When does QMSR actually start, and what happens before then?

The final rule published on February 2, 2024 provides a two-year transition period. Enforcement begins on February 2, 2026. Until then, firms must comply with the current QSR while executing their transition plan. During this period, the FDA is updating guidance, training staff, and evolving inspection approaches.

We’re ISO 13485 certified. Are we done?

ISO 13485 certification aligns you closely with QMSR, but you are not fully done. You must still meet FDA-specific additions such as records and labeling/packaging controls, UDI/MDR program integration, and ensure risk-based decision making is documented across the system.

What exactly is the risk-based process approach under QMSR?

The risk-based process approach requires planning and scaling controls, verification, validation, and monitoring based on risk, supported by documented rationale. FDA training emphasizes integrating risk in supplier controls, software validation, design/verification, and postmarket analysis—not just in tools like FMEA.

What terminology should we change in our QMS?

Organizations should migrate from legacy DMR, DHR, and DHF terminology to ISO’s Medical Device File, adopt ISO 9000 terms, and update definitions where QMSR supersedes ISO. Ensure SOPs, forms, training materials, and templates are aligned.

Will FDA expect QMS evidence in marketing submissions?

For PMA and HDE submissions, FDA’s 2025 draft guidance indicates that ISO 13485 mapped QMS information, UDI implementation details, and other QMSR-aligned evidence may be required. Misalignment can lead to review delays or denials.

Does ISO 13485 certification guarantee QMSR compliance?

No. While ISO 13485 provides strong alignment, QMSR includes additional FDA-specific requirements such as records, labeling/packaging controls, UDI, MDR, and corrections/removals. FDA inspections will continue to verify full compliance.

What are the most critical SOPs to update for QMSR?

Key SOPs include the quality manual, risk management, device identification and UDI, complaint handling, labeling and packaging, traceability, regulatory reporting, and records management.

How does ComplianceQuest support QMSR transition?

ComplianceQuest supports QMSR transition with pre-validated workflows, AI-powered risk management, automated compliance reporting, and real-time dashboards. All modules are mapped to both QMSR and ISO 13485 requirements.

Tejas Puranik | February 18th, 2026

QMSR Compliance isn’t about ISO 13485, it’s about proving Risk-Based Decisions

What’s New, What’s Mandatory, and How to Get Audit-Ready Fast

FDA’s new Quality Management System Regulation (QMSR) represents the most significant shift in U.S. medical-device quality compliance in decades. Issued on February 2, 2024, QMSR replaces most 21 CFR Part 820 (QSR) by incorporating ISO 13485:2016 and ISO 9000:2015 Clause 3 by reference, with a two-year transition period ending February 2, 2026.

But here’s the reality many organizations are missing: QMSR compliance will not be determined by whether you have procedures, it will be determined by whether you can prove risk-based decisions were made, consistently and intentionally, across your entire QMS.

Under QMSR, risk-based thinking is no longer confined to design controls. FDA expects it to be embedded in day-to-day operations, supplier management, software validation, production controls, change management, complaint handling, CAPA, and management review. ISO 13485 certification gives you a head start, but it does not guarantee QMSR compliance. FDA inspections continue. No QMSR certificates will be issued. And inspectors will expect visible, defensible evidence of risk informed decisions. Organizations that wait until 2026 to operationalize this shift will find themselves scrambling during inspections. Those that act now can turn QMSR into a competitive advantage.

What is QMSR and how exactly does it align with ISO 13485:2016?

The short answer: QMSR keeps the scope of Part 820, but replaces most operational text with ISO 13485:2016 and ISO 9000:2015 (Clause 3) terminology, while adding targeted FDA-specific requirements to preserve U.S. regulatory expectations.

Key alignment points

Incorporation by reference (IBR): ISO 13485:2016 and ISO 9000:2015 Clause 3 now have the force of law in Part 820 through IBR.
Transition timeline: Final rule published Feb 2, 2024; effective Feb 2, 2026 (two year transition).
Structure simplification: Many QSR subparts deemed “substantially similar” to ISO 13485 are removed. Differences are addressed primarily in:

820.35 – Control of Records
820.45 – Labeling and Packaging Controls
Servicing clarification

Global harmonization: FDA’s objective is to reduce duplicative compliance for global manufacturers and speed patient access.

Why it matters: FDA explicitly confirms ISO 13485:2016 is “substantially similar” to prior QSR, but QMSR is the governing regulation where differences occur. If you’re ISO 13485‑certified, you’re close—but you still must meet QMSR’s FDA‑specific provisions.

Key takeaway:

ISO 13485 certification alone does not equal QMSR compliance.
FDA inspections continue, and QMSR is now the governing regulation where differences exist.

QMSR vs. QSR — at a glance

Area	Old QSR (21 CFR 820)	QMSR (New Part 820)	What FDA will expect to see
Foundation	U.S. specific CGMP text	ISO 13485:2016 + ISO 9000:2015 Clause 3 via IBR	ISO-aligned language and structure
Effective Date	N/A	Feb 2, 2026 (two year transition)	Documented QMSR transition plan with implementation in progress
Core Risk Treatment	Design controls referenced risk	Risk integrated across the QMS; risk-based decision making expected	Documented risk rationale
Records	Subpart M + DHR/DMR/DHF constructs	820.35 Control of records; ISO Medical Device File concept & ISO record controls apply	Fast, consistent retrieval
Labeling & Packaging	Subpart K	820.45 clarifies ISO linkage to FDA labeling/packaging expectations	Traceability + UDI linkage
Servicing	Subpart N	Addressed via ISO clauses with QMSR clarifications	Risk-based servicing controls linked to complaints, CAPA, and risk management
Inspections & Guidance	QSIT basis evolving	FDA preparing updated inspection approach; new draft guidance for QMS info in PMA/HDE (Nov 2025)	Risk-based questioning

What does “risk based process approach” mean in real life

Definition in context: Under QMSR (via ISO 13485), “risk” and “risk based approach” are not limited to design—they pervade planning, purchasing, production, software validation, change control, and post market. FDA training emphasizes risk‑based decisions: make choices proportionate to risk using structured analysis and document the rationale.

What an FDA Inspector Will Ask Under QMSR:

“Why was this supplier classified as low risk?”
“Why did this software receive limited validation?”
“How did postmarket data change your controls?”
“Why did this issue not escalate to CAPA?”

If your answer is “It’s in the SOP”, you’re already in trouble.

Day‑to‑day examples you can implement now

Supplier controls

Weight your incoming inspection plans, audit cadence, and SCAR thresholds by supplier/device risk (e.g., critical sterile barrier supplier vs. low risk accessory). Document the risk logic in your purchasing procedure and approved supplier list notes.

Process & software validation

Validate manufacturing software in proportion to risk of failure (e.g., eDHR generator vs. label printer utility). Tie validation scope to hazards and residual risk tolerability.

Design verification/validation depth

Expand usability testing or clinical evaluation where hazardous situations carry high severity or reasonably foreseeable misuse is likely (align with ISO 14971:2019).

Nonconformance & CAPA triage

Route issues via risk tiered CAPA (e.g., high-risk goes to cross functional investigation with management visibility; low risk to contained corrective actions). Show how risk priority influenced containment, verification, and effectiveness checks.

Management review inputs

Present risk trends (e.g., top hazards, post market signals, field actions, supplier risk shifts) and how they altered QMS priorities or resource allocation.

Post market surveillance

Feed complaint data, MDRs, field corrections into the risk file and adjust controls (labeling updates, IFU clarifications, design mitigations) continuously.

Pro tip: Treat ISO 14971 as the lifecycle engine under QMSR—its terminology and practices (e.g., benefit risk, foreseeable misuse, post‑production monitoring) should be visibly linked to your procedures and records.

Mandatory updates you cannot ignore under QMSR

While ISO 13485 does most of the heavy lifting, QMSR adds/clarifies U.S.‑specific expectations you must bake into procedures and templates:

Control of Records (820.35):
Update record procedures to reflect ISO 13485 record controls plus FDA specific records (e.g., complaints, service, traceability for certain devices, UDI records) and confidentiality expectations.
Device Labeling & Packaging Controls (820.45):
Ensure procedures link ISO production/labeling controls to FDA labeling/packaging compliance, including storage, handling, and UDI application/maintenance where applicable.
Definitions & Terminology (820.3) and ISO 9000 linkage:
Align QMS terminology to ISO; QMSR supersedes certain ISO/ISO 9000 terms for FDA consistency (e.g., manufacturer, rework, safety and performance). Update your Quality Manual and SOP glossaries.
Requirements for a QMS (820.10):
Explicit cross references to other FDA requirements (e.g., MDR, UDI, Corrections & Removals, Tracking) must be clearly mapped in your QMS documentation and management responsibility processes.
From DMR/DHR/DHF to ISO’s “Medical Device File” concept:
Harmonize legacy QSR constructs to ISO’s MDF approach; update document architectures and templates so design, manufacturing, and postmarket records are organized per ISO language and IBR expectations.
Premarket expectations (PMA/HDE) during transition to QMSR:
Be prepared to map ISO 13485based QMS information into PMA/HDE submissions per FDA’s 2025 draft guidance; missing QMSR ready documentation may delay or jeopardize approvals.

Implementation Roadmap

Step 1 — Gap Assessment (4–6 weeks).
Map QSR → ISO 13485 → QMSR deltas. Identify where risk decisions are implied but not documented.
Step 2 — Documentation & Data Model Refresh (6–12 weeks).
Update Quality Manual, SOPs, templates, and MDF structures. Embed risk-based decision criteria directly into workflows.
Step 3 — Validation & Training (ongoing).
Revalidate QMS software proportionate to risk. Train teams on risk-based thinking, not just procedures.
Step 4 — Inspection Readiness (Q4 2025).
Prepare management review narratives and risk-based evidence. Align PMA/HDE submissions with FDA’s QMSR expectations.

Why Modern EQMS Is Essential for QMSR Transition

Spreadsheets, shared drives, and loosely connected systems cannot scale risk-based evidence.

Under inspection pressure, manual systems:

Fragment risk rationale
Slow record retrieval
Increase inconsistent answers

Ten key EQMS features that facilitate QMSR compliance:

Document & Record Centralization:
Enforces version control, access rights, and compliance with 820.35.
Digitized MDF Management:
Unifies DMR/DHF/DHR into a Medical Device File structure.
Risk Management Integration:
Supports risk assessments, tracking, and cross-referencing with QMS processes.
CAPA & Complaint Files:
Structured management with risk linkage and traceability.
Identification & Traceability:
Enhances device identification, UDI, and reporting.
SOPs & Training Automation:
Automates distribution and tracking of updated procedures and training.
Labeling & Packaging Modules:
Embeds new clause requirements directly into workflows.
Audit & Compliance Reporting:
Streamlines record retrieval and audit trails.
Eliminates Duplicates & Redundancy:
Enhances efficiency and communication.
Security & Data Protection:
Robust confidentiality and privacy controls.

The ComplianceQuest Advantage

ComplianceQuest EQMS is pre-validated, ISO 13485-aligned, and QMSR-ready. It offers:

AI-powered analytics for proactive risk management and continuous monitoring.
Closed-loop quality management: Connects complaints, CAPA, audits, change management, and training in one platform.
Automated workflows for labeling, packaging, document control, and regulatory reporting (eMDR).
Real-time dashboards for audit readiness, risk trends, and compliance metrics.
Mobile and multilingual access for global teams.
Integration with Salesforce for unified product, quality, safety, and supplier management.

Organizations using ComplianceQuest report:

45% reduction in CAPAs,
46% fewer audit findings, and
32% fewer customer complaints.

“ComplianceQuest helped us save 9 days of labor per quarter with predefined reports we can run with the click of a button. We were immediately confident that ComplianceQuest was the right fit. They were miles ahead of the other vendors because they understood the challenges of our industry and had a deep knowledge of quality and regulatory requirements.”

— Director of Regulatory Affairs and Quality Assurance, Canon Medical Systems Europe

Frequently Asked Questions

- The final rule published Feb 2, 2024 provides a two year transition; enforcement begins Feb 2, 2026. Until then, firms must comply with the current QSR while executing their transition plan. FDA is updating guidance, training staff, and evolving inspection approaches during this period.
- Almost—but not entirely. You must still meet QMSR’s FDA specific additions (e.g., records and labeling/packaging controls and integration with FDA programs like MDR/UDI). Also ensure risk based decision making is visible throughout your system.
- It means you plan and scale controls, verification, validation, and monitoring based on risk—and document the rationale. FDA’s learning modules emphasize integrating risk in supplier control, software validation, design/verification, and postmarket analysis—not just FMEA.
- Migrate away from legacy DMR/DHR/DHF naming toward ISO’s Medical Device File, adopt ISO 9000 terms, and update definitions where QMSR supersedes ISO. Align all SOPs, forms, and training materials.
- For PMA/HDE, FDA’s 2025 draft guidance signals an expectation to include ISO 13485 mapped QMS information and plans for UDI, etc. Not aligning may cause delays or denials.
- No. QMSR adds FDA-specific requirements (records, labeling/packaging, UDI, MDR, corrections/removals) and mandates risk-based evidence in all processes. FDA inspections will continue.
- Quality manual, risk management, device identification/UDI, complaint handling, labeling/packaging, traceability, regulatory reporting, and records management.
- Pre-validated workflows, AI-powered risk management, automated compliance reporting, and real-time dashboards—all mapped to QMSR and ISO 13485 requirements.

Request a Free Demo

Learn about all features of our Product, Quality, Safety, and Supplier suites. Please fill the form below to access our comprehensive Demo Video.

Please confirm your details

By submitting this form you agree that we can store and process your personal data as per our Privacy Statement. We will never sell your personal information to any third party.

Enter Captcha

ProductQuest

QualityQuest

SafetyQuest

PartnerQuest

Quality First

Compliance First

Safety First

Partner First

Salesforce

Validation

Middle Office Platform on Salesforce

CQ Platform

CQ Platform Technology