30 January 2024

How to Prepare for the QMSR: A 7-Step Strategy

The FDA's Quality Management System Regulation (QMSR) final rule amends the Quality System Regulation (QSR) to harmonize and modernize the regulations.

This significant regulatory update seeks to align more closely with the international consensus standard for medical devices by incorporating the quality management system (QMS) requirements used by other regulatory authorities.

The QMSR is designed to promote consistency in device regulation, ensure the timely introduction of safe, effective, and high-quality devices for patients, and reduce regulatory burdens by aligning with ISO 13485:2016, an international standard specific for device quality management systems.

The effective date for this rule is set for February 2, 2026​.

Given the comprehensive nature of the QMSR final rule, a medical device firm impacted by these amendments should take a systematic approach to prepare for compliance.

Here's a step-by-step strategy to achieve compliance with the updated regulation.

1. Understand the QMSR Requirements in Detail

Begin by thoroughly reviewing the QMSR final rule to understand the new requirements and how they differ from the current regulations.

Focus on incorporating ISO 13485:2016—and the standards it references—into the FDA's regulatory framework, noting any specific additions or exceptions made by the FDA to align with the FD&C Act and other applicable FDA requirements.

Action items

  • Conduct a detailed review of the QMSR and ISO 13485:2016. Access the full text of the QMSR final rule from the Federal Register or FDA website.
  • Pay special attention to the sections detailing the incorporation of ISO 13485:2016, including any amendments or exceptions specific to the FDA's requirements.
  • Acquire the latest version of ISO 13485 to understand the international standards for quality management systems as they apply to medical devices. This document will be the foundation for aligning your QMS with global standards.

2. Conduct a Gap Analysis

Conduct a comprehensive gap analysis comparing your current quality management system against the new QMSR requirements, including the specifics of ISO 13485:2016, the standards it references and intersects with (such as ISO 14971,) and any additional FDA-specific requirements,

Identify areas of non-compliance and areas that require updates or changes in your procedures, documentation, and quality management practices.

Action items

  • Assemble a cross-functional team that includes members from quality management, regulatory affairs, manufacturing, engineering, and other relevant departments. This diversity ensures all aspects of the QMS are reviewed comprehensively.
  • Assign specific responsibilities to team members, such as leading the review of certain sections of ISO 13485:2016 or analyzing specific QMS processes.
  • Compile an inventory of all current QMS documentation, including quality manuals, SOPs, work instructions, and records.
  • Evaluate current quality management practices, including document control, risk management, design controls, supplier management, and corrective and preventive actions (CAPA)
  • Review each clause of ISO 13485:2016 in detail, understanding the expectations and how they apply to your operations.
  • Highlight any additional FDA-specific requirements in the QMSR that go beyond ISO 13485:2016, paying close attention to areas such as documentation, traceability, and reporting.
  • Compare your current QMS documentation and practices against the requirements of ISO 13485:2016 and the QMSR. Use a structured approach, such as a spreadsheet or matrix, to document this comparison. Clearly identify where current practices and documentation do not meet the new requirements. This includes areas of non-compliance, outdated procedures, insufficient documentation, or practices that require enhancement.
  • Prioritize the identified gaps based on risk to product quality, patient safety, and regulatory compliance. This prioritization helps focus efforts on the most critical areas first.
  • For each identified gap, develop a plan to achieve compliance. This plan should include specific actions, responsible individuals, resources required, and timelines.
  • Prepare a detailed report of the gap analysis findings, including the assessment methodology, identified gaps, prioritization, and proposed action plans.
  • Use a project management tool or spreadsheet to track the progress of action plan implementation. This tool should allow for monitoring of deadlines, responsible parties, and completion status.
  • Present the gap analysis findings and proposed action plans to senior management for review, input, and approval. Ensure that there is a clear understanding of the resource commitment and timelines required to achieve compliance.

3. Develop an Implementation Plan

Based on the gap analysis, develop a detailed implementation plan that outlines the steps needed to achieve compliance.

This plan should include timelines, responsibilities, resources required, and any training needs. Prioritize actions based on the gap analysis findings and the impact on your quality management system.

Action items

  • Classify the identified gaps based on their risk to product quality, patient safety, and regulatory compliance. Also, consider the impact of each gap on your overall QMS. Prioritize actions needed to address these gaps, focusing first on those that pose the highest risk or have the most significant impact on compliance.
  • Decompose each action into specific, manageable work projects and work tasks. For example, updating a procedure to comply with ISO 13485:2016 requirements might involve drafting the new procedure, reviewing it, training staff, and implementing it. For each task, develop a detailed action plan that includes the steps required, resources needed (e.g., personnel, technology, financial), and any dependencies on other tasks.
  • Assign a responsible owner for each task and action plan. This person will be accountable for completing the task on time and meeting the required standards. Where necessary, form cross-functional teams to address complex tasks that span multiple departments or areas of expertise.
  • Establish timelines for each task and action plan, considering the complexity of the task and the availability of resources. Be realistic to ensure timelines are achievable.  Identify key milestones within the plan, such as the completion of major task groups or critical steps toward compliance. Milestones help to track progress and provide checkpoints for review.
  • Based on the gap analysis, identify areas where staff training or re-education is required to meet the new QMSR and ISO 13485:2016 requirements. Create specific training programs for different roles and responsibilities within the organization. This might include workshops, seminars, e-learning modules, and hands-on training sessions.
  • For each task or action plan, estimate the resources required, including personnel, equipment, technology, and financial resources. Ensure that the necessary resources are allocated and available for the implementation plan. This may involve budget approvals, hiring additional staff, or purchasing new equipment or technology.
  • Implement tools or systems to monitor the progress of tasks against the plan. This could be a project management software, spreadsheets, or regular status meetings. Also, establish a regular reporting mechanism to update stakeholders on progress. This should include any deviations from the plan, challenges encountered, and corrective actions taken.
  • Schedule regular review meetings with the project team and stakeholders to assess the progress of the implementation plan. Be prepared to adjust the plan based on feedback, challenges encountered, and changes in regulatory guidance or business priorities.
  • Compare your current QMS documentation and practices against the requirements of ISO 13485:2016 and the QMSR. Use a structured approach, such as a spreadsheet or matrix, to document this comparison. Clearly identify where current practices and documentation do not meet the new requirements. This includes areas of non-compliance, outdated procedures, insufficient documentation, or practices that require enhancement.
  • Prioritize the identified gaps based on risk to product quality, patient safety, and regulatory compliance. This prioritization helps focus efforts on the most critical areas first.
  • For each identified gap, develop a plan to achieve compliance. This plan should include specific actions, responsible individuals, resources required, and timelines.
  • Prepare a detailed report of the gap analysis findings, including the assessment methodology, identified gaps, prioritization, and proposed action plans.
  • Use a project management tool or spreadsheet to track the progress of action plan implementation. This tool should allow for monitoring of deadlines, responsible parties, and completion status.
  • Present the gap analysis findings and proposed action plans to senior management for review, input, and approval. Ensure that there is a clear understanding of the resource commitment and timelines required to achieve compliance.

4. Train the Team

Educate and train your staff on the new requirements and any changes to your quality management system. This includes training on ISO 13485:2016 and specific FDA regulatory requirements that are now part of the QMSR.

Ensure that personnel involved in design, manufacturing, quality control, and regulatory compliance are fully aware of the new requirements and their roles in maintaining compliance.

Action items

  • Conduct a training needs analysis (TNA). Assess the knowledge gaps among employees regarding ISO 13485:2016, QMSR, and any FDA-specific requirements. Identify who needs training and what type of training is necessary, focusing on roles within design, manufacturing, quality control, and regulatory compliance.
  • Group employees by their roles and responsibilities to tailor the training content to their specific needs. Consider different training modules for executives, managers, and operational staff.
  • Develop comprehensive training materials that cover the essentials of ISO 13485:2016, QMSR, and FDA-specific requirements. Include real-world examples, case studies, and best practices to illustrate how the standards apply in various scenarios.
  • Schedule training sessions well in advance, ensuring they do not disrupt critical operations. Consider rolling out training in phases, starting with top management and working down to operational staff.
  • Identify internal experts or hire external consultants who are well-versed in ISO 13485:2016 and the QMSR to lead the training sessions. These individuals should have excellent communication skills and a deep understanding of the regulatory landscape.
  • Document all training activities, including attendee lists, training dates, materials used, and assessment results. These records are essential for demonstrating compliance during FDA inspections or audits.

5. Update Your Quality Management System

Implement the necessary changes to your quality management system based on the gap analysis and training.

This may involve updating or creating new procedures, documentation, quality policies, and practices to align with the QMSR and ISO 13485:2016 requirements.

Action items

  • Review and revise QMS documentation. Start with your quality manuals and overarching quality policies to ensure they reflect the principles and requirements of ISO 13485:2016 and the QMSR. Incorporate any new or revised regulatory requirements identified during the gap analysis. Then, review and update your SOPs to align with the updated quality manuals and policies. This may involve rewriting procedures to incorporate new work practices, compliance requirements, or improvements identified during training sessions.
  • Based on the gap analysis, develop new procedures required to fill in the gaps. This could include procedures for risk management, design control, supplier management, or any other area that was identified as lacking or inadequate. Ensure all new and revised documents are processed through your document control system. Assign document numbers, revision dates, and approval signatures to maintain traceability and accountability.
  • Establish or update your risk management framework in accordance with ISO 14971, as referenced by ISO 13485:2016. Integrate risk management principles into all stages of product life cycle, from design and development to post-market surveillance. Provide specific training on risk management processes and tools to relevant personnel, ensuring they understand how to identify, assess, and mitigate risks effectively.
  • Revise existing training programs to include any new procedures, policies, or compliance requirements. Ensure that all relevant personnel are trained on the updated aspects of the QMS.
  • Review and update your quality objectives to align with the new or revised QMS requirements. Develop quality plans that outline specific actions, resources, and timelines to achieve these objectives.
  • Update quality control procedures to ensure they are in line with the revised QMS requirements. This may involve adopting new inspection criteria, testing methods, or monitoring practices.
  • Conduct validation activities for any new processes or significant changes to existing processes, as required by ISO 13485:2016 and the QMSR. Ensure that validation activities are well documented and that results demonstrate that processes meet intended specifications.
  • Perform verification activities to ensure that the changes made to the QMS have been implemented correctly and are effective in meeting the updated requirements.

6. Plan and Conduct Internal Audits

Conduct internal audits to verify that the changes made to your quality management system are effectively implemented and that your system is fully compliant with the new requirements. Use the audit findings to make any necessary adjustments or corrections.

Action items

  • Determine the areas of your QMS to be audited and the frequency of audits. The scope should cover all aspects of the QMS, including the recent changes made to comply with QMSR and ISO 13485:2016.
  • Choose qualified auditors who are trained in internal auditing techniques and have a good understanding of QMSR and ISO 13485:2016 requirements. Consider using auditors who are independent of the areas being audited to ensure objectivity.
  • Develop an audit checklist based on the QMSR and ISO 13485:2016 requirements, including any specific FDA requirements incorporated into your QMS. The checklist should help auditors to verify compliance and assess the effectiveness of the implemented changes.
  • Inform the relevant departments and personnel of the upcoming audit, including the scope, schedule, and expectations. This communication helps to ensure cooperation and readiness.
  • Conduct the QMSR audit. Start by reviewing the updated QMS documentation to verify that it complies with the required standards and that it is properly implemented. Assess the practical implementation of the changes through observations, interviews with personnel, and review of relevant records. Pay special attention to areas where significant changes were made to ensure they are functioning as intended. Collect evidence to support the audit findings. This could include records, logs, completed checklists, and photographs.
  • Compile the audit findings into a report that clearly states compliance, non-compliance, and observations. Highlight the strengths of the QMS as well as areas needing improvement. Present the audit report to management and the departments audited. Discuss the findings, implications, and recommended corrective actions.
  • For any non-compliance issues identified, develop a corrective action plan that outlines the steps to resolve the issues, responsible personnel, and timelines.
  • Conduct follow-up audits to verify that corrective actions have been effectively implemented and that the underlying issues have been resolved.
  • Keep comprehensive records of the audit process, findings, corrective actions, and follow-up activities. These records are essential for demonstrating compliance during external audits or inspections.

7. Prepare for FDA Inspections

Ensure your firm is prepared for FDA inspections by maintaining comprehensive and accessible records of your quality management system activities, including training records, audit reports, corrective and preventive actions, and compliance documentation.

Action items

  • Familiarize yourself with the FDA's inspection guides and checklists, especially those related to QMSR and ISO 13485:2016. Understand the common focus areas, such as design controls, risk management, CAPA systems, and supplier management.
  • Ensure that all QMS documentation is organized and easily accessible. This includes quality manuals, SOPs, work instructions, and policies that reflect compliance with QMSR and ISO 13485:2016.
  • Maintain up-to-date records of training, internal audits, CAPAs, management reviews, and supplier evaluations. Ensure these records are easily retrievable for inspection.
  • Conduct mock inspections to simulate an actual FDA inspection. This can help identify potential gaps in your QMS and readiness. Use FDA inspection checklists to guide these simulations. Consider hiring consultants who are experienced with FDA inspections to conduct mock inspections. Their insights can provide valuable feedback on areas for improvement.
  • Train relevant personnel on how to effectively interact with FDA inspectors, including what to expect during an inspection, how to answer questions, and how to provide documentation.
  • Create a team responsible for interacting with FDA inspectors during an inspection. This team should include members from quality, regulatory affairs, manufacturing, and senior management.
  • Review your CAPA system to ensure it is effectively identifying, documenting, and addressing non-conformities. FDA inspectors often scrutinize the CAPA process closely. Maintain records that demonstrate the effectiveness of CAPA actions taken. This includes evidence of problem resolution and measures taken to prevent recurrence.
  • Ensure that documentation related to suppliers and contract manufacturers, including audits, evaluations, and quality agreements, are current and compliant. Verify that your supplier quality management processes align with QMSR and ISO 13485:2016 requirements, as the FDA may review how you manage and control your suppliers.

Topics: FDA Auditing