United States: Top 10 Takeaways From FDA's Revised Quality System Requirements For Medical Devices

On February 2, 2024, the U.S. Food and Drug Administration ("FDA") published a final rule¹ to amend the current good manufacturing practice requirements for medical devices by harmonizing the existing requirements with ISO 13485:2016, the international consensus standard for device quality management systems used by regulatory authorities in many countries throughout the world. The revised requirements will be known as the Quality Management System Regulation ("QMSR").

FDA's final rule announcing the QMSR is generally consistent with the proposed rule issued in February 2022 (refer to our prior Ropes & Gray Alert). FDA determined that the requirements in ISO 13485:2016 are substantially similar to the requirements of FDA's existing Quality System Regulation ("QSR") in 21 C.F.R. Part 820 and provide a similar level of assurance that devices are safe and effective and otherwise in compliance with the Federal Food, Drug, and Cosmetic Act ("FDCA"). To reduce the regulatory burden on many global device manufacturers that must comply with both the QSR and ISO 13485, FDA is amending Part 820 to replace its QSR with the new QMSR that incorporates ISO 13485:2016 by reference. The QMSR also includes several additional definitions and requirements that clarify certain expectations and concepts from ISO 13485 and avoid potential inconsistencies with the FDCA and other applicable FDA requirements.

This Alert summarizes our top 10 takeaways for medical device industry stakeholders to consider as they plan for compliance with the new QMSR.

1. The QMSR will become effective in two years.

The QMSR will become effective in two years on February 2, 2026. Until then, device manufacturers must continue to comply with the existing QSR.

FDA's proposed rule had targeted a one-year transition period to the QMSR, but industry stakeholders commented that one year would not be enough time to train their personnel, revise procedures, and update their practices. FDA's final rule acquiesced to these concerns by extending the transition period to two years for all device manufacturers. FDA declined to provide any additional time for small or midsize device companies to come into compliance.

2. The QMSR will have the same scope as the QSR.

The scope of the QMSR is consistent with the applicability of the QSR.² Like the QSR, the QMSR will apply only to manufacturers of finished devices. FDA declined to extend QMSR requirements to manufacturers of components or parts of devices, although FDA maintained in the final rule that it would have the legal authority to do so under the FDCA. Additionally, like the QSR, the QMSR will not apply to third-party servicers and refurbishers.

3. Say goodbye to QSR-specific terminology like "design history file," "device manufacturing record," and "device history record."

As a result of incorporating ISO 13485 by reference, many QSR-specific terms, like design history file, device manufacturing record, and device history record, will be eliminated. In the final rule, FDA explained that it eliminated terms associated with these record types because ISO 13485 imposes analogous record requirements. For example, FDA views the "design and development file" described in ISO 13485 as consistent with the QSR requirements for a design history file. FDA also views the "medical device file" required by ISO 13485 as including the records covered by a device master record under the QSR.

4. Management reviews, internal quality audit reports, and supplier audit reports will no longer be exempt from inspection by FDA.

The QSR excludes management reviews, internal quality audit reports from the scope of documents manufacturers are required to maintain and make readily available to FDA for inspection..³ ISO 13485 contains no such exceptions from its recordkeeping requirements. FDA received numerous comments requesting the agency maintain the confidentiality of these types of records during FDA inspections. In response, FDA declined to retain the QSR exceptions, reasoning that (i) the QSR exceptions are not available to manufacturers that are already being inspected by other regulatory authorities and (ii) these records are already maintained in the regular course of business so it should not be burdensome to make them available to FDA.

FDA explained that it "intends to modify its inspectional processes consistent with this rulemaking" but did not provide any details (see also takeaway #10 below). Consequently, whether FDA in practice will begin inspecting management reviews, quality audit reports, and supplier audit reports under the QMSR remains to be seen. Separate and apart from the regulatory exception in the QSR, FDA has for decades had a policy of not reviewing internal quality assurance audits during routine inspections.⁴ FDA's final rule does not address whether it will continue to apply this policy during device inspections.

5. The QMSR may provide more flexibility in certain respects than under the QSR.

While FDA views the QSR and ISO 13485 as "substantially similar," the two standards do not perfectly overlap, and every requirement in the QSR does not necessarily map to an express requirement in ISO 13485. Thus, the QMSR may provide more flexibility in certain areas than under the QSR.

For example, the QSR requires that each stage of design review include an individual who does not have direct responsibility for the design stage being reviewed.⁵ However, ISO 13485 does not contain this explicit requirement. In the final rule, FDA explained that ISO 13485 contains a more general requirement that design review include representatives of functions concerned with the stage under review as well as other specialist personnel. FDA acknowledged that under the QMSR, manufacturers may choose which individuals to include in each stage of design review.

6. The QMSR retains several QSR requirements pertaining to complaint records and device labeling and packaging controls.

The QMSR includes several provisions from the QSR that supplement ISO 13485 to ensure consistency and alignment with other requirements in the FDCA and FDA regulations. For example, the QMSR includes specific requirements for complaint records—consistent with the existing QSR requirements⁶—that supplement the more limited requirements of ISO 13485. Additionally, the QMSR retains specific requirements for device labeling and packaging controls from the QSR⁷ because ISO 13485 does not specifically address the inspection of labeling and packaging by the manufacturer.

7. FDA may continue to utilize Medical Device Single Audit Program ("MDSAP") audits as a substitute for routine FDA inspections.

MDSAP is a voluntary certification program under which audits of participating medical device manufacturers are performed by third-party auditing organizations according to core ISO 13485 requirements and additional country-specific requirements. FDA participates in MDSAP and has a policy that it "may" accept MDSAP audit reports in lieu of routine surveillance inspections conducted by FDA. FDA's final rule explained that the implementation of the QMSR will not change the voluntary nature of MDSAP or FDA's policy regarding MDSAP audit reports.

8. FDA will not accept ISO 13485 certificates from third-party auditing organizations in lieu of FDA inspections, nor will FDA inspections result in the issuance of ISO 13485 certificates.

To comply with regulatory requirements in certain jurisdictions outside the U.S. or to satisfy contractual obligations with business partners, many medical device manufacturers are audited by third-party organizations (outside of MDSAP) for compliance with ISO 13485 and receive ISO 13485 certificates following satisfactory completion of such audits. FDA explained in the final rule that it will not rely on ISO 13485 certificates to conduct oversight of device manufacturers, meaning that FDA will not accept an ISO 13485 certificate as a substitute for an FDA inspection. Additionally, FDA stated that FDA inspections will not result in the issuance of ISO 13485 certificates.

9. Implementation of the QMSR is likely to impose a meaningful burden on U.S. manufacturers without prior ISO 13485 experience.

By harmonizing medical device quality system requirements with ISO 13485, FDA expects that the QMSR will reduce administrative burdens on manufacturers, eliminate redundant efforts resulting from complying with multiple regulatory schemes, and lower manufacturers' compliance costs. However, device manufacturers that conduct business exclusively in the United States and that have not previously dealt with ISO 13485 will likely have a more difficult adjustment when implementing changes to their processes and practices that are required by the QMSR. While ISO 13485 and the existing QSR are "substantially similar" in FDA's view, the regulatory schemes use different terminology and are organized differently. U.S.-based device manufacturers that lack specific experience with ISO 13485 should develop a QMSR transition plan now, well in advance of the effective date in February 2026.

10. How FDA will apply the QMSR during inspections is unclear.

Numerous industry stakeholders commented that FDA should explain the inspection procedures it intends to follow after the implementation of the QMSR. In the final rule, FDA explained that it will replace its current inspection approach for medical devices, the Quality System Inspection Technique, with an inspection approach that is consistent with the QMSR. FDA added that it intends to update its IT systems, train personnel, finalize its inspection approach, and assess relevant regulations and "other documents" impacted by the rulemaking. But FDA otherwise declined to provide any details regarding what this inspection approach will look like or even when such details might be released.

As a result, device companies—even those familiar with ISO 13485—are left wondering how FDA will apply the QMSR in practice during inspections. This lack of clarity will make it more difficult for companies to determine the precise extent to which they need to update their processes and systems to align with the agency's expectations under the QMSR.

Footnotes

1. 89 Fed. Reg. 7496 (Feb. 2, 2024).

2. 21 C.F.R. § 820.1(a).

3. 21 C.F.R. § 820.180(c).

4. FDA, CPG Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections (June 2007), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cpg-sec-130300-fda-access-results-quality-assurance-program-audits-and-inspections.

5. 21 C.F.R. § 820.30(e).

6. 21 C.F.R. § 820.198.

7. 21 C.F.R. § 820.120.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.