What it is
Compliance is an organization’s adherence to applicable medical device and IVD laws, regulations, standards, and approvals across the product lifecycle. It covers premarket obligations, market placement, and post-market duties, and it is evidenced through documented processes, records, and outcomes (e.g., ISO 13485 QMS, MDR/IVDR, FDA QMSR). Clear ownership and traceability are essential so regulators can verify conformity.
Regulatory framework
- US (FDA): Registration/listing (21 CFR 807); labeling/UDI (21 CFR 801, 830); Quality Management System Regulation aligned with ISO 13485 (21 CFR 820 “QMSR”); corrections/removals (21 CFR 806); Medical Device Reporting of adverse events (21 CFR 803; not to be confused with the EU MDR); premarket pathways (e.g., 510(k) 21 CFR 807 Subpart E; De Novo FD&C §513(f)(2); PMA 21 CFR 814).
- EU (MDR/IVDR): Manufacturer responsibilities and QMS (MDR Art. 10(9); IVDR Art. 10(8)); technical documentation (MDR/IVDR Annex II–III); conformity assessment and CE marking (MDR Annex IX–XI; IVDR Annex IX–XI); PMS/PSUR and vigilance (MDR Arts. 83–92; IVDR Arts. 78–87); UDI and EUDAMED duties (MDR Arts. 27–33; IVDR Arts. 24–30).
- Canada: Licensing and compliance under Medical Devices Regulations SOR/98-282; reporting (Part 1 §§59–61); recalls and records (§§57–65); MDSAP recognized for QMS evidence.
- Japan (PMDA/MHLW): PMD Act with QMS Ordinance (MHLW Ordinance No. 169/2004) and GVP (No. 135/2004) covering manufacturing control, vigilance, and recalls.
- Australia (TGA): Conformity assessment and ARTG inclusion under Therapeutic Goods (Medical Devices) Regulations 2002; post-market monitoring and incident reporting (e.g., r. 5.7–5.8).
Key elements
- QMS: ISO 13485-based system that controls documents, training, risk, design, production, and CAPA.
- Technical documentation: Current, complete, and aligned with intended purpose and risk controls (MDR/IVDR Annex II–III; US submissions).
- Regulatory approvals/conformity: Correct route (e.g., CE mark, 510(k)/PMA/De Novo) with ongoing conditions.
- Labeling & UDI: Accurate claims, symbols, IFU, and device identification (21 CFR 801/830; MDR/IVDR Arts. 23/27).
- PMS & vigilance: Continuous data collection, trend analysis, reporting, and effectiveness checks.
Process — how it works
- Determine requirements: Classify the device, markets, and economic operators; then map legal and standards obligations.
- Build systems: Establish an ISO 13485 QMS, risk management (ISO 14971), and technical documentation.
- Obtain market access: Complete the correct review/assessment (e.g., NB audit and CE marking, FDA submission) and register as required.
- Control operations: Manufacture under controlled processes, maintain records, and keep labeling/UDI accurate.
- Monitor & act: Run PMS, handle complaints, report events/recalls, and drive CAPA; then verify effectiveness and update files.
Common pitfalls
- Using the wrong market pathway or class, which delays access and increases risk.
- Technical files that do not match actual design, claims, or manufacturing reality.
- Labeling or UDI errors that lead to reportable issues or recalls.
- PMS and vigilance processes that are reactive, not trend-driven.
- Weak CAPA that treats symptoms and omits effectiveness checks.
Quick checks
- Can you show, quickly, the intended purpose, classification, and the chosen route?
- Is the technical file complete and consistent with labeling and risk controls?
- Do PMS and vigilance feed into risk management, CAPA, and management review?
- Are roles, records, and timelines clear for events, corrections, and removals?
FAQ
Is compliance the same as approval or CE marking?
No. Approval, clearance, authorization, or CE marking grants market access. Compliance is broader and ongoing: you must keep meeting all duties after launch.
Which standard best supports compliance?
ISO 13485 provides the QMS backbone. However, you should also apply ISO 14971 (risk), and—when relevant—IEC 62304 (software) and IEC 62366-1 (usability).
How often should we review compliance?
At planned intervals. Use internal audits (ISO 13485 §8.2.4), management review (§5.6), and PMS/PSUR cycles (MDR/IVDR) to confirm ongoing conformity.
What triggers a regulatory report or recall?
Events that caused or could cause serious injury/death, or significant nonconformities. See 21 CFR 803/806 and MDR/IVDR Arts. 87–92.
Does compliance end after certification?
No. It continues through the full lifecycle, including surveillance audits, design changes, and field actions. You must keep files current and records complete.