Copy to clipboard 
FDA issued the Quality Management System Regulation (QMSR) final rule earlier this year to harmonize quality management system requirements for medical devices with the guidance used by other international regulatory authorities.
The new rule amends FDA’s current good manufacturing practice (CGMP) requirements of the Quality System Regulation (QSR) by incorporating elements set by the international standard ISO 13485:2016. FDA will begin to enforce the QMSR final rule on February 2, 2026. Until then, medical device manufacturers must still comply with the QSR.
Outside the U.S., nearly the whole world uses ISO 13485:2106 to build Quality Management Systems (QMS) for medical devices. In the U.S., FDA uses the QSR to govern QMS. The QSR was established as 21 CFR Part 820 in June 1997, and it hasn’t changed significantly since then.
So, what does this all mean? I have an old friend who’s an epidemiologist in clinical practice in New England. In the first year of the COVID pandemic, she told me, “I spend half my time calming down people who are too scared and the other half scaring people who are too calm.”
That’s sort of how I feel about the QMSR final rule. Below, I’ll focus on calming readers’ nerves about its requirements. I’ll also highlight a few actual challenges to medical device quality compliance that readers should be aware of moving forward.
Steps Toward Compliance
Here’s the key point about the final QMSR rule: You have two years to comply, and the new directives won’t require a heavy lift. I’m amused to see articles describing a “cottage industry” of consultants springing up to help clients “beat the deadline” for this low-burden, long-timeline project. Focus on these key factors and you’ll get up to speed on the new rule long before the mandated deadline.
Include risk assessments. FDA is replacing the QSR with the QMSR, which “incorporates by reference” the requirements of ISO 13485:2016 and adds most of the QSR requirements that were missing from ISO 13485:2016. The QMSR requires the same activity that MCRA and other consultancies have been performing for years as clients transition to serving customers in the U.S. and internationally.
ISO 13485:2016 includes additional requirements, most of which focus on risk management. For example, the QSR merely requires you to ensure that personnel are trained to perform their jobs. ISO 13485:2016 requires you to evaluate the effectiveness of training proportionately to the risk associated with the work that you’re training the personnel to perform.
In other words, when you train someone to operate a radiation sterilization chamber, you should evaluate them with more scrutiny than the staff members who take inventory in a warehouse. Training effectiveness can be evaluated through quizzes and on-the-job supervision, among other methods.
Similarly, the QSR requires you to select potential suppliers based on their ability to meet quality requirements. ISO 13485:2016 requires you to do this proportionately to the risk associated with the medical device.
So, to add international customers to a U.S.-only system, you must add risk-based requirements to various Standard Operating Procedures (SOP).
Map the changes. The biggest challenge in these transitions isn’t adding new requirements to SOPs and forms, but rather understanding the disparate structures of the QSR and ISO 13485:2016. Even if the requirements are very similar, the tables of contents are not.
For example, ISO 13485:2016 (sensibly) places document control and records control next to each other, whereas the QSR puts them at nearly opposite ends of the regulation. If you’ve always worked in an ISO 13485:2016-based system, it might not occur to you to thumb to the back of the QSR to find that second half.
Although the QSR (sensibly) keeps incoming, in-process and final inspections together, ISO 13485:2016 makes incoming inspection part of the purchasing process. This does not mean that a company that adds international requirements must break up a QSR-based SOP that combines incoming, in-process and final inspections. We always recommend that if a client’s QMS organization works well, the new requirements should be added to the relevant SOPs in situ.
FDA investigators and notified body auditors are perfectly capable of navigating any QMS with a little guidance, regardless of how it’s structured. Because the QMSR final rule adds some new section numbers to the regulation (820.35 Control of Records and 820.45 Device Labeling and Packaging Controls), it will make life easier for everyone if your QMS has a mapping chart to aid in that navigation.
For companies that are already compliant with the QSR and ISO 13485:2016 — which is many medical device manufacturers in the U.S. — the QMSR requires no change at all, other than perhaps that helpful mapping chart.
Focus on Urgent Requirements. There are a few pressing challenges to medical device quality compliance that focus on software documentation and cybersecurity, and they are high-burden, short-timeline projects.
BONEZONE has published multiple articles about FDA’s new guidance documents for medical device software documentation and cybersecurity. Orthopedic companies that develop devices that contain any level of software or the simplest firmware must immediately take the new guidance documents into account.
This work involves not only updates to SOPs, but also updated reassessments of software risk (two tiers instead of three), new and unfamiliar types of testing for cybersecurity and ongoing maintenance activities that can’t fall behind schedule. Unlike the QMSR, these changes don’t need to wait for the Quality System Inspection Technique (QSIT) to be replaced. FDA inspectors can immediately apply the new software and cybersecurity requirements using the old QSIT.
There’s Plenty of Time
Incorporating ISO 13485:2016 into the QMSR is indeed a sea change in FDA’s approach to quality management, but it shouldn’t be a significant burden to medical device manufacturers.
Generally, adding international requirements to a QSR-based system adds about 5% of new material to the QMS, while adding U.S. requirements to an ISO 13485:2016-based system adds about 2% of new material. When we help clients comply with the new rule, we can add international requirements in under a week and U.S. requirements in a few days.
At some point, FDA will have to replace its old QSIT manual to reflect the QMSR. This might be one of the reasons for the lengthy compliance timeline. Device manufacturers don’t need all that time to make minor QMS changes, but FDA might need it to make a major shift in its inspection paradigm. We’ll let you know when something definitive is released in that regard.
In the meantime, keep your eyes on the immediate changes already mandated by FDA for medical device software development and don’t let the hype overwhelm you as you work to comply with the rest of the final rule’s requirements.
For specific questions or additional information about the requirements, email Keisha Thomas or Melissa Torres of FDA’s Center for Devices and Radiological Health.
