ISO 13485, 21 CFR 820, QMSR and MDSAP.
Medical Device Regulators agree on a lot of the requirements for a manufacturer to keep patients safe; however, despite at least 60 years of developing and aligning on quality management system frameworks, there still isn’t a true international standard or framework for developing a quality management system.
For many businesses, scaling internationally is a ‘must-do’ activity, so considering the possible implications of taking a quality management system to a new market or new regulator, must be done so early. Whilst many countries recognise international standards like ISO 13485 as the de-facto standard for developing a quality management system, many countries have additional expectations. These include:
- 21 CFR 820 (USA until February 2026)
- QMSR (USA from February 2026)
- MDSAP (mandatory in Canada, recognised in USA, Australia, Japan and Brazil)
- EU MDR (EU)
Written by our Head of Quality and Regulatory Affairs, Daniel Mannion, this blog aims to breakdown some of the common quality management system frameworks which medical device manufacturers may consider as they take their product to market.
What is a Quality Management System?
ISO 13485:2016
“A Quality Management System ensures an organisation’s] ability to provide [products and services] that consistently meet customer and applicable regulatory”
ISO 90001:2015
“A Management System is the interacting elements of an organisation to establish policies, objectives and processes to achieve those objectives”.
A Quality Management System is how a company makes sure its products and/services meets the requirements of their customers and regulators – it includes setting targets that will support the company in ensuring customer satisfaction then setting up processes to meet those objectives It also covers the people employed by or contracted with the company, their skills, experience and knowledge and their understanding of customer requirements, the infrastructure, technology, financial and supplier resources the company has at its disposal. Furthermore, done well, a Quality Management System can often set the tone of company culture across the entire business and be the foundation on which a business can strive for continuous improvement.
Quality Management Systems tend to be broader in scope than most expect, reaching into requirements for Sales, Marketing, Customer Support, Finance and Purchasing as well as the Senior Management of the company – not just Development, Production and Release.
Also, don’t let the title fool you – just because it is a “Quality” Management System, that doesn’t mean only your Quality team are involved – it’s a requirement of ISO 13485 and 21 CFR Part 820 that “Top Management” establish the Quality Management System, its Policies and Objectives. Quality Management Systems only work well when the Management Team and the business are on board with them and they act as the centrepiece of quality assurance for all relevant departments
What is ISO 13485?
ISO 13485 is an international standard for quality management of medical devices that includes requirements that apply across a business and its suppliers to ensure its medical devices meet customer and regulatory requirements. It is based on ISO 9001 (which is a standard for quality management of any product or service) and is structured for ease of integration with other ISO Management System Standards.
Benefits
ISO 13485 is recognised across the globe in guiding compliance of medical devices. It is recognised by regulators in the UK and EU as well as Australia, Japan, Saudi Arabia, Singapore, Malaysia and many other countries as the primary or only method for demonstrating compliance with Quality Management System requirements under Medical Device Regulations.
Quality Management Systems for EU MDR.
The EU Medical Device Regulation (EU MDR 2017/745) requires the establishment of a Quality Management System. The European Commission (Executive Arm of the European Union) has adopted (harmonised) ISO 13485 as a standard to fulfil the Quality Management System requirements of the EU MDR.
So follow ISO 13485 and meet the Quality Management System requirements of EU MDR, right? Not quite.
EN ISO 13485:2016+A11:2021 includes Annex ZA (“Relationship between this European standards and the requirements of Regulation (EU) 2017/745 aimed to be covered”). This Annex includes an assessment of where ISO 13485 meets the Quality Management System requirements (specifically, the obligations of a manufacturer) of EU MDR and where it does not.
Unfortunately, in order to meet the EU MDR requirements, you’ll need to go through this table and perform a gap analysis of your Quality Management System to ensure the requirements in EU MDR that are not in ISO 13485 are also covered.
This is standard practice in harmonisation of standards in the EU and in fact, you’ll find a table much like this in most harmonised standards. I suppose it can be expected when trying to make an international standard and one that covers regional regulations and as you’ll see below with regards to the QMSR, the FDA have their own deviations from ISO 13485, but it’s not very well communicated/understood by many manufacturers and can cause a lot of problems when a Notified Body or Competent Authority comes to review your Quality Management System.
I’d recommend keeping a section in your Quality Manual to explain how you meet each of the Requirements of Article 10 (Obligations of Manufacturers) of EU MDR in a similar vein to how the Quality Manual explains you meet the requirements of ISO 13485 clauses.
Note for IVD Manufacturers – Annex ZB performs the same function for IVDs under EU IVDR 2017/746 as Annex ZA does for non-IVDs.
Quality Management Systems for the US FDA.
The Quality System Regulation (QSR), 21 CFR Part 820 and Medical Device Good Manufacturing Practices (CGMP) all refer to the US Food and Drug Administrations Regulation related to Quality Systems for medical device manufacturers.
Rather than adopting ISO 13485 like many other countries have done, the US had maintained its own document as a Regulation (which makes it free, rather than an ISO standard that you have to pay for) instructing medical device manufacturers what is required for a Quality System (broadly interchangeable with a Quality Management System).
There are a few reasons why the FDA did not adopt ISO 13485:
- They have a fair claim that ISO 13485 was somewhat copying the FDA’s homework – there are a large number of similarities between the two documents (more on this later) and that the FDA had done this first – if someone copies from you, why go to the effort of adopting their version.
- Resistance from manufacturers – for manufacturers in the US only serving the US market, the QSR is familiar and changing to meet new requirements would require at least some effort in terms of training and re-drafting documentation.
- Copyright – the FDA were insistent that if ISO 13485 were to replace the QSR, then ISO 13485 would become part of US law and US law must be available freely to the public; however ISO standards are copyrighted materials that are the primary source of ISO’s funding – without charging for standards, ISO would be unable to continue developing new standards and new versions of standards. As such, the FDA needed to agree with ISO a licensing agreement to make ISO 13485 available for free to the public and as this would be online, this would mean making ISO 13485 free essentially internationally.
There are some differences between ISO 13485 and QSR, for example:
- an FDA auditor will look for your Design History File, Device Master Record and Device History Record and expect you to know which is which (even I forget which is which on a bad day)
- ISO 13485 references a “Medical Device File” that is not found anywhere in the QSR.
- Both have specific language on when a consultant is a supplier or a Human Resource.
Along comes Quality Management System Regulation
In January 2024, to much trumpeting (at least amongst my LinkedIn contacts), the FDA Quality Management System Regulation was announced. “The FDA has finally adopted ISO 13485!”. Well, kind of.
As many people have known all along, QSR and ISO 13485 were so similar as to be nearly indistinguishable – in fact the FDA said so themselves in their comments on this Regulation:
“The previous QS requirements were, when taken in totality, substantially similar to the requirements of ISO 13485. Where ISO 13485 diverges from the QS regulation, these differences were generally consistent with the overall intent and purposes behind FDA’s regulation of QMSs. Almost all requirements in the QS regulation corresponded to requirements within ISO 13485.”
Unfortunately, as with the EU, it’s not that simple:
“We recognize, however, that reliance on ISO 13485 without clarification or modification could create inconsistencies with FDA’s statutory and regulatory framework. Therefore, as detailed in this rulemaking, we are adding additional definitions and provisions.”
So, similarly to Annex ZA and ZB tables in EN ISO 13485:2016+A11:2021, the “Final Rule” (the document which implements the Quality Management System Regulation) has some amendments to ISO 13485 you’ll need to take into account (and preferably record in your Quality Manual); however, for any company already undertaking MDSAP audits for the US market, they will look awfully familiar.
Many will be very glad to hear that they no longer need to remember the difference between a DHF, DMR and DHR – well in two years or so. The FDA is not implementing this rule immediately and nor are they allowing a “transition period” where you may switch across to the new regulation when you’re ready. You have to be compliant with QSR until February 1st 2026 and compliant to QMSR from February 2nd 2026. In practice, this means that you’ll need to keep running a QSR compliant Quality Management System until the deadline date, but work to incorporate changes under QMSR so that they are both in place by February 2026 – confused? I guess we’ll see how it goes. In their comments, the FDA have said they don’t expect it to be particularly difficult because of the similarities between the two regulations, but they did extend their timeline from 1-year to 2-years to allow more time for manufacturers to adapt.
Quality Management Systems for the Rest of the World.
The Medical Device Single Audit Program (MDSAP) is an agreement between the medical device regulatory agencies of the USA, Canada, Japan, Brazil and Australia to mutually recognise quality management system inspections of manufacturers and a method to carry out these inspections and qualify the companies and inspectors who perform them.
MDSAP is run by the International Medical Device Regulators Forum (IMDRF) and is being “observed” by the EU, Singapore, UK and WHO. It is only mandatory for the sale of medical devices in Canada, but can save a lot of time, effort and money for manufacturers hoping to reach multiple markets.
MDSAP is based on ISO 13485, but covers the US market, which does not (yet) recognise ISO 13485. It represents an international recognition that ISO 13485 and QSR and so similar that with a few “country-specific requirements” from the US (which are on the scale of other country-specific requirements from the other participating countries), ISO 13485 and QSR can be addressed in the same audit.
Integration with Other Standards?
ISO 13485 is an ISO Management System Standard. This may seem like an obvious statement given the name, but there is something specific about ISO Management System Standards that is worth mentioning – they are designed to be easy (easier?) to implement other Management System Standards alongside them. Need to manage Information Security in your company – why not Integrate ISO 27001 for Information Security Management. AI Development – why not Integrate ISO 42001 for an AI Management System?
Benefits
The standards are written to allow easy shared processes (e.g. document management, training and competence, auditing) and documents (e.g. policies, objectives, manuals) and to allow integrated certification audits (having external auditors audit to multiple standards at the same time, saving time and money from your external audit costs).
The ISO Management System Standards Model also allows you to integrate other company activities or objectives – for example international medical device regulations, the NHS Data Security and Protection Toolkit or UK government CyberEssentials, CQC requirements, ISO 14971 or DCB0129 Risk Management. By taking an integrated approach, businesses can take a comprehensive quality management approach to all standards and compliance requirements, using the management system as means of quality control.
Need Help?
Whether it’s developing a Quality Management System for multiple territories or adapting existing documentation ready for a new market, we can help. We go beyond the tick box to help businesses implement standards and harmonise their compliance requirements to de-duplicate work and reduce costs.
Get in Touch
We’re here to help with your Medical Device Quality related queries. Speak with a member of our team today to find out how we can support your global expansion or initial product registration.