A High-Level Overview of the Proposed Rule To Align FDA's QSR with ISO 13485
By Marcelo Trevino, independent expert
Several months ago, the U.S. Food and Drug Administration (FDA) announced a new proposed rule —Harmonizing and
Modernizing Regulation of Medical Device Quality Systems — will be released this year. The rule’s intent is to blend the FDA’s Quality System Regulation (QSR) with ISO 13485:2016 in an effort to harmonize requirements while modernizing the former, which hasn’t been updated since 1996. For many years, medical device manufacturers have had to comply with both requirements, as well as other international requirements.
It is likely that, once the regulation is aligned with ISO 13485:2016, FDA will maintain its inspectional authority but the Quality System Inspection Technique (QSIT) will be revised.
AAMI TIR102:2019, the U.S. FDA 21 CFR mapping to the applicable regulatory requirement references in ISO 13485:2016, was released on Aug. 30, 2019 and it serves as the officially recognized mapping tool for the medical device industry. It is a bi-directional tool that will help organizations identify the requirements of 21 CFR 820 that can be addressed through a QMS that complies with ISO 13485.
The tool, available for purchase here, will assist FDA in the proposed rulemaking to revise 21 CFR to harmonize with ISO 13485.
The latest version of ISO 13485 (ISO 13485:2016) already contains several requirements that do not exist in 21 CFR 820. As we await the release of the new proposed rule, I’ve analyzed and prepared a summary of the potential changes’ impacts on medical device manufacturers once the proposed rule becomes final, making two assumptions: a) that a medical device manufacturer only complies with ISO 13485:2016 (absent additional international requirements), and b) that existing 21 CFR 820 requirements will remain the same. Below are some of the main requirements that will need to be reconciled with the new regulation.
ISO 13485:2016, Section 4 – Quality Management System (general requirements, documentation requirements, quality manual, control of documents and records)
Control of Documents and Record Management — 21 CFR § 820 specifies the need to document the date and signature of the individual(s) approving documents and communicating changes to appropriate personnel in a timely manner. In addition, FDA requires change records to include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.
The FDA regulation also requires that records be readily available for review and copying by FDA employees designated to perform inspections and stipulates that electronic records and documents have backups. FDA allows records to be marked as confidential so the agency can determine whether information can be disclosed under provisions of the Freedom of Information Act.
While US medical device regulations do not require a technical documentation, as defined in ISO 13485:2016, most of this data is kept under Design History File (DHF) and the Device Master Record (DMR) — two terms used only by FDA. Further, while ISO 13485:2016 specifies the need for a Quality Manual, FDA only requires an outline structuring the documentation used in the quality system.
Device History Records (DHR) — 21 CFR § 820 specifies Device History Record content beyond the record traceability requirements required by ISO 13485:2016. Namely:
- (a) The dates of manufacture
- (d) The acceptance records, which demonstrate the device is manufactured in accordance with the DMR
- (e) The primary identification label and labeling used for each production unit
- (f) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used.
Acceptance records — Each manufacturer must document acceptance activities required by this part under the FDA Regulation. These records must include (as part of the DHR):
- The acceptance activities performed
- The dates acceptance activities are performed
- Acceptance activity results
- The signatures of any individual(s) conducting the acceptance activities
- The equipment used (where appropriate)
Distribution records — These records establish and maintain procedures for controlling and distributing finished devices, and must include or refer to the location of: the name and address of the initial consignee; the identification and quantity of devices shipped; the date shipped; and control numbers used [per 21 CFR 820.160(b)].
Since most documentation requirements are becoming more universal, it would not be difficult to adapt existing processes and procedures to comply with these changes. Several MDSAP and EU MDD requirements already address similar requirements.
ISO 13485:2016, Section 5 – Management Responsibility (policy, objectives, management review)
Management Review, Quality Policy and Quality Objectives — This section covers all management responsibility requirements addressed in 21 CFR 820 and already exceeds the FDA regulation’s requirements. ISO 13485:2016 specifies additional detailed requirements relative to the quality policy; for example: 5.3 b) indicates the quality policy shall include a commitment to comply with requirements and to maintain the QMS’ effectiveness. In addition, the quality objectives section specifies that objectives shall be measurable and consistent with the quality policy.
Although 21 CFR 820 is explicit in terms of reporting on quality system performance to management with executive responsibility, it is not explicit about other internal communication processes specified in ISO 13485:2016, such as the need to communicate whether customer and applicable regulatory requirements are being met.
21 CFR § 820 is not explicit in terms of management review inputs or outputs, while ISO 13485:2016 specifies inputs— such as assessing recommendations for improvement and the need for changes to the QMS — and outputs, such as documenting decisions related to resource needs and changes needed to address new regulatory requirements.
A unique FDA requirement under this section is an exception listed in 21 CFR 820.180, which states that, upon request from FDA, an employee in management with executive responsibility shall certify in writing that the management reviews, quality audits, and supplier audits were performed and documented. The certification must include the dates on which these activities were performed and explain whether any corrective actions were taken.
Overall, no additional requirements from FDA are associated with this section. Therefore, an organization currently complying with ISO 13485:2016 would not have to make any adjustments to its existing quality system to comply with existing FDA Management Review requirements.
ISO 13485:2016, Section 6 – Resource Management (human resources, facilities, work environment)
The main differences an organization complying with ISO 13485:2016 would have to address are associated with human resources. FDA specifies requirements for personnel performing verification and validation activities that an organization currently complying only with ISO 13485:2016 might need to further clarify in a documented procedure.
In addition, 21 CFR 820’s requirements include documenting evidence of the organization’s efforts to ensure personnel are made aware of device defects that may occur due to improper performance of their jobs, as well as errors that could result from personnel performing verification and validation activities. This could be done through training materials, evaluations, meeting agendas/minutes, etc.
Since ISO 13485:2016 places emphasis on competence, as opposed to training, it is not uncommon to see training matrixes and other methods capturing FDA’s expectations associated with quality awareness built as part of quality systems that comply with ISO 13485:2016.
Section 7 – Product Realization (contract, design, purchasing, production, calibration)
Design Controls — FDA’s regulation requires that procedures for design controls define the need to include participants that represent all relevant functions concerned with design, including an individual without direct responsibility for design and technical specialists, per 21 CFR 820.30(e).
It also specifies exclusions from design control requirements based on device risk [i.e., Class I devices are exempt, except the Class I devices listed under 820.30(a)]. The design control process requires dates and signatures of all individuals that approve design inputs and conduct verification and validation activities.
Traceability — FDA’s regulation states that if a control number is required for traceability, the organization must confirm the control number is either on or accompanies the device throughout distribution [21 CFR 820.120(e)].
Labeling, UDI, and UPC — Labeling should not be released for storage or use until a designated individual has examined the labeling for accuracy, including, where applicable, the correct UDI or UPC, expiration date, control number, storage instructions, handling instructions, and any additional processing instructions [21 CFR 820.120(b)].
Medical device product labels also must be stored in a manner that provides proper identification and prevents mix-ups; therefore, procedures must include specific provisions to cover this stipulation, in addition to requiring documentation of the labeling used for each production unit, lot, or batch.
Service Reports — Medical device manufacturers who receive a service report must assess whether the events reported should be considered compliant, as well as whether they should be reported to FDA. Service reports must be documented and must include the name of the device serviced, any UDI or UPC, any other device identification and/or control number(s) used, and the date of service. ISO 13485:2016 only addresses the need to review this information as part of the Analysis of Data requirements.
Product Storage/Preservation — When product quality deteriorates over time, the product must be stored in a manner that facilitates proper stock rotation, and its condition must be assessed as appropriate. Each manufacturer must establish and maintain procedures that describe the methods for authorizing receipt from, and dispatch to, storage areas and stock rooms. 21 CFR § 820 specifies that finished devices must be held in quarantine, or otherwise adequately controlled, until released.
While these requirements are not specifically prescribed in ISO 13485:2016, it is expected that manufacturers would take this into consideration as part of the preservation of product requirements defined under section 7.5.11.
Risk Management — Although Risk Management is referenced in the Preamble to the Regulation, it is not explicit in the regulation on how it should be applied across the QMS, as it is with ISO 13485. This is an area where FDA would greatly benefit from aligning with ISO 13485:2016. We should expect to see more emphasis and guidance in the revised regulation, outlining more specific requirements on risk management application in the design, manufacture, and distribution of medical devices.
Section 8 – Measurements, Analysis, and Improvements (monitoring, audit, control of NC, continual improvement, customer satisfaction)
Sampling — While statistical sampling requirements are included in ISO 13485:2016, FDA’s regulation requires a procedure in place to ensure that, when changes occur, the sampling plans are reviewed [21 CFR 820.250(b).
Complaint Handling — 21 CFR § 820 specifies that when no complaint investigation is made, and an investigation already has been performed for a similar complaint (making an additional investigation unnecessary), the name of the individual responsible for the decision not to investigate must be documented and maintained — a stipulation not required by ISO 13485:2016. FDA requires that complaints representing events to be reported under 21 CFR § 803 must be maintained in a separate portion of the complaint file.
As such, FDA requires procedures addressing the need to receive, review, and process complaints in a uniform and timely manner, to document oral complaints upon receipt, and to evaluate complaints to determine whether they meet FDA reportability requirements.
Although ISO 13485:2016 requires that complaint handling records be maintained, it does not provide the specific detail — relative to records of complaint investigations — specified in 21 CFR § 820, such as including determination of whether the device failed to meet specifications, and whether it was used for treatment or diagnosis. Additionally, investigation records must include the device name, date the complaint was received, associated UDI/UPC, complainant’s name and address, complaint details, investigation results, and corrective actions taken.
FDA requires that manufacturers whose formally designated complaint handling unit is located at a site separate from the manufacturing establishment must keep the investigated complaint(s) and the record(s) of investigation reasonably accessible to the manufacturing establishment [21 CFR 820.198].
Reporting to Regulatory Authorities — ISO 13485:2016 specifies that regulatory reporting requirements must be met, but does not specify details — as 21 CFR § 820 does — relative to the information that must be documented and maintained. Nor does ISO 13485:2016 contain the stipulation that complaints representing events that must be reported under 21 CFR § 803 be maintained in a separate portion of the complaint file.
Corrective and Preventive Action (CAPA) — Unlike FDA, ISO 13485:2016 contains specific clauses relative to “corrective action” (8.5.2) and “preventive action” — two concepts often misinterpreted with FDA’s use of CAPA.
Preventive actions are used to eliminate a potential nonconformity’s causes or other potential undesirable situations, while corrective actions are used to eliminate the cause of a nonconformity to prevent recurrence. Therefore, forcing a corrective action process to include preventive actions (to prevent recurrence) — as many in the medical industry have interpreted 21 CFR 820 — is an illogical practice that has caused confusion and frustration over the years.
This is an area of significant importance where FDA could benefit the most, in my opinion, by harmonizing the regulation.
ISO 13485:2016 emphasizes the need to implement corrective action “without undue delay,” while FDA specifies that information related to quality problems or nonconforming product must be disseminated to those directly responsible for assuring product quality, or those directly responsible for the prevention of such problems or non-conformances.
Finally, 21 CFR § 820 specifies the need to verify or validate the corrective and preventive actions to ensure said actions are effective and do not adversely affect the finished medical device. This direction is, in many instances, assumed by organizations, but is not explicitly required by ISO 13485:2016.
Conclusion
There is demonstrable benefit in harmonizing medical device compliance requirements and, while there might be some initial hesitation from device manufacturers, there is consensus among industry experts that an alignment would be a more efficient way to manage certain processes — including corrective and preventive actions, analysis of data, risk management, labeling, and complaint handling — where some differences exist.
In the event that FDA decides to fully adopt ISO 13485:2016, manufacturers that currently comply only with 21 CFR will likely have a significant amount of work to meet requirements in the following areas: risk management processes across the quality system, more prescriptive design control management, requirements for verification of interfaces with other medical devices, use of appropriate statistical techniques, cleanliness requirements, control of microorganisms for sterile devices, and clinical evaluation requirements.
Since medical device regulators in the EU, Japan, Canada, and Australia, among others, base their quality system requirements on ISO 13485:2016, FDA can utilize this opportunity to modernize the regulation to align with a more internationally accepted quality system standard. While changes to the rule might take some time to finalize — allowing time for public comment, impact analyses, and the update of existing FDA guidance and compliance programs — it is unclear at this point whether the agency would eliminate completely its existing regulation in favor of ISO 13485:2016, or instead lean towards creating a new regulation that aligns more with the international standard (due to copyright laws that need to be considered).
Finally, there is huge benefit in leveraging MDSAP (Medical Device Single Audit Program), which already aligns with other regulators’ requirements, and using this opportunity to add any other new or clarified requirements that are not currently part of ISO 13485:2016 to the MDSAP Companion Document. Regardless of the final format and approach used by the agency, manufacturers likely will have several years to comply with the changes.
About The Author
Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical, a life sciences group focused on global medical device regulatory, quality, and compliance. Marcelo can be reached at marcelotrevino@outlook.com
Marcelo has 23+ years’ experience in quality and regulatory affairs, serving in multiple senior leadership roles with different organizations while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical instruments, orthopedics, medical imaging/surgical navigation amongst others. He has an extensive knowledge of medical device management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDD/MDR, MDSAP). Mr. Trevino holds a B.S. degree in Industrial and Systems Engineering and an MBA in Supply Chain Management from the W.P. Carey School of Business at Arizona State University. He is also a certified Quality Management Systems Lead Auditor by Exemplar Global.
He has experience working on Lean Six Sigma Projects and many Quality/Regulatory Affairs initiatives in the US and around the world including Third Party Auditing through Notified Bodies, Supplier Audits, Risk Management, Process Validation and remediation activities.
Additionally, he is a Certified Six Sigma Black Belt and Biomedical Auditor through the American Society for Quality (ASQ) and holds Certificates in Environmental & Sustainability Management Regulatory Affairs Management from University of California, Irvine.
He regularly publishes articles to assist corporations in their quest for exceptional quality and regulatory compliance.