The Saudi Food and Drug Authority (SFDA) has adopted an implementing rule regarding the requirements for Quality Management System (QMS) Auditing Organizations. The document is based on the Medical Devices Interim Regulation and is intended to clarify and specify the aspects related to the QMS Auditing Organizations, including their responsibilities, competence, and governance.

General Approach

First of all, the authority provides the definitions of the most important terms used in the context of the document including, inter alia, the following ones:

Audit – a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. 

Auditor – a person with the demonstrated personal attributes and competence to conduct an audit. 

Conformity assessment – the systematic examination of evidence generated, and procedures undertaken, by the manufacturer, under requirements established in the Medical Devices Interim Regulation and its Implementing Rules, to determine that a medical device complies with all relevant requirements. 

Quality Management System (QMS) – a formalized system that documents processes, procedures, and responsibilities for achieving quality policies and objectives. 

Auditing Organization – an organization that audits a medical device manufacturer for conformity with quality management system requirements and other medical device regulatory requirements. 

As a general rule, both domestic and foreign medical device manufacturers shall duly implement a QMS as prescribed by the international standard ISO 13485:2016 «Medical Devices – Quality management systems – Requirements for regulatory purposes», or the applicable national equivalent. The QMS audit can be performed either directly by the SFDA or by any of the auditing organizations duly designated by the regulating authority to perform such functions. The SFDA also emphasizes that the appropriate audit should be performed before the medical device in question is made available in the country.

Compliance with the applicable QMS requirements should be confirmed by the appropriate certificate to be issued by the auditing organization which carried out the audit. The auditing organization shall also provide an audit report – a special document containing information about any non-compliances and other important points identified in the course of the audit. It is also important to mention that such a certificate has a limited period of validity – as it is stated in the present SFDA guidance, it should not exceed 3 years. 

Another important rule relates to the rights of the SFDA in the context of auditing. According to the document, the regulating authority is entitled to require the auditing organization to perform an additional audit, provided that it is reasonably necessary due to issues associated with the post-market performance of the medical device.

Applying for Designation as a QMS Auditing Organization 

The document also describes in detail the procedure associated with the designation as a QMS auditing organization. In particular, the entity interested in designation as an auditing organization in the context of the Medical Devices Interim Regulation and Implementing Rules associated thereto shall submit the appropriate application to the regulating authority, accompanied by the following information:

  • The name and contact details of the applicant, including the indication of its registered address, as well as the details about its parent organization, and also the indication of contact persons,
  • The organizational and management structure of the applicant, including connections with other entities of the same group (if applicable), covering all important details related to the functions of management, and qualification of personnel, 
  • The organization chart describing connections existing between structure elements located in Saudi Arabia and abroad, 
  • The description of the applicant’s knowledge and experience with regard to the medical devices,
  • The details about the liability insurance,
  • The indication of the legal status of the applicant, 
  • Description of the internal measures and policies introduced in order to establish the necessary level of data protection and confidentiality,
  • Description of the internal measures and policies introduced in order to ensure the independence and impartiality,
  • The details about the quality management procedures introduced by the applicant, 
  • The documents demonstrating that the applicant has duly implemented any and all aforementioned policies and procedures. 

Responsibilities of the Auditing Organization 

Besides the application procedure, the SFDA implementation rule also describes the responsibilities of the auditing organizations with regard to their activity and applicable requirements they are obliged to follow. According to the document, an auditing organization shall: 

  • Maintain all necessary resources,
  • Duly inform the regulating authority about any changes to the information provided when applying for designation,
  • Ensure that the personnel participating in QMS audits have the necessary knowledge of the applicable act and regulations, including the present Implementing Rule, as well as general experience in the sphere of the medical devices subject to review,
  • Obtain approval for any QMS auditor and/or manager. 

Application for Designation: Review

According to the present SFDA implementation rule, the regulating authority would perform a rigorous assessment of the documents submitted by the entity applying for designation as an auditing organization to determine whether all necessary criteria are met. In the course of such an assessment, the regulating authority is entitled to require the applicant to provide additional information and documents. The fees payable for designation would also be determined by the regulating authority.

If a positive decision is made, the SFDA will issue a Certificate of designation certifying that the entity is authorized to carry out the activity of an auditing organization. The regulating authority also publishes and keeps up to date the list of entities designated as auditing organizations, including the scope of designation for each particular auditing organization.

The SFDA remains responsible for supervision in the context of compliance with the applicable requirements, including professional competencies and impartiality. For this purpose, the SFDA carries out ongoing monitoring and surveillance with regard to the activity performed by the auditing organizations to ensure

If certain non-compliances are identified, the SFDA is entitled to withdraw the designation. In order to regain the status, the auditing organization would have to rectify the non-compliances highlighted by the regulating authority and inform it accordingly.

According to the document, the regulating authority performs the following types of audits:

  • Initial audit – the very first audit conducted by the regulating authority at the initial assessment stage, when the entity applies for designation as an auditing organization, 
  • Surveillance audit – regular audits carried out in order to ensure continuous compliance with the applicable requirements, 
  • Witnessed/observed audit – a specific type of audit carried out by the regulating authority simultaneously with the audit performed by the auditing entity itself. In this way the regulating authority may ensure the proper application of all procedures.

It is also important to mention that the SFDA reserves the right to commence a special investigation with regard to any issues associated with the auditing organization. In the course of such an investigation, the regulating authority may carry out inspections, assess the records and documents kept by the organization, and interview its employees and third-party contractors.

To summarize the information provided above, the present SFDA Implementing Rule describes the most important aspects associated with the designation of auditing organizations. In particular, the document provides the details regarding the application procedures and documents to be submitted in this context, outlines the responsibilities of the duly designated auditing organizations, and also describes the authority of the SFDA in the sphere of surveillance and supervision.
