FDA´s QMSR: ISO 13485:2016 and beyond

In our previous article we described FDAs effort to align the Quality System Regulation with the global Quality Management System standard ISO 13485:2016. Although this is still a proposal, it is planned to be a Final Rule in December 2023, with implementation 2024.

Even though ISO 13485:2016 will largely replace a lot of the requirements in the QSR, many other regulatory requirements still apply. The new Quality Management System Regulation (QMSR) also includes several new sections.

The main differences between ISO 13485 and the proposed QSMR are in Clause 4: Quality Management System and clause 7: Product Realization. FDA has added requirements from the current Document Controls, Labelling and Packaging Control, Records, and Servicing. The differences have been addressed in the new § 820.35 and § 820.45.

In the proposed § 820.35 FDA has added a requirement that require signature and date for records subject to Clause 4.2.5 of ISO 13485. They also added specific requirements to ensure that the information required by part 803, Medical Device Reporting, is captured in certain records of complaints and servicing activities. Unique Device Identification (UDI) is also a requirement which is not defined in 13485, only mentioned briefly in clause 7.5.8.  An interesting addition is also a clarification from the current 820.180 that reminds firms that FDA protects confidentiality of records it receives.

The additions in the proposed new section Device labelling and packaging controls, § 820.45, FDA primarily emphasises the importance of control of labelling. Manufacturers must ensure labelling and packaging has been examined for accuracy prior to release and the results of the labelling inspection must be documented. The release of the labelling for use must also be documented.

Further clarifications have been added in §820.15, for example that;

  • the term safety and performance mean the same as safety and effectiveness,
  • the organization also includes the term manufacturer,
  • validation of processes should be understood to be the same as process validation.

This is in not a complete list of the changes but highlights the main differences.

Our conclusion is that if you have an ISO 13485:2016 certificate already, and especially if your quality management system already includes requirements from the current QSR 820, the changes will be more of administrative character than a system overhaul. But for manufacturers with only ISO 13485-certificates that want to expand to the US, things may become a little bit easier. We keep our fingers crossed.

If you have any question, contact us at info@qadvis.com.

Swedish Medtech Summit 2023

QAdvis är så klart representerade på höstens Swedish Medtech Summit den 21 november i Stockholm. Kom och prata med våra konsulter Ladan Amiri och Krishnadev Moothandassery Ramdevan.

Konferensen kommer ge en belysning av hur vården– och omsorgen håller på att utvecklas och hur stor betydelse de nya teknikerna kommer ha i framtiden.

Som konsultföretag inom Medtech och med fokus på bland annat cybersäkerhet, mjukvara och klinisk utvärdering vill vi ta del av det som händer och de utmaningar som industrin och sjukvården står inför. Med vår kompetens och förståelse av komplexiteten kan vi på ett effektivt sätt bidra med den regulatoriska analysen och hjälpa till att identifiera vilka aktiviteter som behövs för CE-märkning av medicintekniska produkter. Inte minst med avseende på kraven för egentillverkning som med MDR 2017/745 och IVDR 2017/746 är tydligare reglerat.

Kontakta oss om du vill veta mer info@qadvis.com

Is it time to scrap the DHF, DMR and DHR?

To successfully navigate an inspection by FDA, it’s essential to maintain three separate buckets for your device files: the Design History File (DHF), the Device Master Record (DMR) and the Device History Record (DHR). However, with the upcoming update to the US Quality System Regulation, these terms may no longer be used.

Since 2018, the FDA has been working to align its Quality System Regulation QSR 21 Part 820 with the global standard for Quality Management Systems, ISO 13485:2016. And this is for a very good reason. The FDA played a key role in developing this standard and is also a member of the Medical Device Single Audit Program (MDSAP)accepting audit reports from MDSAP-recognized Auditing Organizations instead of FDA audits.

The implementation of this new regulation, Quality Management System Regulation (QMSR)  has however faced repeated delays. But in May 2023 Dr. Jeff Shuren, director of FDA’s Center for Devices and Radiological Health (CDRH) stated that the publication of the QSMR is a “high priority” for the FDA and should be out by the end of this year. So maybe the new QSMR will be a long-anticipated Christmas present.

The new regulation will eliminate most of the requirements in the current Part 820. Changes in the QSMR will primarily be made by referencing ISO 13485 rather than duplicating the exact text of the standard. However, some sections will include clarifications, and it’s crucial to remember that the other regulatory requirements will still apply. For instance:

  • 21 CFR Part 830: Unique Device Identification Requirements
  • 21 CFR Part 821: Traceability Requirements, if applicable
  • 21 CFR Part 803: Reporting to Regulatory Authorities
  • 21 CFR Part 806, Advisory Notices

A significant difference between the QS regulation and ISO 13485 is that the risk management requirements are integrated throughout all aspects of the quality management system in ISO 13485. This contrasts with 21 CFR 820, where the risk-specific requirements are only listed in §820.30(g) as part of design validation.

If you’re already ISO 13485 certified, changes to your system will be minimal. If you only operate within the US, changes will be more substantial.  If you plan to remain solely within the US, you don’t need to obtain a notified body or 13485 certifications. You can continue as before but follow the QMSR instead of the QSR. The FDA will continue its usual site inspections but will use its new audit method based on QMSR (i.e., ISO 13485) instead of QSIT.

It’s important to note that an inspection from FDA won’t result in a 13485 certificate since this is a government inspection and not a Notified Body audit. It’s also crucial to understand that even if you already have a 13485 certificate, the FDA will continue to inspect your site as long as you sell in the US, unless you participate in the MDSAP audit program.

While it’s uncertain whether the QMSR will indeed be published by the end of 2023, we will certainly keep a close watch on this development and hope that “a watched pot never boils” proves to be incorrect in this case.

In the next follow up article we will go through the major differences between the ISO 13485:2016 and the proposed QSMR.

If you have any question, contact us at info@qadvis.com.