FDA’s QMSR: 3 Experts Read Draft Rule Comments So You Don’t Have To. Here’s What They Saw

As of 25 May the US Food and Drug Administration has released online 50 stakeholder comments on its draft Quality Management System Regulation. When finalized, the QMSR will replace the agency’s aging Quality System Regulation (QSR).

The QMSR is a result of the FDA’s years-long initiative to harmonize the QSR with international quality systems standard ISO 13485:2016.  (Also see "10 Things You Need To Know About FDA’s Proposed Quality Management System Regulation" - Medtech Insight, 23 Feb, 2022.)

Longtime industry experts spoke with Medtech Insight on 25 May about comments they found particularly interesting or insightful. The experts include Kim Trautman, an ex-FDA official who was the lead author of the QSR in the 1990s; Steve Niedelman, lead quality systems and compliance consultant at the law firm King & Spalding, who worked at the FDA for 34 years in both the Office of Regulatory Affairs and the Center for Devices and Radiological Health; and Dennis Gucciardo, a partner at the law firm Morgan Lewis.

This feature, which is the first of two parts, looks at comments from Cook Group Inc., NuVasive Inc. and the American Society for Quality. (Part two can be found here.)

Comments From Cook Group (Cook Medical)

Posted Online: 24 May

Draft QMSR Says: “Customer” is defined in the rule as “persons or organizations, including users, that could or do receive a product or a service that is intended for or required by this person or organization. A customer can be internal or external to the organization.”

Cook’s Comment Says: “The proposed rule makes the definition much wider than ISO 13485. The reference to ‘internal to the organization’ is exceptionally broad and far beyond the requirements of ISO 13485. While it is a laudable goal to focus on customers internal to an organization, it would create an exceptional amount of paperwork to document compliance with such a requirement, with limited benefit.”

Proposal From Cook: “We suggest deleting the last sentence: ‘A customer can be internal or external to the organization.”

Medtech Expert Weighs In: “Now this is different: ‘A customer can be internal or external to the organization.’ When you go to the ISO definition those two differences are actually just covered in an example in a note. So the ISO definition is pretty much the exact same thing,” says Kim Trautman, who’s currently managing director and VP of consulting firm MEDIcept Inc. “But then it says, ‘Example: consumer, client, end user retailer, receiver of product and servicing.’ And then it says, ‘Note: A customer can be internal or external to the organization.’ So I mean, I know in ISO world that notes aren't enforceable per se, but in definitions, they're giving context. So if the context is the same, why does FDA feel like they have to be so prescriptive?

“Some people I've heard from were concerned about the customers are internal or external to the organization. They shouldn't be because anybody who is using 13485 should already inherently have that, the same way they should be doing internal and external suppliers the same way. So I've seen some of those comments. But I would have to tell you that in the strictest interpretation of 13855, it's already identical.”

Draft QMSR Says: “For the requirements of [ISO 13485] clause 7.4, Purchasing, we expect that when ensuring purchased products conform to requirements, oversight for purchased services are also included.”

Cook’s Comment Says: “ISO 13485 includes a note indicating that ‘services’ can also be considered products under the definition of ‘product,’ but ‘services’ are not included in the QSMR definition. In the preamble to the proposed rule, FDA notes: ‘[C]onsistent with the clarification in [ISO 13485] clause 0.2, which specifies that ‘when the term “‘product’” is used, it can also mean “‘service’”; for the requirements of clause 7.4, Purchasing, we expect that when ensuring purchased products conform to requirements, oversight for purchased services are also included.” However, other types of ‘services’ are included in the current QSR, including current 820.170, Installation, and 820.200, Servicing, and have equivalent section in ISO 13845 (Section 7.5.3, Installation activities and Section 7.5.4, Servicing activities). Thus, the reason for changing the definition is not clear.”

Proposal From Cook: “We propose the following definition of ‘product’: ‘Product means the result of a process and can include components, process agents, in-process devices, finished devices and returned devices. Products can include hardware, software and services.”

Medtech Expert Weighs In: “Cook is making an attempt to give FDA a definition by combining the 13485 definition with the proposed one, or what was the 1996 one,” Trautman says. “So they are in effect broad. But, again, to me, I understand that notes in ISO aren't, quote, mandatory. But in definitions it's different. And if all of that is basically already in 13485, even though it’s in the notes, why do why would we propagate a country-specific definition when inherently the intent is exactly the same?

“I would say you don't need to do a unique definition for ‘product.’ And you are losing out on the opportunity for services to be added by the definition that’s being proposed. So I would say just keep it at 13485 and express in the preamble that the whole definition, including the notes, is the intent for the agency. Cook is giving them an option by making a new definition. So it's going to still be a new country-specific definition that really kind of pushes the two together.”

Comment From NuVasive

Posted Online: 24 May

Draft QMSR Says: “In general, when ISO 13485 refers to documenting evidence we recommend that manufacturers record quantitative data, as appropriate, because such information will assist manufacturers in monitoring the performance of their processes and effectiveness of their process controls.”

NuVasive’s Comment Says: The rule should not call out “quantitative” data only.

Proposal From NuVasive: “Consider replacing ‘record quantitative data’ with ‘record data’ to allow manufacturers to determine the type of data that may be most appropriate (e.g. qualitative versus quantitative).” The company also said that the word “recommend” “leaves too much room for interpretation.”

Medtech Expert Weighs In: “NuVasive is basically bringing up a very good suggestion that the term ‘recommend’ is not defined anywhere in the regulation. And historically the agency has used the words ‘should’ or ‘shall’ – should meaning you may; shall meaning it's absolutely required,” King & Spalding’s Steve Niedelman says.

“So I think the company picked up on a good point there, as well as the fact that the proposal just focuses on manufacturers recording only quantitative data. Certainly manufacturers need to record all sorts of data, not just quantitative data. They need factual data with regard to, for example, MTE – measurement and test equipment – and they need to have manufacturing specifications to assure that they met that. It's not necessarily quantitative, but it's qualitative as well. So I think removing quantitative data, as they're recommending, to allow all data, both qualitative and quantitative, is appropriate.

“And also, you know, the word ‘recommend’ leaves a little bit too much room for interpretation and the agency should stick to their traditional ‘should’ or ‘shall.’ And it's required that they maintain this data. So I think NuVasive picked up just on two simple wordsmithing changes that had a significant impact on the effectiveness of the rule.”

Comment From The Medical Device Division Of The American Society For Quality

Posted Online: 24 May

Draft QMSR Says: The proposed rule does not say if current QSR Sec. 820.180(c), which limits the types of reports FDA investigators can review during an inspection, will be kept in place.

ASQ’s Comment Says: “We would like clarification on whether FDA would have access to internal audits, supplier audits, and management review material as it is permitted under ISO 13485. Today, these documents are off limits to FDA’s inspectors for encouraging manufacturers to improve their quality management systems. We are concerned if this long-standing FDA policy would change after the 21 CFR 820 amendment is finalized.”

Proposal From ASQ: No proposal offered.

Medtech Expert Weighs In: “It will be interesting to see what they do with this piece. Because I do think this is a difference between ISO audits and the fact that, you know, ISO doesn't have this prohibition. And I think it is sort of standard practice to provide this information,” says Morgan Lewis’ Dennis Gucciardo. “And look, I do think it will have a chilling effect. If for some reason companies think that their management review records or internal audit records will be subject to inspection, I think that's a concern.

“I don't know necessarily yet whether this will be a policy change directly that they want to see these records. I highly doubt that. I think this might be good feedback, and they will need to address it. I don't get the sense somehow that somehow FDA is going to open the box. And if you participate in MDSAP [the Medical Device Single Audit Program], this is fair game.

“But I think it's different when you have an FDA investigator versus an MDSAP auditor. And I think companies may feel more comfortable sharing this information with MDSAP auditors because they're not so concerned about the ramifications. Versus if I [show everything] to an FDA investigator, now I'm giving direct information to the government, and they're seeing my internal discussions. And I do think that's different.”