What Does “Risk-Based Process Approach” Mean in FDA QMSR Compliance?

What’s New, What’s Mandatory, and How to Get Audit-Ready Fast

The FDA’s new Quality Management System Regulation (QMSR) replaces most of 21 CFR Part 820 (the QSR) by incorporating ISO 13485:2016 and ISO 9000:2015 Clause 3 by reference. The final rule was issued February 2, 2024 with a two‑year transition, making February 2, 2026 the effective date. In practice, this means U.S. device manufacturers will operate an ISO 13485‑based QMS with a few FDA‑specific clarifications (e.g., records, labeling/packaging controls, servicing definitions, and explicit linkages to other FDA requirements like MDR, UDI, Corrections & Removals). Day‑to‑day, a risk‑based process approach requires you to plan, perform, and document decisions proportionally to risk across design, purchasing, production, software automation, change control, and postmarket surveillance—integrating ISO 14971‑style risk management into routine work and management review. Transitioning to QMSR means updating terminology, procedures, and documentation—especially around risk management, complaint handling, traceability, and electronic records. While ISO 13485 certification is a strong foundation, QMSR compliance requires additional FDA-specific controls and evidence. Modern EQMS platforms like ComplianceQuest streamline this transition, embedding risk-based thinking, automating compliance, and ensuring audit readiness.

What is QMSR and how exactly does it align with ISO 13485:2016?

The short answer: QMSR keeps the scope of Part 820, but replaces most operative text with ISO 13485:2016 and ISO 9000:2015 (Clause 3) terminology, while adding targeted FDA clauses so the U.S. framework remains consistent with other device regulations (e.g., MDR reporting, UDI, tracking).

Key alignment points

• Incorporation by reference (IBR): ISO 13485:2016 + ISO 9000:2015 Clause 3 now have the force of law in Part 820 through IBR.
• Transition timeline: Final rule published Feb 2, 2024; effective Feb 2, 2026 (two year transition).
• Structure simplification: Most “subparts” deemed substantively similar to ISO 13485 are removed; the differences are addressed in 820.35 (records) and 820.45 (labeling & packaging), and servicing clarifications.
• Global harmonization: FDA’s objective is to reduce duplicative compliance for global manufacturers and speed patient access.

Why it matters: FDA explicitly confirms ISO 13485:2016 is “substantially similar” to prior QSR, but QMSR is the governing regulation where differences occur. If you’re ISO 13485‑certified, you’re close—but you still must meet QMSR’s FDA‑specific provisions.

Key takeaway:

ISO 13485 certification alone does not guarantee QMSR compliance. FDA inspections will continue, and no QMSR certificates will be issued by FDA.

QMSR vs. QSR — at a glance

Area	Old QSR (21 CFR 820)	QMSR (New Part 820)
Foundation	U.S. written CGMP text	ISO 13485:2016 + ISO 9000:2015 Clause 3 via IBR
Effective Date	N/A	Feb 2, 2026 (two year transition)
Core Risk Treatment	Design controls referenced risk	Risk integrated across the QMS; risk based decision making expected
Records	Subpart M + DHR/DMR/DHF constructs	820.35 Control of records; ISO Medical Device File concept & ISO record controls apply
Labeling & Packaging	Subpart K	820.45 clarifies ISO linkage to FDA labeling/packaging expectations
Servicing	Subpart N	Addressed via ISO clauses with QMSR clarifications
Inspections & Guidance	QSIT basis evolving	FDA preparing updated inspection approach; new draft guidance for QMS info in PMA/HDE (Nov 2025)

What does “risk‑based process approach” mean in everyday operations?

Definition in context: Under QMSR (via ISO 13485), “risk” and “risk‑based approach” are not limited to design—they pervade planning, purchasing, production, software validation, change control, and postmarket. FDA training emphasizes risk‑based decisions: make choices proportionate to risk using structured analysis and document the rationale.

Day‑to‑day examples you can implement now

Supplier controls

Weight your incoming inspection plans, audit cadence, and SCAR thresholds by supplier/device risk (e.g., critical sterile barrier supplier vs. low risk accessory). Document the risk logic in your purchasing procedure and approved supplier list notes.

Process & software validation

Validate manufacturing software in proportion to risk of failure (e.g., eDHR generator vs. label printer utility). Tie validation scope to hazards and residual risk tolerability.

Design verification/validation depth

Expand usability testing or clinical evaluation where hazardous situations carry high severity or reasonably foreseeable misuse is likely (align with ISO 14971:2019).

Nonconformance & CAPA triage

Route issues via risk tiered CAPA (e.g., high risk goes to cross functional investigation with management visibility; low risk to contained corrective actions). Show how risk priority influenced containment, verification, and effectiveness checks.

Management review inputs

Present risk trends (e.g., top hazards, postmarket signals, field actions, supplier risk shifts) and how they altered QMS priorities or resource allocation.

Postmarket surveillance

Feed complaint data, MDRs, field corrections into the risk file and adjust controls (labeling updates, IFU clarifications, design mitigations) continuously.

Pro tip: Treat ISO 14971 as the lifecycle engine under QMSR—its terminology and practices (e.g., benefit‑risk, foreseeable misuse, post‑production monitoring) should be visibly linked to your procedures and records.

Which updated processes are mandatory under QMSR?

While ISO 13485 does most of the heavy lifting, QMSR adds/clarifies U.S.‑specific expectations you must bake into procedures and templates:

• Control of Records (820.35):
  Update record procedures to reflect ISO 13485 record controls plus FDA specific records (e.g., complaints, service, traceability for certain devices, UDI records) and confidentiality expectations.
• Device Labeling & Packaging Controls (820.45):
  Ensure procedures link ISO production/labeling controls to FDA labeling/packaging compliance, including storage, handling, and UDI application/maintenance where applicable.
• Definitions & Terminology (820.3) and ISO 9000 linkage:
  Align QMS terminology to ISO; QMSR supersedes certain ISO/ISO 9000 terms for FDA consistency (e.g., manufacturer, rework, safety and performance). Update your Quality Manual and SOP glossaries.
• Requirements for a QMS (820.10):
  Explicit cross references to other FDA requirements (e.g., MDR, UDI, Corrections & Removals, Tracking) must be clearly mapped in your QMS documentation and management responsibility processes.
• From DMR/DHR/DHF to ISO’s “Medical Device File” concept:
  Harmonize legacy QSR constructs to ISO’s MDF approach; update document architectures and templates so design, manufacturing, and postmarket records are organized per ISO language and IBR expectations.
• Premarket expectations (PMA/HDE) during transition to QMSR:
  Be prepared to map ISO 13485based QMS information into PMA/HDE submissions per FDA’s 2025 draft guidance; missing QMSR ready documentation may delay or jeopardize approvals.

Implementation Roadmap (before the Feb 2, 2026 effective date)

• Step 1 — Gap Assessment (4–6 weeks).
  Map your current QSR based QMS to ISO 13485 clauses; flag 820.35/820.45 deltas, terminology updates, and risk based decision points that need clearer criteria.
• Step 2 — Documentation & Data Model Refresh (6–12 weeks).
  Refactor quality manual, SOPs, forms, and MDF structure; embed risk based triage matrices in supplier, CAPA, validation, and postmarket procedures.
• Step 3 — Validation & Training (ongoing).
  Re validate quality system software proportionate to risk; train staff on risk based thinking and new terminology; update records management and labeling/packaging work instructions.
• Step 4 — Inspection Readiness (Q4 2025).
  Prepare management review evidence and risk based narratives for FDA inspections; if submitting PMA/HDE, align with QMSR draft guidance expectations.

Why Modern EQMS Is Essential for QMSR Transition

Ten key EQMS features that facilitate QMSR compliance:

• Document & Record Centralization:
  Enforces version control, access rights, and compliance with 820.35.
• Digitized MDF Management:
  Unifies DMR/DHF/DHR into a Medical Device File structure.
• Risk Management Integration:
  Supports risk assessments, tracking, and cross-referencing with QMS processes.
• CAPA & Complaint Files:
  Structured management with risk linkage and traceability.
• Identification & Traceability:
  Enhances device identification, UDI, and reporting.
• SOPs & Training Automation:
  Automates distribution and tracking of updated procedures and training.
• Labeling & Packaging Modules:
  Embeds new clause requirements directly into workflows.
• Audit & Compliance Reporting:
  Streamlines record retrieval and audit trails.
• Eliminates Duplicates & Redundancy:
  Enhances efficiency and communication.
• Security & Data Protection:
  Robust confidentiality and privacy controls.

The ComplianceQuest Advantage

ComplianceQuest EQMS is pre-validated, ISO 13485-aligned, and QMSR-ready. It offers:

• AI-powered analytics for proactive risk management and continuous monitoring.
• Closed-loop quality management: Connects complaints, CAPA, audits, change management, and training in one platform.
• Automated workflows for labeling, packaging, document control, and regulatory reporting (eMDR).
• Real-time dashboards for audit readiness, risk trends, and compliance metrics.
• Mobile and multilingual access for global teams.
• Integration with Salesforce for unified product, quality, safety, and supplier management.

Frequently Asked Questions