When the US Food and Drug Administration’s (FDA) new Quality Management System Regulation (QMSR) comes into force in early 2026, medical device manufacturers run the risk of falling down if they failed to start the process of updating standard operating procedures (SOPs) for quality systems right now, industry experts advise.
The QMSR will replace the FDA’s current decades-old Quality System Regulation (QSR), which is the agency’s bedrock rule for ensuring that only safe and effective devices make their way to market. In developing the QMSR over a number of years, the FDA created a hybrid regulation that combines agency-specific requirements with those of quality systems standard ISO 13485:2016 from the International Organization for Standardization (ISO).
“Start procedures work early so people have the maximum amount of time to familiarize and get comfortable with any alterations in processes or procedures,” said MedTech industry expert Ricki Chase, who is president of R. Chase Consulting. “If you do that, then by the time the QMSR is valid, you’ll be ready, and your people will be ready and feel comfortable.”
That’s just one tip from Chase, who offers advice alongside Eric Henry, senior quality and regulatory compliance advisor for the law firm King & Spalding’s FDA and life sciences practice. Part 1 of this story, which covers tips one through four from Chase and Henry, can be found here. Tips five through eight are below.
5. Review risk management procedures and templates and make sure they’re aligned with risk standard ISO 14971:2019. Henry said one of the primary motivators for the FDA harmonizing the QSR with ISO 13485 is that the standard is much more explicit regarding full lifecycle risk management. The agency under its QSR only strongly recommends that manufacturers use ISO 14971.
“That being said, ISO 13485 references the ISO 14971 risk management standard but does not come right out and say that companies must be compliant to it to do risk management,” he said. “The FDA takes a very similar tack in the preamble to the QMSR by saying, ‘We're so proud that we have been involved in ISO 14971 since its beginning, and we are still involved. However, we are not incorporating ISO 14971 by reference to the QMSR, and a ‘however to the however’ is that we still believe ISO 14971 is valuable to better understand how to implement ISO 13485.’”
He added that the FDA “dances around the standard” because there can be special circumstances when a company under agency oversight might not find ISO 14971 to be the right fit. “But I strongly recommend that companies just bite the bullet and adopt ISO 14971, and if you haven't already adopted ISO 14971 as your driver for risk management, make it part of your QMSR implementation plan,” he said.
“It should also be noted that the FDA has recognized ISO 14971:2019 as a consensus standard, so you will be in good graces with the FDA if you adopt it.”
6. Update complaint handling procedures to meet new QMSR requirements around the management of multiple complaint handling units. “You must have a single complaint handling unit that is ultimately responsible for coordinating all the other complaint handling units and the complaint handling functions. And the QMSR goes into some detail around when it believes that a complaint investigation must be initiated,” Henry said. “So that that may make some significant changes in your procedures around complaint management.”
7. Corrective and Preventive Action (CAPA) procedures should reflect the QMSR’s requirement that the CA be separated from the PA. “The FDA adopted the ISO 13485 idea of CAPA, which is not corrective and preventive actions, but corrective actions as one concept and preventive actions as a separate concept,” Henry said. “And the agency went further to adopt the idea of corrections in a CAPA program, especially as it relates to complaint investigations, which is a step up in maturity in terms of how you characterize all the things you do in a CAPA system.”
8. Inspection procedures should be updated when the FDA eventually releases a retooled Quality System Inspection Technique (QSIT). In use since 1999, the current QSIT is a roadmap for investigators as they inspect manufacturing facilities. In addressing stakeholder comments around its new quality systems rule, the FDA said it “intends to replace its current inspection approach for medical devices, QSIT, with an inspection approach that will be consistent with the requirements of the QMSR.”
Consultant Chase, who is also a former FDA investigations branch director, said device company procedures should take into consideration a new QSIT, although it could take the agency a few years to release an updated inspection model.
“Industry doesn’t want to admit it, but notified body audits are not anywhere near the challenge of an inspection by good FDA investigator. With the new QSIT, I’m concerned that it will become more aligned with what you would see during a notified body audit,” she said, claiming that investigators “often just check the box” when conducting QSIT-based inspections.
“I was never a huge fan of QSIT from the very beginning because I believe it puts blinders on investigators,” Chase added.
While it’s not yet known how the FDA will change QSIT, Chase said she’s “absolutely certain” that risk management will play a key role. “A big challenge here is that the FDA will have to find a way to not have investigators sitting in a firm domestically for two or three weeks. The agency will want to maintain control over a risk-based assessment where investigators could get in and get out, and get more work done with fewer people. But other than a certainty that it will be risk-based, there’s no clue yet what the new QSIT will look like.”