What is the QMSR and when did it take effect?

The Quality Management System Regulation (QMSR) is FDA's update to 21 CFR Part 820, published February 2, 2024 (89 FR 7496). It replaces the old Quality System Regulation (QSR) by aligning with ISO 13485:2016. The compliance deadline was February 2, 2026, meaning all medical device manufacturers subject to 21 CFR Part 820 must now operate under the QMSR framework.

What are FDA investigators most commonly citing in medical device inspections?

CAPA deficiencies consistently appear in roughly 40% of FDA Form 483 observations for medical device manufacturers. Design History File gaps, supplier control deficiencies, inadequate management reviews, and change control failures are also among the most frequently cited areas under QMSR.

How does QMSR differ from the old QSR?

QMSR incorporates ISO 13485:2016 by reference, replacing much of the QSR's standalone prescriptive language. Key changes include embedded risk management throughout the QMS (not siloed in one procedure), stronger software lifecycle process expectations, and post-market surveillance integration. The language shift from 'documents and records' to 'documented information' also reflects the ISO 13485:2016 framework.

QMSR Is Live: What FDA Device Auditors Are Checking Right Now

The QMSR compliance deadline passed February 2, 2026. Here's exactly what FDA investigators are scrutinizing in medical device QMS audits today.

The February 2, 2026 compliance deadline for FDA’s Quality Management System Regulation (QMSR) came and went without the fanfare it deserved. For manufacturers who treated it as a documentation exercise — swapping “QSR” for “QMSR” in their SOPs and calling it done — FDA investigators are about to deliver an expensive correction.

This isn’t a procedural refresh. The QMSR, published in the Federal Register on February 2, 2024 (89 FR 7496), fundamentally restructures 21 CFR Part 820 around ISO 13485:2016. That’s a meaningful shift in how FDA frames quality expectations, and it changes what investigators look for when they walk through your door.

Here’s what’s actually getting scrutinized in medical device quality system audits right now.

What Changed When QSR Became QMSR

The old Quality System Regulation (QSR) was FDA’s own framework — prescriptive, specific, and largely standalone. The QMSR replaces much of that prescriptive language by incorporating ISO 13485:2016 by reference. In plain terms: if your QMS already met ISO 13485:2016, you’re not starting from zero. But FDA layered on additional requirements — particularly around unique device identification (UDI), software as a medical device (SaMD), and post-market surveillance integration — that the ISO standard alone doesn’t address.

The structural change that catches people off guard is the language shift. ISO 13485:2016 uses “documented information” to cover what QSR called “documents and records” separately. That sounds minor until an FDA investigator asks to see your documented information control procedure and your team hands them two separate binders from 2019 labeled “Document Control” and “Record Control.” It signals, immediately, that your QMS hasn’t been genuinely updated.

Three other QMSR changes deserve particular attention:

Risk management is now embedded throughout, not siloed in a single procedure. ISO 13485:2016 expects risk-based thinking in supplier selection, change control, CAPA prioritization, and design decisions — all cross-referenced to ISO 14971. FDA investigators will probe whether your risk management process actually informs decisions or just generates paperwork.

Software lifecycle processes are addressed more explicitly. Whether you’re manufacturing SaMD or a device with embedded firmware, QMSR aligns with the expectation that software development, verification, and validation follow a structured lifecycle (IEC 62304 is the relevant standard, though not mandated by name).

Post-market surveillance integration is stronger. Complaint handling, MDR reporting, and post-market clinical follow-up are expected to feed back into design outputs and risk files in a closed loop — not sit in separate departmental processes.

The Five Areas Getting the Most Scrutiny Right Now

Based on FDA’s own 483 observation data and the patterns we see across regulatory compliance consulting engagements, five areas are drawing the most investigator attention in post-QMSR inspections.

1. CAPA Effectiveness Verification

CAPA deficiencies appear in roughly 40% of all FDA Form 483 observations issued to medical device manufacturers. That figure hasn’t meaningfully improved in a decade, and QMSR hasn’t softened FDA’s position. What’s changed is the standard for “effectiveness.” Under QMSR, investigators aren’t just checking that a CAPA was opened and closed — they’re verifying that root cause analysis was rigorous and that effectiveness checks used measurable, predetermined criteria.

The failure mode we see most often: CAPAs closed on the basis of “retraining completed” with no data demonstrating that the underlying deficiency was resolved. An FDA investigator who pulls three closed CAPAs and finds that pattern is going to write a 483. Every time.

2. Design History File Completeness

Design controls (now aligned with ISO 13485:2016 Clause 7.3) remain the second most commonly cited area. The Design History File (DHF) must trace a device from initial design inputs through verification, validation, and final design output in a way that a reviewer — internal or external — can follow without needing to interview the original engineers.

Gaps that investigators flag regularly: design input records that are vague or post-hoc, verification protocols that weren’t approved before testing began, and risk management files that weren’t updated after design changes. Under QMSR, the risk file must be a living document, not a snapshot from the original 510(k) or PMA submission.

3. Supplier Controls and Qualification

Under 21 CFR 820.50 (now aligned with ISO 13485:2016 Clause 7.4), manufacturers must evaluate and select suppliers based on their ability to meet specified requirements. That evaluation needs to be risk-stratified — a contract manufacturer of Class III device components warrants more scrutiny than a supplier of packaging materials.

What investigators are finding: approved supplier lists that haven’t been updated in 3+ years, qualification records that consist of a single certificate of conformance, and no defined criteria for supplier re-evaluation. The QMSR expectation is that supplier control is a dynamic process, not a one-time qualification event.

4. Management Review Substance

ISO 13485:2016 Clause 5.6 requires management review to cover a defined list of inputs — customer feedback, product conformity data, process monitoring results, regulatory updates, and the status of actions from previous reviews, among others. FDA investigators are increasingly sitting in on management review records and testing whether the review covers all required inputs and produces documented outputs with assigned actions and timelines.

The red flag isn’t missing a review. It’s conducting reviews that are superficial — no trend data, no quality objectives reviewed against actual performance, no corrective actions with owners and due dates. A 30-minute management review with a sign-off page is likely to draw a 483 observation.

5. Change Control and Risk Re-evaluation

Change control failures have moved up the 483 observation rankings in recent inspections, largely because QMSR and ISO 13485:2016 make explicit what QSR implied: any change that could affect device safety or performance requires a formal risk assessment update. That includes software changes, material substitutions, manufacturing process changes, and — critically — organizational changes that affect quality responsibilities.

Manufacturers who implemented changes during the 2024–2026 QMSR transition period without triggering a proper change control review are particularly exposed. Investigators will pull change logs and cross-reference them against risk files and DHFs.

How to Prepare Before an FDA Investigator Shows Up

A few things worth doing now, not after you receive the EIR.

Run a gap assessment against ISO 13485:2016 clause by clause. Don’t just compare your existing SOPs to the old QSR. Map your documented information to each ISO 13485:2016 clause and identify where your procedures, records, or practices fall short. This is the foundational step in any serious laboratory consulting services engagement for medical devices, and it usually surfaces 15–25 gaps in a mid-size manufacturer’s QMS.

Pull your last five 483 observations and warning letters from similar manufacturers. FDA’s inspection database (accessible through the FDA FOIA Electronic Reading Room) is public. Reviewing 483s from manufacturers in your device class and manufacturing category gives you a reliable preview of investigator focus areas. Pay attention to the specific language used — investigators are trained to cite observations in ways that map to regulatory text.

Stress-test your CAPA effectiveness criteria. Before your next inspection, open your five most recently closed CAPAs and ask one question for each: how do you know it worked? If the answer is “we retrained the operator” without follow-up data, you have a problem. Define measurable effectiveness criteria at the time a CAPA is opened, not retroactively.

Audit your DHF against your current device, not the original submission. If your device has changed since the initial 510(k) or PMA — and most devices evolve through their market life — your DHF and risk file need to reflect those changes. Discrepancies between the regulatory submission and the current device configuration are a significant finding.

Brief your operations team on documentation expectations. Investigators aren’t limited to quality personnel. They will interview production operators, engineers, and managers. If your team members can’t describe the quality procedures relevant to their work, or if they contradict what’s in your SOPs, that creates credibility problems that are hard to recover from during an inspection.

The QMSR transition isn’t finished just because February 2, 2026 passed. FDA views that date as the point when your QMS should already reflect ISO 13485:2016 alignment. Inspections in the next 12–18 months will be the real test of whether the industry made the shift or just updated its letterhead.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Talk to our compliance consultants Contact us

Supplement and pharmaceutical testing to ISO 17025 standards — Qalitex Laboratories provides accredited analytical testing that supports device component qualification and supplier verification programs.
Health Canada medical device regulatory consulting for Canadian manufacturers — Androxa offers GMP and regulatory support for device manufacturers seeking Canadian market access alongside FDA compliance.