Standards, Guidance Documents, and Regulations

Your quality system will have a defined set of rules that it will have to follow. Unfortunately, every single system has a slightly different ruleset. What rules you need to follow will depend on your location, the type of device you are manufacturing, and where you plan to sell your device.

Market authorities set regulations that you must comply with to market your device in the geographic area they control. For example, the U.S. FDA has authority over the United States of America. The FDA requires all medical device manufacturers to have a quality system compliant with Title 21 of the Code of Federal Regulations, Section 820, Quality System Requirements. That is an example of a set of regulations. Everyone participating in that market must comply.

Then there are accepted standards, such as ISO 14971, which is a voluntary standard on Risk Management. ISO does not require any manufacturer to comply with its standards. Authorities having jurisdiction (AHJs) such as the FDA may require compliance, though.

Because there are so many different types of medical devices, it is challenging to develop regulations that apply to all devices. Because of this, those same AHJs that set regulations also release guidance documents for how to apply those regulations to specific device types. MDCG 2019-16 is a guidance document for participating member states of the European Union on cybersecurity for medical devices. If your device is hardware only, this guidance may not apply to your operations.

As an Audit Program Manager, it will be essential to know and understand which regulations, standards, and guidance documents apply to your operations.