7 common problems with ISO 13485 and International Regulations

Manufacturing plant awaiting evaluation against ISO 13485 (Medical Device Management System)


In addition to a new ISO 13485 Standard in 2016 and the MDR/IVDR regulations in 2017 (with associated deadlines), we note other changes afoot that will affect Medical Device Manufacturers, Component Suppliers to Medical Device Manufacturers and to Distributors of Medical Devices. 

There are seven items of significant impact that you should note:

Table of Contents

  1. New ISO 13485 in preparation but stalled
  2. Risk Management in ISO 13485:2016 and implications for Suppliers to Medical Device Manufacturers
  3. MDR/IVDR Guide for Distributors of Medical Devices published
  4. MDSAP and the Problem with European Regulations
  5. Complexities in MDSAP implementation
  6. Canada to fully adopt MDSAP
  7. U.S. Regulatory Clearance Does Not Equal CE Mark/Worldwide Approval


#1 New ISO 13485 in preparation but stalled

Having published the EU Medical Devices Regulations EU 2017/745 and the In-Vitro Diagnostic Regulation EU 2017-746 (MDR & IVDR), the relevant technical committees are reviewing what technical changes are desirable and also addressing the new Annex ZA/ZZ for ISO 13485.

The template for the new Annex ZA/ZZ was agreed upon by CEN/CENELEC and the European Commission (EC).  We now await the publication date for the EN Harmonized version of ISO 13485 to incorporate the new Annexes. While an ISO Working Group was established in 2019 we still wait for the publication of a CD - Committee Draft, the first stage in preparing a revised Standard.

Is there a possibility that instead of the confusion of publishing a new version of the Standard with a new year of publication (say, EN ISO 13485:2023), they would publish the Annexes as a Supplement to the existing international version?

#2 Risk Management in ISO 13485:2016 and implications for Suppliers to Medical Device Manufacturers

ISO 13485:2016 introduces more rigorous risk management requirements. Medical device manufacturers are now required to consider the risk associated with a device from conception through to end-of-life disposal. Risk management must be incorporated into every aspect of the quality management system.

The Standard puts Risk Management in context for the industry as well as put it in context for the supply chain and the life cycle of the product.

Less is left to interpretation than in the previous version. The Medical Device Manufacturer is required to not only apply risk-based analysis and risk-based controls to its own operations, but also to Suppliers of critical services and critical components for their devices as they go to market.

#3 MDR/IVDR Guide for Distributors of Medical Devices published

Ireland’s HPRA has published a Guide that addresses and clarifies the obligations applicable to distributors of Medical Devices under the MDR and IVDR Regulations. 

The Guide includes important recommendations regarding the methods that can be used by distributors to comply with obligations and ensure good distribution practice.  The Guide recommends that distributors establish a quality management system to provide assurance that …

  • only medical devices which comply with the MDR and IVDR are distributed in the EU,
  • noncompliant, defective or unsuitable medical devices can be detected, that traceability is maintained and
  • non-conformances and the introduction of changes are controlled.  

An ISO 13485 quality system is referenced as a suitable basis for such a quality management system.

NOTE: For those not familiar with guidance from Regulatory Bodies, it should be noted that, while the dictionary will tell you that ‘guidelines’ are optional. Regulatory Bodies invariably treat them as mandatory and inspect for compliance against them!


#4 MDSAP and the Problem with European Regulations

Manufacturers selling their products in multiple countries must comply with regulations in each country, which can be a complex and time-consuming process; the challenge of achieving compliance in multiple markets can even lead manufacturers to refrain from expanding. In addition, regulatory variation from country to country means different audits and processes are required.

This is why a global approach to auditing has long been on the agenda of international regulators. This led the International Medical Device Regulators Forum (IMDRF) to initiate preparation for the Medical Device Single Audit Program (MDSAP) ten plus years ago.

Piloting the MDSAP Program

The participating countries started a trial of the single audit program in January 2014, and in June 2017 a report collated the outcomes of the prospective “proof-of-concept” criteria established to confirm the viability of the MDSAP. The international coalition of countries participating in the pilot included five organisations:

  • Australia’s Therapeutic Goods Administration (TGA)
  • Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)
  • Health Canada
  • Japan’s Ministry of Health and Labour and Welfare (MHLW)
  • US Food and Drug Administration (FDA)

Now that the trial period has come to an end, the program is officially active in these five countries (see #5, below).

The EU is an ‘Outlier’ as is MHRA and WHO

The EU was an observer to the MDSAP Pilot but could not fully participate because of the EU regulatory structure regarding Medical Devices. In order to register a device in the EU, a CE Mark Certificate is mandatory. Such a demonstration of compliance with EU Regulations was no part of MDSAP, where the objective was mutual recognition of compliance with regulations based on the MDSAP alone.


#5 Complexities in MDSAP implementation

One of the features of MDSAP is that certification of compliance is restricted to certain named certification bodies only, to be called Auditing Organizations (AOs).  As of August 2020, there were 14 organizations approved as AOs with two further applicant organizations.  It is interesting to note that nine of the approved AOs are European.

Another feature of implementation is the variation in the way the five regulators use the results of MDSAP audits.

In Australia, the Therapeutic Goods Administration (TGA) will accept an MDSAP certificate as proof of compliance with ISO 13485 when a TGA certificate of conformity (CAC) is not required. When a TGA CAC is required, TGA will still take MDSAP certificates into consideration and an MDSAP certificate may help a manufacturer avoid a routine inspection by TGA.

In Japan, Brazil and the US, MDSAP audit reports can be used as a substitute for routine inspections in certain circumstances.

Canada, on the other hand, hasn’t hesitated.

#6 Canada to fully adopt MDSAP

Health Canada is the only participating regulator requiring all companies to undergo MDSAP audits.

Beginning 1   January 2019, companies marketing Class II, Ill and IV medical devices in Canada need a valid MDSAP certificate to get, maintain or amend a medical device license. 

No doubt this is only the beginning of the MDSAP story, as the advantages of the scheme in reducing the burden on regulators and the regulated, while maintaining patient safety, is a modern Holy Grail for this sector.

#7 U.S. Regulatory Clearance Does Not Equal CE Mark/Worldwide Approval

Many North American organizations assume regulatory clearance in the U.S. can be used as a gateway to CE Mark approval in Europe, and all over the world. However, there is no mutual recognition among regulatory agencies and, particularly in Europe, there are significant regulatory barriers to be overcome in obtaining a Marketing Authorisation.  

While getting clearance from the FDA can make the CE Mark process easier (organizing technical files/design dossier), organizations should have a clear understanding that the approval process is judged by a different set of criteria.

To commercialize a medical device in Europe, the product must meet the essential requirements dictated by the appropriate Regulations (MDR, IVDR and others may apply) for that product. The same concept applies when commercializing products in other parts of the world.



Choose an ISO 13485 Course


Note: First published April 2018; updated and revised in August 2021.

Related Articles


deGRANDSON Global is an ISO Certified Educational Organization

InISO 21001 ISO 29993 ISO 29994  October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
Find me on:

Subscribe to Email Updates

Recent Posts