QMSR Resource Hub

The Quality Management System Regulation (QMSR) is the revised version of FDA's device current good manufacturing practice (CGMP) requirements, codified at 21 CFR Part 820. It became effective on February 2, 2026, replacing the previous Quality System (QS) Regulation that had governed U.S. medical device manufacturing since 1997. The QMSR incorporates ISO 13485:2016 by reference as its foundation, and adds a small set of FDA-specific supplemental provisions that align the regulation with the Federal Food, Drug, and Cosmetic Act (FD&C Act).

QMSR stands for Quality Management System Regulation. This is the new title of 21 CFR Part 820. The previous title was the "Quality System Regulation" (QSR). The rename reflects the shift to align with the internationally used term "quality management system" as defined in ISO 13485.

The QMSR became effective on February 2, 2026, exactly two years after the Final Rule was published in the Federal Register on February 2, 2024. FDA began enforcing QMSR requirements on the effective date.

FDA replaced the QS Regulation to harmonize U.S. device CGMP requirements with the international consensus standard used by most other major regulatory authorities. Manufacturers who sold in both U.S. and international markets were maintaining two substantially similar but separately organized quality systems, one for FDA and one for ISO 13485. FDA determined the two frameworks were, when taken in totality, substantially similar in the level of assurance they provided, and that incorporating ISO 13485 by reference would reduce redundant effort, lower compliance costs, and speed patient access to safe and effective devices. FDA estimates annualized net cost savings of approximately $532 million at a 7% discount rate.

Three things changed meaningfully. First, the structure: the QMSR incorporates ISO 13485:2016 by reference, so the requirements are now organized the way ISO 13485 organizes them rather than the way the old Subparts A through O of Part 820 did. Second, a handful of specific provisions were added, removed, or modified, most notably the elimination of the old §820.180(c) exemption that kept internal audits, management review reports, and supplier audits out of FDA's inspection scope. Third, terminology shifted: "Device Master Record" (DMR), "Design History File" (DHF), and "Device History Record" (DHR) are no longer defined in the regulation, replaced functionally by ISO 13485's Medical Device File, design and development file, and medical device/batch records. The substance of the quality system requirements, however, did not fundamentally change.

The QMSR does not lower any substantive requirement for device safety or effectiveness. It preserves the same level of assurance under section 520(f) of the FD&C Act that the QS Regulation provided. Where the QMSR advances quality outcomes is in three indirect ways: (1) the explicit, integrated risk management expectations throughout ISO 13485 (clauses 4.1, 7.1, 7.3, 7.4, 7.5, 7.6, and 8.2) create a more rigorous risk-based framework than the former §820.30(g); (2) harmonization reduces the administrative burden that diverted quality resources from product-focused activities; and (3) alignment with global regulators enables more coherent post-market surveillance across jurisdictions. FDA has not published retrospective real-world evidence demonstrating that the new framework would have prevented specific historical device failures, and the agency's stated rationale for the rulemaking is harmonization rather than a claimed improvement in device outcomes.

FDA enforces the QMSR through its Center for Devices and Radiological Health (CDRH) and field investigators from the Office of Regulatory Affairs. Failure to comply with any applicable QMSR requirement renders a device adulterated under section 501(h) of the FD&C Act, which can result in FDA Form 483 observations, Warning Letters, Untitled Letters, import refusals, seizure, injunction, or consent decrees.

The QMSR applies to any finished device manufacturer who intends to commercially distribute medical devices in the United States, whether domestic or foreign. This includes contract sterilizers, installers, relabelers, remanufacturers, repackagers, specification developers, and initial distributors of foreign entities performing these functions. It does not apply to manufacturers of components or parts (though such manufacturers are encouraged to consider its provisions as appropriate), nor to manufacturers of blood and blood components for transfusion or further manufacturing. See the Scope section for the full applicability analysis.

A finished device is any device or accessory to any device that is suitable for use or capable of functioning, whether or not it is packaged, labeled, or sterilized. This definition is unchanged from the QS Regulation and is codified at 21 CFR 820.3(a). Finished devices include products that are manufactured and assembled but still awaiting sterilization, inspection, polishing, or packaging, FDA specifically rejected interpretations that would let manufacturers avoid CGMP by claiming a device was not yet "final." A device does not need to be in commercial distribution to be considered finished.

No. The QMSR does not apply to manufacturers of components or parts of finished devices. However, FDA encourages component manufacturers to consider the QMSR's provisions as appropriate, and FDA retains statutory authority under section 201(h)(1) of the FD&C Act to inspect component manufacturers if the need arises. Finished device manufacturers remain responsible under ISO 13485 Clause 7.4 for ensuring that components they purchase meet specifications, through a mix of supplier quality controls and in-house verification proportionate to risk.

Yes. FDA considers an accessory to be a finished device for QMSR purposes, even though accessories have their own classification pathway under section 513(f)(6) of the FD&C Act. An accessory intended to support, supplement, or augment the performance of another device is subject to the full QMSR. Examples FDA has specifically identified as finished devices include blood tubing and diagnostic x-ray components.

Contract manufacturers who perform functions covered by the QMSR, including design, manufacture, packaging, labeling, storage, installation, or servicing of finished devices, are subject to the regulation. The definition of "manufacturer" at 21 CFR 820.3 explicitly includes those performing contract sterilization, installation, relabeling, remanufacturing, repacking, and specification development. A contract manufacturer must maintain a QMS appropriate to the operations it performs; if it performs only some operations, it needs only comply with the requirements applicable to those operations.

Yes. A specification developer, importer, initial distributor of foreign entities, or any other finished device manufacturer remains responsible for QMSR compliance even when physical manufacturing is outsourced. Responsibility cannot be contracted away. The finished device manufacturer must establish supplier controls under ISO 13485 Clause 7.4 that are proportionate to the risk the supplier's work introduces, and must ensure that the contract manufacturer's activities are integrated into the finished device manufacturer's QMS.

Yes. Both are explicitly named in the definition of "manufacturer" at 21 CFR 820.3 and in the scope provision at 21 CFR 820.1(a). A contract sterilizer must comply with QMSR requirements applicable to sterilization operations. A specification developer must comply with design and development, document control, and other applicable requirements even if it does not physically make or touch a device.

Yes. Any device imported or offered for import into the United States is subject to the QMSR and can be refused admission under section 801(a) of the FD&C Act if it appears adulterated. Foreign manufacturers must comply with the same requirements as domestic manufacturers, and FDA conducts inspections of foreign establishments.

FDA's inspectional authority under section 704 of the FD&C Act allows investigators to review records relevant to compliance. While the QMSR itself does not contain an explicit English-language requirement, FDA has consistently expected that records made available during inspection be in a form investigators can readily use. In practice, foreign manufacturers typically maintain English translations of key procedures, records, and SOPs, or provide qualified translation on site, to avoid delays or findings during inspection.

Devices manufactured under an IDE are not exempt from design and development requirements. 21 CFR 820.10(c) requires IDE-stage devices (for applicable classes) to comply with ISO 13485 Clause 7.3 and its subclauses. Other QMSR requirements may or may not apply depending on the device's classification and stage; manufacturers should review 21 CFR 812 alongside the QMSR to determine the full set of applicable requirements for their IDE.

Yes, the QMSR applies to manufacturers of human cells, tissues, and cellular and tissue-based products (HCT/Ps) that are regulated as devices, meaning products that do not meet the criteria in 21 CFR 1271.10(a) and are also regulated as devices. These manufacturers must comply with the QMSR in addition to donor-eligibility requirements in 21 CFR Part 1271 Subpart C and current good tissue practice requirements in Subpart D. Where regulations in Part 1271 and Part 820 conflict, the regulation specifically applicable to the device in question controls.

No. The QMSR does not apply to manufacturers of blood and blood components used for transfusion or further manufacturing. These manufacturers are subject to subchapter F of 21 CFR.

The QMSR applies to the device constituent part of a combination product through the streamlined option at 21 CFR Part 4. FDA made conforming edits to Part 4 in this rulemaking to clarify the device QMS requirements for combination products, but these edits did not change the substantive CGMP obligations for combination products. See the Combination Products section for details.

ISO 13485:2016 is the international consensus standard titled Medical devices, Quality management systems, Requirements for regulatory purposes, published by the International Organization for Standardization. It specifies QMS requirements that manufacturers can use to demonstrate their ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. It is used, either as a foundation or as adopted regulation, by most major medical device regulatory authorities worldwide, including the MDSAP participants (Australia, Brazil, Canada, Japan, and the United States).

The entire ISO 13485:2016 standard is incorporated by reference, including the Introduction (Clauses 0.1, 0.2, and 0.4), though the Notes provide context rather than impose standalone requirements. FDA explicitly rejected a suggestion that only "key parts" of the Introduction be incorporated. The effect of full IBR is that ISO 13485 has the force and effect of law, as if its text were published directly in the Code of Federal Regulations.

Yes, but only Clause 3 (Terms and definitions) of ISO 9000:2015 is incorporated by reference. ISO 13485 uses ISO 9000 as a normative reference for its vocabulary, and FDA incorporated Clause 3 of ISO 9000 to give those definitions legal effect within the QMSR. The remainder of ISO 9000 is not part of the QMSR.

No. ISO 14971 (Medical devices, Application of risk management to medical devices) is not directly incorporated by reference in the QMSR. However, ISO 13485 references ISO 14971 throughout its risk management provisions, and the QMSR's incorporation of ISO 13485 means that manufacturers must meet ISO 13485's risk management requirements, which in practice means using a risk management framework consistent with ISO 14971's principles. FDA explicitly declined to incorporate ISO 14971, but described it as "helpful in understanding application of ISO 13485." Most manufacturers continue to use ISO 14971 as their operational risk management standard.

Incorporation by reference is authorized under 5 U.S.C. 552(a) and 1 CFR Part 51. It allows federal agencies to give legal effect to privately developed technical standards that are published elsewhere, without reproducing the text in the Federal Register or CFR. Material that is incorporated by reference has the same force and effect as if it had been printed in the CFR. To be IBR'd, material must be approved by the Director of the Federal Register, which occurred for ISO 13485:2016 and Clause 3 of ISO 9000:2015 on February 2, 2026.

The full text of ISO 13485:2016 and Clause 3 of ISO 9000:2015 is available in read-only format at no cost through the American National Standards Institute's Incorporated by Reference portal at https://ibr.ansi.org/Standards/iso1.aspx. Purchasable copies are available from ISO at iso.org/store. ISO 9000:2015 terms and definitions are additionally available without cost at https://www.iso.org/obp/ui#iso:std:iso:9000:ed-4:v1:en. Physical copies can be inspected at FDA's Dockets Management Staff and at the National Archives and Records Administration.

No. Compliance with ISO 13485 alone does not fully satisfy the QMSR. ISO 13485 is the foundation, but the QMSR adds supplemental FDA-specific requirements at 21 CFR 820.10 (applicable regulatory requirements for UDI, traceability, MDR reporting, and advisory notices), 820.35 (record controls, specific complaint and servicing record content, UDI recording, confidentiality marking), and 820.45 (device labeling and packaging controls). A device manufacturer must satisfy ISO 13485 and these supplemental provisions.

Largely, yes. FDA has stated that compliance with the QMSR will largely satisfy the requirements of ISO 13485, though it cannot speak to whether this would be recognized by other jurisdictions. FDA does not issue certificates of conformance to ISO 13485, and is not a certifying body.

Any future revision of ISO 13485 would require FDA to evaluate the changes and determine whether the QMSR should be amended. Any amendment would go through formal rulemaking under the Administrative Procedure Act (5 U.S.C. 553) and require new approval of the incorporation by reference under 1 CFR Part 51. FDA participates in ISO Technical Committee 210, which maintains ISO 13485, and monitors revisions actively. The 2016 edition remains the incorporated version until a formal rulemaking changes it.

Where any clause of ISO 13485 conflicts with the FD&C Act or its implementing regulations, the FD&C Act and its implementing regulations control. 21 CFR 820.1(b) makes this explicit. FDA has identified two specific examples: (1) the FD&C Act definitions of "device" and "labeling" at sections 201(h) and 201(m) supersede ISO 13485's "medical device" and "labelling"; and (2) ISO 13485's "safety and performance" is construed as equivalent to "safety and effectiveness" under section 520(f) of the FD&C Act for purposes of the QMSR.

The Final Rule was published in the Federal Register on February 2, 2024 (89 FR 7496, Document No. 2024-01709). A technical correction followed on October 15, 2024 (89 FR 82945). The proposed rule had been published on February 23, 2022.

FDA set the effective date two years after publication to give manufacturers time to: update quality system documentation and terminology; train personnel on ISO 13485 and the supplemental QMSR requirements; conduct gap analyses against the new framework; revise procedures for records, complaints, labeling, and supplier controls; and integrate the removed §820.180(c) records (internal audits, management reviews, supplier audits) into inspection-ready status. FDA itself used the runway to update IT systems, train investigators, develop the new inspection process (Compliance Program 7382.850), and revise affected guidance and policy documents.

Close, but not fully. ISO 13485 certification covers the foundation of the QMSR, but does not cover the FDA-specific supplemental provisions. The most common gaps we see for ISO 13485-certified companies are: (1) the four applicable-regulatory-requirements anchors at 21 CFR 820.10(b), UDI per Part 830, traceability per Part 821 where applicable, MDR reporting per Part 803, and advisory notices per Part 806; (2) the specific content requirements for complaint records under 21 CFR 820.35(a), seven required fields including UDI/UPC, complainant contact info, corrections taken, and reply; (3) servicing record content under 820.35(b), six required fields; (4) device labeling and packaging controls at 820.45; (5) internal audit, management review, and supplier audit records now being inspectable by FDA (previously exempt under old §820.180(c)); and (6) definitional alignment, including the QMSR-specific definitions of "rework," "safety and performance," "implantable medical device," and the fact that the old terms "Device Master Record," "Design History File," and "Device History Record" no longer appear in the regulation.

The substantive obligations are largely preserved, but the procedural and documentary terrain shifts in several concrete ways: (1) internal audits, management reviews, and supplier audits are now inspectable (old §820.180(c) exception is gone); (2) DMR/DHF/DHR terminology is no longer codified, though you can keep those terms internally if you make the crosswalk explicit; (3) complaint records must contain the seven fields listed in §820.35(a); (4) servicing records must contain the six fields listed in §820.35(b); (5) UDI must be recorded for each medical device or batch (§820.35(c)); (6) "rework" is defined QMSR-specifically (not per ISO 9000) as action taken before distribution; and (7) "establish" is replaced with "document" per ISO 13485 Clause 0.2, which encompasses establishing, implementing, and maintaining. For a manufacturer already in compliance with both frameworks, the transition is primarily documentation alignment rather than new quality activities.

Yes. FDA published a technical correction on October 15, 2024 (89 FR 82945) that made minor technical clarifications to §820.3 definitions. The corrections did not change any substantive requirement; they refined the statement of how ISO 13485 and ISO 9000 definitions apply and the handling of terms that supersede ISO 13485.

FDA does not require manufacturers to perform a gap analysis. In FAQ #7, FDA notes that "a manufacturer may find it useful to complete some type of comparative analysis to demonstrate documents and records created prior to the QMSR effective date meet the QMSR requirements." That is a recommendation, not a requirement. However, given that the QMSR and QS Regulation are described as substantially similar in totality, with specific, identifiable differences, a documented gap analysis is the most defensible way to show an investigator that you have analyzed the delta and addressed it.

FDA has not mandated documentation of the gap analysis itself. However, the practical answer is yes. During inspection, an investigator reviewing a pre-February 2, 2026 record may ask how you determined that the record satisfies QMSR requirements. A documented comparative analysis, whether a crosswalk matrix, a revised procedure with rationale, or a management review action, provides a clean, auditable answer. An undocumented gap analysis is an assertion without evidence.

No. FDA has confirmed that records created before the effective date under the QS Regulation do not need to be re-created or remediated, because the substantive requirements are substantially similar. However, FDA investigators may review pre-effective-date records during post-effective-date inspections to determine QMSR compliance, which is why the optional comparative analysis in FAQ #7 is valuable, it demonstrates that your legacy records meet QMSR expectations without requiring rework.

FDA investigators assess compliance against the regulation in effect at the time of inspection, but they are assessing the record's substance and the manufacturer's ongoing quality system, not re-litigating compliance at the moment of creation. If a pre-February 2, 2026 record would also satisfy QMSR requirements (which should be true for most records given substantial similarity), it should not generate a 483. A 483 is more likely to arise if a manufacturer's current processes, procedures, or records do not meet QMSR requirements on or after the effective date, regardless of what was in place previously.

Yes, as a practical matter, a transition period produces mixed-era documentation. Records created before February 2, 2026 reference QSR terms and structure; records created on or after reference QMSR terms. FDA will not treat this as nonconformity, provided the substantive requirements are met in both eras. Good practice is to add a brief note to your quality manual or transition SOP explaining the transition and cross-walking legacy terms (DHF, DMR, DHR) to their QMSR equivalents (design and development file, Medical Device File, medical device/batch record).

No, provided your QMS as a whole was compliant on the effective date. Procedures evolve continuously under ISO 13485 Clause 4.2 and Clause 8, updates, corrective actions, and improvements are routine. The non-conformity question is whether your quality system was meeting QMSR requirements on and after February 2, 2026, not whether every procedure was revised on that specific calendar date. A post-effective-date procedure update that further aligns with QMSR is expected quality-system behavior.

FDA continues to review applications submitted under the QSR framework as they move through review. The QMSR does not retroactively invalidate submission documentation. However, manufacturers should expect that on-site inspections tied to the application (pre-approval inspections for PMAs, or establishment inspections following clearance/approval) conducted on or after February 2, 2026 will assess the manufacturer's QMS against QMSR requirements. Application-stage documentation typically does not need QMSR-specific revision, but the underlying quality system supporting the product must be QMSR-compliant at the time of inspection.

The 510(k) submission itself is a premarket notification, not a QMS audit. The content of a 510(k), indications for use, substantial equivalence rationale, performance data, labeling, is governed by the 510(k) regulations, not the QMSR. Your underlying quality system, however, must be QMSR-compliant on and after February 2, 2026, because that is the system that produces the device, supports the claims in the submission, and will be evaluated during any subsequent inspection. The FDA guidance Quality Management System Information for Certain Premarket Submission Reviews describes what QMS information may be requested during premarket review.

21 CFR 820.3 now adopts the definitions in ISO 13485 and Clause 3 of ISO 9000 as the default, with specific FDA-defined terms for concepts that must differ to align with the FD&C Act. The QMSR-specific definitions at §820.3 are: batch/lot, component, Federal Food, Drug, and Cosmetic Act, finished device, human cell, tissue, or cellular or tissue-based product (HCT/P) regulated as a device, remanufacturer, implantable medical device, manufacturer, organization (defined as equivalent to manufacturer), rework, and safety and performance. Definitions removed from the prior §820.3 include customer, design validation, nonconformity, process agent, process validation, rework (replaced with a QMSR-specific definition), top management, and verification, these now follow ISO 9000 Clause 3 or ISO 13485. The definition of product was also removed (now per ISO 13485) and establish was removed because ISO 13485 uses "document" to encompass establishing, implementing, and maintaining.

The term "establish" is no longer defined in the QMSR. ISO 13485 uses "document" to cover what the QS Regulation meant by "establish", namely, to define, implement, and maintain. Clause 0.2 of ISO 13485 clarifies that "document" encompasses these activities. Manufacturers updating SOPs and quality manuals for QMSR alignment should generally replace the phrase "establish and maintain" with "document" in procedural language, or confirm that the word "establish" in their documentation is understood in the ISO 13485 sense.

Under 21 CFR 820.3(b), "rework" means action taken on a nonconforming product so that it will fulfill the specified requirements in the medical device file (MDF) before it is released for distribution. FDA specifically declined to adopt the ISO 9000 definition of rework because it was important to make clear that rework only applies pre-distribution. Post-distribution actions on nonconforming product are corrections, corrective actions, field actions, recalls, or reworks handled under different authorities (e.g., 21 CFR Parts 7, 806, 810).

"Safety and performance" is ISO 13485's terminology. "Safety and effectiveness" is the FD&C Act's terminology under section 520(f). The QMSR at 21 CFR 820.3(b) resolves the tension by defining safety and performance to have the meaning of safety and effectiveness in Clause 0.1 of ISO 13485. In plain terms: wherever ISO 13485 says "safety and performance," read it as the FD&C Act's "safety and effectiveness" for U.S. regulatory purposes. The QMSR also clarifies that the use of "safety and performance" language does not relieve a manufacturer from any obligation to implement controls or measures that provide reasonable assurance of safety and effectiveness.

The term "Device Master Record" is no longer defined or used in the QMSR. The concept, product specifications, manufacturing procedures, QA procedures and specifications, packaging and labeling specifications, and installation/maintenance/servicing procedures, is now captured by the Medical Device File (MDF) described in ISO 13485 Clause 4.2.3. FDA has stated that retaining a separate DMR definition would be redundant and create confusion. You can keep the term "DMR" internally in your quality system, provided your procedures cross-walk DMR to MDF and your MDF meets ISO 13485 Clause 4.2.3 requirements.

The MDF covers the same operational need as the DMR but is broader in scope. ISO 13485 Clause 4.2.3 requires the MDF to contain or reference "a general description of the medical device, intended use, and labeling, including any instructions for use; specifications for product; specifications or procedures for manufacturing, packaging, storage, handling and distribution; procedures for measuring and monitoring; and, as appropriate, requirements for installation; and procedures for servicing." Commentary in AAMI/ISO guidance suggests the MDF can also include references to clinical data and risk management records. A DMR that was fully compliant with the old §820.181 likely covers most of the MDF's ground, but QMSR-aligned manufacturers should verify that clinical evaluation, risk management, and post-market data are either in the MDF or properly referenced from it.

The term "Design History File" is not defined in the QMSR, but the underlying requirement is preserved in ISO 13485 Clause 7.3.10, which requires the manufacturer to maintain a "design and development file" for each medical device type or medical device family. The file must contain, or reference, records generated to demonstrate conformity to the requirements for design and development, along with records of design and development changes. In substance, DHF and design and development file are the same artifact; in name, the QMSR uses ISO 13485's term.

The term "Device History Record" is not defined in the QMSR. Its functional equivalent is the medical device or batch record required by ISO 13485 Clause 7.5.1, which requires the manufacturer to maintain records for each medical device or batch of medical devices that demonstrate conformity to requirements and identify the amount manufactured and approved for distribution. In practice, manufacturers often combine the concepts as "Medical Device Batch Record" or similar, FDA has not objected to combined terminology as long as the substantive content requirements are met.

Yes. FDA has been explicit that manufacturers may continue to use legacy QSR terms internally, provided (1) the underlying records meet ISO 13485 and QMSR content requirements, and (2) your quality manual or a dedicated SOP makes the crosswalk explicit, mapping each legacy term to its QMSR/ISO 13485 equivalent. Investigators will assess substance, not nomenclature.

The QMSR uses the ISO 9000 Clause 3 definition of "top management" (Clause 3.1.1): the person or group of people who direct and control an organization at the highest level. FDA replaced the former QSR term "management with executive responsibility" with "top management" to harmonize with ISO 13485. The substantive expectation, that executive-level leadership drives the QMS and embeds a culture of quality, remains unchanged.

The QMSR adopts the ISO 9000 definition of customer rather than defining it separately. The prior QS Regulation definition of customer has been removed. For the customer property requirements in ISO 13485 Clause 7.5.10, FDA has clarified that manufacturers must comply to the extent necessary to assure device safety and effectiveness under section 520(f) of the FD&C Act; FDA does not intend to enforce Clause 7.5.10 for activities beyond that scope.

21 CFR 820.3(b) defines "organization" as having the meaning of "manufacturer" as defined in the QMSR. This is a simple equivalence: wherever ISO 13485 says "organization," read "manufacturer" for U.S. regulatory purposes.

21 CFR 820.3(b) defines "manufacturer" as any person who designs, manufactures, fabricates, assembles, or processes a finished device. The definition explicitly includes contract sterilizers, installers, relabelers, remanufacturers, repackagers, specification developers, and initial distributors of foreign entities performing these functions. This definition supersedes the ISO 13485 definition for U.S. regulatory purposes.

A remanufacturer is any person who processes, conditions, renovates, repackages, restores, or does any other act to a finished device that significantly changes the finished device's performance or safety specifications, or intended use. This definition is at 21 CFR 820.3(a) and is unchanged from the QS Regulation.

21 CFR 820.3(b) defines implantable medical device by reference to 21 CFR 860.3, which defines "implant." This FDA-specific definition supersedes ISO 13485's definition. Implantable medical devices carry additional QMSR obligations, including enhanced traceability under ISO 13485 Clause 7.5.9.2, as extended by 21 CFR 820.10(d) to devices that support or sustain life.

21 CFR 820.3(a) defines component as any raw material, substance, piece, part, software, firmware, labeling, or assembly that is intended to be included as part of the finished, packaged, and labeled device. This definition is unchanged from the QS Regulation. Software and firmware are explicitly components.

Yes. 21 CFR 820.3(a) defines batch or lot as one or more components or finished devices that consist of a single type, model, class, size, composition, or software version that are manufactured under essentially the same conditions and that are intended to have uniform characteristics and quality within specified limits. These terms are used in ISO 13485 but are not defined there or in ISO 9000, so FDA retained the QS Regulation definition.

21 CFR 820.35 is the QMSR's control-of-records supplement to ISO 13485 Clause 4.2.5. It adds four specific requirements: (a) complaint records must contain seven specified data fields; (b) servicing records must contain six specified data fields; (c) UDI must be recorded for each medical device or batch; and (d) records deemed confidential by the manufacturer may be marked to aid FDA in applying Part 20 public information regulations.

For any complaint that must be reported to FDA under 21 CFR Part 803, that the manufacturer determines must be investigated, or that the manufacturer investigated regardless of those requirements, the record must contain: (1) the name of the device; (2) the date the complaint was received; (3) any UDI or UPC, and any other device identification(s); (4) the name, address, and phone number of the complainant; (5) the nature and details of the complaint; (6) any correction or corrective action taken; and (7) any reply to the complainant. For any complaint involving the possible failure of a device, labeling, or packaging to meet its specifications, the manufacturer must maintain records of the review, evaluation, and investigation, unless a similar complaint has already been investigated, in which case the justification for not performing another investigation must be documented.

At minimum: (1) the name of the device serviced; (2) any UDI or UPC, and any other device identification(s); (3) the date of service; (4) the individual(s) who serviced the device; (5) the service performed; and (6) any test and inspection data.

Per 21 CFR 820.35(c), the UDI must be recorded for each medical device or batch of medical devices in records maintained under ISO 13485 Clauses 7.5.1 (control of production and service provision), 7.5.8 (identification), and 7.5.9 (traceability). UDI is also a required field in complaint records and servicing records. The operational implication is that device identification records must consistently capture UDI throughout the product lifecycle.

Yes. 21 CFR 820.35(d) expressly permits manufacturers to mark records deemed confidential, including trade secrets, commercially confidential information, or otherwise sensitive material, to aid FDA in applying the public information regulations at 21 CFR Part 20. Marking does not guarantee non-disclosure, but it puts FDA on notice to apply Part 20 analysis before any release.

The QMSR itself does not impose new electronic signature requirements. 21 CFR Part 11 (Electronic Records; Electronic Signatures) continues to apply to records that are required to be maintained under the QMSR and that are kept in electronic form. ISO 13485 Clauses 4.2.4 and 4.2.5 require document and record controls, which in electronic systems means Part 11-compliant controls for authenticity, integrity, and (where signatures are used) non-repudiation. Notably, FDA removed from §820.35 the prior QSR-era requirement to "obtain the signature for each individual who approved or re-approved the record, and the date of such approval, on that record", meaning that electronic approval workflows with version history and appropriate controls are now clearly acceptable for record approval without requiring per-record signatures, so long as ISO 13485 Clauses 4.2.4 and 4.2.5 are satisfied.

No. The QMSR does not require individual signatures on each record approval. Document approval under ISO 13485 Clause 4.2.4 requires that documents are reviewed and approved for adequacy prior to issue, and that changes and current revision status are identified, which can be satisfied through controlled electronic workflows with audit trails rather than wet-ink or individual electronic signatures on every version. Part 11 applies if signatures are used electronically.

The QMSR eliminates the old §820.180(c) exemption that kept internal audits, management review reports, and supplier audits out of FDA's inspection scope. FDA now has the authority to inspect these records. The regulation does not specify a lookback window; in practice, FDA investigators typically request records covering the period since the last inspection, or a period tied to the scope of the specific inspection (for-cause, pre-approval, routine surveillance). Manufacturers should be prepared to produce these records within the standard inspection-response expectations.

No. The confidentiality exception that previously existed under §820.180(c) is not maintained in the QMSR. FDA has the authority to inspect management review, quality audit, and supplier audit reports. FDA's rationale, stated in the preamble, is that manufacturers already provide these records to other regulators (e.g., notified bodies, MDSAP auditors) and keep them as part of routine business, so making them available to FDA investigators imposes minimal additional burden.

Yes, but the nuance matters. FDA investigators can review internal audit findings, and observations in those findings can inform a 483 observation. However, an identified, documented internal audit finding that the manufacturer has entered into CAPA or a documented corrective action plan is generally evidence of a functioning quality system, not a deficiency. Investigators look for unresolved findings, systemic patterns, or evidence that internal audits are not effective at identifying problems the investigator independently finds. A 483 is more likely where internal audits repeatedly miss issues, or where findings sit without documented corrective action.

Not typically. FDA investigators generally recognize an effective internal audit process as evidence of a compliant quality system. If an issue is documented, assigned in a CAPA or correction workflow with evidence of timely, appropriate action, and progressing toward closure, the investigator may note the item in the Establishment Inspection Report (EIR) but is unlikely to issue a 483 observation. An investigator will issue a 483 if the internal audit found the problem but no corrective action was initiated, or if the manufacturer failed to follow its own procedures for addressing findings.

All Class II devices, all Class III devices, and the specific Class I devices listed in 21 CFR 820.10(c) must comply with the design and development requirements in ISO 13485 Clause 7.3 and its subclauses. The Class I devices subject to design controls are: (1) devices automated with computer software; and (2) the devices listed in Table 1 to §820.10(c)(2): tracheobronchial suction catheters (868.6810), non-powdered surgeon's gloves (878.4460), protective restraints (880.6760), manual radionuclide applicator systems (892.5650), and radionuclide teletherapy sources (892.5740).

No. Class I devices are subject to the QMSR except where a specific classification regulation exempts them from CGMP requirements (exemptions published in the Federal Register and codified in 21 CFR Parts 862–892). Even Class I devices that are CGMP-exempt must maintain complaint files and comply with general record requirements at 21 CFR 820.35. Design controls under ISO 13485 Clause 7.3 apply only to the Class I devices identified in 21 CFR 820.10(c), not to all Class I devices.

Yes. Devices manufactured under an Investigational Device Exemption are not exempt from design and development requirements. 21 CFR 820.10(c) requires IDE-stage devices in the applicable classes to comply with ISO 13485 Clause 7.3. FDA has explicitly stated that IDE devices are subject to design controls.

ISO 13485 Clause 7.3.10 requires the manufacturer to maintain a design and development file for each medical device type or medical device family. The file must contain or reference records generated to demonstrate conformity to the design and development requirements, and records of design and development changes. Functionally, this is the QMSR equivalent of the former Design History File, the repository of design inputs, outputs, verification, validation, transfer, and change records.

The substantive requirements are substantially similar but organized and worded differently. ISO 13485 Clause 7.3 covers design and development planning (7.3.2), inputs (7.3.3), outputs (7.3.4), review (7.3.5), verification (7.3.6), validation (7.3.7), design transfer (7.3.8), changes (7.3.9), and the design and development file (7.3.10). Former §820.30 covered the same concepts under different headings. One practical shift: ISO 13485 more explicitly integrates risk management throughout design and development (Clauses 7.1 and 7.3.3 require design inputs to address applicable risk management outputs). Manufacturers migrating SOPs from §820.30 to Clause 7.3 should verify that risk integration is explicit in design-phase procedures.

Risk management is integrated throughout ISO 13485, not housed in a single clause. Key anchors include: Clause 4.1 (general QMS requirements, risk-based approach to processes), Clause 7.1 (planning of product realization with risk management), Clause 7.3 (design and development, including risk management outputs as inputs), Clause 7.4 (purchasing, with supplier evaluation criteria proportionate to risk), Clause 7.5 (production and service provision, with risk-proportionate controls), Clause 7.6 (control of monitoring and measuring equipment), and Clause 8.2 (monitoring and measurement, including complaint handling and feedback). The integrated structure makes risk management a continuous thread rather than a standalone process.

ISO 14971 is not directly incorporated by reference. However, ISO 13485 explicitly requires application of risk management throughout the product lifecycle, and the standard referenced throughout ISO 13485's risk management language is ISO 14971. Regulators, notified bodies, and FDA investigators effectively expect a risk management framework consistent with ISO 14971 principles. A manufacturer can in theory use a different framework, but would need to demonstrate equivalent rigor across hazard identification, risk estimation, risk evaluation, risk control, residual risk evaluation, risk/benefit analysis, and production and post-production monitoring. For most manufacturers, ISO 14971 remains the operational risk management standard.

No. The QMSR does not require a specific organizational structure or a dedicated risk management department. ISO 13485 requires risk management activities, competent personnel, and documented processes, but how a manufacturer organizes those activities is at the manufacturer's discretion. Small and mid-size manufacturers frequently integrate risk management within quality, regulatory, or engineering functions. The requirement is effective risk management, not a specific reporting structure.

ISO 14971 and ISO 13485 do not mandate specific risk analysis tools. Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Hazard Analysis and Critical Control Points (HACCP), Preliminary Hazard Analysis (PHA), and others are all acceptable techniques. What matters is that the chosen technique (or combination) is appropriate to the device, systematically identifies hazards and hazardous situations, estimates and evaluates risk, and supports risk control decisions. FMEA alone is often insufficient for complex systems with multiple failure cascades, FTA or combined top-down/bottom-up analysis may be warranted. The choice of technique should be justified and documented.

In the QMSR preamble, FDA characterizes culture of quality as a set of behaviors, attitudes, activities, and processes through which top management integrates QMS processes to ensure regulatory requirements are consistently met, with quality built into products through design and manufacturing control rather than inspected or tested in. FDA does not assess culture of quality through a standalone metric or 483 observation category. Culture of quality manifests in investigator-observable evidence: consistency of procedure execution, quality of management review inputs and outputs, effectiveness of internal audits, responsiveness of CAPA, tone and substance of interactions between quality and other functions, and completeness of risk-based decision-making across the lifecycle. A weak culture of quality typically surfaces through a pattern of 483 observations rather than a single direct citation.

The QMSR incorporates ISO 13485 Clause 7.4 (Purchasing), which requires the manufacturer to: (1) document procedures to ensure purchased products conform to specified requirements; (2) establish criteria for supplier evaluation and selection based on supplier ability to provide conforming product, supplier performance, effect on device quality, and risk; (3) plan monitoring and re-evaluation commensurate with the risk; (4) document agreements under which the supplier notifies the manufacturer of changes to purchased product; (5) document purchasing information that describes the purchased product; and (6) verify purchased products against specified purchasing requirements. FDA layered no supplemental requirements on top of Clause 7.4 in the QMSR.

ISO 13485 Clause 7.4.2 requires documented agreements covering supplier notification of changes to purchased product. In practice, this is typically operationalized as a written quality agreement covering at minimum: scope of supplied product/service, applicable quality system requirements, change notification, access for audits, records retention, and escalation for non-conformance. While the standard does not mandate a single document called "quality agreement," the documented agreement requirement is best satisfied by a formal quality agreement, and this is the industry norm.

A desktop (remote/document-based) audit can be acceptable as part of a risk-based supplier evaluation and monitoring program, depending on the risk the supplier presents. ISO 13485 Clause 7.4.1 requires the extent of supplier control to be proportionate to the effect of the purchased product on subsequent realization or on the medical device itself. For lower-risk suppliers with strong documentary evidence and historical performance, desktop audits may be adequate. For higher-risk suppliers, especially those of critical components, sterile materials, or bespoke custom parts, on-site audits may be warranted. The key expectation is that your supplier control procedure defines the criteria for audit type (desktop vs. on-site), the rationale is documented, and the chosen approach is demonstrably effective.

No. FDA declined to adopt the MDSAP concept of "critical supplier" into the QMSR. The preamble explains that ISO 13485 Clause 7.4 addresses supplier criticality through a process of continuous risk-proportionate evaluation, and that a standalone "critical supplier" definition is not needed for QMSR purposes. Manufacturers may still use the concept internally for supplier segmentation, and MDSAP participants will continue to encounter the term in MDSAP audits.

ISO 13485 Clause 7.4.2 requires documented agreements for suppliers to notify the manufacturer of changes to purchased product that may affect the manufacturer's ability to meet specified purchasing requirements. Operationalized, this means: (1) a formal change notification clause in every supplier quality agreement; (2) defined categories of notifiable change (material, process, sub-supplier, location, software version, sterilization method, etc.); (3) required lead time for notification before implementation; (4) a manufacturer-side process to evaluate notified changes for impact on the finished device (including design impact, risk impact, regulatory filing impact); (5) a hold mechanism to prevent receipt of changed product until impact is assessed; and (6) periodic audit or questionnaire verification that the supplier is complying with the notification obligation.

No, manufacturers of off-the-shelf components are not subject to the QMSR (as components are not finished devices). The finished device manufacturer remains responsible for verifying that OTS components meet specified purchasing requirements under ISO 13485 Clause 7.4.3, for assessing supplier capability, and for risk-proportionate controls. For OTS components without transparent supplier quality systems (e.g., commodity electronics, standard fasteners), the manufacturer typically relies on incoming inspection, certificates of conformance, historical performance, and risk analysis, in combination, proportionate to the component's impact on device safety and effectiveness.

No. FDA establishment registration under section 510 of the FD&C Act is a legal obligation of the establishment that performs the registrable activity (manufacture, preparation, propagation, compounding, or processing of a device). A finished-device manufacturer cannot register its supplier, the supplier must register its own establishment if it meets the registration criteria. The scope of registration (section 510) and the scope of the QMSR (section 520(f)) are distinct and serve different purposes.

Not necessarily. FDA may inspect a supplier under various inspection types, routine surveillance (risk-based), pre-approval, for-cause (triggered by a specific concern), or follow-up. A supplier participating in MDSAP is not exempt from FDA inspection, and FDA inspection does not automatically imply for-cause status. The inspection type is assigned by FDA based on its own scheduling criteria. To determine whether a specific inspection was for-cause, review the Form 482 (Notice of Inspection) and any accompanying correspondence, or contact the supplier directly.

Yes. CAPA remains a core QMSR requirement. The confusion on this point is linguistic: ISO 13485 separates corrective action (Clause 8.5.2) and preventive action (Clause 8.5.3) into two distinct clauses with distinct requirements, whereas the former §820.100 combined them into one "corrective and preventive action" procedure. The substance of CAPA, identifying, investigating, and addressing actual and potential nonconformities; verifying effectiveness; preventing recurrence, is fully preserved. Many manufacturers continue to maintain a unified CAPA process internally, as long as both corrective action (Clause 8.5.2) and preventive action (Clause 8.5.3) requirements are independently satisfied.

ISO 13485 Clause 8.5.2 (Corrective action) addresses elimination of the cause of an actual nonconformity to prevent recurrence; Clause 8.5.3 (Preventive action) addresses elimination of the cause of a potential nonconformity to prevent occurrence. Both clauses require documented procedures covering: review of the nonconformity (or potential nonconformity), determination of causes, evaluation of the need for action, determination and implementation of action, verification that action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the device, review of the effectiveness of action taken, and records of the outcome.

"Correction" refers to action to eliminate a detected nonconformity, for example, scrap, repair, rework, or adjustment. "Corrective action" refers to action to eliminate the cause of a nonconformity to prevent recurrence. A correction fixes the immediate problem; corrective action addresses the root cause. Both concepts are defined in ISO 9000 Clause 3 and are incorporated by reference in the QMSR. 21 CFR 820.35(a)(6) specifically requires complaint records to document "any correction or corrective action taken," tracking both concepts.

Complaint handling is governed by ISO 13485 Clause 8.2.2, supplemented by 21 CFR 820.35(a). Clause 8.2.2 requires a documented process for timely complaint handling including receiving and recording information; evaluating whether the feedback constitutes a complaint; investigating complaints; determining the need for reporting to regulatory authorities; handling complaint-related product; and determining the need to initiate correction or corrective action. §820.35(a) then adds the seven specific data fields required in complaint records (listed in the Records section above) and specifies that for complaints involving possible failure to meet specifications, review/evaluation/investigation records must be maintained, unless a prior investigation of a similar complaint justifies not repeating the investigation, in which case that justification must be documented.

Medical Device Reporting under 21 CFR Part 803 is preserved as a regulatory obligation alongside the QMSR. 21 CFR 820.10(b)(3) requires the manufacturer to notify FDA of complaints that meet the reporting criteria of Part 803 in order to fully comply with ISO 13485 Clause 8.2.3 (Reporting to regulatory authorities). In other words, ISO 13485 Clause 8.2.3 sets the general expectation of reporting to regulatory authorities, and the QMSR anchors the U.S.-specific requirement to Part 803.

Advisory notices, the ISO 13485 term that encompasses field corrections, recalls, and similar communications, are addressed in ISO 13485 Clauses 7.2.3, 8.2.3, and 8.3.3. Under 21 CFR 820.10(b)(4), advisory notices must be handled in accordance with 21 CFR Part 806 (Reports of Corrections and Removals). Manufacturers must maintain procedures for issuing advisory notices, for reporting corrections and removals to FDA under Part 806, and for ensuring that advisory notices are effective.

Post-market activities are embedded throughout ISO 13485: complaint handling (8.2.2), reporting to regulatory authorities (8.2.3), data analysis (8.4), corrective and preventive action (8.5.2, 8.5.3), and advisory notices (8.3.3). These constitute the post-market components of the QMS. Formal post-market surveillance obligations under 21 CFR Part 822, the 522 post-approval studies program, and condition-of-approval studies are separate regulatory requirements that operate alongside the QMSR. The QMSR ensures that the data flowing from these programs is managed through a controlled quality system.

21 CFR 820.45 supplements ISO 13485 Clause 7.5.1 (Control of production and service provision) with specific device labeling and packaging controls. Each manufacturer must document and maintain procedures describing activities to ensure the integrity, inspection, storage, and operations for labeling and packaging during customary conditions of processing, storage, handling, distribution, and, as appropriate, use. Labeling and packaging must be examined for accuracy before release or storage, specifically checking: (1) correct UDI/UPC or other device identifier; (2) expiration date; (3) storage instructions; (4) handling instructions; and (5) any additional processing instructions. Labeling release must be documented per ISO 13485 Clause 4.2.5, and labeling and packaging operations must prevent mix-ups, including inspection before use to verify correct labeling and packaging as specified in the Medical Device File.

UDI must appear in: complaint records (§820.35(a)(3)), servicing records (§820.35(b)(2)), medical device/batch records (§820.35(c), applied to ISO 13485 Clauses 7.5.1, 7.5.8, 7.5.9), and labeling/packaging verification records (§820.45(a)(1)). UDI management is governed by 21 CFR Part 830, which the QMSR anchors through 21 CFR 820.10(b)(1) (Clause 7.5.8, Identification).

Whether a field action is classified as a recall turns on the nature of the labeling deficiency and the regulatory framework that applies. Under 21 CFR Part 830, UDI must be on both the device label and each higher level of packaging (with some exceptions). A missing UDI on the device label is a labeling nonconformity under the UDI rule. Whether the subsequent field action is reportable as a recall under 21 CFR Part 806 depends on whether the action is being taken to address a violation of the FD&C Act (which a missing UDI arguably is) and whether the correction is intended to reduce a risk to health. Manufacturers facing this scenario typically consult with FDA's Division of Industry and Consumer Education or counsel to determine whether the field action is reportable as a correction/removal under Part 806 and how to classify it.

Before release or storage, labeling and packaging must be examined for accuracy on: correct UDI/UPC or other identifier; expiration date; storage instructions; handling instructions; and any additional processing instructions. The examination must be documented. Labeling release must be documented per ISO 13485 Clause 4.2.5 (Control of records).

21 CFR 820.45(c) requires manufacturers to establish and maintain labeling and packaging operations that prevent mix-ups, including inspection of labeling and packaging before use to ensure all devices have correct labeling and packaging as specified in the Medical Device File. Inspection results must be documented per ISO 13485 Clause 4.2.5. Operational controls typically include physical segregation of labels by product, clearance of labeling lines between product runs, dedicated storage for obsolete labeling, electronic control of label printing, and line-clearance records.

Compliance Program 7382.850 is the updated Inspection of Medical Device Manufacturers Compliance Program that FDA began using on February 2, 2026 for QMSR-era inspections. It replaces the former Quality System Inspection Technique (QSIT) and the prior Compliance Program 7382.845, as well as the PMA Preapproval and Postmarket Inspections program 7383.001. Compliance Program 7382.850 is the operational framework FDA investigators now use to plan, conduct, and report device inspections under the QMSR. The current version is available on the CDRH Compliance Programs webpage at fda.gov/medical-devices/quality-and-compliance-medical-devices/center-devices-and-radiological-health-cdrh-compliance-programs.

No. The Quality System Inspection Technique (QSIT) was withdrawn on February 2, 2026. QSIT had been FDA's inspection approach since 1999, organized around four major subsystems (Management Controls, Design Controls, CAPA, and Production and Process Controls). Compliance Program 7382.850 now governs QMSR-era inspections.

FDA investigators may review any record that is part of the manufacturer's QMS, including records created before February 2, 2026. Critically, the QMSR eliminated the old §820.180(c) exemption that kept internal audit reports, management review reports, and supplier audit reports out of FDA's inspection scope. Under the QMSR, these records are fully inspectable.

Yes. This is one of the most significant operational changes under the QMSR. The §820.180(c) exemption that previously protected internal audit reports, management review reports, and supplier audit reports from FDA review is eliminated. FDA's rationale, stated in the preamble, is that manufacturers already provide these documents to other regulators and auditors (notified bodies, MDSAP auditors, certification bodies) and maintain them as a matter of normal business, so making them available to FDA does not impose substantial additional burden.

Yes. Management review records are no longer exempt from FDA review. ISO 13485 Clause 5.6 requires management review with defined inputs (feedback, complaint handling, reporting to regulatory authorities, audits, process monitoring, product monitoring, corrective and preventive action, follow-up actions from previous management reviews, changes affecting the QMS, recommendations for improvement, applicable new or revised regulatory requirements) and defined outputs (improvements to maintain QMS effectiveness and processes, improvements to product related to customer requirements, changes needed to respond to applicable regulatory requirements, resource needs). Investigators will expect to see that management reviews are occurring at planned intervals, that all required inputs are addressed, that outputs translate into action, and that the process is generating real insight, not performed as a formality.

Yes. Supplier audit reports are no longer exempt from FDA review. Under ISO 13485 Clause 7.4.1, suppliers are evaluated based on risk-proportionate criteria; audits (when performed) produce records that FDA investigators may request.

Both are post-inspection or post-investigation regulatory communications from FDA, but they differ in severity and consequence. An Untitled Letter addresses violations that do not meet the threshold for a Warning Letter, typically lower-severity concerns that FDA wants to put in writing. Untitled Letters are generally not public-facing in the same way Warning Letters are, do not carry the same implications for contracts, reimbursement, or export certificates, and do not typically trigger follow-up inspection. A Warning Letter is FDA's formal notice of significant violations, is publicly posted on FDA's website, typically requires a written response within 15 working days, and often precedes enforcement action (seizure, injunction, consent decree) if violations are not adequately addressed. Warning Letters are issued after CDRH and the Office of Chief Counsel review and concur.

A for-cause inspection is initiated in response to a specific concern about a manufacturer's compliance or a specific product issue. Common triggers include: a high volume or severity of MDR reports associated with a device; a significant recall (Class I or Class II); a consumer complaint or whistleblower report that FDA decides to investigate; data submitted with an application that raises concerns; adverse trends in post-market surveillance; competitor complaints or allegations; follow-up to a prior Warning Letter or consent decree; and findings from inspections of related establishments (e.g., a supplier's inspection identifies issues with a finished device manufacturer). Compliance Program 7382.850 defines the operational criteria and scope for for-cause inspections.

No. Routine surveillance inspections are scheduled on a risk-based cycle and are distinct from for-cause inspections. Routine surveillance examines the manufacturer's overall QMS compliance; for-cause inspections are scoped to a specific concern. Both are governed by Compliance Program 7382.850 but have different triggers, scopes, and operational expectations.

No. FDA inspections under the QMSR do not follow the MDSAP audit plan or procedures. FDA will not require certificates of conformance to ISO 13485, will not issue them, and will not treat an ISO 13485 certificate as exempting a manufacturer from inspection. FDA inspections assess compliance with FDA regulations (the QMSR plus any applicable FDA-specific requirements) and are scheduled based on FDA's own risk factors. MDSAP third-party audits assess conformance to a standard and occur on an annual basis over a three-year cycle.

The best preparation is sustained compliance, but there are specific, QMSR-era priorities: (1) ensure your internal audits, management reviews, and supplier audits are current, complete, and defensible, these are now inspectable; (2) verify that complaint records contain all seven §820.35(a) fields and that servicing records contain all six §820.35(b) fields; (3) confirm UDI is recorded in all required record types; (4) have a documented crosswalk from any legacy QSR terminology (DMR, DHF, DHR) to QMSR/ISO 13485 equivalents if you still use legacy terms; (5) prepare a front-room/back-room operational plan so document retrieval is timely and accurate; (6) ensure Subject Matter Experts for each major QMS process are available and briefed; (7) conduct a mock inspection using Compliance Program 7382.850 as the framework; and (8) maintain a current regulatory intelligence feed so team members can speak confidently about recent FDA guidance.

Yes. Most domestic FDA inspections are unannounced, investigators arrive without prior notice and present a Form 482 (Notice of Inspection). Mock audits that simulate the arrival, check-in, Form 482 presentation, and first-hour scramble produce more realistic training than pre-scheduled simulations. For international inspections, FDA typically provides advance notice due to travel and visa logistics, so a mix of mock audit scenarios (announced for international, unannounced for domestic) aligns practice to reality.

These are inspection-management roles. The front room is where the FDA investigator is actively working, interviewing Subject Matter Experts, reviewing documents, and observing operations. The back room is a separate space where the manufacturer's inspection management team (typically quality, regulatory, operations, and legal) coordinates document retrieval, prepares SMEs before they enter the front room, reviews documents before they are produced to the investigator, logs every document provided, tracks questions asked, and prepares strategic responses to investigator observations. The separation prevents uncoordinated responses and ensures that every document and statement presented to the investigator has been reviewed.

There is no regulatory "rule of thumb" for document-production timing, but common operational practice is to target 15–30 minutes for routine document requests, with longer windows explicitly negotiated for complex retrievals. Investigators understand that some records require more time to locate, verify, and review, but sustained slow production can itself become an observation if it suggests the manufacturer cannot readily access its own QMS records. The operational goal is prompt, accurate, complete production of the exact document requested, not a related document, not a partial set.

Early inspection feedback (based on publicly shared manufacturer experiences and FDA's own town halls since February 2026) suggests investigators are focused on: (1) internal audit and management review effectiveness, now-inspectable records are drawing scrutiny; (2) supplier controls, with attention to risk-proportionate evaluation and change notification; (3) complaint record completeness against the seven §820.35(a) fields; (4) risk management integration throughout the QMS (not just a standalone risk file); (5) alignment between documented procedures and actual practice; and (6) UDI completeness across record types. Investigators have also shown some variability as they themselves gain experience with QMSR-era inspections, some have asked for records using legacy QSR terminology, which manufacturers have addressed by providing both the legacy and QMSR-era equivalents.

Yes. 21 CFR 820.10(e) is explicit: failure to comply with any applicable requirement of Part 820 renders a device adulterated under section 501(h) of the FD&C Act, and the device and any person responsible for the failure are subject to regulatory action. The adulteration framework is unchanged by the QMSR.

FDA has not publicly committed to using generative AI to analyze documents received during inspections. FDA's use of document-sharing platforms (including DropBox and FDA's own secure transfer systems) during inspections is established practice; how FDA internally processes those documents, including whether AI tools are used in analysis, is subject to FDA IT policy and is not publicly detailed. Manufacturers concerned about the handling of confidential information should use the confidentiality marking provision at 21 CFR 820.35(d) and ensure that any sensitive records produced to FDA are appropriately marked.

FDA has publicly signaled increased international inspection capacity as a strategic priority, and harmonization with ISO 13485 is one enabler, investigators trained on the internationally recognized framework can more readily inspect foreign establishments that operate under the same standard. Manufacturers with foreign manufacturing sites should assume a continued or increased inspection cadence and prepare accordingly.

Yes. The Medical Device Single Audit Program (MDSAP) remains voluntary. Manufacturers who choose to participate continue to do so, and those who do not participate are not required to. MDSAP audits continue to serve their original function, reducing duplicate audits across participating regulatory authorities (Australia, Brazil, Canada, Japan, and the United States).

No. FDA has been explicit that neither an MDSAP certificate nor an ISO 13485 certificate exempts a manufacturer from FDA inspection. FDA does not require certificates of conformance to ISO 13485, does not issue them, and schedules inspections based on its own risk factors independent of third-party audit status.

No. FDA inspections are conducted under Compliance Program 7382.850, not the MDSAP audit approach. The two frameworks assess different things: FDA inspections assess compliance with U.S. regulations (the QMSR and applicable FDA-specific requirements), while MDSAP audits assess conformance to ISO 13485 plus the country-specific requirements of each participating regulator.

FDA has the authority to inspect any QMS record under the QMSR, which includes MDSAP audit reports maintained by the manufacturer. MDSAP reports are also shared with participating regulatory authorities under the MDSAP agreement, which means FDA receives them for MDSAP-participating manufacturers through that information-sharing mechanism. A manufacturer should assume that any MDSAP audit report is potentially available to FDA.

The MDSAP Regulatory Authority Council periodically updates the MDSAP Audit Model and associated documentation to reflect changes in participating regulators' frameworks. At present, the MDSAP Audit Model continues to reference 21 CFR Part 820 terminology (including DMR, DHF, DHR) for the U.S. jurisdiction. As the MDSAP Regulatory Authority Council reviews and updates its documentation, revisions will reflect the QMSR's incorporation of ISO 13485 and its supplemental provisions. Until those updates propagate, manufacturers participating in MDSAP may encounter hybrid terminology in audits.

Yes. A QMS that uses ISO 13485 / QMSR terminology as the controlling framework, and provides cross-walks to legacy QSR terms (DMR, DHF, DHR) where needed for MDSAP audits or internal continuity, is a defensible approach. The operational best practice is: (1) make ISO 13485 / QMSR terminology the primary framework in all procedures and records; (2) include an explicit terminology crosswalk in your quality manual or a dedicated SOP; (3) ensure substantive content meets ISO 13485 / QMSR requirements regardless of terminology; (4) in MDSAP audits, present both terminologies as appropriate to the audit's scope.

No. QMSR compliance does not automatically confer compliance with the EU Medical Device Regulation (EU 2017/745) or the In Vitro Diagnostic Medical Devices Regulation (EU 2017/746). MDR and IVDR establish their own specific requirements, notified body involvement, technical documentation structure, clinical evaluation and post-market clinical follow-up, EUDAMED registration, authorized representative designation, and many others, that are not part of the QMSR. A manufacturer selling into both markets must satisfy both frameworks. ISO 13485 conformity is a foundation for both, but neither FDA's QMSR nor EU MDR/IVDR accepts ISO 13485 alone as sufficient.

Canada is an international jurisdiction for FDA regulatory purposes. Devices manufactured in Canada for U.S. distribution are subject to the QMSR, and Canadian manufacturers are subject to FDA inspection. Canada is also a participating regulator in MDSAP, which means Canadian device manufacturers often use MDSAP to satisfy Health Canada's Medical Devices Regulations (SOR/98-282) alongside other jurisdictions' requirements.

The Final Rule made conforming edits to 21 CFR Part 4 to clarify the device QMS requirements for combination products. These edits updated references to replace "QS regulation" with "QMSR" and adjusted specific provisions in §4.4 (Current Good Manufacturing Practice Requirements for Combination Products) to reflect ISO 13485 clause structure, including explicit references to §820.10 general requirements, risk management documentation (§4.4(b)(1)(ii)), and analysis of data / complaint handling (§4.4(b)(1)(iv), referencing Clause 8.2.2 and §820.35(a)). The substantive CGMP requirements for combination products did not change.

A drug-led combination product continues to be governed primarily by drug CGMP (21 CFR Parts 210 and 211), with specific device-specific requirements imposed by Part 4. Under the streamlined option in §4.4, a combination product manufacturer that demonstrates compliance with drug CGMP plus the specified device-specific provisions (design controls, purchasing controls, CAPA, and installation/servicing requirements as applicable) satisfies the CGMP requirements for both constituents. The QMSR's conforming edits to Part 4 updated the device-specific provisions to reflect ISO 13485 clause structure but did not change the streamlined option's fundamental logic.

PAI scheduling is at FDA's discretion based on the risk profile of the application and the facility's inspection history. For drug-device combination products, the PAI may be conducted by CDER's inspection program, CDRH's inspection program, or a coordinated team, depending on the nature of the combination and the primary mode of action. Manufacturers expecting a PAI should prepare for inspection against both the applicable drug CGMP requirements and the QMSR's device-specific requirements as streamlined through Part 4.

The QMSR itself does not create new cybersecurity requirements. FDA's cybersecurity expectations for medical devices are articulated primarily in section 524B of the FD&C Act (added by the Consolidated Appropriations Act, 2023) for cyber devices, and in FDA guidance documents including Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (September 2023). The QMSR provides the quality system framework within which cybersecurity activities occur, design controls (ISO 13485 Clause 7.3), risk management (Clause 7.1 and throughout), supplier controls for third-party software components (Clause 7.4), complaint handling for cybersecurity-related feedback (Clause 8.2.2), and CAPA (Clauses 8.5.2, 8.5.3). Cybersecurity requirements layer onto the QMSR through device-specific and premarket pathways, not through the QMSR text itself.

Yes. SaMD is a finished device under 21 CFR 820.3(a) and is subject to the QMSR. The design controls at ISO 13485 Clause 7.3 apply to Class II and Class III SaMD, and to Class I SaMD that meets the automated-with-computer-software criterion at 21 CFR 820.10(c)(1). SaMD manufacturers must additionally address IEC 62304 (software life cycle processes) as the industry-recognized standard for software life cycle activities, though IEC 62304 is not directly incorporated by reference in the QMSR.

SaMD used in clinical trials under an IDE is subject to the QMSR's design and development requirements under 21 CFR 820.10(c), meaning ISO 13485 Clause 7.3 applies. Other QMSR requirements apply as relevant to the manufacturer's operations during the IDE. The specific requirements differ depending on whether the SaMD is Class I (with design controls applicable if automated-with-computer-software), Class II, or Class III. Manufacturers operating under IDE should review 21 CFR Part 812 (IDE regulations) alongside the QMSR.

Computer software used as part of the medical device, or used in production or the quality system, is addressed in ISO 13485 Clauses 4.1.6 (application of computer software used in the QMS, requires documented procedures and validation of software for its intended use), 7.5.6 (validation of processes for production and service provision, which includes software used in production), and 7.3.6 (design and development verification, applicable to software as part of device development). The validation expectation is proportionate to the risk associated with the software's use. For product software, IEC 62304 provides the detailed software life cycle process requirements. For non-product software in the QMS or production, the General Principles of Software Validation (FDA guidance) and ISO 13485 Clauses 4.1.6 and 7.5.6 provide the framework.

Software in a Medical Device (SiMD) documentation, including the software development plan, software requirements specification, software architecture, software design specification, unit/integration/system test protocols and results, and traceability matrix, are design and development records under ISO 13485 Clause 7.3. They are contained in or referenced from the design and development file (Clause 7.3.10). FDA's premarket submission documentation categories (Basic Documentation, Enhanced Documentation) are distinct from the QMSR's record structure, the submission-level categorization determines what is provided to FDA in a 510(k), PMA, or De Novo submission, while the QMSR record structure determines how the underlying records are maintained in the manufacturer's QMS.

Yes. Software used in production and service provision must be validated per ISO 13485 Clause 7.5.6 for its intended use, proportionate to risk. This applies to software-controlled manufacturing equipment, test equipment, environmental monitoring systems, and any other software that affects product quality. The validation expectation covers initial validation before use, revalidation after changes, and ongoing verification that the software continues to perform as validated.

Cybersecurity expectations for non-connected devices depend on the device's classification and intended use. FDA's cyber device definition under section 524B of the FD&C Act focuses on devices that include software, have the ability to connect to the internet, and contain any of the technological characteristics of a cyber device, which would typically exempt truly air-gapped devices. However, even air-gapped devices can have cybersecurity risks (USB-borne malware, physical access to unprotected interfaces, software update pathways), and ISO 13485 Clause 7.1 requires risk management throughout the product lifecycle. A manufacturer of a non-connected device should document its rationale for the cybersecurity risk assessment and any controls applied, "not connected" does not automatically equal "no cybersecurity risk."

Post-market cybersecurity expectations apply to legacy devices through the QMS, specifically, complaint handling (ISO 13485 Clause 8.2.2), analysis of data (Clause 8.4), CAPA (Clauses 8.5.2, 8.5.3), and advisory notices (Clauses 7.2.3, 8.2.3, 8.3.3, and 21 CFR Part 806). Manufacturers of legacy devices should maintain ongoing vulnerability monitoring, process cybersecurity-related complaints through the standard complaint workflow, assess whether identified vulnerabilities warrant field action or patches, and communicate with users as appropriate. FDA's post-market cybersecurity guidance (Postmarket Management of Cybersecurity in Medical Devices, December 2016) provides detailed expectations. Section 524B of the FD&C Act applies prospectively to cyber devices submitted on or after March 29, 2023, so pre-524B devices are subject to the QMSR's general post-market obligations but not to 524B's specific premarket requirements.

ISO 13485 addresses sterile medical devices in Clauses 7.5.5 (Particular requirements for sterile medical devices), 7.5.7 (Particular requirements for validation of processes for sterilization and sterile barrier systems), and related production controls. Clause 7.5.7 requires validation of sterilization and sterile barrier system processes before implementation, with documented validation procedures, ongoing monitoring, and revalidation after changes. Specific sterilization method standards (ISO 11135 for ethylene oxide, ISO 11137 for radiation, ISO 17665 for moist heat, ISO 11138 for biological indicators) apply as relevant. Contract sterilizers are themselves subject to the QMSR under the definition of manufacturer.

21 CFR 820.10(d) requires manufacturers of devices that support or sustain life, the failure of which to perform when properly used in accordance with instructions for use can be reasonably expected to result in a significant injury, to comply with ISO 13485 Clause 7.5.9.2 (Particular requirements for implantable medical devices). Clause 7.5.9.2 requires the manufacturer to record the components, materials, and conditions of the work environment used if they could cause the medical device not to satisfy its specified safety and performance requirements, and to require the organization's agents or distributors to maintain records of distribution to allow traceability and inspection.

ISO 13485 Clause 7.5.4 (Servicing activities) requires the manufacturer, where servicing is a specified requirement, to document servicing procedures, reference materials, and reference measurements as necessary for performing servicing activities and verifying that product requirements are met. The manufacturer must analyze servicing records to determine if information is to be handled as a complaint (leading to Clause 8.2.2) and to identify input for improvement processes. 21 CFR 820.35(b) adds six specific content requirements for servicing records.

ISO 13485 Clause 7.5.3 (Installation activities) requires the manufacturer, where installation and verification of installation is a specified requirement, to document requirements for installation and the criteria for acceptance of installation. If the agreed customer requirements allow installation to be performed by a party other than the manufacturer or its supplier, the manufacturer must provide documented requirements for installation and verification. Records of installation performed by the manufacturer or its supplier and verification of installation must be maintained.

ISO 13485 Clause 7.5.9 (Identification) addresses traceability generally at Clause 7.5.9.1 and traceability for implantable medical devices at Clause 7.5.9.2. 21 CFR 820.10(b)(2) anchors traceability procedures for devices subject to 21 CFR Part 821 (Medical Device Tracking) to that regulation, meaning manufacturers of devices tracked under Part 821 must align their Clause 7.5.9.1 traceability procedures with Part 821 requirements.

ISO 13485 Clause 7.5.6 (Validation of processes for production and service provision) requires validation of processes where the resulting output cannot be, or is not, verified by subsequent monitoring or measurement, such that any deficiencies become apparent only after the product is in use or the service has been delivered. Validation must demonstrate the ability of those processes to achieve planned results. The manufacturer must document procedures for validation including criteria for review and approval, equipment and personnel qualification, use of specific methods and procedures, records, revalidation, and approval of changes. The QMSR did not carry forward a separate definition of "process validation" because the concept is fully addressed within ISO 13485.

ISO 13485 Clause 7.5.10 (Customer property) requires the manufacturer to identify, verify, protect, and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged, or otherwise found to be unsuitable for use, the manufacturer must report this to the customer and maintain records. FDA has clarified that manufacturers must comply with Clause 7.5.10 to the extent necessary to assure the safety and effectiveness of the devices being manufactured under section 520(f) of the FD&C Act; FDA does not intend to enforce Clause 7.5.10 for activities beyond that scope.

A thorough gap analysis compares the current QMS to QMSR requirements along these dimensions: (1) Structural, does the QMS use ISO 13485 Clause structure, or does it still follow Subparts A–O of the old Part 820? (2) Terminology, have legacy terms (DMR, DHF, DHR, establish, management with executive responsibility, process agent) been addressed? (3) Supplemental provisions, are 21 CFR 820.10(b) regulatory anchors (UDI, traceability, MDR, advisory notices), 820.35 record content, and 820.45 labeling/packaging controls fully implemented? (4) Newly-inspectable records, are internal audits, management reviews, and supplier audits complete, current, and production-ready? (5) Risk management integration, does risk management appear throughout design, purchasing, production, and post-market, not just in a standalone file? (6) Definitions, has your quality manual confirmed which QMSR-specific definitions (rework, safety and performance, implantable medical device, manufacturer, organization) supersede ISO 13485? (7) Training, have personnel been trained on QMSR structure and changes?

Across ISO 13485-certified manufacturers we've worked with, the most frequently missed QMSR-specific items are: (1) the seven required fields in complaint records under §820.35(a), ISO 13485 Clause 8.2.2 does not enumerate these fields; (2) the six required fields in servicing records under §820.35(b); (3) UDI recording across all required record types per §820.35(c); (4) labeling and packaging examination content under §820.45(a) (UDI, expiration, storage, handling, processing instructions); (5) the four applicable-regulatory-requirement anchors in §820.10(b), particularly the explicit linkage between Clause 7.5.8 and 21 CFR Part 830 (UDI), and between Clause 8.2.3 and Part 803 (MDR); (6) the QMSR-specific definition of rework (pre-distribution only); and (7) inspection-readiness of internal audits, management reviews, and supplier audits now that §820.180(c) is eliminated.

For manufacturers building a QMS from scratch, build directly to ISO 13485 + QMSR supplemental provisions, don't build to the old QSR and then migrate. Priority sequence: (1) quality manual aligned to ISO 13485 clause structure, with QMSR supplemental provisions incorporated; (2) core procedures, document control (4.2.4), record control (4.2.5 + §820.35), management review (5.6), risk management (7.1 + ISO 14971 framework), design and development (7.3), purchasing (7.4), production controls (7.5), complaint handling (8.2.2 + §820.35(a)), CAPA (8.5.2, 8.5.3); (3) design and development file for your product following Clause 7.3.10; (4) risk management file per ISO 14971; (5) Medical Device File per Clause 4.2.3 before commercial distribution; (6) supplier quality agreements covering change notification; (7) internal audit schedule and first audit before FDA inspection.

Internal audit practice should include a QMSR-transition audit that specifically verifies: (1) terminology and structural alignment across SOPs and records; (2) presence of QMSR-specific content in complaint and servicing records; (3) UDI recording completeness; (4) integration of the four §820.10(b) regulatory anchors; (5) adequacy of the terminology crosswalk if legacy terms remain; (6) readiness of previously-exempt records (internal audits, management reviews, supplier audits) for FDA review. This transition audit can be a standalone activity or integrated into the normal internal audit cycle, whichever reaches the full QMSR scope faster. Follow-on internal audits should verify sustained compliance with QMSR-specific supplemental provisions as routine scope.

ISO 13485 Clause 8.2.4 requires internal audits to be conducted by trained personnel who are objective and impartial, auditors cannot audit their own work. The standard does not mandate specific certifications, but industry best practice is for internal auditors to have: formal auditor training (often ISO 13485 Lead Auditor training), working knowledge of the QMSR supplemental provisions (21 CFR 820.10, 820.35, 820.45), familiarity with applicable FDA regulations referenced by §820.10(b) (Parts 803, 806, 821, 830), and enough subject-matter knowledge to evaluate the adequacy of the audited processes. Auditor independence can be achieved through cross-functional assignment (e.g., engineering audits quality, quality audits operations), rotation, or use of external auditors.

The auditor must be independent of the function being audited, not independent of quality or the QMS as a whole. A quality professional can audit a design or manufacturing function, and an engineer can audit quality, the independence requirement is process-specific, not organizational. What the standard prohibits is auditors reviewing their own work. For very small organizations where internal independence is impossible (e.g., one-person quality functions), external auditors or cross-organizational auditor exchanges can satisfy the requirement.

In-flight records, those started before February 2, 2026 and completed after, are acceptable as mixed-era documentation provided substantive requirements are met. Best practice: (1) complete the record using QMSR/ISO 13485 terminology going forward; (2) retain legacy terminology for portions created before February 2, 2026; (3) add a brief annotation to the record or procedure noting the transition; (4) ensure the underlying content meets both QSR (for the pre-effective-date portion) and QMSR (for the post-effective-date portion), which is generally automatic given substantial similarity. FDA investigators understand that transition-era records will reflect the transition.

Primary sources: (1) FDA's QMSR landing page at fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr, updated as FDA publishes new guidance; (2) FDA's QMSR FAQ page at fda.gov/medical-devices/quality-management-system-regulation-qmsr/quality-management-system-regulation-frequently-asked-questions, updated as FDA issues clarifications; (3) Compliance Program 7382.850 on the CDRH Compliance Programs page; (4) the Federal Register for any rulemakings amending Part 820 or Part 4; (5) FDA's guidance agenda for upcoming device QMS guidance; (6) FDA workshops and town halls, including CDRH Events and CDRH Learn; (7) AAMI resources (AAMI/ISO 13485:2016 A Practical Guide; AAMI TIR102:2019 for 21 CFR mapping). Industry associations (AdvaMed, MDMA, RAPS), notified bodies, and consultancies typically publish analyses of FDA guidance and warning letters that surface practical patterns faster than primary sources alone.