On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) took effect, replacing 21 CFR Part 820 — the Quality System Regulation (QSR) that had governed US medical device manufacturing since 1996. It is the most significant change to US device quality requirements in nearly three decades.
The deadline has passed. But the transition is far from complete. FDA inspection data shows that a substantial portion of manufacturers have not finished updating their QMS documentation, and investigators are already citing gaps during routine inspections. If your team is still working through the transition — or isn't sure what changed — this article breaks it down.
What Is QMSR?
QMSR is the FDA's new quality management system framework for medical device manufacturers. The defining change: instead of specifying its own requirements in full, QMSR incorporates ISO 13485:2016 by reference. Manufacturers who are already certified to ISO 13485:2016 now have a significantly streamlined path to FDA compliance — but manufacturers who were relying on the old QSR framework without an ISO 13485 foundation face real work to close the gap.
The FDA's intent was to harmonize US requirements with the global standard most other major markets (EU, Canada, Japan, Australia) already require. In practice, this means the audit expectations, documentation requirements, and QMS structure now mirror what a notified body or Health Canada auditor would review.
February 2, 2026 — QMSR Is Now Enforceable
The transition period ended February 2, 2026. FDA investigators are now inspecting against QMSR requirements. Manufacturers still operating under legacy QSR documentation without a documented QMSR gap assessment face regulatory risk at their next inspection.
What Actually Changed: QSR vs. QMSR
The structural shift matters more than the line-item differences. The old QSR was a prescriptive, US-specific regulation with defined subparts for management, design controls, purchasing, production, and records. QMSR defers to ISO 13485:2016 for most of that content — and ISO 13485 uses a different clause structure, different terminology, and materially different requirements in several areas.
| Area | Old QSR (21 CFR 820) | QMSR (ISO 13485:2016) |
|---|---|---|
| Framework basis | Standalone US regulation | Incorporates ISO 13485:2016 by reference |
| Risk management | Implicit; referenced in design controls | Explicit throughout — ISO 14971 application required at QMS level |
| Design controls | 820.30 — detailed prescriptive requirements | ISO 13485 §7.3 — more flexible but requires documented process |
| Supplier controls | 820.50 — purchasing controls | ISO 13485 §7.4 — extends to entire supply chain with risk-based qualification |
| Post-market surveillance | Complaint handling + MDR reporting | Systematic PMS process required; feedback loops into design and risk |
| Management review | Required but loosely defined | Structured input/output requirements; must address QMS performance data |
| Sterile device requirements | Minimal in QSR itself | Explicit additional requirements in ISO 13485 §6–8 for sterile devices |
| Records retention | 2-year minimum or device lifetime | Defined per device type; aligns with ISO 13485 §4.2.5 |
The shift that catches most teams off guard is risk management integration. Under the old QSR, risk was primarily a design-controls concern. Under QMSR and ISO 13485, risk management principles are expected to permeate the entire QMS — including supplier qualification, process validation, and post-market activities. Teams that treated their DHF as the home of all risk documentation will need to restructure how risk thinking is documented and linked across the system.
What FDA Still Requires (That ISO 13485 Doesn't)
QMSR is not a pure ISO 13485 adoption. The FDA retained several US-specific requirements that sit alongside the ISO 13485 incorporation. These are easy to miss if your team focused only on the ISO 13485 transition:
- Medical Device Reporting (MDR) — 21 CFR 803. QMSR does not replace MDR obligations. You still must report malfunctions, serious injuries, and deaths under the existing 30-day/5-day timelines.
- Unique Device Identification (UDI) — 21 CFR 830. UDI requirements remain separate and unchanged under QMSR.
- Establishment Registration and Device Listing — 21 CFR 807. Unchanged. Still required annually.
- 510(k) and PMA requirements. QMSR affects QMS documentation, not the premarket pathway itself.
- Complaint files as a defined record type. FDA maintained complaint file requirements explicitly — they are not fully subsumed by ISO 13485's feedback processes.
QMSR + ISO 13485 Certification ≠ Full FDA Compliance
Manufacturers who achieved ISO 13485:2016 certification assume they have cleared the QMSR bar. ISO 13485 certification covers the quality system but does not address MDR, UDI, registration/listing, or FDA-specific complaint file requirements. QMSR compliance requires satisfying both the ISO 13485 core and these retained FDA requirements.
What Manufacturers Must Do Now
The inspection clock is running. FDA investigators have QMSR as their reference standard for any inspection after February 2, 2026. Here is the minimum transition work required:
- Conduct a documented gap analysis comparing your current QMS procedures to ISO 13485:2016 clause requirements
- Update your Quality Manual (or equivalent top-level QMS document) to reference QMSR and ISO 13485:2016 instead of 21 CFR 820
- Revise risk management procedures to reflect QMS-level risk integration (not just DHF-level) per ISO 14971
- Update supplier qualification procedures to align with ISO 13485 §7.4 risk-based supplier evaluation requirements
- Review and update management review procedure to capture ISO 13485 §5.6 input/output requirements
- Confirm post-market surveillance procedures include systematic feedback loops (not just complaint handling)
- Update SOPs to use ISO 13485 clause references where previously citing 21 CFR 820 subparts
- Train QA and regulatory staff on QMSR structure and key changes from QSR
- Document the transition: maintain a record showing when QMS was updated and what changed
- If ISO 13485:2016 certified: verify your certificate scope covers all device types and manufacturing activities FDA inspects
Gap Analysis: Where to Start
The most efficient approach is a clause-by-clause comparison of your existing procedures against ISO 13485:2016. Map each existing SOP to the ISO clause it satisfies. Identify clauses with no corresponding procedure (gaps) and clauses where existing procedures partially satisfy requirements (partial gaps). Prioritize by inspection risk: design controls, supplier controls, and risk management are historically the highest-citation areas in FDA quality system inspections.
If your organization already holds ISO 13485:2016 certification, your gap is primarily procedural: updating language and references rather than creating new processes. If you were operating on QSR alone without ISO 13485, expect 3–6 months of substantive QMS work depending on your device complexity and current documentation state.
The Mistake Teams Keep Making
The most common failure mode is treating QMSR as a documentation update rather than a structural change. Teams update their Quality Manual to say "ISO 13485:2016" instead of "21 CFR 820," change a few header references in their SOPs, and call it done. This passes a casual review but fails an FDA inspection.
Why? Because ISO 13485 expects a process approach — where procedures describe how processes interact, how risk informs process decisions, and how feedback from post-market activities feeds back into the QMS. The old QSR was a checklist. ISO 13485 asks you to demonstrate a living system. Investigators know the difference.
The "Relabel" Trap
FDA Form 483 observations since February 2026 include citations for QMS procedures that reference ISO 13485:2016 in their headers but retain QSR-era content that does not satisfy ISO 13485 clause requirements. Updating document headers is not the same as updating document content. Investigators read the procedures, not just the title page.
The second common mistake is scope creep in the gap analysis. Teams over-invest time in low-risk clauses (document control, record retention) and under-invest in high-risk ones (design controls, risk management, supplier qualification). Prioritize the clauses that drive 483 observations and Warning Letter citations — a quick scan of FDA's publicly available inspection data will confirm where the agency focuses.
How AI Tools Accelerate the Transition
QMSR gap analysis is document-intensive work: mapping procedures to clauses, identifying missing coverage, tracking remediation status across dozens of SOPs. Regulatory teams doing this manually spend significant time on cross-referencing that is fundamentally pattern-matching — which is exactly the kind of work AI handles well.
PrediClear is built for this. The platform reads your QMS documentation, maps it against ISO 13485:2016 clause requirements, identifies gaps, and surfaces them by inspection priority. For teams mid-transition, this cuts the initial gap analysis from weeks to days. For teams preparing for an upcoming FDA inspection, it provides a structured view of where documentation is thin and where it's solid.
AI doesn't replace your regulatory team's judgment — it removes the low-value document-scanning work so that judgment gets applied where it matters: deciding how to close the gaps, not finding them.
EU MDR Readiness Self-Assessment
Also navigating EU MDR? Check your readiness across 8 key compliance areas — technical documentation, EUDAMED, clinical evaluation, PMS, UDI — in 2 minutes.
Get PrediClear Before Launch
AI-powered regulatory intelligence for medical device teams. Gap analysis, deadline tracking, and compliance monitoring — built for how regulatory work actually gets done.
Join the Waitlist