The FDA, after nearly four years of reworking its Quality System Regulation (QSR)—21 CFR, Part 820—finally published a draft regulation on February 22, 2022, that harmonizes the QSR with ISO 13485:2016. Read it here.
With this proposed rule, the agency has officially announced its plans to change the QSR to enable broader worldwide harmonization of medical device quality management systems. The resulting regulation would be called the Quality Management System Regulation (QMSR).
- The agency says the draft, “if finalized, would harmonize quality management system requirements for devices with requirements used by many other regulatory authorities around the world.”
- According to the FDA's analysis, medical device businesses that comply with both standards will save $439 million to $533 million over the next ten years if the regulation is implemented as drafted.
The agency is also using this opportunity to update other areas of its regulations to better accord with the Federal Food, Drug, and Cosmetic Act, as well as to clarify GMP standards for combination products.
Stakeholders have until May 24, 2022 to comment on the draft rule at Regulations.gov under docket No. FDA-2021-N-0507.
Here, we distill some of the most significant components of the proposed rule with the caveat that everything and anything is subject to change.
Some Quick Background on QSR and ISO 13485 Harmonization
- Since early 2018, the FDA has been working to align its QSR with the worldwide quality systems standard ISO 13485. FDA has included the QSR revamp as one of its anticipated regulatory initiatives in each of its biannual unified agendas since this time.
- The stated goal date for harmonization has slipped with each passing year, most recently in the Fall 2021 unified agenda, when the proposed regulation was set to be released in December 2021.
- Part of FDA’s reasoning for harmonizing its regulations with ISO 13485 is reducing the regulatory burden for device makers by eliminating redundancies involved in complying with both the ISO and QSR standards.
What's Happening Now
- According to FDA, the first revision of ISO 13485 was established at the same time as the current QSR back in 1996, producing the first consensus standard exclusively addressing medical device QMS criteria. “Over time, ISO 13485 has evolved into a stand-alone standard outlining QMS requirements for devices. With each revision, ISO 13485 has become more closely aligned with, and similar to, the requirements in part 820,” FDA said.
- Following several years of review, FDA said it has “determined that the requirements in ISO 13485 are, when taken in totality, substantially similar to the requirements of the current Part 820, providing a similar level of assurance in a firm’s quality management system and ability to consistently manufacture devices that are safe and effective and otherwise in compliance with the FD&C Act.”
- FDA said it came to this conclusion in part because of its recent experience with ISO 13485, which it gained through participation in the Medical Device Single Audit Program (MDSAP) and a previous audit report pilot program in which the agency accepted manufacturers' audit reports based on ISO 13485:2003.
- The release of this draft rule comes just 11 days after the White House Office of Management and Budget completed a review of the regulation.
- FDA is proposing to give device makers one year from the publication of the final rule to adapt to the new regulatory requirements.
- On March 2, 2022, FDA's Device Good Manufacturing Practice Advisory Committee (DGMPAC) convened to discuss the “feasibility and reasonableness” of the proposed rule. Here are some key takeaways from this meeting, as reported in this article in RAPS. Access the meeting information and event materials here.
- FDA's Melissa Torres, associate director for international affairs at the Center for Devices and Radiological Health (CDRH) said that ISO 13485 represents a more modern QMS approach and “has greater integration of risk management activities and stronger ties to ISO 14971, the risk management standard for medical devices.”
- Torres noted that the requirements of ISO 13485 are “about 90-95% similar to those in the Quality System Regulation.” She also clarified that the agency would retain its inspectional authority and that FDA inspections “will not result in certificates of conformance to ISO 13485 and manufacturers who have ISO 13485 certificates are not exempt from FDA inspections.”
- Some industry representatives stressed that the one-year transition period proposed by FDA would not give industry enough time to adapt to the new requirements. Some suggested a two or three-year transition period, instead.
A Few Key Differences, Changes, and General Takeaways
#1 — An emphasis on risk management activities and risk-based decision making
One of the primary differences between the current Part 820 and ISO 13485 is the international standard’s “greater emphasis on risk management activities and risk-based decision making.”
The current QSR expressly addresses risk management activities primarily in the context of the risk analysis associated with design validation (Part 820.30(g)). In the draft rule, FDA clarifies that it has expected manufacturers to “integrate risk management activities throughout their QMS and across the total product lifecycle.”
From FDA's perspective, risk management is an “essential systematic practice” to ensure that devices are safe and effective. If the proposed rule is finalized, manufacturers will likely need to enhance risk management procedures in all aspects of their businesses to align with the QMSR.
#2 — Clarification on the application of certain rules to certain device types
The proposed rule would also clarify that Clause 7.3 of ISO 13485 on Design and Development only applies to manufacturers of certain listed Class I devices, in addition to manufacturers of Class II and III devices.
#3 — Extension of traceability requirements
FDA would extend the traceability requirements in Clause 7.5.9.2 for implantable medical devices to instead cover devices that support or sustain life. Such products are currently subject to traceability requirements in Part 820.65 but are not subject to traceability requirements in ISO 13485.
#4 — A focus for top management on establishing a culture of quality
FDA is proposing to change the term “management with executive responsibility” from the QSR to “top management,” which is established in ISO 13485.
However, under this proposed QMSR, “top management” would keep the current QSR definition of “management with executive responsibility.”
From the draft rule:
"This will maintain the principle and requirement that the most senior employees of a manufacturer are responsible for establishing and making changes to the quality policy and ensuring the manufacturer follows the policy,”
“FDA expects medical device manufacturers, led by top management, to embrace a culture of quality as a key component in ensuring safe and effective medical devices.”
Firms interested in the work being done here may want to familiarize themselves with—and potentially participate in—the Case for Quality Collaborative Community (CfQcc).
#5 — "Customer" has been introduced and formally defined
The proposed QMSR defines a “customer” as:
“persons or organizations, including users, that could or do receive a product or a service that is intended for or required by this person or organization. A customer can be internal or external to the organization.”
The draft further says a customer “can encompass many types of individuals and organizations throughout the device manufacturing process,” including contract manufacturers and makers of components.
#6 — An updated concept of a QMS
The current Part 820.5 requires manufacturers to establish and maintain a QMS that meets the requirements of Part 820. The QMSR would instead require manufacturers to develop a QMS that complies with ISO 13485, as modified by the proposed Part 820.
The QMS also would have to be documented (e.g., by recording quantitative data so manufacturers could analyze the performance of their processes and protocols).
#7 — QSIT replacement
If this proposal is adopted, FDA states it intends to replace its long-standing Quality System Inspection Technique, or QSIT.
QSIT would be replaced by an inspection approach that complies with the proposed Part 820 requirements. The agency describes a methodology that is comparable to QSIT (one that would involve information collection to support inspection observations, including Form FDA 483).
But it's yet unclear how this new method will differ from QSIT, specifically. The FDA further emphasizes that its inspection would not be a substitute for an ISO 13485 certification procedure if one is required, nor would those who hold an ISO 13485 certificate be exempt from FDA inspection.
While the new inspection approach is yet unknown, FDA has stated that if the proposal is implemented, it will engage in training and teaching programs.
#8 — Combination products
The agency proposes conforming amendments to the cGMP rules that apply to combination products and give manufacturers a simpler way to show cGMP compliance.
Single-entity and co-packaged combination products with device constituent parts may, in general, comply with the cGMP requirements of one of the applicable sets of standards (including the applicable provisions of Part 820), rather than demonstrating compliance with all cGMP requirements, under FDA's provisions.
Importantly, the proposed revisions have no effect on the combination product's cGMP requirements. Instead, the agency proposes amending the clauses in 21 CFR Part 4 to match the ISO 13485 references.
#9 — The final rule will take effect one year after it’s finalized
The proposed rule states it's giving this timeline to give manufacturers enough time to come into compliance. Contact us to get the expert compliance assistance you need.
Mapping the Similarities and Differences Between QSR Subparts and ISO 13485 Chapters
In a table provided in the proposed rule, FDA lays out how different chapters of ISO 13485 would be mapped to the current subparts of the QSR, and whether the proposed rule is substantially similar or different in each.
Where there are differences, FDA provides a reference to the subpart where those differences are addressed. For instance, the differences between the current part 820 subpart K – Labeling and Packaging Control and ISO 13485:2016 Chapter 7. Product Realization is detailed in part 820.45 of the proposed rule.
We’ve reproduced this table below, with these differences highlighted and their references spelled out in the subsequent section. Use the links provided to jump to the relevant sections for details on differences.
|
Current Part 820 |
ISO 13485 Requirements |
Proposed Rule (QMSR) |
|
Subpart A—General Provisions |
Clause 1. Scope, Clause 4. Quality Management System |
Requirements substantively similar. |
|
Subpart B—QS Requirements |
Clause 4. Quality Management System, Clause 5. Management Responsibility, Clause 6. Resource Management, Clause 8. Measurement, Analysis, and Improvement |
Requirements substantively similar. |
|
Subpart C—Design Controls |
Clause 7. Product Realization |
Requirements substantively similar. |
|
Subpart D—Document Controls |
Clause 4. Quality Management System |
Differences addressed in 820.35. Jump to details > |
|
Subpart E—Purchasing Controls |
Clause 7. Product Realization |
Requirements substantively similar. |
|
Subpart F—Identification and Traceability |
Clause 7. Product Realization |
Requirements substantively similar. |
|
Subpart G—Production and Process Controls |
Clause 4. Quality Management System, Clause 6.Resource Management, Clause 7. Product Realization |
Requirements substantively similar. |
|
Subpart H—Acceptance Activities |
Clause 7. Product Realization, Clause 8. Measurement, Analysis, and Improvement |
Requirements substantively similar. |
|
Subpart I—Nonconforming Product |
Clause 8. Measurement, Analysis, and Improvement |
Requirements substantively similar. |
|
Subpart J—Corrective and Preventive Action |
Clause 8. Measurement, Analysis, and Improvement |
Requirements substantively similar. |
|
Subpart K—Labeling and Packaging Control |
Clause 7. Product Realization |
Differences addressed in 820.45. Jump to details > |
|
Subpart L—Handling, Storage, Distribution, and Installation |
Clause 7. Product Realization |
Requirements substantively similar. |
|
Subpart M—Records |
Clause 4. Quality Management System |
Differences addressed in 820.35. Jump to details > |
|
Subpart N—Servicing |
Clause 7. Product Realization |
Differences addressed in 820.35. Jump to details > |
|
Subpart O—Statistical Techniques |
Clause 7. Product Realization, Clause 8. Measurement, Analysis, and Improvement |
Requirements substantively similar. |
Proposal for Control of Records (Proposed § 820.35)
Addresses differences between:
- Part 820’s Subpart D—Document Controls and ISO 13485’s Clause 4. Quality Management System
- Part 820’s Subpart M—Records and ISO 13485’s Clause 7. Product Realization
- Part 820’s Subpart N—Servicing and ISO 13485’s Clause 7. Product Realization
The following text is copied from the proposed rule, but has been reformatted and bolded for clarity and emphasis.
Proposed Controls for Device Labeling and Packaging (Proposed § 820.45)
Addresses differences between:
- Part 820’s Subpart K—Labeling and Packaging Control and ISO 13485’s Clause 7. Product Realization
The following text is copied from the proposed rule, but has been reformatted and bolded for clarity and emphasis.
A Closer Look at Terms and Concepts
FDA outlines differences in the terms and definitions used in part 820 and ISO 13485 and explains its decision to retain or revise certain definitions. See the chart below for many of the significant takeaways, but don't assume this is an exhaustive summary.
|
Term or Concept |
Action Proposed |
Details |
|
“Act” |
Retain with revision |
The term will be retained be but expanded to “more precisely reflect” its reference to the FD&C Act. |
|
“Customer Property” |
Clarification |
FDA would expect regulated companies to comply with this provision to the extent necessary to assure safety and effectiveness (ISO 7.5.10) |
|
“Customer” |
Addition |
ISO’s “Customer” would be added to Part 820 to encompass many types of customers such as components manufacturers, contract manufacturers, and end-users. |
|
“Design and Development” |
Clarification |
Maintains the definition of Part 820.30(a) for design control of certain Class I and all Class II & III devices unless excluded by the regulatory authority. Documentation of exclusion applies. |
|
“Device” and “Labeling” |
Supersede ISO definitions |
These terms may not conflict with Section 201 of the FD&C Act since FDA doesn’t intend to change their statutory definitions. “Device” (201(h)) supersedes “Medical Device.” “Labeling” (201 (m)) supersedes “Labelling.” |
|
“Establish” |
Withdrawn |
ISO Section 0.2 “documented” also requires a requirement to be “established, implemented, and maintained.” |
|
“Implantable Medical Devices” |
Revision |
Reference Part 820.65, "devices that support or sustain life, the failure of which to perform when properly used in accordance with instructions for use provided in the labeling can be reasonably expected to result in a significant injury" (ISO limited to "implantable"). |
|
"Management with Executive Responsibility" |
Replace |
Replaced with “top management” as per ISO 13485, though the definition in the current part 820 will be retained. “This will maintain the principle and requirement that the most senior employees of a manufacturer are responsible for establishing and making chances to the quality policy and ensuring the manufacturer follows the policy. |
|
"Organization" |
Clarification |
ISO "organization” is the entity that is creating a QMS. Clarify the term “organization” to also include the meaning of the term “manufacturer" as its defined in proposed Part 820.3. |
|
“Process Validation” |
Retain with clarification |
FDA is retaining the definition while clarifying that the term is synonymous with “validation of processes” as used in ISO 13485. |
|
“Quality System Regulation" (QSR) |
Replace |
“Quality Management System Regulation” (QMSR) |
|
“Rework” |
Retain with revision |
The definition is retained with the removal of the term “device master record (DMR)” as the concept “is adequately covered under the requirements for a medical device file under Clause 4.2.3 of ISO 13485. |
|
“Risk Management” |
Clarification |
Risk Management expectations of Part 820 are more broadly and clearly defined by ISO as expected to apply across the QMS throughout the total product lifecycle. |
|
"Safety and performance" |
Clarification |
The same concept as “safety and effectiveness” as presented in section 520(f) of the FD&C Act. |
|
“Validation of processes” |
Clarification |
"Validation of processes' as used in ISO to refer to “process validation,” since that term is defined in Part 820. ISO 13485 does not define "validation of processes.” |
|
“Applicable regulatory requirements” |
Clarification |
This term is used in multiple ISO clauses. Proposal to identify certain instances of the phrase “applicable regulatory requirements.” Regulated companies would be responsible for identifying and meeting all applicable requirements even if such requirements are not specified in the proposed Part 820.10. |
|
“Component” |
Retain |
Retained as necessary to implement Part 820 (820.3(c)). |
|
“Design validation” |
Retain |
Retained as necessary to implement Part 820 (820.3(z)(2)). |
|
“Finished device” |
Retain |
Retained as necessary to implement Part 820 (820.3(I)). |
|
“Human cell, tissue, or cellular or tisse0based product (HCT/P regulated as a device” |
Retain |
Retained as necessary to implement Part 820.3(bb). |
|
“Manufacturer” |
Retain and supersede ISO definitions |
Part 820 definition is more comprehensive (820.3(o)). |
|
“Noncomformity” |
Retain |
Retained as necessary to implement Part 820. |
|
“Product” |
Clarification |
FDA states that “we note that consistent with the clarification in clause 0.2, which specifies that “when the term ‘product’ is used, it can also mean ‘service’,” for the requirements of clause 7.4 Purchasing we expect that when ensuring purchased products conform to requirements, oversight for purchased services are also included.” Also, the Part 820 definition of “product” is cited as being more comprehensive. |
|
“Readily identifiable and retrievable” |
Clarification |
ISO 13485 Clause 4.2.5 is substantially similar to Part 820.180: "FDA expects that such records will be made available during the course of an inspection. If the foreign manufacturer maintains records at remote locations, such records would be expected to be produced by the next working day or 2, at the latest FDA has clarified that records can be kept at other than the inspected establishment provided that they are made ‘readily available’ for review and copying." |
|
“Remanufacturer” |
Retain |
Retained as necessary to implement Part 820.3(w). |
|
“Verification” |
Retain |
Retained as necessary to implement Part 820.3(aa). |
|
Establishing and maintaining a QMS |
Revision |
A QMS that complies with with ISO 13485 as nisdued vy the proposed Part 820 must be documented. (820.5) |
|
Complaint handling |
Clarification |
Manufacturers must record the listed information, at a minimum, for complaints that must be reported to FDA under Part 803, complaints that a manufacturer determines must be investigated, and complaints that the manufacturer investigated regardless of those requirements. |
|
Confidentiality of records FDA receives |
Supplementary provision |
FDA proetects such records (Part 820.180) in accordance with 21 CFR Part 20. Must meet ISO 13485 Clause 4.2.5 and proposed Part 820.35. |
|
Control of records |
Supplementary provision |
Signature and date requirements for records subject to Clause 4.2.5 of ISO 13485. |
|
Information reportability under MDR |
Supplementary provision |
Information to be captured on certain records of complaints and servicing activities. |
|
Labeling and packaging |
Retain |
Proposed Part 820.45 to maintain expectations for inspection of labeling. Must conform to ISO 7.5.1 (e), 4.2.5 and proposed Part 820.45. |
|
MDSAP |
No change |
FDA will maintain inspections, will not issue certificates of conformity, and is not developing a certification program. |
|
Part 4 Combination Products |
Mixed |
Proposal amends Part 4 to conform to ISO 13485. Definition of “device” is revised. Proposal removes definition of “QS regulation” and replaces with a definition for “QMSR for devices.” See full proposal for more revisions and additions. |
|
Quality System Inspection Technique |
Replace |
Replace with new inspection technique consistent with the Final Rule. |
|
Servicing activities |
Clarification |
Clause 7.5.4 and proposed Part 820.35(b). |
|
Unique Device Identifier |
Supplementary provision |
Under Proposed Part 820.35(c), “In addition to the requirements of Clauses 7.5.1, 7.5.8, and 7.5.9 in ISO 13485, the UDI must be recorded for each medical device or batch of medical devices.” |
Key Considerations and Next Steps for Manufacturers
The QMSR, in its currently proposed form, introduces a new framework for the medical device QSR, which the industry has been waiting for. If finalized without an extension to its current compliance timeline, there won't be much time to comply before the effective date. Certain suggested modifications, as summarized here, are likely to have a substantial impact for many firms.
Stakeholders should study the relevant revisions and consider engaging throughout the rulemaking process to enhance it. As noted, FDA is accepting both electronic and written comments to the proposed rule (Docket No. FDA-2021-N-0507), which are due by May 24, 2022.
Impacted companies may also want to consider strategizing harmonization efforts now.
We help thousands of life science companies access that top talent they need to navigate and manage regulatory initiatives like these through three convenient engagement models: consulting projects, staff augmentation, and FTE recruitment.
Contact us today and get the conversation started.
FREE WHITE PAPER
Gap Analysis Remediation: A Guide to Resourcing & Implementation
Get an expert strategy for planning the resources you need to make remediation successful. Learn where life science quality departments get stuck, the signals of resource-heavy work, models for implementation, and more.
