The US Food and Drug Administration (FDA) published its Medical Devices; Quality System Regulation Amendments proposed rule to amend the medical device Quality System Regulation (QSR) on February 23, 2022. While FDA generally frames the proposal as an effort to incorporate International Organization for Standardization (ISO) 13485 (2016) by reference, the proposal includes several key changes that medical device manufacturers should consider for potential comment. These include requirements relating to risk management within quality management systems (QMS), clarification and revisions to certain defined terms, recordkeeping requirements, current good manufacturing practice (cGMP) requirements for combination products, and changes to FDA’s long-standing Quality System Inspection Technique (QSIT) procedures.
The proposed rule amends the QSR at 21 CFR Part 820 to align with ISO 13485. FDA’s approach is consistent with its ongoing efforts to modernize and harmonize its medical device regulations. In the proposed rule, FDA expresses its intention to remove redundant regulatory requirements as well as barriers to market entry and patient access through harmonization with ISO 13485. Currently, device manufacturers that operate in multiple jurisdictions must comply with FDA’s Part 820 in addition to other requirements, such as ISO 13485. The timing of this proposed rule closely follows the effective date of the EU Medical Device Regulation (MDR), Regulation EU 2017/745, which took effect on May 26, 2021, and also incorporates ISO 13485.
Regulatory authorities around the world recognize ISO 13485 as the QMS standard for medical devices. ISO is an international nongovernment organization made up of experts and membership of standard-setting bodies from around the world. ISO works to develop standards that help ensure product quality and regulatory compliance across jurisdictions. The first version of ISO 13485, published in 1996 as a voluntary consensus standard, has evolved to provide a framework for quality management throughout the design and development processes for medical devices. As ISO 13485 has evolved, it has become more closely aligned with FDA’s Part 820.
In FDA’s view, ISO 13485 is substantially similar to FDA’s current regulatory framework, and differences between the current regulatory requirements and ISO 13485 are consistent with the intent behind FDA’s regulation. To accomplish harmonization, the proposed rule would incorporate the QMS requirements of ISO 13485 by reference and make certain changes to key areas of FDA’s regulatory framework. If the proposed rule is adopted, the name of the regulation at Part 820 would be updated from QSR to the Quality Management System Regulation (QMSR).
Key Takeaways and Concepts
Robust Risk Management Procedures
Risk management has long been a key component and central focus of quality assurance. The current QSR expressly addresses risk management activities primarily in the context of the risk analysis associated with design validation. See 21 CFR § 820.30(g).
Although Part 820 contemplates that manufacturers should address risk in various processes, such as corrective and preventive actions (CAPAs), through the incorporation of ISO 13485, FDA clarifies its intent to expressly address risk management and risk-based decision-making throughout the lifecycle of device manufacturing. According to FDA, ISO 13485 integrates risk management to a greater degree than FDA’s current regulatory framework. In the agency’s view, risk management is an “essential systematic practice” to ensure that devices are safe and effective. Therefore, if the proposed rule is adopted, manufacturers will likely need to enhance risk management procedures in all aspects of their businesses to align with the QMSR. FDA believes that this risk management approach results in ISO 13485 having a more flexible approach to quality, suggesting that the agency does not intend to change its longstanding position that the QSR provides a flexible “umbrella” approach to cGMP. ISO 13485, like current Part 820, must apply to many different types of devices, and manufacturers must determine how to appropriately implement the QSR according to the current state-of-the-art manufacturing for a specific device.
The proposed rule also would update the concept of QMS. The current 21 CFR § 820.5 requires manufacturers to establish and maintain a QMS that meets the requirements of 21 CFR Part 820. The proposed rule would instead require manufacturers to develop a QMS that complies with ISO 13485, as modified by the proposed Part 820. The QMS also would have to be documented (e.g., by recording quantitative data so manufacturers could analyze performance of their processes and protocols).
One open question is whether cybersecurity is considered to be a component of the enhanced risk management procedures required under the proposal. The agency has taken the position that cybersecurity is an important consideration to ensure quality when manufacturing and using medical devices. While the agency has been active in this area and has released many resources on the topic, the proposed rule is silent as to whether a QMS must include procedures to address cybersecurity. Likewise, ISO 13485 does not expressly address cybersecurity, but it may contemplate cybersecurity as a component of its risk management and software validation procedures.
Clarification Concerning Terminology
FDA highlights specific points of clarification in the proposed rule that may have implications for current company policies and quality management processes.
Top management. The proposed rule would replace the term “management with executive responsibility,” defined in 21 CFR § 820.3(n), with the term “top management,” which is currently used in ISO 13485 and defined in “Quality Management Systems – Fundamentals and Vocabulary,” ISO 9000:2015. FDA proposes to use the ISO term “top management” while retaining the current definition set out in 21 CFR § 820.3(n) (i.e., “those senior employees of a manufacturer who have the authority to establish or make changes to the manufacturer’s quality policy and quality system.”) This change, along with the rationale set forth in the proposed rule, emphasizes that senior employees of a device manufacturer’s business (including C-Suite or personnel at the most senior levels of the organization) are responsible for compliance with quality requirements and should promote a “culture of quality” in every aspect of the business. The proposed rule notes that a “culture of quality meets regulatory requirements through a set of behaviors, attitudes, activities, and processes.” This point of clarification supports the idea that FDA will continue to carry forward its trend of relying on the Park Doctrine principles to hold high-level executives within a business responsible for violations.
Product. The term “product” at 21 CFR § 820.3(r) would be modified to clarify that the definition encompasses services and, by extension, third parties that provide services related to the design, development and manufacture of medical devices. The extent to which QSR should apply to service providers and the degree of oversight or purchasing controls that FDA would expect for service providers is not clear.
Customer. FDA proposes to include a definition for the term “customer” that encompasses “persons or organizations, including users, that could or do receive a product or a service that is intended for or required by this person or organization . . . .” The term would include individuals inside or outside of the organization as well as individuals or organizations at many levels of the supply chain, including component manufacturers, contract manufacturers and end users. FDA emphasizes its expectation that component manufacturers comply with the QSR to the extent applicable, and that finished device manufacturers ensure the integrity of components they receive. The proposed rule also acknowledges that “customers” may impose requirements that do not directly impact safety or effectiveness, and indicates that FDA does not intend to enforce QSR for such activities. FDA does not provide examples of customer requirements that would exceed the scope of FDA’s authority. Therefore, manufacturers may want to request clarification on this point.
Clarification Concerning Certain Concepts
FDA specifically clarifies three concepts from ISO 13485 to describe their application to FDA’s regulatory regime:
Organization. ISO 13485 describes the term “organization” as the entity responsible for creating a QMS. FDA proposes that the term ‘‘organization,’’ as used in ISO 13485, includes a “manufacturer,” as the term is defined in proposed 21 CFR § 820.3. This proposed change emphasizes FDA’s long-established expectation that contract manufacturers or outsourced service providers that perform specific or discrete steps in the manufacturing process, such as relabeling, repackaging or specification development, are expected to create or maintain quality systems that apply to their activities and functions.
Safety and performance. FDA clarifies that the term “safety and performance,” which is used in ISO 13485 to refer to a standard to measure medical devices, has the same meaning as FDA’s “safety and effectiveness” standard set out in section 520(f) of the Federal Food, Drug, and Cosmetic (FD&C) Act. Acknowledging that some may “disagree about how two standards compare, whether one is more stringent than the other,” the agency does not intend to take a position on the comparison. Instead, it offers this point for the purpose of clarification when interpreting requirements under ISO 13485.
Validation of processes. Although ISO 13485 uses the term “validation of processes,” the term is not defined in the standard. FDA confirms that the term refers to “process validation,” as that term is currently defined in 21 CFR § 820.3(z)(1).
Certain QSR Requirements Are Retained
Despite the incorporation of ISO 13485, certain QSR requirements will be carried forward if the agency adopts the proposed rule, including the following:
The scope and application of ISO 13485’s “Design and Development” provisions. The scope of the current 21 CFR § 820.30(a) will remain the same if the proposed rule is adopted. Therefore, ISO 13485, Clause 7.3 (Design and Development), will apply only to the manufacturers of certain Class I devices (i.e., those listed in 21 CFR § 820.30(a)) in addition to manufacturers of Class II and Class III devices.
Labeling and packaging requirements. FDA will retain its current requirements at Part 820 that address labeling and packaging operations if the proposed rule is adopted. While Clause 7.5.1(e) of ISO 13485 requires that manufacturers implement procedures for labeling and packaging, it does not provide further guidance. FDA’s believes that its requirements (e.g., inspection of labeling by the manufacturer) establish safeguards to mitigate against device recalls related to labeling and packaging, and therefore should remain in the regulation.
FDA proposes additional record control requirements to ensure that records are established and maintained in a consistent and concise manner that demonstrates their validity and authenticity. FDA emphasizes that its focus is on the substance “and not the physicality of the record.” Proposals include the following:
Implementing the signature and date requirements for records subject to the records control provisions in Clause 4.2.5 of ISO 13485, underscoring FDA’s continued focus on ensuring the validity and authenticity of signatures and dating of quality and manufacturing records, including electronic records
Establishing requirements to ensure that the information required by 21 CFR Part 803 (Medical Device Reporting) is also documented and captured in complaints and servicing records
Requiring firms to document in their records the Unique Device Identification (UDI) for each medical device or batch of medical devices in accordance with 21 CFR Part 830 (Unique Device Identification)
Retaining clarification from the current 21 CFR § 820.180 concerning confidentiality and protection of records to emphasize that FDA will protect such records in accordance with the agency’s public information and disclosure regulations at 21 CFR Part 20.
The proposed rule also provides clarification concerning manufacturers’ obligations to make records available. ISO 13485, Clause 4.2.5, requires that records be “readily identifiable and retrievable,” which FDA considers to be substantially similar to current FDA requirements. FDA clarifies that records may be kept at a location separate from the inspected establishment as long as they are readily available (i.e., the records may be made available during the course of an inspection). Foreign manufacturers maintaining records at remote locations would be expected to produce records within two working days following a request.
FDA also proposes conforming amendments to 21 CFR Part 4, which codifies the cGMP requirements applicable to combination products and provides a streamlined option for combination product manufacturers to demonstrate compliance with cGMP. In general, under FDA’s provisions, single-entity and co-packaged combination products with device constituent parts may comply with the cGMP requirements of one of the applicable sets of standards (including the applicable provisions of Part 820), instead of demonstrating compliance with all cGMP requirements. The proposed amendments do not impact the cGMP requirements for combination products. Instead, the agency proposes conforming amendments to 21 CFR Part 4 clauses to the corresponding ISO 13485 references. FDA specifically requests comments on the proposed conforming amendments and whether further changes are necessary to ensure compliance with 21 CFR Part 4.
Impact on Inspection Procedures
The proposed rule would not impact FDA’s inspection authority under the FD&C Act. However, if the proposed rule is adopted, FDA intends to replace QSIT, which is the agency’s historical approach to inspection. FDA would replace QSIT with an inspection approach that is consistent with the requirements of the proposed Part 820. The agency describes an approach that would be similar to QSIT (e.g., it would involve information collection to support inspection observations, including Form FDA 483). However, it is unclear exactly how this new approach would differ from QSIT. FDA also notes that its inspection would not be a substitute for an ISO 13485 certification process where such certification is required, nor would those who hold an ISO 13485 certificate be exempt from FDA inspection. While the new approach to inspection remains unclear, FDA indicates that it will engage in training and education activities if the proposal is implemented.
Next Steps for Manufacturers
This proposed rule presents a revised framework to the medical device QSR that industry has long anticipated. The proposed effective date for the proposed rule (and any final rule based on this proposal) will be one year after the date of publication of the final rule in the Federal Register. Therefore, once final, there will not be much time to come into compliance prior to the effective date. As described herein, certain proposed changes likely will have a significant impact. Stakeholders should review the relevant changes and consider engaging throughout the rulemaking process to improve the proposal.