FDA Recognizes It's Time for QSR 2.0
22 years after it became effective, medical device Quality System Regulation is ready for a makeover.
FDA first announced its intention to “harmonize and modernize” the Quality System Regulation (QSR) for medical devices in Spring of 2018. The idea is to modernize the regulatory framework and harmonize the requirements with the newly revised ISO 13485:2016, the international standard for medical device quality management systems.
Well, it’s about time!
Implementation of the QSR under 21 CFR Part 820 in 1997 was a major step as it added significant new Design Control requirements for device design and development. MedTech industry at the time considered these new requirements to be a significant compliance burden. FDA justified these new requirements through a cost-benefit analysis and claimed that the estimated average annual benefit of $180-$220 million in “lives saved” was economically significant compared to the estimated incremental cost of about $82 million to the industry. In the final rule announcement, FDA declared that “the objective of this rule is to reduce the number of fatalities and injuries attributable to defective medical devices.”
It is arguable if the QSR has succeeded in accomplishing this objective. According to recent reporting by Associated Press, more than 1.7 million injuries and nearly 83,000 deaths suspected of being linked to medical devices reported to the FDA over a 10-year period since 2017. Industry track record on compliance, especially with respect to the Design Control requirements, is also not particularly noteworthy. FDA warning letters routinely cite deficiencies in Design Control and CAPA, two of the most critical elements of an effective Quality Management System (QMS). A warning letter from the FDA is serious business, but these warnings have failed to fundamentally improve industry practices.
One of the major deficiencies of the QSR relates to consideration of risks and requirements for risk management. Although there is a fair amount of discussion about risk in the preamble to the QSR, there is only one specific requirement of risk analysis tucked away within requirements for design validation in 820.30(g). Nowhere in the preamble, or within the regulation, is the concept of lifecycle risk management even mentioned. Risk analysis is only one part of the lifecycle risk management required by ISO 14971, the FDA-recognized international standard for risk management of medical devices. Understanding and implementation of risk management principles, as a result, has been very limited in the industry.
Risk is a fundamental concept behind ISO 13485:2016 requirements for a medical device QMS to ensure safe and effective products (and services). Interesting to note that ISO 13485 defines the term “risk” exactly as in ISO 14971, and for all practical purposes, also expects conformity to the risk management requirements. In this context, it is very surprising that FDA opted to require only a limited portion of these requirements in the QSR and still expected to achieve its mission of enabling safe and effective products in the US market.
As the Medical Device Single Audit Program (MDSAP) expands across the world with an exponential rise in the number of participating firms, it is yet another reason for FDA to harmonize the QSR with evolving international standards. Although, FDA now accepts MDSAP audit reports from participating firms as a substitute for routine inspections, the Agency can still decide to conduct additional for-cause or other types of inspections. Compliance burden on medical device manufacturers have not yet reduced since their QMS must continue to comply with the QSR.
FDA has recently taken many steps towards adapting a least burdensome approach to regulatory oversight. Harmonizing and modernizing the QSR is the next logical step, but it is not likely to be a quick process. Joseph Tartal, Deputy Director in the CDRH Office of Communication and Education shared his thoughts in a recent FDA Regulatory Education for Industry (REdI) conference and compared the QSR with ISO 13485:2016 using the CAPA system requirements. The main point of the discussion was to highlight the similarity in intent and purpose, but also acknowledge significant differences in the structural layout of the QSR and ISO 13485. In short, the harmonization process will take time to fully develop, which will then be followed by a period of public comment. He did not provide a timeline, but it is unlikely to happen in the next couple of years.
FDA intends to harmonize and modernize the Quality System regulation for medical devices. The revisions will supplant the existing requirements with the specifications of an international consensus standard for medical device manufacture, ISO 13485:2016. The revisions are intended to reduce compliance and recordkeeping burdens on device manufacturers by harmonizing domestic and international requirements. The revisions will also modernize the regulation.
- Proposed Rule announcement by FDA RIN 0910-AH99
In the meantime, manufacturers are advised to “keep current” on potential regulatory changes being proposed by FDA and understand how these changes may relate to their QMS. A good understanding of the similarities and differences in QSR and ISO 13485 requirements will be important to identify redundancies and gaps in the QMS. See links below for Association for the Advancement of Medical Instrumentation (AAMI) and NSF International resources that can be used to guide these efforts.
In conclusion, changes are coming to the medical device Quality System Regulations. The best way to prepare is to focus on implementing an effective risk management system and integrating it within your QMS. Compliance to regulatory requirements follows naturally when risk management is effective. No matter what changes to the QSR are made in future, you have a much higher chance of sustaining a high level of compliance with an effective risk management system.
Medical Device Single Audit Program (MDSAP), June 2019