§170.315(g)(4) Quality management system
§ 170.315 (g)(4) Quality management system—
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- The QMS used is established by the Federal government or a standards developing organization.
- The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).
- When a single QMS was used for applicable capabilities, it would only need to be identified once.
- When different QMS were applied to specific capabilities, each QMS applied would need to be identified.
None
Additional Resources
Recognized list of Federal Government or Standards Development Organization (SDO) established QMSes:
ISO 9001: ISO 9000 - Quality management
ISO 14971: ISO 14971:2019 Medical devices -- Application of risk management to medical devices
ISO 13485: ISO 13485:2016 Medical devices -- Quality management systems -- Requirements for regulatory purposes
IEC 62304: IEC 62304:2006 Medical device software -- Software life cycle processes
Design and Performance: This certification criterion was adopted at § 170.315(g)(4), and is required for all developers seeking certification to any certification criteria.
| Version # | Description of Change | Version Date |
|---|---|---|
| 1.0 |
Initial publication |
03-11-2024
|
- Regulation Text
-
Regulation Text
§ 170.315 (g)(4) Quality management system—
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- The QMS used is established by the Federal government or a standards developing organization.
- The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).
- When a single QMS was used for applicable capabilities, it would only need to be identified once.
- When different QMS were applied to specific capabilities, each QMS applied would need to be identified.
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- Standard(s) Referenced
-
None
Additional Resources
Recognized list of Federal Government or Standards Development Organization (SDO) established QMSes:
ISO 9001: ISO 9000 - Quality management
ISO 14971: ISO 14971:2019 Medical devices -- Application of risk management to medical devices
ISO 13485: ISO 13485:2016 Medical devices -- Quality management systems -- Requirements for regulatory purposes
IEC 62304: IEC 62304:2006 Medical device software -- Software life cycle processes
- Certification Dependencies
-
Design and Performance: This certification criterion was adopted at § 170.315(g)(4), and is required for all developers seeking certification to any certification criteria.
- Revision History
-
Version # Description of Change Version Date 1.0 Initial publication
03-11-2024
This Test Procedure illustrates the test steps required to certify a Health IT Module to this criterion. Please consult the most recent ONC Final Rule on the Certification Regulations page for a detailed description of the certification criterion with which these testing steps are associated. ONC also encourages developers to consult the Certification Companion Guide in tandem with the test procedure as it provides clarifications that may be useful for product development and testing.
Note: The test step order does not necessarily prescribe the order in which the tests should take place.
Testing components
Paragraphs (g)(4)(i)(A)–(B) (Alternative)
- The health IT developer identifies the QMS used in the development, testing, implementation, and maintenance for all criteria, for which certification is being sought, from among one of the recognized federal government or SDO established QMSes, including, but not limited to: 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.
- The health IT developer illustrates how their QMS maps to one or more recognized federal government or SDO established QMSes through documentation and explanation linking the components of their QMS to an established QMS, identifying any gaps.
- The tester verifies the QMS used is one of those that have been established by the federal government or an SDO, including, but not limited to: FDA’s quality system regulation in 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.
- The tester verifies the QMS is mapped to one or more of the standards established by the federal government or an SDO. The tester verifies that any identified gaps have been documented and explained.
Testing must be conducted for one of the Alternatives outlined below to satisfy the requirements for this criterion.
| System Under Test | Test Lab Verification |
|---|---|
|
|
Paragraph (g)(4)(ii) (Alternative)
The health IT developer identifies the single QMS used for all criteria for which they are seeking certification.
The tester verifies the QMS identified is used for all criteria for which the health IT developer is seeking certification.
| System Under Test | Test Lab Verification |
|---|---|
|
The health IT developer identifies the single QMS used for all criteria for which they are seeking certification. |
The tester verifies the QMS identified is used for all criteria for which the health IT developer is seeking certification. |
Paragraph (g)(4)(iii) (Alternative)
The health IT developer identifies each QMS applied to the specific corresponding criteria, for which certification is being sought.
The tester verifies each QMS applied to a specific criterion for which certification is being sought, is identified.
| System Under Test | Test Lab Verification |
|---|---|
|
The health IT developer identifies each QMS applied to the specific corresponding criteria, for which certification is being sought. |
The tester verifies each QMS applied to a specific criterion for which certification is being sought, is identified. |
§ 170.315 (g)(4) Quality management system—
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- The QMS used is established by the Federal government or a standards developing organization.
- The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).
- When a single QMS was used for applicable capabilities, it would only need to be identified once.
- When different QMS were applied to specific capabilities, each QMS applied would need to be identified.
None
Additional Resources
Recognized list of Federal Government or Standards Development Organization (SDO) established QMSes:
ISO 9001: ISO 9000 - Quality management
ISO 14971: ISO 14971:2019 Medical devices -- Application of risk management to medical devices
ISO 13485: ISO 13485:2016 Medical devices -- Quality management systems -- Requirements for regulatory purposes
IEC 62304: IEC 62304:2006 Medical device software -- Software life cycle processes
Design and Performance: This certification criterion was adopted at § 170.315(g)(4), and is required for all developers seeking certification to any certification criteria.
| Version # | Description of Change | Version Date |
|---|---|---|
| 1.0 |
Initial publication |
03-11-2024
|
- Regulation Text
-
Regulation Text
§ 170.315 (g)(4) Quality management system—
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- The QMS used is established by the Federal government or a standards developing organization.
- The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).
- When a single QMS was used for applicable capabilities, it would only need to be identified once.
- When different QMS were applied to specific capabilities, each QMS applied would need to be identified.
- For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
- Standard(s) Referenced
-
None
Additional Resources
Recognized list of Federal Government or Standards Development Organization (SDO) established QMSes:
ISO 9001: ISO 9000 - Quality management
ISO 14971: ISO 14971:2019 Medical devices -- Application of risk management to medical devices
ISO 13485: ISO 13485:2016 Medical devices -- Quality management systems -- Requirements for regulatory purposes
IEC 62304: IEC 62304:2006 Medical device software -- Software life cycle processes
- Certification Dependencies
-
Design and Performance: This certification criterion was adopted at § 170.315(g)(4), and is required for all developers seeking certification to any certification criteria.
- Revision History
-
Version # Description of Change Version Date 1.0 Initial publication
03-11-2024
Certification Companion Guide: Quality management system
This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product certification. The CCG is not a substitute for the requirements outlined in regulation and related ONC final rules. It extracts key portions of ONC final rules’ preambles and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the Certification Regulations page for links to all final rules or consult other regulatory references as noted. The CCG is for public use and should not be sold or redistributed.
The below table outlines whether this criterion has additional Maintenance of Certification dependencies, update requirements and/or eligibility for standards updates via SVAP. Review the Certification Dependencies and Required Update Deadline drop-downs above if this table indicates “yes” for any field.
| Base EHR Definition | Real World Testing | Insights Condition | SVAP | Requires Updates |
|---|---|---|---|---|
| Not Included | No | No | No | No |
Applies to entire criterion
Clarifications:
- There is no standard required for this certification criterion.
- All Health IT Modules must be certified to the QMS criterion.
- This criterion is applicable to self-developed and open source software as well.
- The focus and intent of the criterion is the identification of the QMS used, not a determination of compliance by the ONC Authorized Certification Body (ONC-ACB) with the identified QMS. [see also 80 FR 62673]
|
Clarifications:
|
Paragraph (g)(4)(i) Using QMS
Technical outcome – The specific QMS used in the development, testing, implementation and maintenance for each criteria/capability that certification is being sought must be identified.
Clarifications:
- The QMS must be established by the federal government or an SDO; or mapped to one or more quality management systems established by the federal government or SDO(s). [see also 80 FR 62672]
- The "implementation" aspects of QMS requirements would be expected to include and address integrating with relevant capabilities such as software relied upon for certification.
|
Technical outcome – The specific QMS used in the development, testing, implementation and maintenance for each criteria/capability that certification is being sought must be identified. Clarifications:
|
Paragraph (g)(4)(i)(A) Federal government or SDO QMS
Technical outcome – Identify the specific QMS used that was established by the federal government or an SDO.
Clarifications:
- Potential QMS standards as suggested in ONC’s rules [see also 80 FR 62672, 80 FR 16858, 77 FR 54190]:
- FDA's quality system regulation in 21 CFR part 820, so long as the developer cites their compliance with FDA's Quality System regulations for certification
- ISO 9001
- ISO 14971
- ISO 13485
- IEC 62304
- ISO 12207
- IEEE 730
- IEEE 1012
- ISO 14764
- ISO 80001
|
Technical outcome – Identify the specific QMS used that was established by the federal government or an SDO. Clarifications:
|
Paragraph (g)(4)(i)(B) Map QMS
Technical outcome – If not using a specific federal government or SDO established QMS, the developer must map the QMS to one or more specific federal government or SDO established QMS.
Clarifications:
- For non-federal government or non-SDO QMS methods, such as a modified version of an established QMS, a “home grown” QMS, agile development or other method, the QMS/method must be mapped to one or more specific federal government or SDO established QMS(es). [see also 80 FR 62672-62673] The mapping must be done through documentation and explanation that links the components of their QMS/method to an established QMS and identifies any gaps in their QMS as compared to an established QMS. [see also 80 FR 62672]
- There is no expectation that there will be detailed documentation of historical QMS or its absence. The documentation of the current status of the health IT development organization will suffice. [see also 80 FR 16858]
|
Technical outcome – If not using a specific federal government or SDO established QMS, the developer must map the QMS to one or more specific federal government or SDO established QMS. Clarifications:
|
Paragraph (g)(4)(ii) Single QMS
Technical outcome – If a single QMS was used for all applicable capabilities/criteria for which certification is being sought, it would only need to be identified once.
Clarifications:
- In the case where the whole development organization uses the same QMS across all teams, then this certification criterion may be met with one report. [see also 77 FR 54191]
|
Technical outcome – If a single QMS was used for all applicable capabilities/criteria for which certification is being sought, it would only need to be identified once. Clarifications:
|
Paragraph (g)(4)(iii) Different QMS
Technical outcome – If different QMS were applied to specific capabilities/criteria, each QMS applied would need to be identified for the respective capability/criteria.
Clarifications:
- Where there is variability across teams working on different functional components of the health IT, the health IT developer will need to indicate the individual QMS followed for the applicable certification criteria for which the technology is submitted for certification. [see also 77 FR 54191]
|
Technical outcome – If different QMS were applied to specific capabilities/criteria, each QMS applied would need to be identified for the respective capability/criteria. Clarifications:
|