
Quality Grind Podcast
Welcome to The Quality Grind Podcast, presented by Medvacon! Join hosts Joe Toscano, President of Medvacon, and Mike Kent, Director of Learning Platforms, as they (we) have some fun while tackling topics related to the “everyday grind” within Life Science industries.
Featuring conversations with key industry players, they’ll dive into their unique problem-solving strategies, career paths and personal interests. Most importantly, their (our) goal is to cultivate a community where information and experiences can be shared with and for the benefit of all, emphasizing the diversity of approaches to industry challenges and the importance of continuous engagement and learning.
Impact of Adopting ISO 13485 in New QMSR for Medical Devices, Part 1
In this episode of the Quality Grind Podcast, presented by Medvacon, Mike Kent welcomes Armin Beck, a consultant in the medical device field, to discuss FDA's recent adoption of ISO 13485 as part of its amended Quality Management System Regulation. This change, effective February 2, 2026, reinforces the FDA’s focus on harmonizing US regulations with global standards. The conversation covers the implications for medical device companies, including the expansion of FDA access to audit reports and Quality Management Review records, as well as potential new agency inspection and oversight tactics. The episode also highlights the importance of Risk Management under ISO 13485 and how organizations can adapt to these new requirements. Tune in to learn the steps your company can take to navigate these changes effectively.
Contact MEDVACON:
- Message us at @MedvaconLifeSciences on LinkedIn
- Visit our website at www.medvacon.com/contact
- Email us at qualitygrind@medvacon.com
Thanks for listening! Don't forget to follow us @medvacon on all platforms for updates on blogs and podcasts!
Ep 15 Impact of Adopting ISO 13485 in New QMSR for Medical Devices, Part 1
Jessica Taylor: [00:00:00] This is the Quality Grind Podcast presented by Medvacon. Conversations that go beyond compliance. Sharing insights geared toward helping you navigate the everyday grind of regulated life science industries. Here are your hosts, Joe Toscano and Mike Kent.
Mike Kent: Welcome back to The Grind, everyone! Mike Kent flying solo with a special guest today. Armin Beck is a consultant in the medical device field and is here to guide us through the recent adoption of ISO 13485, an international standard, by the Food and Drug Administration as part of their amendment to the Quality System Regulation, which is now, or as of February 2nd, 2026, going to be the Quality Management System Regulation.
So Armin, it's [00:01:00] great to have you here on the Quality Grind Podcast. Welcome sir.
Armin Beck: Mike, thank you so much for inviting me. I'm more than happy to work with you. It's fantastic. I know you guys since many, many years. Always a pleasure working with you. And I'm more than thrilled to join, being part of this one and try to explain what's really going on in this industry.
Mike Kent: Outstanding, and knowing you've got a good handle on not only the US regulations, but I think we'll touch on a little bit as we go through the discussion, the European medical device regulations and how all of this may be coming together for folks and what organizations can expect.
So I think the first thing to start with in our discussion today might be the fact that back in January of 2024, FDA announced that they were amending 21 CFR 820, the Quality System Regulation for medical devices in the U.S. to, among other things, include the [00:02:00] adoption of ISO 13485, which is an international standard, not necessarily a regulation per se. So we're about a year into that post announcement era, and heading towards an effective date of February 2nd, 2026, when the final rule becomes effective. What are some things that people should know about what ISO 13485 is and why the FDA may have made this decision to adopt that standard as part of the regulation?
Armin Beck: So, I mean, the FDA is trying since many, many years to harmonize the US regulation with worldwide regulation. You had the MDSAP program. In my opinion, it was a failure from the beginning. I mean, it was costly. A lot of companies didn't try to do this. And in the end effect only Canada requires this [00:03:00] MDSAP program for devices class two or higher.
So the FDA had a voluntary program where companies can report or send in their audit reports from 13485 so that the FDA can harmonize their inspection techniques.
The FDA is moving forward now by adopting the 13485. In general, it, it's a great thing. I mean, I believe worldwide we need a harmonized quality system where every country in the world works under the same guidelines, under the same directions. In general, the FDA did a good thing by trying to harmonize with the world.
Mike Kent: So we're giving the regulatory agency a bit of credit here for doing a really good thing. And I'm right there with you. I remember when I first cut my teeth in this industry developing a drug device combination product. And one of our first exercises was sitting down with five or six different sets of [00:04:00] regulations, because we wanted to market it all over the globe and saying, okay, what does 21 CFR 820 say we need to do? Okay, what does the European medical device regulations say we need to do? What are the ISO standards? What are the ICH? And we put all of this on a huge grid and it was literally months of work where we dove in trying to tease all of this stuff out. So anything that gets us closer to in our obviously now very global environment and global market to something that is more simple to understand, more straightforward, more harmonized, is a great thing.
Armin Beck: You're absolutely right. And I mean, when you're looking at a pharmaceutical industry with combination product it's a totally different ballgame. You have a pharmaceutical, you have medical devices. Most pharmaceutical companies do not understand medical devices.
And there is actually comes one of my biggest [00:05:00] disappointments with the FDA. This is 13485. It's a great standard. I mean, it's really thoughtful design, but the FDA does not adopt the 13485 for the pharmaceutical, or for the combination product industry. They still stay with this four elements and they're missing everything. That means they don't have to do design control. They don't have to do a real management review. I don't know why the FDA doesn't want to change or want to touch the pharmaceutical industry. I mean, it could be so simple. We have the 13485, it's crystal clear forward. Let's apply it to the entire life science industry.
Why not? Why actually now exempt certain industries from a normal, simple standard where everybody can comply to?
Mike Kent: And really, that's been the question all along through my career, as well. The medical device industry always seemed to be further ahead in terms of focusing on systems and processes rather than individual [00:06:00] elements.
And so, I think it's only a matter of time before the pharma industry ultimately ends up under the scope of a more systems-based oversight process.
Let's jump into what this could potentially mean when the amended QMSR now comes into play. One of the things that I know we've talked about in our pre show prep and identified that we wanted to cover first is FDA, with the adoption of 13485, will now have access to some additional information and additional records. And this is going to be a really big deal. What sort of records are FDA going to now have access to that companies may be wanting to be aware of?
Armin Beck: So with this new regulation, with the adoption of the 13485, the FDA has the right to look at your audit report, which means [00:07:00] internal, external, supplier audits, as well as management review. It doesn't seem to be a big, big issue. But when you're really looking deeper, especially as a management review meeting, where you report to your executive management the status of your quality management system, where you're addressing issues, where you report CAPAs.
So now the FDA can look at it's a, well, let's say it's this way. Before the FDA was allowed to review CAPAs, but had no idea what is going on in your company outside of this record. Now the FDA can actually see, oh, you have the issue here. You should have opened the CAPA. You should have done this.
And that is where people are getting scared because now is this system really robust to withstand an FDA audit? Because now it's not, "Oh, I show a record and I'm fine. I made this record perfectly. The FDA can see it." Now the FDA say, well, you should have done much more. And this is the biggest issue that company is having, really going in their [00:08:00] CAPA system, going in the complaint system, the non-conformity system, bringing this together and try to make an FDA compliance from a point of view that the FDA can just assume that you have to do something. And this is always the problem with these records, if the FDA, if you don't have anything, the FDA cannot complain.
Mike Kent: Yeah. And for years, we've had this kind of inner shield that those documents were off limits. We knew that. And the basic premise there, as I understand it was, all right, FDA says, we're not going to look at these records because we don't want you keeping things out of them. We want you to do a really good job of doing your internal audits, doing your external audits, following up on things. That now expands to Quality Management Review records. We want you to be able to have those conversations and document things without the [00:09:00] fear of us coming in and taking a look at it. And now we've got all of your dirty laundry right in front of us.
Armin Beck: Right!
Mike Kent: So I understand the premise. Now it seems that premise has been withdrawn. Okay, now, to your point, if I'm understanding you correctly, now FDA can start there and say, all right, what are the general issues and did you follow up on these issues in a timely manner? Did you do everything that you should have known to do or could have done in order to address them fully, or did you give them lip service? Did you talk about them? Did you show a dashboard at your QMR? Everybody signs off on it. Nobody does anything for three months, which is obviously not what we want to have happen. That sounds like a really big deal. Am I capturing that new [00:10:00] paradigm accurately?
Armin Beck: Yes, pretty much. So, I believe in CAPAs, I love CAPAs. Most companies I know they don't, because they think a CAPA is too much work, it takes too much time, it needs these resources. But when you're seeing CAPA as a tool to improve your system, it's fantastic. And the FDA see it from the same way. The FDA say, well, a CAPA it's not a bad thing. It's a good thing because you have identified a non conformity, a non compliance. You want to fix a system. It's a good thing. And CAPA helps you to document this.
And a lot of, I know, I mean, we all know this in the industry, companies avoiding CAPAs. It's a devil. I don't want to do this. It's accountability, it's responsibility, and with 13485, you cannot avoid it anymore. That's why I think it's a really good thing. And I think the FDA should go to companies and really figure it out, what are you doing in your system, what you should do.
So it's the opposite. It's fantastic. And [00:11:00] companies needs to understand this and they need to figure it out right now. I mean, they have a year time or less than a year time to implement. What can they do to improve their CAPA system? And that's the key. And they need help with this. I mean, they need resources to do this. And that's, and yeah, it may cost money, I get it, take some resources, but in a couple of years, you'll see the benefits of this one.
Mike Kent: With that investment, comes the improvements in not only the removal and mitigation of issues, but also you further refine and improve your process for handling those sorts of things.
One of the things that I find an awful lot when I go into organizations to help with their CAPA systems or their audit systems is there tends to be a genuine, and I'm still not sure where it comes from, but it's palpable, a fear of we can't let FDA know we have [00:12:00] problems. Because if they know that we have problems, then we're under the gun. So there's an awful lot of energy, I think, in a lot of spheres, not everyone, but in a lot of organizations where so much energy is put into, "Well, let's make sure that we appear that we don't have issues." And I'm not saying people are trying to hide things intentionally. That's not what I mean here, let me be very clear. What I'm saying is, is that people get really anxious about, "Oh my gosh, we've got all of these things and they all point towards one or two key systems that we just can't seem to crack." And they have a lot of anxiety around that.
And I was thinking about this the other day while I was prepping for the show and thinking about conversations I used to have with my dad. Of all people in the world, right? You know, I would screw up, and like, I can't tell him. He's going to get mad at [00:13:00] me and he's going to yell at me and I may get grounded and I may not have access to the car for a week. And you know, what always came down from my dad was, look, I know you're going to screw up. You're a teenager. You're in your twenties. You're in your thirties. You're going to screw up. And I remember he would always say, it's not about what happened. It's about how you respond to what happens and what you do next to make sure that it doesn't happen again.
Now, I've thought long and hard over this for decades. Is it really that simple in that we as an industry, we as an organization, we as a Quality department or an Operations department or whatever, just need to get over the fact that things are going to go wrong. They're going to go wrong. So let's put all of our energy into having a system that helps us deal [00:14:00] with what goes wrong in a way that we can address it fully, not be shamed or scared of anybody else knowing, and then focus our efforts on preventing it from happening again. Am I oversimplifying this or do parents really have this figured out?
Armin Beck: I 100 percent agree and I'm the same way. I mean, I still screw up in my forties, fifties, sixties, that's human nature. So the thing is, part of this human nature is also to accept I'm screwing up, I'm not perfect and I need help. And a lot of humans cannot do this. They are so scared about when they're screwing up. They try to hide their mistake because nobody want to be ashamed. Nobody want to be blamed.
And this is also what we have in the industry. I mean, you're doing your job. You get paid. There's always a fear. You have to support your family. What is when I screw up really heavily, do I still have my job? All of these factors come together. I mean, I always believe a [00:15:00] Quality Management System works like with input and outputs. That's what human life is.
So long humans are involved, there will be a mistake. And let's focus on this. How can we help? Help the people not making more mistakes, making the system better, making this better. And this is why I believe a CAPA is a fantastic thing because you're going actually to the root cause. You really try to figure out what is actually the problem. Why did we make the mistake? And when you adopt this philosophy, why did we mistake? How can we avoid this in the future? Yeah, you invest time, you invest resources, but if this mistake happens 5,000 times a year and you try to invest one time to eliminate this, overall, you're saving resources, you're saving the world, you're saving money, and I don't know what it is with a lot of people, and I also from a consulting, you go in companies, everybody tries to avoid it, instead of saying, yeah we have a problem, let's fix it.
Mike Kent: There's always time to [00:16:00] fix it later, but you know, that gets filled pretty quickly.
Armin Beck: Yeah.
Mike Kent: When I go to conferences and I have the opportunity to meet with former FDA investigators or even current FDA investigators at some conferences, I always try and ask, if you walk into a place and you see all sorts of issues, and maybe Company A does their best to try and mitigate, does a really good investigation or does what they think is a really good investigation and they're obviously trying to get out in front of it. They're having some success, et cetera, but they're documenting all of this. They're getting it down in their record. Nothing is behind closed doors. It's all out there for anybody to see.
And then Company B, you know they have problems because the symptoms of those are out there in the marketplace, but there's not a lot of [00:17:00] records. There's not a lot of documentation. There's not a lot of internal evidence to suggest that they're going about doing really good investigations or that they're trying to fix the problem at a systemic level. I don't think I've ever had an investigator or a former investigator tell me that they aren't going to give the company who's trying to do things the right way a little bit more benefit of the doubt and some more coaching and some more help than the company who isn't going about doing all of that due diligence and really trying to fix the problem and really invest the resources, time and energy. They're going to think more favorably on that organization in terms of GMP mindset, quality mindset. So, I'm going to be more of a coach in this environment than a hardcore investigator. Has that been your experience?
Armin Beck: You're absolutely right. [00:18:00] You need to think it this way, I mean, the FDA inspectors or Notified Body inspectors, they are humans. If they come in a company and everything is open, the company want to work with them, they are much more relaxed. They are much more eager to help you. If they go in a company where everybody is hiding something, they get suspicious. And I do the same way. If I'm auditing companies for any reason, like supplier audits, and somebody tried to hide everything, I get frustrated. I get suspicious. And I'm at one time, I don't want to help them anymore. It doesn't matter for anymore. I going strict what they writing. I write them up and I'm done.
The FDA inspectors are not the devil. They are there to help you.
Mike Kent: So while this could be viewed as a reason to panic, I think both what you and I are saying here is that getting past that fear, this is actually going to be a really good thing for organizations to spur continuous improvement through their quality systems.
So [00:19:00] big announcement, at least initially, is those internal and external audit reports, your QMR records are now going to be accessible for FDA. Organizations are going to want to take a look and plan for that. Be transparent and say, this is where we're at. Show them that you're making those efforts.
One of the other main elements, Armin, with the new Quality Management System Regulation, is ISO 13485 includes requirements for Risk Management. And this is one of those terms all across life sciences, but in the medical device field, risk management seems like most things to be a little bit more ahead of the game. Do organizations really have a good understanding on how to do quality risk management? Guidances have been out there like ICH Q9. Walk us through where you see the focus on Risk Management with ISO 13485? [00:20:00] What impact is that going to have on medical device companies going forward when the rule takes effect?
Armin Beck: Most companies, I mean, let's see about Risk Management. Everybody knows the Risk Management on 14971 and 24971. And, it is, it's a great standard, but it's only for design and development, for the actual device. And a quality management system is more than just the device. And the 13485 require risk management for everything.
Let's see, one of my favorite topic is supplier management. Although the FDA doesn't really say you have to do a supplier risk management, everybody do like, I go do a supplier audit. Do they have this cert, do they have that cert, and I'm done. But if you're really looking deeper in supplier management, this makes huge difference.
Let's say you have a single source supplier. This single source supplier is located in Malaysia, Kuala Lumpur next to the airport. Now you have the single, the same single source supplier, [00:21:00] 10 miles away from your company, somewhere in California, there are no fires, there is no earthquake, there's nothing. Perfect.
What is the risk of the suppliers? There is where your risk management comes in. So now you have to evaluate it actually based on this fact, where the location of the suppliers, who it is, how can you come up with some recovery plan? And this is what ISO requires. And this is the thing that a lot of people don't doing. They classify something, they're mixing everybody up. They try to have one risk management for everything, and you cannot. If you really look at this one on my, with my example, every supplier needs to be evaluated with a different risk.
Mike Kent: Based on what they're supplying, how they're supplying it, what their track records are, and the risks associated with that organization unto itself. And where are they getting their materials? You're talking about supply chain. It doesn't end with your supplier.
Armin Beck: It doesn't.
Mike Kent: It's all of their, all of their suppliers, etc. Yeah. So risk management then becomes very, very [00:22:00] complicated.
Armin Beck: It is complicated, yes.
Mike Kent: I've likened and heard that risk management can come down to asking a few fundamental questions. What could go wrong? How big of a deal is it if it goes wrong? Will we know if it's gone wrong? And how can we prevent it from going wrong?
Armin Beck: Exactly.
Mike Kent: A very simplistic view of risk management, but is that a good starting place for organizations to have the discussion? To also overcome this factor of intimidation that comes up with, Oh, my gosh, I've got to have piles of documentation and hours and days and months worth of people's time to do this. How do we get over that initial hump to say, okay, we're going to have to do risk management. We're going to have to do it better. How can organizations start that process?
Armin Beck: You, you nailed it down. It's comes to a simple [00:23:00] question and we have to be reasonable and we have to have common sense. The question with every single thing, like when I talk about supplier, it's what can go wrong and what is the impact on my company? I'm done. It's all what I need to figure it out. Every supplier, every product is different. So I need to really do it case by case. And it might be a lot of work, but in the long run, it would help because it's usually you want to sell your product. If a supplier doesn't supply their components, you cannot sell.
Mike Kent: Yeah. And a lot of the training that we do here at Medvacon, when we focus on risk management, we try and keep things simple to the standpoint of these are the concepts you want to focus on rather than getting so involved or overwhelmed by, well, I've got to have this mountain of documentation, or I've got to use this huge, laborious tool here. You can simplify things with regard to the [00:24:00] concepts.
One of the things that I think is really important for us to understand and for our audience to understand is that this is another move from the FDA towards harmonizing. Globally, there's much more focus on risk management, Quality Risk Management and assessments up front. I think we could go into a lot of reasons why that is, but at the end of the day, this is the U.S. catching up and saying, all right, we're going to put a little bit more emphasis on this because organizations in the United States have been a bit slower on the uptake, especially in the pharma industry, but even in the med device industry. So we're going to sprinkle these things in where we can to make sure that organizations understand that these are absolutely important concepts that need to be a part of not only the development process, but your ongoing operations every day.
[00:25:00] To recap our discussion with Armin to this point, 21 CFR 820, the US Medical Device Quality System Regulation, has been amended. The new regulation, now called the Quality Management System Regulation, takes effect on February 2nd, 2026. One of the major updates is FDA's adoption of the international standard ISO 13485, which on the surface is not a major change, but there are some important and impactful changes that medical device firms should be evaluating right away.
Under ISO 13485, FDA will have access to your internal and external audit reports, as well as your Quality Management Review records. And ISO 13485 focuses heavily on Risk Management, meaning firms will have to assess and potentially shore up their systems for identifying, assessing, and mitigating risks. [00:26:00]
Part two of our chat with Armin Beck will describe the impact of the amended regulation on FDA inspection and oversight practices, as well as the need for more active and direct participation from executive management in both the assessment process and ongoing oversight of their firm's compliance gaps and mitigation activities.
We hope you'll join us for that and more next time here on The Grind.
Joe Toscano: If Medvacon can help you and your organization, we're happy to do so. We specialize in the following areas: Quality and Compliance, Validation and Qualification Services, Project Management, Tech Transfers, General and Specialized Training Programs, Engineering Services, and Talent Acquisition.
If you have general questions as well, feel free to give us a call at any time. We can easily be reached at 833 633 8226 or via our website at www.medvacon.com. Thanks so [00:27:00] much, and we look forward to speaking with you!
Jessica Taylor: Thank you for listening to the Quality Grind Podcast presented by Medvacon. To learn more or to hear additional episodes, visit us at www.Medvacon.com.