The FDA’s Quality Management System Regulation (QMSR): An Introduction and Compliance Guide

Section 820.1 (Scope)

The new QMSR's scope remains practically identical to the current QSR.

The new QMSR covers finished devices and human cells, tissues, and cellular and tissue-based products (HCT/Ps) regulated as devices. However, components and parts of finished devices and blood and blood components are not included. It's important to note that although components or parts of finished devices are not part of the scope, the FDA has the authority to extend the rule to those components or parts should it be necessary.

The QMSR applies to manufacturers, contract sterilizers, installers, relabelers, remanufacturers, repackers, specification developers, and initial distributors of foreign manufacturers. Additionally, component manufacturers are encouraged to voluntarily comply with the QMSR.

This particular section of the QMSR outlines the guidelines for manufacturers to resolve conflicts between the FD&C Act and its implementing regulations, and ISO 13485.

It's crucial to note that in case of any conflict with ISO 13485, the FD&C Act and FDA regulations will have priority.

The FDA has given two examples of such conflicts in the preamble:

• the definitions of “device” and “labeling” in the FD&C Act are more authoritative than the definitions of “medical device” and “labelling” in ISO 13485; and
• it's clarified that the term “safety and performance” in ISO 13485 is equivalent to the term “safety and effectiveness” in the FD&C Act.

📋 A few key action items:

• Review and Update Scope Understanding: Ensure your organization's understanding of the QMSR's scope aligns with the final rule, covering finished devices and HCT/Ps regulated as devices.
• Assess and Prepare for Potential Expansion: If necessary, the FDA may extend the rule to components or parts of finished devices.
• Voluntary Compliance for Component Manufacturers: To align with industry standards and expectations, component manufacturers should consider voluntarily complying with the QMSR.

Section 820.3 (Definitions)

The final rule includes Clause 3 of ISO 9000, which is a part of Quality management systems – Fundamentals and Vocabulary (2015), in addition to ISO 13485.

Clause 3 of ISO 9000 is considered the primary source for definitions in ISO 13485, except for those that are explicitly defined in ISO 13485. Although the proposed rule did not mention ISO 9000, after receiving feedback, the FDA clarified that only Clause 3 of ISO 9000 (terms and definitions) is incorporated in the QMSR.

• Component
• Federal Food, Drug, and Cosmetic Act
• Finished Device
• Human cell, tissue, or cellular or tissue-based product (HCT/P) regulated as a device
• Implementable Medical Device
• Remanufacturer
• Manufacturer
• Organization
• Rework
• Safety and Performance

The FDA had to make several adjustments to regulatory definitions as a result of incorporating ISO 9000 terms and definitions in the final rule:

• The FDA has removed definitions for several terms from the proposed rule, opting instead for the corresponding definitions and concepts found in ISO 9000 and ISO 13485. These terms include "customer," "design validation," "non-conformity," "process validation," "product," and "verification." Additionally, "top management" in ISO standards replaces the QSR's term "management with executive responsibility."
• The industry resisted the FDA's replacement of the QSR term "establish" with the ISO 13485 term "document" in the proposed rule. The FDA acknowledged the slight differences in definitions but argued that the terms are close enough that separate definitions would be redundant.
• The QMSR has eliminated the traditional terms Device Master Record (DMR), Design History File (DHF), and Device History Record (DHR) in favor of the term Medical Device File (MDF) from ISO 13485:2016. Although the terms are changing, the FDA emphasizes that the record-keeping requirements remain largely the same. ISO 13485:2016 clauses cover the necessary documentation:
  
  • Clause 4.2.3 (MDF): General device description, specifications, manufacturing procedures, and more, aligning with DMR requirements.
  • Clause 7.3: Design and development records, akin to DHF.
  • Clause 7.5.1: Production records and traceability, similar to DHR.|
    
    While the FDA is moving away from these terms, many in the industry may continue using DMR, DHF, and DHR due to familiarity. However, for the sake of clarity, especially for new professionals and auditors, it is advisable to update QMS documents to reflect the new terminology and include synonyms where appropriate.

• ISO 13485 incorporates the definition of "risk" from ISO 14971, which is focused on the probability and severity of harm. While the FDA does not adopt ISO 14971 in this rulemaking, it acknowledges that ISO 13485's conception of risk includes safety or performance requirements and applicable regulatory compliance. This approach encourages manufacturers to integrate regulatory compliance risk into their safety risk management processes.
• The final rule maintains the FD&C Act definitions of "device" and "labeling," which precede those in ISO 13485. Similarly, the definition of "manufacturer" in the QMSR supersedes the ISO standard definition, aligning with the QSR definition.

📋 A few key action items: 

• Update Definitions: Update your QMS documentation to reflect the new and adjusted definitions from ISO 9000 and ISO 13485, ensuring consistency with the QMSR.
• Reevaluate "Establish" vs. "Document": Understand the alignment between the terms "establish" and "document" in your QMS procedures and records.
• Align Risk Management: Integrate regulatory compliance risk into your safety risk management processes, acknowledging the broader definition of "risk," incorporating safety, performance, and regulatory compliance.

Section 820.10 (Requirements for a Quality Management System)

This section of the QMSR final rule incorporates ISO 13485 Quality System requirements while maintaining additional FDA medical device-related regulatory requirements.

• Clause 7.5.8. Identification: Unique Device Identification requirements are provided (21 CFR Part 830, Unique Device Identification).
• Clause 7.5.9 Traceability: Traceability/Medical Device Tracking is provided (21 CFR Part 821, Medical Device Tracking).
• Clause 8.2.3 Reporting to Regulatory Authorities: FDA MDR requirements are provided (21 CFR Part 803, Medical Device Reporting).
• Clause 7.2.3 Communication, 8.2.3 Reporting to Regulatory Authorities, and 8.3.3 Actions in Response to Nonconforming Product Detected After Delivery: FDA Advisory Notices requirements have been included (21 CFR Part 806, Corrections and Removals).

This section specifies the devices subject to the design and development requirements of ISO 13485 (clause 7.3). These requirements replace the design control requirements of QSR, which are outlined in 21 CFR Part 820.30.

The scope of the devices subjected to these requirements includes Class II and Class III devices, along with specific Class I devices. Note that this scope remains the same as outlined in the QSR.

Furthermore, ISO 13485 (clause 7.5.9.2) provides traceability requirements for implantable devices. This QMSR section specifies that these traceability requirements extend to devices that support or sustain life.

Lastly, but very importantly, failure to comply with the requirements of the new QMSR found in the amended 21 CFR Part 820 (and, by extension, ISO 13485) renders a device adulterated.

📋 A few key action items: 

• Implement ISO 13485 Requirements: Ensure your QMS incorporates the ISO 13485 Quality System requirements, especially those not explicitly identified in ISO 13485 but necessary under FDA regulations (e.g., Unique Device Identification, Traceability, Reporting to Regulatory Authorities).
• Design and Development Requirements: Verify that your devices subject to design and development requirements align with ISO 13485 (clause 7.3), replacing the design control requirements from the previous QSR.

Section 820.35 (Control of Records)

This section of the proposed rule initially stated that in addition to the requirements of Clause 4.2.5 in ISO 13485, the manufacturer must obtain the signature of each individual who approved or re-approved the record, along with the date of approval. This statement caused anxiety for some commenters who argued that the proposed rule was more stringent and burdensome than the approval requirements of ISO 13485. In response, the FDA agreed and removed this requirement from the final rule. Therefore, the approval requirements for a particular record will be as defined in ISO 13485.

This section outlines specific content requirements for complaint records and service records. The final rule adds additional language that defines when a complaint investigation must be initiated, in line with the existing requirement in 21 CFR Part 820.198(c).

• Specifically, complaints that involve the possible failure of a device, labeling, or packaging to meet any of its specifications must be investigated.
• The FDA also clarified how organizations should manage multiple complaint-handling units by emphasizing the importance of defining a corporate complaint-handling procedure to ensure consistency throughout different complaint-handling units and identifying a single group or unit responsible for coordinating all complaint-handling functions.

The FDA has recognized the differences between the QSR’s corrective and preventive action CAPA requirements and the separate Corrective Action and Preventive Action requirements in the ISO standard. As a result, the agency has decided to align itself with the ISO standard.

Regarding complaints, the QMSR requires that complaints records include the corrections and corrective actions taken to address the complaint. Furthermore, the section also outlines Unique Device Identification (UDI) requirements that are in addition to those in the ISO standard. It also reminds manufacturers to mark their records as “confidential” to aid the FDA in determining what records may be disclosed to the public under 21 CFR Part 820.

📋 A few key action items: 

• Adopt ISO 13485 Approval Requirements: Align your record approval processes with ISO 13485's requirements.
• Enhance Complaint and Service Record Procedures: Implement procedures for initiating complaint investigations as specified, and ensure comprehensive management of complaint-handling units for consistency and coordination.

Section 820.45 (Device Labeling and Packaging Controls)

The FDA identifies a critical area in the Quality System where ISO 13485 falls short: overseeing the control and inspection of device labeling and packaging.

This concern is addressed in the QMSR because ISO 13485 lacks specific requirements for labeling and packaging and fails to address manufacturer labeling inspection. To remedy this, the QMSR mandates that manufacturers inspect device labels for accuracy against specific criteria before release, aligning with current regulatory requirements outlined in 21 CFR Part 820.120(b)e.

For instance, the FDA highlights instances where medical device recalls occurred due to errors missed by automated readers.

Therefore, the QMSR mandates that a person must physically examine a representative sample of labels before release, even if automated readers previously checked them.

📋 A few key action items: 

• Inspect Device Labels Before Release: Integrate a process for physical examination of a representative sample of device labels for accuracy before release, even if automated readers are used.
• Align Labeling and Packaging Controls: Ensure your QMS addresses the control and inspection of device labeling and packaging to fill gaps not covered by ISO 13485, according to QMSR mandates.

• First, the FDA emphasizes elsewhere in the preamble that incorporating risk management throughout the product lifecycle, as outlined in ISO 13485, was a significant factor driving the development of the QMSR. Even though ISO 13485 doesn't mandate compliance with ISO 14971, it does reference this risk management standard as a valuable resource when establishing a risk management process.
• Second, independent of the QMSR, the FDA has already recognized the 2019 revision of ISO 14971 as a consensus standard. This recognition doesn't mandate medical device firms to adhere to ISO 14971. Still, it does acknowledge that the FDA considers compliance with it as a means to fulfill regulatory requirements for risk management.

• Minimal Impact for ISO 13485:2016 Certified or Aligned Companies: Businesses already certified or aligned with ISO 13485:2016 will encounter minimal adjustments due to the introduction of the QMSR. Their main tasks involve updating documents to reference the QMSR and making minor modifications to ensure complete compliance. These companies, particularly those marketing devices in jurisdictions where ISO 13485 is the accepted GMP standard (such as the EU, Australia, Canada, and Japan), will likely see a reduction in both the complexity and cost of QMS compliance. However, they must revise procedures and work instructions to eliminate outdated QSR requirements and terminology references. Contact us today to get the expert QMSR support you need.
• Significant Impact for Companies Primarily Under QSR: Companies currently operating under the 21 CFR Part 820 QSR and not in compliance with ISO 13485 will face a significant overhaul. The transition to QMSR demands substantial updates to procedures and documentation to reconcile differences between the QSR and QMSR frameworks. Notably, the QMSR emphasizes risk management and risk-based decision-making more strongly than the QSR. Adopting ISO 14971 for risk management practices is highly recommended to align with QMSR expectations. These firms must adapt their procedures to meet international standards while incorporating necessary provisions to remain compliant with the revised 21 CFR Part 820, including specific FDA requirements enhancing or clarifying ISO 13485 standards. Contact us today to get the expert QMSR support you need.
• Additionally, the QMSR modifies 21 CFR Part 4 concerning the regulation of combination products by updating references from the QSR to relevant clauses in ISO 13485. This underscores the need for firms to thoroughly understand the QMSR, including the FDA's interpretations outlined in the rule's preamble, to effectively prepare for updates in quality management systems, inspection management, and regulatory compliance strategies. Contact us today to get the expert QMSR support you need.

Understanding how the new rule applies is crucial for firms navigating these changes or those seeking assistance with revising procedures. We can help; contact us.

• QSR: Applies mainly to medical devices marketed in the U.S., focusing specifically on manufacturing processes and quality assurance.
• QMSR: Broadens the scope to include additional stakeholders like contract sterilizers and remanufacturers, aligning more closely with international standards.

Regulatory Alignment

• QSR: Follows older FDA-specific regulations, tailored primarily to U.S. requirements.
• QMSR: Seeks to harmonize U.S. regulations with global standards, particularly ISO 13485:2016, facilitating easier compliance for global market access.

• QSR: Utilizes FDA-specific terminology, including terms like DHF, DMR, and DHR.
• QMSR: Adopts international terminology from ISO 13485:2016, updating many traditional terms to align with global standards while maintaining the requirements under new terminologies.

• QSR: Focuses on detailed FDA-specific documentation requirements.
• QMSR: Emphasizes system-wide documentation and record-keeping in line with ISO 13485, incorporating broader criteria for maintaining and protecting records.

• QSR: Contains specific and detailed requirements for labeling and packaging to meet FDA standards.
• QMSR: Retains stringent FDA requirements but integrates ISO 13485 standards for labeling, with increased emphasis on verification and inspection processes by manufacturers.

• QSR: Primarily addresses risk management during design validation.
• QMSR: Places a stronger emphasis on integrating risk management throughout the device lifecycle, aligning with ISO 14971 standards (although compliance with ISO 14971 is not directly required).

• QSR: Uses the FDA’s Quality System Inspection Technique (QSIT) for inspections.
• QMSR: Updates inspection methodologies to better align with ISO 13485, although specific changes are still being finalized.

• QSR: Requires compliance with FDA-specific regulatory standards.
• QMSR: Does not require ISO 13485 certification but encourages compliance to facilitate market access globally.

• QSR: Established with periodic updates over the years.
• QMSR: Enacted in 2024 with a transition period ending in 2026, allowing organizations time to adjust to the new regulations.

• QSR: Focuses on ensuring product safety and effectiveness with rigorous FDA oversight.
• QMSR: Aims to reduce regulatory redundancies and simplify processes by aligning more closely with international standards, promoting a more unified approach to global market access.