Medical Device QMS: What It Is, Where It’s Required, and Key Regulations to Know
If you’re new to the medical device industry or simply need to brush up on quality system compliance, you probably have many questions that begin with what, where, why, and how. WHAT regulations do we need to follow? WHERE do these regulations apply? WHY do we need to follow them? HOW do we start? In this series of blog posts, we will address all of these questions and many more.
What Is a Medical Device Quality Management System (QMS)?
Let’s start with the basics. In simple terms, a medical device quality management system (QMS) is a structured system of procedures and processes covering all aspects of design, manufacturing, supplier management, risk management, complaint handling, clinical data, storage, distribution, product labeling, and more. Most medical devices will require some form of a QMS; the complexity of the QMS will vary based on the classification of the device. For example, companies making medium-risk (Class II) or high-risk devices (Class III) devices will require a different QMS implementation than companies making low-risk, non-sterile, non-measuring, non-reusable surgical instrument devices (Class I). We won’t get into the specifics of product registration or classification in this post, but you will want to understand the classification of your devices before building a QMS.
International Regulations Governing a Medical Device QMS
Nearly every major market requires the implementation and maintenance of a quality management system as a condition of product registration. Device manufacturers in Europe tend to follow the ISO 13485 standard, while US companies comply with the US FDA’s Quality System Regulation (QSR).
What’s the difference?
In a nutshell, ISO 13485 is an international quality management system standard followed by companies selling in Europe, Canada, Australia, and other markets. Except for Canada, application of ISO 13485 is not actually required, but it is the de facto means by which most companies comply with the specific QMS requirements set forth in national medical device regulations.
The US has its own set of regulations for medical device companies. The US FDA QSR, also known by its US regulation number 21 CFR Part 820, preceded the original publication of ISO 13485. US medical device companies that distribute their products internationally need to meet the requirements of both. Similarly, countries outside the US that distribute products in the US must also comply with US FDA 21 CFR Part 820.
Other countries such as Brazil and Japan have their own nuanced QMS requirements, but those are based on ISO 13485 or the FDA QSR. The good news is that many of the requirements of ISO 13485 and the FDA QSR are very similar. As such, companies can have a single, harmonized quality management system that meets US, Canadian, European, and any other regulatory QMS requirements. Harmonizing disparate quality management systems into one integrated system may seem daunting but in the long run the effort is well worth it. We will talk about the requirements of ISO 13485 and FDA QSR in more detail later.
Will US FDA Move to ISO 13485?
In the spring of 2018, the Office of Management and Budget (OMB) indicated that as part of an effort to modernize and harmonize the QSR for medical devices, it would aim to “supplant” existing requirements with ISO 13485. This news has led to a lot of speculation, including questions such as: What is the timing of such a change? Will FDA will throw out the QSR entirely? Will they incorporate all major components of ISO 13485:2016 into a completely new version of 21 CFR Part 820, with addendums to suit the specific requirements of US law? As of publication of this post in June 2018, the answers are unknown but we will continue to monitor the situation.
Relationship Between Medical Device Approval and Your QMS
You may wonder what a QMS has to do with getting approval for your product(s) from the US FDA or obtaining CE Marking in the European Union. They are inextricably linked. The US FDA requires compliance with 21 CFR Part 820 at the time your product is registered with FDA. The majority of companies making medium-risk devices will go through the 510(k) process. When you submit your 510(k), you are expected to be in compliance with 21 CFR Part 820. Ironically, although QSR compliance is required, FDA does not require proof of compliance when registering your Class I or Class II device. Why? The US FDA enforces compliance through random inspections. As such, FDA inspectors may come knocking on the door of the manufacturer of a newly registered medical device at any time. If you are not fully prepared, you won’t like the consequences.
It’s a different process in most European countries, where you need to obtain CE Marking for the device as a condition of distribution. If you are seeking to obtain CE Marking for anything other than a Class I nonsterile, nonmeasuring, nonreusable surgical instrument device, you cannot get CE Marking without proving you meet the requirements of Article 10 (General obligations of manufacturers) and Annex IX (Conformity assessment based on QMS and technical documentation) of the new EU Medical Device Regulations (EU MDR). The most common way companies meet the requirements of Article 10 and Annex IX is through third-party certification to ISO 13485. Third-party certification is conducted by auditing organizations known as Notified Bodies (NBs). We should note that there are other ways to meet European QMS requirements, including the requirements listed in Annexes X (Conformity assessment based on type examination) and XI (Conformity assessment based on product conformity verification).
Finally, Health Canada (the Ministry of Health) will require conformance to ISO 13485:2016 through MDSAP certification starting January 1, 2019. If you have plans to sell in Canada, you will need to implement a QMS compliant with ISO 13485:2016!
Want to learn more about medical device QMS?
In our next post, we will delve into the key players and elements of a medical device QMS that meets US FDA and EU requirements. Also, if you are interested in taking a deep dive into QMS compliance, check out the Oriel STAT A MATRIX three-day training class: Quality Systems for Medical Devices: FDA’s QSR and ISO 13485:2016