QMSR for US-Only Companies: Complete Transition Playbook
If your medical device company sells exclusively in the US market, you've probably been operating under 21 CFR Part 820 without much thought about ISO 13485. You weren't selling in Europe or other markets that required ISO certification, so why bother? QMSR changes that calculation entirely.
Reading time: 13 minutes | Last updated: December 2024
If your medical device company sells exclusively in the US market, you've probably been operating under 21 CFR Part 820 without much thought about ISO 13485. You weren't selling in Europe or other markets that required ISO certification, so why bother?
QMSR changes that calculation entirely. On February 2, 2026, ISO 13485:2016 becomes US law regardless of whether you sell internationally. And if you've never worked with ISO 13485 before, you face a steeper learning curve than companies that already maintain certification.
This playbook addresses the specific challenges faced by US-only medical device companies transitioning to QMSR.
In this article:
- Why US-only companies face unique QMSR challenges
- The five critical gaps for US-only manufacturers
- Priority actions for companies new to ISO 13485
- How to leverage your QSR foundation
- Timeline and resource planning
The US-Only Company Challenge
Companies that have maintained ISO 13485 certification have been operating under these requirements for years. They've already separated corrective from preventive action. They already have customer feedback systems. Their management review records have been subject to third-party audit. The QMSR transition for them is largely about updating references and addressing the FDA-specific additions.
For US-only companies, the situation is different. You've been optimizing for FDA inspection under QSR—not ISO certification audits. Your systems work, they pass FDA inspection, but they may not align with ISO 13485's process-based framework.
The good news: If you've been maintaining compliant QSR systems, you have a solid foundation. Most ISO 13485 requirements have equivalents in QSR.
The challenge: The differences that do exist require actual operational changes, not just documentation updates. And you're likely encountering ISO 13485 terminology and structure for the first time.
The Five Critical Gaps for US-Only Companies
Based on assessments of US-only manufacturers, these five gaps appear most consistently:
Gap 1: Combined CAPA Procedures
Typical US-only approach: A single CAPA procedure that addresses both corrective and preventive actions. The procedure works. FDA has accepted it. Why change?
What ISO 13485 requires: Corrective Action (Clause 8.5.2) and Preventive Action (Clause 8.5.3) are distinct requirements with different purposes:
- Corrective Action: Eliminating causes of existing nonconformities to prevent recurrence
- Preventive Action: Eliminating causes of potential nonconformities to prevent occurrence
The distinction matters. Corrective action is reactive—something went wrong, find the root cause, fix it so it doesn't happen again. Preventive action is proactive—identify what could go wrong before it does, and prevent it.
Why this gap exists for US-only companies: QSR 820.100 combined these requirements. FDA inspectors haven't historically pushed for separation. So companies combined them for efficiency.
How to close it:
Option 1: Create two separate procedures
- Corrective Action SOP with reactive triggers (complaints, audit findings, nonconformances)
- Preventive Action SOP with proactive triggers (trending data, risk analysis, process observations)
Option 2: Revise existing CAPA procedure with clearly separated sections
- Distinct sections addressing each requirement
- Clear triggering criteria for CA vs PA
- Separate tracking and metrics
Either approach is acceptable if the requirements are clearly distinguished.
Timeline: 2-3 weeks to revise procedures and forms, plus training.
Gap 2: Management Review Records Not Inspection-Ready
Typical US-only approach: Management reviews are conducted, but records may be informal meeting notes, incomplete input coverage, or lacking documented follow-up. Since FDA couldn't inspect these records under QSR, there was no external pressure for formality.
What ISO 13485 requires: Management review records that demonstrate:
- All required inputs were considered (feedback, complaints, audits, CAPA, process monitoring, regulatory changes, etc.)
- Outputs include decisions and actions
- Follow-up on previous review actions is documented
- Resource decisions are recorded
Why this gap exists for US-only companies: QSIT explicitly exempted management review records from FDA inspection. Companies focused their documentation effort elsewhere.
How to close it:
- Review your last 2-3 management reviews for completeness
- If inadequate, consider conducting a comprehensive management review now
- Update your management review procedure with complete input/output requirements
- Create a standardized agenda and minutes template
- Establish action tracking mechanism with documented follow-up
Timeline: 1-2 weeks for procedure update, plus conducting a compliant review.
Gap 3: Internal Audit Records Not Inspection-Ready
Typical US-only approach: Internal audits are conducted but records may lack detail, findings may not be clearly tracked, and corrective action completion may be poorly documented.
What ISO 13485 requires: Internal audit records that demonstrate:
- Systematic audit program covering all QMS areas
- Qualified auditors (independent of areas being audited)
- Clear identification of findings
- Corrective actions tracked to completion
- Effectiveness verification for significant findings
Why this gap exists for US-only companies: Same reason as management review—QSIT exemption meant no external pressure.
How to close it:
- Review recent audit reports for completeness and clarity
- Verify all audit findings have documented corrective actions
- Ensure corrective actions are tracked to closure with evidence
- Document auditor qualifications and independence
- Update audit procedure if necessary
Timeline: 1-2 weeks for record cleanup and procedure updates.
Gap 4: No Customer Communication Procedure
Typical US-only approach: Customer complaints are handled per 820.198. Sales handles orders. Technical support handles questions. But there's no documented procedure for customer communication as required by ISO 13485 Clause 7.2.3.
What ISO 13485 requires: Documented arrangements for communication with customers about:
- Product information
- Inquiries, contracts, and order handling
- Amendments to orders or contracts
- Customer feedback
Why this gap exists for US-only companies: QSR didn't require this explicitly. These activities happen, but they're not documented as a QMS procedure.
How to close it:
- Identify who handles each type of customer communication
- Document the processes (doesn't need to be elaborate)
- Define responsibilities and authorities
- Integrate with complaint handling and feedback processes
- Train relevant personnel
Timeline: 1 week for procedure development.
Gap 5: No Formal Customer Feedback System
Typical US-only approach: Complaint handling procedure per 820.198. You react to customer problems. But you don't proactively collect and analyze customer feedback as a QMS input.
What ISO 13485 requires: A feedback system (Clause 8.2.1) that:
- Collects information from production and post-production activities
- Serves as an early warning mechanism
- Provides input to risk management and monitoring processes
Why this gap exists for US-only companies: QSR focused on complaint handling (reactive). ISO 13485 expands this to feedback (proactive and reactive).
How to close it:
- Document your feedback collection mechanisms (customer surveys, service reports, sales feedback, social media monitoring, etc.)
- Define how feedback is aggregated and analyzed
- Establish trending and reporting requirements
- Include feedback in management review inputs
- Define triggers from feedback to preventive action
Timeline: 1-2 weeks for procedure development plus implementation.
Leveraging Your QSR Foundation
The news isn't all challenging. If you've maintained QSR compliance, you have significant assets to build on:
What You Probably Already Have
Design controls (7.3): QSR 820.30 requirements are substantially equivalent to ISO 13485 Clause 7.3. Your design control procedures and files likely meet QMSR requirements with minimal changes.
Production controls (7.5): QSR 820.70 requirements for production and process controls align well with ISO 13485 Clause 7.5. Process validation, equipment maintenance, environmental controls—these should be in good shape.
Document control (4.2.3, 4.2.4): QSR 820.40 document control requirements are equivalent to ISO 13485. Your document control system should meet QMSR requirements.
Complaint handling (8.2.2): QSR 820.198 complaint handling aligns with ISO 13485 Clause 8.2.2. This foundation extends to the broader feedback requirements.
Purchasing controls (7.4): QSR 820.50 purchasing requirements are substantially equivalent to ISO 13485 Clause 7.4. You may need to enhance risk-based supplier control, but the foundation exists.
Calibration (7.6): QSR 820.72 calibration requirements align with ISO 13485 Clause 7.6.
Translation Guide: QSR to ISO 13485 Terminology
| QSR Term | ISO 13485 Term | Notes |
|---|---|---|
| Device Master Record (DMR) | Medical Device File (MDF) | Content equivalent; terminology change |
| Design History File (DHF) | Design and Development File | Content equivalent |
| Device History Record (DHR) | Batch Record / Medical Device Record | Content equivalent |
| Management Representative | Top Management | Higher organizational level implied |
| CAPA | Corrective Action + Preventive Action | Must be distinguished |
| Quality System | Quality Management System | Equivalent meaning |
| Establish | Varies by context | May mean document or implement |
Priority Actions for US-Only Companies
Given 57 days remaining, prioritize these actions:
Week 1-2: Assessment and Planning
- [ ] Complete gap analysis focusing on the five critical gaps above
- [ ] Inventory your QMS software for 820.35 compliance
- [ ] Secure executive commitment and resources
- [ ] Assign ownership for each gap
Week 2-4: Critical Documentation
- [ ] Separate CAPA procedure (highest priority)
- [ ] Customer communication procedure
- [ ] Customer feedback system procedure
- [ ] QMS software validation documentation
Week 4-6: Record Preparation
- [ ] Review and update management review records
- [ ] Review and update internal audit records
- [ ] Ensure supplier audit records are inspection-ready
- [ ] Document process interactions in Quality Manual
Week 6-8: Implementation and Verification
- [ ] Train personnel on updated procedures
- [ ] Train personnel on ISO 13485 terminology and structure
- [ ] Conduct verification audits on critical areas
- [ ] Address any findings
- [ ] Prepare inspection readiness package
Resource Planning for US-Only Companies
Internal resources needed:
- Quality Manager: 50-75% time for 8 weeks
- Process owners: 10-20% time for interviews, reviews, training
- Executive sponsor: Management review participation, obstacle removal
- Training coordinator: Training updates and delivery
External resources to consider:
- ISO 13485 training for quality team (if no prior experience)
- Gap analysis support (if limited internal bandwidth)
- Procedure development assistance (if resource constrained)
- Mock inspection (highly recommended)
Budget considerations:
- ISO 13485:2016 standard purchase: ~$200
- Training (if needed): $1,000-3,000 per person
- Consultant support (if needed): $5,000-25,000 depending on scope
- Internal time investment: significant regardless of external support
What Not to Worry About
Some things matter less than you might think:
Document naming: You don't have to rename your DMR to "Medical Device File." Content matters more than labels.
Complete restructuring: You don't need to reorganize your entire QMS around ISO 13485 clause numbers. Your existing structure can work if the content meets requirements.
Perfect documentation: Focus on substantive compliance over documentation perfection. Good-enough documentation of compliant processes beats perfect documentation of non-compliant processes.
ISO certification: You don't need to get certified. QMSR requires compliance with ISO 13485:2016 requirements, not certification. (Though certification may make sense for other reasons.)
The Bottom Line for US-Only Companies
US-only companies face genuine operational transitions—particularly around CAPA separation, risk management integration, and preparing previously-exempt records for FDA review.
The good news: the requirements aren't unreasonable. ISO 13485 represents industry consensus on medical device quality management. If you've been running a solid QMS under QSR, the foundation is there.
The challenge: you have 57 days to make changes that ideally would have happened over two years. Prioritize ruthlessly, focus on operational changes over documentation cleanup, and don't wait for perfect—get moving.
Related Resources
- Complete QMSR Compliance Guide 2025-2026
- How to Conduct a QMSR Gap Analysis (Free Template)
- QMSR vs QSR: 15 Critical Differences You Need to Know
- Take the QMSR Readiness Assessment
US-only company facing QMSR transition?
QMS.Coach specializes in helping domestic medical device companies transition to QMSR. Our team understands QSR inside and out—we can translate requirements and prioritize what matters for your specific situation.
Book a Free 15-Minute Consultation →
QMS.Coach LLC | neel@qms.coach