The US FDA (Food and Drug Administration) is known for many things. However, adaptability and the willingness to harmonize with other regulatory agencies worldwide might not be one of them. Nevertheless, in 2018 the FDA began work to reconcile the US regulation on quality systems, the Quality System Regulation (QSR, described in the Code of Federal Regulations Title 21, part 820), with the international standard on quality management systems ISO 13485 Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes. On February 23rd, 2022, the FDA published a proposed rule in the Federal Register, declaring their intentions to replace the Quality System Regulation (QSR) with a new Quality Management System Regulation (QSMR). The FDA highlights that they first realized the "comprehensive and effective approach to establish a QMS for medical devices" in ISO 13485 through the Medical Device Single Audit Program (MDSAP), which allows inspections of medical device manufacturers based on ISO 13485 requirements.
US Quality System Regulation (QSR)
The US Quality System Regulation describes the requirements for quality management systems of medical device manufacturers based in the United States. It was launched in 1997, making it more than 25 years old. While the regulation originally shared many concepts with ISO13485:1996, it still needs to be updated sufficiently to encompass the changes in the industry.
Set to start work in 2018, the complexity of the update, paired with a global pandemic, has delayed the harmonization. However, we should be seeing the final rule soon.
ISO 13485
ISO 13485:2016 describes the requirements for a quality management system for medical device companies. The first version of ISO 13485, based on ISO 9001 Quality Management Systems, was issued in 1996. The standard is updated every five years.
Why harmonize?
Having harmonized regulatory systems in the major global markets significantly helps medical device manufacturers comply with international regulations. Furthermore, global harmonization work, such as the MDSAP, can more easily take steps to reach international regulatory alignment.
The FDA acknowledges the strength of the ISO 13485 approach to quality management and points to several ISO 13485 principles that are stronger than the FDA 21 CFR 820.
Medical device regulations aim to improve the safety and efficiency of medical devices on the market. The harmonization of standards helps medical device manufacturers streamline their processes and ensure the quality of their medical devices globally.
What will change?
While the two regulations have evolved to be substantially similar, there are some key differences that the FDA will need to address. In their communication from February 2023, FDA outlines the scope and proposed updates to the regulation. While most of the changes are about revising the regulation to mimic ISO 13485 closer, there are more extensive updates afoot:
- Definitions: The FDA is planning to revise some of the definitions in the US regulation, such as "management with executive responsibility," "Device Master Record (DMR)," "customer," and others, to match ISO 13485. Likewise, the FDA is choosing to retain some of its definitions that do not match the international standard, such as "manufacturer," "product," and "device."
- Incorporate ISO 13485 by reference: The FDA will remove all Quality System Regulation (QSR) provisions substantially similar to ISO 13485 and directly reference the standard.
- Quality system requirements: Currently, quality management systems in the US must comply with CFR 21 part 820. A proposed regulation modification will ensure that quality system requirements are standardized across regulations, highlighting compliance with FDA requirements where there are discrepancies.
- Clarification of concepts: the FDA is clarifying the concepts of organization, safety and performance, and validation of processes to explain how ISO 13485 relates to the statutory and regulatory framework in the US.
- Supplementary provisions: the FDA is looking to add additional requirements to ensure consistency and alignment with other regulations and laws in the US. These additional requirements fall within record control and controls for labeling and packaging.
- Conforming amendments: The FDA will amend other parts of the CFR, such as part 4, to reflect the modifications made to part 820.
- Language updates: The new Quality System Management Regulation (QSMR) also plans to update the language surrounding some concepts to adapt sections of ISO 13485 to existing FDA requirements. For example, to comply with the ISO 13485 section on the identification of medical devices, US manufacturers must label their devices with a Unique Device Identifier (UDI). Additionally, manufacturers must submit medical device reports (MDRs) to the FDA as described in 21 CFR 803 for compliance with the ISO 13485 section on reporting.
Impact on medical device manufacturers
So, how will this harmonization of regulations impact medical device manufacturers? The two regulations have evolved to resemble each other, and the day-to-day operations of medical device manufacturers will likely stay the same. However, quality departments will need to change their quality systems substantially.
Risk management activities must be increased. Several risk analyses are required in ISO 13485 to identify potential hazards in device design and hazards due to user errors. Essentially, US manufacturers must shift to a proactive risk management system instead of the reactive system of the past. A proactive risk management system actively monitors market behavior and trends to identify and mitigate risk, and it builds risk management plans that define how to handle any data that might impact the device's benefit-risk profile.
Harmonization to ISO 13485 will not change the authority of the FDA. Medical device manufacturers with an ISO 13485 certification will not be exempt from FDA inspections, nor will they be granted certificates of conformance based on their ISO 13485. However, obtaining ISO 13485 certification will significantly help companies comply with the FDA regulations, as having formalized and effective processes are required for both certifications. Likewise, having FDA certification will help manufacturers obtain ISO 13485 due to the similarity in process requirements.
Regulatory compliance is expensive. By harmonizing regulations and standards, the FDA ensures that manufacturers can obtain compliance with both the FDA requirements and ISO 13485 relatively quickly, as the quality system processes will be similar. Once the initial implementation is complete, medical device manufacturers can save significant resources on quality system compliance due to the reduced need for quality management systems that comply with different regulations. The FDA estimates annualized net cost savings of approximately $439 million due to the reduction in compliance efforts of medical device manufacturers who currently comply with both standards. This includes reductions in personnel training, information technology needs, and documentation requirements.
When will implementation be completed?
The big question is – when will this final rule be issued, and when will medical device manufacturers have to comply with it?
In February 2022, the FDA gave the public 90 days to comment on the proposed rule. They then suggested a one-year implementation time. A one-year implementation date is short for medical device manufacturers and the FDA; the industry has called for a more extended implementation period.
However, there has yet to be any news on the implementation date of the rule. The first anniversary of the proposed rule has come and gone and the QSR and QSMR were both missing from the FDAs semiannual regulatory agenda issued in February 2023. Based on that, it is unlikely we will see the harmonization rule published in 2023.
