Medical device companies spent years working under QSR. That changed on February 2, 2026, when the FDA’s Quality Management System Regulation (QMSR), as outlined in the FDA QMSR guidance, officially took effect.
For some organizations, the transition has been fairly straightforward. Others are discovering that records, supplier oversight, software validation, inspection preparation, and quality documentation do not always fit neatly into the new structure. Processes that looked fine under the old system can raise new questions when viewed through a QMSR lens.
That is why the discussion around QMSR has continued long after the effective date. The challenge is no longer understanding what the rule says. The challenge is showing that your quality system works the way the rule expects it to.
Key Takeaways
- QMSR is already in effect, so companies now need working evidence, not transition plans.
- ISO 13485 certification helps, but it does not replace FDA specific duties.
- Existing QSR procedures need to be mapped clearly to the QMSR and ISO 13485 structure.
- Connected device and SaMD teams need cybersecurity testing evidence when security issues can affect safety, quality, or risk decisions.
- Staff must be able to explain how records connect across quality, regulatory, engineering, supplier, software, and security teams.
What Is FDA QMSR?
FDA QMSR stands for Quality Management System Regulation. It is the FDA’s current quality system rule for medical devices under 21 CFR Part 820. The regulation took effect on February 2, 2026, replacing the older Quality System Regulation, or QSR.
The reason QMSR has received so much attention is its connection to ISO 13485:2016. The FDA now incorporates that standard by reference, bringing U.S. quality system requirements much closer to the framework already used by medical device companies in many parts of the world.
If your organization was already required to follow FDA quality system requirements, QMSR applies to you as well. Medical device manufacturers and other regulated firms remain subject to FDA oversight, but they now work within a structure that more closely reflects international quality management practices.
QSR vs QMSR: What Changed?
A lot of companies expected a brand-new set of quality requirements when QMSR arrived. That is not really what happened.
The activities that quality teams deal with every day are still there. You still have design controls, complaint handling, CAPA, training records, purchasing controls, production records, and document management. What changed is the way those requirements are organized. FDA’s old QSR followed its own format. QMSR follows ISO 13485:2016 and adds FDA-specific requirements where needed.
For companies that have worked with both FDA requirements and ISO 13485, the new regulation will look more familiar. For companies that built their systems entirely around QSR, the transition usually involves reviewing procedures, records, and quality documents to see where they fit under the new arrangement.
| Area | Under QSR | Under QMSR | What the Change Means |
|---|---|---|---|
| Regulatory structure | FDA-specific Part 820 structure | ISO 13485-based structure with FDA requirements | Quality systems follow a format already used in many global markets |
| Terminology | FDA-specific terms and definitions | ISO 13485 terminology with FDA additions | Internal references and procedures may need updating |
| Documentation | Organized around QSR requirements | Organized around ISO 13485 requirements | Records may need to be reorganized or cross-referenced |
| Design controls | Managed under QSR requirements | Managed through ISO 13485 design and development requirements plus FDA requirements | Same objective, different location within the quality system |
| CAPA | Separate QSR requirement | Integrated within ISO 13485 quality processes | Teams may need to update document references |
| Supplier controls | Purchasing controls under QSR | Supplier management requirements within ISO 13485 | Supplier documentation follows ISO-based terminology |
| Inspection model | Built around the former QSR regulation | Built around QMSR requirements | Inspection evidence is reviewed against the new regulation |
| Management review | Defined by QSR requirements | Defined by ISO 13485 management review requirements | Review records may follow a different format |
| Digital quality systems | Structured around QSR documentation | Structured around ISO 13485-based documentation | Electronic systems may require updates to document architecture |
Who Needs to Comply With QMSR?
QMSR is not limited to large medical device manufacturers. If your company helps place a medical device on the U.S. market, your role needs a closer look.
Firms that may fall under QMSR include:
- Medical device manufacturers
- Specification developers
- Contract manufacturers
- Relabelers
- Repackagers
- Remanufacturers
- Certain foreign manufacturers selling devices in the United States
Your obligations depend on what your company actually does. A finished device manufacturer, software company, contract manufacturer, and component supplier may not carry the same quality system responsibilities.
To check whether QMSR applies, review your:
- Device classification
- FDA registration status
- Markets where the device is sold
- Role in design, manufacturing, labeling, packaging, servicing, or distribution
- Quality system responsibilities under FDA rules
Startups and smaller firms should not assume QMSR is only for established device companies. FDA requirements can apply well before a product reaches large scale commercial distribution.
Why ISO 13485 Certification Alone Is Not Enough
Many medical device companies assume that an ISO 13485 certificate puts them in a good position with the FDA. It certainly helps, but the two are not the same thing.
An ISO auditor checks whether your quality management system meets the requirements of ISO 13485. The FDA has a different job. FDA investigators look at whether your company is meeting FDA regulations and can still inspect your facility even if you hold a current ISO certificate.
That distinction catches some companies off guard. You can have a successful ISO audit and still run into FDA concerns that were never part of the certification process.
For example:
- Your quality system passes an ISO audit, but the process for escalating potential MDR events is inconsistent.
- Supplier qualification records are complete, yet product traceability for the U.S. market is difficult to demonstrate.
- The quality manual is well maintained, but complaint files do not clearly show why certain events were or were not reported.
There are also FDA requirements that sit outside the ISO certificate itself, including:
- Medical Device Reporting (MDR)
- Unique Device Identification (UDI)
- Establishment registration and device listing
- Labeling requirements
- Corrections and removals reporting
- FDA complaint handling expectations
An ISO 13485 certificate is a strong foundation. It is not proof that every FDA requirement has been covered.
How FDA Inspections Work Under QMSR
FDA retired QSIT when QMSR took effect. The agency now uses Compliance Program 7382.850 for medical device quality system inspections.
Under QMSR, inspection discussions can move across connected records. An investigator may start with a product risk, then review related complaints, CAPA records, supplier files, management review notes, or process performance data.
This means teams need to explain how quality processes connect. It is no longer enough to pull an old QSR folder and read from a procedure. Staff need to know where the evidence lives, why it matters, and how it supports the quality system.
Records FDA May Review More Closely Now
Some records carry more inspection weight because they show how the company handles quality issues after they are found. Under QMSR, FDA investigators may look closely at records related to management oversight, audit results, supplier reviews, quality objectives, and follow-up actions.
High sensitivity records include:
- Management review records
- Internal and supplier audit records
- Quality objectives and related performance data
- Audit follow up and closure evidence
- Leadership decisions on quality issues
These records need to be factual and easy to follow. A strong record shows what happened, who owned the action, what decision was made, the expected timeline, and proof that the issue was closed.
Weak documentation can create problems during an inspection. Vague meeting minutes, unsupported conclusions, open audit findings with no explanation, or wording that does not match actual actions can make the quality system look poorly controlled.
Risk Management Under QMSR
Risk management is no longer something that lives only in design documentation. Under QMSR, risk based thinking needs to show up throughout the quality system and influence everyday decisions.
You should be able to see risk considerations in areas such as:
- Supplier qualification
- Incoming acceptance activities
- Employee training plans
- Complaint review and escalation
- CAPA prioritization
- Production and process changes
- Postmarket data analysis
- Software tool validation
A sterilization supplier is not the same as an office supply vendor. A cloud vendor that stores quality records or a critical API provider for a connected device also carries more risk than a routine business service. The controls need to match that difference.
Risk records should also explain the reasoning behind a decision. Do not stop at a completed form. Show why the supplier, process, software tool, or complaint was treated as low, medium, or high risk.
Supplier Controls Under QMSR
Supplier oversight can become a pressure point under QMSR because medical device companies rarely work alone. Product quality can depend on outside manufacturers, laboratories, service providers, software tools, cloud systems, and technical vendors.
Supplier controls may need to cover:
- Contract manufacturers
- Sterilization providers
- Testing laboratories
- Software vendors
- Cloud providers
- Component suppliers
- Calibration services
- Cybersecurity vendors
An approved supplier list alone does not say much. FDA will want to see how the supplier was approved, what risk they carry, how performance is checked, and what happens when problems appear.
Stronger supplier control usually includes risk ranking, approval criteria, performance review, re-evaluation, quality agreements, supplier CAPA, and rules for change notification.
Outsourcing does not move responsibility away from the manufacturer. If a supplier affects device quality, safety, or compliance, the manufacturer still needs evidence that the work is properly controlled.
CAPA Under QMSR
CAPA Needs to Connect With Real Quality Signals
CAPA still matters under QMSR, but a CAPA record should not sit alone in the quality system like a closed form. It needs to connect with the issue that triggered it, whether that came from a complaint, audit finding, supplier issue, process deviation, nonconformity, service record, or postmarket feedback.
What Investigators May Check
During an inspection, FDA investigators may look at the quality of the root cause, how the company judged the risk, and whether the action taken actually matched the problem. They may also check whether the team separated a quick correction from a real corrective action.
Proof That the Issue Was Fixed
A CAPA is weak if it only shows that someone completed a task. The record needs to show whether the fix worked, whether the issue came back later, and whether serious or repeated problems were raised to management review when needed.
Software Validation and Digital QMS Readiness
QMSR readiness also depends on the systems your team uses to create, approve, store, and review quality records. This includes eQMS platforms, complaint databases, CAPA tools, supplier management systems, training platforms, document control tools, spreadsheets, and dashboards used for complaint or quality trend review.
For any system that supports regulated quality decisions, companies need evidence for:
- Intended use: Show what the system does and which quality task it supports. A CAPA tracker, for example, has a different role from a training platform.
- Validation: Keep proof that the system works for its actual use, not just a generic vendor claim.
- User access: Make sure access matches the person’s role. A user who only reviews records should not have the same rights as someone who approves or closes them.
- Change control: Record major updates, workflow changes, and configuration changes before they affect live quality records.
- Audit trails: Be able to see who changed a record, what changed, and when it happened.
- Backup and data integrity: Quality records need protection from loss, deletion, wrong edits, or broken files.
- Electronic signatures: If approvals happen electronically, the signature record needs to show who approved what and when.
Spreadsheets need the same attention when teams use them for CAPA tracking, supplier scoring, risk evaluation, complaint trending, or release decisions. Once a spreadsheet affects a regulated decision, it can no longer be treated like a casual working file.
Cybersecurity and QMSR for Connected Medical Devices
Cybersecurity becomes part of QMSR when a security issue has the potential to affect device safety, performance, availability, data integrity, or patient risk. For connected medical devices, security is no longer a separate technical concern. It can directly influence product quality and patient outcomes.
This is especially relevant for:
- Software as a Medical Device (SaMD)
- Mobile medical applications
- Cloud-based healthcare platforms
- Connected medical devices and IoT products
- APIs that support clinical or device functions
- AI-enabled medical systems
As devices become more connected, cybersecurity activities start appearing across multiple quality system processes. Security considerations may influence design inputs, threat modeling, software change control, vulnerability management, complaint investigations, supplier oversight, postmarket monitoring, and CAPA activities.
Security testing can also provide valuable evidence during quality reviews. Findings from penetration tests, vulnerability assessments, and security evaluations can help teams understand risk, prioritize remediation work, support release decisions, and monitor issues after a product reaches the market.
Medical device companies frequently use independent security assessments to strengthen these activities. Providers such as Qualysec help organizations identify exploitable weaknesses across web applications, mobile applications, APIs, cloud environments, external networks, and IoT ecosystems before those weaknesses develop into larger quality, safety, or regulatory concerns.
What QMSR Means for Different Company Types
1. ISO 13485-Mature Global Manufacturers
A company with a working ISO 13485 system is not starting from zero. In many cases, the bigger job is finding the parts that do not fully match FDA expectations. That usually means checking FDA-specific procedures, U.S. record needs, complaint decisions, labeling controls, registration and listing duties, and inspection preparation.
The team still needs training. People may know the ISO system well, but an FDA inspection can ask different questions and follow records in a different way.
2. US-Only, QSR-Based Manufacturers
Companies built mainly around the old QSR model may have more work to do. Their procedures might cover the right activities, but the system may not follow the ISO based layout QMSR now uses.
Common gaps can appear in management review, audit planning, quality objectives, risk based supplier control, and software validation. Some teams may also find that records are stored by old QSR sections, which makes evidence harder to trace.
For these companies, light procedure edits may not be enough. Some processes may need to be rebuilt so the quality system works cleanly under QMSR.
3. Medical Device Startups
Startups do not need a heavy quality system copied from large manufacturers. They need a system that their team can actually follow when records, decisions, and processes are reviewed.
Early attention usually needs to go to:
- Design change control, so product updates do not happen without proper review
- Supplier files, especially when outside vendors support development, testing, software, or production
- Software validation, when tools are used for regulated quality decisions
- Complaint readiness, so the team knows how to assess feedback once the device reaches users
- Management review, even if the leadership team is small
QMSR readiness can also affect investor diligence, enterprise partnerships, and acquisition review. Outside parties want to see that the company can manage regulated work with clear records, not just good product ideas.
4. Contract Manufacturers and Outsourced Providers
QMSR does not only affect finished device manufacturers. Contract manufacturers and outsourced service providers can expect more detailed documentation requests from the companies they support.
Requests commonly involve:
- Quality agreements that clearly define responsibilities
- Validation records for critical processes and systems
- Audit reports and follow-up actions
- Supplier CAPA records when issues occur
- Process change notifications before changes are implemented
- Traceability records linked to products, materials, or services
For many providers, strong documentation is more than a compliance requirement. Device manufacturers increasingly review quality records when selecting or retaining partners. Well maintained records can help demonstrate reliability, reduce review time, and strengthen commercial relationships.
SaMD and Connected Device Companies
SaMD and connected device companies need a quality system that reflects how software is actually built and updated. Release validation, defect handling, vulnerability management, cloud dependencies, API security, access control, and postmarket updates all need proper records because each area can affect the device after it reaches users.
The work also has to move across teams. Engineering may own the code, but quality, regulatory, and security teams need visibility into changes, known defects, fixes, and risks. Without that connection, important software decisions can fall outside the quality record.
QMSR Readiness Checklist
Use this checklist for a practical review of your current quality system.
- Match old QSR procedures with the new QMSR and ISO 13485 structure so teams know where each record belongs.
- Separate FDA specific duties from ISO 13485 items. This includes MDR, UDI, registration, listing, labeling, corrections, and removals.
- Clean up controlled documents that still use old QSR wording, section numbers, or outdated process links.
- Recheck supplier risk levels and monitoring records, mainly for vendors involved in production, testing, software, cloud services, or security.
- Review management review files for clear decisions, owners, dates, and closure proof.
- Update internal audit plans so they reflect the current system.
- Check whether CAPA records link back to real signals such as complaints, audit findings, supplier issues, deviations, and service data.
- Validate eQMS tools, spreadsheets, complaint systems, and other software used for regulated decisions.
- Review electronic records and signatures where Part 11 applies.
- Train QA, RA, engineering, software, supplier management, security, and leadership teams on what they need to know and explain.
- Run a mock inspection and see whether staff can find records quickly without relying on old QSR folders.
- Review cybersecurity testing evidence for connected products, APIs, cloud systems, software platforms, and other digital systems tied to device quality or safety.
How Qualysec Supports Medical Device Companies Preparing for QMSR
Qualysec supports medical device and healthcare technology companies on the cybersecurity testing side of QMSR readiness. It is not a QMS consulting firm. Its role is to help teams test web apps, mobile apps, APIs, cloud systems, external networks, and IoT environments for exploitable weaknesses.
This matters for connected devices, SaMD platforms, healthcare SaaS products, and device APIs because security issues can affect product safety, data integrity, availability, and risk decisions.
Qualysec’s testing approach includes:
- Manual testing by security experts for complex and business logic issues
- AI agents to simulate real attack scenarios and speed up testing
- Automated scanners for broad system coverage
The team provides severity based reports, remediation guidance, retesting support, and consultation calls. These findings can help engineering, quality, regulatory, and security teams plan fixes, support risk reviews, prepare CAPA decisions, and answer supplier, partner, customer, or regulatory questions.
Connected device companies can contact Qualysec before product release, supplier audits, QMSR inspections, or postmarket cybersecurity reviews.
Contact us today for FDA inspections, expert security testing, remediation support, retesting, and compliance documentation.
Conclusion
QMSR is a real quality system transition, not a document cleanup task. Medical device companies now need records that show how decisions are made, who owns them, and how risks are controlled across the business in alignment with FDA QMSR guidance.
The best prepared teams will be the ones that can connect quality records, supplier controls, inspection evidence, digital systems, software decisions, and cybersecurity testing without gaps. For connected devices, SaMD platforms, healthcare APIs, cloud systems, and IoT environments, Qualysec can support this readiness with focused penetration testing before release, audits, inspections, or postmarket reviews.
FAQs
What is the FDA Quality System Regulation QMSR?
QMSR is the FDA quality rule for medical device companies in the United States. It comes under 21 CFR Part 820 and has been in effect since February 2, 2026. It replaced QSR and now uses ISO 13485:2016 within the rule.
What is the difference between QSR and QMSR?
QSR was written in the FDA’s own format. QMSR follows ISO 13485:2016 more closely. The work companies do has not disappeared. Records, procedures, reviews, and controls still matter, but they now sit under a different structure.
What is the 21 CFR 820.30 guidance?
21 CFR 820.30 refers to design controls. It deals with how medical device companies manage design planning, inputs, outputs, reviews, testing, validation, transfer, and design changes. The main idea is to keep product design controlled from early development to release.
What did the FDA recently revise the quality system regulation to align with?
The FDA revised the medical device quality system rule to align with ISO 13485:2016. This makes the U.S. rule closer to the quality system standard already used by many medical device companies outside the United States.
What is the new QMS standard?
For FDA-regulated medical devices, the current rule is QMSR. It brings ISO 13485:2016 into 21 CFR Part 820, but companies still need to follow FDA-specific duties that sit outside the ISO certificate.
What are the changes in the FDA in 2026?
For medical device companies, the main 2026 change is that QMSR replaced QSR on February 2, 2026. Companies now need records that show their updated procedures are trained, used, and ready for FDA review.