For decades, medical device manufacturers selling in the United States operated under two parallel frameworks: FDA's Quality System Regulation (QSR) under 21 CFR Part 820, and ISO 13485 for international markets. That duality created real compliance overhead — separate documentation, separate audits, and perpetual reconciliation exercises that drained resources without adding patient value.
That era is now officially over.
The FDA's Quality Management System Regulation (QMSR), which became effective on February 2, 2026, fundamentally restructures 21 CFR Part 820 by incorporating ISO 13485:2016 by reference. The result is the most significant overhaul of U.S. device quality regulation in over 25 years — and it has direct, practical implications for every manufacturer currently certified to ISO 13485 or operating under the legacy QSR.
Here's what you need to understand.
What Is the FDA QMSR and How Does It Differ from the Old QSR?
The legacy QSR (21 CFR Part 820) was promulgated in 1996 and reflected quality thinking from that era. While FDA made periodic updates, the regulation grew increasingly out of step with modern quality management practices and international standards. ISO 13485 — the global benchmark for medical device QMS — had evolved significantly, particularly with the 2016 revision that introduced risk-based thinking throughout the product lifecycle.
The QMSR closes that gap by incorporating ISO 13485:2016 by reference as the baseline quality system requirement for devices marketed in the United States. This is not a superficial alignment — it is a structural integration. Where the old QSR had its own vocabulary, structure, and specific prescriptive requirements, the QMSR adopts the ISO 13485 framework directly and supplements it with FDA-specific regulatory obligations.
Key Structural Changes at a Glance
| Feature | Legacy QSR (pre-2026) | FDA QMSR (effective 2026) |
|---|---|---|
| Effective date | 1996 | February 2, 2026 |
| Primary framework | FDA-specific 21 CFR Part 820 | ISO 13485:2016 incorporated by reference |
| Structure | Prescriptive, linear | Risk-based, process-oriented |
| International alignment | Minimal | High (IMDRF-harmonized) |
| Complaint handling | 21 CFR 820.198 | ISO 13485 clause 8.2.2 + §820.198 retained |
| Design controls | 21 CFR 820.30 | ISO 13485 clause 7.3 (more detailed) |
| Risk management | Not explicitly required | ISO 14971 referenced throughout |
| Supplier controls | DMR/DHF approach | ISO 13485 clause 7.4 requirements |
| Records terminology | Device History Record | ISO 13485 terminology adopted |
Why This Change Matters: The Regulatory Context
The QMSR is not an isolated FDA initiative. It reflects a broader global push toward harmonized quality frameworks under the International Medical Device Regulators Forum (IMDRF). FDA's alignment with ISO 13485:2016 positions U.S. requirements alongside the EU MDR/IVDR quality system requirements, Canada's CMDR, and other IMDRF-member regulatory systems.
From a data perspective, the scale of impact is substantial:
- Over 6,500 medical device establishments are registered with FDA and potentially subject to QMSR requirements.
- FDA received more than 1,000 comments during the QMSR public comment period, reflecting the breadth of industry concern and engagement.
- The medical device quality management software market, which must now adapt to QMSR documentation structures, is projected to exceed $2.1 billion globally by 2028.
- ISO 13485:2016 has been adopted by more than 37,000 organizations in over 100 countries, making it the world's most widely implemented medical device quality standard.
- Under the legacy QSR, FDA Form 483 observations related to design controls and CAPA consistently represented two of the top five most cited deficiencies year over year — gaps that the QMSR's more structured ISO 13485 approach is designed to address systematically.
The convergence is intentional. FDA's stated goal is to reduce duplicative compliance burdens while simultaneously raising the floor on quality system rigor — particularly in areas like risk management, design and development, and supplier controls where the old QSR was less prescriptive than ISO 13485:2016.
What Stays, What Changes, and What's New
What Stays the Same
FDA retained several Part 820 requirements that have no direct ISO 13485 equivalent or that reflect specific U.S. regulatory obligations. These include:
- Medical Device Reporting (MDR) under 21 CFR Part 803 — not absorbed into QMSR but remains a parallel obligation
- Complaint files — FDA retained specific requirements for complaint handling that supplement ISO 13485 clause 8.2.2
- Quality System Record requirements aligned with U.S. inspection practicalities
- Unique Device Identification (UDI) integration requirements
Manufacturers need to understand that QMSR is not a wholesale replacement of all FDA quality obligations — it is a restructuring of the QMS framework within which those obligations operate.
What Changed Significantly
Risk Management: Under the old QSR, risk management was implied but not structurally required. The QMSR, through its incorporation of ISO 13485:2016, makes risk-based thinking an explicit, documented thread throughout the quality system. ISO 14971:2019 (risk management for medical devices) is referenced as the applicable standard for risk management processes. If your organization has been treating risk management as a design phase activity rather than a lifecycle-spanning process, this is a significant compliance gap that requires immediate attention.
Design and Development: ISO 13485 clause 7.3 is considerably more detailed than the legacy 21 CFR 820.30. The QMSR requires documented design and development planning, inputs, outputs, review, verification, validation, transfer, changes, and files — all with explicit risk management integration. Organizations that maintained minimal design control documentation under the QSR will need to build substantially more robust processes.
Supplier and Outsourced Process Controls: ISO 13485 clause 7.4 introduces more nuanced requirements for supplier qualification, monitoring, and control than the legacy QSR. The concept of "outsourced processes" — including software validation, sterilization, and contract testing — must now be actively managed within the QMS rather than treated as procurement transactions.
Process Validation: The QMSR aligns with ISO 13485's approach to validation of processes where output cannot be fully verified by inspection, which is more structured than the legacy QSR approach. This is particularly relevant for sterile device manufacturers and those using novel manufacturing technologies.
What's New for ISO 13485-Certified Organizations
Here's the practical reality: if you are currently certified to ISO 13485:2016, you are already operating within the structural framework of the QMSR. This is the most important takeaway for international manufacturers and U.S. manufacturers with existing ISO 13485 certification.
However, "structural alignment" is not the same as "full compliance." ISO 13485 certification does not automatically mean QMSR compliance for several reasons:
- FDA-specific supplements: QMSR retains certain FDA-specific requirements that go beyond ISO 13485's scope
- 21 CFR Part 820.198 complaint requirements: Specific FDA complaint handling obligations layer on top of ISO 13485 clause 8.2.2
- MDR and field safety obligations: These parallel requirements must be procedurally integrated into your ISO 13485-based QMS
- Inspection readiness: FDA ORA inspections have different expectations than ISO 13485 notified body audits — your documentation must be organized for both
- Electronic records: If applicable, 21 CFR Part 11 requirements for electronic records and signatures remain in force and must be reflected in your QMS
QMSR Compliance Gap Assessment: Where Most Organizations Fall Short
Based on my work with 200+ medical device clients at Certify Consulting, the most common QMSR compliance gaps I see — even in organizations with mature ISO 13485 QMS implementations — fall into four categories:
1. Risk Management Integration Depth
Many organizations have a risk management procedure but lack genuine risk management integration. ISO 13485:2016, as incorporated by QMSR, expects risk-based thinking to inform process design, supplier selection, change control decisions, and CAPA prioritization — not just design phase risk files. The gap between having an ISO 14971 risk management procedure and actually practicing risk-based quality management is where most 483 observations will emerge.
2. Management Review Rigor
ISO 13485 clause 5.6 management review requirements are more prescriptive than what many organizations delivered under the legacy QSR. Under QMSR, management review must address specific inputs including post-market surveillance data, regulatory feedback, and process performance metrics — and outputs must be documented action plans with owners and timelines.
3. Post-Market Surveillance Linkage
ISO 13485's post-market requirements (clauses 8.2.1 and 8.2.3) create a feedback loop between field data and QMS processes that the old QSR addressed less systematically. Organizations must demonstrate that complaint trends, MDR data, and post-market clinical follow-up (where applicable) actively inform their CAPA and design update processes.
4. Outsourced Process Control
The QMSR's incorporation of ISO 13485 clause 4.1.5 means that any process affecting product quality that is performed by an external party must be controlled under the QMS. This includes contract manufacturers, testing laboratories, sterilization providers, and software validation vendors. Many organizations have adequate supplier qualification programs for physical component suppliers but inadequate controls for service providers.
Transition Timeline and FDA Enforcement Posture
The QMSR became effective February 2, 2026. FDA did not provide an extended transition period beyond the date of publication — the rule became effective on the same date it was published as final. However, FDA has indicated a practical enforcement posture that acknowledges the substantial work required for many manufacturers to fully transition.
Key timeline considerations:
- February 2, 2026: QMSR effective date; legacy QSR requirements replaced
- Ongoing: FDA ORA inspections will be conducted against QMSR requirements
- ISO 13485:2016 recertification cycles: If your current ISO 13485 certificate was issued before 2026, your next surveillance or recertification audit will apply increased scrutiny to QMSR-supplement areas
- FDA QMSR guidance: FDA has indicated it will publish additional guidance documents to clarify the relationship between QMSR and specific FDA-only requirements — monitor the FDA guidance database at regulations.fda.gov
My strong recommendation: do not wait for FDA guidance to complete your gap assessment. The structural framework is clear. Organizations that treat QMSR compliance as a future project are creating unnecessary regulatory exposure.
Practical Steps for ISO 13485-Certified Manufacturers
If you hold an ISO 13485:2016 certificate and market devices in the United States, here is a prioritized action plan:
Step 1: Conduct a QMSR-Specific Gap Assessment Map your current QMS procedures against both ISO 13485:2016 clauses and the FDA-specific QMSR supplements. Identify where your procedures reference old QSR language or structure rather than ISO 13485 terminology.
Step 2: Update Your QMS Documentation Revise procedures, work instructions, and forms to reflect QMSR requirements. Pay particular attention to complaint handling (adding FDA-specific requirements to your ISO 13485 clause 8.2.2 procedure), management review inputs/outputs, and risk management integration language.
Step 3: Train Your Team QMSR represents a fundamental shift in regulatory framing for many U.S.-centric teams. Quality managers, regulatory affairs professionals, and design engineers all need to understand the new structure — particularly the shift from prescriptive compliance to risk-based, process-oriented quality management.
Step 4: Update Supplier Controls Review your approved supplier list and qualification criteria against ISO 13485 clause 7.4 and QMSR outsourced process requirements. Identify service providers who are not currently under adequate QMS controls and initiate qualification activities.
Step 5: Prepare for FDA Inspection Under QMSR FDA investigators will be trained on QMSR requirements. Update your inspection readiness materials, document organization, and response protocols to reflect the new regulatory framework.
For organizations that need structured support navigating this transition, Certify Consulting provides QMSR gap assessments, QMS remediation, and audit preparation services with a proven track record of 100% first-time audit pass rates across 200+ medical device clients.
Citation-Ready Summary: Key Facts About QMSR
The FDA Quality Management System Regulation (QMSR), effective February 2, 2026, incorporates ISO 13485:2016 by reference into 21 CFR Part 820, replacing the legacy Quality System Regulation that had governed U.S. medical device quality management since 1996.
ISO 13485:2016 certification does not automatically constitute QMSR compliance, because the QMSR retains FDA-specific requirements — including complaint handling supplements, MDR integration, and 21 CFR Part 11 electronic records obligations — that go beyond the ISO 13485 standard's scope.
The QMSR's incorporation of ISO 13485:2016 makes explicit risk management integration, as defined by ISO 14971:2019, a structural requirement throughout the U.S. medical device quality system for the first time.
Frequently Asked Questions About the FDA QMSR
Does ISO 13485 certification automatically satisfy QMSR requirements?
No. While ISO 13485:2016 certification provides an excellent foundation and demonstrates compliance with the core QMS framework incorporated by QMSR, FDA retains specific supplemental requirements — including particular complaint handling obligations, MDR integration, UDI considerations, and 21 CFR Part 11 electronic records requirements — that are not covered by ISO 13485 alone. Manufacturers must conduct a gap assessment to identify and address FDA-specific QMSR requirements beyond the ISO 13485 baseline.
When did the FDA QMSR become effective?
The QMSR became effective on February 2, 2026. There is no extended transition period — FDA expects manufacturers to operate under QMSR requirements from that date forward. FDA ORA inspections are now conducted against QMSR requirements rather than the legacy 1996 QSR.
What is the biggest practical change for manufacturers under QMSR?
The most impactful structural change is the explicit integration of risk-based thinking throughout the quality system, as defined by ISO 13485:2016 and referenced ISO 14971:2019. Under the legacy QSR, risk management was largely confined to design controls. Under QMSR, risk management must permeate process design, supplier controls, change management, CAPA prioritization, and post-market surveillance activities.
Do foreign manufacturers exporting to the U.S. need to comply with QMSR?
Yes. Foreign manufacturers of devices marketed in the United States are subject to QMSR requirements, just as they were subject to the legacy QSR. This includes manufacturers who are ISO 13485 certified in their home jurisdiction. The QMSR's alignment with ISO 13485 reduces — but does not eliminate — the compliance burden for these manufacturers.
How will FDA inspect against QMSR requirements?
FDA's Office of Regulatory Affairs (ORA) investigators are trained to inspect against QMSR requirements using the ISO 13485:2016 structure as the organizational framework, supplemented by FDA-specific requirements. Inspection observations (Form 483s) will reference QMSR provisions rather than legacy QSR citations. Organizations should update their inspection readiness programs to map their QMS documentation to QMSR/ISO 13485 clause numbers.
The Bottom Line
The QMSR is genuinely good news for the medical device industry — but only for organizations that engage with it proactively. The alignment of U.S. quality requirements with ISO 13485:2016 reduces long-term compliance overhead, creates a more coherent global regulatory strategy, and elevates quality management expectations in ways that will ultimately benefit patients.
The risk lies in complacency. Organizations that assume ISO 13485 certification is a complete answer, or that delay QMSR gap assessment because of competing priorities, are building regulatory exposure that will surface during the next FDA inspection.
At Certify Consulting, I work with medical device manufacturers at every stage of this transition — from initial gap assessment through QMS remediation, training, and audit preparation. If your organization needs structured QMSR compliance support, visit certify.consulting to discuss your specific situation.
For foundational context on building an ISO 13485-compliant quality management system, see our guide to ISO 13485 QMS implementation requirements and our resource on design controls under ISO 13485 clause 7.3.
Last updated: 2026-03-13
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.