Medical device regulatory compliance FAQs
Product developers often ask: Is my product considered a medical device? Will I need to comply with medical device regulations, and if so, which ones?
FAQ: When is a product considered to be a medical device? Definitions
How do you know if your product classifies as a medical device?
According to medical device definitions published by Regulatory Authorities and other Government Agencies (e.g. the TGA, FDA, World Health Organisation), the definition of a medical device hinges on ‘intended use’ (device purpose).
A medical device is any product intended to be used for a medical purpose, including products intended to:
- Diagnose, prevent, monitor, investigate, treat or alleviate a disease or injury
- Replace, modify, and/or support the anatomy or a physiological process or bodily function (for example, a product designed to compensate for an injury or other medical condition)
For example, stand-alone software used for medical purposes is considered a medical device (subcategory: SaMD = Software as a Medical Device).
FAQ: What are some examples of medical devices?
A medical device can be “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, which is intended by the manufacturer to be used (alone or in combination) for a medical purpose.”
Source: Australia's Therapeutic Goods Administration (TGA).
Medical devices thereby represent a diverse industry. There are thousands of different medical products and product types, from bandages and splints to implanted devices and other life-saving equipment.
Medical devices include medical equipment, prostheses, diagnostic software, monitoring tools, and other products which may achieve their purpose by a:
- Physical means (physical action)
- Mechanical means/action, and/or
- Chemical means/action
FAQ: Will I need to comply with medical device regulations, and if so, which ones?
The answer to the first question is typically a ‘YES’.
If you have a product that is intended to be used for a medical purpose, you will need to comply with the relevant medical device regulations.
- As to which regulations apply to your company and type of device, you will need to consult with the relevant Competent Authority (Regulatory Authority) in your manufacturing, servicing, and/or distribution regions.
- Examples of these Authorities include the FDA for the distribution of a medical device in the USA, the TGA for the distribution of your products in Australia, the EMA for distribution in Europe, the MHRA for distribution in the UK, and other relevant Government Authorities.
FAQ: What regulations do medical device companies need to comply with?
Medical device manufacturing is a component of the pharmaceutical industry and compliance with PIC/S GMP guidance is expected.
In general, Regulatory Authorities expect medical device companies to comply with GMP rules, including Good Recordkeeping Practice (GRK) as well as with ISO 13485 Quality Management System (QMS) requirements.
These regulations generally aim to ensure products perform as intended.
Compliance with medical device regulations also helps reduce potential risks to patients and other users of the device, such as their medical practitioners & other caregivers.
FAQ: Will my medical device company be audited by the Regulatory Authority?
Companies are also generally inspected by auditors from the Regulatory Authorities in the jurisdictions of their operation and/or distribution.
This includes the FDA in the USA, the TGA in Australia, the MHRA in the UK, and the EMA in the European Union (EU); and other Regulatory Authorities as applicable.
Most Regulatory Inspections will evaluate (audit) a medical device company’s compliance with PIC/S GMP rules, ISO 13485 QMS standards, and other relevant GxP guidelines, and/or medical device regulations specific to their jurisdiction.
- Conformity Assessments for medical device products are generally required, but Conformity Assessment Programs may vary somewhat between jurisdictions.
- Note: MDSAP is a compliance auditing program for medical device companies, but is beyond the scope of this article. However, MDSAP is discussed in the ISO 13485 compliance training course.
Be sure your personnel comply with product-specific regulations and legal requirements in your jurisdiction of manufacture, product distribution and servicing.
Medical device approval processes must be considered for each jurisdiction where your company intends to manufacture, distribute and/or service your medical device product(s).
You must generally have approval from the Competent Authority before you can supply a medical device to the market.
FAQ: What is meant by medical device classification (product class or risk classification)?
The medical device “product class” is essentially a ‘product risk classification’. It indicates the inherent risks of various types of medical devices; and hence, the level of risk management activities/quality management resources expected to be put into place by the medical device company.
FAQ: Is there a single global product classification system that applies in every country?
No. Each jurisdiction may have its own risk classification system for medical device products. There may be similarities between ‘product class’ systems, but there are also differences.
Regulatory Authorities generally publish their own ‘medical device classification systems’ to cover the wide range of medical device product types being distributed in their regions. Generally, it is the responsibility of the manufacturer or distributor to determine which ‘product class’ is relevant for their medical device.
- The product class — relating to the product’s risk classification — will have an impact on regulatory expectations for:
  - Quality management system procedures
  - Risk management activities and controls
  - Provision of resources (e.g., personnel qualifications, personnel training, role responsibilities, manufacturing facilities, equipment, etc.)
  - Other quality assurance measures
- A Class III medical device in the USA falls into the highest risk category for a medical device, according to the FDA’s classification system for medical devices.
- Products in the FDA’s Class III category include items such as pacemakers and other life-sustaining devices.
FAQ: What is ISO 13485?
In general, most medical device companies will be audited to ISO 13485: Quality Management System requirements for Medical Device companies (including maintenance companies/service providers) — or similar standards — as well as any other product-specific and region-specific guidance.
This ISO standard describes the essential components of establishing and maintaining an effective Quality Management System, based on Risk Management principles (which are described in ISO 14971: Risk Management for Medical Device Companies).
To understand Quality Management System regulations for your medical device organisation, refer to this online Certificate Training course: ISO 13485: QMS for Medical Devices.
Note: The ISO 14971 Risk Management for Medical Devices course will be available by 30 July 2022.
FAQ: What does a company need to do when they receive a medical device complaint?
- Quality management responsibilities continue after release to market.
- Post-marketing (post-distribution) product quality monitoring is expected of any company that produces and/or distributes or services a medical device.
- Quality monitoring includes recording all complaints, and any other identified product issues, during and after manufacture and distribution; conducting appropriate root cause investigations; planning and implementing effective CAPAs; and monitoring the impact of such actions.
- Management reviews of the QMS and all related systems and procedures, including non-conformance events and complaints management, are required.
- An effective recall procedure must be put into place (and be ready for personnel to implement).
Quality controls during manufacturing, as well as post-release quality monitoring activities, must meet regulatory requirements.
Courses are available relating to the management of deviations and non-conformance events, QMS documentation, complaints handling, and recalls.
Managing non-conformances in the medical device sector
As with all pharmaceutical industry manufacturing, deviations and non-conformances must be managed according to regulations. Adhere to ISO 13485 requirements and be sure you and your team are trained in compliance with the management of non-conformances in the medical device/pharmaceutical sector.
FAQ: What if my product doesn’t meet specifications, or something doesn’t go to plan during manufacturing?
Not all manufacturing goes to plan. For management of non-conformances and other types of product deviations involving therapeutic goods, click here.
Note: Complaint handling procedures must be included in your Quality Management System (QMS) for Medical Devices. This system and its procedures must be thorough, fully documented, validated where applicable, and kept up to date. Personnel must also be qualified and trained to fulfil their responsibilities.
Adequate resourcing by Management is required (from adequate personnel staffing levels through to workplace conditions/environmental controls, computerised system validation, data integrity measures, and equipment).
- The QMS must generally meet the standards listed in ISO 13485: Quality Management Systems for Medical Device organisations (or similar standards).
- Any exemptions from ISO 13485 requirements (Clause 7) must be documented/justified.
- All product quality complaints must be recorded and investigated. If an organisation deems it unnecessary to investigate a quality complaint, justification for this decision must be documented as part of the Quality Management System (QMS).
FAQ: What is expected in terms of being able to implement a medical device recall, when necessary?
Recall procedures for medical devices and other therapeutic products must be in place. These recall procedures, along with product complaints management procedures, must be reviewed by management (at least annually) to ensure they are appropriate and effective.
Appropriate implementation of investigations (root cause analysis), as well as CAPAs and continuous improvement initiatives, is expected by the Regulatory Authorities.
- Employees must be trained in recall procedures.
- Distribution records must be kept.
Complete the Therapeutic Goods Recalls Training Course (online).
Excerpt from article on Medical Device Recalls: When is a product recall necessary?
A product recall may become necessary after identifying that a quality incident, such as a deviation/non-conformance (e.g. OOT/OOS), product defect, software malfunction, and/or tampering incident, presents an unacceptable risk to users (patients/consumers). Recalls may also be necessary when a product is not in compliance with national laws (e.g. the product does not have a Marketing Authority and/or is being misrepresented via packaging materials and advertisements/other marketing materials). Recalls may be voluntary in nature or they may be mandated by a Competent Authority/Regulatory Authority.
Recalls must be managed carefully, in accordance with your internal PQS/QMS procedures and in compliance with GMP regulations and national laws.
Read the rest of the article on Recalls of Medical Devices – common reasons for medical device recalls.
FAQ: What other quality control guidance is available for medical software product manufacturers & service providers?
Medical software issues:
Risk examples relating to medical device software include potential software failures (coding ‘bugs’), input errors/user errors, miscalculations, memory failure/data loss, power disruptions (for example, during a scan), and other issues.
Does your device include medical-purpose software?
Complete the SaMD (Software as a Medical Device) regulatory compliance training module.
If you need help with your recall procedures and other GMP industry training, browse all available GMP education topics and course listings.
IMDRF definition of Software as a Medical Device: IMDRF.org
Quality systems for Software as a Medical Device – IMDRF guidance can be found by clicking here.