Overview of QMSR Quality Management System Requirements
The QMSR (Quality Management System Regulation) under 21 CFR 820.10 aligns U.S. medical device manufacturers with ISO 13485 while maintaining FDA-specific requirements. This hybrid framework ensures international harmonization while upholding U.S. regulatory oversight.
Overview of Changes
QMSR Info Request Form
Definitions
Affected Regulations and Standards
Assembling the Puzzle
Implementation Strategies
Small Manufacturers
ISO 13485:2016 Clauses
1 Scope
2 Normative references
3 Terms and definitions
4 Quality management system
5 Management responsibility
6 Resource management
7 Product realization
♦ 7.3 Design and development
♦ 7.4 Purchasing controls
8 Measurement, analysis & improvement
QMSR Quality Management System Requirements
The QMSR (Quality Management System Regulation) under 21 CFR 820.10 aligns U.S. medical device manufacturers with ISO 13485 while maintaining FDA-specific requirements. This hybrid framework ensures international harmonization while upholding U.S. regulatory oversight.
Key Requirements:
QMS Documentation & Compliance
- Manufacturers must establish and maintain a QMS per ISO 13485 and applicable FDA regulations.
- Required documentation includes a quality manual, quality procedures, risk management approaches, and software validation records.
Regulatory Alignment & Compliance Mandates
- Unique Device Identification (UDI): Compliance with 21 CFR 830.
- Traceability: Compliance with 21 CFR 821 where applicable.
- Medical Device Reporting (MDR): Complaints meeting reporting criteria must follow 21 CFR 803.
- Recalls & Advisory Notices: Must comply with 21 CFR 806.
Design & Development Controls
- Mandatory for Class II, III, and certain Class I devices.
- Must comply with Clause 7.3 of ISO 13485, including design planning, verification, validation, and change control.
Risk-Based Approach
- Organizations must identify, control, and monitor processes based on risk.
- Risk-based decision-making applies to supplier controls, traceability, and software validation.
Control of Outsourced Processes
- Manufacturers retain responsibility for compliance, even when outsourcing.
- Written quality agreements and proportionate supplier controls are required.
Enforcement & FDA Oversight
- Failure to comply results in device adulteration under Section 501(h) of the FD&C Act.
- The FDA retains enforcement authority, ensuring compliance through inspections and regulatory actions.
Conclusion
The QMSR framework integrates ISO 13485 while reinforcing FDA-specific requirements, providing a globally harmonized yet U.S.-compliant quality management system for medical device manufacturers. This alignment reduces redundancy for companies operating in multiple jurisdictions while ensuring regulatory oversight by the FDA.
Comparison of FDA and ISO Quality Management System Requirements
| Aspect | QMSR (21 CFR 820.10) | ISO 13485 Clause 4 |
|---|---|---|
| Documentation Requirements | Requires manufacturers to document a QMS that complies with ISO 13485 and additional FDA regulations. | Requires organizations to document, implement, and maintain a QMS to meet ISO 13485 and applicable regulatory requirements. |
| Regulatory Compliance | Explicitly ties compliance to FDA regulations (e.g., UDI, traceability, MDR reporting). | Requires compliance with applicable regulatory requirements but does not specify FDA-specific mandates. |
| Design & Development | Mandates compliance with Clause 7.3 of ISO 13485 for certain device classes. | Requires organizations to define and control design and development processes as part of the QMS. |
| Risk-based Approach | Indirectly referenced in the application of ISO 13485 requirements. | Explicitly requires a risk-based approach to QMS processes. |
| Traceability | Additional requirements for unique device identification (UDI) and traceability per 21 CFR 821 & 830. | Requires traceability for implantable devices and risk-based traceability for other products. |
| Advisory Notices | Manufacturers must comply with 21 CFR 806 (recalls & advisory notices). | Organizations must establish procedures for issuing advisory notices but without referencing specific regulatory bodies. |
| Reporting to Regulatory Authorities | Explicitly mandates reporting to the FDA per 21 CFR 803 (MDR). | Requires a process for regulatory reporting but does not specify FDA requirements. |
| Software Validation | Implicitly required through ISO 13485 adoption. | Explicitly requires validation of software used in QMS processes. |
| Outsources Processes | Must comply with FDA requirements for supplier controls. | Requires organizations to monitor and ensure control over outsourced processes, with proportionality based on risk. |
| Regulatory Enforcement | Noncompliance renders the device adulterated under the FD&C Act, subject to FDA action. | ISO 13485 compliance alone does not imply regulatory enforcement unless mandated by a jurisdiction. |