V5 Ultimate
Guide

FDA QMSR: Turning 21 CFR 820 into ISO 13485, Without Breaking What Works

On 2 February 2026, FDA's Quality Management System Regulation replaces the long-standing 21 CFR Part 820 Quality System Regulation. The headline change is the incorporation of ISO 13485:2016 by reference, harmonising US device QMS expectations with the rest of the world. The detail is messier: certain Part 820 sections remain, terminology shifts, design controls effectively expand, and the agency has been explicit that this is not a softening — it's a re-alignment. This guide walks through what actually changes, what stays the same, and a realistic 12-month transition path. It is written for QA directors, regulatory affairs leads, and operations VPs at device companies already living under Part 820.

Start free trial Free trial, no credit card, onboard in days, not months.

What QMSR actually does to Part 820

QMSR keeps the Part 820 codification but rewrites most subparts to incorporate ISO 13485:2016 by reference. The agency retained certain US-specific requirements that aren't in 13485 — Part 803 Medical Device Reporting, Part 806 corrections and removals, Part 821 device tracking, and the UDI requirements — and added clarifying definitions in §820.3 to bridge between 13485 vocabulary and FDA vocabulary. Records still have to be available to FDA on inspection, electronic records still fall under Part 11, and the Quality System Inspection Technique (QSIT) is being replaced by a new inspection model aligned to the 13485 clause structure. The practical effect: your QMS becomes a 13485 QMS with FDA hooks, not a 820 QMS with 13485 paint.

Terminology shifts that trip teams up

QMSR pulls terminology toward 13485, and the small word changes are surprisingly disruptive. 'Design history file' becomes 'medical device file' in many contexts (though DHF persists for design records). 'Management with executive responsibility' becomes 'top management'. 'Quality system record' is largely absorbed by the broader documentation requirements of 13485 clause 4. The agency added §820.3 cross-walk definitions so an inspector reading a 13485-flavoured SOP can match it to the predicate-rule language — but your SOPs need to use one consistent vocabulary, not switch between 820 and 13485 mid-paragraph. Pick the 13485 terms, update every SOP, and add a glossary cross-reference for transition.

Risk-based thinking becomes structural

Part 820 mentioned risk in a few places — most notably in design validation and CAPA. QMSR, by adopting 13485, pulls risk-based thinking into every clause: management review, resource planning, supplier evaluation, document control, training, infrastructure. In practice you are expected to be able to show, on any process, why the controls you apply are proportionate to the risk of the device and the risk of the process failing. This is also the area where ISO 14971 becomes effectively mandatory — not because QMSR explicitly requires it, but because it's the only methodology the inspectorate (and any notified body in a parallel audit) recognises.

Design controls: similar, but tightened

Part 820.30 design controls and 13485 clause 7.3 cover the same territory, but 13485 is more prescriptive about design transfer, change control, and the design history file's contents. The biggest practical change is that 13485 requires a documented design and development plan covering all stages — not just the inputs and outputs Part 820 emphasised — and explicit verification that design outputs meet design inputs at each review. Companies who built their DHF around 820's lighter touch will need to expand the plan documentation, formalise design reviews with attendee lists and signed decisions, and prove that the design transfer review happened before manufacturing started, not after the first batch.

Supplier control gets a real upgrade

Part 820.50 supplier control was famously thin — 'evaluate and select potential suppliers on the basis of their ability to meet specified requirements'. 13485 clause 7.4 is much more demanding: documented criteria for selection, evaluation, and re-evaluation based on risk; supplier monitoring proportionate to risk; documented evidence of evaluation kept on file; and explicit responsibilities for changes to outsourced processes. For QMSR, that means an Approved Supplier List that lives — risk-tiered, with re-evaluation cadences tied to the tier, change-impact reviews tied to each supplier's scope of supply, and audit evidence on file for the high-risk tier.

A 12-month transition path

Months 1 to 3: gap assessment of every Part 820 SOP against the corresponding 13485 clause; identify terminology updates, missing risk-based controls, design-plan gaps, and supplier-control gaps. Months 4 to 6: rewrite top-level SOPs (Quality Manual, Management Review, Document Control, Design Controls, Supplier Control, CAPA) and update training records. Months 7 to 9: populate medical device files for each marketed product family; run a full DHF traceability matrix for at least one product as a pilot. Months 10 to 11: internal audit against the new QMSR/13485 scope; close findings. Month 12: mock inspection using the new FDA inspection model; sign off the transition. Don't wait — even FDA-only manufacturers should treat QMSR like a real audit cycle, not a paperwork change.

What FDA inspections will look like after QMSR

FDA has been clear that the post-QMSR inspection model will follow the structure of 13485 and pull from the QSIT subsystems where they still apply. Expect investigators to walk a device end-to-end: design history file, risk file, manufacturing records, complaints, CAPA, MDR. The new inspection model also tightens the agency's expectations on supplier evidence and on post-market data feeding the risk file — both areas where Part 820 inspections were historically lighter. Manufacturers who treat QMSR as a re-labelling exercise rather than a real QMS upgrade will see their first post-2026 inspection go badly.

Frequently asked

Does QMSR replace Part 11?
No. 21 CFR Part 11 remains in force for electronic records and electronic signatures. QMSR governs the QMS; Part 11 governs how the records of that QMS are kept electronically. Both apply, and a clean QMSR implementation has to also be a clean Part 11 implementation.
Do we need ISO 13485 certification once QMSR is in force?
Not for US-only manufacturers. QMSR incorporates 13485 by reference into the regulation, but it does not require third-party certification — FDA inspects you directly. If you already sell outside the US, certification remains the practical entry ticket to the EU, Canada, Japan, Australia and most other markets, and a QMSR-aligned QMS is also a certifiable 13485 QMS.
What happens to existing 820 SOPs on day one?
They don't automatically become non-compliant — but every SOP that contradicts 13485 (terminology, missing risk-based controls, light design-plan or supplier-control language) becomes an audit finding waiting to happen. Plan to retire or rewrite every Part 820 SOP within the first six months post-transition, and update training records to match.
Will FDA still cite §820 sections in 483s?
Yes — the codification stays at 21 CFR 820, so 483 observations will still reference §820.xx, but the substance behind each section now points to the corresponding 13485 clause. Expect the language of findings to mix Part 820 section numbers with 13485 clause references for several inspection cycles.

See it on your shop floor.

Free trial, no credit card, onboard in days, not months.

Start free trialRead the compliance brief →