A Few ISO 13485 and ISO 14971 Questions Device Firms Should Ask Themselves in Preparation for the QMSR
As we continue to wait for the FDA to finalize its QMSR, here are a few questions to consider regarding the two intersecting ISO standards.
In May of last year, RAPS reported that CDRH director Jeff Shuren was aiming to finalize the QMSR by the end of 2023. Despite the FDA’s efforts, the agency wasn’t able to hit that goal. The rule is still under review by the White House and will likely be released to the public by late January or early February.
Also last May, an excellent column appeared in MedDevice Online, revealing the intersections of ISO 13485 and ISO 14971 under the FDA’s proposed QMSR.
Authored by two experts in medical device risk management — Edwin L. Bills, a seasoned member of the ISO group responsible for ISO 14971:2019 and ISO TR 24971:2020, and Christie Johnson, who recently joined the ISO TC 210 committee for medical device risk standards — the piece artfully walks through the thrust of the harmonized regulation and points out where the two ISO standards intersect.
The main point: Since ISO 13485 directly references ISO 14971, harmonizing the existing QSR with ISO 13485 also means harmonizing it with ISO 14971. Impacted firms should assess against — and make sure they’re aligned with — both of these standards.
Also check out our 2022 deep-dive of the proposed QMSR.
Intersections at a glance
While we strongly recommend reading the full column, here’s a high-level distillation of the main points of intersection the authors identify between ISO 13485:2016 (the medical device quality systems standard) and ISO 14971:2019 (the medical device risk management standard):
Alignment on the Definition of Risk: The authors point out that ISO 13485:2016 refers to the definition of “risk” as per ISO 14971. This alignment ensures consistency in how risk is understood and managed in the context of medical device safety and performance.
Risk Management Integration into Product Realization: ISO 13485:2016 requires risk management activities to be incorporated throughout the product lifecycle, including the design and development stages. This is aligned with ISO 14971:2019, which focuses specifically on risk management for medical devices.
Design and Development Inputs: The authors note that ISO 13485:2016 requires the outputs of risk management activities to be considered as inputs in the design and development process of medical devices. This ensures that potential risks are evaluated and mitigated early in the product development phase.
Feedback and Post-Market Surveillance: ISO 13485:2016 emphasizes the importance of collecting and analyzing feedback from post-market surveillance. This feedback should be integrated into the ongoing risk management process as outlined in ISO 14971:2019 to maintain the safety and performance of medical devices throughout their lifecycle.
Documentation and Record Keeping: Both standards stress the importance of comprehensive documentation and record-keeping. ISO 13485:2016 focuses on the quality management system documentation, while ISO 14971:2019 requires a detailed Risk Management File for each medical device, documenting all risk management activities.
Quality Management System Requirements: ISO 13485:2016 outlines requirements for a quality management system that includes processes for risk management, aligning with the risk management principles and activities detailed in ISO 14971:2019.
Life Cycle Perspective: Both standards advocate for a life cycle approach to risk management. ISO 14971:2019 explicitly focuses on risk management throughout the entire lifecycle of a medical device, a principle that is also embedded within ISO 13485:2016.
A few questions to drive your gap assessment
The authors clearly state that firms should assess against both ISO standards:
With the upcoming revision of 21 CFR 820 into the QMSR, it is important that manufacturers conduct gap assessments for both ISO 13485:2016 and ISO 14971:2019 requirements to assure they will be ready when implementation of the new QMSR occurs. Following the gap assessments, a review of the proposed regulation as it appears in the Federal Register will be appropriate to note the additional items the FDA proposes to add in the QMSR and any other changes, such as in definitions. Implementation of the new regulation should reduce the burden on manufacturers from having to comply with the differing current regulations and should simplify documentation requirements as well.
We wholeheartedly agree that manufacturers should assess their current systems against ISO 13485:2016 and ISO 14971:2019 standards with a few key gaps in mind.
First, manufacturers should ensure that their risk management activities are conducted early in the product design process, as per ISO 13485:2016 requirements. This means integrating risk management considerations into the product development lifecycle from the design input stage. Manufacturers also need to make sure they’re maintaining an updated and comprehensive Risk Management File for each medical device, encompassing all aspects of risk throughout the product lifecycle.
Here are a few specific, high-level questions that acknowledge these intersections and can help form a more focused gap assessment:
Quality Management System (ISO 13485:2016) Compliance:
Have we documented our QMS processes comprehensively, and do these align with the requirements of ISO 13485:2016?
Does our system effectively address the management of records, documentation control, and management responsibilities? (ISO 13485:2016 often requires more extensive documentation and record-keeping than the QSR. This includes maintaining records for longer and more detailed documentation of design controls and changes. ISO 13485:2016 also requires regular management reviews with specific inputs and outputs. These reviews might need to be more frequent or detailed than what is required under the QSR.)
Risk Management Integration (ISO 14971:2019):
How effectively is risk management integrated into our QMS as required by ISO 13485:2016, and does it align with the risk management activities outlined in ISO 14971:2019?
Are we aligning with the definition of 'risk' as per ISO 13485 and ISO 14971, and is this definition consistently applied across all stages of product realization?
Do we have a process for identifying hazards, estimating and evaluating risks, and implementing risk controls?
How are residual risks managed and documented?
Design and Development (Alignment with ISO 13485:2016 and ISO 14971:2019):
Are risk management activities completed and documented before the design input stage?
How are the outputs of risk management activities used as inputs in the design and development process?
Is there a process for updating design requirements based on new risk information obtained during product realization?
Supplier and Outsourced Process Management:
How do we evaluate and select suppliers and manage outsourced processes in line with ISO 13485:2016?
Do we assess the risks associated with external suppliers and outsourced processes, and how are these risks managed?
Product Realization and Lifecycle Management:
In what ways does our current product realization process reflect the risk management requirements of ISO 13485 and ISO 14971, specifically in the stages of design, development, and post-production?
Does our product realization planning process adequately document risk management activities, and are these records maintained as per the requirements? (Clause 7 of ISO 13485)
How do we ensure that the product meets both customer and regulatory requirements throughout its lifecycle?
Feedback and Post-Market Surveillance:
Are our post-market surveillance activities effectively contributing to life cycle management and regulatory requirements in alignment with ISO 14971 and ISO 13485 standards?
How are feedback mechanisms from production and post-production stages feeding into our risk management system?
Documentation and Record Keeping:
Are our documentation and record-keeping practices in compliance with ISO 13485:2016 standards?
Do we have a comprehensive and up-to-date Risk Management File for each product as required by ISO 14971:2019?
Other considerations
In addition to assessing and updating the quality system to align with these standards, we’ve been suggesting a few other considerations for companies that market medical devices:
Consider participating in the Medical Device Single Audit Program (MDSAP). MDSAP allows firms to undergo a single audit that satisfies quality regulations for multiple regions (the US, Canada, Brazil, Japan, and Australia) and is based on ISO 13485:2016. Successfully passing an MDSAP audit can demonstrate compliance with ISO 13485, providing a smooth transition to the QMSR. We’ve helped many companies run MDSAP prep audits. Talk to us if you’re interested.
Don’t rely solely on existing ISO 13485 certification. Companies already compliant with ISO 13485 shouldn't be complacent and assume they’re prepared for the QMSR. These companies should actively review and understand the specifics of the upcoming QMSR to ensure full compliance.
Develop a cross-reference/matrix document. Both compliant and non-compliant companies should develop a cross-reference or matrix document. It should map the requirements of the QSR, ISO 13485, and the proposed QMSR. Use it to educate the team about the company’s quality system and its compliance targets. Check out our guide for a start on this — we created a generic comparison matrix that calls out key differences.
Understand the expanded role of risk management. Given that risk management plays a larger role in ISO 13485 and the forthcoming QMSR, companies should ensure that their risk management processes are robust and compliant with ISO 14971, the medical device risk management standard.
Talk to us about scheduling your gap assessment
The QMSR, in its currently proposed form, introduces a new framework for the medical device QSR, which the industry has been waiting for. If finalized without extending its current compliance timeline, there won't be much time to comply before the effective date. Certain suggested modifications, as summarized here, are likely to have a substantial impact on many firms.
Impacted companies may want to consider strategizing harmonization efforts now. We help thousands of life science companies access the top talent they need to navigate and manage regulatory initiatives like these through three convenient engagement models: consulting projects, staff augmentation, and FTE recruitment.
We’ve helped firms assess against both of these ISO standards and, when desired, plan and help execute the necessary quality system remediation and training on the other side of the assessment.
Get in touch with us to learn more and start the conversation.
Who is The FDA Group?
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.
With over 2,500 resources worldwide, over 225 of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee.