FDA (Finally) Harmonizes Medical Device Manufacturing Requirements With ISO

Cooley LLP

On February 2, 2024, the US Food and Drug Administration (FDA) published a much-awaited final rule: the Quality Management System Regulation (QMSR).[1] By issuing this rule, FDA amended the medical device current good manufacturing practice (cGMP) requirements of 21 CFR Part 820 – the Quality System Regulation (QSR) – to align more closely with the quality management system (QMS) requirements used by other countries. The QMSR incorporates by reference the 2016 edition of ISO 13485, an international standard specific to device quality management systems set by the International Organization for Standardization (ISO). In addition, the QMSR incorporates by reference Clause 3 of ISO 9000:2015, “Quality management systems – Fundamentals and Vocabulary” (ISO 9000), which contains terms and definitions that are indispensable for the application of ISO 13485.

The QMSR establishes additional requirements that clarify certain expectations and concepts used in ISO 13485, which ensure consistency with other applicable requirements in the Federal Food, Drug, and Cosmetic Act (FDCA) and its implementing regulations. Moreover, the QMSR makes conforming edits to 21 CFR Part 4 to clarify that these device cGMP requirements apply equally to combination products.

The QMSR reflects FDA’s continued efforts to align FDA’s regulatory framework with that used by other regulatory authorities and promote consistency in the regulation of medical devices. ISO 13485 – an independent standard – is used internationally by many regulatory authorities to inform or govern quality management system requirements for device manufacturers, and also is used in regulatory harmonization programs, such as the Medical Device Single Audit Program (MDSAP). FDA and regulatory authorities from four other countries participate in the MDSAP.

Recognizing that the requirements in ISO 13485 have become more closely aligned with the QSR requirements, FDA seized upon the opportunity for regulatory harmonization and amended Part 820[2] to replace the QSR with the QMSR. FDA issued the proposed rule on February 23, 2022, nearly two years before the recently issued final version.

Important points to keep in mind while transitioning to the QMSR

1. Although the QMSR is ‘substantially similar’ to the QSR, there are some key differences.

FDA determined that the requirements in ISO 13485 are, when taken in totality, “substantially similar” to the requirements of the QSR and provide a similar level of assurance in a firm’s quality management system and in its ability to consistently manufacture devices that are safe, effective and otherwise in compliance with the FDCA. Although there are many similarities between the QMSR and QSR, there also are some key differences that should be noted, as discussed below.

Similarities

  • The QMSR retains certain definitions from the QSR. These include the definitions for “component,” “finished device,” “human cell, tissue, or cellular or tissue-based product (HCT/P) regulated as a device,” “manufacturer” and “remanufacturer.” In addition, all definitions in section 201 of the FDCA – such as “device,” “label” and “labeling” – shall apply to and supersede the definitions in ISO 13485. This is to ensure that the definitions in the QMSR are consistent with the FDCA (FDA’s operative statute) and its implementing regulations.
  • The QMSR has the same scope as the QSR. The QMSR, like the QSR, will apply only to manufacturers of finished devices, although, as was the case with the QSR, FDA has authority under the FDCA to extend QMSR requirements to manufacturers of components since “components” are part of the “device” definition under section 201(h) of the FDCA. In addition, the QMSR, like the QSR, will not apply to manufacturers of blood and blood components used for transfusion or for further manufacturing, even though such products may meet the definition of device under the FDCA. Rather, such manufacturers are subject to 21 CFR Parts 600 – 689, including the cGMP requirements for blood and blood components in 21 CFR Part 606.
  • The QMSR uses the definition of “top management” set forth in ISO 9000 rather than the term “management with executive responsibility” or its definition from the QSR. FDA clarified, however, that this change in terminology does not change FDA’s expectation that manufacturers, led by individuals with executive responsibilities, embrace a culture of quality as a key component in ensuring the manufacture of safe and effective medical devices that otherwise comply with the FDCA.[3]

Differences

  • The QMSR places more emphasis than the QSR on risk management throughout the life cycle of medical devices to ensure their safety and effectiveness. The QMSR, unlike the QSR, includes a specific requirement that device manufacturers “shall document one or more processes for risk management in product realization” and shall maintain records of risk management.[4] Currently, risk management in the QSR is captured primarily in requirements concerning design controls in 21 CFR § 820.30. According to FDA, “the more explicit integration of risk management throughout ISO 13485 and incorporated into the QMSR will help best meet the needs of patients and users and facilitate access to quality devices along with the progress of science and technology.”[5]
  • The QMSR will no longer use certain terms that are in the QSR. These terms include “design history file,” “device manufacturing record” and “device history record.” Moreover, the terms “safety and performance” in ISO 13485 will be used in lieu of, and be deemed to have the same meaning as, “safety and effectiveness” in the FDCA. Although it is debatable whether “performance” has the same meaning as “effectiveness” – and FDA acknowledged in the preamble to the QMSR that these terms are not interchangeable – FDA was satisfied that the provisions of the QMSR collectively are intended to assure that finished devices will be manufactured to meet the statutory requirement for safety and effectiveness under the FDCA.[6] Thus, “safety and performance” shall have the meaning of “safety and effectiveness” in Clause 0.1 of ISO 13485. Moreover, the QMSR explicitly stated that “the phrase ‘safety and performance’ does not relieve a manufacturer from any obligation to implement controls or other measures that provide reasonable assurance of safety and effectiveness.”[7]
  • The QMSR uses the term and definition of “customer” set forth in ISO 9000. Certain customer requirements in ISO 13485 are not grounded in the “safety and effectiveness” requirements of the FDCA. Thus, FDA noted in the preamble to the QMSR that FDA does not intend to enforce any customer requirements (e.g., requirements relating to customer property in Clause 7.5.10 of ISO 13485) to the extent that they are interpreted to go beyond the safety and effectiveness of the devices being manufactured.

2. Device manufacturers must continue to comply with the QSR until the QMSR becomes effective on February 2, 2026.

FDA had initially proposed that the QMSR would become effective one year after its issuance. However, in response to public comments, FDA determined that one year would not be enough and agreed to a two-year transitional period in the final rule.

While the QMSR is intended to streamline QMS regulations and harmonize these requirements with international standards by reducing the administrative burden of complying with multiple regulatory schemes, the QMSR may initially create disproportionate burden on small manufacturers that do not operate on an international scale and will need to adjust to the rule.

Although device manufacturers must continue to comply with the QSR until the QMSR becomes effective, those unfamiliar with ISO 13485 should begin to become familiar with the QMSR, train their employees, and update their procedures and practices to ensure an effective transition. Those who have not begun or are getting ready to launch their first medical device should begin transitioning to QMSR now.[8]

3. Although the QMSR incorporates by reference only ISO 13485 and Clause 3 of ISO 9000, other international standards may provide useful guidance.

ISO 13485 references ISO 14971 and other standards that are not incorporated by reference in the QMSR, but FDA noted that “such standards may be helpful in understanding application of ISO 13485,” and “organizations may choose to incorporate concepts, processes, or other aspects of ISO 9000 into their organization’s QS … so long as the resultant system is compliant with the QMSR established in this rulemaking.”[9]

4. FDA should continue to accept MDSAP audits in lieu of FDA inspections, but FDA will not require or rely solely on ISO 13485 certificates for regulatory oversight. ISO 13485 certificates from third-party auditing organizations are not substitutes for FDA inspections.

The MDSAP program is a voluntary certification program that allows for a single QMS audit based on ISO 13485, in addition to other applicable FDA device regulatory requirements. FDA should continue to accept MDSAP audits – which may discuss the manufacturer’s certification to ISO 13485 – in lieu of routine FDA surveillance inspections. MDSAP audits are conducted by third-party auditing organizations that have applied for participation in MDSAP and received “authorized” or “recognized” status after having been evaluated by the participating regulatory authorities. FDA uses the MDSAP audit reports as an additional tool for regulatory oversight of audited manufacturers.

While many device manufacturers undergo audits by third-party organizations outside of the MDSAP for compliance with ISO 13485, because FDA does not conduct oversight of non-MDSAP auditing organizations and does not evaluate the audit reports issued outside of the MDSAP, FDA will not require medical device manufacturers to obtain ISO 13485 certification and will not rely on ISO 13485 certificates to conduct its regulatory oversight of medical device manufacturers. Thus, FDA inspections will not result in the issuance of a certificate of conformity to ISO 13485, and FDA will not accept certification to ISO 13485 in place of FDA inspections.

5. The QMSR requires additional recordkeeping that had been exempted under the QSR regime.

In an effort to move toward global harmonization, FDA decided to forgo certain exceptions, such as those for management review, quality audits and supplier audits, which are inspected by other regulators and auditing entities (e.g., MDSAP auditing organizations).

6. The QMSR continues to require certain information concerning complaints, as well as device labeling and packaging, to ensure consistency with the FDCA and FDA regulations.

The QMSR retains some QSR provisions that are not in ISO 13485 to avoid conflict with the existing requirements in the FDCA and implementing regulations. These include, for example, certain requirements for complaint records and device labeling and packaging controls. From a practical standpoint, the complaint handling requirements under the QSR will continue to apply with respect to entities serving as US agents of foreign manufacturers of medical devices.

7. FDA acknowledges the tension between ISO 13485 and provisions of the FDCA and/or its implementing regulations.

Acknowledging the conflicts between certain ISO 13485 provisions and the FDCA, FDA included in the QMSR an express preemption provision – namely, that any conflict will be resolved in accordance with the FDCA and/or its implementing regulations. For example:

  • The definitions of “device” and “labeling” in section 201 of the FDCA supersede the correlating definitions for “medical device” and “labelling” in ISO 13485.
  • The terms “safety and performance” in ISO 13485 shall be construed to mean the same as “safety and effectiveness” in section 520(f) of the FDCA.

The burden is on the manufacturers to comply with all relevant laws and regulations, so this is an issue manufacturers will need to be aware of as they make the transition to compliance with the QMSR.

Notes

  1. Medical Devices; Quality System Regulation Amendments, 89 Fed. Reg. 7496 (February 2, 2024), which is to be codified at 21 CFR Part 820 and Part 4.
  2. Using its authority under section 520(f) of the FDCA, FDA issued a final rule for device cGMP requirements in July 1978 and created Part 820 (43 Fed. Reg. 31508). Twenty years later, FDA significantly revised Part 820 in a final rule published in the Federal Register on October 7, 1996 (1996 Final Rule), which established the QSR still in effect today. See 61 Fed. Reg. 52602 (the QSR became effective on June 1, 1997). Until now, FDA had not undertaken a significant revision of Part 820 since then.
  3. 89 Fed. Reg. at 7506.
  4. 89 Fed. Reg. at 7500.
  5. 89 Fed. Reg. at 7501.
  6. 89 Fed. Reg. at 7513.
  7. 89 Fed. Reg. at 7524.
  8. Both ISO 13485 and ISO 9000 are available at the American National Standards Institute (ANSI) Incorporated by Reference (IBR) Portal, or a copy may be purchased from the International Organization for Standardization, BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland; +41 22 749 01 11; customerservice@iso.org.
  9. 89 Fed. Reg. at 7506.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
