Regulatory Auditor: “How do you know your product is safe?”
Medical Device Manufacturer: “Our product must be safe for patients because it has been on the market for over 20 years.”
Auditor: “Can you show me your clinical data?”
Manufacturer: “We don’t have clinical data because our device is just like other devices on the market. If theirs are safe, ours is safe.”
Auditor: “What product characteristics did you compare and what similar devices did you base your assessment on?”
Manufacturer: “It was a really long time ago. I don’t think there is anybody still working here who would remember what was checked or which other devices were looked at.”
Auditor: “How about complaint data?”
Manufacturer: “We don’t get complaints.”
Auditor: “Can you show me your procedure for managing complaints?”
Manufacturer: “Why would we need a procedure for managing complaints we don’t receive?”
Auditor: “How would your employees recognize a complaint if they got one, or how to handle it?”
Manufacturer: “Trust me, that won’t happen.”
In a regulated industry, the prevailing posture of regulatory representatives, in my experience, has been “Show me proof.” In fact, the philosophy I’ve heard repeated by regulators is “If it wasn’t documented, it didn’t happen.”
ISO 13485:20161 requires control of records to provide evidence of conformity to requirements, that records remain legible and retrievable, and that records be retained for at least the lifetime of a medical device or as specified by applicable regulatory requirements, whichever is longest.
Similarly, the U.S. Quality System Regulation (QSR) for Medical Devices (21 CFR 820)2 requires that records providing evidence of regulatory compliance be made readily available for review, be legible and be retained for the expected life of the device, but in no case less than 2 years from the date of release.
The European Medical Device Regulation (EU MDR)3, which became law in 2017, requires that, upon request, manufacturers provide regulators with “all the information and documentation necessary to demonstrate the conformity of the device.”
Alas, if only the device manufacturer’s representative responding to the regulatory auditor in the hypothetical conversation above had known…
Want more information about managing records required for regulatory compliance, or help with record control for your organization? EMMA International can help! Contact us via our website, by phone at 248-987-4497, or by sending an email to: firstname.lastname@example.org.
1ISO 13485:2016(en) Medical devices — Quality management systems — Requirements for regulatory purposes; Section 2.4.5 Control of records, ©2016, ISO, accessed 09/15/2022 via the ISO Online Browsing Platform (OBP) at https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1:en
2U.S. Code of Federal Regulations, 21 CFR 820, Subchapter H – Medical Devices, Quality System Regulation, Subpart M – Records; last updated March 29, 2022, by the U.S. Food and Drug Administration, Department of Health and Human Services, accessed on 09/15/2022 via https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?CFRPart=820&showFR=1&subpartNode=21:126.96.36.199.12.13
3Regulation (EU) 2017/745 – 5 April 2017 on medical devices, Chapter II, Article 10, Item 14, last updated 04/24/2020 and accessed 09/15/2022 via the Portal of the Publications office of the EU at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02017R0745-20200424&from=EN#tocId14