COMPLETE QMSR Compliance Guide
QMS.Coach provides QMSR transition consulting for medical device manufacturers—from startups building their first QMS to Fortune 500 companies navigating complex FDA inspections.
Last Updated: December 2024 | Compliance Deadline: February 2, 2026 | Days Remaining: 57
Executive Summary
The FDA's Quality Management System Regulation (QMSR) replaces 21 CFR Part 820 on February 2, 2026. This regulation incorporates ISO 13485:2016 by reference, fundamentally changing how FDA regulates medical device quality management systems.
Key dates:
- February 2, 2026: QMSR takes effect; QSR no longer applies
- Now through January 2026: Critical transition period
- No grace period: Full compliance required from day one
Critical action items:
- Complete gap analysis against ISO 13485:2016 requirements
- Separate combined CAPA procedures into distinct corrective and preventive action processes
- Prepare management review and internal audit records for FDA inspection (previously exempt)
- Integrate risk-based thinking throughout your QMS (not just design controls)
- Document customer communication and feedback procedures (new requirement)
- Validate any QMS software supporting regulated processes
- Update supplier qualification procedures to align with ISO 13485 Clause 7.4
- Train personnel on terminology changes and new procedural requirements
Who must comply: All medical device manufacturers subject to FDA Quality System requirements under 21 CFR Part 820—including domestic manufacturers, specification developers, contract manufacturers, and foreign manufacturers importing devices into the US.
What is QMSR and Why It Matters
The Quality Management System Regulation represents the most significant change to FDA medical device quality requirements in nearly three decades. When 21 CFR Part 820 was finalized in 1996, it established quality system requirements unique to FDA. While the agency consulted ISO 9001:1994 during development, the QSR remained a distinctly American approach to medical device quality management.
QMSR changes this paradigm. Rather than maintaining separate FDA-specific requirements, QMSR incorporates ISO 13485:2016—Medical devices — Quality management systems — Requirements for regulatory purposes—by reference. The practical effect is that ISO 13485:2016 becomes federal law for medical device manufacturers under FDA jurisdiction.
Why FDA Made This Change
FDA's stated rationale centers on international harmonization. Medical device manufacturers operating globally have long maintained dual systems: one optimized for FDA inspections and another for ISO certification and other regulatory bodies. This duplication created unnecessary burden without improving device quality or patient safety.
The Global Harmonization Task Force (now the International Medical Device Regulators Forum) developed ISO 13485 specifically for medical device regulatory purposes. Unlike ISO 9001, which applies broadly across industries, ISO 13485 incorporates medical device-specific requirements including design controls, risk management, sterility, and traceability. FDA participated in its development and has long recognized it as a suitable foundation for medical device quality management.
Beyond reducing regulatory burden, QMSR reflects FDA's recognition that the quality management landscape has evolved. ISO 13485:2016 incorporates lessons learned from two decades of implementation, including explicit requirements for risk-based thinking that extend beyond design controls and requirements for software validation that reflect modern quality system technology.
What Actually Changes
The changes fall into three categories: additions, removals, and restructuring.
Additions under QMSR include:
Risk-based thinking throughout the QMS, not just in design controls. ISO 13485:2016 requires organizations to apply risk-based approaches to process decisions, supplier evaluation, outsourced process management, and QMS planning. This represents a philosophical shift—from demonstrating compliance with prescriptive requirements to demonstrating that your quality system effectively manages risk.
QMS software validation requirements are now explicit. If you use software to manage quality records, training, CAPA, complaints, or other regulated activities, you must validate that software and maintain documentation of the validation approach.
Customer communication and feedback requirements extend beyond complaint handling. You need documented procedures for handling customer inquiries, communicating product information, processing orders and amendments, and gathering customer feedback as a QMS monitoring mechanism.
Management review and internal audit records become FDA-inspectable. Under QSR, these were explicitly exempt from FDA review. Under QMSR, they're fair game—and you need to ensure they demonstrate systematic follow-up on identified issues.
Removals under QMSR:
Finished device testing requirements (820.90) are removed as a standalone requirement, though they remain part of product realization requirements under ISO 13485 Clauses 7.1 and 8.2.6.
Explicit critical device requirements are gone. QMSR eliminates the prescriptive distinction between critical and non-critical devices that drove different documentation requirements.
Restructuring:
Perhaps most significantly, QMSR reorganizes requirements according to ISO 13485's process-based structure rather than the QSR's requirement-based organization. Corrective action and preventive action become distinct requirements rather than the combined "CAPA" approach most companies have adopted. Documentation requirements are structured around the medical device file concept rather than the device master record/design history file/device history record framework.
Why This Matters for Your Organization
The practical impact depends on your current situation:
If you're ISO 13485:2016 certified: Your QMS likely already meets most QMSR requirements. Focus on the FDA-specific additions in 820.35 (Quality Management System Software Requirements) and 820.45 (Device Labeling Inspections), verify your management review and internal audit records are inspection-ready, and update your QMS to explicitly reference QMSR rather than QSR.
If you're QSR-compliant but not ISO certified: You have substantive work ahead. The gap analysis methodology in Section 6 will help you identify specific deficiencies. Common gaps include: combined CAPA procedures that don't adequately separate corrective and preventive action requirements, inadequate customer communication procedures, missing QMS software validation, and management review records that aren't suitable for external review.
If you're a startup or new market entrant: Build to QMSR from the start. Don't waste resources building a QSR-based system that will need immediate revision.
QMSR vs QSR: Complete Comparison Table
This comparison identifies the 15+ most significant differences between QSR and QMSR, focusing on changes that require actual operational modifications rather than simple terminology updates.
| Category | QSR (21 CFR 820) | QMSR (ISO 13485:2016 + FDA Additions) | Action Required |
|---|---|---|---|
| Regulatory Framework | Standalone FDA regulation with prescriptive requirements | ISO 13485:2016 incorporated by reference plus FDA-specific additions (820.35, 820.45) | Update QMS to reference QMSR and ISO 13485:2016 |
| Risk Management Scope | Required in design controls only (820.30(g)) | Required throughout QMS: process decisions, supplier evaluation, outsourced processes, quality planning | Integrate risk-based thinking across all QMS processes |
| CAPA Structure | Combined requirement (820.100) | Separate Corrective Action (8.5.2) and Preventive Action (8.5.3) | Split CAPA procedure into distinct CA and PA processes |
| Management Review Records | Exempt from FDA inspection | Subject to FDA inspection | Review and prepare records for external review |
| Internal Audit Records | Exempt from FDA inspection | Subject to FDA inspection | Review and prepare records for external review |
| Supplier Audit Records | Exempt from FDA inspection | Subject to FDA inspection | Review and prepare records for external review |
| QMS Software | Implied under general software validation | Explicit requirement (820.35) with specific documentation | Document QMS software validation and maintain records |
| Customer Communication | Not explicitly required | Required procedure (7.2.3) | Create customer communication procedure |
| Customer Feedback | Limited to complaint handling (820.198) | Broader feedback system requirement (8.2.1) | Establish proactive feedback collection and analysis |
| Documentation Structure | DMR, DHF, DHR framework | Medical Device File (MDF), Design and Development File, Batch Record | Update terminology; verify content meets requirements |
| Process Validation | Must validate processes where results cannot be fully verified (820.75) | Same concept but with explicit risk-based application criteria | Review validation decisions against risk framework |
| Labeling Inspections | Implicit requirement | Explicit requirement (820.45) with FDA-specific criteria | Verify labeling inspection procedures and records |
| Statistical Techniques | Required where applicable (820.250) | Required where appropriate for analysis of data (8.4) | Review statistical method justification |
| Traceability | Required (820.65) | Required (7.5.9) with clearer scope definition | Verify traceability extent is appropriate for device risk |
| Servicing | Required if applicable (820.200) | Required (7.5.4) with clearer connection to feedback | Review servicing procedure for feedback integration |
| Record Retention | Specific retention periods defined | Defined by organization based on device lifetime and regulatory requirements | Review retention periods against ISO 13485 criteria |
| Top Management | Management representative concept (820.20) | Top management with personal accountability (5.1, 5.5) | Ensure executive engagement and accountability |
Understanding the Comparison
The High-Impact Changes
Four changes require immediate attention and substantial effort:
First, the CAPA separation requirement isn't merely organizational—it reflects a fundamental difference in how ISO 13485 views corrective versus preventive action. Corrective action addresses existing problems (reactive); preventive action addresses potential problems (proactive). Most QSR-based systems conflate these, leading to preventive action programs that are actually just extensions of corrective action.
Second, the management review and internal audit record accessibility represents both an operational and cultural change. Many organizations have treated these as internal-only documents, sometimes using candid language that assumes no external audience. Under QMSR, assume these records may be reviewed during FDA inspection.
Third, risk-based thinking integration goes beyond adding "risk" to procedure titles. It requires demonstrating that risk considerations actually influence decisions—in process design, supplier selection, validation scope, CAPA prioritization, and resource allocation.
Fourth, QMS software validation is no longer optional or implicit. If you manage CAPA, training, complaints, documents, or other quality activities in software, that software requires validation, and you need documentation to prove it.
The Lower-Impact Changes
Some differences are primarily structural or terminological. The shift from DMR to Medical Device File, for example, doesn't necessarily require renaming documents—the content matters more than the label. Similarly, the restructuring of requirements according to ISO clause numbering doesn't change what you need to do, just how the requirements are organized.
However, don't dismiss structural changes entirely. FDA inspectors will reference ISO 13485 clause numbers during inspections. Personnel need to know where to find requirements in the new structure. Training programs need updating to reflect the new organization.
Section-by-Section QMSR Breakdown with Practical Implications
QMSR incorporates ISO 13485:2016 by reference, meaning the standard's clause structure becomes the regulatory framework. This section maps each major ISO 13485 clause to practical implementation requirements.
Clause 4: Quality Management System
4.1 General Requirements
Organizations must establish, document, implement, maintain, and continually improve a QMS. The practical implications include defining QMS scope, documenting the interaction between QMS processes, and establishing criteria for evaluating outsourced processes.
Key difference from QSR: The explicit requirement to document process interactions and apply risk-based approaches to outsourced process control. If you outsource sterilization, testing, design activities, or other processes, you need documented criteria for evaluating and controlling those suppliers.
4.1.5 Software Used in the Quality Management System
This is referenced by FDA's 820.35 addition. If you use software to manage any aspect of your QMS—document control, training records, CAPA management, complaint handling, audit scheduling—you must validate that software and document the validation approach.
Action required: Inventory all QMS software, assess validation status, create or update validation documentation, and establish revalidation criteria for software changes.
4.2 Documentation Requirements
The documentation hierarchy under ISO 13485 includes: quality policy, quality objectives, quality manual, documented procedures required by the standard, documents needed for effective planning and control, and records required by the standard.
Key difference from QSR: The Medical Device File (MDF) concept replaces the Device Master Record as the central product documentation repository. The MDF must contain or reference documents demonstrating conformity to regulatory requirements and records of QMS procedures.
Clause 5: Management Responsibility
5.1 Management Commitment
Top management must demonstrate commitment through establishing quality policy, ensuring quality objectives are established, conducting management reviews, ensuring resource availability, and communicating the importance of meeting regulatory requirements.
Key difference from QSR: "Top management" implies a higher organizational level than "management representative." The requirement for personal accountability at the executive level is more explicit.
5.6 Management Review
Management review inputs now explicitly include feedback, complaints, regulatory reporting, audit results, process and product monitoring, corrective and preventive actions, previous review follow-up, QMS changes, and new or revised regulatory requirements.
Critical change: Management review records are no longer exempt from FDA inspection. Review your records for completeness, professionalism, and evidence of systematic follow-up on identified actions.
Clause 6: Resource Management
6.2 Human Resources
Personnel performing work affecting product quality must be competent based on appropriate education, training, skills, and experience. You must determine necessary competence, provide training or take actions to achieve competence, evaluate effectiveness of actions taken, and maintain appropriate records.
Key difference from QSR: The emphasis on competence evaluation and effectiveness verification goes beyond simply documenting training completion.
6.4 Work Environment and Contamination Control
Beyond general work environment requirements, ISO 13485 requires documented procedures for health, cleanliness, and clothing of personnel if contact could adversely affect product; and documented requirements for contamination control if relevant.
Clause 7: Product Realization
7.1 Planning of Product Realization
Product realization planning must address quality objectives, requirements for establishing processes and documentation, required verification, validation, monitoring, measurement, inspection, test, and handling activities, and records needed to demonstrate conformity.
Key difference from QSR: The explicit requirement for risk management application throughout product realization planning, not just in design controls.
7.2 Customer-Related Processes
This clause includes requirements for determining customer requirements (7.2.1), reviewing those requirements (7.2.2), and communication with customers (7.2.3).
New requirement: 7.2.3 requires documented arrangements for communication with customers about product information, inquiries, contracts, order handling, amendments, and feedback. Most QSR-based systems don't have this documented.
7.3 Design and Development
Design control requirements under 7.3 align closely with QSR 820.30, but with clearer process integration. The requirements include planning, inputs, outputs, review, verification, validation, transfer, control of changes, and design and development files.
Key difference from QSR: Design History File becomes "Design and Development File" with equivalent content requirements but clearer integration with risk management throughout.
7.4 Purchasing
Purchasing control requirements include purchasing process documentation, purchasing information specification, and verification of purchased product. Supplier evaluation must consider supplier's ability to provide product meeting specifications and requirements, supplier performance, effect on device quality and QMS, and risk proportionate to the risk of the final device.
Key difference from QSR: The extent of supplier control is explicitly risk-based, and supplier audit records are now inspectable.
7.5 Production and Service Provision
Requirements cover control of production, cleanliness, installation, servicing, sterile device requirements, process validation, sterilization validation, identification, traceability, customer property, and product preservation.
7.6 Control of Monitoring and Measuring Equipment
Calibration requirements under 7.6 align with QSR 820.72 requirements. Equipment must be calibrated or verified at specified intervals against traceable standards.
Clause 8: Measurement, Analysis and Improvement
8.2 Monitoring and Measurement
This clause includes feedback (8.2.1), complaint handling (8.2.2), regulatory reporting (8.2.3), internal audit (8.2.4), process monitoring (8.2.5), and product monitoring (8.2.6).
New requirement: 8.2.1 requires a feedback system as an early warning mechanism and input into risk management and product realization. This goes beyond complaint handling to proactive information gathering.
Critical change: Internal audit records (8.2.4) are now FDA-inspectable. Review your audit reports and corrective action tracking.
8.3 Control of Nonconforming Product
Requirements align with QSR 820.90 but are integrated with the broader ISO structure.
8.4 Analysis of Data
Analysis requirements expand to include feedback, product conformity, process and product characteristics and trends, suppliers, and audit results. Statistical techniques must be appropriate and documented.
8.5 Improvement
8.5.2 Corrective Action requires procedures for reviewing nonconformities (including complaints), determining causes, evaluating action need, planning and implementing action, recording results, and reviewing effectiveness.
8.5.3 Preventive Action requires procedures for determining potential nonconformities and their causes, evaluating prevention need, planning and implementing action, recording results, and reviewing effectiveness.
Critical change: These are separate requirements. Your combined "CAPA" procedure likely doesn't adequately distinguish between them.
ISO 13485 Alignment: Clause-by-Clause Mapping
For organizations already maintaining ISO 13485 certification, this mapping identifies where ISO 13485:2016 requirements align with former QSR requirements and where FDA-specific additions apply.
| ISO 13485:2016 Clause | Former QSR Reference | Key Changes Under QMSR | Notes |
|---|---|---|---|
| 4.1 General requirements | 820.5, 820.20 | Explicit risk-based outsourcing control | Document process interactions |
| 4.1.5 QMS software | 820.70(i) implied | Explicit validation requirement per 820.35 | FDA-specific addition |
| 4.2.1 Documentation general | 820.180 | Medical Device File concept | Content over format |
| 4.2.2 Quality Manual | 820.186 | No significant change | May reference ISO 13485 directly |
| 4.2.3 Medical device file | 820.181 (DMR) | Terminology shift | Content requirements equivalent |
| 4.2.4 Control of documents | 820.40 | No significant change | Minor formatting alignment |
| 4.2.5 Control of records | 820.180 | Retention period determination criteria | Organization determines periods |
| 5.1 Management commitment | 820.20 | Top management accountability explicit | Personal responsibility |
| 5.2 Customer focus | 820.20 | More explicit customer emphasis | Links to 7.2 requirements |
| 5.3 Quality policy | 820.20(a) | No significant change | Document and communicate |
| 5.4 Planning | 820.20(b) | Risk integration explicit | Quality objectives required |
| 5.5 Responsibility and authority | 820.20(b) | Top management vs. management rep | Higher organizational level |
| 5.6 Management review | 820.20(c) | Records now inspectable | Critical preparation needed |
| 6.1 Provision of resources | 820.20 | No significant change | Adequate resources required |
| 6.2 Human resources | 820.25 | Competence evaluation emphasis | Effectiveness verification |
| 6.3 Infrastructure | 820.70 | No significant change | Maintain suitable equipment |
| 6.4 Work environment | 820.70 | Contamination control explicit | Document requirements |
| 7.1 Planning | 820.30(a) | Risk throughout realization | Broader than design only |
| 7.2 Customer-related | N/A (820.198 partial) | New customer communication requirement | 7.2.3 procedure needed |
| 7.3 Design and development | 820.30 | Design file vs. DHF | Integration with risk |
| 7.4 Purchasing | 820.50 | Risk-based supplier control | Records now inspectable |
| 7.5.1 Production control | 820.70, 820.75 | Integration of requirements | Process focus |
| 7.5.4 Servicing | 820.200 | Feedback integration explicit | Link to 8.2.1 |
| 7.5.8 Identification | 820.60 | No significant change | Throughout realization |
| 7.5.9 Traceability | 820.65 | Risk-based extent | Document decisions |
| 7.6 Monitoring equipment | 820.72 | No significant change | Calibration requirements |
| 8.2.1 Feedback | N/A | New requirement | Beyond complaints |
| 8.2.2 Complaint handling | 820.198 | Integrated with feedback | Process integration |
| 8.2.3 Reporting | 820.198 | Integrated requirement | MDR links |
| 8.2.4 Internal audit | 820.22 | Records now inspectable | Critical preparation |
| 8.2.6 Product monitoring | 820.90 | No separate finished device testing | Integrated approach |
| 8.3 Nonconforming product | 820.90 | No significant change | Process requirements |
| 8.4 Analysis of data | 820.250 | Statistical techniques where appropriate | Broader analysis scope |
| 8.5.2 Corrective action | 820.100 (combined) | Separate requirement | Must distinguish from PA |
| 8.5.3 Preventive action | 820.100 (combined) | Separate requirement | Must distinguish from CA |
FDA-Specific Additions (Not in ISO 13485)
QMSR retains certain FDA-specific requirements not covered by ISO 13485:2016:
820.35 Quality Management System Software
Requires validation of software used in the quality management system with documented approaches. This codifies expectations previously implied under general software validation requirements.
820.45 Device Labeling
Requires inspections to verify labeling conformance, including inspection procedures, label accuracy verification, contamination prevention, and release procedures. This maintains QSR labeling inspection requirements.
For ISO 13485 Certified Organizations
Your certification demonstrates compliance with the ISO 13485:2016 requirements. Under QMSR, focus on:
- FDA-specific additions (820.35, 820.45)
- Management review record inspection-readiness
- Internal audit record inspection-readiness
- Supplier audit record inspection-readiness
- QMS software validation documentation
- Regulatory reference updates (cite QMSR, not QSR)
Highest-Priority Documentation Gaps
Based on analysis of common QSR-based systems, these documentation gaps appear most frequently:
- QMS Software Documentation (4.1.5) — New explicit requirement
- Management Review Records (5.6) — Now inspectable by FDA
- Internal Audit Records (8.2.4) — Now inspectable by FDA
- Customer Communication Procedure (7.2.3) — May not exist
- Corrective Action (8.5.2) — Must be separated from combined CAPA
- Preventive Action (8.5.3) — Must be separated from combined CAPA
- Customer Feedback System (8.2.1) — Broader than complaint handling
Gap Analysis Methodology with Free Downloadable Worksheet
A structured gap analysis is the foundation of any successful QMSR transition. Without understanding exactly where your current QMS falls short, you're guessing at priorities and likely wasting resources on low-impact changes while missing critical deficiencies.
The Three-Phase Gap Analysis Approach
Phase 1: Documentation Review (Week 1-2)
Collect and inventory your existing QMS documentation:
- Quality Manual
- All SOPs and work instructions
- Design control procedures and templates
- CAPA procedures and records
- Complaint handling procedures and records
- Management review procedures and records
- Internal audit procedures and reports
- Training records and competency matrices
- Supplier qualification records
Compare each document against the corresponding ISO 13485:2016 clause requirements. Use the clause mapping table in Section 5 above as your guide.
Phase 2: Process Verification (Week 2-3)
Documentation compliance doesn't equal operational compliance. For each major process area:
- Interview process owners to understand how activities actually occur
- Observe processes in action where feasible
- Review recent records for evidence of procedure execution
- Compare documented procedures to actual practice
- Identify disconnects between documentation and reality
Common findings include: procedures that exist but aren't followed, records that don't match procedure requirements, and tribal knowledge that was never documented.
Phase 3: Risk Assessment and Prioritization (Week 3-4)
Not all gaps are equal. Prioritize based on:
High Priority (Address immediately):
- Gaps that would result in 483 observations or warning letter citations
- Gaps affecting product safety or efficacy
- Missing required procedures or records
- Management review or internal audit records unprepared for inspection
Medium Priority (Address within 30 days):
- Gaps affecting process efficiency or consistency
- Documentation that exists but needs updating
- Training gaps for new requirements
Low Priority (Address before deadline):
- Terminology updates
- Document format standardization
- Organizational refinements
Gap Analysis Template Structure
Our free downloadable Excel template includes worksheets for:
- ISO 13485 Clause Checklist: Every clause with compliance status, evidence location, and gap description
- Gap Register: Detailed description, priority rating, responsible party, and target closure date for each gap
- Action Tracker: Implementation tasks with status, due dates, and completion evidence
- Risk Matrix: Severity and probability assessment for prioritization
- Summary Dashboard: Visual overview of compliance status by clause
10-Step Implementation Roadmap with Timeline
This roadmap assumes 60 days remaining before the February 2, 2026 deadline. Adjust timelines based on your situation and gap analysis findings.
Step 1: Executive Briefing and Commitment (Days 1-3)
Before any implementation work, secure executive commitment. Present to leadership:
- QMSR requirements and deadline
- Gap analysis findings and risk assessment
- Resource requirements and timeline
- Consequences of non-compliance
Deliverables: Executive sign-off, resource allocation, project authority
Step 2: Project Planning and Team Formation (Days 3-7)
Establish your transition team:
- Project Lead: Quality management authority with project management capability
- Subject Matter Experts: Representatives from each affected functional area
- Executive Sponsor: C-level accountability and obstacle removal
- Documentation Coordinator: Manages document updates and approvals
Create project plan with:
- Task breakdown from gap analysis
- Resource assignments
- Milestone dates
- Communication plan
- Risk mitigation strategies
Deliverables: Project charter, team assignments, detailed project plan
Step 3: CAPA Procedure Separation (Days 5-14)
This is the most operationally significant change for most organizations. Create distinct procedures for:
Corrective Action (8.5.2):
- Identification of existing nonconformities
- Investigation and root cause analysis
- Action planning to eliminate causes
- Implementation and verification
- Effectiveness review and closure
Preventive Action (8.5.3):
- Identification of potential nonconformities
- Risk-based prioritization
- Action planning to prevent occurrence
- Implementation and verification
- Effectiveness review and closure
Key distinction: Corrective action responds to actual problems; preventive action anticipates potential problems. Different triggers, different evidence, different success metrics.
Deliverables: Separate CA and PA procedures, updated forms, training materials
Step 4: Management Review Record Preparation (Days 10-20)
Review existing management review records for inspection readiness:
Assess current state:
- Are all required inputs addressed?
- Are decisions and actions documented?
- Is follow-up on previous actions evident?
- Is language appropriate for external review?
Update if necessary:
- Add missing input categories
- Document action items with owners and due dates
- Create follow-up tracking mechanism
- Conduct a new management review if recent records are inadequate
Deliverables: Inspection-ready management review records, updated procedure if needed
Step 5: Internal Audit Record Preparation (Days 10-20)
Parallel to management review preparation:
Assess audit program:
- Are audits scheduled and conducted per procedure?
- Do audit reports identify findings clearly?
- Is corrective action tracking documented?
- Are auditor qualifications recorded?
Address deficiencies:
- Conduct additional audits if coverage is inadequate
- Document corrective action status for all findings
- Ensure auditor training and qualification records exist
- Update audit schedule if not current
Deliverables: Complete audit records with corrective action evidence, current audit schedule
Step 6: Customer Communication and Feedback Procedures (Days 15-25)
Create or update documentation for:
Customer Communication (7.2.3):
- Product information provision
- Inquiry handling
- Contract and order handling
- Amendment processing
- Feedback reception
Customer Feedback System (8.2.1):
- Feedback collection mechanisms
- Data aggregation and trending
- Analysis and reporting
- Integration with management review
- Connection to preventive action triggers
Deliverables: Customer communication procedure, feedback system procedure, implementation evidence
Step 7: QMS Software Validation (Days 15-30)
Inventory all software supporting QMS activities:
- Document control systems
- Training management systems
- CAPA/complaint management systems
- Audit management systems
- ERP/MRP systems (quality-relevant functions)
For each system, document:
- Intended use and functional requirements
- Validation approach and rationale
- Validation evidence (IQ/OQ/PQ or risk-based alternative)
- Ongoing maintenance and revalidation criteria
Deliverables: QMS software inventory, validation documentation for each system
Step 8: Supplier Quality Integration (Days 20-35)
Update supplier management to align with ISO 13485 Clause 7.4:
Supplier Evaluation Updates:
- Risk-based evaluation criteria
- Performance monitoring requirements
- Re-evaluation frequency and triggers
Documentation Updates:
- Supplier qualification records
- Audit reports (now FDA-inspectable)
- Performance data and trending
Deliverables: Updated supplier procedure, supplier risk assessments, inspection-ready records
Step 9: Risk Management Integration (Days 25-40)
Extend risk management beyond design controls:
Process Areas Requiring Risk Integration:
- Quality planning (7.1)
- Supplier evaluation (7.4)
- Process validation decisions (7.5.6)
- Monitoring and measurement (8.2)
- CAPA prioritization (8.5)
Documentation Requirements:
- Evidence of risk consideration in decision records
- Risk-based justifications for process control extent
- Periodic risk review and update triggers
Deliverables: Updated procedures with risk integration, decision records showing risk consideration
Step 10: Training and Implementation Verification (Days 35-57)
Training Requirements:
- QMSR overview for all quality-affecting personnel
- Procedure-specific training for affected roles
- Terminology and document reference updates
- Inspection preparation for key personnel
Implementation Verification:
- Process audits against updated procedures
- Record review for compliance evidence
- Mock inspection for key areas
- Corrective action for any gaps identified
Deliverables: Training records, audit evidence, inspection readiness confirmation
Documentation Transition Guide: DMR→MDF, DHF→Design Files
One of the most visible QMSR changes is terminology. Here's what's actually changing and what you need to do about it.
Device Master Record → Medical Device File
QSR Definition (820.3(j)): DMR means a compilation of records containing the procedures and specifications for a finished device.
ISO 13485 Definition (3.10): Medical device file means a compilation of records and documents for each medical device type demonstrating conformity to regulatory requirements.
Practical Difference: The MDF concept is broader, explicitly including regulatory conformity evidence beyond just specifications and procedures. However, a well-maintained DMR likely contains equivalent content.
Action Required: Verify your DMR content addresses regulatory conformity demonstration. You don't necessarily need to rename documents—content matters more than labels.
Design History File → Design and Development File
QSR Concept: DHF contains or references design history records demonstrating design control compliance.
ISO 13485 Concept: Design and development file contains records demonstrating design and development requirements were met.
Practical Difference: Essentially equivalent. The ISO terminology integrates more naturally with the design and development process description in Clause 7.3.
Action Required: Verify content completeness; terminology update is optional.
Device History Record → Medical Device Record / Batch Record
QSR Definition (820.3(i)): DHR means a compilation of records containing the production history of a finished device.
ISO 13485 Reference: Clause 7.5.1 references records of amount manufactured, approved quantity, and identity for traceability; Clause 7.5.9 addresses traceability records.
Practical Difference: ISO 13485 doesn't use a single-document concept equivalent to DHR. Instead, production records are distributed across various clause requirements.
Action Required: Ensure production records meet traceability and release requirements. Structural reorganization is optional.
Three Approaches to Documentation Transition
Approach 1: Minimal Change (Recommended for Most)
- Keep existing document names and structures
- Update Quality Manual to acknowledge terminology equivalence
- Train personnel on term mapping
- Focus effort on content compliance, not cosmetic changes
Approach 2: Parallel Documentation
- Create new documents with ISO 13485 terminology
- Maintain legacy documents during transition
- Phase out old terminology over time
- Higher initial effort but cleaner long-term state
Approach 3: Full Restructuring
- Rename and reorganize all documentation
- Align document structure to ISO 13485 clause structure
- Significant effort with limited compliance benefit
- Consider only if planning major QMS overhaul anyway
Risk Management Integration Requirements
Under QMSR, risk management extends beyond design controls to influence decisions throughout your QMS. This represents a philosophical shift—from demonstrating compliance with prescriptive requirements to demonstrating that your quality system effectively manages risk.
Where Risk Management Applies Under QMSR
Quality Planning (4.1, 7.1)
- Risk consideration in QMS process design
- Risk-based determination of process controls
- Resource allocation based on risk
Outsourced Process Control (4.1)
- Supplier selection criteria based on device risk
- Control extent proportionate to risk impact
- Monitoring frequency based on risk assessment
Design and Development (7.3)
- Risk management per existing design control requirements
- Risk file maintenance and updates
- Integration with design decisions
Supplier Evaluation (7.4)
- Risk-based supplier qualification requirements
- Evaluation criteria reflecting device risk
- Performance monitoring proportionate to risk
Production and Service Control (7.5)
- Process validation decisions based on risk
- Control extent determined by process risk
- Special process identification and control
CAPA Prioritization (8.5)
- Risk-based investigation prioritization
- Action scope proportionate to risk
- Effectiveness verification extent based on risk
ISO 14971 Connection
ISO 14971:2019 (Medical devices — Application of risk management to medical devices) provides the methodology framework. While ISO 13485 doesn't mandate ISO 14971, FDA has recognized it as a consensus standard, making it the de facto expectation.
Key ISO 14971 elements applicable beyond design controls:
- Risk analysis methodology
- Risk evaluation criteria
- Risk control options
- Residual risk acceptability
- Risk review and monitoring
Documentation Requirements
Demonstrate risk-based thinking through:
- Procedure language referencing risk consideration
- Decision records showing risk evaluation
- Risk assessments for supplier qualification
- Risk-based justification for process control extent
- Periodic risk review evidence
FDA Inspection Preparation Under QMSR
FDA inspections under QMSR will differ from QSR inspections in several important ways. Prepare now to avoid findings.
What's Newly Inspectable
Management Review Records
Previously exempt under QSIT. Inspectors may now request:
- Management review meeting records
- Input data and analysis
- Decisions and action items
- Follow-up evidence
Internal Audit Records
Previously exempt. Inspectors may now request:
- Audit schedule and coverage
- Audit reports and findings
- Corrective action evidence
- Auditor qualification records
Supplier Audit Records
Previously exempt. Inspectors may now request:
- Supplier audit reports
- Finding and corrective action tracking
- Auditor qualification for supplier audits
Inspection Reference Changes
Inspectors will reference ISO 13485:2016 clause numbers rather than QSR section numbers. Personnel should know:
- Where to find requirements in ISO 13485
- How ISO clauses map to your procedures
- Where evidence is located for each requirement
Preparation Recommendations
Review and organize newly-inspectable records:
- Management review: complete, professional, showing follow-up
- Internal audits: scheduled, executed, findings addressed
- Supplier audits: documented, findings tracked to closure
Update procedure references:
- Quality Manual should reference QMSR and ISO 13485
- Procedures should cite ISO 13485 clauses where applicable
- Training materials should use current terminology
Train key personnel:
- Quality management on inspection scope changes
- Process owners on records that may be requested
- Front-line personnel on terminology and document location
Consider mock inspection:
- Engage qualified auditor for pre-deadline assessment
- Focus on newly-inspectable record areas
- Address findings before February 2026
Comprehensive FAQ Section
General Questions
What is the QMSR compliance deadline?
February 2, 2026. On this date, QMSR replaces QSR (21 CFR Part 820). There is no grace period—full compliance is required from day one.
Does QMSR apply to my company?
If you're subject to FDA Quality System requirements under 21 CFR Part 820, QMSR applies to you. This includes domestic manufacturers, specification developers, contract manufacturers, initial distributors, repackagers/relabelers, and foreign manufacturers exporting to the US.
Is there a grace period or transition period?
No. FDA finalized QMSR with a two-year implementation period (February 2024 to February 2026). After February 2, 2026, only QMSR applies.
What if I'm already ISO 13485 certified?
Your certification demonstrates compliance with ISO 13485:2016 requirements. Focus on FDA-specific additions (820.35, 820.45), ensure your management review and internal audit records are inspection-ready, and update regulatory references in your QMS.
Documentation Questions
Do I need to rename my DMR to Medical Device File?
No. The content matters more than the label. Verify your DMR content meets MDF requirements; you don't need to rename documents.
What records do I need that I might not have?
Common gaps include: QMS software validation documentation, customer communication procedure, customer feedback system documentation, and separated corrective/preventive action records.
How long should I retain records under QMSR?
ISO 13485:2016 allows organizations to determine retention periods based on device lifetime and regulatory requirements. At minimum, retain records for the lifetime of the device plus any applicable regulatory period. Document your retention rationale.
ISO 13485 Questions
Do I need to get ISO 13485 certified?
No. QMSR requires compliance with ISO 13485:2016 requirements, not certification. However, certification demonstrates compliance and may satisfy other regulatory needs.
My ISO 13485 certificate is for an older version. Does that matter?
Yes. QMSR incorporates ISO 13485:2016 specifically. If your certification is to ISO 13485:2003, you need to transition to the 2016 version.
What if there's a conflict between ISO 13485 and FDA requirements?
FDA requirements in QMSR (including 820.35 and 820.45) take precedence. Follow FDA definitions where they differ from ISO definitions. When in doubt, apply the more stringent requirement.
Inspection Questions
Will FDA inspections change under QMSR?
Yes. FDA will reference ISO 13485 clause numbers. Management review, internal audit, and supplier audit records—previously exempt—are now subject to FDA review.
Does MDSAP participation exempt me from FDA inspections?
MDSAP may substitute for routine surveillance inspections, but FDA retains authority to conduct for-cause inspections. MDSAP participation remains voluntary.
What documents should I prepare for a QMSR inspection?
In addition to standard inspection documentation, ensure management review records, internal audit reports, and supplier audit records are complete, organized, and demonstrate systematic follow-up on findings.
Risk Management Questions
Does QMSR require ISO 14971 compliance?
Not explicitly. ISO 13485:2016 references ISO 14971 as a resource but doesn't mandate it. However, FDA has recognized ISO 14971:2019 as a consensus standard, and using it fulfills QMSR risk management expectations.
How do I integrate risk management throughout my QMS?
Document risk considerations in product realization planning, supplier evaluation, process validation decisions, CAPA prioritization, and management review. Evidence of risk-based thinking should appear in decision records.
CAPA Questions
Do I need separate corrective and preventive action procedures?
Yes. ISO 13485 addresses corrective action (Clause 8.5.2) and preventive action (Clause 8.5.3) separately. You may keep them in one document with clearly separated sections, but the requirements must be distinctly addressed.
What's the difference between corrective and preventive action?
Corrective action eliminates causes of existing nonconformities to prevent recurrence. Preventive action eliminates causes of potential nonconformities to prevent occurrence. CA is reactive; PA is proactive.
Next Steps
You've reached the end of this guide, but your QMSR transition is just beginning—or hopefully well underway.
About QMS.Coach:
We provide QMSR transition consulting for medical device manufacturers. QMS.Coach has built QMS programs at companies ranging from startups to Fortune 500 medical device manufacturers and has guided organizations through dozens of FDA inspections.
This guide is provided for informational purposes and does not constitute legal or regulatory advice. Consult with qualified regulatory professionals for guidance specific to your situation.
QMS.Coach LLC | neel@qms.coach | qms.coach
Last updated: December 2024