QMSR Compliance isn’t about ISO 13485, it’s about proving Risk-Based Decisions

What’s New, What’s Mandatory, and How to Get Audit-Ready Fast

FDA’s new Quality Management System Regulation (QMSR) represents the most significant shift in U.S. medical-device quality compliance in decades. Issued on February 2, 2024, QMSR replaces most 21 CFR Part 820 (QSR) by incorporating ISO 13485:2016 and ISO 9000:2015 Clause 3 by reference, with a two-year transition period ending February 2, 2026.

But here’s the reality many organizations are missing: QMSR compliance will not be determined by whether you have procedures, it will be determined by whether you can prove risk-based decisions were made, consistently and intentionally, across your entire QMS.

Under QMSR, risk-based thinking is no longer confined to design controls. FDA expects it to be embedded in day-to-day operations, supplier management, software validation, production controls, change management, complaint handling, CAPA, and management review. ISO 13485 certification gives you a head start, but it does not guarantee QMSR compliance. FDA inspections continue. No QMSR certificates will be issued. And inspectors will expect visible, defensible evidence of risk informed decisions. Organizations that wait until 2026 to operationalize this shift will find themselves scrambling during inspections. Those that act now can turn QMSR into a competitive advantage.

What is QMSR and how exactly does it align with ISO 13485:2016?

The short answer: QMSR keeps the scope of Part 820, but replaces most operational text with ISO 13485:2016 and ISO 9000:2015 (Clause 3) terminology, while adding targeted FDA-specific requirements to preserve U.S. regulatory expectations.

Key alignment points

• Incorporation by reference (IBR): ISO 13485:2016 and ISO 9000:2015 Clause 3 now have the force of law in Part 820 through IBR.
• Transition timeline: Final rule published Feb 2, 2024; effective Feb 2, 2026 (two year transition).
• Structure simplification: Many QSR subparts deemed “substantially similar” to ISO 13485 are removed. Differences are addressed primarily in:

• 820.35 – Control of Records
• 820.45 – Labeling and Packaging Controls
• Servicing clarification

• Global harmonization: FDA’s objective is to reduce duplicative compliance for global manufacturers and speed patient access.

Why it matters: FDA explicitly confirms ISO 13485:2016 is “substantially similar” to prior QSR, but QMSR is the governing regulation where differences occur. If you’re ISO 13485‑certified, you’re close—but you still must meet QMSR’s FDA‑specific provisions.

Key takeaway:

• ISO 13485 certification alone does not equal QMSR compliance.
• FDA inspections continue, and QMSR is now the governing regulation where differences exist.

QMSR vs. QSR — at a glance

Area	Old QSR (21 CFR 820)	QMSR (New Part 820)	What FDA will expect to see
Foundation	U.S. specific CGMP text	ISO 13485:2016 + ISO 9000:2015 Clause 3 via IBR	ISO-aligned language and structure
Effective Date	N/A	Feb 2, 2026 (two year transition)	Documented QMSR transition plan with implementation in progress
Core Risk Treatment	Design controls referenced risk	Risk integrated across the QMS; risk-based decision making expected	Documented risk rationale
Records	Subpart M + DHR/DMR/DHF constructs	820.35 Control of records; ISO Medical Device File concept & ISO record controls apply	Fast, consistent retrieval
Labeling & Packaging	Subpart K	820.45 clarifies ISO linkage to FDA labeling/packaging expectations	Traceability + UDI linkage
Servicing	Subpart N	Addressed via ISO clauses with QMSR clarifications	Risk-based servicing controls linked to complaints, CAPA, and risk management
Inspections & Guidance	QSIT basis evolving	FDA preparing updated inspection approach; new draft guidance for QMS info in PMA/HDE (Nov 2025)	Risk-based questioning

What does “risk based process approach” mean in real life

Definition in context: Under QMSR (via ISO 13485), “risk” and “risk based approach” are not limited to design—they pervade planning, purchasing, production, software validation, change control, and post market. FDA training emphasizes risk‑based decisions: make choices proportionate to risk using structured analysis and document the rationale.

What an FDA Inspector Will Ask Under QMSR:

• “Why was this supplier classified as low risk?”
• “Why did this software receive limited validation?”
• “How did postmarket data change your controls?”
• “Why did this issue not escalate to CAPA?”

If your answer is “It’s in the SOP”, you’re already in trouble.

Day‑to‑day examples you can implement now

Supplier controls

Weight your incoming inspection plans, audit cadence, and SCAR thresholds by supplier/device risk (e.g., critical sterile barrier supplier vs. low risk accessory). Document the risk logic in your purchasing procedure and approved supplier list notes.

Process & software validation

Validate manufacturing software in proportion to risk of failure (e.g., eDHR generator vs. label printer utility). Tie validation scope to hazards and residual risk tolerability.

Design verification/validation depth

Expand usability testing or clinical evaluation where hazardous situations carry high severity or reasonably foreseeable misuse is likely (align with ISO 14971:2019).

Nonconformance & CAPA triage

Route issues via risk tiered CAPA (e.g., high-risk goes to cross functional investigation with management visibility; low risk to contained corrective actions). Show how risk priority influenced containment, verification, and effectiveness checks.

Management review inputs

Present risk trends (e.g., top hazards, post market signals, field actions, supplier risk shifts) and how they altered QMS priorities or resource allocation.

Post market surveillance

Feed complaint data, MDRs, field corrections into the risk file and adjust controls (labeling updates, IFU clarifications, design mitigations) continuously.

Pro tip: Treat ISO 14971 as the lifecycle engine under QMSR—its terminology and practices (e.g., benefit risk, foreseeable misuse, post‑production monitoring) should be visibly linked to your procedures and records.

Mandatory updates you cannot ignore under QMSR

While ISO 13485 does most of the heavy lifting, QMSR adds/clarifies U.S.‑specific expectations you must bake into procedures and templates:

• Control of Records (820.35):
  Update record procedures to reflect ISO 13485 record controls plus FDA specific records (e.g., complaints, service, traceability for certain devices, UDI records) and confidentiality expectations.
• Device Labeling & Packaging Controls (820.45):
  Ensure procedures link ISO production/labeling controls to FDA labeling/packaging compliance, including storage, handling, and UDI application/maintenance where applicable.
• Definitions & Terminology (820.3) and ISO 9000 linkage:
  Align QMS terminology to ISO; QMSR supersedes certain ISO/ISO 9000 terms for FDA consistency (e.g., manufacturer, rework, safety and performance). Update your Quality Manual and SOP glossaries.
• Requirements for a QMS (820.10):
  Explicit cross references to other FDA requirements (e.g., MDR, UDI, Corrections & Removals, Tracking) must be clearly mapped in your QMS documentation and management responsibility processes.
• From DMR/DHR/DHF to ISO’s “Medical Device File” concept:
  Harmonize legacy QSR constructs to ISO’s MDF approach; update document architectures and templates so design, manufacturing, and postmarket records are organized per ISO language and IBR expectations.
• Premarket expectations (PMA/HDE) during transition to QMSR:
  Be prepared to map ISO 13485based QMS information into PMA/HDE submissions per FDA’s 2025 draft guidance; missing QMSR ready documentation may delay or jeopardize approvals.

Implementation Roadmap

• Step 1 — Gap Assessment (4–6 weeks).
  Map QSR → ISO 13485 → QMSR deltas. Identify where risk decisions are implied but not documented.
• Step 2 — Documentation & Data Model Refresh (6–12 weeks).
  Update Quality Manual, SOPs, templates, and MDF structures. Embed risk-based decision criteria directly into workflows.
• Step 3 — Validation & Training (ongoing).
  Revalidate QMS software proportionate to risk. Train teams on risk-based thinking, not just procedures.
• Step 4 — Inspection Readiness (Q4 2025).
  Prepare management review narratives and risk-based evidence. Align PMA/HDE submissions with FDA’s QMSR expectations.

Why Modern EQMS Is Essential for QMSR Transition

Spreadsheets, shared drives, and loosely connected systems cannot scale risk-based evidence.

Under inspection pressure, manual systems:

• Fragment risk rationale
• Slow record retrieval
• Increase inconsistent answers

Ten key EQMS features that facilitate QMSR compliance:

• Document & Record Centralization:
  Enforces version control, access rights, and compliance with 820.35.
• Digitized MDF Management:
  Unifies DMR/DHF/DHR into a Medical Device File structure.
• Risk Management Integration:
  Supports risk assessments, tracking, and cross-referencing with QMS processes.
• CAPA & Complaint Files:
  Structured management with risk linkage and traceability.
• Identification & Traceability:
  Enhances device identification, UDI, and reporting.
• SOPs & Training Automation:
  Automates distribution and tracking of updated procedures and training.
• Labeling & Packaging Modules:
  Embeds new clause requirements directly into workflows.
• Audit & Compliance Reporting:
  Streamlines record retrieval and audit trails.
• Eliminates Duplicates & Redundancy:
  Enhances efficiency and communication.
• Security & Data Protection:
  Robust confidentiality and privacy controls.

The ComplianceQuest Advantage

ComplianceQuest EQMS is pre-validated, ISO 13485-aligned, and QMSR-ready. It offers:

• AI-powered analytics for proactive risk management and continuous monitoring.
• Closed-loop quality management: Connects complaints, CAPA, audits, change management, and training in one platform.
• Automated workflows for labeling, packaging, document control, and regulatory reporting (eMDR).
• Real-time dashboards for audit readiness, risk trends, and compliance metrics.
• Mobile and multilingual access for global teams.
• Integration with Salesforce for unified product, quality, safety, and supplier management.

Frequently Asked Questions