FDA QMSRQuality Management System Regulation
FDA’s Quality Management System Regulation (QMSR) replaces 21 CFR Part 820 by incorporating ISO 13485:2016 with targeted U.S.-specific additions. Effective February 2, 2026, it harmonizes device quality expectations while preserving FDA postmarket, labeling, tracking, and electronic-records obligations.
How does FDA QMSR apply to your shop floor?
Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.
01FDA QMSR: What it is and why it matters
The Quality Management System Regulation (QMSR) is FDA’s modernized device quality regulation, replacing the legacy Quality System Regulation. It incorporates ISO 13485:2016 by reference and adds targeted, U.S.-specific provisions to ensure continuity of FDA’s approach to device safety and effectiveness. The final rule provides a two‑year transition and becomes enforceable on February 2, 2026.
QMSR’s core aim is regulatory alignment. By anchoring to ISO 13485, FDA reduces duplicate expectations for global manufacturers who have already structured their quality systems to international standards. At the same time, FDA preserves U.S. legal constructs such as Medical Device Reporting, corrections and removals, unique device identification, labeling requirements, and electronic records controls.
For most organizations, the shift is evolutionary rather than revolutionary. If you operate an ISO 13485‑conforming QMS, your principal tasks are confirming coverage of FDA cross‑references, definitions harmonized with the Federal Food, Drug, and Cosmetic Act (FD&C Act), and U.S. recordkeeping and reporting. If your QMS was designed around the legacy Part 820 text, you will map and close gaps against ISO 13485 clauses while sustaining FDA’s postmarket and data integrity expectations.
The practical benefit is a single, risk‑based QMS vocabulary across design, manufacturing, purchasing, production, servicing, and postmarket activities. That shared vocabulary simplifies supplier oversight and auditing, streamlines multi‑jurisdiction compliance, and allows FDA inspections to focus on outcomes and documented evidence rather than terminology differences.
02Regulatory architecture and legal basis
QMSR is codified in 21 CFR part 820 and incorporates ISO 13485:2016 by reference, a mechanism authorized under 5 U.S.C. 552(a) and 1 CFR part 51. Incorporation by reference gives ISO 13485 the force of regulation within the scope of part 820, while FDA adds clarifying provisions and definitions needed to harmonize with the FD&C Act and other device regulations.
QMSR does not displace other device regulations. Manufacturers must continue to comply with Medical Device Reporting (21 CFR part 803), corrections and removals (21 CFR part 806), registration and listing (21 CFR part 807), device labeling (21 CFR parts 801 and 809), device tracking where applicable (21 CFR part 821), and unique device identification (21 CFR part 830). Electronic records and signatures remain subject to 21 CFR Part 11. Combination products remain governed by the streamlined quality provisions in 21 CFR Part 4.
FDA’s rationale for alignment is twofold: first, to promote medical device quality and safety by leveraging a mature, consensus standard; second, to reduce regulatory burden for stakeholders operating globally. The agency has emphasized that inspections will assess conformance to ISO 13485 clauses within the U.S. legal context, not replace statutory obligations such as reporting timelines or labeling rules.
Practically, your quality manual should explicitly reference ISO 13485 clauses and show how you meet them, while your procedures and records demonstrate compliance with cross‑referenced U.S. requirements. This architecture enables a coherent narrative whether you are responding to an FDA investigator, a notified body auditor, or a customer audit team.
03Scope and applicability
QMSR applies to domestic and foreign manufacturers of finished medical devices intended for commercial distribution in the United States, including specification developers, contract manufacturers, and remanufacturers. It also applies to reprocessors of single‑use devices and to firms performing critical processes that can affect device conformity to requirements. The scope mirrors ISO 13485’s end‑to‑end lifecycle coverage, extending from design and development through production, storage, installation, servicing, and postmarket surveillance.
Scope is risk‑based. The regulation expects controls proportionate to device risk, manufacturing complexity, and the intended use environment. Software as a Medical Device and embedded software are within scope through design controls, risk management, verification and validation, configuration management, and postmarket processes that close the loop from field performance back to design and production.
Device classification, premarket pathway, and regulatory jurisdiction do not change QMSR applicability. Class I exempt devices may have limited premarket requirements, but if they are finished devices, the manufacturer still needs an effective QMS under QMSR. Likewise, imported devices and private‑label arrangements must show that the legal manufacturer’s system conforms and that supply chain controls are adequate to assure quality and compliance.
Activities outside device manufacture—such as basic R&D, general laboratory testing services, or distribution without manufacturing—are not independently pulled into QMSR, though they may be impacted contractually or via supplier controls. Firms should map responsibilities across partners to avoid gaps, especially where labeling, packaging, sterilization, or complaint handling are outsourced. When in doubt, reassess based on intended use, manufacturing steps performed, and medical device classification.
04How it works in practice: mapping ISO 13485 to QMSR
Operationalizing QMSR begins by aligning your quality manual and procedures to ISO 13485 clauses, then layering in the U.S. provisions FDA retained. The practical effect is to speak the ISO 13485 language—context of the organization, risk‑based processes, competence, infrastructure, design and development planning—while ensuring U.S. definitions, reporting triggers, labeling controls, and recordkeeping rules are visible and auditable.
Your document set should explicitly cross‑reference which SOPs address each ISO 13485 clause and where related U.S. requirements are implemented. For example, your complaint and vigilance process will satisfy ISO 13485 clause 8.2.2, and will also implement Medical Device Reporting timelines and formats under 21 CFR part 803. Your design and development process will satisfy clauses 7.3.x while also supporting premarket submissions, labeling compliance, and traceability where required.
The table below illustrates typical alignments that manufacturers implement. Tailor these to your device technology, sterilization strategy, software architecture, and supply chain footprint. Ensure equivalence of terminology—for example, ISO 13485’s “medical device file” should clearly encompass the historical records U.S. stakeholders expect to see for design, production, and servicing.
| Topic | ISO 13485 Anchor | QMSR Treatment | U.S.-Specific Additions/Notes |
|---|---|---|---|
| Management responsibility and review | Clauses 5.1–5.6 | Required, evidence via management review inputs/outputs | Ensure linkage to U.S. complaint, MDR, recalls, field actions data |
| Risk management integration | Clauses 7.1, 7.3.2, 7.3.3, 7.3.7, 7.5.1 | Risk‑based planning across lifecycle | Expect alignment with ISO 14971 practices and trace to postmarket |
| Purchasing and supplier controls | Clauses 7.4.1–7.4.3 | Qualification, monitoring, and re‑evaluation | Document objective evidence for critical suppliers and sterilization providers |
| Complaint handling and feedback | Clauses 8.2.1–8.2.2 | Feedback systems and complaint evaluation | Implement MDR (21 CFR part 803) triggers, timelines, and record formats |
| Records and e-signatures | Clause 4.2, records across clauses 6–8 | Records controlled, retained, retrievable | Apply Part 11 to electronic records/signatures and audit trails |
05Key requirements and what changes versus legacy Part 820
Substantively, QMSR shifts from FDA’s prescriptive legacy text to ISO 13485’s risk‑based framework. The change emphasizes documented methods to achieve quality outcomes rather than adherence to a specific U.S. vocabulary. For compliant ISO 13485 organizations, the main work is ensuring that U.S.‑specific expectations—especially reporting, labeling, UDI, tracking, and electronic records—are tightly integrated and demonstrably effective.
Design and development controls remain central. You must plan, review, verify, and validate designs, manage interfaces, and maintain change control. Supplier controls must be demonstrably risk‑based, with qualification, monitoring, and re‑evaluation scaled to the impact on device safety and performance. Production and process controls require planning, validation where process outputs cannot be fully verified, and ongoing monitoring of acceptance activities and nonconforming product handling.
Postmarket feedback and complaint handling must feed risk management and CAPA. Trend analysis, vigilance triggers, corrections and removals, and recall readiness need to be codified. Data must be accurate, attributable, contemporaneous, and complete. Finally, management review should synthesize quality performance, regulatory feedback, and resource needs to drive continual improvement in the QMS.
- Anchor your quality manual to ISO 13485 clauses and show U.S. rule cross‑references.
- Demonstrate risk‑based supplier qualification and monitoring for critical inputs and services.
- Validate special processes and software used in manufacturing and QMS operations.
- Integrate complaint handling with MDR decision trees and CAPA escalation.
- Ensure labeling, UDI, and traceability controls are current and effective.
- Plan management reviews using measurable quality objectives and regulatory metrics.
- Track clarifications introduced by the ISO 13485:2024 Amendment where adopted by your organization.
06Documentation, records, and data integrity
QMSR expects the documentation discipline of ISO 13485 with the evidence rigor familiar to FDA investigators. Procedures must be controlled, current, and accessible. Records must be trustworthy, complete, and retained for the appropriate period. Electronic systems must ensure identity verification, audit trails, time‑stamped entries, and controls over creation, modification, and retrieval.
In practice, firms standardize the mapping between ISO 13485’s “medical device file,” design and development records, production records, installation and servicing records, and the datasets required for U.S. reporting or tracking. Harmonized templates reduce transcription and interpretation errors, while metadata, barcodes, or UDI linkages enable fast retrieval of exactly the record set an investigator requests. Where processes are automated, validation and change control must be commensurate with risk.
Digital device history and batch records accelerate investigations and reduce compliance risk when correctly implemented. Connect nonconformance, complaint, and CAPA records so trend signals are visible early. Establish a document hierarchy that clarifies ownership, effective dating, and training requirements, and couple it with periodic review to verify ongoing suitability and effectiveness.
- Use EBMR/eDHR to assemble complete, retrievable production evidence.
- Maintain controlled procedures and records in Document Control with periodic review and change history.
- Link genealogy and UDI data with Traceability to support investigations and field actions.
- Engineer audit trails and ALCOA principles through Data Integrity by Design.
- Validate QMS software and spreadsheets proportionate to risk and usage.
- Define retention times aligned to device risk, market life, and regulatory expectations.
07Risk management, complaint handling, and postmarket vigilance
QMSR expects risk management to be embedded in planning, design, manufacturing, and postmarket processes. While it does not incorporate ISO 14971 by reference, ISO 13485 requires risk‑based thinking and explicitly calls for risk management throughout design and production. Manufacturers operationalize this by establishing risk acceptability criteria, linking design verification and validation to risk controls, and using field data to reassess residual risk.
Complaint handling is a fulcrum that connects customers, clinical users, service teams, and regulators. Processes should classify and evaluate every complaint, perform medical device reporting assessments, and ensure prompt field corrections or removals when warranted. Trend analysis detects signals below individual reporting thresholds, and CAPA closes the loop by eliminating root causes and verifying effectiveness.
Premarket submissions and postmarket duties are complementary. Design documentation, risk files, usability engineering, software lifecycle records, and manufacturing validations that support a 510(k), De Novo, or PMA should populate the quality file and remain inspection‑ready. Postmarket surveillance and vigilance inform iterative design changes, labeling updates, or manufacturing improvements to sustain benefit‑risk over time.
08Common pitfalls and misinterpretations
A frequent misconception is that ISO 13485 certification alone guarantees QMSR compliance. Certification can help, but QMSR requires explicit coverage of U.S. requirements such as MDR, corrections and removals, UDI, tracking, labeling, and electronic records. Audit programs must test the effectiveness of those U.S. elements, not just presence of ISO 13485 paperwork.
Another trap is vendor complacency. Supplier approvals based solely on certificates or questionnaires are rarely sufficient for high‑risk components and sterilization services. Risk‑based qualification, performance monitoring, and re‑evaluation must be documented, including objective evidence of capability and capacity. When processes or software are validated, firms sometimes neglect revalidation after changes, a gap that is highly visible in inspections.
Definitions cause problems too. Complaint versus service event, advisory notice versus recall, and rework versus repair are often conflated. Establish clear decision trees, medical evaluation procedures, and labeling controls. Align terminology across SOPs so that investigators, auditors, and employees see one coherent system. Finally, do not overlook management review: weak inputs, missing metrics, and absent follow‑through will undermine an otherwise capable QMS.
09Relationship to EU MDR, UKCA, MDSAP, and other frameworks
QMSR’s anchor to ISO 13485 eases alignment with the European Union’s device regime, which also expects an ISO 13485‑based QMS as part of conformity assessment under Regulation (EU) 2017/745 (MDR). However, EU MDR imposes additional, prescriptive postmarket surveillance, periodic safety update reports, and clinical evaluation requirements that exceed ISO 13485’s baseline. Manufacturers supplying both markets should harmonize their QMS to the highest common denominator and manage dossier‑specific addenda for each jurisdiction.
Unlike the EU’s notified body oversight and EUDAMED modules, FDA retains centralized authority for the U.S. market, with establishment registration, premarket submissions, and postmarket reporting routed to FDA systems. Unique Device Identification is common in concept across jurisdictions, but data dictionaries, timelines, and system integrations differ. Coordinate master data management so that device identifiers and configurations reconcile across UDI databases and customer labeling.
For the United Kingdom, UKCA marking is transitioning with its own timelines, guidance, and acceptance of international standards. Canada, Australia, Japan, and Brazil operate within the Medical Device Single Audit Program (MDSAP), which leverages ISO 13485 while adding country‑specific requirements to the audit model. QMSR alignment simplifies MDSAP adoption, though firms must still address jurisdictional reporting, language, and labeling nuances.
Strategically, many companies operate a single core QMS mapped to ISO 13485 and then maintain regulatory registers that list country‑specific add‑ons such as vigilance timelines, language controls, importer or PRRC roles, and distribution records. This approach makes internal audits more efficient and reduces rework in technical documentation, while sustaining compliance across the U.S., EU, and other key markets such as the U.K. See the U.K. transition context in UKCA medical device transition.
10Transition planning and how V5 supports QMSR implementation
Transition time is limited, and the audit trail of your migration will be scrutinized. Begin with a structured gap assessment against ISO 13485 clauses and the U.S. cross‑references FDA retained. Update your quality manual and procedures so each ISO clause has clear owners, inputs, outputs, and linked records. Validate or revalidate QMS software proportionate to risk. Train personnel on updated roles, decision trees for vigilance, and documentation practices that meet both ISO and U.S. expectations.
Next, strengthen supplier controls and production records. For critical suppliers and sterilization partners, refresh qualification evidence, quality agreements, and performance metrics. For production and service, ensure device history, traceability, and nonconformance records are complete, searchable, and connected to CAPA. Prepare for inspection by substantiating management review inputs and outputs and by maintaining rapid retrieval of complaint, MDR, CAPA, and change control records for the last cycle.
Finally, test your readiness. Run mock inspections, verify MDR and field action playbooks, and confirm that labeling and UDI master data match device configurations. Where you operate globally, align with EU MDR and MDSAP artifacts so that your audit evidence supports multiple regulators without duplication. Document decisions and rationales to create a defensible trail through February 2, 2026 and beyond.
- Perform an ISO 13485/QMSR gap assessment and update the quality manual cross‑references.
- Revise complaint, MDR, and corrections/removals procedures with clear decision trees and timelines.
- Refresh supplier qualifications, quality agreements, and risk‑based monitoring plans.
- Validate QMS software and critical spreadsheets; revalidate after significant changes.
- Consolidate device history, traceability, CAPA, and change control into inspection‑ready records.
- Conduct management review with updated metrics and resource actions linked to risks.
Frequently asked questions
Q.When does QMSR take effect and is there a transition period?+
The final rule becomes enforceable on February 2, 2026. FDA provided a two‑year transition window to allow manufacturers to align their systems and documentation to ISO 13485 with U.S.‑specific provisions.
Q.Does ISO 13485 certification guarantee QMSR compliance?+
No. Certification can facilitate alignment, but QMSR requires explicit coverage of U.S. requirements, including MDR, corrections and removals, labeling, UDI and tracking, and Part 11 controls for electronic records and signatures.
Q.How will FDA inspections change under QMSR?+
Inspections will assess conformance to ISO 13485 clauses within the U.S. legal framework. Investigators will still verify compliance with MDR, corrections and removals, registration and listing, labeling, UDI, tracking, and data integrity expectations.
Q.What happens to Device History Records under QMSR terminology?+
ISO 13485 uses the term medical device file and requires controlled records across design, production, and servicing. FDA will expect equivalent evidence that a complete, retrievable production record exists and is linked to traceability and postmarket data.
Q.Do contract manufacturers and specification developers need to comply?+
Yes. QMSR applies to finished device manufacturers, specification developers, and remanufacturers. Quality agreements should allocate responsibilities for design controls, labeling, complaint handling, vigilance, and records retention.
Q.Does QMSR affect 510(k), De Novo, or PMA submissions?+
Premarket pathways remain unchanged. However, the design, risk, verification, validation, and manufacturing evidence that supports submissions should be organized within an ISO 13485‑aligned QMS to ensure inspection readiness.
Q.Is Part 11 still applicable to electronic records and signatures?+
Yes. Electronic records and signatures used to meet QMSR or other device requirements must comply with 21 CFR Part 11, including identity controls, audit trails, record integrity, and retention.
Primary sources
- FDA Medical Devices – Quality and Regulatory Information
- Federal Register – Medical Devices; Quality Management System Regulation
- Electronic Code of Federal Regulations (eCFR)
- ISO 13485:2016 – Medical devices — QMS requirements
- ISO – Standards and conformity information
- FDA Inspections, Compliance, Enforcement, and Criminal Investigations
- EUR-Lex – EU Medical Device Regulation (MDR) 2017/745
- European Commission – EudraLex and device guidance
- MHRA – Medicines and Healthcare products Regulatory Agency
- PIC/S – Pharmaceutical Inspection Co-operation Scheme
Further reading
- QMSR vs ISO 13485See how FDA’s QMSR maps to ISO 13485 and where U.S. additions apply.
- ISO 13485 Readiness GuideA structured checklist to align your QMS with ISO 13485 requirements.
- FDA QMSR Transition ReadinessPlan the gap assessment, document updates, and training for the 2026 deadline.
- 21 CFR Part 11 ReadinessEnsure your electronic records and signatures meet FDA expectations.
- ISO 14971 Risk Management ReadinessBuild a risk framework that integrates design, production, and postmarket data.
- Medical Device ClassificationUnderstand how device class influences controls and documentation depth.
- FDA 483 ResponseStructure effective responses and corrective actions after inspections.
- ISO 13485:2024 AmendmentReview clarifications and their impact on your quality manual.
- UKCA Medical Device TransitionTrack the U.K. timelines and expectations for QMS and device marking.
- 21 CFR Part 820 (Legacy)Review the outgoing QSR text to understand historical expectations.
Explore this topic
FDA QMSR sits inside this topic cluster in our glossary. Every neighbour is one click away.
Device-specific rules, submissions and the standards that bind them.
V5 Ultimate ships with the FDA QMSR controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.
