Changes to CFRs Will Focus on How Manufacturers Use Risk Management

FDA’s proposed amendment to 21 CFR 4 and 820, likely to go into effect before 2025, is meant to better align its medical device quality management system requirements with ISO 13485:2016, the international consensus standard for devices. According to Tim Gooch, Technical Director of Life Sciences Management Systems and Supply Chain at SGS North America, this will affect quality management systems (QMS) requirements for both medical devices and combination medical device and drug products.

MD+DI recently spoke with Gooch about his upcoming presentation at MD&M Minneapolis, in which he plans to highlight the importance of manufacturers being ready for the coming changes, especially in the area of risk management.

MD+DI: Can you provide some background on the proposed changes to 21 CFR 4 and 820?

Gooch: In February 2022, FDA published proposed amendments to 21 CFR 4 and 820 to harmonize with ISO 13485:2016. The regulation has not changed since 1997. Since that time, ISO 13485 has been republished twice. Most regulatory jurisdictions recognize ISO 13485 as the most current model for QMS models and it is accepted globally.

The agency is now adopting the standard as well. The most obvious difference in the current regulation is its lack of recognition of the role that Risk Management plays in current QMS models.

MD+DI: Why do you think the regulation has not been changed since 1997? And during that time ISO 13485 has changed twice.

Gooch: FDA is famously slowly to change unless there's a public emergency. And the standard back then pretty much reflected everything that was also in the Quality System Regulation (QSR), but when the updates came, there was no change and no perceived need to change in the QSR. There's only really one mention of risk management in the QSR, and that was in the planning and of design changes or any new design.

But when this latest 2016 version of 13485 was published, the tentacles of risk management were expanding into just about every area of the standard. Design, production, even training, there were mentions of risk management in there.

Now, what FDA wants manufacturers to do in view of the changes that are coming, is to make sure that their systems are built such that in their monitoring and measurement and feedback from devices is fed back into the QMS and the Risk Management System. That's the way it has been explained to me, is that “we're not really interested in their adopting all of the minutiae of what ISO 13485 says in terms of trying to be in conformity with those requirements, as an activity for preparation, but mostly we want you to look at systems in the way that you manage risk management especially from the standpoint of feedback.”

And that’s really what the bigger part of the message is, that [manufacturers] incorporate that into their thinking at this point in time, they need to be building those systems and having them be robust. Now the ones that are already using ISO 13485 are already using these types of systems, but they need to be aware that that's where the agency is focusing in terms of how they want to see manufacturers use risk management.

MD+DI: When should companies begin to prepare for the changes?

Gooch: The Agency has emphasized to me that they should actively be working on systems that incorporate monitoring and measurement of QMS effectiveness and how that feeds back to risk management.

One of the best ways of doing this is in participation in the Medical Device Single Audit Program (MDSAP) program that FDA has really been strongly focused on for the past six or seven years as an active participant and promoter of that program. Because one of the things that happens with manufacturers that are participating in MDSAP is that FDA no longer comes in to visit them on their regularly scheduled inspections, because FDA is now depending on the auditing organizations, like SGS, that goes in and inspects them every year or rather, performs an audit.

MD+DI: Who should attend your session at MD&M Minneapolis and why?

Gooch: All manufacturers that either currently legally market medical devices in the United States or have plans to. This presentation will include information directly from key individuals within FDA on what the expectations will be for current activities for the greatest impact toward compliance with the new requirements.

MD+DI: What do you hope attendees will take away from your session?

Gooch: A clear path of tasks that will help them be prepared to field the Agency’s expectations when the QSR replaces the QSReg and becomes a part of 21 CFR 4 and 820. We will be teaching about what the requirements are in ISO 13485 that relate to those requirements. Specifically risk management, feedback from monitoring measurement and analysis, and then quality planning.

Gooch’s session at MD&M Minneapolis is titled, “U.S. FDA Adoption of the Quality Management System Regulation--How Should You Prepare?” He will be presenting it on Tuesday, October 10, from 11 to 11:45 a.m., in the Tech Theater.