QMSR Implementation Strategy for U.S. Medical Device Manufacturers Compliant with the QSR and ISO 13485:2016
If your company is already compliant with the QSR and ISO 13485:2016, you’re ahead of the curve in the transition to FDA’s Quality Management System Regulation (QMSR). But don’t assume you’re all set—QMSR compliance still requires a formal review of FDA-specific expectations and alignment with 21 CFR Part 820.
While ISO 13485 provides the foundation, the QMSR will be enforced by the FDA, with its own vocabulary, recordkeeping expectations, and enforcement mechanisms. You’ll need to verify that your system addresses both the structure of the standard and the operational realities of FDA inspections.
Key Challenges
Organizations transitioning to FDA’s Quality Management System Regulation (QMSR) must navigate several critical challenges to ensure full compliance.
First, QMSR-specific terminology—such as Device Batch Record and Design and Development File—must be adopted and consistently applied across documentation and procedures.
Additionally, existing procedures may require revision to align with QMSR postmarket surveillance requirements, particularly in areas like complaint handling and mandatory reporting.
Internal audit processes should also be reassessed to reflect the FDA’s upcoming new inspectional approach, which will replace the QSIT methodology with a focus more closely aligned to ISO 13485.
Risk management activities must be carefully tailored to address regulatory expectations specific to the U.S. market, including how risks are identified, mitigated, and monitored postmarket.
Lastly, while ISO certification may satisfy global requirements, documentation must be inspection-ready for FDA investigators, who will expect a different level of traceability, completeness, and clarity.
Implementation Considerations
Perform a QMSR-Focused Gap Audit
Even with ISO 13485 certification, a targeted audit can uncover QMSR-specific gaps and FDA expectations not emphasized during ISO audits.
Review FDA-Specific Processes
Reassess your complaint handling, postmarket surveillance, and CAPA procedures with U.S. enforcement in mind.
Update Documentation to QMSR Vocabulary
Ensure terms such as Design and Development File (DDF), Device Batch Record, and Medical Device File are adopted in SOPs and records.
Ensure FDA-Ready Audit Trails and Records
ISO audits often rely on sampling; FDA inspections are more detailed. Ensure documentation is ready for deeper scrutiny.
Prepare for New FDA Inspection Methods
Familiarize your team with upcoming changes to FDA inspection techniques replacing QSIT.
How Medical Devices and Pharma Can Help
Our firm understands the gap between ISO certification and FDA enforcement. We help medical device manufacturers perform QMSR-targeted paper audits, update procedures to reflect QMSR vocabulary and process requirements, reconcile ISO documentation with FDA expectations, prepare internal audit programs for FDA inspections, and train teams on QMSR nuances and inspection readiness.
Comparison of FDA and ISO Quality Management System Requirements
Aspect | QMSR (21 CFR 820.10) | ISO 13485 Clause 4 |
---|---|---|
Documentation Requirements | Requires manufacturers to document a QMS that complies with ISO 13485 and additional FDA regulations. | Requires organizations to document, implement, and maintain a QMS to meet ISO 13485 and applicable regulatory requirements. |
Regulatory Compliance | Explicitly ties compliance to FDA regulations (e.g., UDI, traceability, MDR reporting). | Requires compliance with applicable regulatory requirements but does not specify FDA-specific mandates. |
Design & Development | Mandates compliance with Clause 7.3 of ISO 13485 for certain device classes. | Requires organizations to define and control design and development processes as part of the QMS. |
Risk-based Approach | Indirectly referenced in the application of ISO 13485 requirements. | Explicitly requires a risk-based approach to QMS processes. |
Traceability | Additional requirements for unique device identification (UDI) and traceability per 21 CFR 821 & 830. | Requires traceability for implantable devices and risk-based traceability for other products. |
Advisory Notices | Manufacturers must comply with 21 CFR 806 (recalls & advisory notices). | Organizations must establish procedures for issuing advisory notices but without referencing specific regulatory bodies. |
Reporting to Regulatory Authorities | Explicitly mandates reporting to the FDA per 21 CFR 803 (MDR). | Requires a process for regulatory reporting but does not specify FDA requirements. |
Software Validation | Implicitly required through ISO 13485 adoption. | Explicitly requires validation of software used in QMS processes. |
Outsourced Processes | Must comply with FDA requirements for supplier controls. | Requires organizations to monitor and ensure control over outsourced processes, with proportionality based on risk. |
Regulatory Enforcement | Noncompliance renders the device adulterated under the FD&C Act, subject to FDA action. | ISO 13485 compliance alone does not imply regulatory enforcement unless mandated by a jurisdiction. |