One Year to Go! FDA’s New Quality Management System Regulation (QMSR) Is Getting Closer

The Quality Management System Regulation (QMSR) – FDA’s long-awaited update to the medical device quality system requirements in 21 CFR Part 820 – is just one year away from becoming effective. The two-year transition period ends on February 2, 2026, when the Agency will begin enforcing the QMSR requirements.

The major change coming for those organizations who fall within the scope of the Regulation is the “incorporation by reference” of the requirements of ISO 13485:2016 Medical devices—Quality management systems—Requirements for regulatory purposes. ISO 13485 was introduced in 1996, which happens to be the last time a major update to 21 CFR Part 820 (QSR) occurred. Since that time, ISO 13485 has been modified a few times, and the most recent version – ISO 13485:2016 – is very similar to FDA QSR. In fact, many people with knowledge of the QSR and ISO 13485:2016 talk about the two containing nearly the same requirements.

This incorporation of ISO 13485:2016 by reference in the QMSR makes the ISO 13485:2016 requirements the basis for quality system compliance for manufacturers of medical devices, in-vitro diagnostics, and combination products with a device constituent marketed in the US. This approach means that all companies required to comply with the QMSR will essentially be following ISO 13485:2016 – even if they are not certified to the standard by a third party.

What Should You Do First?
Of course, first you should read the QMSR and become familiar with the new structure and content of 21 CFR Part 820. The entire Regulation has been replaced with a new structure in QMSR – it is not just a revision of the existing QSR with sections taken out or replaced.

You also need to make sure you understand the full requirements of ISO 13485:2016. Even though it is “substantially similar” (in FDA’s opinion, as outlined in QMSR Supplementary Information Section I, Executive Summary, B. Summary of the Major Provisions of the Final Rule), there are still details within the standard that are not included explicitly in the QSR today.

If you are new to ISO 13485:2016 and need a copy quickly, you can view the standard content online via the American National Standards Institute (ANSI) Incorporated by Reference (IBR) Portal, https://ibr.ansi.org/Standards. However, this online version is a read-only format, and you must register on the site each time you wish to see the document – not very convenient for your day-to-day work. For longer-term use, you need to purchase the standard for your organization. Once you have the standard, read it through from beginning to end, including the introduction (Clause 0).

From FDA QSR to QMSR: Changes and Questions
One of the first questions you may have when you’re looking through the ISO 13485:2016 requirements is about the phrase “applicable regulatory requirements.” That phrase is used throughout the standard to require organizations to identify all of the global regulatory requirements that are relevant to their organization’s quality system. But if FDA is following this requirement, does that mean they will be asking you about how you meet the quality system requirements for all the countries where you market your devices? Fortunately, no. FDA has made it clear in QMSR 820.10(b) that the “applicable regulatory requirements” for FDA will be only other US regulations (e.g., 21 CFR Part 803 for reporting to regulatory authorities).

Other areas that are garnering a lot of attention in discussions of the QMSR include:
1. Terminology – see QMSR 820.3. In most cases, FDA is adopting the terminology used in ISO 13485:2016 as-is where a corresponding definition or requirement exists in the standard. This means that some common terms you may have been using for many years are being eliminated and replaced by those used in ISO 13485:2016. Some examples are the terms device master record (DMR), device history record (DHR), and design history file (DHF). While these specific terms are no longer used in the QMSR, you still will be required to maintain and retain these types of documentation as part of the ISO 13485:2016 requirements for the medical device file (clause 4.2.4), design and development files (clause 7.3.10), product realization records (clause 7.5.1), and those that show your product meets its requirements (clause 8.2.6). The good news is that you do not need to change how you actually keep the documentation that meets these requirements (in other words, it’s okay to keep calling things your DHF, DMR, and DHR) – you just will not see those terms in the regulation moving forward.

QMSR is also incorporating Clause 3 of ISO 9000:2015 Quality management systems – Fundamentals and vocabulary by reference as part of the 820.3 Definitions section. ISO 9000:2015 definitions will be helpful for some basic quality management system terms that are used in ISO 13485:2016 but note that they are not specifically defined as terms for medical device quality system use.

Some current Part 820 definitions (like that for remanufacturer) will be retained as part of the QMSR because they are not defined in ISO 13485:2016. Others (like manufacturer and product) are being retained because, for legal reasons, FDA’s definitions supersede the ISO 13485:2016 definition. In fact, all the terms and definitions in FD&C Act section 201 will apply to the new QMSR and will supersede any correlating terms and definitions in ISO 13485:2016 (like labeling and device).

Overall, you can see which terms are being carried into the QMSR in section 820.3 of the QMSR.

2. Records control – see QMSR 820.35. After the QMSR is implemented, FDA will adopt the records control requirements found in clause 4.2.5 of ISO 13485:2016. The QMSR also includes specific content requirements for complaints and service records to ensure these records continue to meet the requirements that are in the current QSR sections 820.198 and 820.200. A particular item still required under QMSR 820.35 for both types of records is the related device’s unique device identifier (UDI), unique product code (UPC), or any other device identification. This section of the QMSR also clarifies that the UDI must be recorded for each device or batch of devices (under the ISO 13485:2016 applicable clauses 7.5.1, 7.5.8, and 7.5.9).

One last important thing that the agency includes in this section of the QMSR is the requirement around the confidentiality of your documents. Because FDA is a US federal agency, it is subject to the Freedom of Information Act (FOIA). The Public Information section in 21 CFR Part 20 is the set of rules that FDA follows in this area, including the protection of trade secrets and proprietary information. So, this last part of the QMSR 820.35 tells manufacturers to mark any of their documents as “confidential” prior to providing them to the agency during an inspection, in a submission, etc.

3. Labeling and packaging – see QMSR 820.45. In the eyes of FDA, ISO 13485 does not adequately “address the inspection of labeling by the manufacturer.” As such, FDA will be retaining its provisions from the existing QSR because it believes them to be superior. This means that manufacturers will need to follow ISO 13485 clause 7.5.1 and the more detailed section 820.45 of the QMSR.

4. Risk management – FDA acknowledges that “ISO 13485 has a greater emphasis on risk management activities and risk-based decision making than the current part 820.” Currently, the QSR only addresses risk management in the risk analysis requirements within design validation in 820.30(g), but risk management is far more integrated throughout ISO 13485:2016. The standard includes requirements for risk management throughout the entire life cycle of the device, with a reference to ISO 14971 Medical devices – application of risk management to medical devices for further information. Risk management compliance can be tricky and is one area of the QMSR where manufacturers may want to seek outside help from a consultant experienced with ISO 14971 risk management requirements and ISO 13485 compliance.

Do We Need ISO 13485 Certification to Comply With the QMSR?
The simple answer is no. Even though FDA is incorporating ISO 13485 within the QMSR, you are not required to have ISO 13485 certification to comply with the QMSR. Yes, you will still need to modify your QMS to meet ISO 13485:2016 (if it does not already), but you are not required to seek certification to comply with the QMSR.

Audit vs. Inspection: How We Need to Shift Our Thinking About ISO 13485:2016 Requirements Under the QMSR
Your QMS may be certified already in some way to the requirements of ISO 13485:2016 by a recognized auditing organization for MDSAP (Medical Device Single Audit Program), by a designated Notified Body as part of your conformity assessment for CE Marking in the EU, or by an accredited certification body for a stand-alone ISO 13485:2016 certification. All of these certifications are achieved through audits, but FDA will be doing regulatory inspections. The reality is that a regulatory authority inspection has a different objective and “feel” than a certification audit.

For starters, an FDA inspection can be more thorough than an audit – remember, an FDA investigator is not limited by a contracted audit plan like the person who conducted your certification audit. If the investigator has identified potential issues with your QMS, they can extend the inspection (by days or even weeks) until they have collected the objective evidence needed to complete their assessment of your facility.

An FDA inspection also can have specific regulatory implications for your organization that you would not experience from a certification audit. If you are not meeting the QMSR requirements, FDA could use their available tools (warning letters, import alerts, injunctions, seizures, civil money penalties) to address the observed issues with your company.

Taking all of this into consideration, everyone who is comfortable with their current ISO 13485:2016 QMS audits needs to assess how well their existing processes and documentation will fare under this different type of scrutiny.

How Can We Help?
If you are looking for more information related to the QMSR or the requirements of ISO 13485:2016, our ELIQUENT experts have done the work to identify all the details you need to know about the shift from the QSR to the QMSR and ISO 13485:2016. We offer two different instructor-led training courses focused on the QMSR to meet your needs. The first is a one-day high-level course on QMSR. The second is an in-depth course on both QMSR and ISO13485:2016. Both of these courses include the information that you need to jumpstart your transition to the QMSR.

We also can help you evaluate your initial readiness for next February when QMSR goes into effect by assisting with a gap analysis (have us do it for you) to get a much clearer understanding of what needs to happen to get your QMS in conformance with the new QMSR.