The amendments incorporate by reference (and so align more closely with) the international standard ISO 13485:2016, Medical Devices - Quality Management Systems - Requirements for regulatory purposes. The new regulations will be called QMSR (or Quality Management System Regulation Final Rule).
The FDA intends to harmonize quality management system requirements for medical devices with requirements used by other regulatory authorities, thereby reducing unnecessary duplication of effort in meeting compliance requirements.
The Transition Period for QMSR will be two years and not one year, as was speculated about previously. That means that before 02-Feb-26, FDA inspections will continue to be against QSR requirements.
The Final Rule amends 21 CFR 820 by 'incorporating by reference' the QMS requirements defined by ISO 13485:2016. Most of the current requirements in Part 820 are withdrawn, and the referenced ISO 13485 requirements are considered to be substantially similar to the provisions of the QS Regulation in the consistent manufacture of devices that are safe and effective and otherwise in compliance with the Federal Food, Drug, and Cosmetic Act (FD&C Act).
The FDA has also revised 21 CFR part 4 to clarify the Quality Management System requirements for combination products.
Note that certification to ISO 13485, while undoubtedly beneficial, is not a requirement.
What, then, do you need to do to prepare for compliance with QMSR? In this post, we will consider three situations:
But let's begin by considering the changes that are being introduced.
In the table below are the 'headline' changes. For detailed changes, including instances where there are differences in definition between ISO 13485 and QMSR (the latter takes precedence), you will need to consult the FDA's 'Medical Devices; Quality System Regulation Amendments' website.
Revised Part 820—QUALITY MANAGEMENT SYSTEM REGULATION
Subpart A-General Provisions
Subpart B - Supplemental Provisions
Subparts C - O (Reserved) – these sub-parts were used in the QSR and are now withdrawn.
There is also a requirement to comply with other applicable 21 CFR requirements, namely,
Part 830: Unique Device Identification Requirements (Clause 7.5.8)
Part 821: Traceability Requirements, if applicable (Clause 7.5.9)
Part 803: Reporting to Regulatory Authorities (Clause 8.2.3)
Part 806: Advisory Notices (Clauses 7.2.3, 8.2.3, 8.3.3)
You are not required to have ISO 13485 Certification, but you are strongly advised to get it.
Be sure to choose a Certification Body (CB) that can provide accredited Certification. This may be more difficult than you might expect, as your chosen CB may not have the required Scope of Accreditation, as there are so many different types of medical devices.
With so many of the clauses of ISO 13485 being included in QMSR ''by reference,'' you cannot avoid ISO 13485 requirements. So, even if you decide not to secure ISO 13485 Certification, you should implement and maintain a QMS that meets its requirements.
Pay particular attention to the requirement for a risk-based approach in Parts 4 through 8 of ISO 13485 and the specific requirement in Clause 7.1 for risk management concerning operations, especially regarding patient/user safety.
So, where do you begin?
You should maintain your ISO 13485 Certification, but note that this alone does not meet all the QMSR requirements. You will, therefore, need to include these additional requirements, especially regarding 21 CFR 820.45, Device Labeling and Packaging Controls, and 21 CFR 820.35, Control of Records.
You will also need to change your Internal Audit Program to include all QMSR requirements in addition to those of ISO 13485.
So, where do you begin?
The Medical Device Single Audit Program was developed in 2012 by the IMDRF with the full participation of the FDA. Under MDSAP, audits performed by third parties are conducted based on core ISO 13485 requirements with additional country-specific requirements. This participation has allowed the FDA to participate in MDSAP and accept certain MDSAP audits as a substitute for its routine surveillance of device quality systems under QSR.
This acceptance of MDSAP Reports will continue to be the case under QMSR in most cases. The exceptions will be Class 3 devices and/or manufacturers with a poor compliance record. Note that acceptance of MDSAP audits is based on the MDSAP Audit Report content (which is highly structured) and not on the MDSAP Certificate itself.
Where do you begin?
Inspections against QMSR will start from 02-Feb-26. In the meantime, the current regulations will apply.
While the structure of FDA Inspections will not change, you should pay particular attention to the new sub-clauses, particularly 21 CFR 820.45 and 21 CFR 820.35.
As FDA inspections are risk-based, you can expect that if certification to ISO 13485 is maintained, the frequency of such inspections will be reduced.
MDSAP Certification: Compliance with ISO 13485 requirements is integral to MDSAP Certification. FDA notes that MDSAP is a certification program that allows for a single QMS audit based on ISO 13485 and other applicable FDA device regulatory requirements, which the FDA may accept in lieu of routine surveillance inspections conducted by FDA investigators.
ISO 13485 Certification: As such, the FDA does not intend to require medical device manufacturers to obtain ISO 13485 certification and will not rely on ISO 13485 certificates to conduct its regulatory oversight of medical device manufacturers. FDA inspections will not result in issuing a certificate of conformity to ISO 13485. Regardless of ISO 13485 certification, manufacturers must also comply with any additional and applicable requirements set forth in the FD&C Act.
Risk management: This is required throughout the medicaldevice'ss lifecycle and is another requirement introduced by alignment with ISO 13485.
ISO 14971: You should consider the use of ISO 14971 for the management of medical device risk. While this standard is not mandatory in ISO 13485, it is suggested (see Note to Clause 7.1) and would provide objective evidence of meeting this requirement.
Competency Records: Under QMSR, the FDA considers Clause 6.2 of ISO 13485 to capture the intent of the previous §820.75(b)(1) adequately by requiring that any individuals doing work that impacts quality should be competent based on appropriate education, training, skills, and expertise. That is, the ISO 13485 definition of competency applies.
Correction vs. Corrective vs. Preventive Action: The FDA agrees that ISO 13485 has one Clause outlining expectations regarding corrective action (Clause 8.5.2) and another Clause outlining the expectations regarding preventive action (Clause 8.5.3). Despite a surprising claim that it was already the case, the FDA has incorporated the corrective action and preventive action requirements of ISO 13485 by reference into the QMSR. It should be noted that Clause 8.2.2, Complaint Handling, also allows for the use of Corrections in addition to Corrective Actions.
Exit Device master record (DMR), design history file (DHF), and device history record (DHR): These terms become obsolete and are replaced by the ISO 13485 terms the Design & Development Files (Clause 7.3.10) and the Medical Device Files (Clause 4.2.3).
If you already have ISO 13485 certification, there will be few changes to make at an operational level. Starting the switch to the new regulations in early 2025 would seem reasonable.
However, if you do not have ISO 13485 certification, you should start the transformation immediately, starting with securing ISO 13485 certification. The documentation requirements of this standard can be demanding (with up to 139 references to the documentation of various types), and the possibility of significant operational changes exists.
Best of luck!
In
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a '‘university grade'’ standard used globally by schools, colleges, and universities to demonstrate their competence.
We offer Certified Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection and Risk Management.