How to Conduct a QMSR Gap Analysis (Free Template Included)

Reading time: 14 minutes | Last updated: December 2024

A gap analysis is the first real step in QMSR transition—and possibly the most important. Without understanding exactly where your current QMS falls short of QMSR requirements, you're guessing at priorities, likely wasting effort on low-impact changes, and potentially missing critical deficiencies that could result in FDA findings.

This guide walks you through a systematic approach to QMSR gap analysis, including a free downloadable Excel template you can use immediately.

In this article:

  • Why most gap analyses fail (and how to avoid it)
  • The three-phase gap analysis methodology
  • Clause-by-clause assessment approach
  • Prioritization framework for findings
  • Free downloadable gap analysis template (below)

Why Most Gap Analyses Fail

Before diving into methodology, let's address why many gap analyses don't deliver value:

Problem 1: Documentation review only

Reviewing procedures against requirements tells you what your documents say—not what actually happens. A procedure can be perfectly aligned to ISO 13485 while the actual process completely ignores it.

Solution: Include process verification. Interview process owners, observe activities, review recent records. Compare what's documented to what's done.

Problem 2: Checkbox mentality

Going through ISO 13485 clause by clause and marking "compliant" or "non-compliant" produces a list, not insight. It doesn't tell you what to do or in what order.

Solution: Document specific gaps with evidence, not just compliance status. Assess risk level and prioritize accordingly.

Problem 3: Wrong benchmarks

Some companies assess against their own procedures rather than the actual regulatory requirements. Your procedure might be followed perfectly—and still not meet QMSR requirements.

Solution: Use ISO 13485:2016 plus FDA-specific QMSR requirements (820.35, 820.45) as your benchmark, not your existing procedures.

Problem 4: No ownership

Gap analyses that produce a list of findings without assigning responsibility and due dates become shelf documents. Nobody owns the findings, so nobody closes them.

Solution: Assign every gap to a specific owner with a specific target closure date. Track progress.


The Three-Phase Gap Analysis Methodology

Effective gap analysis requires three distinct phases:

Phase 1: Documentation Review (Week 1-2)

Objective: Understand what your documented QMS requires versus what ISO 13485:2016 requires.

Activities:

  1. Inventory your QMS documentation
    • Quality Manual
    • All SOPs and work instructions
    • Forms and templates
    • Design control procedures and templates
    • CAPA procedures and records
    • Complaint handling procedures
    • Management review procedures
    • Internal audit procedures
    • Training procedures and records
    • Supplier qualification records
    • Validation protocols and reports
  2. Map documentation to ISO 13485 clauses. For each ISO 13485 clause, identify which of your documents addresses it. Note:
    • Which document(s) address this requirement?
    • Does the documented process meet the requirement?
    • Are there requirements with no corresponding documentation?
  3. Identify documentation gaps. Common documentation gaps include:
    • No customer communication procedure (7.2.3)
    • No customer feedback system procedure (8.2.1)
    • Combined CAPA without clear CA/PA separation (8.5.2, 8.5.3)
    • No QMS software validation documentation (820.35)
    • Missing process interaction documentation (4.1)

Output: Documentation gap list with clause references.

Phase 2: Process Verification (Week 2-3)

Objective: Verify that documented processes reflect actual practice and produce required outputs.

Activities:

  1. Interview process owners. For each major process area, discuss:
    • How does this process actually work day-to-day?
    • What triggers the process? What are the outputs?
    • Where do you struggle with compliance?
    • What would you change if you could?
  2. Observe processes in action. Where feasible, watch processes being executed:
    • Are procedures followed as written?
    • Do forms capture required information?
    • Are records being created as required?
  3. Review recent records. For each process area, examine recent records:
    • Do records demonstrate procedure execution?
    • Are all required fields completed?
    • Is follow-up documented to closure?
  4. Compare documentation to practice. Identify disconnects:
    • Documented but not done (procedures that aren't followed)
    • Done but not documented (processes without procedures)
    • Done differently than documented (procedure drift)

Output: Process gap list with specific findings and evidence.

Phase 3: Risk Assessment and Prioritization (Week 3-4)

Objective: Prioritize gaps based on regulatory risk and operational impact.

Risk Assessment Criteria:

For each gap, assess:

  1. Regulatory severity (What would FDA do if they found this?)
    • Critical: Warning letter potential, product safety impact
    • Major: 483 observation likely, requires corrective action
    • Minor: Observation possible, limited regulatory consequence
  2. Probability of detection (How likely is FDA to find this?)
    • High: Obvious in routine inspection, common focus area
    • Medium: May be found during detailed review
    • Low: Unlikely to be examined unless triggered
  3. Operational impact (How does this affect quality?)
    • High: Directly affects product quality or customer safety
    • Medium: Affects process efficiency or consistency
    • Low: Administrative or documentation concern

Prioritization Framework:

| Priority | Criteria | Action Timeline |
|----------|----------|-----------------|
| Critical | High severity + High detection probability | Immediate (within 2 weeks) |
| High | Major severity OR safety impact | Within 30 days |
| Medium | Moderate severity, no safety impact | Within 60 days |
| Low | Minor severity, limited impact | Before deadline |

Output: Prioritized gap register with ownership and target dates.


Clause-by-Clause Assessment Approach

When reviewing against ISO 13485:2016, focus on these high-priority areas:

Clause 4: Quality Management System

4.1 General requirements

  • [ ] QMS scope documented?
  • [ ] Process interactions documented?
  • [ ] Outsourced processes identified and controlled?
  • [ ] Risk-based approach to outsourced process control?

4.1.5 Software (via 820.35)

  • [ ] QMS software inventory exists?
  • [ ] Validation documentation for each system?
  • [ ] Revalidation criteria defined?

4.2 Documentation requirements

  • [ ] Quality Manual current?
  • [ ] Required procedures documented?
  • [ ] Records demonstrate QMS operation?

Clause 5: Management Responsibility

5.1-5.5 Management commitment

  • [ ] Quality policy documented and communicated?
  • [ ] Quality objectives established and measurable?
  • [ ] Responsibilities and authorities defined?
  • [ ] Top management accountability evident?

5.6 Management review

  • [ ] Reviews conducted per schedule?
  • [ ] All required inputs addressed?
  • [ ] Outputs include decisions and actions?
  • [ ] Follow-up on actions documented?
  • [ ] Records inspection-ready?

Clause 6: Resource Management

6.2 Human resources

  • [ ] Competence requirements defined?
  • [ ] Training effectiveness evaluated?
  • [ ] Competence records maintained?

6.4 Work environment

  • [ ] Requirements documented where applicable?
  • [ ] Contamination control documented if relevant?

Clause 7: Product Realization

7.1 Planning

  • [ ] Product realization planning documented?
  • [ ] Risk management applied throughout realization?

7.2 Customer-related processes

  • [ ] Customer requirements determined and reviewed?
  • [ ] Customer communication procedure documented? (Common gap)
  • [ ] Arrangements for feedback documented?

7.3 Design and development

  • [ ] Design controls implemented per procedure?
  • [ ] Design files complete and current?
  • [ ] Risk management integrated throughout design?

7.4 Purchasing

  • [ ] Supplier evaluation criteria documented?
  • [ ] Risk-based control extent defined?
  • [ ] Supplier performance monitored?
  • [ ] Supplier audit records inspection-ready?

7.5 Production and service provision

  • [ ] Production controls documented?
  • [ ] Processes validated where required?
  • [ ] Traceability requirements met?

Clause 8: Measurement, Analysis and Improvement

8.2.1 Feedback

  • [ ] Feedback system documented? (Common gap)
  • [ ] Feedback collected and analyzed?
  • [ ] Feedback integrated with risk management?

8.2.2-8.2.3 Complaints and reporting

  • [ ] Complaint handling procedure complete?
  • [ ] Regulatory reporting requirements addressed?

8.2.4 Internal audit

  • [ ] Audit program current?
  • [ ] Audits conducted per schedule?
  • [ ] Findings tracked to closure?
  • [ ] Records inspection-ready?

8.5.2 Corrective action

  • [ ] Separate procedure for corrective action? (Common gap)
  • [ ] Process addresses existing nonconformities?
  • [ ] Root cause analysis required?
  • [ ] Effectiveness verification documented?

8.5.3 Preventive action

  • [ ] Separate procedure for preventive action? (Common gap)
  • [ ] Process addresses potential nonconformities?
  • [ ] Proactive identification mechanisms defined?
  • [ ] Distinct from corrective action?

The Five Most Common QMSR Gaps

Based on assessments across multiple medical device companies, these gaps appear most frequently:

Gap 1: Combined CAPA Procedure

What you likely have: A single "CAPA" procedure addressing corrective and preventive action together.

What QMSR requires: Corrective Action (8.5.2) and Preventive Action (8.5.3) as distinct requirements.

How to close it:

  • Create separate procedures OR clearly separate sections
  • Define different triggers (CA: actual problems; PA: potential problems)
  • Establish different evidence requirements
  • Train personnel on the distinction

Gap 2: No Customer Communication Procedure

What you likely have: Complaint handling procedure covering customer problems.

What QMSR requires: Documented arrangements for communication about product information, inquiries, contracts, order handling, amendments, and feedback (7.2.3).

How to close it:

  • Document how customer inquiries are handled
  • Document order and contract processing
  • Define responsibility for customer communication

Gap 3: No Customer Feedback System

What you likely have: Complaint handling (reactive).

What QMSR requires: Feedback system as early warning mechanism (8.2.1), broader than complaints.

How to close it:

  • Document feedback collection mechanisms
  • Define how feedback is analyzed and trended
  • Link feedback to management review and preventive action

Gap 4: QMS Software Not Validated

What you likely have: Document control, CAPA, training, or other QMS software with limited or no validation documentation.

What QMSR requires: Validated QMS software with documented approach (820.35).

How to close it:

  • Inventory all QMS software
  • Create validation documentation for each system
  • Establish revalidation criteria for changes

Gap 5: Management Review/Audit Records Not Inspection-Ready

What you likely have: Internal records that were never intended for external review.

What QMSR requires: Inspection-ready records demonstrating systematic operation.

How to close it:

  • Review records for completeness and professionalism
  • Ensure follow-up on actions is documented
  • Update procedures if records are inadequate

Free Download: Gap Analysis Template

Our Excel template includes everything you need for a comprehensive QMSR gap analysis:

Worksheet 1: ISO 13485 Clause Checklist

  • Every ISO 13485:2016 clause
  • Compliance status dropdown
  • Evidence location field
  • Gap description field
  • Notes column

Worksheet 2: Gap Register

  • Gap ID and description
  • ISO clause reference
  • Severity and priority rating
  • Responsible owner
  • Target closure date
  • Current status
  • Completion evidence

Worksheet 3: Action Tracker

  • Action items derived from gaps
  • Task descriptions
  • Owner and due date
  • Status tracking
  • Completion documentation

Worksheet 4: Risk Matrix

  • Severity criteria definitions
  • Probability criteria definitions
  • Risk matrix for prioritization

Worksheet 5: Summary Dashboard

  • Compliance status by clause
  • Gap count by priority
  • Progress tracking charts

Download: QMSR Gap Analysis Template (Excel) →


Need help with your QMSR gap analysis?

QMS.Coach provides expert-led QMSR gap analysis services. We identify your specific compliance gaps, prioritize them by risk, and create a practical implementation roadmap—all backed by 41+ years of medical device quality experience.


QMS.Coach LLC | neel@qms.coach & ian@qms.coach
