Regulatory Auditor: “How do you know your product is safe?”

Medical Device Manufacturer: “Our product must be safe for patients because it has been on the market for over 20 years.”

Auditor: “Can you show me your clinical data?”

Manufacturer: “We don’t have clinical data because our device is just like other devices on the market.  If theirs are safe, ours is safe.”

Auditor: “What product characteristics did you compare and what similar devices did you base your assessment on?”

Manufacturer: “It was a really long time ago.  I don’t think there is anybody still working here who would remember what was checked or which other devices were looked at.”

Auditor: “How about complaint data?”

Manufacturer: “We don’t get complaints.”

Auditor: “Can you show me your procedure for managing complaints?”

Manufacturer: “Why would we need a procedure for managing complaints we don’t receive?”

Auditor: “How would your employees recognize a complaint if they got one, or how to handle it?”

Manufacturer: “Trust me, that won’t happen.”

In a regulated industry, the prevailing posture of regulatory representatives, in my experience, has been “Show me proof.”  In fact, the philosophy I’ve heard repeated by regulators is “If it wasn’t documented, it didn’t happen.” 

ISO 13485:20161 requires control of records to provide evidence of conformity to requirements, that records remain legible and retrievable, and that records be retained for at least the lifetime of a medical device or as specified by applicable regulatory requirements, whichever is longest.

Similarly, the U.S. Quality System Regulation (QSR) for Medical Devices (21 CFR 820)2 requires that records providing evidence of regulatory compliance be made readily available for review, be legible and be retained for the expected life of the device, but in no case less than 2 years from the date of release.  

The European Medical Device Regulation (EU MDR)3, which became law in 2017, requires that, upon request, manufacturers provide regulators with “all the information and documentation necessary to demonstrate the conformity of the device.”

Alas, if only the device manufacturer’s representative responding to the regulatory auditor in the hypothetical conversation above had known…

Want more information about managing records required for regulatory compliance, or help with record control for your organization? EMMA International can help! Contact us via our website, by phone at 248-987-4497, or by sending an email to: info@emmainternational.com.


1ISO 13485:2016(en) Medical devices — Quality management systems — Requirements for regulatory purposes; Section 2.4.5 Control of records, ©2016, ISO, accessed 09/15/2022 via the ISO Online Browsing Platform (OBP) at https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1:en

2U.S. Code of Federal Regulations, 21 CFR 820, Subchapter H – Medical Devices, Quality System Regulation, Subpart M – Records; last updated March 29, 2022, by the U.S. Food and Drug Administration, Department of Health and Human Services, accessed on 09/15/2022 via https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?CFRPart=820&showFR=1&subpartNode=21:8.0.1.1.12.13

3Regulation (EU) 2017/745 – 5 April 2017 on medical devices, Chapter II, Article 10, Item 14, last updated 04/24/2020 and accessed 09/15/2022 via the Portal of the Publications office of the EU at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02017R0745-20200424&from=EN#tocId14

Diane Kulisek

Diane Kulisek

Ms. Kulisek serves as a Senior Quality Engineer and Senior Regulatory Affairs Specialist for EMMA International’s Technical Operations team. She has experience in technical writing, quality management systems, regulatory enforcement remediation, corrective and preventive action management, electronic data management systems, cybersecurity, and design controls for the medical device industry. Ms. Kulisek also has significant past experience in quality engineering and management for mass-produced consumer products, electronics, aerospace and commercial filtration industries. Ms. Kulisek holds a Master of Science in Engineering with a concentration in Civil, Industrial and Applied Mechanical Engineering Management from California State University, Northridge (CSUN) and a Bachelor of Arts in Biology with a concentration in Environmental Biology, also from CSUN. She also holds a Graduate Certificate in Program Management from West Coast University, a Lean Six Sigma Green Belt from Six Sigma Systems, Inc., and Certifications for multiple EU MDR and EU IVDR topics from Greenlight Guru. Ms. Kulisek maintained American Society for Quality Certifications for more than twenty consecutive years as a Quality Engineer (ASQ CQE) and as a Manager of Quality / Organizational Excellence (ASQ CMQ/OE).

More Resources

Pattern Recognition as a Quality Superpower

Pattern Recognition as a Quality Superpower

There are always new ways and reasons to apply pattern recognition to quality improvement. Better ensuring patient outcomes in health care facilities and improving accuracy for medical diagnoses are two such frontiers.
Record Control for a Regulated World

Record Control for a Regulated World

In a regulated industry, the prevailing posture of regulatory representatives, in my experience, has been “Show me proof.” In fact, the philosophy I’ve heard repeated by regulators is “If it wasn’t documented, it didn’t happen.”
EU MDR SSCP’s: The Importance of Readability

EU MDR SSCP’s: The Importance of Readability

Among many of the new requirements that EU MDR has introduced, the Summary of Safety and Clinical Performance (SSCP) is certainly one of the more confusing ones for many firms. SSCP’s are required for implantable and Class III devices under EU MDR and is intended to be a public document summarizing important safety and clinical performance information about the device.

Ready to learn more about working with us?

Pin It on Pinterest

Share This