FDA QSR vs. QMSR: What Medical Device Manufacturers That DO NOT Have ISO 13485 Certification Need to Know

June 14, 2022

For years, US FDA has been talking about aligning the existing FDA Quality System Regulation (QSR) with ISO 13485. FDA has finally taken concrete steps to do so by issuing a draft version of the new Quality Management System Regulation (now called “QMSR”). For US companies that export and have ISO 13485 certification, the update is welcome news. For the roughly 22%* of medical device companies that sell only in the US market, the impact on their QMS will go well beyond the addition of the word “management” to the title. If you fall into that bucket, here is what you need to know to transition from QSR to QMSR.

Why Is FDA Changing the Quality System Regulation (21 CFR Part 820)?

FDA’s mission is to promote and protect the safety of patients and users, not to make life easier for medical device manufacturers. However, this is a rare case where FDA recognizes the inefficiency of having manufacturers comply with two nearly identical quality system requirements. This was not always the case though. ISO 13485 was introduced in 1996, which happens to be the last time a major update to 21 CFR Part 820 (QSR) occurred. Since that time, ISO 13485 has been modified a few times, and the most recent version – ISO 13485:2016 – is very similar to FDA QSR. FDA says it is now time to harmonize the two by replacing the QSR with the QMSR. The primary change here is that Subpart A of the new proposed QMSR makes reference to ISO 13485:2016 as the basis for compliance with the QMSR but with some minor modifications as discussed below. This means that all companies required to comply with the QMSR will essentially be following ISO 13485:2016 even if not certified by a third-party. Where differences exist between ISO 13485; the Food, Drug, and Cosmetic Act (FD&C Act); and QMSR; the QMSR will prevail.

From FDA QSR to QMSR: The Big Changes

OK, so it is all well and good that the QMSR will essentially be the same as ISO 13485:2016, but what if you do not know the requirements of ISO 13485? What do you need to do? First, it would be a good idea to buy a copy of ISO 13485:2016. The standard is copyrighted, so FDA cannot simply post the standard on its website because all content on US federal websites is in the public domain and not protected by copyright. This is why FDA “incorporate(s) by reference” the standard.

Here are the most significant changes that manufacturers need to be aware of:

1. Terminology – See QMSR 820.3

In most cases, FDA is adopting the terminology used in ISO 13485:2016 as-is where a corresponding definition or requirement exists in the standard. This means that some common terms you have been using for many years are being eliminated and replaced by those used in ISO 13485. Examples include device master record (DMR), device history record (DHR), and design history file (DHF). In the current QSR, these terms are used to define specific documents and records that are required as evidence that a company has designed products in accordance with design control requirements (DHF), documented the way to manufacture a product (DMR), and manufactured the product following the documented methods (DHR). While the specific terms would be eliminated, you will still be required to maintain and retain these types of documentation through the ISO 13485:2016 requirements for the medical device file, design and development files, and product realization records, including those that show the product meets its requirements (ISO 13485:2016 clauses 4.2.3, 7.3.10, 7.5.1, and 8.2.6). The good news is that you do not need to change how you are keeping your DHF, DMR, and DHR documentation – you just will not see those names in the regulation anymore.

Some current Part 820 definitions (like process validation or remanufacturer) will be retained as part of the QMSR because they are not defined in ISO 13485:2016. Others (like manufacturer and product) are being kept because FDA’s definitions supersede the ISO 13485:2016 definition for legal reasons. All these terms are defined today in the Federal FD&C Act – the law that governs FDA regulations. In fact, all the terms and definitions in FD&C Act section 201 will apply to the new QMSR and will supersede any correlating terms and definitions in ISO 13485:2016 (like labeling and device). Plus, if the new QMSR did not include these definitions, the FD&C Act would have to be changed by US Congress to make this all work – and that is not going to happen anytime soon.

You can see which terms are being carried into the QMSR in section 820.3 of the proposed QMSR.

2. Records Control – See QMSR 820.35 – NEW!

After the proposed QMSR is implemented, FDA will adopt the records control requirements found in clause 4.2.5 of ISO 13485 as well as some additional signature and date requirements for regulatory compliance.

FDA-proposed QMSR also includes specific content requirements for complaints and service records to ensure these records continue to meet the requirements that are in the current QSR sections 820.198 and 820.200. A particular item still required under QMSR 820.35 for both types of records is the related device’s unique device identifier (UDI), unique product code (UPC), or any other device identification. This section of the QMSR also clarifies that the UDI must be recorded for each device or batch of devices (under the ISO 13485 applicable clauses 7.5.1, 7.5.8, and 7.5.9).

One last important thing that the agency includes in this section of the proposed rule is the requirement around the confidentiality of your documents. Since FDA is a US federal agency, it is subject to the Freedom of Information Act (FOIA). The Public Information section in 21 CFR Part 20 is the set of rules that FDA follows in this area, including the protection of trade secrets and proprietary information. So, this last part of the QMSR 820.35 is for manufacturers to mark any of their documents as “confidential” prior to providing them to the agency during an inspection, in a submission, etc.

Records can be retained on paper or electronically as best fits the company requirements. The QMSR is not focusing on the electronic records requirements (21 CFR Part 11). The focus of addressing this in the QSMR is on clarity of the records and to help ensure validity for FDA. Also, physical documents are not required onsite and may be stored online in the cloud. If this is done, the records must be produced within 1 to 2 business days.

3. Labeling and Packaging – See QMSR 820.45

In the eyes of FDA, ISO 13485 does not adequately “address the inspection of labeling by the manufacturer.” As such, FDA will be retaining its provisions from the existing QSR as it believes them to be superior. This means that manufacturers will need to follow ISO 13485 clause 7.5.1 and section 820.45 of the QMSR. As noted earlier, where conflicts exist between the two, the QMSR wins.

4. Risk Management

FDA acknowledges that “ISO 13485 has a greater emphasis on risk management activities and risk-based decision making than the current part 820.” Currently, the QSR only addresses risk management in the risk analysis requirements within design validation in 820.30(g), but it is far more integrated throughout ISO 13485. ISO 13485 simply places more emphasis on risk management throughout the entire life cycle of the device. Risk management compliance can be tricky and is one area of the QMSR where manufacturers may want to seek outside help from a consultant experienced with ISO 14971:2019 risk management requirements and ISO 13485 compliance.

(21 CFR PART 820)
Subpart A – General Provisions Clause 1 (Scope)
Clause 4 (Quality Management System)
Subpart B – QS Requirements Clause 4 (Quality Management System)
Clause 5 (Management Responsibility)
Clause 6 (Resource Management)
Clause 8 (Measurement, Analysis and Improvement)
Subpart C – Design Controls Clause 7 (Product Realization)
Subpart D – Document Controls Clause 4 (Quality Management System) + QMSR 820.35
Subpart E – Purchasing Controls Clause 7 (Product Realization)
Subpart F – Identification and Traceability Clause 7 (Product Realization)
Subpart G – Production and Process Controls Clause 4 (Quality Management System)
Clause 6 (Resource Management)
Clause 7 (Product Realization)
Subpart H – Acceptance Activities Clause 7 (Product Realization)
Clause 8 (Measurement, Analysis and Improvement)
Subpart I – Nonconforming Product Clause 8 (Measurement, Analysis and Improvement)
Subpart J – Corrective and Preventive Action Clause 8 (Measurement, Analysis and Improvement)
Subpart K – Labeling and Packaging Control Clause 7 (Product Realization) + QMSR 820.45
Subpart L – Handling, Storage, Distribution, and Installation Clause 7 (Product Realization)
Subpart M – Records Clause 4 (Quality Management System) + QMSR 820.35
Subpart N – Servicing Clause 7 (Product Realization) + QMSR 820.35
Subpart O – Statistical Techniques Clause 7 (Product Realization)
Clause 8 (Measurement, Analysis and Improvement)

*See Table 1 on this webpage outlining proposed QMSR changes.

Will FDA Inspections Change Under the QMSR?

Maybe. FDA uses an inspection approach called the Quality System Inspection Technique (QSIT). This is being eliminated under the QMSR and will be replaced by a new inspection approach yet to be determined. We do not yet know whether these inspections will be planned and predictable (as with European Notified Bodies for example) or whether they will remain random with little advanced notice. In any case, you should not assume that FDA inspections will be any less strenuous or that companies that have existing ISO 13485 certificates will be exempt from inspections. FDA will not be issuing QMSR compliance certificates.

Does It Now Make Sense to Seek ISO 13485 Certification?

Perhaps. If you have been putting off ISO 13485:2016 certification due to the additional cost of getting ready and getting audited, now may be the time to reconsider. The QMSR will essentially require companies that only sell in the US to fully adopt ISO 13485 and invest the time and money to make that change happen. FDA fully acknowledges that most of the burden of this change will fall on smaller device companies that do not have ISO 13485 certification. However, with that investment made in QMSR compliance, a logical next step toward implementing a broader export strategy might be to target the Canadian and Australian markets. Those markets require ISO 13485 too but are not as heavy a lift for compliance as Europe.

Your Next Step

The changes to the QMSR are still a proposal and could change in final form. However, since these changes largely benefit medical device manufacturers, the only likely serious pushback on what has been proposed is the implementation timelines. FDA has proposed a 1-year transition but given that the workload (even by FDA estimates) disproportionately falls upon companies that do NOT have ISO 13485 certification, do not be surprised if the implementation period stretches to 2 years.

This does not mean that you should adopt a wait-and-see attitude. Even if you are not interested in getting actual ISO 13485 certification, you should modify your QMS now, so you are ready. Conduct a thorough gap analysis (or have us do it for you) to get a much clearer understanding of what needs to happen to get your QMS in conformance with ISO 13485. The new QMSR demands it so you might as well not fight it. Also, keep in mind that if you have plans to enter the UK or EU market, you will need a long runway to get ready, and ISO 13485 is among the first steps in that process. We can help with that.

The good news is that although changes need to be made, US FDA QMSR will eventually be more harmonized with other global QMS requirements, making access to new markets less burdensome for small medical device companies.

Our team is here to help. Call 1.800.472.6477 or contact us online ›