QMSR Transition: Harmonizing FDA 21 CFR 820 with ISO 13485:2016 — Post-Implementation Guide 2026

A Post-Implementation Compliance and Inspection Readiness Guide for Medical Device Manufacturers — March 2026

Updated March 2026  |  18-minute read  |  Sourced from FDA.gov, Federal Register, and peer-reviewed regulatory guidance


The Day the QSR Died — and What That Means for You Right Now

February 2, 2026 was not a quiet day in regulatory affairs circles. On that date, the FDA officially retired the Quality System Regulation (QSR) — the framework that had governed US medical device manufacturing since 1996. Three decades. Longer than some of the quality professionals who had been trained on it have been in the industry. Gone.


In its place: the Quality Management System Regulation (QMSR), an amended version of 21 CFR Part 820 that incorporates ISO 13485:2016 by reference — meaning the international standard is now enforceable as US federal law. The same day, the FDA's QMSR landing page went live with full enforcement guidance. The Quality System Inspection Technique (QSIT), the inspection playbook that shaped how a generation of quality professionals prepared for audits, was formally withdrawn. Compliance Program 7382.850 — a 78-page inspection manual that most companies are still digesting — took its place.

If your organization spent the two-year transition period treating QMSR as a terminology exercise — swapping "DMR" for "MDF" in your documents, updating a few headers, calling it done — this article is specifically for you. Because the substantive changes run considerably deeper than the language. The inspection model has been redesigned. Records that FDA investigators previously could not request are now fully within scope. Risk management has moved from a single footnote in §820.30(g) to the structural backbone of everything inspectors will evaluate. And the FDA has made explicit that it expects evidence of a genuine culture of quality — not a paper QMS that looks credible on the shelf.

The transition period is over. Enforcement is live. This is what you need to know.

⚠️ Enforcement Is Not Theoretical

The FDA has confirmed that investigators may review QMS records created before February 2, 2026 to assess QMSR compliance. A manufacturer cannot argue that pre-transition documentation is exempt from post-transition scrutiny. A comparative analysis demonstrating that existing documents satisfy the QMSR's requirements — even if they use legacy QSR terminology — is not just useful. At this point, it should be a completed deliverable sitting in your document control system.

Why the FDA Finally Made This Move

The QSR hadn't been substantially revised since 1996. In that same period, ISO 13485 went through two major revisions (2003 and 2016), each time becoming more risk-focused, more process-oriented, and more globally adopted. By 2022, when the FDA published its proposed rule, ISO 13485:2016 had already become the foundation for:

  • The European MDR and IVDR quality system requirements
  • The Medical Device Single Audit Program (MDSAP) — through which the FDA, Health Canada, TGA (Australia), ANVISA (Brazil), and PMDA (Japan) coordinate audits
  • Regulatory quality system requirements in dozens of other markets globally

For a US-headquartered manufacturer exporting to Europe, Canada, Japan, and Australia simultaneously, running a QSR-compliant system alongside ISO 13485:2016 meant maintaining two overlapping but non-identical frameworks. The duplication wasn't just administratively annoying — it introduced genuine compliance risk. Decisions made to satisfy QSR language didn't always map cleanly to ISO 13485's process-based requirements, and vice versa.

The QMSR resolves this. By incorporating ISO 13485:2016 as the regulatory text of Part 820, the FDA has effectively created a unified foundation. One QMS, built to ISO 13485, should now satisfy both US regulatory requirements and international market access requirements — subject to the FDA's specific supplemental provisions, which we'll cover below.

The December 2025 Federal Register technical amendment to the QMSR — which updated references to the new regulation across 179 sections of Title 21 CFR — illustrates the breadth of this change. This was not a targeted tweak. It was a comprehensive re-architecture of how the FDA regulates device quality.


Incorporation by Reference: What It Actually Means in Practice

"Incorporation by reference" is a legal mechanism authorized under the Freedom of Information Act (1 CFR Part 51). In plain terms: it means the FDA has adopted ISO 13485:2016 as the substance of the regulation without reprinting the entire standard in the Federal Register. The standard has the force and effect of law — as if it were published in full in the CFR.

The practical consequence is that the new Part 820 is a remarkably short document. Most of its clauses simply state: "See ISO 13485:2016, Clause [X]." The actual quality system requirements — process control, purchasing controls, inspection and testing, design and development — live in the ISO standard, not in the federal text.

Two Critical Points Every Compliance Team Must Understand

First: Compliance with ISO 13485 alone is not sufficient for QMSR compliance. The FDA retained several sections of Part 820 where it determined ISO 13485 did not fully cover existing regulatory expectations. These include:

  • §820.10 — Supplemental Requirements: Covers UDI, medical device reporting (MDR), corrections and removals, and device tracking — all specific to US regulatory requirements that have no direct equivalent in ISO 13485.
  • §820.35 — Control of Records: More explicit than ISO 13485 on complaint record content requirements — including when complaints must be investigated and what service records must contain. This section is worth reading carefully; it imposes more detail than its predecessor.
  • §820.45 — Device Labeling and Packaging Controls: The FDA found ISO 13485's labeling provisions insufficient and added requirements for label accuracy inspection prior to device release.

Second: Accessing ISO 13485:2016 is not free. The standard is available for purchase from the International Organization for Standardization (ISO), or in read-only format via the ANSI Incorporated by Reference Portal (free registration required). The FDA also incorporates Clause 3 of ISO 9000:2015 by reference, because ISO 13485's terms and definitions depend on it. If your team is working from memory about what the standard says, rather than from the actual text, that is a gap you need to close now.


The Terminology Shift: Legacy QSR vs. New QMSR

Terminology matters more than most people appreciate in a regulated environment. An FDA investigator trained on the new CP 7382.850 will use ISO 13485 language during your inspection. If your team responds to "show me your Design and Development File" by reaching for a binder labeled "Design History File," the substantive content may be identical — but the momentary confusion signals that your organization may not have genuinely internalized the new framework. That's the kind of signal that experienced investigators note.

More importantly, some terminology changes reflect substantive scope differences, not just labels. The shift from "Device History Record (DHR)" to "Device Record" (aligned with ISO 13485's "device record" concept) carries nuanced differences in what must be maintained and where. The move from "Management with Executive Responsibility" to "Top Management" carries ISO 13485's explicit expectation of demonstrated leadership commitment — not just designated authority.

| Legacy 21 CFR 820 (QSR — Pre-Feb 2026) | New QMSR / ISO 13485:2016 Aligned | Practical Impact |
|---|---|---|
| Quality System Regulation (QSR) | Quality Management System Regulation (QMSR) | Title change throughout all regulatory references; 179 CFR sections updated |
| Design Controls (§820.30) | Design and Development (ISO 13485 Clause 7.3) | Scope expanded; traceability between inputs and outputs now explicitly required |
| Design History File (DHF) | Design and Development File | Equivalent content; ISO terminology must now be used in documents and front-room communications |
| Device Master Record (DMR) | Medical Device File (MDF) | Conceptually similar; ISO 13485 Clause 4.2.3 governs; MDF framing is broader in scope |
| Device History Record (DHR) | Device Record (ISO 13485 Clause 4.2.5) | Near-equivalent; subtle scope differences in what must be documented for each manufactured lot |
| Management with Executive Responsibility | Top Management | ISO 13485 places explicit accountability obligations on top management; passive designation is insufficient |
| Quality System (QS) | Quality Management System (QMS) | Reflects a process-based, integrated approach rather than a compliance-document-collection mindset |
| Quality System Inspection Technique (QSIT) | Compliance Program 7382.850 | Fundamentally different inspection architecture; 6 QMS Areas + 4 OAFRs; risk-based, TPLC-oriented |
| Design Validation (§820.30(g)) — risk analysis "where appropriate" | Design and Development Validation — risk management integrated throughout Clause 7.3 | Risk analysis elevated from optional annotation to core design requirement; ISO 14971 alignment strongly expected |
| Supplier / Purchasing Controls (§820.50) | Outsourcing and Purchasing (ISO 13485 Clauses 7.4, 4.1.5) | Broader scope under ISO 13485; now includes outsourced processes, not just purchased goods |
| Management Review (§820.20(c)) — exempt from FDA review under §820.180(c) | Management Review (ISO 13485 Clause 5.6) — fully inspectable | Critical change. Previous exemption eliminated. Management review minutes are now a primary inspection record |
| Internal Audits — exempt from FDA review under §820.180(c) | Internal Audits (ISO 13485 Clause 8.2.4) — fully inspectable | Major change with immediate compliance implications. Audit findings must now reflect genuine systemic assessment |
| Corrective and Preventive Action (CAPA) — mandatory element in all QSIT inspections | Corrective Action / Preventive Action (ISO 13485 Clauses 8.5.2, 8.5.3) — required in Inspection Model 2 only | Structural prominence of CAPA has shifted; risk management failures are now primary OAI triggers |

ISO 14971 and Risk Management: The Connective Tissue of the New QMS

Here is the single most important conceptual shift in the QMSR — and the one that catches the most organizations underprepared. Under the old QSR, the word "risk" appeared exactly once: in §820.30(g), in the context of design validation, with the qualifier "where appropriate." Thirty years of regulatory practice trained quality professionals to treat risk management as a design phase deliverable — a risk analysis document you generated, filed in the DHF, and referenced in the 510(k). Task completed. Box ticked.

ISO 13485:2016 uses the word "risk" — or "risks" — over 25 times. It appears in Quality Management System planning (Clause 4.1.2), in resource management, in design and development, in purchasing controls, in production, in servicing, and in corrective action. The opening requirement of the standard's QMS approach (Clause 4.1.2) states explicitly that organizations shall "apply a risk-based approach to the control of the appropriate processes needed for the quality management system."

That's not a design deliverable. That's an operating philosophy. Risk management is the lens through which every process in your QMS is supposed to be designed, operated, monitored, and improved. Not a document. A discipline.

Where ISO 14971 Fits — and Why It Matters Even Though It's Not Formally Incorporated

ISO 14971:2019 — the international standard for the application of risk management to medical devices — is not directly incorporated by reference in the QMSR. The FDA was deliberate about this. However, ISO 13485:2016 references ISO 14971 throughout its risk management requirements. Demonstrating QMSR compliance through ISO 13485 therefore requires demonstrating that your risk management processes are substantively aligned with ISO 14971.

In practical terms: ISO 14971 provides the framework for what a risk management file should contain, how severity and probability estimates should be structured, how residual risk is evaluated against risk acceptance criteria, and how risk information flows into post-market surveillance. If your risk management documentation doesn't demonstrate these elements, it may not satisfy the ISO 13485 requirements that are now binding under Part 820 — even if the FDA hasn't formally cited ISO 14971 as the standard.

The FDA's official QMSR FAQ advises manufacturers to "assess the extent to which their risk management processes and procedures comply with ISO 14971 in order to demonstrate compliance with ISO 13485:2016." That is as close to a formal requirement as language gets without being a formal requirement.

What Risk Management Looks Like Under the New Inspection Framework

The new CP 7382.850 inspection diagram places "Patients and Users" at the center of the inspection model, surrounded by a "Risk Management" circle. That diagram is not decorative. An FDA investigator conducting a QMSR inspection is trained to use risk management as their roadmap through your QMS. They will not simply ask: "Did you follow your procedure?" They will ask: "Did your deviation from this procedure introduce risk to the patient — and how was that risk assessed and controlled?"

The new compliance program explicitly lists risk management failures among the "Situation 1" finding categories — the classification that drives Official Action Indicated (OAI) outcomes, warning letters, and import alerts. Risk management is no longer background context for an inspection. It is the primary evaluative framework.

✅ Risk Management Readiness Audit — Three Questions Your QA Team Should Answer Today

  1. Can you demonstrate, with documented evidence, how risk considerations influenced your most recent management review agenda — not just product decisions, but QMS process decisions?
  2. Does your supplier qualification process include risk-based criteria for selecting which suppliers receive enhanced controls? Not a tier list — documented risk rationale for each tier?
  3. When your CAPA system identifies a recurring nonconformance, does the resolution document include an explicit risk assessment of the systemic root cause — not just a corrective action plan?

If any of those answers is "not clearly" — that is where your inspection preparation effort should be concentrated.

Design and Development: The Most Substantive Change You May Have Missed

The transition from "Design Controls" to "Design and Development" is not cosmetic. Under the QSR, design traceability — specifically, documented linkage between design inputs, outputs, verification testing, and validation — was considered best practice. The FDA expected it, but the regulation didn't require explicit documentation of the traceability chain itself. Under ISO 13485:2016 Clause 7.3.3, traceability between design inputs and outputs is a formal requirement, not a recommendation. This is a substantive gap for manufacturers who built design documentation structures around what the QSR required rather than what ISO 13485 expects.

The Independent Reviewer Question

One nuance that frequently surprises experienced quality professionals: ISO 13485 does not require an independent reviewer for design reviews, unlike the QSR's §820.30(e), which mandated inclusion of "an individual(s) who does not have direct responsibility for the design stage being reviewed." The FDA acknowledged this difference in the QMSR preamble but made a specific choice: it retained the spirit of the QSR requirement by expecting that design reviews are conducted by individuals with "the qualifications necessary to evaluate and consider the results of the review" — and investigators will probe whether review participants can actually evaluate the design, not just rubber-stamp it.

IDE Devices and the End of Design Control Exemptions

An important clarification that affects development-stage companies: medical devices manufactured under an Investigational Device Exemption (IDE) are not exempt from design and development requirements under 21 CFR 820.10(c) of the QMSR and ISO 13485 Clause 7 subclauses. The FDA has made this explicit in its QMSR guidance. If you are building a regulatory strategy for a device under IDE and assuming design controls don't apply until 510(k) or PMA submission, that assumption is incorrect under the QMSR framework.

The Design and Development File — Practical Documentation Expectations

The Design and Development File (formerly DHF) under ISO 13485 Clause 7.3 must demonstrate:

  • The design and development plan, including stage-gate reviews, responsibilities, and timelines
  • Defined and documented design inputs, including functional, performance, safety, and regulatory requirements
  • Design outputs with explicit traceability back to inputs — this is the traceability matrix requirement that distinguishes QMSR from QSR
  • Design review records, including the identification of participants and the device's stage at each review
  • Design verification evidence demonstrating outputs meet inputs
  • Design validation evidence demonstrating the device meets user needs and intended uses under actual or simulated conditions
  • Design transfer documentation demonstrating that design outputs were correctly translated to production specifications
  • Design change control records for any modifications throughout the lifecycle

If your Design and Development File currently cannot be navigated by an FDA investigator who has never seen your product before — using its own table of contents and internal cross-references — that is a documentation problem that will surface in an inspection.


The End of QSIT — What CP 7382.850 Means for Your Next Inspection

For over 25 years, QSIT gave quality professionals a predictable inspection framework. It organized the FDA's review around four major subsystems — Management Controls, Design Controls, CAPA, and Production and Process Controls — plus three supporting subsystems. You could prepare a team for an inspection by knowing which subsystems the investigator was likely to probe in a given inspection level, and you could walk someone into the front room with a reasonably accurate mental map of what was coming.

That predictability is gone. As of February 2, 2026, CP 7382.850 is the operating manual. The change is structural and conceptual, not just procedural.

The New Architecture: 6 QMS Areas + 4 OAFRs

CP 7382.850 organizes inspections around six QMS Areas aligned with ISO 13485 clauses, plus four Other Applicable FDA Requirements (OAFRs):

| 6 QMS Areas (ISO 13485-Aligned) | 4 Other Applicable FDA Requirements (OAFRs) |
|---|---|
| 1. Management Oversight | Medical Device Reporting (21 CFR Part 803) |
| 2. Design and Development | Corrections and Removals (21 CFR Part 806) |
| 3. Change Control | Medical Device Tracking (21 CFR Part 821) |
| 4. Outsourcing and Purchasing | Unique Device Identification (21 CFR Part 830) |
| 5. Product and Service Provision | |
| 6. Measurement, Analysis, and Improvement | |

Under CP 7382.850, FDA investigators are not required to evaluate these areas in a fixed sequence. They move between them as risk dictates. The investigator begins by identifying the products and processes that represent the highest patient risk, then traces that risk thread through your QMS — following complaints into CAPA, following CAPA into management review, following management review into resource allocation decisions. This is a fundamentally different inspection experience from QSIT's predictable subsystem sequence.

The Culture of Quality Expectation

The QMSR preamble and CP 7382.850 both reference FDA's expectation of a culture of quality within manufacturing organizations. This is not regulatory boilerplate. Investigators are now explicitly trained to assess whether management's stated commitment to quality — in their quality policy, in management review minutes, in resource allocation decisions — is actually reflected in operational behavior throughout the facility. An organization where leadership signs off on the quality policy once per year but routinely deprioritizes CAPA resources in favor of production throughput will exhibit a culture of quality mismatch. That mismatch is now inspectable.


The Records FDA Can Now See That It Couldn't Before

This is the change with the most immediate practical compliance implications for many organizations, and it deserves direct treatment without softening.

Under the QSR, §820.180(c) provided a specific exemption: FDA investigators could not routinely request management review reports, internal audit reports, or supplier quality audit reports. This exemption was one of the most practically significant features of the old framework. It meant that internal quality system assessments — however candid or concerning — were protected from agency review. Management review minutes could document serious systemic issues without those issues becoming an immediate inspection finding.

That exemption does not exist in the QMSR. It was deliberately not carried forward. The FDA's own QMSR FAQ makes this explicit: "The QMSR gives the FDA the authority to inspect management review, quality audits, and supplier audit reports. The exceptions that existed in the QS regulation at §820.180(c) are not maintained in the QMSR."

The FDA's justification: since manufacturers are already required to make these documents available to other regulatory authorities (Health Canada under MDSAP, TGA, PMDA, ANVISA), making them available to FDA does not create additional burden. The reasoning is sound. The operational implication is significant.

What This Means for Your Documents Today

Management review minutes, internal audit reports, and supplier audit reports now need to be written as documents that could be reviewed by an FDA investigator — not as internal working documents where candid assessments are made informally. This does not mean sanitizing these records. It means ensuring they accurately and completely reflect the actual discussions, findings, and decisions made — because a sanitized management review that shows no systemic issues, followed by a facility with obvious systemic nonconformances, is precisely the kind of inconsistency that experienced investigators identify and pursue.

"The era of checklist compliance is over. FDA investigators will no longer simply verify you have procedures. They will test whether your quality system actually functions as an integrated, risk-driven whole."
— FDA Compliance Program 7382.850 Analysis, The FDA Group, February 2026

MDSAP, ISO Certification, and the Global Harmonization Play

Two questions come up in virtually every QMSR compliance conversation. Both deserve direct answers.

Does ISO 13485 Certification Satisfy QMSR Requirements?

No — not on its own. ISO 13485 certification demonstrates conformity with the international standard through a third-party certification body audit. It does not constitute compliance with the QMSR's supplemental FDA-specific requirements (§820.10, §820.35, §820.45), and it does not exempt a manufacturer from FDA inspections. The FDA has been unambiguous on this point. You can be ISO 13485-certified and still receive a Form 483 observation under the QMSR.

What About MDSAP Participation?

The Medical Device Single Audit Program (MDSAP) offers more protection, but not immunity. MDSAP is a program in which a single audit — conducted by an accredited auditing organization — satisfies the inspection requirements of multiple regulatory authorities simultaneously: FDA, Health Canada, TGA (Australia), ANVISA (Brazil), and PMDA (Japan). The FDA, as an MDSAP participant, may accept MDSAP audit reports as a substitute for routine surveillance inspections.

However, MDSAP does not prevent FDA from conducting inspections "for cause" — following a field safety corrective action, a significant MDR reporting pattern, or a specific compliance concern. And MDSAP audits are themselves evolving to reflect QMSR requirements, meaning that an MDSAP audit under the post-February 2026 standards will be substantively different from pre-QMSR MDSAP assessments.

For manufacturers currently in or considering MDSAP, the post-QMSR transition period is a natural moment to assess whether your MDSAP audit cycle is aligned with the new QMSR requirements — particularly on risk management integration and the newly inspectable management review and internal audit records.


5-Point Compliance Checklist for the Post-QMSR Era

The transition deadline has passed. These are the five priorities that should be driving compliance activity in every medical device manufacturer's quality organization right now.

✅ 1. Complete and Document Your Gap Analysis — If You Haven't Already

The FDA has confirmed that investigators may review records created before February 2, 2026. A formal comparative analysis demonstrating that your pre-QMSR documentation meets QMSR requirements is not optional — it is the evidence that protects you when an investigator asks about historical records. This analysis should be signed off by Quality leadership and filed in your document control system. If your organization has not yet completed this analysis, it is the most urgent item on this list.

✅ 2. Map Risk Management Through Your Entire QMS — Not Just the Design File

Audit every major QMS procedure — supplier qualification, production process controls, CAPA, management review, internal audit — and verify that each contains an explicit, documented risk-based rationale for how it operates. ISO 13485 Clause 4.1.2 requires risk-based thinking across all QMS processes. If risk only appears in your design documentation, your QMS does not meet the standard. Update procedures to reflect how risk is evaluated in each process, and train the relevant staff on the connection between their work and the risk management framework.

✅ 3. Prepare Your Newly Inspectable Records for Scrutiny

Management review minutes, internal audit reports, and supplier audit reports are now within FDA inspectional scope. Review the last two years of these records through the lens of an external investigator. Do they accurately reflect systemic issues and the responses taken? Are decisions documented with their risk-based rationale? Are supplier control decisions traceable to objective qualification criteria? Fix deficiencies now — before an inspection reveals them.

✅ 4. Conduct Front-Room Inspection Readiness Training Under the New Terminology

Every individual who might interact with an FDA investigator — quality, engineering, manufacturing, regulatory affairs, senior leadership — needs to speak fluent QMSR. They need to know that "Design History File" is now "Design and Development File," that "DMR" is now "Medical Device File," that investigators will use ISO clause references rather than QSR section numbers. Run mock inspections using CP 7382.850 as the investigator's playbook. If your team cannot navigate an inspector's questions in ISO terminology, your preparation is incomplete.

✅ 5. Review and Update Your Supplier Quality Agreements

All supplier quality agreements that reference the QSR should have been updated to reference the QMSR. Residual QSR references in supplier contracts create a compliance gap — the agreement describes a regulatory framework that no longer exists. Additionally, ISO 13485 Clause 4.1.5 now covers outsourced processes with a breadth that exceeds the QSR's purchasing controls. If you use contract manufacturers, service providers, or any outsourced QMS process, verify that your agreements reflect the broader QMSR/ISO 13485 scope — not just the former §820.50 requirements.


The Most Common Gap Categories Regulators Are Finding Right Now

Based on post-February 2026 early-stage inspection activity patterns and the categories highlighted in FDA's updated guidance, these are the gap areas where manufacturers are most frequently underprepared:

1. Terminology Substitution Without Substantive Process Alignment

The single most common superficial compliance failure: organizations updated document headers and procedure names from QSR to QMSR language but did not update the underlying process requirements. A procedure titled "Design and Development" that still describes a workflow built around QSR §820.30 — without a traceability matrix requirement, without explicit risk integration throughout design stages — complies in terminology only and leaves a substantive gap. Investigators will identify this within the first hour.

2. Risk Management Treated as a Design-Phase Activity Only

Organizations whose risk management files are complete, well-organized ISO 14971-aligned documents — but whose purchasing procedures, production process controls, and CAPA workflows contain no risk-based decision criteria — will struggle under CP 7382.850's integrated evaluation approach. Risk management under the QMSR is pervasive, not sequential.

3. Software Validation Gaps Under the Broader QMSR Scope

Under the QSR, software validation primarily applied to production equipment software (§820.75 process validation) and design controls (§820.30). Under the QMSR and ISO 13485, the validation scope is broader — encompassing quality system software, computerized systems used in any regulated process, and software as a medical device (SaMD/SiMD) subject to specific additional requirements under §820.10. Organizations that haven't audited their software validation inventory against the broader QMSR scope will find gaps.

4. Supplier Controls That Don't Reflect a Risk-Based Tiering Rationale

ISO 13485 Clause 7.4 requires that supplier selection and control activities be commensurate with the risk associated with the outsourced product or service. A supplier qualification program that applies the same controls to all suppliers regardless of their criticality — a flat-tier approach with no documented risk rationale — does not meet the standard's requirements, even if it was adequate under the QSR's §820.50.

5. Management Reviews That Don't Demonstrate Risk-Based Decision Making

Now that management review minutes are inspectable, reviews that consist primarily of metric reviews and action item tracking — without explicit discussion of systemic quality risks, resource adequacy, and leadership accountability — will draw attention. ISO 13485 Clause 5.6 specifies inputs to management review that go well beyond performance dashboards, including changes that could affect the QMS, process performance and product conformance, and audit results. If your management reviews have been structured as routine reporting events rather than risk-informed governance forums, that structure needs to change.


What Comes Next: ISO 13485 Version Updates and the Rulemaking Cycle

A final point that deserves attention: the QMSR incorporates ISO 13485:2016 — specifically the 2016 version. ISO standards are reviewed on a five-year cycle, so a revised version of ISO 13485 could have been published as early as 2021 or 2022. That did not happen, but an update is plausible in the 2026–2028 window. The FDA has been explicit about what happens when ISO 13485 is revised: the agency cannot automatically adopt a new version. It must initiate a new notice-and-comment rulemaking, publish a proposed rule, receive public comments, and publish a final rule before enforcing a revised version. Given that the QSR was essentially unchanged from 1996 to 2026, manufacturers should not assume that ISO 13485 version transitions will be rapid.

The practical implication: invest now in building a QMS that embodies the principles of ISO 13485 — the risk-based process approach, the integration of risk management throughout the system, the leadership accountability model — rather than a QMS designed to satisfy the literal text of any single version. Standards language changes. Regulatory philosophy is more durable.

It's also worth watching the International Medical Device Regulators Forum (IMDRF), through which the FDA coordinates with global regulatory authorities including the EMA, TGA, and Health Canada. The QMSR transition is explicitly framed as part of the FDA's IMDRF harmonization commitment. Future IMDRF guidance on QMS requirements, particularly as it relates to digital health devices, SaMD, and AI/ML-enabled devices, will likely influence how the FDA interprets and enforces the QMSR in technically complex product categories.


Frequently Asked Questions

❓ What is the QMSR and when did it take effect?

The Quality Management System Regulation (QMSR) is the FDA's amended version of 21 CFR Part 820, effective February 2, 2026. It replaces the Quality System Regulation (QSR) that had governed US device manufacturing since 1996 and incorporates ISO 13485:2016 by reference, making that international standard enforceable as US federal law for finished medical device manufacturers.

❓ Does ISO 13485 certification replace FDA QMSR compliance?

No. ISO 13485 certification does not exempt manufacturers from FDA inspections under the QMSR. The FDA retains full inspectional authority. MDSAP participation entitles manufacturers to substitution of routine FDA inspections with MDSAP audit reports, but even then, the FDA may conduct inspections when risk warrants it. Every manufacturer must independently meet the QMSR's supplemental FDA-specific requirements regardless of certification status.

❓ What replaced the QSIT inspection methodology?

The QSIT was formally withdrawn February 2, 2026 — with no "QSIT 2" replacement planned. It has been replaced by Compliance Program 7382.850 (CP 7382.850), a 78-page inspection manual organizing inspections around six QMS Areas and four Other Applicable FDA Requirements (OAFRs), using a Total Product Life Cycle (TPLC) and risk-based assessment approach. Investigators are no longer required to follow a fixed subsystem sequence — they follow risk.

❓ What are the major terminology changes from QSR to QMSR?

Key changes: Design History File (DHF) → Design and Development File; Device Master Record (DMR) → Medical Device File (MDF); Design Controls → Design and Development; Management with Executive Responsibility → Top Management; Quality System → Quality Management System. FDA investigators now use ISO 13485 terminology during inspections. Organizations must ensure front-room staff are fluent in the new language.

❓ Is ISO 14971 incorporated by reference in the QMSR?

No — ISO 14971 is not directly incorporated. However, ISO 13485:2016 (which IS incorporated) references ISO 14971 principles throughout its risk requirements, with "risk" appearing over 25 times in the standard. The FDA's own QMSR FAQ advises manufacturers to assess compliance with ISO 14971 to demonstrate compliance with ISO 13485. In practice, ISO 14971 alignment should be treated as functionally mandatory.

❓ Can FDA now inspect management review minutes and internal audit reports?

Yes. The §820.180(c) exemption that previously shielded these records has been eliminated in the QMSR. Management review minutes, internal audit reports, and supplier audit reports are now fully within FDA inspectional scope under CP 7382.850. These documents must accurately reflect actual risk-based discussions and decisions — sanitized summaries inconsistent with observable facility conditions are a significant inspection risk.



Closing Perspective: The Compliance Mindset the QMSR Was Designed to Produce

The QSR was built around documentation. Demonstrate you have the right procedures, maintain the required records, and your inspection would likely conclude without findings. Quality professionals learned to build systems that looked correct on paper — and many of those systems genuinely were correct, staffed by professionals who understood the intent behind the requirements.

But the framework also enabled the minimum viable compliance posture — organizations that produced the required documents with only a loose connection to actual manufacturing practice. The FDA has known this for decades. The QMSR, combined with CP 7382.850's risk-based, process-integrated inspection methodology, is a deliberate attempt to close that gap.

The QMSR does not ask whether you have a risk management procedure. It asks whether risk management thinking shapes how your organization makes decisions — about resources, suppliers, design changes, nonconformances, and market feedback. That's a harder question to answer with a document. It requires a quality culture that runs deeper than the QMS binder.

For organizations that have always operated that way — where quality is genuinely how decisions are made, not just how they're documented — the QMSR is largely a structural re-labeling exercise. For organizations where quality compliance has been primarily a documentation exercise, the post-February 2026 inspection environment will feel materially different. Not because investigators are more aggressive, but because the framework they're working from is designed to see through the paper.

How is your organization navigating the post-QMSR inspection environment? Are there specific implementation challenges — particularly around risk management integration or the newly inspectable records — that you'd like to discuss? Share your experience in the comments. Regulatory affairs and quality professionals have perspectives worth hearing on what this transition actually looks like in practice.

