
FDA QMSR: what changed from QSR and how to comply with ISO 13485

RegAid Team · 5 min read

On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) replaced the Quality System Regulation (QSR) that had governed medical device manufacturing since 1996. QMSR incorporates ISO 13485:2016 by reference into 21 CFR Part 820, shifting from a prescriptive US-specific framework to an internationally harmonized, risk-based quality management system.

What is QMSR?

QMSR amends 21 CFR Part 820 to incorporate the international standard ISO 13485:2016 — "Medical devices — Quality management systems — Requirements for regulatory purposes." Instead of maintaining a separate set of US-specific quality system requirements, the FDA now recognizes ISO 13485 as the foundation, with a limited set of additional FDA-specific requirements layered on top.

The final rule was published in the Federal Register on February 2, 2024, with a two-year compliance period ending February 2, 2026.

What changed: QSR vs QMSR

| Area | QSR (old 21 CFR 820) | QMSR (new 21 CFR 820) |
|---|---|---|
| Foundation | US-specific prescriptive requirements | ISO 13485:2016 incorporated by reference |
| Approach | Procedure-focused | Risk-based, outcome-oriented |
| Design controls | Detailed prescriptive requirements in §820.30 | ISO 13485 Clause 7.3 (design and development) + FDA design control requirements retained |
| Management review | Exempt from FDA inspection | Now subject to FDA inspection |
| Internal audits | Exempt from FDA inspection | Now subject to FDA inspection |
| Supplier audits | Exempt from FDA inspection | Now subject to FDA inspection |
| CAPA | §820.90 | ISO 13485 Clause 8.5.2/8.5.3 + FDA CAPA requirements retained |
| Complaint handling | §820.198 | ISO 13485 Clause 8.2.2 + FDA complaint requirements retained |
| Inspection method | QSIT (Quality System Inspection Technique) | Compliance Program 7382.850 |

What the FDA retained beyond ISO 13485

QMSR is not a simple adoption of ISO 13485. The FDA retained several requirements that go beyond the standard:

Design controls (21 CFR 820.30)

  • Design history file (DHF) requirement remains
  • Design transfer requirements remain
  • These supplement ISO 13485 Clause 7.3

Purchasing controls (21 CFR 820.50)

  • Evaluation of suppliers, contractors, and consultants
  • Supplements ISO 13485 Clause 7.4

CAPA (21 CFR 820.90)

  • FDA-specific corrective and preventive action requirements
  • Supplements ISO 13485 Clauses 8.5.2 and 8.5.3

Complaint handling (21 CFR 820.198)

  • FDA-specific requirements for complaint files
  • MDR (Medical Device Report) investigation requirements
  • Supplements ISO 13485 Clause 8.2.2

Records (21 CFR 820.184)

  • Device History Record (DHR) requirements

What's now inspectable that wasn't before

This is the most significant practical change. Under QSR, three areas were exempt from routine FDA inspection. Under QMSR, all three are inspectable:

  1. Management review records — ISO 13485 Clause 5.6 requires documented management reviews of the QMS. FDA inspectors can now request these records.
  2. Internal audit reports — ISO 13485 Clause 8.2.4 requires internal audits. FDA inspectors can now review audit findings and corrective actions.
  3. Supplier audit records — ISO 13485 Clause 7.4 requires supplier evaluation. FDA can now inspect these records.

Manufacturers should review these records for completeness and ensure findings have documented follow-up before the next FDA inspection.

Do you need ISO 13485 certification?

No. The FDA does not require or recognize ISO 13485 certificates of conformance. A certificate from a registrar does not exempt you from FDA inspection, and the FDA will not issue certificates.

However, if you already hold ISO 13485 certification, you have a significant head start — your QMS already covers the foundation. Focus your gap analysis on the FDA-specific additions (design controls, CAPA, complaint handling, DHR).

New inspection approach: Compliance Program 7382.850

The FDA retired the QSIT inspection method on February 2, 2026 and replaced it with Compliance Program 7382.850. The new approach:

  • Aligns inspection procedures with ISO 13485 clause structure
  • Covers the additional FDA-specific requirements
  • Includes the newly inspectable areas (management review, internal audits, supplier audits)
  • Uses a risk-based prioritization for inspection scope

Gap analysis: where to focus

If you were QSR-compliant, focus your gap analysis on:

  1. Management review documentation — ensure reviews cover all ISO 13485 Clause 5.6 inputs and outputs, with documented decisions and action items
  2. Internal audit program — ensure audits cover the full ISO 13485 scope, not just the QSR-specific areas you previously focused on
  3. Supplier evaluation records — ensure documented evaluation criteria and evidence for all suppliers of production materials and services
  4. Risk management integration — ISO 13485 requires risk management throughout the QMS, not just in design controls. Ensure risk-based decision-making is documented across production, CAPA, and purchasing processes
  5. Process validation — ISO 13485 Clause 7.5.6 may require additional process validation beyond what QSR §820.75 specified

Key takeaways

  • QMSR replaced QSR on February 2, 2026 — ISO 13485:2016 is now the foundation of 21 CFR Part 820
  • Management review, internal audit, and supplier audit records are now subject to FDA inspection
  • The FDA retained design controls, CAPA, complaint handling, and DHR requirements beyond ISO 13485
  • ISO 13485 certification is not required and does not exempt you from FDA inspection
  • Focus gap analysis on newly inspectable areas and risk management integration
  • The new inspection approach (Compliance Program 7382.850) aligns with ISO 13485 clause structure

How RegAid helps

RegAid covers the full text of 21 CFR Part 820 (QMSR), ISO 13485:2016, and all related FDA guidance documents. Ask "What are the FDA-specific CAPA requirements beyond ISO 13485?" and get a cited answer comparing 21 CFR 820.90 with ISO 13485 Clauses 8.5.2 and 8.5.3.