
A Few Surprises in FDA’s Quality Management System Regulation

Learn about two issues that aren’t often discussed but are well worth reviewing.

Medical device manufacturers have watched intently as the U.S. Food and Drug Administration (FDA) pivots from the long-established Quality System Regulation (QSR) to ISO 13485:2016 – Medical devices, which specifies requirements for a quality management system according to FDA’s current Good Manufacturing Practice (cGMP). These medical device requirements are now called the Quality Management System Regulation (QMSR).

ISO 13485:2016 is the standard used by regulators globally, including in the Medical Device Single Audit Program (MDSAP), for which FDA was a participant. For most manufacturers, the new QMSR will simplify their approach to quality system compliance. And because many manufacturers are already maintaining both systems, the changes are relatively well understood.

However, there are two issues that are often not discussed, but worth reviewing: 1) traceability, recall scope, and recall effectiveness, and 2) the risk-based Computer Software Assurance (CSA) approach for Computer System Validation (CSV).

Similar but Limited Notions of Traceability

Globally, there is a lot of interest in tracing a device’s “pedigree” (e.g., where did the device come from, can it come into this country, where is it going, who was it used on or implanted into).

ISO 13485:2016 and the legacy QSR incorporate generally similar but limited notions of traceability:

  • ISO 13485:2016, section states, “The organization shall document procedures for traceability. These procedures shall define the extent of traceability in accordance with applicable regulatory requirements and the records to be maintained.”
  • FDA’s 21 CFR 820.160 states, “Each manufacturer shall maintain distribution records which include or refer to the location of … the name and address of the initial consignee.”

Interestingly, ISO 13485 (and therefore the QMSR) has additional requirements for implantable medical devices. Section states, “The organization shall require that … distributors maintain records of the distribution of [implantable] medical devices to allow traceability and that these records are available for inspection” (emphasis added).

The QMSR takes this a step further in section 820.10(d), adding life-supporting/life-sustaining devices to the list. It states, “Manufacturers of devices that support or sustain life, the failure of which to perform when properly used in accordance with instructions for use provided in the labeling can be reasonably expected to result in a significant injury, must [also] comply with the requirements in Traceability for Implantable Devices, Clause in ISO 13485, in addition to all other applicable requirements in this part, as appropriate” (emphasis added).

Traceability Records Must Include UDIs

You may remember a similar group of class II implantable and life-supporting/life-sustaining devices that comprised the second compliance date (after class III devices). The new European Union Medical Device Regulation/In Vitro Diagnostic medical device Regulation (EU MDR/IVDR) also incorporates very similar traceability requirements in Articles 22 and 25.

For class III implantables and other devices identified by the European Commission, the traceability records MUST include the device’s unique device identifier (UDI). The MDR/IVDR also incorporates requirements for the reporting of ALL recalls. That is, manufacturers are required to report “… any field safety corrective action [recall] … undertaken in a third country … if the reason for the [recall] is not limited to the device made available in the third country.”

The most efficient and effective way to manage the traceability of all devices and meet these growing requirements is to capture the device’s UDI throughout the distribution of a device, up to and including its use on, or implantation into, a patient.

A Risk-Based Approach to Validation

The second issue that’s not often discussed is the risk-based CSA approach to CSV; the FDA has encouraged the industry to shift to this approach for a few years now. In September 2022, FDA published the draft guidance Computer Software Assurance for Production and Quality System Software.

Now, however, the QMSR has enshrined this concept in regulation and ISO 13485 specifically includes this risk-based approach. Section 4.1.6 states, “The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software” (emphasis added).

It is critical to note that the QMSR has established a true regulatory basis for the risk-based CSA approach, and it does so with the text emphasized above. The QMSR establishes in regulation the long-accepted risk-based approach that had previously appeared in FDA's CSA guidance (but only as draft guidance) and, earlier, in 21 CFR Part 11 (but under enforcement discretion).

This approach is now sanctioned in the QMSR regulation. As such, it carries the full weight of the QMSR. CSA, as a concept, now has a true regulatory base. With this, companies that were unsure of the risk-based approach have a more solid foundation on which to build a true CSA program.

How USDM Can Help

USDM actively supports medical device companies in their adoption of the CSA approach and is a leader in addressing requirements for ISO 13485 Section 4.1.6 with offerings that include:

  • UDI guidance and implementation services
  • Assessments and revisions to standard operating procedures (SOPs) to align with QMSR and CSA
  • Services for CSA and validation, including:
    • Established partnerships with more than 40 Software-as-a-Service (SaaS) application vendors and cloud providers like Google Cloud Platform, Microsoft Azure, and Amazon Web Services (AWS) to validate and revalidate systems throughout their operational life.
    • Automation of validation and CSA activities on our Validation Lifecycle Management (VLM) platform.

Contact USDM to help your organization assess and optimize its validation processes and maintain continuous compliance in accordance with the FDA’s new QMSR.
