1. You are here:
  2. Homepage
  3. News & Insights Search
  4. QMSR: Start now to be ready for final rule, slated for December

rf-fullcolor.png

 

Regulatory News
March 28, 2023
by Shawn M. Schmitt

QMSR: Start now to be ready for final rule, slated for December

The US Food and Drug Administration (FDA) asserts that it is on track to release a final rule this December that harmonizes the agency’s decades-old Quality System Regulation (QSR) with international standard ISO 13485:2016. Despite that deadline being roughly eight months away, it’s never too early for industry to prep for its arrival, two longtime experts say.
 
The FDA released its draft Quality Management System Regulation (QMSR) in February 2022; the agency had been busy combining the QSR with ISO 13485 since early 2018 (RELATED: QMSR: FDA proposes QSR overhaul after years of delays, Regulatory Focus 22 February 2022). The QMSR, when finalized, should be shorter in length than the QSR because the current regulation’s requirements are already “substantively similar” to what’s found in the quality systems standard from the International Organization for Standardization (ISO).
 
“I’m skeptical that the QMSR will be finalized by December,” Eric Henry, senior quality and regulatory compliance advisor at the law firm King & Spalding, said in an interview with Focus. However, “it wouldn't surprise me if [the FDA did release it then] because it gives people time to absorb it. …I’ve seen the FDA [issue] things right at the beginning of the holiday season, right before they go on holiday, and drop it on the lap of industry.”
 
Henry said he has spoken with several veteran FDA staffers who aren’t thrilled about the plan to replace the QSR (21 CFR Part 820), which has been the agency’s bedrock regulation for manufacturing safe and effective medical devices in the US since 1996.
 
“The people that have been with the agency for a long time are comfortable with Part 820 in its current form, and they feel that all of the infrastructure built around it – the preamble, the guidance documents, the links to other regulations – those provide a way for the FDA to enforce the safety and efficacy of [products] that they believe is superior to the mechanisms that exist in other parts of the world,” Henry said. “They look at ISO 13485, and although it is similar [to the QSR], they see enough little differences that they feel that if we went with ISO 13485, they would lose some of what they believe are the advantages that the current Part 820 provides.”
 
Henry doesn’t share that sentiment, though. He said he believes the QMSR will be superior to the current regulation. “I’m excited about [the QMSR] because … it will reduce the overall burden to industry,” Henry said. “There could be some places that ISO 13485 isn’t as strong … as the current Part 820, and some of those gaps are addressed in the [proposed QMSR rule]. On balance, the gaps in the QSR that ISO 13485 fills bring a greater value. And the big elephant in the room when I say that is risk management.”
 
The QSR makes only a passing mention of risk management and risk analysis despite the agency considering the overall concept to be an inherent part of the decision process throughout the regulation.
 
“Risk management in the QSR is buried in design validation under design controls, and it’s the one and only place risk management is ever addressed in Part 820,” Henry explained. “And FDA is, as it should be, very focused on good risk management, both premarket and postmarket, by the manufacturers.”
 
Risk management plays a much larger role in the forthcoming final QMSR because it’s aligned with ISO 13485, which calls out to ISO 14971. ISO 14971 instructs device manufacturers on how to best put together a risk management program; it was originally released in 2000 and was most recently revised in 2020. The FDA currently can’t require companies to implement ISO 14971, although the agency strongly endorses the international standard’s risk management guidelines.
 
“In ISO 13485, not only does it say you have to have good risk management, but it says you [must have] risk management compliance with ISO 14971,” Henry said. The finalization of the QMSR “moves ISO 14971 beyond just a recognized consensus standard in the FDA database to an enforceable element of the regulation.”
 
Preparing for QMSR
Companies that market devices outside the US are likely already compliant with ISO 13485 and will have a leg up in the transition moves from QSR to QMSR.
 
However, “if you’re one of those companies that market strictly within the US, or just happens to avoid the ISO 13485 countries, my recommendation is one of two things: either go ahead now and make the updates to your quality system to comply with ISO 13485 directly, or second, sign up for the [Medical Device Single Audit Program (MDSAP].”
 
MDSAP, developed by the International Medical Device Regulators Forum (IMDRF), allows firms to undergo one audit by an accredited third party to satisfy quality regulations for the US, Canada, Brazil, Japan, and Australia; the auditing approach maps to ISO 13485.
 
“If you look at [the MDSAP] audit checklist, its foundational element is ISO 13485:2016. So even if you’ve never received an ISO 13485 [certification], but you went with an MDSAP audit certification instead, that would do two things within the US,” Henry said. “First, you now have a mechanism for replacing routine inspections from the FDA with a notified body, which has some advantages. [And second,] through that notified body audit, against the MDSAP criteria, you have effectively met the ISO 13485 criteria as well. And when the proposed [QMSR] rule becomes final, you will already be ahead of the game.”
 
Vincent Cafiso, a former FDA staffer who’s currently senior director of regulatory compliance and global audit at device maker Smith & Nephew, warned that companies that already comply with ISO 13485 should not be lulled into a false sense of security.
 
“Don't just assume you know everything just because you’re already ISO 13485 certified,” he said. “Don’t just say, ‘We have our notified body audits every year, so we’re good. So, whenever the FDA publishes the final QMSR rule, we’re just going to slap that into our quality manual and say we’re good.’”
 
Cafiso strongly suggested that manufacturers that are already compliant to the QSR and ISO 13485 – and even those that aren’t but are learning about both the rule and the standard – develop a cross-reference/matrix document.
 
“That’s very high level and what most companies should have,” he said. “A matrix will really help to educate existing employees and new employees about the company’s quality system and what it’s designed to comply with. Developing a cross-reference sheet or matrix should be the first thing manufacturers should do.”
 

Related topics

Compliance Medical Devices Quality Assurance and Control
Return to listing

Recommended content

Regulatory Affairs Professionals Society (RAPS)
5635 Fishers Lane, Suite 400
Rockville, Maryland 20852

Telephone: +1 301 770 2920
Fax: +1 301 841 7956

Email:  [email protected]

Design & Development by Pixl8
Membership software by ReadyMembership

Regulatory Affairs Professionals Society (RAPS)

© 2026 Regulatory Affairs Professionals Society

×

Welcome to the new RAPS Digital Experience

We have completed our migration to a new platform and are pleased to introduce the updated site.

What to expect: If you have an existing login, please RESET YOUR PASSWORD before signing in. After you log in for the first time, you will be prompted to confirm your profile preferences, which will be used to personalize content.

We encourage you to explore the new website and visit your updated My RAPS page. If you need assistance, please review our FAQ page.

We welcome your feedback. Please let us know how we can continue to improve your experience.