ComplianceAcuity

Blog

FDA QMSR: More than Meets the Eye. Are You Ready?

Posted by Kevin Randall In FDA, FDA Inspections, FDA QMS, FDA QMSR, ISO 13485, Medical Devices, QMS 0 comment

January 2, 2026

 

FDA QMSR: More than Meets the Eye. Are You Ready?

 

Introduction:

 

FDA’s new Quality Management System Regulation (QMSR) is nearly upon us. The QMSR replaces the current Quality System Regulation (QS Regulation). Specifically, after a generous two-year transitional period, the QMSR becomes effective in just a few weeks on February 2, 2026.

 

The QMSR represents a number of changes compared to the existing QS Regulation. Although FDA generally states that the QMSR is substantially similar to the outgoing QS Regulation, it nonetheless contains some significant changes about which firms need to be aware and for which specific QMS solutions need to be documented in the QMS.

 

As noted in previous blog posts, the QMSR amends FDA’s device current good manufacturing practice (CGMP) requirements of the 1996 QS Regulation (21 CFR Part 820) to harmonize and modernize it primarily by incorporating by reference ISO 13485:2016 3rd Ed., March 1, 2016. But it also includes additional unique requirements and conforming edits to clarify the device CGMP requirements. The devil is in the details of those additional requirements.

 

Although FDA’s QMSR doesn’t require firms to have an ISO 13485 certification, and although conformity with FDA’s QMSR doesn’t result in an ISO 13485 certification, it remains true for practical intents and purposes that conformity with the principles and contents of ISO 13485 is still of paramount importance. Moreover, FDA’s various unique aspects that FDA has retained or added on top of ISO 13485’s core elements, and in variation from the current Part 820, mean that firms have their work cut out for them during their transitional efforts.

 

Indeed, there are some 83 separate stakeholder/FDA interpretive discussions that FDA recorded in the QMSR preamble when promulgating the revised Part 820 QMSR. Thus, in addition to getting carefully familiar with the revised Part 820, and on top of building / assuring an ISO 13485 QMS, firms need to also be intimately familiar with the QMSR’s preamble so as to see how the QMSR differs from ISO 13485 and from the outgoing QS Regulation. It is not sufficient to simply read the revised Part 820 and ISO 13485, as such details are not published there. Remember that the preamble can be used by FDA (a law enforcement agency) in court to show FDA’s intentions. Thus, it is geneally understood that the additional requirements stated in the preamble are considered to have the same force and authority as the regulation itself.

 

Here is a snapshot of some key take-aways from the revised Part 820 itself along with particulars from the QMSR preamble:

 

Overview of QMSR Basic Structure/Contents:

 

Subpart A—General Provisions

      • 820.1 Scope.

      • 820.3 Definitions.

      • 820.5 [Reserved]

      • 820.7 Incorporation by reference (see ISO 13485:2016).

      • 820.10 Requirements for a quality management system: (a) document a QMS; (b) partial identification of other FDA regulatory requirements related to ISO 13485; (c) design control device scope; (d) traceability of life supporting/sustaining devices; (e) adulteration warning

 

Subpart B—Supplemental Provisions

      • 820.20–820.30 [Reserved]

      • 820.35 Control of records: (a) complaint handling and records; (b) service records; (c) UDI and UDI records; (d) Confidentiality of records

      • 820.40 Reserved]

      • 820.45 Device labeling and packaging controls.

 

Subparts C–O [Reserved]

 

QMSR Requirements Unique From ISO 13485:

      • Scope

      • Terminology/definitions (one example is that FDA is adopting ISO 13485’s definition of “product” as stated in the new Part 820, but FDA is also keeping its legacy definition)

      • Device traceability (Part 821, life-supporting/sustaining, initial consignee)

      • Complaint investigation scope, records,

      • Service records,

      • UDI and UDI records

      • Confidentiality of records

      • Labeling and packaging controls (prescriptive, copy of primary label/labeling)

      • Design reviews in general and regarding reviews of design verification

      • Design change control time-zero

      • “Clinical evaluation” is limited to FDA IDE / GCP scope

      • All processes require some form of qualification, verification, or validation

      • Customer property handling shall assure S&E

      • Scientific evidence for, and close monitoring of, acceptance by concession

      • Verify or validate process/device CAPA

 

New Items Not Covered by the Current QS Regulation:

      • Structure, order, descriptions, of ISO 13485

      • QMSR has a different structure and order than the QS Reg

      • QS Reg now called QMSR

      • DHF, DMR, DHR are still required, yet not called by these names

      • MDF (analogous to QS Regulation DMR) has some differences

      • “established” (defined, documented, and implemented) is now “documented” (established, implemented, and maintained)

      • FDA no longer taking enforcement discretion for review of internal audit, management review, and supplier audit reports

      • Process validation required where the process cannot be or is not fully verified

      • All processes require some form of qualification, verification, or validation

      • Risk-based storage added to existing extensive QS Reg risk-based approach

      • Requested records to be provided by FDA’s deadline

      • Electronic records/signatures (Part 11) allowed but must meet ISO 13485 too

      • Automated readers for labels/packaging must be supplemented by human sampling inspection

      • Clarification of existing practice: Packaging to be included in the label accuracy inspection

      • Corporate procedural control required for multi-site complaint handling operations

 

Implementation Approach Recommended by FDA:

      • Familiarize yourself with FDA regulations and applicable standards

      • Gap Analysis

      • Revise and implement robust documentation

      • Foster a culture of compliance

        • Train

        • Implement

        • Monitor

 

Feel free to reach out to ComplianceAcuity for help with your FDA QMSR transition!

Continue Reading

MDSAP QMS Internal Auditing Must Verify Regulatory Compliance

Posted by Kevin Randall In Certification, ISO 13485, ISO QMS, MDSAP, QMS 0 comment

November 24, 2025

 

MDSAP QMS Internal Auditing Must Verify Regulatory Compliance

 

If an organization performs internal auditing only to its SOPs but not also to check the SOPs’ and the organization’s regulatory compliance, then it would be in violation of MDSAP’s requirements for internal auditing. Such an approach would, upon discovery, result in an official nonconformity issued by the MDSAP AO. I explain further below.

 

First, remember that an MDSAP internal audit shall determine whether the MDSAP QMS conforms to planned and documented arrangements and QMS requirements established by the organization (i.e., auditing to the organization’s own SOPs), but also to requirements of ISO 13485 and applicable regulatory requirements. Remember also that “applicable regulatory requirements” is officially defined (in part) as requirements contained in any law applicable to the ISO 13485 organization (e.g., statutes, regulations, ordinances or directives). In addition, MDSAP elaborates on, and requires conformity with, applicable regulatory requirements like vigilance, recall, premarket authorization, registrations, etc., etc. So be sure your internal audit program covers all these.

 

Note also that internal audits are mandatory in addition to any external audits (except for colloquial “external” audits that are outsourced internal audits such as our clients do with us). True external audits (e.g., by the MDSAP Auditing Organization) do not fulfill the requirement for you to do internal audits. The longstanding general reasoning for this is because the external audits are relatively limited sampling opportunities to assess the QMS, whereas it is expected that the organization’s internal audit program will fill the gaps.

 

Finally, neither MDSAP nor ISO 13485 prohibit the organization from doing audits in phases. Thus, if the organization chooses to do a procedural audit first and an implementation audit separately, or in any other phased approach, then that is fully acceptable. Therefore, if a phased approach works best for your organization, then by all means, do so. The most important thing is that it works for the organization to meet applicable requirements. Avoid overly strict logistical mandates. Indeed, ISO 13485 and MDSAP specifically and intentionally allow for this kind of flexibility.

 

Feel free to reach out to ComplianceAcuity for help with your MDSAP QMS!

Continue Reading

FDA 483 Responses: How to Avoid a Warning Letter

Posted by Kevin Randall In FDA, FDA 483, FDA Inspections 0 comment

November 12, 2024

FDA 483 Responses: How to Avoid a Warning Letter

 

 

A firm’s proper actions in response to receiving a Form FDA 483 (“FDA 483”) is a broad subject that we can do training on for hours or even days. Thus, it may not be possible to cover all of the details here in a blog post. However, here is a high-level overview which necessarily starts before the FDA 483 is ever issued:

 

 

Even before any FDA inspection, be sure the firm is already proactively trained about the proper way to respond to an FDA 483. Consider supplementing this with an SOP explaining what to do when the time comes. This way, the firm isn’t scrambling and doesn’t misstep at that critical moment when the FDA 483 is presented.


During the opening meeting of the FDA inspection, request that the investigator inform the firm in real time if objectionable conditions were observed and are being noted by the investigator. It is common for the investigator to do so already; but it is still advisable to make this request anyway.


During the FDA inspection, request daily wrap-up discussions so as to facilitate preemptive dialogue between the agency and the firm regarding any questions that either party has about objectionable conditions that have been observed. A goal of this is that there be no surprises or new information presented at the closing meeting when the FDA 483 is officially issued.

 

At the closeout meeting when the FDA 483 is officially presented:

 

Politely and thankfully and respectfully acknowledge receipt. Have each FDA 483 Observation annotated to establish the firm’s cooperative and interactive stance. FDA’s standard operating procedure is to invite the firm into the annotation process; however, I have seen FDA investigators fail to follow their own SOP on multiple occasions before. Thus, be sure the firm takes the lead if needed to assure that the Observations are annotated. Some typical annotations (not comprehensive) are “Corrected and verified”, “Promised to correct” or, less commonly, and to be avoided if possible, yet definitely needed for an Observation with which the firm isn’t yet in agreement, “Under consideration”. Express the firm’s intent to provide FDA with a written response to the FDA 483 within 15 business days. By procedure, FDA looks for and expects this as part of deciding whether further FDA escalation is needed. Thank the investigator again for the inspection. Closeout.


 

After the inspection:


 

Prepare and submit to FDA a comprehensive written initial response to the FDA 483. Specifically,


 

Be sure the response is officially from Management with Executive Responsibility (MER), preferably the top officer (CEO/President) [though the response is actually generally ghost-written by the firm’s qualified FDA regulatory expert(s)]. MER needs to reiterate the firm’s intent to cooperate, to protect public health, and that it takes FDA’s Observations seriously. Address each FDA 483 Observation in itemized fashion. Specifically,

 

Open and cite a CAPA for each one including appropriate background or clarifying explanation. Process each CAPA at least through the risk assessment, root cause analysis, and planning of the required correction(s) and corrective action(s). Include a copy of the CAPA; don’t make the mistake of making promises or advising FDA about actions taken (e.g., CAPAs) without providing the corresponding objective evidence/proof. Include the firm’s intended closure date for each CAPA. Be realistic about the intended closure date; don’t rush things in a fit of good intentions to show commitment only to wind up having made promises that the firm can’t fulfill. FDA wants genuine proper action, and this oftentimes takes time; sometimes even a year for larger FDA 483s. For any corrections or corrective actions already taken, include evidence as mentioned above.

 

In cases where all of the CAPAs can’t be fully and properly processed and closed within the 15-business-day window, then provide FDA a promise of progress reports. Submit the response to FDA at the directed office and email address [e.g., Office of Regulatory Affairs’ Office of Medical Device and Radiological Health Operations (OMDRHO) Division 3 – West at [email protected]]. FDA will generally give a handout explaining which office is assigned for the firm’s geographical location.

 

Prepare and submit the promised progress reports, again to the same office as before. Do this until you receive a “VAI Letter”.


 

The process starts all over again.

Continue Reading

FDA’s QMSR Final Rule Issued

Posted by Kevin Randall In FDA, FDA QMS, ISO 13485, Medical Devices, QMS 0 comment

January 31, 2024

 

FDA’s QMSR Final Rule Issued

 

FDA has issued its Final Rule on its new Quality Management System Regulation (QMSR) amending its device current good manufacturing practice (CGMP) requirements of the 1996 Quality System (QS) regulation (21 CFR Part 820) to harmonize and modernize it primarily by incorporating by reference ISO 13485:2016 3rd Ed., March 1, 2016, but with additional requirements and conforming edits to clarify the device CGMP requirements.  The Final Rule is scheduled to be officially published in the Federal Register this Friday, February 2, 2024.  It will have a generous two-year transitional period whereby the Final Rule becomes effective on February 2, 2026.

 

The Final Rule contains FDA’s formal responses to 83 comment groups. For those of us who had already performed gap assessments using the Proposed Rule, here is a summary of the changes between the Proposed Rule and the Final Rule:

 

  • Various non-substantive clarifications that won’t impact the gap assessments performed by my firm

  • More broadly citing (but not changing) the FD&C Act’s existing adulteration basis for refusal of entry of foreign devices

  • Vocabulary

  • Adding additional parameters to be met for granting of a statutory variance(s)

  • More prescriptive complaint handling and records

  • Packaging and labeling controls adjusted (to prevent, among other things, mixups rather than errors, and to allow inspection any time before use rather than immediately before use)

 

Remember that the foregoing explanation compares the QMSR Proposed Rule to the QMSR Final Rule.  It doesn’t compare the current outgoing Part 820 (which the remains in effect through Feb. 1, 2026) to the QMSR Final Rule.  Stay tuned for that ultimate comparison.

Continue Reading

EU MDR Virtual Importers

Posted by Kevin Randall In CE Mark, EU MDR, Import 0 comment

January 25, 2024

 

EU MDR Virtual Importers

 

While I can see potential benefits of voluntarily creating an importer (along with the additional regulatory burden) to add a layer of compliance checks and balances, I strongly advise against the basis being an assertion that end users need regulation because they have, as one person said, “taken up responsibilities regarding safety and performance”. That in my opinion opens the door to more frivolous litigation against healthcare providers and/or manufacturers, and to more burdensome overregulation. It also seems to run contrary to a most fundamental tenet of Europe’s longstanding “common framework” and regulatory approach, which is to distinguish regulated economic operators and protect the public stakeholders on whom, or by whom, the devices are used.

 

If such a “virtual” (my terminology) importer is voluntarily invented/created by the stakeholders, then the manufacturer needs to remember that it will be required to execute a placing on the market of those devices to said virtual importer.  Specifically, the manufacturer and importer would be required to execute (and thereafter be able to prove) that there was an offer or an agreement (written or verbal) by the manufacturer to transfer ownership, possession or other property right concerning the product in question to the importer rather than the end user.  Again, such an arrangement could certainly be of value to reduce liability risk in those cases where the manufacturer has the bandwidth for such voluntary additional regulatory burden.  In fact, I have advised clients to do this at times, though not based on asserting that the end users had taken up responsibilities regarding safety and performance.

Continue Reading

UK and EU End Users Are Not Importers

Posted by Kevin Randall In EU MDD, EU MDR, Import, UK MDR 0 comment

January 25, 2024

 

UK and EU End Users Are Not Importers

 

Generally speaking, end users are not considered to be importers.  This is the same for the UK and the MDD/MDR alike.  For example, the European Commission’s Directorate-General (DG) for Health and Food Safety advised me of that interpretation regarding the MDR, specifically saying, in part, that in both Regulations [(EU) 2017/745 (Article 2(33)) and (EU) 2017/746 (Article 2(26)], “importer” is defined as “any natural or legal person established within the Union that places a device from a third country on the Union market”.  And therefore that, if a manufacturer established outside the EU places a device on the EU market directly to a user, in such a case there is no importer, as there is no person established within the Union placing a device from a third country.

 

For the UK, end users don’t generally meet the UK regulations’ trigger for “supply” or placing on the market.  If instead the end user places the devices on the market or makes them further available on the market, then UK MDR regulatory obligations would ensue.  As long as the end user only uses the devices for their own particular end use, then they aren’t supplying or placing the devices on the market.

Continue Reading

Are DoC Updates Required for Software Version Changes?

Posted by Kevin Randall In Declaration of Conformity, EU IVDR, Software, Technical Documentation, UK MDR 0 comment

January 22, 2024

 

Are DoC Updates Required for Software Version Changes?

 

In general, yes.  I explain:

 

Remember that the MDR requires the manufacturer to “continuously update the EU declaration of conformity”.  For example, if the Technical Documentation (TD) is different for version 3.0 compared to 3.1 to 3.1.1 to 3.2, then the DoC needs to be updated accordingly along the way. Indeed, as soon as the TD is updated, the prior corresponding DoC is no longer valid.  The Blue Guide states that the DoC is specific to each individual product, even if they are manufactured in series. The Blue Guide also states that, in practice, the same version of the DoC may be applicable to many individual products (or versions) which are manufactured in series. However, as soon as any of the elements of the EU declaration of conformity changes, the version of the DoC will have to be updated.

 

But we do have some flexibility with the format of the DoC. Ultimately, multiple different devices or versions may be encompassed by a single DoC.  This is based on traditional precedent from the Blue Guide, EN ISO/IEC 17050-1, etc.  As long as all the required fundamental DoC contents/elements (e.g., per Annex IV of 2017/745) are clearly distinguished for each subject device or version, then multiple devices or device versions can be present on the DoC.

Continue Reading

U.S. FDA 510(k) Clinical Data Requirements

Posted by Kevin Randall In 510(k), Clinical Evaluation Reports, Clinical Investigations, FDA 0 comment

January 19, 2024

 

U.S. FDA 510(k) Clinical Data Requirements

 

I always reminded clients that clinical data may not be required at all for a 510(k) subject device even though clinical data may have been required for the predicate.  A pre-sub(s) is generally a good idea and in all parties’ best interest for unusual scenarios rather than cutting corners, rushing, and/or guessing.

 

Ultimately, a 510(k) sponsor is expected to employ clinical data when necessary to meet the statutory “substantially equivalent” threshold compared to the predicate.  But that is easier said, than explained or done.  For example, FDA says that the need for 510(k) device clinical testing typically depends on many factors including device type, intended use, design, safety profile, and clinical experience. I’ll give some basic principles below.  But a careful expert regulatory analysis is needed for the exact subject device in order to help flush out the various attributes of each case.

 

 

In guidance, FDA explains that, while substantial equivalence is generally a “comparative” concept between subject and predicate rather than a PMA’s independent demonstration of the subject’s safety and effectiveness, FDA reminds us that the principles of safety and effectiveness still underlie the substantial equivalence determination in every 510(k) review.  FDA reminds us that its 510(k) review decision must reflect a determination of the level of control (e.g., clinical data) necessary to provide a “reasonable assurance of safety and effectiveness”.  Therein lies a junction where FDA’s requirements for clinical data (and/or increased non-clinical data) can be triggered for a 510(k) device.  Thus, the substantial equivalence concept can be awkward and ambiguous for all parties, as the goal of a 510(k) is not to show safety and effectiveness, yet, in a sense, actually is. In practice over the years, this underlying safety and effectiveness requirement for 510(k) devices appears to have caused 510(k)s to evolve into something more like mini-PMAs as compared to a few decades ago.  But I digress.

 

The simplest and most reliable way I can think of to explain when clinical data might be needed for an unusual 510(k) device is for us to approach it statutorily; a 510(k) is after all a statutory instrument.

 

Specifically, clinical data may be needed when the subject device has a different intended use and/or different technological characteristics that raise new questions of safety and effectiveness as compared to the predicate.  The expert regulatory strategy/analysis for each case needs to carefully draw out these considerations for the subject device as compared to the predicate.

 

FDA has a basic thought process it applies when reaching a decision that clinical data are needed for a 510(k) device. In a nutshell, it is when descriptive and non-clinical data are insufficient to meet the statutory substantial equivalence threshold.  FDA in guidance tries to bring further clarity on this threshold by giving some examples, including new or modified indications, technological differences, and limited or inappropriate non-clinical data.

 

We also need to be keenly focused on the output from the subject device’s design validation step.  The aforesaid purely theoretical/statutory principles need to be combined with the subject device’s own organic requirements as driven by its design control process.

 

I’ll pause here as the specifics of each case really do need to be known and expertly analyzed in order to derive the best regulatory strategy.

Continue Reading

Notifying Your European Notified Body About Non-Significant Changes

Posted by Kevin Randall In Change Management, EU MDR, QMS 0 comment

January 11, 2024

 

Notifying Your European Notified Body About Non-Significant Changes

 

Europe’s Union MDR (Regulation 2017/745) includes legislative authority (e.g., in Annex VII sec. 4.9) for Notified Bodies (NBs) to require a manufacturer to notify the NB about certain kinds of changes [e.g., QMS, product range, device design (including labeling), intended use or claims, type, and chemical substances) without clear regard to significance. This is to enable the NB to assess the impact. Because that includes a concomitant requirement for the NB to have in place corresponding documented procedures and contractual arrangements, you should be sure you understand your particular NB’s change notification requirements by reviewing your NB contract to see about the possibility for negotiation and to double check that any of the NB’s related requests are within the parameters of the contract.  The best time to negotiate is before the contract is executed.  Once executed, it is more difficult to realize deviations if either party doesn’t like what’s in the contract.

 

 

Internally, you need to be sure your QMS has corresponding interfaces.  First is in your change management process whereby you need to screen changes against the NB’s notification requirements.  For those changes that meet the regulator’s (e.g., the NB’s or other agency’s such as Health Canada’s) notification thresholds, I have in the past set up a database and form to record such changes in a strategic way for presentation to the regulator for this context.  Then these strategic record(s) of change(s) are submitted to the regulator (e.g., the NB) in accordance with its applicable procedures and timelines that will be in your contract.

Continue Reading

Difficulty Submitting Part 806 Report via FDA’s ESG Gateway

Posted by Kevin Randall In FDA, FDA ESG Gateway 0 comment

December 12, 2023

 

Difficulty Submitting Part 806 Report via FDA’s ESG Gateway

 

If for various reasons you are unable to submit your FDA Part 806 Report of Correction or Removal via FDA’s ESG Gateway, then another option is to have a third party submit your 806 report using the third party’s active ESG production account. For example, due to submitters’ various ESG account issues of late, my firm has had clients approach us to submit their ESG submissions using my firm’s valid account.  We’d be glad to do that for you too if you’d like to reach out to me further.

 

Regarding format, two typical choices regarding Part 806 reports are to use the eSubmitter, or to prepare the Part 806 report the traditional way with a word processer using a proven format.  My firm’s Part 806 format has been proven to lead to reliable recall closure concurrence from FDA and I’d be glad to discuss that further with you as well.  Or, if you already have an eSubmitter output file for your Part 806 report and the various attachments and data are sensibly associated with the body of the report via proper document publishing, labels and/or bookmarks such that the FDA recall coordinator can easily navigate the document, then you could also submit it that way directly to the recall coordinator’s contact point.

Continue Reading
© Compliance Acuity. Website by Modernize My Site
This website uses GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
Search
Generic filters
Exact matches only
* Type a keyword then press Enter