News & Commentary on ISO Management System Standards

    FDA QMSR and ISO 13485 – what you need to do


    On 02-Feb-24, the FDA published its Final Rule, amending the Current Good Manufacturing Practice (CGMP) requirement of the Quality System Regulation (QSR) of medical device manufacture.

    The amendments incorporate by reference (and so align more closely with) the international standard ISO 13485:2016, Medical Devices - Quality Management Systems - Requirements for regulatory purposes. The new regulations will be called QMSR (or Quality Management System Regulation Final Rule).

    The FDA's intention is to harmonize quality management system requirements for medical devices with requirements used by other regulatory authorities, thereby reducing unnecessary duplication of effort in meeting compliance requirements.

    The Transition Period for QMSR will be two years and not one year, as was speculated about previously. That means that before 02-Feb-26, FDA inspections will continue to be against QSR requirements.

    The Final Rule amends 21 CFR 820 by 'incorporating by reference' the QMS requirements defined by ISO 13485:2016. Most of the current requirements in Part 820 are withdrawn, and the referenced ISO 13485 requirements are considered to be substantially similar to the provisions of the QS Regulation in the consistent manufacture of devices that are safe and effective and otherwise in compliance with the Federal Food, Drug, and Cosmetic Act (FD&C Act).  

    The FDA has also revised 21 CFR part 4 to clarify the Quality Management System requirements for combination products.

    Note that certification to ISO 13485, while undoubtedly beneficial, is not a requirement.

    What, then, do you need to do to prepare for compliance with QMSR? In this Post, we will consider three situations:

    • What needs to be done if you don't have ISO 13485 Certification?
    • What needs to be done if you have ISO 13485 Certification?
    • What needs to be done if you have MDSAP Certification?

    But let's begin by considering the changes that are being introduced.

    FDA QSR vs. QMSR – the changes

    In the table below are the 'headline' changes. For detailed changes, including instances where there are differences in definition between ISO 13485 and QMSR (the latter takes precedence), you will need to consult the FDA's 'Medical Devices; Quality System Regulation Amendments' website.


    Subpart A - General Provisions

    • 820.1 Scope – Retained from QSR but reworded
    • 820.3 Definitions – Retained from QSR but reworded to include where definitions from ISO 13485 and ISO 9000 do and do not apply.
    • 820.5 (Reserved)
    • 820.7 Incorporation by reference – details the clauses incorporated from ISO 13485 plus some definitions from ISO 9000.
    • 820.10 Requirements for a quality management system – includes documentation requirements and compliance with applicable regulatory requirements.

    Subpart B - Supplemental Provisions

    • 820.20–820.30 (Reserved)
    • 820.35 Control of records – requirements in addition to Clause 4.2.5 of ISO 13485.
    • 820.40 (Reserved)
    • 820.45 Device labeling and packaging controls – requirements in addition to Clause 7.5.1 of ISO 13485.

    Subparts C - O (Reserved) – these sub-parts were used in the QSR and are now withdrawn.

    There is also a requirement to comply with other applicable 21 CFR requirements, namely,

    Part 830: Unique Device Identification Requirements (Clause 7.5.8)

    Part 821: Traceability Requirements, if applicable (Clause 7.5.9)

    Part 803: Reporting to Regulatory Authorities (Clause 8.2.3)

    Part 806: Advisory Notices (Clauses 7.2.3, 8.2.3, 8.3.3)


    What needs to be done if you don't have ISO 13485 Certification?

    You are not required to have ISO 13485 Certification, but you are strongly advised to get it.

    Be sure to choose a Certification Body (CB) that can provide accredited Certification. This may be more difficult than you might expect as your chosen CB may not have the required Scope of Accreditation, there being so many different types of medical devices.

    With so many of the clauses of ISO 13485 being included in QMSR 'by reference,' you cannot avoid ISO 13485 requirements. So, even if you decide not to secure ISO 13485 Certification, you should implement and maintain a QMS that meets its requirements.

    Pay particular attention to the requirement for a risk-based approach in Parts 4 through 8 of ISO 13485 and the specific requirement in Clause 7.1 for risk management concerning operations, especially regarding patient/user safety.

    So, where do you begin?

    1. Implement an ISO 13485-compliant QMS without compliance with QMSR.
    2. Obtain certification from an accredited CB.
    3. Complete a Gap Analysis against the detailed requirements of the FDA's 'Medical Devices; Quality System Regulation Amendments' and other applicable FDA Regulations.
    4. Modify the QMS to ‘fill the gaps.’
    5. Obtain certification from an accredited CB for the QMSR-compliant QMS.


    What needs to be done if you have ISO 13485 Certification?

    You should maintain your ISO 13485 Certification but note that this alone does not meet all the QMSR requirements. You will, therefore, need to include these additional requirements, especially regarding 21 CFR 820.45, Device Labeling and Packaging Controls, and 21 CFR 820.35, Control of Records.

    You will also need to change your Internal Audit Program to include all QMSR requirements in addition to those of ISO 13485.

    So, where do you begin?

    1. Complete a Gap Analysis against the detailed requirements of the FDA's 'Medical Devices; Quality System Regulation Amendments' and other applicable FDA Regulations.
    2. Modify the QMS to ‘fill the gaps.’
    3. Obtain certification from an accredited CB for the QMSR-compliant QMS.


    What needs to be done if you have MDSAP Certification?

    The Medical Device Single Audit Program (MDSAP) was developed in 2012 by the IMDRF with the full participation of the FDA. Under MDSAP, audits performed by third parties are conducted based on core ISO 13485 requirements with additional country-specific requirements. This involvement has allowed the FDA to accept certain MDSAP audits as a substitute for its routine surveillance of device quality systems under QSR.

    This acceptance of MDSAP Reports will continue to be the case under QMSR in most cases. The exceptions will be Class 3 devices and/or manufacturers with a poor compliance record. Note that acceptance of MDSAP audits is based on the MDSAP Audit Report content (which is highly structured) and not on the MDSAP Certificate itself.

    Where do you begin?

    1. Complete a Gap Analysis against the detailed requirements of the FDA's 'Medical Devices; Quality System Regulation Amendments' and other applicable FDA Regulations.
    2. Modify the QMS to ‘fill the gaps.’
    3. Obtain MDSAP certification from a recognized Auditing Organization (AO) for the QMSR-compliant QMS.

    Future FDA Inspections

    Inspections against QMSR will start from 02-Feb-26. In the meantime, the current regulations will apply.

    While the structure of FDA Inspections will not change, you should pay particular attention to the new sub-clauses, particularly 21 CFR 820.45 and 21 CFR 820.35.

    As FDA inspections are risk-based, you can expect that if certification to ISO 13485 is maintained, the frequency of such inspections will be reduced.

    Other Issues to note

    MDSAP Certification: Compliance with ISO 13485 requirements is integral to MDSAP Certification. FDA notes that MDSAP is a certification program that allows for a single QMS audit based on ISO 13485 and other applicable FDA device regulatory requirements, which the FDA may accept in lieu of routine surveillance inspections conducted by FDA investigators.

    ISO 13485 Certification: As such, the FDA does not intend to require medical device manufacturers to obtain ISO 13485 certification and will not rely on ISO 13485 certificates to conduct its regulatory oversight of medical device manufacturers. FDA inspections will not result in issuing a certificate of conformity to ISO 13485. Regardless of ISO 13485 certification, manufacturers must also comply with any additional and applicable requirements set forth in the FD&C Act.

    Risk management: This is required throughout the medical device’s lifecycle and is another requirement introduced by alignment with ISO 13485.

    ISO 14971: You should consider the use of ISO 14971 for the management of medical device risk. While this standard is not mandatory in ISO 13485, it is suggested (see Note to Clause 7.1) and would provide objective evidence of meeting this requirement.

    Competency Records: Under QMSR, the FDA considers Clause 6.2 of ISO 13485 to capture the intent of the previous §820.75(b)(1) adequately by requiring that any individuals doing work that impacts quality should be competent based on appropriate education, training, skills, and expertise. That is, the ISO 13485 definition of competency applies.

    Correction vs. Corrective vs. Preventive Action: The FDA agrees that ISO 13485 has one Clause outlining expectations regarding corrective action (Clause 8.5.2) and another Clause outlining the expectations regarding preventive action (Clause 8.5.3). Despite a surprising claim that it was already the case, the FDA has incorporated the corrective action and preventive action requirements of ISO 13485 by reference into the QMSR. It should be noted that Clause 8.2.2, Complaint Handling, also allows for the use of Corrections in addition to Corrective Actions.

    Exit Device master record (DMR), design history file (DHF), and device history record (DHR): These terms become obsolete and are replaced by the ISO 13485 terms Design & Development Files (Clause 7.3.10) and Medical Device Files (Clause 4.2.3).


    So, when do you start?

    If you already have ISO 13485 certification, there will be few changes to make at an operational level. Starting the switch to the new regulations in early 2025 would seem reasonable.

    However, if you do not have ISO 13485 certification, you should start the transformation immediately, beginning with securing ISO 13485 certification. The documentation requirements of this standard can be onerous (with up to 139 references to documentation of various types), and the possibility of significant operational changes exists.

    Best of luck!



    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems