FDA's proposed rule to align the QSR to 13485?

  • 2 March 2022
  • 5 replies


FDA released a proposed rule to change the current Quality System Regulation (QSR) to align with the ISO 13485:2016 standard.

How is this going to impact companies in the U.S., or companies only focused on the U.S. market who have not gone through the ISO 13485 certification process?

I’m curious to hear the potential positives and negatives of this proposed change.

5 replies


I’ll be providing an overview of the proposed rule at TrueQuality 2022 in San Diego this June.  I, too, would love to hear your biggest concerns, questions, and comments.  What are your thoughts on the one year transition period?  How difficult do you see the transition to (mostly) ISO 13485 compliance in your company?  What are your thoughts on the terminology clarifications and the additional requirements regarding document control, packaging, labeling, etc.?  What do you think about the DHF, DMR, and DHR going away?

In addition to the discussion on this forum, I will also make sure the big questions you mention here are addressed during the TrueQuality event.

Looking forward to your thoughts and to meeting many of you in San Diego in a couple of months.



As a contributor to our discussion, attached is a white paper I co-authored, which summarizes the proposed rule and discusses its impact on industry.



Hey Eric,


This harmonization to ISO 13485 is welcome and long overdue, but what are your feelings about the latest FDA premarket guidance on cybersecurity and its external referenced “standards”?

Specifically, the FDA references many “consensus standards”, but few “real standards” (as issued by regulatory bodies).  I was hoping to see some harmonization with IEC 62443-4-1 and IEC 81001-5-1, but they were not even mentioned.  Thanks.



Great to hear from you.  I’ve actually been spending quite a bit of time on the draft premarket cybersecurity guidance and will have a co-authored white paper on that coming out soon.  I’m sure you have tons of thoughts on it, given that this is your area of expertise (and world class expertise it is).

In terms of the lack of reference to other standards, that is not surprising.  FDA has a database that lists its recognized consensus standards:  Recognized Consensus Standards (fda.gov)

Any standard not on this list will likely not be referenced in an FDA guidance because FDA has not established that it supports U.S. regulatory requirements.

IEC 62443-4-1 (Security For Industrial Automation And Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements) is recognized as of June 2021, and it is indeed referenced five times in the draft guidance.  I think the draft guidance does seek harmonization with this standard and makes note of its requirements when discussing the Secure Product Development Framework (SPDF), design inputs generation under security architecture, and cybersecurity testing.

Frankly, I’m a bigger fan of IEC 81001-5-1 (Health software and health IT systems safety, effectiveness and security - Part 5-1: Security – Activities in the product life cycle) because of how closely it ties to IEC 62304 (Medical device software – Software life cycle processes), with which many SiMD (Software in a Medical Device) and SaMD (Software as a Medical Device) manufacturers comply and which is also a recognized consensus standard by FDA.  I can provide a summary white paper of this standard that I authored if anyone is interested.

I believe IEC 81001-5-1 is not yet recognized by FDA because it is so new, having been released December 2021.  I do, however, expect that recognition by FDA is imminent, given its close ties to 62304.

Happy to discuss further, and thanks for bringing up this crucial parallel topic to the QMSR.


Yeah, I am up to 61 items to send back as feedback on this new guidance!  This would make a good panel discussion for Greenlight Guru...