Vincent Cafiso, founder and managing consultant at Practical Compliance Results, spoke to MD+DI about what he expects the regulatory landscape to look like under the new QMSR.

Susan Shepard

March 22, 2024

11 Min Read
Medical technology
metamorworks / iStock / Getty Images Plus via Getty Images

On Feb. 2, 2024, FDA published its long-awaited amendment to its current good manufacturing practice requirements for medical devices. The new Quality Management System Regulation (QMSR) now harmonizes the existing requirements with those of ISO 13485:2016.

The idea of harmonizing FDA’s Quality System Regulation (QSR) with global standards is not a new one, said Vincent Cafiso, founder and managing consultant at Practical Compliance Results. He related that, in his opinion, FDA significantly revised 21 CFR Part 820 in 1996, which FDA based on the then current version of ISO 9001. “This actually showed some early signs of FDA’s intention to harmonize with some relevant global standard,” he explained.

Meanwhile, ISO was also creating the medical device–specific ISO 13485 standard, based on ISO 9001. “So basically ISO 13485:1996 and the 1996 revision to the QSR started life around the same time and they both have the same parent, which was ISO 9001,” Cafiso said. “Those two ‘children’ have been serving the same purpose, just for different companies depending on where they do business in the world.”

ISO 13485 has been revised several times over the years, and Cafiso said FDA has been very active in working with ISO on international task forces to help influence the evolution of the standard. “It was not a surprise that FDA decided all of the sudden to now adopt and harmonize with 13485,” he said.

Other signs of FDA’s intentions to conform its regulations with other standards appeared about 10 years ago, when FDA started to accept audit reports from Notified Bodies for audits that were performed in accordance with ISO 13485 in the United States, in lieu of doing an actual FDA inspection. “Then off of the back of that success, there was this harmonized program called the Medical Device Single Audit Program (MDSAP), which allows FDA and Australia, Brazil, Canada, and Japan to harmonize so that any time there's an inspection, we could use that report to satisfy the regulatory requirements of all of these countries,” Cafiso said.

“All of this really was the wave that finally gave FDA the comfort to do what they're [now] doing,” he said. “It's a pretty dramatic change and I think the reason FDA would give is because they want to reduce the burden of compliance on medical device manufacturers, so that they only have to comply with one standard, one regulation, and they believe that there is some benefit to harmonizing with ISO 13485.”

Following is MD+DI’s conversation with Cafiso on his thoughts about the QMSR and how it will affect medical device companies.

What can medical device companies expect from FDA’s newly harmonized regulation, the QMSR? What are some of the changes that companies will now have to comply with?

Cafiso: Basically, if you are a US company and you are interested in making a medical device, you have to open up the QMSR, and it will say you have to go look at ISO 13485. But it's not that easy. I wish it was. There are some differences. Companies will open up the QMSR and it will direct them to ISO 9000 Clause 3, which is essentially a list of definitions.

And then ISO 13485 has its own definitions, but it also refers back to ISO 9000. If you're going to be in compliance, you have to look at both of those standards. But there are also going to be some changes.

Some of the notable ones are some of the terminologies and the definitions. For one, FDA typically uses the terminology “safety and efficacy” or “safety and effectiveness.” Whereas ISO 13485 refers to “safety and performance.” In the QMSR, it clarifies to say that FDA is going to adopt the use of “safety and performance,” but it doesn’t relieve the manufacturer’s obligation to also make sure that their device is safe and effective.

So again, FDA was, I think, being overly accommodating to drop some of the legacy terminology that everyone has been very familiar with in lieu of putting their best foot forward to really harmonize.

There was also a shift in some of the other terminologies. Some of the acronyms that we see in the QSR would be a design history file (DHF), a device master record (DMR), and a device history record (DHR). Those three acronyms don't appear in ISO 13485, but they are replaced by some terminology that's basically similar. FDA said it doesn't matter what you call it. It's effectively the same.

There are a couple of other definition changes where FDA felt like ISO 13485 or 9000 doesn't really define a couple of things, so they define things like “component” or “remanufactured.” One of the important ones was actually “rework,” because FDA considers a rework to be a different thing than ISO 13485. A rework in FDA’s terminology is anything that you do to a product internally before you distribute it out the door and then if something were to go wrong with that product after it gets distributed then it's either going to be a correction, removal (that is a recall.) FDA’s definition of rework is a little bit more specific to that scenario and so FDA retains that terminology.

Because FDA has its own regulatory framework, there are a couple of other changes. In the United States and globally, there is a requirement for what is known as a unique device identifier (UDI). This ties into FDA’s 21 CFR part 830, and so FDA retained that in the QMSR. ISO 13485 does have requirements for device identification and to make sure that it's unique, but FDA just wanted to make sure that they called out these 830 requirements.

There's also another requirement for medical device tracking. There is a traceability requirement in ISO 13485, but FDA wanted to make sure that they retain a very specific tie-in to traceability of very high-risk devices, which is called out in 21 CFR part 821.

Other requirements that FDA calls out separately are medical device reporting and complaint handling. FDA wanted to make sure there was a review and evaluation of complaints, and if there is any device failure that there is an investigation — effectively retaining the current QSR requirements.

The other major change has to do with what FDA is retaining from the QSR. FDA feels very strongly around the controls of packaging and labeling because so many recalls or product mix-ups are due to some labeling mishap where some electronic barcode reader was malfunctioning and so we could have a product that has the wrong expiration date or the wrong lot number or the wrong product size on the package. Things like that. FDA retained some unique requirements around making sure that labeling is reviewed for accuracy by a human being prior to being applied to the product, and then obviously inspection of the labeling after the product has been manufactured prior to release. That's all very specific and just a little bit more beefed up than what ISO 13485 requires.

Since the QMSR will take effect in less than two years, what should companies be doing right now to prepare for these changes?

Cafiso: FDA will begin doing inspections in February 2026 according to the new QMSR. If you are a global medical device company doing business in the US and Europe, you are already in compliance with ISO 13485. You probably already have a risk management program based on ISO 14971. There are going to be some changes that you have to still make to your quality system and to some of your quality documentation, some of the quality records that you've actually created, to align mainly with some of the terminology requirements that we talked about.

If you're a European company that has no interest in doing business in the US, then this change is completely outside of your scope. You have nothing to worry about.

If you are a US-based company that only does business in the US, whose products do not bear a CE Mark, do not ship your product to any other country in the world, or is not part of MDSAP, this will be a bigger issue. This will be a big gap, because most of these companies that I just mentioned don't have a quality system that's based off ISO 13485 and they probably don't have a risk management program, let alone one that is in line with ISO 14971.

What I would say to any company that has to comply with the QSR today, which means that they will have to comply with the QMSR in two years, is that they should start now. Step one is to read and reread the QMSR and ISO 13485. The preamble to the QMSR really helps to fill in some of the FDA’s thinking around why the current regulation looks the way it looks and why they retained some of the requirements that they retained, and why they dropped some of the requirements that industry asked them to drop.

Then, looking at what those requirements are, you have to perform a gap analysis or some sort of an assessment of those requirements against your current quality management system. That gap assessment should take you no longer than a couple of months.

Then you're going to document in an action plan what the gaps are and who does what by when. You really must have a plan, from what procedures, starting with your top-level document, your quality manual, and then working your way down into your high-level procedures, your lower-level work instructions, and then into all your low-level forms and templates.

It's really to make sure that your current quality system complies with the requirements of 13485 and those few extra requirements that are in the QMSR.

In terms of time frames, I would strongly suggest that the gap assessment be happening between now and this summer. Then, have the actual execution of the who does what by when be done no later than the end of this year, or worst-case scenario, a year from now, like Q1 of 2025, at the absolute latest.

As companies really need to live with their new quality system for six to nine months prior to the effective date, and at the end of that 2025 time period, there really needs to be a mock FDA inspection. As a former FDA investigator, this is something I frequently do with my clients.

What can companies expect from FDA inspections/audits under the QMSR? Do you think there will be many changes?

Cafiso: Industry has really been kept in the dark about what FDA’s new quality system inspection technique (QSIT) will look like. We don't know if the QSIT will be coming out right before 2026, or if it will be coming out in 2025 to give FDA investigators time to learn their new technique and to give industry time to learn how they will be doing their inspections.

However, we know that one of the things that is going to be, I think, largely different from the standpoint of an inspection experience is that the QMSR now gives FDA access to records that they didn't have prior — internal audit records, supplier audit records, and evidence of management reviews. In the post QMSR world, those inspections will essentially require companies to hand FDA their internal audit reports, their supplier audit reports, their management review minutes, and their management review presentation.

Also, FDA inspections will still be different than Notified Body audits. I think they will continue to be more stringent and tougher to get through because it will not be time-bound like Notified Body and MDSAP audits are. FDA can just sit there for two days, two weeks, or two months. There's really no end to the inspection.

I think that's why FDA inspections will continue to be the standard for how companies have to present themselves and that will not change.

You will be presenting two sessions at the upcoming IME South conference in June. Can you tell the readers a little bit about what you’ll be presenting there and what you hope they’ll take away from your session?

Cafiso: What I hope that they come away with is a little bit more detail as to the changes that they will have to be making to their quality management systems. I really want to try to give them a little bit more than just what changed, but I also want to try to give them some actionable suggestions — how they can make the changes.

I plan to present an implementation plan and real-life examples of what they should be changing.

In the second session, I want to dive a little bit more into how to become inspection ready under the new QMSR and 13485. I want to dive into a little bit more detail about exactly what we should be thinking about from some of these new records that are going to be looked at by FDA.

I would highly encourage anyone who has already started this process to bring some of their real-life examples and I will certainly work with them right there at the session to see if we can help move them in the right direction.

About the Author(s)

Susan Shepard

Susan Shepard is a freelance contributor to MD + DI.

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like