Summary
FDA is replacing the long-standing Quality System Regulation (QSR) with the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference. For most medical device manufacturers, this harmonization simplifies quality system compliance. But two issues rarely get the attention they deserve: (1) how traceability, recall scope, and recall effectiveness expand for implantable and life-supporting/life-sustaining devices, and (2) how the QMSR finally gives the risk-based Computer Software Assurance (CSA) approach a true regulatory foundation. This article unpacks both surprises and what they mean for your quality system.
Learn about two issues that aren't often discussed but are well worth reviewing
Medical device manufacturers have watched intently as the U.S. Food and Drug Administration (FDA) pivots from the long-established Quality System Regulation (QSR) to ISO 13485:2016, the medical devices standard that specifies requirements for a quality management system, as the basis for quality system requirements under FDA’s current Good Manufacturing Practice (cGMP). These medical device requirements are now called the Quality Management System Regulation (QMSR).
ISO 13485:2016 is the standard used by regulators globally, including in the Medical Device Single Audit Program (MDSAP), in which FDA was a participant. For most manufacturers, the new QMSR will simplify their approach to quality system compliance. And because many manufacturers are already maintaining both systems, the changes are relatively well understood.
However, two issues are often not discussed but are worth reviewing: 1) traceability, recall scope, and recall effectiveness, and 2) the risk-based Computer Software Assurance (CSA) approach for Computer System Validation (CSV).
Why this matters: The QMSR is more than a relabeling of 21 CFR 820. It changes what records you must keep for certain device classes and elevates the risk-based approach to validation from draft guidance to enforceable regulation. Reading the QMSR as “the QSR with a new name” risks missing obligations that carry the full weight of the rule.
Similar but Limited Notions of Traceability
Globally, there is a lot of interest in tracing a device’s “pedigree” (e.g., where did the device come from, can it come into this country, where is it going, who was it used on or implanted into).
ISO 13485:2016 and the legacy QSR incorporate generally similar but limited notions of traceability:
- ISO 13485:2016, section 7.5.9.1 states, “The organization shall document procedures for traceability. These procedures shall define the extent of traceability in accordance with applicable regulatory requirements and the records to be maintained.”
- FDA’s 21 CFR 820.160 states, “Each manufacturer shall maintain distribution records which include or refer to the location of … the name and address of the initial consignee.”
Interestingly, ISO 13485 (and therefore the QMSR) has additional requirements for implantable medical devices. Section 7.5.9.2 states, “The organization shall require that … distributors maintain records of the distribution of [implantable] medical devices to allow traceability and that these records are available for inspection” (emphasis added).
The QMSR takes this a step further in section 820.10(d), which adds life-supporting/life-sustaining devices to the list: “Manufacturers of devices that support or sustain life, the failure of which to perform when properly used in accordance with instructions for use provided in the labeling can be reasonably expected to result in a significant injury, must [also] comply with the requirements in Traceability for Implantable Devices, Clause 7.5.9.2 in ISO 13485, in addition to all other applicable requirements in this part, as appropriate” (emphasis added).
Traceability Records Must Include UDIs
You may remember a similar group of class II implantable and life supporting/life-sustaining devices that comprised the second compliance date (after class III devices). The new European Union Medical Device Regulation/In Vitro Diagnostic medical device Regulation (EU MDR/IVDR) also incorporates very similar traceability requirements in Articles 22 and 25.
For class III implantables and other devices identified by the European Commission, the traceability records MUST include the device’s unique device identifier (UDI). The MDR/IVDR also incorporates requirements for the reporting of ALL recalls. That is, manufacturers are required to report “… any field safety corrective action [recall] … undertaken in a third country … if the reason for the [recall] is not limited to the device made available in the third country.”
The most efficient and effective way to manage the traceability of all devices and meet these growing requirements is to capture the device’s UDI throughout the distribution of a device, up to and including its use on, or implantation into, a patient. Because these obligations hinge on accurate, retrievable records, strong data integrity across your distribution and quality records is foundational to demonstrating compliance during an inspection.
A Risk-Based Approach to Validation
The second issue that’s not often discussed is the risk-based CSA approach to CSV; the FDA has encouraged the industry to shift to this approach for a few years now. In September 2022, FDA published the draft guidance Computer Software Assurance for Production and Quality System Software.
Now, however, the QMSR has enshrined this concept in regulation and ISO 13485 specifically includes this risk-based approach. Section 4.1.6 states, “The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software” (emphasis added).
It is critical to note that the QMSR has established a true regulatory basis for the risk-based CSA approach, and it does so through the language emphasized above. The QMSR establishes in regulation the long-accepted risk-based approach that had previously appeared in FDA's CSA guidance (but only as draft guidance) and, earlier, in 21 CFR Part 11 (but under enforcement discretion).
This approach is now sanctioned in the QMSR regulation. As such, it carries the full weight of the QMSR. CSA, as a concept, now has a true regulatory base. With this, companies that were unsure of the risk-based approach have a more solid foundation on which to build a true CSA program.
Two QMSR “Surprises” at a Glance
- Surprise 1 — Expanded traceability. Beyond the limited distribution records carried over from the QSR, the QMSR pulls in ISO 13485 Clause 7.5.9.2 for implantable devices and section 820.10(d) extends it to life-supporting/life-sustaining devices. Capturing the UDI through the full distribution chain is the practical way to meet these obligations.
- Surprise 2 — CSA gets a regulatory base. ISO 13485 Section 4.1.6 makes the risk-proportionate validation approach part of enforceable regulation, moving CSA from draft guidance and Part 11 enforcement discretion to the full weight of the QMSR.
How USDM Can Help
USDM actively supports medical device companies in their adoption of the CSA approach and is a leader in addressing requirements for ISO 13485 Section 4.1.6 with offerings that include:
- UDI guidance and implementation services
- Assessments and revisions to standard operating procedures (SOPs) to align with QMSR and CSA
- Services for CSA and validation, including:
  - Established partnerships with more than 40 Software-as-a-Service (SaaS) application vendors and cloud providers like Google Cloud Platform, Microsoft Azure, and Amazon Web Services (AWS) to validate and revalidate systems throughout their operational life.
  - Automation of validation and CSA activities on our Validation Lifecycle Management (VLM) platform.
Once systems are validated, keeping them in a state of continuous compliance is its own challenge. USDM’s Cloud Assurance approach is designed to help regulated organizations maintain compliant, validated systems across vendor updates and changes throughout their operational life.
FAQ: FDA's Quality Management System Regulation (QMSR)
What is the QMSR and how does it differ from the QSR?
The Quality Management System Regulation (QMSR) replaces FDA’s long-established Quality System Regulation (QSR) and incorporates ISO 13485:2016 as the basis for medical device quality system requirements under FDA’s current Good Manufacturing Practice (cGMP). For most manufacturers, the QMSR simplifies their approach to quality system compliance because it harmonizes FDA requirements with the ISO 13485 standard used by regulators globally.
What changes for traceability under the QMSR?
ISO 13485:2016 and the legacy QSR share generally similar but limited notions of traceability. The QMSR goes further: ISO 13485 Section 7.5.9.2 adds traceability requirements for implantable devices, and section 820.10(d) extends those requirements to devices that support or sustain life. Capturing the device’s unique device identifier (UDI) throughout distribution — up to and including use on or implantation into a patient — is the most efficient way to meet these growing requirements.
What is Computer Software Assurance (CSA) and why does the QMSR matter for it?
CSA is a risk-based approach to computer system validation (CSV) that FDA has encouraged for several years, including through its September 2022 draft guidance on Computer Software Assurance for Production and Quality System Software. The QMSR enshrines this concept in regulation through ISO 13485 Section 4.1.6, which requires that validation activities be proportionate to the risk associated with the software’s use. This gives the risk-based approach a true regulatory basis rather than relying on draft guidance or enforcement discretion.
How does 21 CFR Part 11 relate to the QMSR's risk-based approach?
The risk-based approach now established in the QMSR had earlier been reflected in 21 CFR Part 11, but only under enforcement discretion. With the QMSR, the long-accepted risk-based approach carries the full weight of regulation, giving companies a more solid foundation on which to build a true CSA program.
Does the QMSR affect devices sold in the European Union?
The EU Medical Device Regulation/In Vitro Diagnostic medical device Regulation (EU MDR/IVDR) incorporates very similar traceability requirements in Articles 22 and 25. For class III implantables and other devices identified by the European Commission, traceability records must include the device’s UDI, and the MDR/IVDR also requires reporting of recalls, including certain field safety corrective actions undertaken in third countries.
Ready to Align with the QMSR and CSA?
Contact USDM to help your organization assess and optimize its validation processes and maintain continuous compliance in accordance with the FDA’s new QMSR.
