Regulatory Authority Assessment Method for Recognition and Surveillance of Conformity Assessment Bodies Conducting Medical Device Regulatory Reviews
Document: IMDRF/GRRP WG/N61 FINAL:2024 (Edition 2)
Final Document
Authoring Group
IMDRF Good Regulatory Review Practices
Preface
© Copyright 2024 by the International Medical Device Regulators Forum.
This work is copyright. Subject to these Terms and Conditions, you may download, display, print, translate, modify and reproduce the whole or part of this work for your own personal use, for research, for educational purposes or, if you are part of an organisation, for internal use within your organisation, but only if you or your organisation do not use the reproduction for any commercial purpose and retain all disclaimer notices as part of that reproduction. If you use any part of this work, you must include the following acknowledgement (delete inapplicable):
“[Translated or adapted] from [insert name of publication], [year of publication], International Medical Device Regulators Forum, used with the permission of the International Medical Device Regulators Forum. The International Medical Device Regulators Forum is not responsible for the content or accuracy of this [adaption/translation].”
All other rights are reserved and you are not allowed to reproduce the whole or any part of this work in any way (electronic or otherwise) without first being given specific written permission from IMDRF to do so. Requests and inquiries concerning reproduction and rights are to be sent to the IMDRF Secretariat.
Incorporation of this document, in part or in whole, into another document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the IMDRF.
Jeffrey Shuren, IMDRF Chair
Contents
Introduction
1. Scope
2. References
3. Definitions
4. Assessment Cycle and Program
4.1. Assessment Program Roles and Responsibilities
4.2. Purpose of Assessments within the Assessment Program
4.3. Assessment Activities throughout the Assessment Cycle
5. Navigating the Assessment
6. Assessment of CAB Processes
6.1. Process: Management
6.2. Process: Use of External Resources
6.3. Process: Measurement, Analysis and Improvement
6.4. Process: Competence Management
6.5. Process: Regulatory Review and Decisions
6.6. Process: Information Management
Appendix 1: List of Assessment Tasks and Applicable Requirements
Introduction
This is one document in a collection of documents produced by the International Medical Device Regulators Forum (IMDRF) intended to improve the efficiency and effectiveness of the regulatory review of medical devices, including in vitro diagnostic (IVD) medical devices.
IMDRF/GRRP WG/N47 (Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices) and IMDRF/GRRP WG/N52 (Principles of Labeling for Medical Devices and IVD Medical Devices) are complementary documents. These two documents are focused on the fundamental design, manufacturing, and labeling requirements for medical devices that, when met, provide assurance the device is safe and performs as intended, offering significant benefits to, among others, manufacturers, users, patients/consumers, and regulatory authorities.
IMDRF/GRRP WG/N40 (Competence, Training, and Conduct Requirements for Regulatory Reviewers), IMDRF/GRRP WG/N59 (Requirements for Medical Device Conformity Assessment Bodies for Regulatory Authority Recognition) and IMDRF/GRRP WG/N71 (Medical Device Regulatory Review Report: Guidance Regarding Information to be Included) are complementary documents. IMDRF/GRRP WG/N40 and IMDRF/GRRP WG/N59 are focused on requirements for organizations conducting regulatory review(s) of medical devices and IVD medical devices and individuals performing regulatory reviews and other related functions under their respective medical device legislation, regulations, and procedures required in their regulatory jurisdiction. IMDRF/GRRP WG/N71 expands upon section 7.5.2 of IMDRF/GRRP WG/N59 by articulating exactly the type of information a regulatory review report should include to address the requirements of section 7.7 of N59.
This document, IMDRF/GRRP WG/N61 (Regulatory Authority Assessment Method for Recognition and Surveillance of Conformity Assessment Bodies Conducting Medical Device Regulatory Reviews), is complementary to IMDRF/GRRP WG/N63 (Competence and Training Requirements for Regulatory Authority Assessors of Conformity Assessment Bodies Conducting Medical Device Regulatory Reviews) and IMDRF/GRRP WG/N66 (Assessment and Decision Process for the Recognition of a Conformity Assessment Body Conducting Medical Device Regulatory Reviews). Together, these three documents are focused on how Regulatory Authorities and their Assessors will evaluate or “assess” medical device Conformity Assessment Bodies’ (CAB) compliance to the requirements of IMDRF/GRRP WG/N59 and IMDRF/GRRP WG/N40.
Specifically, the purpose of IMDRF/GRRP WG/N61 is to define the requirements for CABs performing regulatory reviews and other related functions for medical devices, including IVD medical devices. Both the regulatory review process and the decisions made by a CAB may be subject to further review by the applicable Regulatory Authority in the countries and regions where the medical device is manufactured and/or placed on the market.
This collection of IMDRF GRRP documents will provide the fundamental building blocks by providing a common set of requirements to be utilized by the Regulatory Authorities for the recognition and surveillance of entities that perform regulatory reviews and other related functions. It should be noted that in some jurisdictions the recognition process is called designation, notification, registration, or accreditation.
IMDRF developed these GRRP documents to encourage and support global convergence of regulatory systems, where possible, seeking to strike a balance between the responsibilities of Regulatory Authorities to safeguard the health of their citizens as well as their obligations to avoid placing unnecessary burdens upon medical device CABs or the regulated industry. IMDRF Regulatory Authorities may add additional requirements beyond this document when their legislation requires such additions.
To prevent confusion between regulatory review activities performed by a CAB and the activities performed by medical device Regulatory Authority Assessors for CAB recognition and surveillance, in this document, the latter are designated as “assessments.”
Scope
This document defines the content of the Regulatory Assessment Program and provides guidance on the process-based assessment method. The Assessment Program defines how Regulatory Authorities will recognize, conduct surveillance on, and re-recognize CABs that review medical devices or IVD medical device regulatory submissions and may perform other related functions, as shown in Figure 1.
Figure 1. Typical Roles and Responsibilities of CABs and Regulatory Authorities
The scope of activities for which the CAB will be recognized is limited to the regulatory review activities performed by CABs and not to any subsequent review activities or decisions made by Regulatory Authorities, and is indicated by the dotted box in Figure 1. In some cases, the final decision on a regulatory submission is made by the recognizing Regulatory Authority after the CAB completes their review. In these cases, “certification decision” as used in this document refers to the final regulatory review recommendation made by the CAB that is subsequently communicated to the Regulatory Authority.
Recognition, surveillance, and re-recognition are based on a process-based assessment method utilizing assessment tasks related to the requirements found in IMDRF/GRRP WG/N59 and IMDRF/GRRP WG/N40. The assessment method defined in this document will be used to perform the different assessment activities within the Assessment Program. The assessment method specific to the regulatory review of a medical device or IVD medical device may consider additional requirements from the jurisdictions addressed in the Assessment Program.
References
Normative Reference:
- International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC) ISO/IEC 17065:2012 - Conformity Assessment – Requirements for bodies certifying products, processes and services
General References:
- IMDRF/GRRP WG/N40:2024 – Competence, Training, and Conduct Requirements for Regulatory Reviewers
- IMDRF/GRRP WG/N47:2024 – Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices
- IMDRF/Standards WG/N51:2018 – Optimizing Standards for Regulatory Use
- IMDRF/GRRP WG/N52:2024 – Principles of Labelling for Medical Devices and IVD Medical Devices
- IMDRF/GRRP WG/N59:2024 – Requirements for Medical Device Conformity Assessment Bodies for Regulatory Authority Recognition
- IMDRF/GRRP WG/N63:2024 – Competence and Training Requirements for Regulatory Authority Assessors of Conformity Assessment Bodies Conducting Medical Device Regulatory Reviews
- IMDRF/GRRP WG/N66:2024 – Assessment and Decision Process for the Recognition of a Conformity Assessment Body Conducting Medical Device Regulatory Reviews
- IMDRF/GRRP WG/N71:2024 – Medical Device Regulatory Review Report: Guidance Regarding Information to be Included
- GHTF/SG1/N78:2012 – Principles of Conformity Assessment for Medical Devices.
- GHTF/SG1/N46:2008 – Principles of Conformity Assessment of In Vitro Diagnostic (IVD) Medical Devices.
- GHTF/SG1/N71:2012 – Definition of the Terms 'Medical Device' and 'In Vitro Diagnostic (IVD) Medical Device.'
- GHTF SG1/N077:2012 – Principles of Medical Device Classification
- GHTF SG1/N045:2007 – Principles of In Vitro Diagnostic (IVD) Medical Device Classification
- ISO/IEC 17000:2020 – Conformity assessment – Vocabulary and general principles
- ISO/IEC 17011:2017 – Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies
- ISO/IEC 17067:2013 – Conformity assessment -- Fundamentals of product certification and guidelines for product certification schemes
- ISO 9000:2015 – Quality Management Systems – Fundamentals and Vocabulary
- ISO 9001:2015 – Quality Management Systems — Requirements
- ISO 13485:2016 – Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes
Definitions
Assessor: An employee of a Regulatory Authority with the demonstrated personal attributes and competence to conduct an assessment of a Conformity Assessment Body.
Audit: Process for obtaining relevant information about an object of conformity assessment and evaluating it objectively to determine the extent to which specified requirements are fulfilled. (ISO 17000:2020)
NOTE: In this document, “audit” refers to an internal or external activity performed by the CAB itself, and not to activities performed by non-Regulatory Authorities to determine a medical device manufacturer’s conformity with quality management system requirements or other medical device regulatory requirements.
Competence: Ability to apply knowledge and skills to achieve intended results. (ISO 9000:2015, Clause 3.10.4)
Conformity Assessment Body (CAB): A body other than a Regulatory Authority engaged in determining whether the relevant requirements in technical regulations or standards are fulfilled. (IMDRF/GRRP WG/N40:2024)
Lead Assessor: The individual responsible for leading the assessment team. The Lead Assessor manages an assessment team, prepares the assessment plan, conducts any assessment-related meetings, and submits the formal assessment report.
Medical device: Any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings, for one or more of the specific medical purpose(s) of:
- diagnosis, prevention, monitoring, treatment or alleviation of disease,
- diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury,
- investigation, replacement, modification, or support of the anatomy, or of a physiological process,
- supporting or sustaining life,
- control of conception,
- cleaning, disinfection, and sterilization of medical devices,
- providing information by means of in vitro examination of specimens derived from the human body;
and does not achieve its primary intended action by pharmacological, immunological, or metabolic means, in or on the human body, but which may be assisted in its intended function by such means.
NOTE 1: Products which may be considered to be medical devices in some jurisdictions but not in others include:
- disinfection substances,
- aids for persons with disabilities,
- devices incorporating animal and/or human tissues,
- devices for in-vitro fertilization or assisted reproduction technologies.
(Modified from GHTF/SG1/N71:2012)
NOTE 2: For clarification purposes, in certain regulatory jurisdictions, devices for cosmetic/aesthetic purposes are also considered medical devices.
NOTE 3: For clarification purposes, in certain regulatory jurisdictions, the commerce of devices incorporating human tissues is not allowed.
Quality Management System: A QMS comprises activities by which the organization identifies its objectives and determines the processes and resources required to achieve desired results. The QMS manages the interacting processes and resources required to provide value and realize results for relevant interested parties. The QMS enables top management to optimize the use of resources considering the long and short term consequences of their decision. A QMS provides the means to identify actions to address intended and unintended consequences in providing products and services. (ISO 9000:2015, Clause 2.2)
Recognition Manager: A person(s) that is responsible for conducting a review of the application for recognition to determine assessment team competence requirements, select assessment team members, and determine assessment duration. This person is also responsible for the reviews of the assessment activities and for the approval of the assessment results.
Regulatory Authority: A government body or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and that may take enforcement action to ensure that medical products marketed within its jurisdiction comply with legal requirements. (GHTF/SG1/N78:2012)
Regulatory Review: A review of a medical device that is conducted to assess conformity with regional regulations or standards.
NOTE 1: A regulatory review is performed by Regulatory Reviewer(s), and on occasion, the Regulatory Authority and/or recognized Conformity Assessment Body may consult with Technical Expert(s) to assist in specific aspects of the regulatory review process.
NOTE 2: Depending on the complexity of the medical device, it may be necessary for a team of Regulatory Reviewer(s) and/or Technical Expert(s) to conduct the regulatory review to ensure all required competencies are addressed.
NOTE 3: A regulatory review consists of an assessment of documentation and/or evaluation/testing of physical medical devices and includes the recommendation and associated decision-making processes. The scope of the review is dependent on the Regulatory Authority’s requirements.
(IMDRF/GRRP WG/N40:2024)
Regulatory Review Assessment (RRA): The stage of CAB assessment in which the recognizing Regulatory Authority specifically assesses the CAB regulatory review methods and Regulatory Reviewer competence via the direct evaluation of a sampling of completed regulatory reviews.
Regulatory Reviewer: An individual from a Regulatory Authority and/or their recognized CAB responsible for routinely performing regulatory reviews of medical devices. This may include for example, premarket reviewers, product specialists, assessors, etc. (IMDRF/GRRP WG/N40:2024)
Regulatory Submission: A regulatory submission can be any type of information related to a medical device regulatory process. This includes but is not limited to a request for approval/authorization to market a device, any communications relating to the original submission, and any request for modification to an existing approval. A regulatory submission includes the technical documentation and an explanation of how the technical documentation demonstrates that the medical device conforms with essential principles of safety and performance and other relevant regulatory requirements and guidelines. Guidance on contents for a regulatory submission is provided in IMDRF/RPS WG/N9 and IMDRF/RPS WG/N13. (IMDRF/GRRP WG/N59:2024)
Technical Documentation: The documented evidence, normally an output of the quality management system, that demonstrates compliance of a device to the Essential Principles of Safety and Performance of Medical Devices. (GHTF/SG1/N78:2012 and GHTF/SG1/N46:2008)
Technical Expert: For the purposes of this document, a Technical Expert is an individual who is consulted on an ad hoc basis to provide specific technical knowledge or expertise to the regulatory review process. This may include an individual employed by the Regulatory Authority or their recognized CAB or external to these organizations, as permitted by the Regulatory Authority.
NOTE: Areas of expertise could include, for example, clinical, design, manufacturing, etc.
(IMDRF/GRRP WG/N40:2024)
Assessment Cycle and Program
This document defines a consistent Assessment Cycle and Assessment Program for Regulatory Authorities to assess CABs for recognition and for the maintenance of recognition through surveillance activities. A key element is to ensure consistency in the Assessment Program implementation, regardless of the designated assessment team and the CAB.
ISO/IEC 17011:2017 allows for an Assessment Program with the maximum of a 5-year cycle. For the regulated medical device sector, a CAB Assessment Program should follow a 3- or 4-year cycle. Regardless of whether a 3- or 4-year cycle is chosen, the Assessment Program described in this document makes provision for additional Special Assessments, if required, to provide confidence in a recognition decision. The recognizing Regulatory Authority should assess the resources required for a 3- or 4-year cycle, considering Assessor personnel, assessment management, travel budgets, etc., before committing to a particular cycle length for their Assessment Program. A 4-year cycle is illustrated in Figure 2.
Figure 2: 4-Year Assessment Cycle
Please note that “nonconformity” as used throughout this document refers to observations related to the CAB’s management system and processes. The term “deficiency” is used to refer to technical or regulatory inadequacies noted during the CAB’s review of specific regulatory submissions.
The Assessment Cycle includes an Initial Assessment, annual Surveillance Assessments, and a Re-Recognition Assessment. Figure 3 identifies the different assessment activities within each aspect of the Assessment Program.
[Figure 3 diagram: the Assessment Program, showing each Assessment and its Assessment Activities]
Initial Assessment:
- Application Review
- Stage 1 Assessment Including Documentation Review
- Stage 2 On-Site Assessment (Head Office)
- On-Site Assessments of Critical Locations
- Regulatory Review Assessment (RRA)
Surveillance Assessment:
- Regulatory Review Assessment (RRA)
- On-Site Assessments of Critical Locations
- Surveillance On-Site Assessment (Head Office)
Re-Recognition Assessment:
- Stage 1 Assessment Including Documentation Review for Changes
- Re-Recognition On-Site Assessment (Head Office)
- On-Site Assessments of Critical Locations
- Regulatory Review Assessment (RRA)
Figure 3: Assessment Program with Assessment Activities through the Assessment Cycle
The application of the Assessment Program may be modified as needed, for example with additional Special Assessments, to take into account information collected throughout the Assessment Cycle of a particular CAB.
Regulatory Authority assessment planning should consider:
- The resources available to the Regulatory Authority for conducting assessments;
- Past performance of the CAB, including the previous assessment and identified nonconformities;
- A review of documentation for any significant changes at the CAB, including those necessary to account for any changes in the recognizing regulatory program or requirements;
- The key procedures of the CAB; and
- A selection of medical device regulatory submissions, where possible, that may be identified by safety concerns, observed nonconformities, and other signals associated with medical devices that the CAB reviewed or other medical devices of the same type.
Stage 2 Recognition, Surveillance, and Re-Recognition assessments are typically conducted on-site. However, the assessment plan should incorporate risk-based principles to determine which modes of assessments are suitable at each stage of the Assessment Program on a case-by-case basis and following any applicable regional regulatory requirements, including the Regulatory Authority’s resources available for assessment activities and the necessity and sufficiency of off-site documentation/records review, remote assessment, and on-site assessment. In addition, modifications to this plan can be considered in extraordinary or emergent circumstances.
Assessment Program Roles and Responsibilities
The key roles and responsibilities in the Assessment Program are as follows:
Assessment Team including, as necessary, a Lead Assessor and Assessor(s):
- Performs the assessment activity, according to the Assessment Program;
- Provides a recommendation relative to the recognition status of the CAB;
- Makes recommendations for changes to or adjustments to the implementation of the Assessment Program for specific CABs, as necessary;
- Makes recommendations for other location assessments and regulatory review sampling; and
- Reviews and approves the CAB’s response to assessment findings.
Recognition Manager:
- Interfaces with the CAB to collect the application and associated information, and to communicate the outcome of assessment activities;
- Drafts, maintains and updates an Assessment Program for each CAB;
- Ensures the assessment activities are planned and implemented according to the Assessment Program;
- Assigns the assessment team members, specifies their role, and provides them with necessary information for the assessment activity; and
- Reviews assessment outcomes, performs quality checks of the assessment activities, and prepares a final assessment outcome recommendation.
Note: The duties of a Recognition Manager can be assigned to more than one person. If the recognizing Regulatory Authority chooses to have more than one Recognition Manager, a Recognition Manager may not act as an Assessor of a CAB for which he/she manages the Assessment Program, in order to remain independent from the outcome of the assessment activities.
Recognizing function within the Regulatory Authority:
- Approves implementation of the Assessment Program to a CAB; and
- Makes recognition decisions.
Purpose of Assessments within the Assessment Program
The purpose of the Initial Assessment includes the following:
- Define an individual Assessment Program plan for the particular CAB; and
- Assessment of the compliance of the particular CAB’s management system to all regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to recognize the CAB.
The purpose of the Surveillance Assessment includes maintaining confidence that the CAB continues to fulfill the regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents between re-recognition assessments.
The purpose of the Re-Recognition Assessment includes the assessment of the continued compliance of the CAB’s management system to satisfy all regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to renew the recognition of the CAB.
The scope of recognition may include medical device categories established by the Regulatory Authority having jurisdiction, or by future IMDRF guidance.
Assessment Activities throughout the Assessment Cycle
Application Review
Before proceeding with the assessment of the CAB, the recognizing Regulatory Authority shall conduct a review of the application and related information to ensure that the information about the CAB and its management system is sufficient for the conduct of the assessment. The information provided by the CAB should fulfill the requirements in ISO/IEC 17011:2017 Clause 7.2.1 a) – d) and allow the Regulatory Authority to perform the Stage 1 Assessment described in Section 4.3.2 of the current document.
Stage 1 Assessment
The Stage 1 Assessment shall be performed to:
- Review the CAB’s management system documentation to confirm that it covers all regulatory requirements, including IMDRF/GRRP WG/N59 and N40 documents;
- Collect information necessary to define the scope of recognition, including the types of medical devices to be covered by the CAB’s reviews;
- Evaluate the CAB’s understanding of regulatory requirements, technical standards, and guidelines relevant to the proposed scope of recognition, including IMDRF/GRRP WG/N59 and N40 documents;
- Identify the CAB’s locations and site-specific conditions, including the address of the legal entity responsible for the CAB program;
- Evaluate if the CAB has planned and/or performed internal audits and management reviews;
- Gain sufficient understanding of the CAB’s structure, operations, and management system to define the individual Assessment Program plan;
- Evaluate the preparedness of the CAB to submit to the Stage 2 On-Site Assessment; and
- Determine the allocation of resources during the Stage 2 On-Site Assessment.
A recognizing Regulatory Authority may carry out part of the Stage 1 Assessment at the CAB’s head office.
Stage 1 Assessment findings shall be documented and communicated to the CAB, including the identification of any areas of concern that could be classified as a nonconformity during the Stage 2 On-Site Assessment.
Stage 2 On-Site Assessment
The Stage 2 On-Site Assessment is to evaluate the implementation, including effectiveness, of the CAB's management system.
The Stage 2 On-Site Assessment shall take place at the CAB's head office, which is defined as the main business location for the CAB responsible for management, monitoring, and oversight of the medical device regulatory review program. The assessment shall include at least the following:
- Evaluate the conformity of the CAB’s management system documentation to meet all the regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents;
- Evaluate the evidence of implementation, monitoring, measuring, reporting and reviewing by the CAB of its activities against policies, procedures and objectives from its management system (consistent with the expectations for recognition);
- Review the operational controls of the CAB’s processes, including when implemented by external resources;
- Confirm that the CAB conducted internal audits and management reviews; and
- Confirm the competence of the CAB and the resources available necessary to fulfill the obligations for the scope of recognition.
The assessment shall move to the next phase of the assessment process once the recognizing Regulatory Authority has determined that no significant nonconformities are present. At this stage, or after the completion of any additional on-site assessments as described in Section 4.3.4 below if any such assessments are performed, the CAB is initially authorized to undertake regulatory reviews and proceeds to the next stage of assessment. The recognizing Regulatory Authority may require that the CAB successfully complete the recognition process prior to issuing final certification decisions.
On-Site Assessment at Critical Locations of the CAB
When any of the critical functions listed below are undertaken at locations other than the head office, including by external organizations, the recognizing Regulatory Authority shall consider the performance of an assessment at such critical locations throughout the assessment cycle.
Critical locations are those locations that perform any of the following functions on behalf of the CAB:
- The development and approval of the management system policies, processes, and procedures for the regulatory review of medical device regulatory submissions under the recognition program;
- The review and acceptance of submissions from medical device manufacturers and the issuance of contracts, including the determination of the scope and timing of the reviews;
- The assignment of review teams;
- The conduct of the regulatory review process (Sections 7.3 – 7.7 of IMDRF/GRRP WG/N59);
- Competence management activities that apply to Regulatory Reviewers, Technical Experts, and final Regulatory Reviewers; and
- The management, monitoring, and oversight by the CAB of the medical device regulatory review program.
On-Site Assessment of critical locations is performed to:
- Review the relationship between the head office of the CAB and the critical location;
- Review, if applicable, the arrangements between the head office of the CAB and the critical location;
- Evaluate the management system operated at the critical location to satisfy the requirements of the CAB;
- Evaluate the conformity of the activities undertaken by the critical location on behalf of the CAB to the requirements of the CAB’s management system or to the arrangements between the head office of the CAB and the critical location;
- Evaluate the conformity of activities undertaken by the critical location on behalf of the CAB to the corresponding regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents; and
- Evaluate the controls in place at the critical location that would enable the CAB to monitor the activities at that location.
Regulatory Review Assessment (RRA)
After initial authorization, the recognizing Regulatory Authority shall evaluate the competence of the personnel performing regulatory reviews and the methods used during all stages of the regulatory review process, as outlined in Table 1 of IMDRF/GRRP WG/N59, during a regulatory review of a medical device regulatory submission during the Assessment Cycle. This includes screening, evaluation, recommendation, and certification decision (if applicable), as well as documentation of these steps.
The purpose of assessed reviews is to verify the performance of a CAB with regard to:
- Conformity of the practices to the requirements of section 7 of IMDRF/GRRP WG/N59;
- Ability of the CAB to determine the conformity of medical device manufacturers to regulatory requirements, standards, and guidelines;
- Ability of the CAB to reliably report on the review findings including the nonconformities; and
- Ability of the CAB to select review teams with the necessary competence.
The recognizing Regulatory Authority shall select the reviews to assess. This selection will depend on the desired scope of recognition. The mode of assessment of the reviews can include on-site assessments at the CAB’s facilities, and the Regulatory Authority conducting the assessment will make a decision about the mode.
After selection of the reviews to be assessed, the CAB shall provide to the recognizing Regulatory Authority the following information for each such review:
- Regulatory submission provided by the manufacturer, as defined in N59; and
- All of the CAB’s documentation related to the regulatory review process and decision-making.
As part of this assessment, the Regulatory Authority will confirm the regulatory review certification decisions made by the CAB.
There should be no direct communication between the Regulatory Authority Assessors and the medical device manufacturers during the assessment activities regarding the reviews being assessed.
Additional Assessment Considerations after Initial Recognition
In addition to the assessment factors listed above, the on-site and review assessments performed as part of surveillance and re-recognition activities shall include the following factors:
- Avoiding assessments involving the same Regulatory Reviewers or regulatory reviews assessed in previous cycles
- Sufficient diversity and complexity of medical devices within the scope of recognition (classification, technological characteristics, medical specialties involved)
- The CAB’s activities related to handling of new safety information involving medical devices that the CAB certified, or known problems with manufacturers of certified medical devices that have been identified from adverse events, post-market surveillance data, etc.
- Assessments involving new certifications as well as changes in certification
- Ensuring that any actions taken to address nonconformities identified in previous recognition and surveillance cycles were effective
Surveillance On-Site Assessment
The Surveillance On-Site Assessment is to evaluate the implementation, including effectiveness, of the CAB’s management system.
The Surveillance On-Site Assessment shall take place at the CAB's head office, and should be considered for other locations where the critical functions listed in Section 4.3.4 are performed. It shall include at least the following:
- Review of internal audits and management review;
- Review of Competence Management activities;
- Review of actions taken on nonconformities identified during the previous assessment;
- Treatment of complaints and appeals;
- Evaluation of the effectiveness of the management system with regard to achieving the CAB’s objectives as it relates to the scope of recognition;
- Evaluate records of review and decision on conformity of medical device manufacturers to regulatory requirements;
- Evaluate continuing operational control; and
- Review any changes.
Surveillance On-Site Assessment shall be conducted annually at the anniversary date of the Stage 2 Assessment, with a tolerance of +/- 3 months.
Per ISO/IEC 17011:2017 Clause 7.4.5, as part of assessment planning and preparation prior to on-site surveillance, it is recommended that the recognizing Regulatory Authority consider the scope of the CAB’s recognition in deciding on a representative sample of regulatory review activities to be assessed.
Re-Recognition On-Site Assessment
The Re-Recognition On-Site Assessment shall consider the performance of the CAB’s management system over the period of recognition and include the review of assessment reports from the last assessment cycle.
The Re-Recognition On-Site Assessment may need to have a Stage 1 Assessment in situations where there have been significant changes to the CAB, its management system, or of the requirements from the recognizing Regulatory Authority.
The Re-Recognition On-Site Assessment shall take place at the CAB's head office, and should be considered for other locations where the critical functions listed in Section 4.3.4 are performed. It shall include the following:
- Evaluate the effectiveness of the CAB’s management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of recognition;
- Confirm the continued conformity of the CAB’s management system to regulatory requirements including IMDRF/GRRP WG/N59 and N40 documents; and
- Confirm the commitment of the CAB to maintain the effectiveness of the management system.
Special Assessments
A Special Assessment is in addition to other assessment activities defined in the typical assessment cycle. A Special Assessment may be triggered by:
- The CAB requesting a change of the scope of recognition or following a notice of change potentially affecting the result of prior assessments;
- The recognizing Regulatory Authority based on signals indicating concerns with regards to the CAB’s activities, such as complaints; or
- The results of previous regulatory assessment activities.
Navigating the Assessment
The goal of an assessment is to ensure CABs make decisions that provide confidence in the conformity of medical devices to regulatory requirements when placed on the market.
Each process will require the assessment team to accomplish assessment tasks to determine if the process outcomes and the process purpose are achieved and the corresponding risks appropriately addressed. Within the description of the assessment tasks, there are references to the applicable clause(s) of the ISO/IEC 17065:2012 standard and to the clauses of the IMDRF/GRRP WG/N40 and N59 documents. If the clause is listed without subclauses, then all subclauses apply to the task. For example, if the applicable clause for a task is listed as IMDRF/GRRP WG/N59: 6.1, then all subclauses of 6.1 (6.1.1, 6.1.2, etc.) apply to the task. If specific subclauses are listed for a task (for example, IMDRF/GRRP WG/N59: 10.1.1), then the entire clause 10.1 may not apply to a particular task, only specific subclauses. These references have been provided to assist the Assessors in ensuring all the requirements are addressed during the assessments. The referenced clauses are not intended to be an all-inclusive list of clauses that may apply to a given task, but are intended to guide the Assessor to specific clauses that are most directly applicable.
For the management system requirements discussed in IMDRF/GRRP WG/N59 Clause 8 and ISO/IEC 17065:2012 Clause 8.0, both documents allow these requirements to be met through one of two options:
- Option A: Establishing and maintaining a management system that meets the requirements stated in ISO/IEC 17065:2012 Clauses 8.2 through 8.8; or
- Option B: Establishing and maintaining a management system in compliance with ISO 9001, as stated in ISO/IEC 17065:2012 Clause 8.1.3 (Option B).
The applicable requirements in the following section include clauses relevant to Option A. If the CAB follows Option B, these clauses are not applicable and ISO 9001 requirements apply.
During the assessment, it is important that the Assessors are mindful of any instances where the CAB demonstrates failure to fulfill any of the defined requirements listed in the assessment tasks, and that these nonconformities are recorded in appropriate detail.
Particular attention should be paid to the potential interrelationship of the nonconformities. For example, assessment nonconformities in both the Evaluation and Recommendation processes and in competence management may in combination be significant since the planning of medical device manufacturer regulatory reviews, the assignment of competent reviewers and the systematic characterization of the decision-making, are essential for determining a medical device manufacturer’s conformity to regulatory requirements.
This document makes use of electronic cross-references. In instances where tasks are linked, an electronic cross-reference has been embedded. Simply use Ctrl-click to access the task cross-reference when needed.
Assessment of CAB Processes
This section describes the processes evaluated by the assessment team. The assessment processes are each presented with a purpose, outcome, risks relative to the process, and the list of specific tasks for that process.
Process: Management
Purpose
The purpose of assessing the Management process is to verify the CAB’s top management has ensured that the CAB has implemented and maintained an effective quality management system for the control of all activities related to regulatory review and the decisions on conformity of medical device manufacturers to regulatory requirements. The assessment should include a reflection on the Management process in order to confirm the commitment of top management and the effective implementation of the CAB’s management system.
Outcomes
As a result of the assessment of the Management process, objective evidence will show whether the CAB has:
- Identified processes needed for their management system, their application throughout the organization, and their sequence and interaction.
- Established a management system to support the effective regulatory review of medical device regulatory submissions and decisions regarding the manufacturers’ conformity to regulatory requirements and ability to ensure adherence with legal and contractual requirements and other requirements to which the organization is committed.
- Established quality objectives at relevant functions and levels within the organization consistent with the quality policy and ensured that these are periodically reviewed for continued suitability.
- Committed sufficient resources and competent personnel.
- Assigned responsibility and authority to personnel and established the organizational structure to ensure quality is not compromised.
- Defined, documented, and implemented procedures for the control of impartiality, the protection of confidential information, and the transparency with regards to regulatory reviews and decisions.
- Ensured the continued effectiveness of the management system and its processes.
Risks Relative to this Process
The failure of the management process poses the following risks:
- Lack of consistency in the CAB’s practices;
- Lack of impartiality of the Regulatory Reviewers and staff involved in the regulatory review and decision activities;
- Lack of competency of the Regulatory Reviewers and staff involved in the regulatory review and decision activities;
- Lack of reliability in the regulatory reviews;
- Lack of credibility of the decision; and/or
- Lack of proper communication with the recognizing Regulatory Authorities, preventing the implementation of targeted enforcement actions towards delinquent medical device manufacturers.
Assessment Tasks
6.1.4.1 Review the documentation on legal responsibility, liability, and financing. Verify the eligibility as a candidate CAB.
Applicable requirements
ISO/IEC 17065:2012 clauses: 4.1.1, 4.3
IMDRF/GRRP WG/N59 clauses: 4.1.1, 4.1.2, 4.1.3, 4.3.1
- Legal entity
Guidance
It is important that the assessment team accurately understands the structure of the legal entity to which the CAB belongs. It is especially important in complex cases such as a CAB belonging to a larger group, where the delineation of the legal entities within the group may influence impartiality, ability to enter into contractual arrangements, and the use of external resources.
The types of legal entities and the meaning of registration of the legal entity may vary due to regional or country-specific laws and regulations.
The applicant must clearly delineate the perimeter of the legal entity, and establish a specific address, where the management responsible for the conformity assessment program is employed by that legal entity. (See IMDRF MDSAP WG/N29 for a discussion of “legal entity” as it applies to audits.)
Typical evidence
Information regarding the legal entity to which the CAB belongs, its organizational structure, ownership, and the legal or natural persons exercising control over the entity. The information would include documentation made publicly available by the CAB (for example, website or promotional documentation), official documents (such as a record of business registration or certificate of insurance policy), or other internal documents.
- Financial stability
Guidance
The Assessors should verify that the CAB has sufficient resources to support its operations and enable it to fulfill recognition criteria.
Analysis of income sources is also important to assess independence from other entities.
The CAB’s business should be sufficiently diversified so that the loss of a single client does not seriously jeopardize its financial stability or compromise impartiality.
Typical evidence
Annual report, fee structure, etc.
- Liability insurance
Guidance
The CAB must provide evidence of the method used to evaluate the risks from its activities and to determine the insurance level.
Regulatory Authority Assessors should ensure that the elements listed in the requirements are documented, including:
- Geographic regions included in the coverage;
- Profile of risk for the range of medical devices that are subject to regulatory review; and
- Scope of activities undertaken for medical device regulatory reviews.
Where a CAB claims that their liability is insured through arrangements with a related legal entity, the CAB should document how those arrangements fulfill the elements of the requirement identified above.
Typical evidence
Documentation of the risk assessment, records of information provided to the insurer, certificate of insurance.
- Eligibility
Guidance
Although an on-site assessment is unlikely to reveal legal judgments against the CAB, the assessment team should still inquire about the CAB’s history with respect to these matters.
Typical evidence
Verbal confirmation.
6.1.4.2 Verify that the required management system documentation has been defined and documented.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8
IMDRF/GRRP WG/N59 clauses: 8.0
Guidance
Most CABs offer a broad range of management system certification services, beyond the medical device regulatory review scheme. The Assessor should verify that the CAB’s management system clearly identifies elements applicable to the medical device regulatory review scheme.
The CAB’s management system documentation should state the documents or requirements to which the CAB claims compliance, including regulations, standards, and directives. The CAB’s management system must specify whether it satisfies option A or B of ISO/IEC 17065:2012 Section 8.1.
The CAB’s management system should be appropriate to the nature and scale of its regulatory review activities. The management system should be capable of supporting and ensuring consistent compliance with the requirements applicable to the regulatory review and certification program for medical devices.
Typical evidence
A list of related documentation on the implementation, maintenance and operation of a quality management system, which would fulfill the requirements of IMDRF/GRRP WG/N59.
6.1.4.3 Verify that a quality policy and objectives have been set at relevant functions and levels within the organization. Ensure the quality objectives are measurable and consistent with the quality policy. Confirm appropriate measures are taken to achieve the quality objectives.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.1, 8.2
IMDRF/GRRP WG/N59 clauses: 8.1.1, 8.1.3
Guidance
While the term “quality policy” is not explicitly used in ISO/IEC 17065:2012 or IMDRF/GRRP WG/N59, the CAB’s top management should express its overall intentions and direction related to the fulfilment of the requirements of the medical device regulatory review scheme.
The Assessor should verify that the CAB’s top management ensures that the quality policy, like other management system policies, is communicated and understood at all levels of the organization.
The Assessor should verify that the CAB bases quality objectives on parameters that are critical to the conformity to requirements of the medical device regulatory review scheme. Quality objectives relate to indicators that are critical to the ability of the CAB to conduct planned medical device regulatory reviews and make informed decisions (for example: maintaining access to sufficient numbers of competent Regulatory Reviewers and Technical Experts to fulfill regulatory review obligations; and to Regulatory Reviewers qualified for a technical area/product related to the number of regulatory reviews in this technical area, etc.).
A quality objective should be expressed as a measurable target or goal so that it can feed back into the management system to ensure effective implementation.
Typical evidence
Documented policy and objectives, which may include such things as: number of regulatory review reports completed on time, timely investigation and closure of complaints regarding regulatory review-related activities.
6.1.4.4 Review the CAB's organizational structure and related documents to verify that they include provisions for responsibilities and authorities. This must include the identification of functions responsible for:
▪ the overall program;
▪ the timely exchange of information with regulatory authorities;
▪ ensuring that quality management system requirements are effectively established and maintained; and
▪ reporting to top management on the performance of the quality management system and on any need for improvement.
Applicable requirements
ISO/IEC 17065:2012 clauses: 5.1, 8.1.1, 8.2.1, 8.2.2, 8.2.3
IMDRF/GRRP WG/N59 clauses: 5.1, 6.1.2, 6.1.11, 9.1.1
- Organizational structure
Guidance
The Assessor should verify that the CAB has documented its organizational structure to identify the different positions or roles, their responsibilities and authorities and the inter-relationships between them. It is important for the Assessors to not only understand the internal organizational structure of the CAB, but also how the organization interacts with external resources.
Typical evidence
Organizational chart, job description, management system procedures, etc.
- Top management
Guidance
As part of the organizational structure review, the Assessor should identify the job functions among the CAB’s top management that are responsible for:
- Implementation and reporting on the performance of the management system;
- Performance of regulatory reviews;
- Decisions on conformity to regulatory requirements;
- Establishment of the contract with the medical device manufacturer and external resources;
- Responding to and investigating complaints and appeals; and
- Timely exchange of information with regulatory authorities.
Top management has other responsibilities that will be assessed through other assessment tasks.
The CAB should ensure that the remuneration of top management does not depend on the result of regulatory reviews. Otherwise, this would affect the impartiality of the CAB.
Typical evidence
Organizational chart, job description, management system procedures, etc.
- Responsibility and authority
Guidance
The CAB must make clear to each person concerned their duties, responsibilities and authorities. Assessors should review the CAB's organizational structure and related documents to verify that they include provisions for responsibilities and authorities. This must include the identification of functions responsible for: the overall program; the timely exchange of information with regulatory authorities; and, ensuring that quality management system requirements are effectively established and maintained.
The CAB may document responsibilities and authorities for each individual involved in the regulatory review and decision process in different ways including job descriptions, process descriptions, procedures, or individual assignments, project plans, etc.
For purposes of regulatory review, the applicant for recognition as a CAB is deemed to be the legal entity and is where the management responsible for the regulatory review program is employed.
The management for the regulatory review program is directly responsible for, manages, and retains authority for the following:
- Establishment of the contract with the medical device manufacturer (including the requirements in IMDRF/GRRP WG/N59 Clauses 5.1.4 and 5.1.5);
- Identification of competence requirements for any internal or external Regulatory Reviewer or Technical Expert to perform specific activities (including the requirements in IMDRF/GRRP WG/N40); and,
- Final review and decision-making on conformity to regulatory requirements (including requirements in IMDRF/GRRP WG/N59 Clauses 7.5 and 7.6).
These listed activities cannot be delegated to personnel outside of the applicant’s legal entity, even to a related organization or a subsidiary. Under the regulatory review program, these related organizations or subsidiaries are regarded as separate legal entities.
(See IMDRF/GRRP WG/N40.)
Link with other assessment tasks
The organizational structure may be influenced by the definition of the CAB’s legal entity (see Management 6.1.4.1).
6.1.4.5 Verify that the CAB has evaluated its Regulatory Reviewers (including Technical Experts), regulatory decision makers, and other personnel to ensure that it has adequate resources with the competencies to fulfill the requirements and volume of its regulatory review program, and that there are processes in place to ensure continual professional development.
Applicable requirements
ISO/IEC 17065:2012 clauses: 6.1.1.1, 6.1.1.2, 6.2
IMDRF/GRRP WG/N59 clauses: 5.1.3
IMDRF/GRRP WG/N40 clauses: 10.3
Guidance
The Assessor should verify that the CAB periodically analyzes the needs of the regulatory review program with regard to the number and scope of personnel and their competence, taking into account the current number and profile of medical device manufacturer clients and expected changes, the evolution of regulatory review practices/requirements, identified issues necessitating additional resources/competence/expertise, the geographic location of their resources and clients, the time it takes to acquire new competence (in nature or volume), etc.
This analysis is important to ensure the continuity of the CAB’s ability to provide regulatory review and certification services within the scope of recognition.
Indicators of inadequate number of Regulatory Reviewers and personnel may include:
- Overdue regulatory reviews
- Assignment of Regulatory Reviewers with inadequate competence
- Delay in the issuance of final reports or certification documents to clients, regulatory authorities, or other groups
Typical evidence
Analysis report
6.1.4.6 Verify that the CAB has defined and implemented procedures for the management of impartiality.
Applicable requirements
ISO/IEC 17065:2012 clauses: 4.2, 4.4, 5.1.1, 5.2, 6.1.3, 6.2.1
IMDRF/GRRP WG/N59 clauses: 4.2, 6.1.13
IMDRF/GRRP WG/N40 clauses: 6.0
- Sources of threats to impartiality
Guidance
The CAB must ensure that their decisions are based on objective evidence of conformity obtained during regulatory review activities and are not influenced by other interests or parties.
The Assessor should verify that the impartiality and independence of the CAB is established at all levels via:
- Structure of the organization and its relationship with superior (parent), peer or subordinate (sister) organizations;
- The relationship of individuals involved in regulatory review-related activities, including top management; and
- Policies, processes and procedures on regulatory review-related activities.
Threats to impartiality may come from a large number of sources, including:
- Additional services offered, or other activities and interests of the CAB;
- The activities or personal interests of the individuals involved in the regulatory review and decision processes, including external Regulatory Reviewers and external Technical Experts;
- The activities of other organizations with whom the CAB has a relationship;
- The CAB’s own processes, if they do not properly enable the CAB to identify and mitigate actual conflict of interest or prevent potential conflict of interest;
- The influence that a manufacturer client may have on the CAB;
- The influence that other external factors (for example large tenders, epidemics, shortages) may have on the CAB;
- The remuneration or performance evaluation of personnel involved in the regulatory review activities, which shall not depend on the number or the results of regulatory reviews performed or on the identification of deficiencies during regulatory reviews;
- Ownership of the organization (e.g. clients being owners or co-owners); and
- Influence on the direction of the organization (e.g. clients being represented on the board).
Typical evidence
Remuneration reports: Income or performance targets, performance reviews, contracts
- Threats to impartiality from consultancy services
Guidance
In accordance with IMDRF/GRRP WG/N59, a CAB shall not offer or provide any consultancy services to the manufacturer, its authorized representative, a supplier or a commercial competitor with regard to the design, manufacture or construction, marketing, installation, use or maintenance of the product or processes under regulatory review.
A significant threat to the CAB’s impartiality comes from the self-review threat arising from the incompatibility of the provision of management system regulatory review and consultancy services, even if the consultancy services are provided by a separate department or even a legally independent entity of the same group of enterprises. In the context of medical device regulatory reviews, medical device regulatory consultancy cannot be offered by the same legal entity providing regulatory review services.
Consultancy includes:
- Quality management system (or good manufacturing practices);
- Medical device marketing and facility registration;
- Medical device adverse events and advisory notices reporting; and
- Company or product specific training.
EXAMPLES:
- Preparing the documentation, or part of it, to be submitted as a regulatory submission, with the exception of the testing reports per recognized standard or a specific pre-established protocol
- Giving specific advice, instructions, or solutions regarding the preparation of documentation to be provided to regulatory authorities to support the marketing of medical devices, or regarding the resolution of any deficiencies identified by regulatory authorities during their regulatory review
- Giving specific advice, instructions or solutions towards the development and implementation of a medical device design validation plan
- Acting as Clinical Research Organization for the preparation of a clinical research protocol
COUNTER-EXAMPLES:
- Testing a device and issuing the corresponding report per a recognized standard or a specific pre-established protocol, as long as the organization does not provide any specific advice, instructions or solutions addressing the deficiencies detected by the testing
- Acting as a clinical research organization implementing clinical research developed by the manufacturer or another entity separate from the CAB
- Arranging training and participating as a trainer, including training about regulatory reviews, or exchanging technical or regulatory information is not considered consultancy, provided that, where the course or exchanged information relates to medical device technical or regulatory requirements or to regulatory reviews, it is confined to the provision of generic information that does not provide manufacturer-specific solutions.
Any reference in ISO/IEC 17065:2012 or IMDRF/GRRP WG/N59 to management system consultancy is to be interpreted as medical device regulatory consultancy.
Typical evidence
Organizational structure, website, advertisements, contractual agreements with external resources.
Link with other assessment tasks
See also Measurement, Analysis and Improvement Tasks in 6.3.4.
- Organizational level
Guidance
As a legal entity, the CAB must analyze the services offered and ensure none of its activities introduces a bias in its regulatory reviews and decisions.
The CAB needs independence (financially and organizationally) from all parties interested in the outcome of regulatory review activities, including the manufacturer under review, its representatives, suppliers, importers, clients, and competitors.
A CAB can offer an accelerated regulatory review timeline as an alternative to the standard process, including accelerated review based on a higher fee or on device-specific factors. However, such accelerated review shall not be predicated on an abridged review process as compared to the standard process, or otherwise influence the final regulatory review decision. This practice is perceived as an inducement and represents a risk to the CAB’s ability to conduct the regulatory review under appropriate conditions.
The CAB may receive business by referral, provided the referral does not arise from a relationship with external individuals or organizations having an unacceptable interest in the medical device manufacturers using the CAB’s regulatory review and certification services.
Typical evidence
Organizational structure, website, advertisements, fee structure.
- Individual level
Guidance
Policies, procedures, training and individual commitment to a Code of Conduct (see IMDRF/GRRP WG/N59 Clause 6.1.13) ensure awareness of unacceptable behaviors by individuals involved in the regulatory review and certification processes. The CAB should be aware of potential conflicts of interest affecting all individuals involved in the regulatory review and certification processes and have policies in place to mitigate these.
Any individual employed by a medical device manufacturer potentially being considered as a Regulatory Reviewer would be viewed by the Regulatory Authorities as a conflict of interest or at least an appearance of conflict of interest, and hence a threat to impartiality that would prohibit that individual from partaking in any medical device regulatory reviews as long as they are also employed by the manufacturer.
Any individual involved in the design or conduct of the testing of the medical device should not be involved in the regulatory review of this device.
Typical evidence
Policies, procedures, training material, personnel file and individual commitment to a Code of Conduct (see IMDRF/GRRP WG/N59 Clause 6.1.13).
- Policies, processes, procedures and practices
Guidance
The Assessor should verify that the CAB has a publicly accessible statement that it understands the importance of impartiality in carrying out its regulatory review and certification decision activities, and that it monitors and addresses any potential or actual conflict of interest.
The CAB’s processes and procedures must ensure that any real or potential threat to impartiality is identified, documented, investigated, analyzed and effectively managed. When a CAB subcontracts parts of the regulatory review-related activities, processes should be in place to ensure that the use of the external organization does not affect its impartiality.
A CAB that only relies on signed statements from personnel involved in conformity assessment for identifying and monitoring potential conflicts of interests, and does not keep updated records of past and present consultancy activities, would fail (a) to implement an effective system (as no verification would be possible) and (b) to document consultancy activities prior to personnel taking employment, both being requirements of Clauses 4.2.2, 4.2.4, and 4.2.5 of IMDRF/GRRP WG/N59.
The CAB’s policies must ensure that an individual is not involved in regulatory review activities involving a specific medical device manufacturer if:
- the individual, their spouse, or their children have used the services of any organization or individual that has provided consultancy services to the manufacturer, its authorized representative, or its supplier during the past 3 years (IMDRF/GRRP WG/N59 Clause 4.2.3); or
- the individual was an employee of, or provided medical device consultancy services to, the manufacturer or any company belonging to the same organization during the past 3 years (IMDRF/GRRP WG/N59 Clause 4.2.5).
Some regulatory jurisdictions may have their own requirements regarding the impact of the timing of past consultancy or other activities.
The CAB should have methods in place to prevent the offering of regulatory review services to a medical device manufacturer that (within the previous three years – see IMDRF/GRRP WG/N59 Clause 4.2.3) benefited from medical device consultancy services, including internal audits from the CAB, an employee or external resource.
Policies, processes and procedures must ensure that an individual does not review his or her own work (see ISO/IEC 17065:2012 Clauses 7.5.1 and 7.6.2, and IMDRF/GRRP WG/N59 Clause 5.1.7).
Typical evidence
Documentation of a process for monitoring impartiality at planned intervals.
Evidence of disclosure of any past or present relationship that would potentially represent a conflict of interest.
Records of investigation and actions taken when incidents of actual loss of impartiality have occurred.
Link with other assessment tasks
See also Competence Management Task 6.4.4.4.
- Mechanisms for the safeguard of impartiality
Guidance
The CAB must have mechanisms for safeguarding impartiality. ISO/IEC 17065:2012 provides detailed requirements for managing and safeguarding impartiality. The individuals involved in the process for managing threats on impartiality (see ISO/IEC 17065:2012 Clause 4.2) shall have access to individual(s) who have experience and knowledge related to medical devices in order to obtain independent expert opinions. If the CAB chooses to utilize a committee to manage impartiality concerns, this committee should be aware of the specificities of the medical device regulatory scheme.
Typical evidence
The Assessors can verify the activity of the impartiality committee (if used by the CAB) by:
- Reviewing the agenda, the minutes or other documents from the meetings of the impartiality committee and activities;
- Checking the participation at the meetings (including the presence of technical or other specific expertise, where necessary); and/or
- Reviewing the files of the committee members, meeting records to determine that the members were provided with information about the CAB (structure, business, certification process) and the fundamentals of the regulatory review program.
If the CAB does not utilize a committee, Assessors should review the mechanisms by which potential threats to impartiality were identified, assessed, and mitigated. Assessors should ask for examples of issues that were raised as potential threats to impartiality, how those threats were mitigated, and who made the ultimate decision on the impartiality decision.
Information on safeguarding impartiality is a required input to management review. Assessors can review the information presented on impartiality concerns that were included in management reviews.
Link with other assessment tasks
Threats on impartiality shall be assessed taking into account the definition of the CAB’s legal entity (see Management Task 6.1.4.1) and the CAB’s organizational structure (see Management Task 6.1.4.4). Impartiality is also a required input to Management Review (see Management Task 6.1.4.7).
6.1.4.7 Verify that management reviews are being conducted at planned intervals, that they include a review of the suitability and effectiveness of the quality policy, quality objectives, and management system to ensure that the quality management system meets all applicable requirements from ISO/IEC 17065:2012 and IMDRF/GRRP WG/N59.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.5
IMDRF/GRRP WG/N59 clauses: 8.1.3
Guidance
The Assessor should verify that the CAB’s management review procedure specifies participants, roles and responsibilities, frequency (at least once a year), agenda inputs and deliverables.
The procedure may also specify:
- A standard agenda of topics to be discussed (with flexibility for unique agenda items to be added);
- The necessary attendees who are to participate in the management review and the quorum for decisions;
- The management review objectives, including a review of the progress on meeting the stated objectives;
- How action items resulting from the management review are recorded (including responsibilities and due dates and specifying which tracking tool to use, if any) and followed up until completion (including their review during the following management review); and
- The relevant outputs of the Measurement, Analysis & Improvement process, such as corrective and preventive actions.
Changes that could affect the quality management system may include:
- any change to recognition criteria; or
- regulatory requirements applicable to the medical device manufacturers and impacting the CAB’s regulatory review program or practices.
The Assessor should ensure that the CAB uses relevant outputs from the Measurement, Analysis and Improvement process (see Section 6.3.4) as inputs to management review.
The Assessor should verify that action items resulting from the management reviews are recorded (including responsibilities and due dates and specifying which tracking tool to use, if any) and followed up until completion (including the review of effectiveness during the following management review).
The management review may cover activities outside the scope of the medical device regulatory review scheme. A management review is expected to present, synthesize and analyze sufficient information for the management team to evaluate the implementation, performance, conformity and effectiveness of the activities applicable to the medical device regulatory review scheme.
The outputs of the management review should include decision and action regarding the adequacy of the set of regulatory reviews and personnel to cover all of its activities and to handle the volume of regulatory review work.
Typical evidence
Management review records should document dates, attendees, and results of the management reviews, including a conclusion regarding the suitability, adequacy and effectiveness of the CAB’s management system.
Link with other assessment tasks
Inputs to the assessment of the management review should include the analysis of the adequacy of the set of Regulatory Reviewers (see Management Task 6.1.4.5), and outcomes from the management of impartiality (see Management Task 6.1.4.6).
Process: Use of External Resources
Purpose
The purpose of the Use of External Resources process is to ensure that all activities performed on behalf of the CAB by external Regulatory Reviewers, Technical Experts, or organizations remain under the control of the CAB.
Outcomes
As a result of the assessment of the Use of External Resources process, objective evidence will show whether the CAB has:
- Defined, documented and implemented appropriate methods (i.e. procedures and criteria) for the control of external resources activities, including the control of competency, impartiality and confidentiality.
- Documented and implemented appropriate arrangements with external resources ensuring that the competency requirements for the regulatory review activities, including the final review and decision-making on conformity to regulatory requirements, are retained by the CAB.
- Established written arrangements with external resources including their commitment to apply the CAB’s requirements and provisions ensuring the control of confidentiality and impartiality.
- Adequate competency to review the outcome of activities performed by external resources.
Risks relative to this process
The failure of the Use of External Resources Process poses the following risks:
- Lack of control of activities directly affects the ability of the external resources to provide the expected service; and/or
- Lack of control by the CAB on the conformity of the external resource activities to the requirements of the recognizing Regulatory Authority.
Assessment Tasks
6.2.4.1 Identify when and how the CAB utilizes external resources. Verify that the controls implemented for the utilization of external resources by the CAB address competence, impartiality, confidentiality and conflict of interest.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.2.2
IMDRF/GRRP WG/N59 clauses: 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7
Guidance
- General
The CAB may use external resources, provided it does not delegate any of the following responsibilities outside the CAB’s management system:
- Establishment of the contract with the medical device manufacturer;
- Identification of competence requirements for the Regulatory Reviewer or Technical Expert to perform specific activities; and
- Recommendation and certification decision on conformity to regulatory requirements.
The CAB should ensure that the use of external resources does not compromise its ability to:
- make an independent review and decision on the manufacturer's regulatory conformity; and
- demonstrate conformity to recognition criteria.
The extent of the use of external resources is an important characteristic of the CAB. The use of external resources poses increased challenges in terms of control of services to the medical device manufacturer, and control of the CAB impartiality and the adherence to the Code of Conduct.
Controls over the use of external resources should cover both the evaluation of the competency of the individual or organization as a resource, and the assignment of a specific regulatory review activity to this external resource.
- External persons
External resources may be individuals (e.g. contracted Regulatory Reviewers or Technical Experts) or organizations (e.g. a CAB recognized under different medical device regulatory review schemes). An external individual or organization is one that does not operate under the CAB’s management system.
The process by which a CAB ensures the suitability of an external Regulatory Reviewer or an external Technical Expert typically includes: (1) the evaluation and ongoing monitoring of the individual’s competence; (2) training in the CAB’s processes and procedures; and, (3) the evaluation of potential threats to impartiality.
- External organization
The process by which a CAB ensures the suitability of an external organization typically includes the evaluation of the following considerations:
- nature and range of the services the external organization is to perform on behalf of the CAB;
- legally enforceable agreements covering the service arrangements;
- if applicable, the impact of any additional services offered to the CAB by the external organization (for example: technical consultancy activities);
- potential conflicts of interests and other threats on the CAB’s impartiality, due to, for example:
- the range of services or products offered by the external organization;
- the organizational structure, ownership of the external organization, and any relationships with other organizations that may provide medical device consultancy; and
- the personal interests of the external organization’s top management;
- the internal and external human resources available to conduct the activities on behalf of the CAB;
- the infrastructure, including information systems;
- the competence and impartiality of the individuals that the external organization uses to conduct the service for the CAB;
- procedures and legally enforceable arrangements by which confidentiality will be ensured;
- processes implemented by the external organization, and their compatibility with the CAB’s processes;
- ability of the CAB to control and monitor activities undertaken on its behalf by the external organization; and
- access to the records relative to the performance of the service.
The evaluation of this information, including any concerns and their resolution, and the rationale for approving the external organization as a resource should be documented.
The relationship between the CAB and the external organization may be a partnership where both organizations may be responsible for separate regulatory review schemes involving a specific medical device manufacturer. For example, one CAB may act as a CAB for the European Union and the other as CAB for the Japanese market. When this is the case, each organization may make independent decisions on the conformity of the medical device to the regulatory requirements that are relevant in the jurisdiction for which the regulatory review is being conducted. The CAB must ensure that the decision made by the external organization does not compromise its ability to make an independent review and decision regarding the conformity of the medical device under review with the relevant regulatory requirements.
On a periodic basis, the CAB should re-evaluate the external organization’s ability to satisfy contractual agreements and expectations.
The Assessors should verify that the CAB implements documented arrangements (such as a memorandum of understanding, or contractual agreement) with external resources for the supply of competent services.
Typical evidence
Organizational structure, contractual arrangements with external individuals and external organizations, and competence evaluation records.
Link with other assessment tasks
The evaluation of the competency of external resources includes the identification of potential threats to impartiality (see Management Task 6.1.4.6).
6.2.4.2 Verify that the CAB has contractual arrangements with external resources.
The arrangements shall allow the recognizing Regulatory Authority to assess or witness the activities of the external resources.
The arrangements shall include a commitment by the external resource to apply the CAB’s requirements and provisions ensuring the control of confidentiality and impartiality.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 4.2.7, 6.1.3, 6.2.2
IMDRF/GRRP WG/N59 clauses: 6.1.13, 6.2.5
Guidance
The Assessors should verify that the contractual arrangements do not enable the delegation to external resources of functions identified in Use of External Resources Task 6.2.4.1.
The Assessors should verify that the contractual arrangements are comprehensive and adequately implemented.
- External Regulatory Reviewer and external Technical Expert
Since an external Regulatory Reviewer or external Technical Expert may have other professional activities (including consultancy activities), the external Regulatory Reviewer or external Technical Expert should confirm the absence of any conflict of interest prior to assignment to a particular regulatory review activity.
Contractual arrangements should be documented and approved by the CAB’s top management. The CAB should not assign any activity to an external Regulatory Reviewer or external Technical Expert before the contractual arrangements are agreed.
- External organization
Contractual arrangements should be documented and approved by the CAB’s top management. The CAB should not assign any activity to the external organization before the contractual arrangements are agreed.
Typical evidence
Contractual arrangements, list of competent personnel that may identify external individuals, list of external organizations, if available.
6.2.4.3 Verify that the CAB has adequate internal competence to review the outcome and appropriateness of the activities performed by external resources and to verify the validity of the objective evidence provided in order to make decisions.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2
IMDRF/GRRP WG/N59 clauses: 6.2.4
Guidance
The confidence of the CAB in the reliability of outsourced regulatory review activities is only achieved if the CAB has sufficient competence internally to direct the regulatory review activities; verify the appropriateness and validity of opinions from external Technical Experts; verify the competence of the external resources; critically evaluate the outcome of the outsourced activities; and understand the significance of the findings and conclusions.
The absence of such internal competence would be equivalent to delegating the certification decision to external resources. Such a delegation is not acceptable as it would not fulfill the requirements of IMDRF/GRRP WG/N59 Clauses 6.1.8 and 7.6.
The Assessor should evaluate the extent of expertise expected by a CAB of an external resource and verify that the CAB can demonstrate sufficient internal competence to verify the appropriateness and validity of objective evidence provided by the external resource.
Typical evidence
Competency files for assigned individuals that demonstrate experience and suitability for the assigned responsibility.
Process: Measurement, Analysis and Improvement
Purpose
The purpose of the Measurement, Analysis and Improvement process is to verify that:
- Information relative to the regulatory reviews, competence of the Regulatory Reviewers, decisions on conformity to regulatory requirements, and the CAB’s management system is collected;
- This information is analyzed to identify actual and potential nonconformities;
- Actual and potential nonconformities are investigated; and
- Effective corrections and corrective actions are taken, as appropriate.
If trends in the information collected above are unfavorable and nonconformities are observed during the assessment, this information can be used to select:
- Regulatory Reviewer qualification files to review during the assessment of the Competence Management process;
- Medical device manufacturer files; and
- Agreement and monitoring records during the assessment of the Use of External Resources process.
Outcomes
As a result of the assessment of the Measurement, Analysis and Improvement process, objective evidence will show whether the CAB has:
- Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the ISO/IEC 17065:2012 standard and the IMDRF/GRRP WG/N59 document;
- Identified, analyzed, and monitored appropriate sources of quality data including internal audits, external assessments, and complaints, to identify actual and potential nonconformities;
- Investigated actual and potential nonconformities;
- Implemented corrections, corrective actions and preventive actions, as appropriate; and
- Reviewed the effectiveness of such actions.
Risks relative to this process
The failure of the Measurement, Analysis and Improvement process poses the following risks:
- Lack of assurance in the CAB’s ability to identify and remediate nonconformities and potential nonconformities as necessary; and/or
- Lack of assurance on the CAB’s decisions relating to the medical device manufacturer’s conformance to regulatory requirements.
Assessment Tasks
6.3.4.1 Verify that the CAB has a defined and documented procedure(s) for measuring, monitoring, analyzing and improving the relevance, compliance, consistent implementation and effectiveness of the CAB’s management system.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.5, 8.7, 8.8
IMDRF/GRRP WG/N59 clauses: Not applicable
Guidance
Assessors should be mindful that while ISO/IEC 17065:2012 does not specifically use the terminology “Measurement, Analysis and Improvement”, Clauses 8.7 and 8.8 of ISO/IEC 17065:2012 refer to “corrective actions” and “preventive actions.” Additionally, most data presented during the management review discussed in ISO/IEC 17065:2012 Clause 8.5 are outputs of a Measurement, Analysis & Improvement process.
The CAB should have procedures to collect and monitor data relative to:
- Conflicts of interest
- Regulatory Reviewer conduct
- Regulatory Reviewer competence
- Implementation of the review and certification processes
The CAB may use various methods to collect such data, including the review of regulatory review documentation, solicitation of feedback from manufacturer clients, internal and external audits and assessments, and recording complaints or unsolicited feedback from manufacturer clients or users of the regulatory review reports or certification documents including those prepared by regulatory authorities.
These procedures should enable the CAB to detect individual nonconformities or potential nonconformities, as well as unfavorable trends.
The Assessor should verify that the CAB has procedures to address any nonconformity and potential nonconformity, including the investigation of their cause, and the determination of corrections and corrective actions, as applicable.
Typical evidence
Procedures and resulting records for these processes.
Link with other assessment tasks
The monitoring, analysis and improvement processes provide input to the management review (see Management Task 6.1.4.7).
6.3.4.2 Determine if appropriate sources of data and processes have been monitored by the CAB, to identify actual and potential nonconformities. This data must include internal audits, external assessments, complaints, and the use of external resources.
Confirm that monitoring and measurement activities cover Regulatory Reviewer competence, regulatory review performance, decisions on conformity to regulatory requirements and adherence to the Code of Conduct throughout the Competence Management and Regulatory Review and Decisions Processes.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.7, 8.8
IMDRF/GRRP WG/N59 clauses: 6.1.12, 6.1.13, 8.1.3
- Data sources
Guidance
It is the CAB’s responsibility to determine appropriate monitoring and analysis activities.
The data sources should at least include:
- Complaints;
- Nonconformities from internal or external audits, and other sources;
- Appeals;
- Competence and conduct of the Technical Experts, Regulatory Reviewers and other personnel;
- Performance of the regulatory reviews according to planned arrangements; and
- Corrective actions.
The Assessor should be mindful of quality problems that appear in more than one data source. It is essential that the CAB understands the full extent of the quality problem. For example, nonconformities noted in complaints or customer feedback should be compared with similar nonconformities noted during the organization's analysis of data from other data sources such as Regulatory Reviewer competence assessment reports, regulatory review records, internal audit reports, etc.
Typical evidence
See list above
- Analysis of data
Guidance
The CAB has the flexibility to use whatever methods of analysis are appropriate to identify existing and potential causes of nonconformities or other quality problems. However, the CAB should use appropriate statistical methods where necessary to detect potential, emerging or recurring quality problems. The CAB should not use statistics to minimize a problem or avoid addressing a problem.
Typical evidence
Records resulting from the processes. Additional record on the analysis of the data.
6.3.4.3 Determine if investigations are conducted to identify the root cause(s) of detected nonconformities as well as of potential nonconformities.
Confirm investigations and corrective actions taken are commensurate with the risk of the nonconformity or potential nonconformity.
Confirm that corrections, corrective actions, and preventive actions, as appropriate, are determined, implemented, documented, effective, and do not adversely affect the regulatory reviews performed and decisions made.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.7, 8.8
IMDRF/GRRP WG/N59 clauses: 7.12.1
Guidance
The Assessor should verify that the CAB’s procedures ensure that data to detect existing or potential nonconformities are analyzed and effectively reacted to when applicable.
When the CAB detects a nonconformity, it must investigate, determine and record:
- The root causes of the nonconformity;
- Any necessary correction to control or limit the effects of the nonconformity; and
- Any necessary corrective action to prevent the re-occurrence of the nonconformity.
Potential nonconformities do not need correction; however, the CAB must still investigate, determine and record:
- The root causes of the potential nonconformity; and
- Any necessary preventive action to prevent the nonconformity from occurring.
The depth of the CAB’s investigation of the quality problem should be commensurate with the risk. An assessment team should be mindful of the risk of the nonconformity on the reliability of the regulatory reviews and the credibility of the decisions made by the CAB.
Considering the nature of the services offered by CABs, the investigation conclusion of a nonconformity’s root cause should not be limited to “human error”, in particular if there is a pattern of such human errors. The Assessor should verify that the CAB evaluates whether such human error originates from a lack of (or ineffective) training, insufficient competency, poor practices, or other causes (e.g. a lack of effective supervision).
The investigation of a nonconformity should include a determination of whether the nonconformity adversely affects certification documents or regulatory review deliverables already released to the client or any Regulatory Authority.
A nonconformity or potential nonconformity may not always warrant correction, corrective, and preventive action.
Where a quality problem has already been identified and investigated by the CAB, and the CAB has decided not to undertake any corrective actions, the Assessor should verify that records include a risk-based rationale for not taking action, and are approved by a designated individual.
The CAB is expected to implement in a timely manner the actions it has decided upon to address an existing or potential nonconformity, including correction, corrective action, and/or preventive action. The time to implement these actions, especially the immediate correction intended to limit the effects of the nonconformity, should be inversely related to the risk of the nonconformity. The extensive nature of some actions, corrective and preventive actions in particular, may necessitate extended time to implement on the part of the CAB.
The Assessor should verify that the CAB evaluates the effectiveness of any implemented corrective or preventive action. These actions should not be considered complete until this evaluation has been conducted and the actions have been confirmed to be effective. If the CAB determines that a correction, corrective action, or preventive action was not effective, such as through the recurrence of the observed nonconformity, the Assessor should verify that the CAB further investigates how to remediate the original problem, and, as appropriate, the causes that prevented the actions from being effective.
Typical evidence
Records resulting from correction, corrective actions, and preventive actions.
Link with other assessment tasks
The output of the corrective and preventive actions is an input to management review (see Management Task 6.1.4.7).
6.3.4.4 Determine whether any of the CAB's corrective actions require reporting to the recognizing Regulatory Authorities (such reporting may include changes relevant to its recognition).
Applicable requirements
ISO/IEC 17065:2012 clauses: Not applicable
IMDRF/GRRP WG/N59 clauses: 9.0
Guidance
The Assessor should verify that the CAB reports to the recognizing Regulatory Authority(s) if a corrective action represents a change that may affect the organization’s recognition (e.g. legal, commercial, organizational or ownership status; top management or key personnel; resources; or premises and critical location) or its operating processes (e.g., policies and procedures submitted to the recognizing Regulatory Authority in the application package for recognition as a CAB).
Typical evidence
Records of corrective action, competence record, record of organizational structure
6.3.4.5 Verify that a process is in place to ensure that a regulatory review that does not conform to regulatory reviewing requirements is identified and managed to ensure that subsequent decisions on conformity to regulatory requirements are based on sufficient information.
Confirm that appropriate decisions were made, justified, and documented.
Applicable requirements
ISO/IEC 17065:2012 clauses: 7.5, 7.6, 7.7, 8.7
IMDRF/GRRP WG/N59 clauses: 7.5.2, 7.6.1, 7.7, 7.12.1
Guidance
If the CAB determines as part of the final review that the prerequisite information or method used for making a decision of conformity to regulatory reviewing requirements is incomplete or contains errors, the Assessor should verify that a nonconformity is recorded and resolved prior to the making of a decision.
The resolution of the CAB’s nonconformity may require revisions to the regulatory review documentation, which may necessitate requesting and reviewing new information from the manufacturer. In addition, re-training of Regulatory Reviewers or Technical Experts may be necessary to reduce the possibility of future nonconformities.
Typical evidence
Client files, record of the review of regulatory review decisions, if available.
6.3.4.6 Confirm that when a nonconformity is detected after the decision of conformity to regulatory requirements, appropriate action is taken commensurate with the risk, or potential risks, of the nonconformity.
Confirm appropriate notification to the relevant Regulatory Authority was made.
Applicable requirements
ISO/IEC 17065:2015 clauses: 8.7
IMDRF/GRRP WG/N59 clauses: 7.12.1, 9.0
Guidance
If a nonconformity affecting a regulatory review or the decision regarding the regulatory conformity of a medical device is observed after this decision has been shared with the recognizing Regulatory Authority(s), the CAB should determine if an amendment to the regulatory review report or the decision is necessary.
If the CAB decides to amend the regulatory review report, the decision on the manufacturer’s regulatory conformity, or any other information shared with the recognizing Regulatory Authority(s), it should inform the recognizing Regulatory Authority(s) and the manufacturer of the change, and the reason for the change (i.e. the nonconformity).
A modification of the decision on a manufacturer’s regulatory conformity may include the suspension or withdrawal of certification documents.
The communication between the CAB and the recognizing Regulatory Authority(s) should enable the Regulatory Authority to evaluate the impact of the nonconformity on regulatory actions undertaken based on the regulatory review information initially provided by the CAB. This could affect marketing authorizations, as well as regulatory actions.
Typical evidence
Internal audits, complaints
6.3.4.7 Verify that internal audits are being conducted according to planned arrangements and documented procedures to ensure the management system is in compliance with the established requirements set out in ISO/IEC 17065:2012 and IMDRF/GRRP WG/N59, as well as any other applicable recognizing Regulatory Authority requirements.
Confirm the internal audits include provisions for auditor independence over the areas being audited, corrections, corrective actions, follow-up activities, and the verification of corrective actions.
Applicable requirements
ISO/IEC 17065:2012 clauses: 8.6
IMDRF/GRRP WG/N59 clauses: 8.1.4
Guidance
The CAB must conduct periodic, independent and systematic examination of its management system to determine whether:
- The management system as defined, meets all applicable requirements;
- The CAB conducts its activities according to the management system; and
- The management system as implemented, produces the expected deliverables and outcomes, and is suitable to achieve the CAB’s quality objectives.
Internal audits may not be specific to a medical device regulatory review scheme but the internal audit program should demonstrate sufficient coverage of this scheme. At a minimum, the entire medical device regulatory review scheme is to be covered within the duration of the recognition cycle.
Typical evidence
The records should demonstrate that the CAB implemented the internal audits according to the internal audit program (including its schedule).
6.3.4.8 Confirm that the CAB has effective processes for handling complaints, and investigating the cause of nonconformities related to complaints.
Verify that procedures are implemented that require the CAB to forward to the recognizing Regulatory Authority information on any complaint about a medical device manufacturer that could indicate an issue related to the safety and effectiveness of medical devices or a public health risk.
Evaluate how the complaint process allows for forwarding to the appeals process.
Applicable requirements
ISO/IEC 17065:2012 clauses: 7.13
IMDRF/GRRP WG/N59 clauses: 7.13
Guidance
The Assessors should verify that the complaint handling process includes:
- Any feedback from a manufacturer client or from users of the certification documents, including Regulatory Authorities, alleging that the CAB did not fulfill all applicable requirements for recognition (i.e. from IMDRF/GRRP WG/N59, ISO/IEC 17065:2012, or any additional requirement specific to the medical device regulatory review scheme); and
- Any feedback from a user of the certification documents, including Regulatory Authorities, alleging that the reviewed devices from the manufacturer do not meet their specifications, or that the manufacturer fails to satisfy its quality system and regulatory obligations.
The CAB may receive feedback through different channels. A complaint may result from broader feedback, and may not be designated by the sender as a complaint. For example, the appeal of a CAB decision should be supported by a rationale for reconsidering a decision on a manufacturer’s conformity. This rationale may include a statement that the CAB did not fulfill its obligations, which may be handled similarly to a complaint.
The Assessor should verify that when communicating with a complainant other than the recognizing Regulatory Authority, the CAB does not share confidential information about any third party.
Typical evidence
Complaint handling records
Link with other assessment tasks
The determination of the complaint validity may be part of the investigation of the nonconformity (See Measurement, Analysis and Improvement Task 6.3.4.9).
6.3.4.9 Where an investigation by the CAB determines that activities from external resources contributed to a nonconformity or a complaint, verify that records show that relevant information was exchanged between the parties involved.
Applicable Requirements
ISO/IEC 17065:2012 clauses: 7.13
IMDRF/GRRP WG/N59 clauses: Not applicable
Guidance
External resources may be essential to the ability of the CAB to conduct many types of regulatory review activities. By nature, external resources are not controlled as directly as internal resources, which introduces an increased risk factor.
When an external resource contributed to a nonconformity or a complaint, the Assessor should verify that the CAB has made the external organization aware of the nonconformity or complaint.
The Assessor should ensure that the CAB has requested information from the external organization regarding the implementation of remediation actions.
Typical evidence
Records of correction, corrective action or complaints
Process: Competence Management
Purpose
The purpose of the Competence Management process is to ensure that Regulatory Reviewers, Technical Experts, the program administrator, and all other personnel involved in the regulatory review and related activities have demonstrated competence, according to pre-established criteria. The Competence Management Process is also to ensure that the CAB has access to competent personnel to cover the scope of their recognition. This is essential in ensuring the credibility of the Regulatory Review and Decision Process outcomes.
Outcomes
As a result of the assessment of the Competence Management process, objective evidence will show whether the CAB has:
- Identified the necessary competence to be an effective organization for their scope of recognition.
- Defined, documented and implemented methods (i.e. procedures and criteria) for the evaluation and monitoring of the competence of Regulatory Reviewers, Technical Experts, the program administrator, and all other personnel involved in the management and performance of regulatory review and related activities.
- Identified training needs and access to training for Regulatory Reviewers, Technical Experts, the program administrator, and all other personnel involved in the management and performance of regulatory reviews and related activities.
- Maintained records demonstrating the effective implementation of the competence management process.
- Demonstrated the effectiveness of its evaluation methods and of the overall competence management process.
Risks relative to this process
The failure of the Competence Management process poses the following risk:
- Lack of competence may not allow the Regulatory Reviewers, Technical Experts, and program administrator to identify the critical elements to assess, make appropriate judgement on conformity to regulatory requirements and make appropriate decisions.
Assessment Tasks
6.4.4.1 Verify that the CAB has identified the necessary competencies for the scope of its recognition.
Verify that the CAB has access to the necessary technical expertise for advice on matters directly relating to decisions of conformity to regulatory requirements.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.1.1, 6.1.1.2, 6.1.2, 7.3.1
IMDRF/GRRP WG/N59 clauses: 6.1, 6.2.3, 6.2.4, 7.3.2
IMDRF/GRRP WG/N40 clauses: 5.0, 7.0, 8.0, 9.0
Guidance
- Competence needs for the organization
The Assessor should verify the following:
- The CAB should identify the competence needed at all levels of the organization and for all functions involved in regulatory review-related activities, to operate as a recognized CAB.
- The CAB should use expert opinions to identify these competencies. Such experts may be internal or external. The necessary competence may vary depending on the range of technical areas for which the CAB seeks recognition, and on the number and profile of medical device manufacturer clients and their medical devices.
- The CAB should have an appropriate workforce, in competence and number, to operate as a CAB.
- If the CAB has several sites with separate organizational structures within the scope of the same management system, the same competence criteria are consistently applied to all sites.
- Identifying Competence criteria
The Assessor should verify that the documented process allows the CAB to:
- Determine the requirements that should be met as part of each regulatory review, and ensure that conformity to these requirements has been demonstrated. This assessment should consider each area of technical knowledge for which the CAB is seeking recognition;
- Document competency criteria expressed in terms of the requisite knowledge, skills, behavior, values and experience that will ensure requirements are adequately assessed. Criteria may also include an ability to analyze and adapt to new situations. The criteria should allow for an objective and measurable assessment of competency. (IMDRF/GRRP WG/N40 Section 7 provides an example of a scheme for the classification of foundational knowledge); and
- Maintain the competence criteria.
The IMDRF/GRRP WG/N40 Sections 8 and 9 specify prerequisite education and experience for Regulatory Reviewers and Technical Experts.
Some competence criteria may apply to all technical areas (horizontal criteria). For example, all medical device Regulatory Reviewers should have demonstrated competence in medical device regulations, quality management systems, and risk management applied to medical devices.
Conversely, competence criteria may only apply to specific technical areas (vertical criteria). For example, not all medical device Regulatory Reviewers need to have competence in the safety of electrical medical devices or software.
If the CAB excludes some technical areas from its application to the recognizing Regulatory Authority(s), the CAB would not be expected to have competent Regulatory Reviewers for these technical areas. The CAB must not commit to undertake the assessment of products where it does not have the requisite competence under its scope of recognition.
For each regulatory review function, the CAB should identify the criteria that may be used to demonstrate competence, prior to the assessment of competence against the criteria.
- Technical and regulatory expertise
The Assessor should verify that the CAB has access to sufficient technical expertise necessary for the scope of its regulatory review-related activities (e.g. medical devices reviewed, their performance and safety, clinical use, manufacture, and the regulations applicable to those devices).
The necessary expertise should serve the following purposes:
- Provide guidance while defining appropriate regulatory review and certification practices and processes;
- Provide guidance during the development of the CAB’s management system to ensure compliance to the recognition requirements;
- Define necessary competence criteria and train individuals involved in the regulatory review and certification activities;
- Support the Regulatory Reviewers when facing challenging issues during a regulatory review; and
- Enable the CAB to critically review technical documentation, request additional information from the manufacturer when needed, and review this additional information.
While defining regulatory review and certification practices and processes, and the CAB management system, the CAB should consider guidance documents that are acceptable to Regulatory Authorities.
- Using external resources to meet the scope of expertise
The outcome of the identification of competence needs should serve as an input to the selection of an external resource and to define operational processes between the CAB and the external resource.
Typical evidence
Competence management procedures and criteria
Link with other assessment tasks
See Management Task 6.1.4.5 (analysis of the adequacy of the set of Regulatory Reviewers) and Use of External Resources Task 6.2.4.3 (internal resources necessary to verify the work of external resources)
6.4.4.2 Verify that the CAB has defined, documented and implemented procedures and criteria for initial competence evaluation of Regulatory Reviewers, Technical Experts, program administrators, and all other personnel involved in regulatory review-related activities.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2
IMDRF/GRRP WG/N59 clauses: 6.1.3, 6.1.10, 6.2.6
IMDRF/GRRP WG/N40 clauses: 10.1, 11.0, 12.0
Guidance
- Competence evaluation criteria
Compliance with competency criteria may be demonstrated by an individual (or organization) through a combination of practical and theoretical knowledge, skills, behavior and values that are used to act effectively in regulatory review activities.
- Competence evaluation process
The Assessor should verify that the CAB has a defined process for the initial evaluation of the competence of a candidate Regulatory Reviewer, Technical Expert, or any other individual involved in regulatory review and decision activities.
Competence cannot strictly be confirmed through a document review. The evaluation process should consider various methods to initially evaluate the individual’s competence, using a combination of the following:
- Review of records of education and training;
- Review of records of regulatory reviews conducted, if relevant to the function;
- Review of evidence of technical expertise (for example, involvement in medical device design or testing, publications), if relevant to the function;
- Feedback from peers and supervisors and, if relevant, from manufacturers whose medical devices were reviewed;
- Interviews with CAB personnel; and
- Evaluation against competency criteria, e.g. testing.
The Assessor should verify that the individual(s) involved in the evaluation of competence themselves possess the necessary competence to do so effectively. Specifically, the individual(s) involved in the evaluation of the competence of Regulatory Reviewers or Technical Experts should meet the competence criteria of a Regulatory Reviewer with adequate education, skill and experience.
Before undertaking independent regulatory reviews, each Regulatory Reviewer must undergo a confirmation of skills and personal attributes through the CAB’s assessment of their regulatory reviews in accordance with IMDRF/GRRP WG/N40 Sections 11 and 12.
Assessors may find that an effective way to assess Regulatory Reviewer competence is to select Regulatory Reviewers during the regulatory review assessment (MRA) portion of the assessment. As the Assessors are reviewing the regulatory review documentation, those Regulatory Reviewers can be selected and evaluated for the required technical competency to do the regulatory review.
Note that the CAB may define different degrees of Regulatory Reviewer competence, using designations such as Regulatory Reviewer, lead Regulatory Reviewer, senior Regulatory Reviewer, or supervising Regulatory Reviewer. If applicable, the CAB should define the competence criteria for each of these designations, as well as determining competency criteria for different technical areas (e.g. sterilization processes, electronic devices, devices containing nanomaterials, etc.).
Typical evidence
Procedure for the initial evaluation of competence, and related records
6.4.4.3 Verify that the CAB maintains records of personnel to include Regulatory Reviewers, Technical Experts, and the program administrator that have been assessed as competent to perform the duties associated with the regulatory review and related activities, including external resources.
Verify that the records are current at all times.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2.2
IMDRF/GRRP WG/N59 clauses: 6.1.1
IMDRF/GRRP WG/N40 clauses: 13.0
Guidance
The Assessor should verify that:
- These records are available and current for all personnel; and
- The CAB has implemented the scheme for the classification of technical knowledge if prescribed by the recognizing Regulatory Authority.
Typical evidence
List of competent personnel
Link to other assessment tasks
The list must include external resources (see Use of External Resources Task 6.2.4.1).
6.4.4.4 Verify that records demonstrate the implementation of the competence evaluation, training, commitments to confidentiality, impartiality, and Code of Conduct for Regulatory Reviewers, Technical Experts, the program administrator, and all other personnel involved in the regulatory reviews and related activities.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2.2
IMDRF/GRRP WG/N59 clauses: 6.1.13, 6.1.14
IMDRF/GRRP WG/N40 clauses: 13.0
Guidance
The Assessors should verify records of initial and ongoing competence evaluation as well as training records. These files should include external Regulatory Reviewers and external Technical Experts, including those used by external organizations.
When assessing the CAB, the recognizing Regulatory Authority’s assessment team should select a representative sample of individual files, with a preference for Regulatory Reviewers and Technical Experts, including both internal personnel and external resources. The completion of previous assessment tasks may direct the selection to specific functions or individuals.
Typical evidence
Individual files
Link with other assessment task
See Management Task 6.1.4.6 regarding commitment to impartiality.
6.4.4.5 Verify that the CAB has identified training needs, has provided access to such training, and has ensured the identified training has been undertaken by its Regulatory Reviewers, Technical Experts, the program administrator, and all other personnel involved in the regulatory reviews and related activities, including the external resources. Training shall include IMDRF-specific requirements.
The CAB must ensure that personnel have access to an up-to-date set of procedures.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2
IMDRF/GRRP WG/N59 clauses: 6.1.1, 6.1.3, 6.1.5, 6.1.6
IMDRF/GRRP WG/N40 clauses: 10.0
Guidance
The Assessor should verify that as a result of either the evaluation of an individual’s competence, the recruitment of new personnel (including Regulatory Reviewers, Technical Experts, or program administrators), or the evaluation of the adequacy of the set of Regulatory Reviewers, Technical Experts and personnel with respect to the organization needs, the CAB made arrangements to complement the competence of the individual or the organization with additional training. This includes the provision of Continual Professional Development per IMDRF/GRRP WG/N40 Clause 10.3.
Training arrangements should ensure that:
- Any gaps identified in the competence evaluation are resolved;
- Any needs for future professional development are identified; and
- The training is effective, for example through knowledge tests, examinations, review of work by a tutor or supervisor, observation of regulatory reviews, interviews, etc.
Typical evidence
Training plans, job-specific predefined training curriculum, etc. are examples of documented arrangements.
6.4.4.6 Verify that the CAB has defined, documented and implemented a method (i.e. procedures and criteria) for the ongoing monitoring of competence and performance of all personnel involved in regulatory reviews and related activities.
Verify that when personnel no longer meet the competence criteria, their competence status is revised.
Verify if any remediation plan has been implemented.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2
IMDRF/GRRP WG/N59 clauses: 6.1.10
IMDRF/GRRP WG/N40 clauses: 11.0, 14.0
Guidance
- Monitoring of the competence
The Assessor should verify that the CAB has defined methods and criteria for the ongoing monitoring of the competence of personnel according to documented procedures.
Regulatory Reviewers must undergo confirmation of skills and personal attributes through the CAB’s assessment of their regulatory reviews in accordance with IMDRF/GRRP WG/N40 Section 11 every year.
The monitoring should be adapted to the expected level of competence, and to the potential impact of the lack of competence of the individual(s).
The Assessor should verify that if the CAB identifies concerns that relate to a lack of competence of a Regulatory Reviewer(s) or a Technical Expert(s), the CAB documents the concern. The procedures should specify how these concerns should be recorded and handled (e.g. through the corrective action process).
- Response to the outcomes of the competence monitoring activities
The Assessor should verify that the outcome of the competence monitoring activities is a decision on whether to renew the recognition of competence of personnel.
The decision may be either to renew the recognition of competence or to place the individual into remediation.
The Assessor should verify that the CAB adjusts the monitoring methods and training arrangements of a particular individual that has been placed in remediation. For example, the monitoring methods may be changed to monitor the improvement of a particular competency.
The work performed by an individual that has been placed in remediation should be evaluated by the CAB to ensure its validity. If the outcomes of a regulatory review performed by an individual that has subsequently been placed in remediation (i.e. the regulatory review documentation and the decision on the medical device’s conformity) should be invalidated, the CAB should record it as a nonconformity and inform the recognizing Regulatory Authority(s) and affected manufacturers of the situation and the remediation plan.
Typical evidence
Competence re-evaluation procedures and records, regulatory review documentation
Link with other assessment tasks
The competence monitoring process is a source of quality data for the Measurement, Analysis and Improvement process (see Measurement, Analysis and Improvement Tasks 6.3.4.1 and 6.3.4.2).
Decision on the competence of CAB personnel may impact the list of available Regulatory Reviewers and Technical Experts (see Competence Management Task 6.4.4.3).
6.4.4.7 Verify that the CAB has demonstrated the effectiveness of the competence evaluation methods and of the competence management process.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.1.2.1
IMDRF/GRRP WG/N59 clauses: 6.1.10
IMDRF/GRRP WG/N40 clauses: 11.0
Guidance
Demonstrating the effectiveness of the competence evaluation methods is intrinsically difficult for both the CAB and the recognizing Regulatory Authority’s assessment team. However, if the CAB or the recognizing Regulatory Authority’s assessment team identifies a lack of competence of the CAB or of an individual, this may reflect a lack of effectiveness of the competence evaluation methods and competence management process.
Typical evidence
Records on regulatory reviews, internal audits, records of client feedback
Link with other assessment tasks
The individual’s file includes information relevant to the assignment of position, including responsibilities and authorities (see Management Task 6.1.4.4), and to the management of impartiality (see Management Task 6.1.4.6)
Process: Regulatory Review and Decisions
Purpose
The purpose of the Regulatory Review and Decisions process is to control the management of the medical device manufacturer’s request for regulatory review and other related activities. This process includes the review of the regulatory submission, the definition of the regulatory review program, the planning and performance of the regulatory review, the decision-making, and the review of the regulatory review program.
Outcomes
As a result of the assessment of the Regulatory Review and Decisions process, objective evidence will show whether the CAB has:
- Defined, documented and implemented methods (i.e. procedures and criteria) for the control of Regulatory Review and Decisions.
- Established and implemented regulatory review processes for specific medical device types in accordance with the prescribed recognizing Regulatory Authority requirements.
- Planned and conducted regulatory reviews according to the regulatory review program, including the assignment of a competent regulatory review team.
- Reviewed additional information provided by the manufacturer in response to deficiencies observed during regulatory reviews.
- Made reliable and consistent decisions based on the outcome of the regulatory reviews and the review of the manufacturers’ responses.
- Conducted follow-up activities according to the decisions.
- Effectively evaluated and made appropriate decisions regarding appeals.
- Maintained records demonstrating the effective implementation of the Regulatory Review and Decisions processes.
Risks relative to this process
The failure of the Regulatory Review and Decisions process poses the following risk:
- Lack of control regarding the Regulatory Review and Decisions process may cause inconsistency in the outcome and affect the reliability of the outputs of the CAB.
Assessment Tasks
6.5.4.1 Verify that the CAB has documented procedures as required in the IMDRF/GRRP WG/N59 for Clause 7 of ISO/IEC 17065:2012.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7
IMDRF/GRRP WG/N59 clauses: 7.1.1
Guidance
The Assessor should verify that any specific requirements for the regulatory review of technical documentation, or any other requirements prescribed by a Regulatory Authority, have been incorporated into the CAB’s procedures for their regulatory review and certification processes.
Typical evidence
Review procedures (see IMDRF/GRRP WG/N59 Clause 7.0)
6.5.4.2 Verify that the CAB established, reviewed and updated (as needed) regulatory review processes specific to each medical device type the CAB is recognized to review.
Verify that the CAB has conducted the regulatory reviews according to these processes, including the incorporation of relevant regulatory requirements and IMDRF principles.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.2.1, 7, 8.2.3
IMDRF/GRRP WG/N59 clauses: 7.0
Guidance
The Assessor should verify that the CAB has established a regulatory review process for each medical device type they are recognized to review.
The Assessor should in particular verify that the CAB takes into account considerations such as:
- The need for GMP/QMS certification in a given regulatory jurisdiction;
- The scope of marketing certification to ensure that it adequately reflects the intended use of the device and any specific regulatory requirements in the jurisdiction where marketing authorization is sought; and
- Device-specific considerations impacting the regulatory review such as the medical device classification, manufacturing processes, software, the presence of substances of human or animal origin or medicinal substances.
The Assessor should verify that the CAB reviews and revises the regulatory review processes as necessary when new information about medical devices subject to regulatory review becomes available to the CAB. Such information could include changes to regulatory requirements, directives from regulatory authorities, changes to relevant standards, and newly available safety information.
Typical evidence
Sample of specific regulatory review procedures, client files
6.5.4.3 Verify that the CAB selected and assigned regulatory review teams with the competence required for each regulatory review.
Verify that the CAB communicated to the regulatory review teams the desired scope of regulatory review, objectives and tasks for planning the regulatory review and for the assignment of responsibilities among the regulatory review team members.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.2, 7.2, 7.3, 7.4, 7.5, 7.6
IMDRF/GRRP WG/N59 clauses: 6.1.8, 6.2.7, 7.3, 7.4, 7.5, 7.6
Guidance
The Assessor should verify that the CAB has a procedure for the selection of regulatory review team members that ensures the regulatory review team possesses the competence necessary to conduct a specific regulatory review of the medical device, taking into account the scope of the regulatory review and in accordance with the medical device regulatory review scheme.
Per IMDRF/GRRP WG/N59 Clause 6.1.8 and as shown in Table 1, the Assessor should verify that the personnel assigned to the recommendation and certification decision processes are employed by the CAB, such that the CAB maintains control of the activities of these personnel and owns the responsibility for these decisions. These individuals are typically expected to have a direct labor contract with the CAB, to be functionally and hierarchically incorporated in the CAB, and to receive their salary from the CAB. In some regulatory jurisdictions, non-CAB employees who are contracted directly to the CAB under a legally enforceable arrangement under the CAB’s quality management system may also be permitted to perform these functions.
This task can often be efficiently assessed by selecting regulatory review files for assessment and confirming that the regulatory review scope and objectives were correct and agreed upon between the CAB and the client, the regulatory review team that was selected has all the required technical competency, and that the regulatory review process was followed.
Typical evidence
Client files
Link with other assessment tasks
See management of impartiality in Management Task 6.1.4.6.
Table 1: Permissible Regulatory Review Duties for Different CAB Resources¹
| Entity | Type of Arrangement | Permissible Regulatory Review Duties² |
|---|---|---|
| Identification of Regulatory Reviewer Competence Requirements | Evaluation | Recommendation |
| CAB’s legal entity | CAB employee | Y |
| Other entity under the CAB’s organizational control³ | Employee of the entity with agreement to perform work under CAB’s QMS | N |
| Separate individual or other organization | Operating under CAB’s QMS | N |
| Not operating under CAB’s QMS | N | Y |
1: These permissible duties and this categorization of resources differ from those presented in ISO/IEC 17065:2012
2: Permissible duties as specified in IMDRF/GRRP WG/N59 Clause 6.1.8. In some regulatory jurisdictions, non-CAB resources who are contracted directly to the CAB under a legally enforceable arrangement under the CAB’s quality management system may be permitted to perform additional functions
3: As defined in ISO/IEC 17065:2012 Clause 7.6.4
4: As stated in Section 1.0 of this document and in IMDRF/GRRP WG/N59 Section 7.6, in some regulatory jurisdictions only the Regulatory Authority can make the final decision regarding medical device regulatory reviews
6.5.4.4 Verify that the CAB conducted regulatory reviews according to the regulatory review program and the requirements of the recognizing Regulatory Authority.
Verify that the requirements for regulatory review reports, including the identification and communication of any deficiencies observed in the technical documentation, and any requirements of the recognizing Regulatory Authority were met.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 6.2, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7
IMDRF/GRRP WG/N59 clauses: 6.2.7, 7.3, 7.4, 7.5, 7.6, 7.7
Guidance
The Assessor should verify that the regulatory review program has been implemented as planned and if regulatory reviews were delayed or not performed, that the CAB has provided a rationale or taken measures to rectify the problem.
The Assessor should verify that the CAB has followed relevant IMDRF principles for conformity assessment when conducting regulatory reviews of medical devices.
The Assessor should select a sample of regulatory review files to audit their content. The sampling should take into account:
- The outcome of their assessment of prior processes (e.g. Management, Measurement, Analysis & Improvement and Competence Management processes);
- The outcomes of previous assessments of the CAB;
- The class and type of the device under review;
- Postmarket information (e.g. recalls);
- Different types of regulatory reviews (e.g. initial marketing certification, changes in certification scope or device design/use);
- Different regulatory jurisdictions; and
- Various Regulatory Reviewers, including internal and external resources.
Typical evidence
Regulatory review documentation
6.5.4.5 Verify that the CAB reviewed any responses to deficiencies identified during a medical device regulatory review.
Verify that the CAB has verified the sufficiency of any information requested from the manufacturer as part of the regulatory review process.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.4.6, 7.4.7, 7.4.8
IMDRF/GRRP WG/N59 clauses: 7.4.3, 7.6.1
No additional guidance
Typical evidence
Regulatory review documentation
Link with other assessment tasks
See Regulatory Review and Decision Process Task 6.5.4.4
6.5.4.6 Verify that the CAB ensures consistent application of regulatory review and decision-making procedures.
Verify that the decisions made for suspending, withdrawing, or reducing the scope of any certification are consistent with the recognizing Regulatory Authority’s requirements.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.4.9, 7.5, 7.6, 7.7, 7.10
IMDRF/GRRP WG/N59 clauses: 7.6, 7.7, 7.10, 7.11, 9.1
Guidance
- Review of the technical documentation
The Assessor should verify that any deficiencies identified during the regulatory review were relevant to the scope of the regulatory review and supported by evidence, and that this review is documented. The regulatory review records should document whether each applicable requirement for the regulatory review was met.
- Decision on the manufacturer’s regulatory conformity
The Assessor should evaluate whether the provision of ISO/IEC 17065:2012 Clauses 7.5.1 and 7.6.2 regarding the independence of CAB personnel performing recommendations and certification decisions is met. If the decision is made by a committee, this does not necessarily prohibit the Regulatory Reviewer(s) from participating in committee meetings, provided the rules governing the committee ensure the overall independence of the committee.
The Assessor should evaluate on the basis of a sample of files, whether the CAB ensures the consistency and accuracy of the certification decisions made.
For review processes that result in granting marketing certification, the Assessor should verify that the CAB ensures that marketing certification is only granted after the regulatory review process is completed.
Assessors should be mindful that IMDRF/GRRP WG/N59 Clause 9.1.4 requires that the CAB notify the recognizing Regulatory Authority(s) in writing within 5 working days from the date of a decision to refuse, suspend, reinstate, restrict, or withdraw a certificate. The notification shall include a rationale for such action.
Typical evidence
Client files
6.5.4.7 Verify that the CAB communicated the certification decisions and conducted any associated follow-up duties as appropriate, including communication with the manufacturer or Regulatory Authorities.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.6, 7.7, 7.11
IMDRF/GRRP WG/N59 clauses: 7.6, 7.7, 7.12.1, 9.0
Guidance
The Assessor should verify that the CAB’s follow-up activities, including communication of certification decisions, are conducted to fulfill specified objectives, according to a specified timeline, and by individuals with the necessary competence.
The Assessor should verify that the CAB communicates in a timely manner with the relevant recognizing Regulatory Authority(s) in case of a decision to request a restriction, suspension, or withdrawal of marketing certification, or to communicate any other concerns as discussed in IMDRF/GRRP WG/N59.
Typical evidence
Client files
6.5.4.8 Verify that the CAB ensured that any follow-up activities required by manufacturers as part of the regulatory review process were completed as appropriate.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.10, 7.11
IMDRF/GRRP WG/N59 clauses: 7.10, 7.11
Guidance
The Assessor should verify that in cases where the manufacturer is required to follow up with the CAB after a certification decision has been made, these duties were fulfilled with appropriate timeliness. Examples of such activities can include medical device stability reports or postmarket safety information required by the relevant regulatory review scheme.
Typical evidence
Client files, regulatory review procedures
6.5.4.9 Verify that the CAB evaluated and made decisions on appeals.
Verify that appeals are input to the Measurement, Analysis and Improvement process.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.13
IMDRF/GRRP WG/N59 clauses: 7.13, 8.0
Guidance
The Assessor should verify that the CAB’s process ensures a fair review of the request, taking into account internal jurisprudence, and should prevent any pressure on the decision-makers that could impact their independence.
The Assessor should verify that the CAB investigates appeals as potential indicators of the need for improvement through the Measurement, Analysis & Improvement process.
The Assessor should verify that correction and corrective action, if appropriate, have been taken by the CAB.
Trends on appeal decisions may reveal signs of lack of independence.
Typical evidence
Records of appeal
Link with other assessment tasks
See Measurement, Analysis and Improvement Task 6.3.4.8 regarding complaints.
See Management Task 6.1.4.6 on impartiality.
6.5.4.10 Verify that the CAB maintained records on the regulatory review and decision activities.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.12
IMDRF/GRRP WG/N59 clauses: 7.12
No additional guidance
6.5.4.11 Verify the effectiveness of the regulatory review and decision process.
Applicable Requirement
ISO/IEC 17065:2012 clauses: Not applicable
IMDRF/GRRP WG/N59 clauses: 8.1.3
Guidance
The CAB must measure, monitor and analyze its regulatory review program to provide information relating to the characteristics and trends of its processes, such as consistency in regulatory review reports, bias in identified deficiencies, feedback from medical device manufacturers, etc.
The Assessors should review the process by which the CAB monitors the performance of the regulatory review program. This information can often be found by reviewing the information evaluated in management review, or as part of the CAB’s corrective actions.
Typical evidence
Records of corrective actions, management review inputs
Link with other assessment tasks
See Measurement, Analysis and Improvement Task 6.3.4.2 regarding analysis of data, and Management Task 6.1.4.7.
Process: Information Management
Purpose
The purpose of the Information Management Process is to ensure effective documentation control and communication between the CAB and the medical device manufacturers, the Regulatory Authorities and the public. The Information Management Process must ensure the necessary level of confidentiality.
Outcomes
As a result of the assessment of the Information Management process, objective evidence will show whether the CAB has:
- Established an effective process for documentation control.
- Made appropriate information available about its activities and clients to Regulatory Authorities and the public.
- Established appropriate contractual arrangements with its clients.
- Implemented appropriate arrangements to safeguard confidentiality.
Risks relative to this process
The failure of the Information Management Process poses the following risks:
- Lack of control of internal documentation leading to inappropriate regulatory review decisions;
- Lack of control of information shared with external parties, potentially providing inaccurate, obsolete or misleading information; and/or
- Leak of confidential information.
Assessment Tasks
6.6.4.1 Verify that procedures have been defined, documented, and implemented for the control of documents and records required by the quality management system.
Confirm the organization retains records for an appropriate time period.
Applicable requirements
ISO/IEC 17065:2012 clauses: 7.12, 8.3, 8.4
IMDRF/GRRP WG/N59 clauses: 7.12.2, 8.1.2
Guidance
If the CAB uses an electronic document control system, including the use of electronic signatures, the Assessor should verify that the CAB ensures that the electronic signature has the same value as a handwritten signature, and validates the system to ensure the authenticity of the signature, and that a signed document cannot be tampered with.
Records related to certification activities should be retained for a time frame specified by the recognizing Regulatory Authority. Records related to conformity to the requirements in N59 should be retained for at least 15 years from their creation.
The Assessor should verify that regulatory review records are uniquely identified, including their version and any amendments. If a regulatory review record needs to be amended, the changes and their author should also be identifiable. The version of the regulatory review record shall be traceable to the decision on the manufacturer’s conformity.
Typical evidence
Document control and record control procedures, client file
6.6.4.2 Verify that the CAB made publicly accessible, or provided upon request, information describing its regulatory review programs.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 4.6, 7.8
IMDRF/GRRP WG/N59 clauses: 4.6
Guidance
The Assessor should identify the ways in which the CAB provides information about its regulatory review programs.
Link with other assessment tasks
Publicly available information may affect the CAB’s impartiality (see Management Task 6.1.4.6).
6.6.4.3 Verify that the CAB has provided detailed information to the medical device manufacturer regarding the regulatory review and decisions process, including the process addressing complaints and appeals, as well as fees.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 4.6
IMDRF/GRRP WG/N59 clauses: 4.6.2, 4.6.3
No additional guidance
Typical evidence
This information may be found in contracts, conditions on certificates, website, etc.
6.6.4.4 Verify that the CAB has established contractual arrangements with the medical device manufacturers specifying the responsibilities of both parties.
Verify that the contractual arrangements allow for the recognizing Regulatory Authority to assess the CAB's regulatory reviews to the necessary extent.
Verify that the contractual arrangements allow the recognizing Regulatory Authority to exchange information with other Regulatory Authorities that maintain Confidentiality Agreements.
Verify that the contractual arrangements specify requirements regarding the reference to their conformity status and potential action to deal with misuse or misrepresentation of the conformity status.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 4.1.2, 4.1.3
IMDRF/GRRP WG/N59 clauses: 4.1.4, 4.1.5, 4.1.6
Guidance
The Assessor should verify that the contractual arrangements do not restrict the exchange of information in relation to the manufacturer between the Regulatory Authorities that maintain Confidentiality Agreements. Because a manufacturer’s intellectual property and other confidential information will be exposed to an external resource, contractual arrangements between the CAB and the manufacturer should ensure that the CAB has the agreement of the manufacturer to engage specified external resources for regulatory review services.
In situations where the regulatory review includes granting marketing authorization, if marketing authorization can only be granted by the recognizing Regulatory Authority, the Assessor should verify that a contractual arrangement does not imply that a certification document issued by the CAB represents marketing authorization of the medical device.
Typical evidence
Contractual arrangements
6.6.4.5 Verify that the CAB provides the recognizing Regulatory Authorities with regulatory review reports and certificates that meet each Regulatory Authority’s individual regulatory requirements, as well as other required and requested reports and communications.
Applicable Requirement
ISO/IEC 17065:2012 clauses: Not applicable
IMDRF/GRRP WG/N59 clauses: 7.6, 7.7, 7.8, 7.11, 7.13.1, 9.0
Guidance
The Assessor should verify that the CAB communicates to the recognizing Regulatory Authority(s) within 5 working days of becoming aware of any of the following, regardless of the source of information that makes the CAB aware of such reportable situations:
- Any fraudulent activities by, or counterfeit products from, any medical device manufacturer;
- Information that may require safety-related regulatory action (such as design changes that do not adequately address a postmarket issue involving marketed devices);
- A decision to refuse, suspend, reinstate, restrict or withdraw a certificate; or
- Significant changes relevant to the CAB’s recognition, in any aspect of its status or operations (see the list in IMDRF/GRRP WG/N59 Clause 9.1.5).
Typical evidence
Records of communication between the CAB and the recognizing Regulatory Authority, client file, suspended/withdrawn certificates
6.6.4.6 Verify that the CAB made information on certifications granted, suspended or withdrawn publicly accessible or provided upon request.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 7.8, 7.11
IMDRF/GRRP WG/N59 clauses: 4.6
Specific Guidance
Per IMDRF/GRRP WG/N59, this task may not apply to CABs operating in a jurisdiction where final certification decisions are made by the recognizing Regulatory Authority and not the CAB.
Typical Evidence
Procedures for sharing information with the public, records of such communications
6.6.4.7 Verify that the CAB has defined, documented and implemented procedures and legally enforceable arrangements to safeguard confidentiality, unless disclosure is required by IMDRF documents or by law.
Applicable Requirement
ISO/IEC 17065:2012 clauses: 4.5, 6.1.1.3, 6.1.3
IMDRF/GRRP WG/N59 clauses: 4.5
No additional guidance
Typical evidence
Procedures, contractual agreements between a CAB and a manufacturer, and contractual agreements between a CAB and its employees or external resources.
Appendix 1: List of Assessment Tasks and Applicable Requirements
The following tables include the assessment tasks listed in this document, along with the applicable requirements from ISO/IEC 17065:2012 and IMDRF/GRRP WG/N59 and N40. This appendix may serve as a useful reference for planning CAB initial recognition or re-recognition assessments.
| Task Number | Task Topic | Applicable ISO/IEC 17065: 2012 Clauses | Applicable IMDRF/ GRRP WG/N59 Clauses | Applicable IMDRF/ GRRP WG/N40 Clauses |
|---|---|---|---|---|
| 6.1 | Process: Management | | | |
| 6.1.4.1 | Legal entity, legal responsibility, liability, financing and eligibility | 4.1.14.3 | 4.1.14.1.24.1.34.3.1 | |
| 6.1.4.2 | Management System documents | 8 | 8.0 | |
| 6.1.4.3 | Quality policy, objectives, and planning | 8.18.2 | 8.1.18.1.3 | |
| 6.1.4.4 | Organizational structure, responsibility, authority | 5.18.1.18.2.18.2.28.2.3 | 5.16.1.26.1.119.1.1 | |
| 6.1.4.5 | Adequacy of regulatory review resources | 6.1.1.16.1.1.26.2 | 5.1.3 | 10.3 |
| 6.1.4.6 | Management of impartiality | 4.24.45.1.15.26.1.36.2.1 | 4.26.1.13 | 6.0 |
| 6.1.4.7 | Management review | 8.5 | 8.1.3 | |
| 6.2 | Process: Use of External Resources | | | |
| 6.2.4.1 | Extent of use and controls of external resources | 6.2.2 | 6.2.26.2.36.2.46.2.56.2.66.2.7 | |
| 6.2.4.2 | Contractual arrangements with external resources | 4.2.76.136.2.2 | 6.1.136.2.5 | |
| 6.2.4.3 | Internal competence to review the outcome of outsourced activities | 8.18.2 | 8.1.18.1.3 | |
| 6.3 | Process: Measurement, Analysis & Improvement | | | |
| 6.3.4.1 | Procedures relative to measurement, analysis and improvement | 8.58.78.8 | ||
| 6.3.4.2 | Sources of quality data | 8.78.8 | 6.1.126.1.138.1.3 | |
| 6.3.4.3 | Investigation, corrections, corrective actions and preventive actions to address nonconformities and potential nonconformities | 8.78.8 | 7.12.1 | |
| 6.3.4.4 | Reporting of corrective actions impacting the recognition | 9.0 | ||
| 6.3.4.5 | Decision on conformity to regulatory requirements supported by nonconforming regulatory reviews or review reports | 7.57.67.78.7 | 7.5.27.6.17.77.12.1 | |
| 6.3.4.6 | Management of nonconforming review reports or certification documents after their sharing and publication | 8.7 | 7.12.19.0 | |
| 6.3.4.7 | Internal audits | 8.6 | 8.1.4 | |
| 6.3.4.8 | Complaint handling and management | 7.13 | 7.13 | |
| 6.3.4.9 | Communication with external resources having contributed to a nonconformity or complaint | 7.13 | ||
| 6.4 | Process: Competence Management | | | |
| 6.4.4.1 | Identification of necessary competence to operate as a recognized CAB | 6.1.1.16.1.126.1.27.3.1 | 6.16.2.36.2.47.3.2 | 5.07.08.09.0 |
| 6.4.4.2 | Procedure and criteria for competence evaluation of all personnel involved in regulatory review and certification related activities | 6.12 | 6.1.36.1106.2.6 | 10.111.012.0 |
| 6.4.4.3 | Identified personnel with demonstrated competence | 6.1.2.2 | 6.1.1 | 13.0 |
| 6.4.4.4 | Personnel’s individual file | 6.1.2.2 | 6.1.136.1.14 | 13.0 |
| 6.4.4.5 | Training to the regulatory review process and certification requirements and access to corresponding current documents | 6.1.2 | 6.1.16.1.36.1.56.1.6 | 10.0 |
| 6.4.4.6 | Monitoring of personnel’s competence and performance | 6.1.2 | 6.1.0 | 11.014.0 |
| 6.4.4.7 | Effectiveness of the competence evaluation methods and the competence management process | 6.1.2.1 | 6.1.10 | 11.0 |
| 6.5 | Process: Review & Decision | | | |
| 6.5.4.1 | Procedures for the control of the regulatory review process | 7 | 7.1.1 | |
| 6.5.4.2 | Regulatory review program establishment and update; planning of regulatory reviews | 6.2.178.2.3 | 7.0 | |
| 6.5.4.3 | Selection and assignment of competent regulatory review team, and communication prior to the review | 6.27.27.37.47.57.6 | 6.1.86.2.77.37.47.57.6 | |
| 6.5.4.4 | Regulatory review performance and report | 6.27.27.37.47.57.67.7 | 6.2.77.27.37.47.57.67.7 | |
| 6.5.4.5 | Review of deficiencies identified as part of the regulatory review | 7.4.6, 7.4.7, 7.4.8 | 7.4.3, 7.6.1 | |
| 6.5.4.6 | Consistency in regulatory review procedures and changes in certification status | 7.4.9, 7.5, 7.6, 7.7, 7.10 | 7.6, 7.7, 7.10, 7.11, 9.1 | |
| 6.5.4.7 | Communication and follow-up of the decision | 7.6, 7.7, 7.11 | 7.6, 7.7, 7.12.1, 9.0 | |
| 6.5.4.8 | Ensuring follow-up required by manufacturers | 7.10, 7.11 | 7.10, 7.11 | |
| 6.5.4.9 | Appeals | 7.13 | 7.13, 8.0 | |
| 6.5.4.10 | Regulatory review and decision records | 7.12 | 7.12 | |
| 6.5.4.11 | Effectiveness of the regulatory review and decision process | | 8.13 | |
| 6.6 | Process: Information Management | | | |
| 6.6.4.1 | Control of documents and records | 7.12, 8.3, 8.4 | 7.12.2, 8.12 | |
| 6.6.4.2 | Public information on the regulatory review program | 4.6, 7.8 | 4.6 | |
| 6.6.4.3 | Provision to the medical device manufacturers of detailed information on the regulatory review- and decision-related processes | 4.6 | 4.6.2, 4.6.3 | |
| 6.6.4.4 | Contractual agreements with the medical device manufacturer | 4.1.2, 4.1.3 | 4.1.4, 4.1.5, 4.1.6 | |
| 6.6.4.5 | Sharing of information with recognizing Regulatory Authorities on regulatory review activities, decisions on regulatory conformity and certification status | | 7.6, 7.7, 7.8, 7.11, 7.13.1, 9.0 | |
| 6.6.4.6 | Provision to the public of information on certification status or certifications granted, suspended or withdrawn | 7.8, 7.11 | 4.6 | |
| 6.6.4.7 | Control of confidential information | 4.5, 6.1.1.3, 6.1.3 | 4.5 | |