For years, US FDA has been talking about aligning the existing FDA Quality System Regulation (QSR) with ISO 13485. FDA has finally pushed the updated 21 CFR Part 820 across the finish line with the publication of the new Quality Management System Regulation (now called “QMSR”) on February 2, 2024. Here is what you need to know to transition from QSR to QMSR.
FDA’s mission is to promote and protect the safety of patients and users, not to make life easier for medical device manufacturers. However, this is a rare case where FDA recognizes the inefficiency of having manufacturers comply with two nearly identical quality system requirements. This was not always the case though. ISO 13485 was introduced in 1996, which happens to be the last time a major update to 21 CFR Part 820 (QSR) occurred. Since that time, ISO 13485 has been modified a few times, and the most recent version – ISO 13485:2016 – is very similar to FDA QSR. FDA says it is now time to harmonize the two by replacing the QSR with the QMSR. The primary change here is that Subpart A of the new QMSR incorporates ISO 13485:2016 by reference as the basis for compliance with the QMSR but with some additions and differences as discussed below. This means that all companies required to comply with the QMSR will essentially be following ISO 13485:2016 – even if not certified by a third-party to the standard. Where differences exist between ISO 13485 and QMSR – the QMSR will prevail.
OK, so it is all well and good that the QMSR will essentially be the same as ISO 13485:2016, but what if you do not know the requirements of ISO 13485? What do you need to do? First, it would be a good idea to buy a copy of ISO 13485:2016. You can see the standard via the American National Standards Institute (ANSI) Incorporated by Reference (IBR) Portal, https://ibr.ansi.org/Standards/iso1.aspx. This version is a read-only format, though, and you must register on the site each time you wish to see the document – not very convenient for your day-to-day work. Once you have the standard, read it through from beginning to end – including the introduction (Clause 0).
In most cases, FDA is adopting the terminology used in ISO 13485:2016 as-is where a corresponding definition or requirement exists in the standard. This means that some common terms you have been using for many years are being eliminated and replaced by those used in ISO 13485:2016. Examples include device master record (DMR), device history record (DHR), and design history file (DHF). In the current QSR, these terms are used to define specific documents and records that are required as evidence that a company has designed products in accordance with design control requirements (DHF), documented the way to manufacture a product (DMR), and manufactured the product following the documented methods (DHR). While the specific terms would be eliminated, you will still be required to maintain and retain these types of documentation through the ISO 13485:2016 requirements for the medical device file, design and development files, and product realization records, including those that show the product meets its requirements (ISO 13485:2016 clauses 4.2.3, 7.3.10, 7.5.1, and 8.2.6). The good news is that you do not need to change how you are keeping your DHF, DMR, and DHR documentation (in other words, it’s okay to keep calling them by those names) – you just will not see those names in the regulation anymore.
QMSR is also incorporating Clause 3 of ISO 9000:2015(E) Quality Management Systems – Fundamentals and vocabulary by reference as part of the 820.3 Definitions section. You can see this document through the ANSI IBR Portal (like ISO 13485:2016), also as a read-only format. ISO 9000:2015 definitions will be helpful for some basic quality management systems terms that are used in ISO 13485:2016 but are not more specifically defined in the standard for medical device quality use. Some current Part 820 definitions (like remanufacturer) will be retained as part of the QMSR because they are not defined in ISO 13485:2016. Others (like manufacturer and product) are being kept because FDA’s definitions supersede the ISO 13485:2016 definition for legal reasons. In fact, all the terms and definitions in FD&C Act section 201 will apply to the new QMSR and will supersede any correlating terms and definitions in ISO 13485:2016 (like labeling and device). Plus, if the new QMSR did not include these definitions, the FD&C Act would have to be changed by US Congress to make this all work – and that is not going to happen anytime soon.
Overall, you can see which terms are being carried into the QMSR in section 820.3 of the QMSR.
After the QMSR is implemented, FDA will adopt the records control requirements found in clause 4.2.5 of ISO 13485:2016.
The QMSR also includes specific content requirements for complaints and service records to ensure these records continue to meet the requirements that are in the current QSR sections 820.198 and 820.200. A particular item still required under QMSR 820.35 for both types of records is the related device’s unique device identifier (UDI), unique product code (UPC), or any other device identification. This section of the QMSR also clarifies that the UDI must be recorded for each device or batch of devices (under the ISO 13485:2016 applicable clauses 7.5.1, 7.5.8, and 7.5.9).
One last important thing that the agency includes in this section of the Final rule is the requirement around the confidentiality of your documents. Since FDA is a US federal agency, it is subject to the Freedom of Information Act (FOIA). The Public Information section in 21 CFR Part 20 is the set of rules that FDA follows in this area, including the protection of trade secrets and proprietary information. So, this last part of the QMSR 820.35 is for manufacturers to mark any of their documents as “confidential” prior to providing them to the agency during an inspection, in a submission, etc.
In the eyes of FDA, ISO 13485 does not adequately “address the inspection of labeling by the manufacturer.” As such, FDA will be retaining its provisions from the existing QSR as it believes them to be superior. This means that manufacturers will need to follow ISO 13485 clause 7.5.1 and section 820.45 of the QMSR. As noted earlier, where conflicts exist between the two, the QMSR wins.
FDA acknowledges that “ISO 13485 has a greater emphasis on risk management activities and risk-based decision making than the current part 820.” Currently, the QSR only addresses risk management in the risk analysis requirements within design validation in 820.30(g), but it is far more integrated throughout ISO 13485:2016. ISO 13485 includes requirements for risk management throughout the entire life cycle of the device. Risk management compliance can be tricky and is one area of the QMSR where manufacturers may want to seek outside help from a consultant experienced with ISO 14971:2019 risk management requirements and ISO 13485 compliance.
Most likely FDA inspections will feel different once the FDA completes their training and preparation for QMSR. FDA currently uses and inspection approach called the Quality System Inspection Technique (QSIT). This is being eliminated or revised to align with the QMSR but this work is not yet complete and/or public information. In any case, you should not assume that FDA inspections will be any less strenuous following the amended regulation or that companies that have existing ISO 13485:2016 certificates will be exempt from inspections. Note that FDA will not be issuing QMSR compliance certificates.
NO! Even though the FDA is incorporating ISO 13485 within the QMSR, you are not required to have ISO 13485 certification to comply with the QMSR. Yes, you will still need to modify your QMS to meet ISO 13485:2016 (if you do not already), but you are not required to seek certification if you only sell in the US market. Here’s the thing: if you plan to sell in Canada, Europe or Australia as well as in the US, in most cases you will need to seek ISO 13485 quality management system certification.
FDA defined a 2-year transition for the QMSR with the amended regulation coming into effect on February 2, 2026.
The 2026 date does not mean that you should put off your planning and actions to be ready for the QMSR to be effective. Even if you are not interested in getting ISO 13485:2016 QMS certification, you should modify your QMS now to comply with ISO 13485. If your organization already holds ISO 13485 certification, you have a great start to QMSR compliance – but still need to take action to prepare! In either case, make sure you conduct a thorough gap analysis (or have us do it for you) to get a much clearer understanding of what needs to happen to get your QMS in conformance with the new QMSR.
The good news is that although changes most likely need to be made in your QMS, US FDA QMSR will eventually be more harmonized with other global QMS requirements, making access to new markets less burdensome for small medical device companies.
If you are looking for more information related to the QMSR, we are pleased to offer two different instructor-led training courses to meet your needs. The first is a one-day high-level course on QMSR, which you can find here. The second is a two-day in-depth course on both QMSR and ISO13485:2016, which you can find here.
US OfficeWashington DC
EU OfficeCork, Ireland
UNITED STATES
1055 Thomas Jefferson St. NW
Suite 304
Washington, DC 20007
Phone: 1.800.472.6477
EUROPE
4 Emmet House, Barrack Square
Ballincollig
Cork, Ireland
Phone: +353 21 212 8530