different versions) so you'd be well advised to look at that for how you document your software. (You'll still want to classify your software according to major / moderate / low per the FDA guidance.)

Cybersecurity is definitely becoming a focus and if you're handling any protected health info, you'd be wise to take a hard look at your security.

I would approach your second question by documenting it in the product development plan. Do note that 62304 does drive a "maintenance" activity whereby you are expected to get and assess feedback from users - so postmarket surveillance wouldn't be completely excluded.

 

[Ronen E]

For now, 13485 certification in the US is mostly meaningless (from a regulatory perspective).

Even if one goes through MDSAP?

 

[yodon]

Compliance in the US is still to the QSR. An MDSAP audit would cover all the QSR requirements. Of course, if you're getting an MDSAP audit, you'd be marketing outside the US - where 13485 is the standard.

 

[bolesen]

These two Class I devices are classified as very low risk devices and distributed only in US.
We also just went through a complete FDA audit in 2019 so I believe we should be good on QMS side.

I just wasn't sure how to best state that certain Post market Activities defined in our new Post Market Procedure are non-applicable for a device/product.

 

[Watchcat]

For now, 13485 certification in the US is mostly meaningless (from a regulatory perspective).

Ah, lightbulb moment! From what perspectives might it be meaningful?

 

[yodon]

13485 aligns pretty well with the QSR so if you do have certification, you're going to be pretty close to what FDA expects. However, they're not going to take a look at your cert and say "Oh, you're good."

 

[Watchcat]

For now, 13485 certification in the US is mostly meaningless (from a regulatory perspective).

From a business perspective, savvy contract manufacturers find it valuable, even if they only manufacture for the US market. This is because CDRH's QSR oversight is minimal to non-existent, and therefore FDA registration is not a big pitch for a contract manufacturer. I advise US startups to work only with contract manufacturers that are both FDA registered and ISO 13485 certified. I would advise US healthcare providers to purchase medical devices only from manufacturers that meet both of these criteria as well.

they're not going to take a look at your cert and say "Oh, you're good."

And long may she wave...

 

[Ronen E]

I would advise US healthcare providers to purchase medical devices only from manufacturers that meet both of these criteria as well.

They have to. It's illegal to sell medical devices in the USA where the manufacturer (including contract manufacturer) is not FDA registered.
Perhaps the recommendation to the purchaser should be to verify that they are indeed.

 

[Watchcat]

They have to.

They have to be FDA registered. They do not have to be ISO 13485 certified.