Brought to You by the Letter M: Operational Considerations for Transitioning From the QSR to the QMSR

We used the publication of the final rule amending the US Quality System Regulations (QSR) as an example in our recent blog titled Enhancing Competitiveness in MedTech: Smart Strategies with Regulatory Intelligence. Here we will look at the final rule, and its implications in a little more detail.

The FDA has now issued the final rule for the Quality Management System Regulation (QMSR) that amends the existing Quality System Regulations (QSR, 21 CFR 820). This amendment incorporates the requirements of ISO 13485:2016 by reference into the US regulations. ISO 13485:2016 has been incorporated by reference on the basis that ISO 13485:2016 is considered ‘substantially similar’ to the existing QSR. The requirements for the QMSR will therefore be ISO 13485:2016 requirements plus a few additional, US-specific, requirements that are laid out in the QMSR.

The rule will be effective, and the FDA will begin to enforce the QMSR requirements, from 2nd February 2026. Until then device manufacturers are required to comply with the QSR. This gives device manufacturers two years to prepare and implement before the QMSR is enforced during FDA establishment inspections.

Whirlwind tour: What has changed?

The title of the regulation has changed from Quality System Regulation (QSR) to the Quality Management System Regulation (QMSR).

The scope of the QMSR is unchanged from the QSR (i.e. QMS requirements do not apply to previously exempt products, and no new exemptions).

The written content of the regulation has been reduced significantly, as shown by the reduction of the contents table in Figure 1, but the changes to specific requirements are mostly not significant as this is the basis for the FDA’s decision to incorporate by reference.

Figure 1. Change in contents from QSR to QMSR

As ISO 13485:2016 references ISO 9000:2015 as a normative reference for terms and definitions used within ISO 13485:2016, then the FDA has also incorporated by reference ISO 9000:2015. There are five terms that are not used, or not defined, in ISO 13485:2016 or in clause 3 of ISO 9000:2015 that are defined in the QMSR (21 CFR 820.3). All the terms and definitions given in section 201 of the Federal Food, Drug, and Cosmetic Act apply, and they supersede the correlating terms and definitions in ISO 13485:2016. Additionally, there are five terms that are defined in the QMSR, where those definitions supersede the correlating terms and definitions in ISO 13485:2016 or ISO 9000:2015; these are:

• Implantable medical device,
• Manufacturer,
• Organization,
• Rework,
• Safety and Performance.

The phrase ‘applicable regulatory requirements’ is littered throughout ISO 13485:2016, but what does it mean for the QMSR if ISO 13485:2016 is incorporated in full? The FDA has provided some examples of where there are other US-specific regulatory requirements, outside of 21 CFR part 820, that come into play within the quality management system (§820.10 (b)). One example given is for clause 8.2.3 of ISO 13485:2016, reporting to regulatory authorities, where the manufacturer must notify FDA of complaints that meet the reporting criteria of 21 CFR part 803 in addition to the requirements of ISO 13485:2016 §8.2.3.

Design controls are dead (well, will be soon), long live ‘design and development’. Ok please forgive me for the attention grabbing opening; only the term ‘design controls’ is going, not the concept and established principles. The incorporation by reference of ISO 13485:2016 means that design controls will now called by the ISO 13485 term, ‘design and development’. For the US, the applicability of these requirements to certain device classifications remains the same as it did under the QSR (§820.10 (c)).

The QMSR maintains the requirement from the QSR that the ‘extra’ level of traceability for implantable devices from ISO 13485:2016 clause 7.5.9.2 also applies to ‘devices that support or sustain life’ (§820.10 (d)).

The FDA considers there to be a need for additional requirements on top of those from ISO 13485:2016 regarding the control of records. Manufacturers must meet the requirements of ISO 13485:2016 clause 4.2.5 (and other applicable clauses) and the requirements of §820.35 of the QMSR. This includes specific requirements for records including complaint records and servicing records (§820.35).

ISO 13485:2016 clause 7.5.1 requires production controls to include “implementation of defined operations for labelling and packaging”. The FDA does not think that ISO 13485:2016 sufficiently addresses the inspection of labelling by a device manufacturer, and thus more specific requirements are included in the QMSR (§820.45).

By incorporating ISO 13485:2016 by reference, there is a perceived shift in the FDA’s approach to risk management. In the responses to the comments on the proposed rule, the FDA disagreed with this in their response to the comments received. Whilst there is no shift in philosophy, the clear requirements for integrating risk management principles throughout the total product life cycle is an advancement on the unspecified expectations documented in the QSR of 1996 (e.g. the requirement for risk analysis as part of Design Validation under §820.30 (g)). The incorporation of ISO 13485:2016 establishes a more explicit requirement for risk management throughout the quality management system, especially in design and development and post market surveillance (feedback) and enables a reference point for sound (and risk-based) decision making.

As well as 21 CFR 820, the final rule also amends 21 CFR Part 4, which is the regulation of combination products. Subpart A (current Good Manufacturing Practice, cGMP, requirements for combination products) has been amended to reflect the changes made to 21 CFR 820 (i.e. reference to QMSR rather than QSR and inclusion by adoption of ISO 13485:2016 and ISO 9000:2015).

Under §820.180 (General requirements) there was a requirement for records (required by the QSR) to be maintained, reasonably accessible and readily available for review and copying by FDA employees. There were some exemptions to this requirement, whereby §820.180 (c) permitted reports from Management review, internal quality audits and supplier audits did not have to be presented during FDA inspections. The QMSR removes this exemption.

Fans of acronyms/initialisms (whichever you prefer to call them) will be disappointed to hear that the following terms have been dropped: Design History File (DHF), Device Master Record (DMR) and Device History Record (DHR). The requirement to document and maintain the records that made-up these three items has not been removed, as it is covered by the requirements of ISO 13485:2016, including clauses 4.2.3, 4.2.5, 7.3 and 7.5.

What does this mean?

It depends!

Ok, back up. Why is this important? Well the US is the largest market for medical devices and IVDs ¹, and survey data over the last few years points towards a shift away from Europe (EU and the UK) to the US and Canada as the first entry point for new medical devices ^2-4. The continued issues with implementation of the MDR and IVDR in the EU, and the uncertainty of the UK regulatory landscape in the near-term is not going to turn that trend around in a short space of time.

The effort involved in transitioning to new requirements is all proportionate to the gap between the old and the new. The size of that gap, and the impact of these changes depend on the following:

• the status of your quality management system (i.e. does it already conform to ISO 13485:2016 or not),
• your location, and
• your (current/prospective) sales markets. 

At one end of the scale, an organisation whose quality management system currently complies with 21 CFR 820 but does not conform to ISO 13485:2016 will likely have the biggest challenge. The FDA believes that that the QSR and ISO 13485:2016 are substantially similar, which is true (in my opinion), but that does not guarantee that all of the requirements of ISO 13485:2016 are currently being met by the current quality management system.

Somewhere in the middle, are those organisations that do not currently sell into the US but plan to in the future. These organisations likely have ISO 13485:2016 certification to support market access elsewhere but will now have to identify and close those gaps with the QMSR, particularly all of those related to the applicable US regulatory requirements (e.g. UDI, registration, medical device reporting, recalls).

At the other end of the scale, if an organisation already has conformity to ISO 13485:2016 and compliance with 21 CFR 820 (QSR) then there is very little difference at a practical level. Sure, remediation work will be required but it will likely focus on documentation updates (e.g. for references or nomenclature) rather than new or updated quality system processes.

The QMSR does not apply to suppliers, e.g. suppliers of raw materials, components, sterilisation services. The FDA, however, has suggested that it would good practice for suppliers to apply the requirements of the QMSR. Also, as part of supplier management and control over outsourcing, a manufacturer is likely to encourage their suppliers to work to similar quality system requirements. This trickle-down effect may see a wider adoption of the QMSR than just those to whom it is directly applicable.

Now for some practical advice on what to do next…

QMS Remediation

The journey to update your quality management system to align with the new regulations may seem like another burden forced onto a quality team who are still recovering from implementing QMS changes for EU MDR and/or IVDR. In this instance, the gap is not so vast because the requirements of the QSR and ISO 13485:2016 are ‘substantially similar’. Regardless, all quality management system transitions begin with a gap assessment!

A gap assessment is not strictly the same as an audit, because it is not based on sampling, it needs to look at all requirements to determine if they are met or not. The assessment should be performed by those who have made themselves familiar with the requirements of the QMSR and are knowledge in the interpretation and implementation of ISO 13485:2016 requirements. It is beneficial to use a well-structured assessment template, especially if the assessment is being performed by more than one individual.

Given that the reason behind this move from the FDA is global harmonisation, it would be prudent to also look for opportunities to harmonise and consolidate processes or records if those for the US were previously kept separate from those for other markets. Consider the scope of the assessment: it needs to cover all of the quality system processes that support products being placed on the US market and/or manufactured within the US, but also consider future product launches etc. and whether other sites or processes will be affected in the future. As gaps are identified, they can be triaged in terms of the size and/or criticality of the gap to enable prioritisation at a later stage.

Now it is time for the plan! How are you going to close those gaps? Who is going to close those gaps? In which order are you going to close those gaps? It is good practice to involve process owners and those with key responsibilities in determining the specifics of these actions to ensure that they are proportionate and feasible, and likely to be effective once implemented. As these efforts are aimed at addressing potential nonconformities (i.e. QMSR is not in effect yet), these efforts could be considered to be preventive actions. So whether this falls under a general quality plan, or a CAPA plan, that depends on your quality management system and/or preferences.

That plan does need to include training of personnel. At a simple level, awareness of the changes and the scope of the changes for all potentially affected personnel. At a more functional level, those that are responsible for processes or tasks that are affected by the updates need to understand why the updates have occurred, and what the changes entail.

And lastly effectiveness checks…

• Verify that all gaps had actions assigned to them.
• Verify that the actions have been completed as planned.
• Verify that the actions were effective.

Audit & Inspection Readiness

Two specific areas of your quality management system that will need to be thoroughly reviewed and potentially updated are internal audits and supplier management. At a simple level, references may need to be updated or removed. There may be a need for new or updated audit tools, templates and/or checklists.

As described in the previous section, training of personnel is a key activity. This includes those auditors performing internal audits and supplier audits. Auditors will need to be familiar with the updated/new requirements of your processes, as well as the underlying requirements of ISO 13485:2016 and the QMSR.

The changes and training need to be in place in advance of the QMSR effective date. Why?

• You don’t want to be facing a FDA inspection in March 2026 with an untried audit system;
• You need to have evidence in advance of the QMSR effective date that your changes have been successful and that procedures can be followed and implemented as intended.

As discussed in the earlier section, the FDA hopes that the supply chain that supports a device manufacturer will also adopt many of the approaches required by ISO 13485:2016 and the QMSR. Whilst this is not a regulatory requirement, it is a common approach in supplier management to push quality requirements down onto suppliers to reduce the risk associated with purchases and service provision. It also helps to reduce the burden of incoming inspections and may improve the effectiveness of complaint investigations that stem from supplier issues.

To improve your confidence in your compliance status and your supply chain, consider:

• utilising different internal auditors, or different combinations of internal auditors;
• bringing in third-party auditors to give a fresh perspective on things, including opportunities for improvement that are sometimes overlooked during internal audits where the focus can tend towards conformity rather than improvement.

Due Diligence in Mergers & Acquisitions (M&A)

No one likes nasty surprises. Transparency reduces uncertainty and helps build confidence.

For those organisations looking to acquire and for those organisations hoping to be acquired, readiness for the QMSR is a key topic. When performed by either party, the gap assessment and resulting quality plans discussed above are vital if M&A activities are on your organisation’s agenda in the next two years. All parties want to understand the number, size and impact of those gaps, and the effort (and cost) to close them effectively. Being able to show potential investors or purchasers that you understand your transition towards the QMSR and have the actions under control, or have completed all the work, will be beneficial.

No organisation wants to complete an acquisition and then months later be mired in quality management system remediation because of multiple 483s stemming from their establishment inspection. For smaller organisations hoping to be acquired, utilising trusted third-parties in completing or confirming your actions for transitioning to the QMSR gives greater assurance of compliance status for the acquiring company.

Frequently Asked Questions

What is the impact on QSIT?

The FDA is in the process of developing a new inspection methodology suitable for the QMSR. The training of FDA inspectors on ISO 13485:2016 has already begun. It is possible that the new inspection methodology may be very similar to the MDSAP audit approach. The FDA will provide further guidance on this, but no specific timeframe has been given.

What is the impact on FDA guidance documents that reference the QSR or specific clauses of 21 CFR 820?

The FDA has stated that the change from QSR to QMSR does not substantially affect any of their existing guidance but now the final rule has been published, they will be working through implementing updates to the affected guidance.

For example, the FDA’s Design Control guidance was published in 1997 and has not been updated in light of changes to ISO 13485, ISO 9001, the technological advances in the products being designed, or the introduction of software applications to aid the design and development process. The amendment to 21 CFR 820 would seem like the appropriate prompt for the Design Control guidance to be updated, especially the replacement of the terms Design Control (ISO 13485 refers to it as ‘design and development’) and Design History File.

What is the impact on MDSAP?

The impact is likely to be minimal in terms of the purpose of the MDSAP audits and the methodology. The changes to specific references within 21 CFR 820 will require an update to the MDSAP Audit Approach document, and with that there will be training required for the auditors at the auditing organisations.

Will manufacturers get ISO 13485:2016 certification?

No. The FDA will not issue ISO 13485:2016 certificates due to their inspections; they will continue to issue Establishment Inspection Reports (EIR). Third party certification to ISO 13485 is not required for compliance with the QMSR.

Do manufacturers need ISO 13485:2016 certification to meet the new requirements of 21 CFR 820?

No; primarily because ISO 13485:2016 on its own is insufficient to demonstrate compliance with the applicable US regulatory requirements in the QMSR and other applicable US regulations. Third party certification to ISO 13485 is not required for compliance with the QMSR.

Will the FDA now accept an ISO 13485:2016 certificate as evidence of compliance with 21 CFR 820?

No, as the FDA cannot guarantee that the certification body has audited against the specific US regulatory requirements: “an ISO 13485 certificate will not be considered or accepted as a substitute for any oversight processes.”

What happens when/if ISO 13485 is revised?

Only ISO 13485:2016 has been incorporated by reference, so the QMSR cannot automatically change if ISO 13485 is revised. The systematic review of ISO 13485:2016 is to take place at the end of 2024, so even if there is a decision to update the standard it will be several years for any revision to be published. If/when ISO 13485 is revised, the FDA will assess those changes and determine whether they want to update the QMSR or not. If they do not, it could create an odd situation, with ANSI AAMI having to publish both an outdated national standard and the national adoption of the new version of ISO 13485. The likelihood of a prolonged divergence is probably low given the FDA’s active involvement, at ISO level, in the direction and content of ISO 13485. 

RQM+ Can Help Smooth Your QMSR Transition

FDA Strategy and Submissions: RQM+ delivers business-balanced FDA guidance and support for medical device and IVD manufacturers across all classifications, technologies, and clinical specialties.

Quality System Regulations and Standards: Regulatory requirements for quality management systems are constantly evolving, and it is up to manufacturers to stay abreast of the changes and stay compliant. The RQM+ team can help you implement best practices for keeping products and associated documentation up to date and compliant.

Comprehensive Audit Programs: From internal audits to multiyear agreements auditing your entire supply chain, RQM+ has you covered. Learn all of the ways we help with auditing everywhere in the world and in any language.

Acquisition Integration for Medical Devices and IVDs: Acquiring a new company or product line can have a positive business impact, but it also comes with regulatory and quality challenges. RQM+ uses a customized, business-balanced approach and proven practices to integrate new acquisitions into your quality systems.

More RQM+ Resources at Your Fingertips

• Read our blog on Enhancing Competitiveness in MedTech: Smart Strategies with Regulatory Intelligence
• Register for our March Live! show: Get Ahead of the Crisis: How Your Quality System Can Prevent Negative Impacts on Customers, Patients, and Reputation
• Follow RQM+ on LinkedIn for all of our updates!
  

References:

1.    The European Medical Technology Industry in figures (MedTech Europe, Oct 2023) 
2.    The Pulse of Healthtech: 2023 Business Survey (ABHI & CPI, Dec 2023)
3.    Challenges and Opportunities for the UK HealthTech Industry (CPI, ABHI & Catapult, Jan 2023)
4.    MedTech Europe Survey Report - Analysing the Availability of Medical Devices in 2022 in Connection to the Medical Device Regulation (MDR) Implementation (MedTech Europe, Jul 2022)