Quality management system

Clarifications:

• There is no standard required for this certification criterion.
• All Health IT Modules must be certified to the QMS criterion.
• This criterion is applicable to self-developed and open source software as well.
• The focus and intent of the criterion is the identification of the QMS used, not a determination of compliance by the ONC Authorized Certification Body (ONC-ACB) with the identified QMS. [see also 80 FR 62673]

Technical outcome – The specific QMS used in the development, testing, implementation and maintenance for each criteria/capability that certification is being sought must be identified.

Clarifications:

• The QMS must be established by the federal government or an SDO; or mapped to one or more quality management systems established by the federal government or SDO(s). [see also 80 FR 62672]
• The "implementation" aspects of QMS requirements would be expected to include and address integrating with relevant capabilities such as software relied upon for certification.

Technical outcome – Identify the specific QMS used that was established by the federal government or an SDO.

Clarifications:

• Potential QMS standards as suggested in ONC’s rules [see also 80 FR 62672, 80 FR 16858, 77 FR 54190]:
  • FDA's quality system regulation in 21 CFR part 820 TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER H--MEDICAL DEVICES PART 820 QUALITY SYSTEM REGULATION, so long as the developer cites their compliance with FDA's Quality System regulations for certification
  • ISO 9001: ISO 9000 - Quality management
  • ISO 14971: ISO 14971:2019 Medical devices -- Application of risk management to medical devices
  • ISO 13485: ISO 13485:2016 Medical devices -- Quality management systems -- Requirements for regulatory purposes
  • IEC 62304: IEC 62304:2006 Medical device software -- Software life cycle processes
  • ISO 12207
  • IEEE 730
  • IEEE 1012
  • ISO 14764
  • ISO 80001

Technical outcome – If not using a specific federal government or SDO established QMS, the developer must map the QMS to one or more specific federal government or SDO established QMS.

Clarifications:

• For non-federal government or non-SDO QMS methods, such as a modified version of an established QMS, a “home grown” QMS, agile development or other method, the QMS/method must be mapped to one or more specific federal government or SDO established QMS(es). [see also 80 FR 62672-62673] The mapping must be done through documentation and explanation that links the components of their QMS/method to an established QMS and identifies any gaps in their QMS as compared to an established QMS. [see also 80 FR 62672]
• There is no expectation that there will be detailed documentation of historical QMS or its absence. The documentation of the current status of the health IT development organization will suffice. [see also 80 FR 16858]

Technical outcome – If a single QMS was used for all applicable capabilities/criteria for which certification is being sought, it would only need to be identified once.

Clarifications:

• In the case where the whole development organization uses the same QMS across all teams, then this certification criterion may be met with one report. [see also 77 FR 54191]

Technical outcome – If different QMS were applied to specific capabilities/criteria, each QMS applied would need to be identified for the respective capability/criteria.

Clarifications:

• Where there is variability across teams working on different functional components of the health IT, the health IT developer will need to indicate the individual QMS followed for the applicable certification criteria for which the technology is submitted for certification. [see also 77 FR 54191]