FDA Proposes to Harmonize the Quality System Regulation with ISO 13485
March 7, 2022On February 23, 2022, FDA published in the Federal Register a proposed rule that would replace the Quality System Regulation (QSR), at 21 C.F.R. Part 820, with a newly named Quality Management System Regulation (QMSR). The QMSR omits many of the specific QSR requirements that currently appear in the regulations, and instead incorporates by reference an international standard for medical device quality management systems. This international standard is the 2016 edition of ISO 13485, issued by the International Organization for Standardization (ISO).
The harmonization of the QSR with ISO 13485 has been in the works for some time. FDA initially announced this plan in 2018, and it has previously appeared in FDA’s regulatory agenda. The proposed rule, once finalized, will be the first time the QSR has been amended since 1996, when the QSR was updated pursuant to new authority granted to FDA via the Safe Medical Devices Act of 1990.
ISO 13485 is both widely used and largely duplicative of the QSR, with some slight differences. It is very common for a medical device manufacturing facility both to be certified as compliant with ISO 13485 and to have quality system procedures designed to comply with the FDA’s QSR. FDA acknowledges in the proposed rule that the “redundancy of effort to comply with two substantially similar requirements creates inefficiency.”
The proposed rule describes the history of ISO 13485, noting that it was first issued the same year as the last updates to the QSR—in 1996. ISO 13485 has continued to evolve since 1996, and as described by FDA in the proposed rule, “[w]ith each revision . . . has become more closely aligned with, and similar to, the requirements in part 820.” FDA now sees the alignment between the QSR and ISO 13485 as an “opportunity for regulatory harmonization.”
Interestingly, FDA says that it gained experience with ISO 13485 through the Medical Device Single Audit Program (MDSAP), which allows for inspections based on core ISO 13485 requirements. Through MDSAP, FDA determined that ISO 13485 “provides a comprehensive and effective approach to establish a QMS for devices.” Like MDSAP, the QMSR is FDA’s attempt to harmonize internationally recognized regulatory expectations with medical devices subject to US FDA jurisdiction.
The gap between QSR requirements and ISO standards has created confusion for companies that focused compliance only on ISO certification. FDA investigators expecting to see detailed procedures setting forth each of the requirements of the QSR have been confounded by procedures containing different terminology or lacking elements specifically required by the QSR. And FDA has issued Form 483s and Warning Letters to companies for failing to have adequate procedures in compliance with the QSR, despite those companies’ arguments that ISO compliance ensures safety and effectiveness. See, e.g., FDA Warning Letter to San Up S.A. (Nov. 25, 2013).
The proposed QMSR removes all QSR provisions that FDA determined were substantially similar to requirements in ISO 13485. These provisions are replaced instead with a new section that incorporates ISO 13485 into the regulations by reference. The proposed QMSR specifically references the 2016 version of the ISO 13485 standard. The proposed rule leaves open the possibility that FDA will need to amend the regulations in the future to incorporate by reference later versions of the standard.
ISO 13485, while largely duplicative to the QSR, is not a perfect fit with other existing FDA regulations. To adapt ISO 13485 to the existing FDA regulatory framework, the proposed QMSR retains definitions of some terms that do not appear in ISO 13485 but are necessary to ensure alignment with the Federal Food, Drug, and Cosmetic Act (FDCA), such as the definitions for component, finished device, design validation, remanufacturer, and nonconformity. Some existing terms have also been revised for better alignment with ISO 13485, such as replacing the defined term “management with executive responsibility” with “top management,” which is a term that appears in the ISO standard.
Additionally, the proposed QMSR includes a section on “clarification of concepts,” which draws parallels between terms used in the FDCA and implementing regulations and corresponding terms in ISO 13485. For example, the term “organization” in the ISO standard should be read as being equivalent to the term “manufacturer” under the FDA regulatory framework, and “safety and performance” is equivalent to “safety and effectiveness.”
Though FDA determined that ISO 13485 is an adequate replacement for most of the existing QSR provisions, there are a few additional FDA-specific requirements. The proposed QMSR includes sections on control of records and device labeling and packaging controls. The section on control of records outlines how FDA expects documents to be approved with a date and signature, such as under the existing document control provisions, and how Unique Device Identifiers (UDIs) (an FDA-specific requirement) should be recorded on certain complaint and servicing records. Additionally, the device labeling and packaging controls section align with other FDA requirements in 21 C.F.R. Part 801.
FDA has also included language in the QMSR to better adapt certain sections of ISO 13485 to other FDA requirements. For example, the proposed regulation provides that, for compliance with the ISO section on “Identification,” a device must be labeled with a UDI. Additionally, for compliance with the ISO section on “Reporting,” a manufacturer must submit medical device reports (MDRs) to FDA pursuant to 21 C.F.R. Part 803.
One area where ISO 13485 has additional requirements compared to the existing QSR is risk management. As it stands, risk analysis is only briefly mentioned in the QSR in the context of design validation (21 C.F.R. § 820.30(g)), and a comprehensive risk management process is only implicitly required by the QSR. In contrast, risk management is a key focus of ISO 13485. To adapt to the QMSR, device manufacturers will need to consider whether they need to establish new risk management procedures, which could be a significant change to a quality management system.
While, in other countries, receipt of a certification of compliance with ISO 13485 by an independent auditor may be sufficient to establish an adequate quality system, the proposed rule makes clear that FDA does not intend to alter its current approach to inspections. The proposed rule states that manufacturers with an ISO 13485 certificate are not exempt from FDA inspections, nor will FDA issue ISO 13485 certificates based on a successful FDA inspection.
FDA is providing 90 days for comment on the proposed rule, until May 24, 2022. Additionally, once the rule is finalized, FDA plans to allow one year for companies to adapt to the new QMSR, although this one-year period is subject to comment along with other aspects of the proposed rule. If finalized as is, companies that have limited its activities to FDA jurisdiction and have not focused on ISO certification will need to get up-to-speed on ISO 13485. Companies that already tailor their processes to meet both QSR and ISO standards likely will welcome the QMSR, but still will need to review and revise their procedures to update to the new regulation.