At a Glance: Today's issue breaks down the FDA's monumental shift to ISO 13485 and what it means for your QMS, then explores Mexico's new digital health and technovigilance regulations. We also look at a manufacturing process that promises stress free metal components for micro devices, potentially solving a common design headache.

DIGITAL HEALTH

The FDA is Tearing Up the QSR: What the ISO 13485 Shift Really Means for Your Team

The FDA just rewrote the rulebook for medical device quality systems, and the deadline is looming. By February 2026, the old Quality System Regulation (QSR) is out, and the new Quality Management System Regulation (QMSR), built around ISO 13485, is in. This is not just a paperwork change; it is a fundamental shift in philosophy from inspection driven compliance to lifecycle risk management.

For decades, US based manufacturers have lived in a two system world, managing a QSR compliant system for the FDA and a separate ISO 13485 compliant one for most of the rest of the world. Now, that duplication is ending. But if you think this is just about deleting a few old procedures, you might be in for a surprise.

What the Announcement Reports

According to the FDA's final rule published in February 2024, the agency is officially aligning its quality system requirements with the international standard ISO 13485:2016. The new QMSR incorporates the standard by reference, meaning its requirements become the FDA's requirements. The agency's goal is to harmonize with global regulatory bodies, reducing the burden on manufacturers who sell in multiple markets.

It is crucial to understand what this does not mean. The article from Quality Magazine clarifies that ISO 13485 certification will not be required by the FDA, nor will certified manufacturers be exempt from FDA inspections. The FDA remains the ultimate authority, and their inspections will not result in an ISO 13485 certificate. Instead, the FDA is acknowledging that a well implemented ISO 13485 system provides the necessary framework for producing safe and effective devices.

What This Means for Engineering Teams

The old QSR was famously inspection driven. You built your system to pass an audit, with a heavy focus on processes like Corrective and Preventive Action (CAPA). It was often a reactive framework. ISO 13485, by contrast, is built on a foundation of proactive risk management that must be integrated into the entire product lifecycle.

This is a huge mental shift for engineering teams. Risk management can no longer be a separate document you create before launch and then file away. Under the new QMSR, your risk management file (as defined in ISO 14971, which is a key companion to 13485) must be a living system. It needs to be directly connected to design inputs, supplier controls, production processes, and post market data.

For you, this means that every design decision, every change order, and every component selection needs to be viewed through the lens of risk. The question is no longer just 'Does it meet the spec?' but 'How does this decision affect the overall risk profile of the device, and how have we documented that?' This change elevates the role of the systems engineer from a technical expert to a central hub of risk management activity.

Regulatory & Standards Context

The key difference lies in the prescriptive nature of risk integration. While the old 21 CFR 820.30 (Design Controls) required design validation to ensure devices conform to user needs, ISO 13485 is more explicit about how risk management fits in. Specifically, ISO 13485:2016, Clause 7.1 (Planning of product realization) demands that you plan and document risk management activities throughout the entire process.

Furthermore, Clause 7.3.3 (Design and development inputs) requires that inputs include requirements from risk management. And Clause 7.3.4 (Design and development outputs) requires that the outputs are evaluated against those inputs. This creates a closed loop system where risk controls are not just suggested, but are implemented as verifiable design features. It is a much tighter integration than the old QSR framework, and it is what FDA inspectors will now be looking for.

Design Playbook - Learning from the Event

Audit: Is your risk management file a living document or a pre launch checklist? ISO 13485 expects risk to be managed throughout the product lifecycle. Your FMEAs and risk analyses need to be directly tied to your post market surveillance, complaint handling, and design change processes. An auditor should be able to pick a recent complaint and see it reflected as an input to your risk file.

Check: Are your design inputs and outputs explicitly linked to risk controls? The standard requires a clear thread from a potential hazard to a risk control measure implemented in the design. You should be able to trace a specific requirement in your verification and validation plan directly back to a mitigation strategy in your risk management file. If you cannot, you have a gap.

Audit: How integrated are your suppliers into your risk management process? ISO 13485 puts a heavy emphasis on supplier controls (Clause 7.4). You need to flow down risk based requirements and verify their effectiveness, not just accept a certificate of compliance. Ask yourself, 'Do we have objective evidence that our critical suppliers are managing risks that could impact our device?'

Check: Does your definition of 'customer requirements' include usability and human factors? The article notes ISO 13485 is more patient centric. This means your design inputs need to go beyond basic functional specs. They must include robust human factors engineering and usability data, treating them as key inputs to the risk management process, especially for identifying and mitigating use related hazards.

DIGITAL HEALTH

Mexico's New Health Law: What Engineers Need to Know About Digital Health and Technovigilance

If you are marketing devices in Mexico, a major legal overhaul just landed. The country's General Health Law has been amended, with significant new rules for digital health, technovigilance, and even how Good Manufacturing Practice (GMP) audits are conducted. This is not a minor update; it is a signal that regulators are moving to catch up with modern device technology.

The changes, published in the Federal Official Gazette in January 2026, formalize requirements that were previously ambiguous and introduce new constraints that could impact your operations. For engineering teams, the most critical pieces relate to the design and oversight of connected devices and software.

What the Decree States

According to the summary from Hogan Lovells, the amendment formally regulates digital health, covering everything from telemedicine and mobile health to electronic medical records. A key mandate is that all telehealth services must use secure systems that guarantee confidentiality and data protection, with specific mechanisms for informed consent.

Another major shift is that the Ministry of Health will now be the only entity allowed to conduct GMP verification, eliminating the use of authorized third parties. For device oversight, the law now elevates technovigilance, the process of monitoring medical device safety, to a statutory requirement. This moves it from a regulatory expectation to a legal mandate.

What Could Cause This Type of Change

This kind of regulatory modernization is happening worldwide. The formal inclusion of digital health is a direct response to the explosion in remote patient monitoring and telehealth, which accelerated during the pandemic. Governments are now scrambling to build legal frameworks that address the unique risks of connected health, especially around cybersecurity and data privacy.

Taking GMP verification in house is a move to centralize and strengthen regulatory control. While it may create bottlenecks, the goal is likely to ensure consistency and rigor in manufacturing oversight. The new legal requirement for technovigilance simply aligns Mexico with global best practices, where post market surveillance is a cornerstone of ensuring long term device safety and performance.

Regulatory & Standards Context

While the Mexican law itself does not name specific international standards, its intent points directly to established best practices. The requirement for 'secure systems' in digital health aligns perfectly with the principles of cybersecurity risk management outlined in standards like AAMI TIR57 and the FDA's own cybersecurity guidance. These documents provide a roadmap for threat modeling and designing resilient systems.

Similarly, the new technovigilance mandate echoes the post market surveillance requirements of ISO 13485, Clause 8.2.1 (Feedback). A robust technovigilance program is not just about logging complaints. It is about creating a proactive system to collect and analyze performance data from the field to feed back into your risk management and product improvement processes. This is a fundamental principle of any modern QMS.

Design Playbook - Learning from the Event

Check: Does your telehealth platform have a documented cybersecurity risk assessment? The new law requires secure systems. You need to go beyond just using basic encryption and perform a threat model analysis. Document potential attack vectors like unauthorized access to patient data, denial of service attacks, and data integrity breaches, and show how your design mitigates them.

Audit: Is your technovigilance process just complaint handling, or is it proactive? The law now mandates this. Your post market surveillance plan for devices sold in Mexico needs to be robust and active. Are you actively monitoring device performance data, or are you just sitting back and waiting for a complaint to come in?

Check: How do you manage and document informed consent on a digital platform? The law specifically calls this out. Your user interface for any telehealth service must have a clear, documented, and auditable workflow for obtaining and storing patient consent before a service is rendered. A simple checkbox might not be enough.

Audit: If you rely on third party GMP audits for your Mexican operations, what is your transition plan? The law is clear that the Ministry of Health is now the sole verifier. This could introduce significant scheduling delays or changes in inspection focus. You need a plan to engage with them directly and prepare your facility for their specific process.

DIGITAL HEALTH

Beyond Stamping: Can Photo-Chemical Etching Eliminate Burrs in Your Micro-Device?

We have all seen elegant designs compromised by the messy realities of manufacturing. Microscopic burrs, hidden stresses, and heat affected zones from traditional metal forming can ruin the performance of micro scale components. A process called photo chemical etching (PCE) is gaining traction as a way to avoid these headaches entirely.

As devices get smaller, especially in fields like minimally invasive surgery, drug delivery, and wearables, the tiny metal parts inside them become harder to make cleanly. An article from Med-Tech Insights highlights how PCE is being positioned as a solution for these demanding applications, promising a level of precision that is tough to achieve with conventional methods.

What the Company Reports

The Micro Component Group (MCG) is showcasing its PCE technology as an enabler for next generation medical devices. According to the company, the process produces stress free, burr free metal components with extremely fine features and tight tolerances. This is critical for parts like micro needles, diagnostic sensors, and components for implantables where surface integrity and cleanliness are paramount.

The core advantage is that PCE is a non contact, non thermal process. Unlike stamping, which induces mechanical stress and can create burrs, or laser cutting, which creates a heat affected zone, PCE removes metal chemically. This preserves the material's original properties and allows for complex, sharp geometries without compromising the part's integrity.

How This Process Works (In General)

Think of photo chemical etching as developing a photograph on a sheet of metal. The process starts by laminating a light sensitive polymer, called a photoresist, onto the metal. A 'phototool', which is a high resolution film negative of your part design, is placed over the sheet, which is then exposed to UV light.

Where the light passes through the phototool, the resist hardens. The unhardened resist is washed away, leaving a perfect stencil of your parts on the metal. The sheet is then sprayed with a chemical etchant that dissolves the unprotected metal. Because the etchant works on all exposed surfaces simultaneously, it creates clean, sharp edges with no mechanical or thermal stress. It is a highly repeatable and scalable process.

Regulatory & Standards Context

This technology does not introduce new regulatory hurdles; instead, it helps you more reliably meet existing ones. ISO 13485, Clause 7.5.1 (Control of production and service provision), requires that your manufacturing processes be validated to ensure they consistently produce conforming products. A process like PCE, which claims higher repeatability and fewer defects like burrs, can make your process validation (PQ) significantly more robust.

Furthermore, for implantable or fluid path components, surface characteristics are critical for biocompatibility, as defined in the ISO 10993 series. A burr free surface with no residual stress is less likely to harbor contaminants or create sites for corrosion. By delivering a cleaner part from the start, PCE can help you more easily pass the rigorous biocompatibility and sterilization validation requirements.

Design Playbook - Learning from the Event

Check: Have you specified surface finish and edge condition requirements on your component drawings? Do not just specify dimensions and tolerances. Add explicit notes like 'No burrs allowed under 10x magnification' or 'Component must be delivered in a stress free condition.' This forces a critical conversation with manufacturing about whether their chosen process can actually meet your full design intent.

Audit: Does your FMEA for micro components consider failures caused by manufacturing artifacts? You should add specific failure modes like 'Tissue damage from microscopic burr on catheter tip' or 'Fatigue failure originating from residual stress at a stamped edge.' Using a process like PCE could then become a documented mitigation for these identified risks.

Check: Are you applying Design for Manufacturability (DFM) principles for your chosen process? PCE is fantastic for complex 2D shapes but has its own set of rules, like minimum feature sizes related to material thickness. Before you finalize a design around PCE, consult with a vendor to make sure your geometry is optimized for the process to avoid surprises later.

Audit: When prototyping, are you using the same manufacturing process as your planned high volume production? A machined prototype might work perfectly in your bench tests, but a stamped production part could fail due to stress induced during forming. PCE offers a potential advantage here, as the process is often identical from a single prototype to millions of parts, significantly de risking your transition to mass production.