The Medical Device Authority (MDA), the department of the Ministry of Health Malaysia responsible for medical device regulations, has published guidance dedicated to the registration of conformity assessment bodies (CABs). The document consists of two parts: general requirements for conformity assessment bodies, and procedures related to the registration process itself.

Conformity Assessment Body Registration Procedure

According to the guidance, an entity intending to register as a conformity assessment body shall submit its application using the online Medical Device Centralised Online Application System (MeDC@St), available at the MDA Portal.

The information to be provided in the course of registration covers:

  1. Applicant entity, 
  2. Responsible person,
  3. Contact person,
  4. The larger organization the applicant is a part of, 
  5. Scope to be applied (e.g. QMS ISO 13485, QMS Good Distribution Practice Medical Device, Medical Device Technical area),
  6. Technical competency (procedures used to identify, evaluate and monitor personnel competency),
  7. Subcontractor (procedure and record on subcontractor control, procedure on assessment, monitoring, and verification of the subcontractor), 
  8. Independence and impartiality (procedure applied to ensure the impartiality/independence of employees and subcontractors),
  9. Liability (e.g. copy of insurance policy and insurance certificate),
  10. Confidentiality (procedures on maintaining confidentiality between the organization and the client, the organization and the subcontractor, and the organization and personnel).

The list of the documents to be provided includes:

  1. Management Quality Manual,
  2. Procedure on Document Control,
  3. Procedure on Record Control,
  4. Procedure on Management Review,
  5. Procedure on Internal Audit,
  6. Procedure on Corrective Action, 
  7. Procedure on Preventive Action,
  8. Procedure on Sales and Marketing,
  9. Procedure on Certification Process,
  10. Procedure on Appeal, Complaint, and Dispute,
  11. Procedure on Suspension, Withdrawal, and Refusal of Issued Certificate,
  12. Procedure of Conformity Assessment on Technical documentation,
  13. Procedure of Conformity Assessment on QMS ISO 13485,
  14. Procedure of Conformity Assessment on GDPMD Audit,
  15. Procedure of Conformity Assessment by Way of Verification,
  16. Attestation Letter.

The authority also emphasizes that the application fee in the amount of RM1500 should be paid when submitting the application.

If the application submitted online is incomplete, the authority will issue a notice requesting the applicant to provide the necessary information. The applicant will have 30 days from the date of such a request to provide the additional information or documents. Otherwise, the application will be deemed withdrawn and the applicant will have to submit a new application (except in cases where an extension to the aforementioned request period has been explicitly granted by the authority).

As an additional step of the application review process, the regulating authority is entitled to carry out an inspection of the premises the applicant intends to use. Upon approval of the application, the authority will inform the applicant about the decision made and require payment of the registration fee in the amount of RM8000. Only after the payment has been duly received will the authority issue a registration certificate.

CAB Registration Conditions 

Besides the conformity assessment body registration process, the document also describes the specific conditions attached to the registration.

Upon registration, the conformity assessment body shall be subject to surveillance audits carried out by the regulating authority on a regular basis (annually, or at least once within the initial registration period, which is three years; the frequency of audits is determined by the authority itself). These audits are intended to verify that the CAB sustains compliance with any and all applicable requirements. Moreover, the authority may commence visits or inspections without notifying the CAB in advance.

All records related to the competence of auditors and technical personnel of the conformity assessment body should be duly kept. The CAB should be able to provide such records to the authority upon request. 

According to the guidance, the regulating authority is entitled to suspend or revoke the registration certificate, impose other sanctions, or take other necessary actions if the conformity assessment body:

  • Fails to comply with the provisions of Act 737 or the regulations associated thereto, 
  • Commits a violation of any of the registration conditions, or
  • Has been convicted of an offense under Act 733 or the regulations associated thereto. 

The authority additionally emphasizes that the conformity assessment body is not allowed to transfer the registration certificate to any third party. The certificate should be stored on the premises of the organization and accessible upon request. 

In order to ensure uninterrupted operations, the conformity assessment body shall apply for new registration 12 months before the current registration lapses.

The document also outlines other important points to be taken into consideration by the registered conformity assessment bodies, namely:

  • The authority reserves the right to request any information it deems necessary, at any time,
  • Upon expiration of the registration term, the conformity assessment body shall return the registration certificate to the authority; additionally, any issues related to the hard copy of the registration certificate (e.g. its loss or damage) should be reported to the authority,
  • The conformity assessment body shall take all necessary measures to prevent any abuse related to the registration certificate. 

Additional Requirements Regarding Personnel 

Aside from the requirements and registration conditions related to the conformity assessment body itself, the guidance also contains annexes describing in detail certain additional important points, including the knowledge and skills required of technical personnel and the way they should be verified.

The appropriate procedures shall include, inter alia, the following steps:

  1. Identification of the functions of the body,
  2. Determination of the competence criteria for each function respectively, 
  3. Determination of the methods to be used to assess these criteria, 
  4. Identification of the knowledge and skills gap,
  5. Appropriate training and mentoring (special program), 
  6. Demonstration of knowledge and skills, 
  7. Assessment of sector-specific requirements, including the risk-based criteria,
  8. Periodic review of competencies,
  9. Carrying out the training necessary to cover the gaps identified in the course of periodic review. 

The document also provides a list of required types of knowledge and skills for personnel. In particular, depending on the functions, the personnel shall have the following knowledge and skills: 

  • Knowledge of generic quality management system practices,
  • Knowledge of the legal framework of regulations and the role of the conformity assessment body,
  • Knowledge of medical device risk management, e.g. ISO 14971,
  • Knowledge of intended use of the medical device,
  • Knowledge of risks associated with the medical device,
  • Knowledge of relevant product standards in the assessment of medical devices,
  • Knowledge of CAB's ISO 13485 processes,
  • Knowledge of medical device business/technology. 

In order to assist conformity assessment bodies in achieving and sustaining compliance with the applicable requirements and regulations, the guidance also provides several examples (templates) of the documents to be used by the CABs in the course of their activities. 

For instance, one of the annexes to the guidance provides a template of an audit log, the document to be issued upon conducting the assessment of a medical device. According to the template, an audit log should be issued on the letterhead of the company and contain the following information:

  • Name and address of the company subject to the audit,
  • Name of the medical device in question,
  • Details about the audit team, 
  • Roles in the audit, 
  • Indication of the type of audit, 
  • References to the applicable standards, 
  • Dates of the audit (on-site),
  • Number of days (on-site), and
  • Number of days (off-site).

In summary, the MDA guidance on the registration of conformity assessment bodies describes the registration procedure, the requirements for the application to be submitted, and the additional conditions for registration as a CAB. The document also describes in detail the requirements the CAB's personnel shall meet and provides examples of the documents to be used by conformity assessment bodies.

Sources:

https://portal.mda.gov.my/documents/guidance-documents/1487-190220-gdac-3-requirement-cab-to-publish/file.html