1 January 1970

FDA's QSR to ISO 13485:2016: Key Areas to Focus On for Alignment

At a glance
  • Upcoming FDA QMSR Alignment: Firms are preparing for the FDA Quality Management System Regulation (QMSR) to harmonize with ISO 13485:2016, necessitating changes in their quality systems.
  • Documentation and Management Commitment: ISO 13485:2016 demands more extensive documentation and clear evidence of management’s active involvement in the Quality Management System, compared to FDA QSR.
  • Risk Management and Design Controls: ISO standards require an ongoing, comprehensive risk management process and detailed design and development controls throughout the product lifecycle.
  • Supplier Management and Customer Focus: Enhanced focus on systematic supplier management and formalized processes for customer feedback and satisfaction under ISO 13485:2016.
  • Continual Improvement and Training: ISO 13485:2016 emphasizes structured continual improvement processes and detailed training requirements, surpassing the expectations of FDA QSR.

With the forthcoming FDA Quality Management System Regulation (QMSR) which is set to harmonize FDA's Quality System Regulation (QSR) with the ISO 13485:2016 standards, we're hearing from many device and medtech firms about plans to harmonize their own quality systems accordingly.

Having condicted many gap anaylssis and remediartion projects to bring firms into alignment with ISO 13485:2016, we wrote this guide to give a high-level dissection of the  differences between the current QSR and ISO 13485:2016, highlighting the gaps we often spot and offering specific recommendations to bridge them.

Understanding these nuances is crucial for firms looking to not only comply with the current FDA's Quality System Regulation (QSR) but also to align with the ISO 13485:2016 standards, thereby enhancing their global market presence and ensuring adherence to the highest quality standards.

Need to align with ISO 13485:2016? Get in touch.

We've helped many firms align with ISO 13485:2016 standards. We offer a comprehensive suite of services, from initial gap analysis to full implementation and ongoing support, tailored to help your firm align with ISO 13485:2016 standards effectively and efficiently. Their expertise can be invaluable in navigating the complexities of regulatory compliance and quality management system optimization.

Contact us to share your goals, learn more about our QSR/ISO compliance services.

1. Documentation and Record Keeping (Clause 4.2)

FDA QSR focuses on essential documentation, such as device master records and device history records, with an emphasis on maintaining records for specific periods.

ISO 13485:2016 requires more extensive documentation, including a Quality Manual, detailed procedures, and documentation for all QMS processes. It also emphasizes document control and record retention.

A few specific gaps we see here include:

  • Existing documentation does not cover all the processes as extensively as ISO 13485 requires. For instance, the process for controlling records is often discovered to be less stringent than what ISO 13485 mandates.
  • Lack of a documented procedure for the timely review, update, and approval of all changes to critical documents.
  • Insufficient control over external documents (e.g., standards, customer specifications) that are relevant to the QMS.

Key questions:

  • Do we have a comprehensive list of all QMS documents required by ISO 13485:2016?
  • Are document control procedures in place for approval, review, updating, and distribution of documents?
  • How are records maintained, and do they meet the retention and accessibility requirements of ISO 13485?

We recommend creating a comprehensive list of all required documents and records as per ISO 13485 and establishing a controlled documentation system. Also, implementing a document management software system is crucial to ensure proper control, accessibility, and retention of documents.

2. Management Responsibility (Clause 5)

FDA QSR requires management involvement but is less prescriptive about how this should be demonstrated.

ISO 13485:2016 explicitly requires documented evidence of management’s commitment, including regular (documented) management reviews of the QMS, setting quality objectives, and maintaining customer focus.

A few specific gaps we see here include:

  • Insufficient evidence of top management’s involvement in the QMS. For example, management reviews under FDA QSR might not cover all the inputs and outputs required by ISO 13485, such as monitoring of preventive and corrective actions.
  • Insufficient communication processes regarding the effectiveness of the QMS to all levels of the organization.

Key questions:

  • Does top management regularly review the QMS for effectiveness and suitability, and are these reviews documented as per ISO 13485 requirements?
  • Are quality objectives set, measured, and aligned with the quality policy?
  • How does management ensure that customer requirements and regulatory obligations are met?

We recommend scheduling regular and documented management review meetings, explicitly focusing on the QMS's effectiveness and improvement opportunities.
Develop a clear communication strategy to ensure QMS awareness and understanding at all levels of the organization.

3. Risk Management (Clause 7.1)

FDA QSR includes general provisions for risk management but does not integrate it as a continuous process throughout the product lifecycle.

ISO 13485:2016 mandates an ongoing risk management process aligned with ISO 14971, integrated into all stages of the product lifecycle, including post-market surveillance.

A few specific gaps we see here include:

  • Risk management processes limited to certain stages of product development, whereas ISO 13485 requires risk management throughout the product lifecycle, including post-market surveillance.
  • Not integrating risk management into all decision-making processes, including strategic and operational levels.
  • Inadequate or undocumented procedures for risk assessment and mitigation in new or changed processes.

Key questions:

  • Is there a formal risk management process throughout the product lifecycle, including post-market activities?
  • How are risks identified, evaluated, controlled, and monitored, and do these processes comply with ISO 14971?
  • Are risk management activities documented and integrated into the QMS?
We recommend integrating a formal risk management process into all stages of the product lifecycle, compliant with ISO 14971. Train key personnel on risk management principles and ensure documentation of all risk management activities.

4. Design and Development (Clause 7.3)

FDA QSR focuses on ensuring that design controls are in place but is less detailed about specific stages of the design and development process.

ISO 13485:2016 provides detailed requirements for each stage of design and development, including planning, inputs, outputs, review, verification, validation, and control of design changes.

A few specific gaps we see here include:

  • Design validation not including testing under actual or simulated use conditions, which is a requirement of ISO 13485. We also often find that design and development changes aren't as rigorously documented and reviewed as ISO 13485 requires.
  • Inadequate involvement of key stakeholders (e.g., suppliers, customers, end-users) in the design and development process.
  • Insufficient traceability of design changes to customer needs and regulatory requirements.

Key questions:

  • Are design and development processes documented, including stages of design planning, input, output, review, verification, validation, and control of design changes?
  • How are design changes documented and approved?
  • Is there a process for validating designs under actual or simulated use conditions?

We recommend documenting each stage of the design and development process, including design inputs, outputs, verification, validation, and design changes. Involve cross-functional teams, including representatives from quality, engineering, and end-users, in the design and development process.

5. Supplier Management (Clause 7.4)

FDA QSR requires controls over suppliers but does not specify the extent or nature of these controls.

ISO 13485:2016 requires a more systematic approach to supplier management, including criteria for selection, performance monitoring, re-evaluation, and documentation.

A few specific gaps we see here include:

  • Current supplier evaluations might not be as thorough. For example, under FDA QSR, there may not be a formal re-evaluation process for suppliers, whereas ISO 13485 requires ongoing re-assessment based on performance.
  • Lack of a systematic approach to manage and evaluate supplier performance against agreed criteria over time.
  • Absent or inadequate contingency plans for critical suppliers or lack of risk assessment in the supplier selection process.

Key questions:

  • Are supplier evaluation and selection processes documented and aligned with ISO 13485 requirements?
  • Is there a process for ongoing supplier monitoring, re-evaluation, and documentation of their performance?
  • How are supplier-related nonconformities handled?

We recommend developing a supplier evaluation and monitoring program that includes criteria for selection, performance evaluation, and re-evaluation. Implement a supplier quality agreement that clearly defines quality and regulatory responsibilities.

6. Product Realization and Planning (Clause 7.1)

FDA QSR focuses on ensuring that product realization processes meet specified requirements.

ISO 13485:2016 requires detailed planning of product realization processes, aligning them with quality objectives, and documenting each step.

A few specific gaps we see here include:

  • Firms often lack a detailed plan that aligns the product realization processes with quality objectives, or there might be inadequate documentation of such plans.
  • Absent or inadequate processes for updating planning documents as new information about product realization becomes available.
  • Poor alignment between product realization processes and overall strategic objectives of the organization.

Key questions:

  • Are quality objectives defined for each product realization process, and are these processes adequately planned and documented?
  • How do we ensure that product realization processes meet customer and regulatory requirements?
  • Are resources needed for product realization identified, provided, and maintained?

We recommend documenting and regularly reviewing the planning of product realization processes, ensuring alignment with quality objectives. Ensure resource availability (including human, infrastructure, and environment) for effective product realization.

7. Customer Focus and Feedback (Clauses 7.2 and 8.2.1)

FDA QSR requires consideration of customer needs and feedback but is less specific about how this should be managed.

ISO 13485:2016 requires a formal process for gathering, analyzing, and integrating customer feedback into the QMS, emphasizing customer satisfaction and continual improvement.

A few specific gaps we see here include:

  • The current system often doesn't have a formal process for capturing and analyzing customer feedback, including complaints, or using this data to drive improvements in the QMS.
  • Inadequate process for systematically incorporating customer feedback into product design and development.
  • Lack of a formal process for monitoring customer satisfaction trends over time and responding to changes in customer expectations.

Key questions:

  • Is there a formal process for gathering and analyzing customer feedback, including complaints?
  • How is customer feedback integrated into QMS processes for continual improvement?
  • Are there documented procedures for ensuring customer requirements are determined and met?

We recommend implementing a formal process for collecting, analyzing, and incorporating customer feedback into product and process improvement. Develop a methodology for regularly assessing customer satisfaction and responding to customer complaints.

8. Internal Audit (Clause 8.2.4)

FDA QSR requires regular quality audits but is less specific about the methodology, frequency, and documentation.

ISO 13485:2016 specifies detailed requirements for conducting internal audits, including planning, execution, follow-up, and documentation.

A few specific gaps we see here include:

  • Internal audits under FDA QSR aren't as comprehensive as ISO 13485 requires, particularly regarding the audit planning process, execution, and follow-up.
  • Internal audits not covering all aspects of the QMS or being performed at intervals not frequent enough to ensure continuous compliance.
  • Ineffective communication of audit results to relevant management, leading to delayed or inadequate corrective actions.

Key questions:

  • Is there a documented internal audit program that covers all QMS processes and is conducted at planned intervals?
  • How are audit findings documented and communicated to management?
  • Is there a process for follow-up activities, including corrective action implementation and verification?

We recommend establishing a comprehensive internal audit program with a defined frequency, methodology, and documentation process. Make sure audit findings are effectively communicated and followed up with appropriate corrective actions.

9. Continual Improvement (Clause 8.5)

FDA QSR emphasizes the need for corrective and preventive actions but lacks explicit requirements for continuous improvement processes.

ISO 13485:2016 requires a formal, documented process for continual improvement, based on the analysis of data, corrective and preventive actions.

A few specific gaps we see here include:

  • The existing QMS doesn't have a structured approach for continual improvement or has inadequate processes for monitoring and measuring QMS performance.
  • Lack of a structured approach to identify potential areas for improvement through data analysis.
  • Inadequate mechanisms to track the implementation and effectiveness of improvement actions.

Key questions:

  • How is data analyzed to identify areas for improvement in the QMS?
  • Are there documented procedures for implementing corrective and preventive actions?
  • How do we measure the effectiveness of improvements made?

We recommend implementing a structured continual improvement process, utilizing data from various sources (like audits, customer feedback, and process monitoring).

10. Training and Awareness (Clause 6.2)

FDA QSR requires training to ensure employees can competently perform their duties but is less specific about documentation and evaluation of training effectiveness.

ISO 13485:2016 stipulates detailed requirements for competency, training, awareness, and maintaining records of education, training, skills, and experience.

A few specific gaps we see here include:

  • Employees might not have sufficient training or awareness about the ISO 13485 requirements, especially in areas that differ significantly from FDA QSR, such as risk management and design controls.
  • Insufficient training or retraining processes for employees when changes are made to the QMS, products, or processes.
  • Inadequate evaluation of training effectiveness in ensuring competent operation and compliance with QMS requirements.

Key questions:

  • Are training needs identified, and is there a process for providing, documenting, and evaluating the effectiveness of training?
  • How does the company ensure employees are aware of the relevance and importance of their activities and how they contribute to the achievement of quality objectives?
  • Is there a process for maintaining records of education, training, skills, and experience?

We recommend developing a formal training program that includes identification of training needs, delivery of training, and evaluation of its effectiveness. Also, be sure to maintain comprehensive records of all training activities, including attendance and assessments of training effectiveness.

11. Control of Nonconforming Product (Clause 8.3)

FDA QSR requires procedures to control nonconforming product but is less specific about documentation and analysis of such products.

ISO 13485:2016 specifies detailed processes for handling, documenting, and analyzing nonconforming products, and for taking corrective actions.

A few specific gaps we see here include:

  • The process for handling nonconforming products under FDA QSR doesn't include all the steps required by ISO 13485, like determining the need for an advisory notice.
  • Insufficient processes for the timely identification and segregation of nonconforming products to prevent unintended use.
  • Inadequate review of nonconforming product trends to identify systemic issues or the need for corrective action.

Key questions:

  • How are nonconforming products identified, segregated, documented, and dealt with?
  • Is there a process for deciding the disposition of nonconforming products (e.g., rework, reject, accept with concession)?
  • Are data related to nonconformity analyzed to identify causes and take preventive actions?
We recommend closely reviewing your process for handling nonconforming products, including identification, documentation, evaluation, segregation, and disposition. Also, regularly analyzeyour  nonconformity data to identify trends and implement preventive measures.

12. Regulatory Compliance (Clause 7.2.1 and 8.2.1)

FDA QSR focuses on compliance with FDA regulations but does not explicitly require a process for ensuring ongoing regulatory compliance in other markets.

ISO 13485:2016 explicitly requires that the QMS complies with applicable regulatory requirements in all markets where products are sold, and mandates processes to maintain this compliance.

A few specific gaps we see here include:

  • The firm doesn't have processes in place that ensure the QMS conforms to all applicable regulatory requirements in the markets where the products are sold.
  • Inadequate processes for continuously monitoring and implementing changes in regulatory requirements in different markets.
  • Insufficient documentation proving compliance with specific regulatory requirements for each market where products are sold.

Key questions:

  • How does the company ensure the QMS complies with applicable regulatory requirements in all markets where products are sold?
  • Are there processes in place for keeping up-to-date with changing regulatory requirements?
  • How is regulatory compliance monitored and maintained?

We recommend developing a process for staying updated with regulatory requirements in all markets where products are sold and ensure compliance with these regulations. Regularly train employees on relevant regulatory requirements and how they impact their specific roles.

Need to align with ISO 13485:2016? Let's talk.

We've helped many firms align with ISO 13485:2016 standards. We offer a comprehensive suite of services, from initial gap analysis to full implementation and ongoing support, tailored to help your firm align with ISO 13485:2016 standards effectively and efficiently. Their expertise can be invaluable in navigating the complexities of regulatory compliance and quality management system optimization. Use the form below to get the conversation started.

Here's our typtical alignment process:

  • ISO 13485:2016 Gap Analysis and Assessment: We first conduct a comprehensive gap analysis to identify areas where your current practices under FDA QSR differ from ISO 13485:2016 requirements. We review your existing processes, documentation, and quality management systems to pinpoint specific areas needing improvement.
  • Consulting and Advisory Services: Leveraging our deep understanding of both FDA regulations and ISO standards as well as insights gatherd through past alignment projects, we provide tailored advice on how to align your practices with ISO 13485. We'll deliver strategic insights into risk management, design controls, supplier management, and other critical areas where alignment is necessary.
  • Implementation Support: If desired, we can assist in implementing the necessary changes to comply with ISO 13485. This includes revising documentation, improving quality management processes, and ensuring proper training and awareness among staff. We also help set up and integrate new systems and processes, ensuring they are compliant and efficient.
  • Training and Development: We also provide specialized training programs to educate your employees about ISO 13485 requirements, focusing on areas such as risk management, internal auditing, and continual improvement processes. Training engagements can be customized to various levels within the organization, from top management to operational staff.
  • Quality System Overhaul: If needed, we can plan and guide a complete overhaul of your quality systems to ensure full compliance with ISO 13485. This includes developing a comprehensive quality manual, detailed procedures, and effective record-keeping systems. We can also assist in establishing a culture of quality and continual improvement within the organization.
  • Documentation and Record Keeping Assistance: We can assist in setting up and maintaining proper documentation and record-keeping practices that meet ISO 13485 standards. This includes developing procedures for controlling and updating documentation and ensuring accessibility and retention as per the standard.
  • Regulatory Liaison and Support: We also serve as a liaison between your firm and regulatory bodies, facilitating smoother communication and compliance processes. We routinely assist in preparing for external audits and inspections, ensuring that your organization is ready to meet regulatory scrutiny.
  • Ongoing Compliance and Support: We provide ongoing support to ensure that your organization remains compliant with ISO 13485 as regulations evolve and your business grows. We assist in regular internal audits, management reviews, and continuous process improvement initiatives.

Gap Analysis Webinar

Watch the Webinar »

Watch our free webinar to learn more about conducting a thorough gap analysis as well as a step-by-step process for resourcing and implementing remediation afterward.

Submit the form below to contact us about ISO 13485:2016 support. We'll be in touch within one business day.

Topics: FDA Auditing