The FDA’s new Quality Management System Regulation (QMSR) represents the most significant shift in FDA quality system compliance in over 25 years. With ISO 13485:2016 becoming federal law through incorporation by reference earlier this year, the medical device industry is now liable for following standards which were previously voluntary.

Thirteen of the fifteen subparts of the original QSR have now been marked as ‘reserved’ and in their place, manufacturers must comply with the clauses of ISO 13485’s clauses, which emphasize risk-based quality management. However, the FDA retained and expanded two crucial areas from the QSR – records management and labeling and packaging controls. For manufacturers, this means that compliance now entails meeting both ISO 13485’s standards, as well as specific FDA enhancements – a reality the industry is only just beginning to grapple with.

High-impact areas

Less than a month post-implementation, there are several key areas which manufacturers often underestimate in the transition from the QSR to QMSR. Many companies have mistakenly understood that risk management was a one-time activity during product development, whereas it is now an action to be integrated throughout the entire device lifecycle. ISO 13485 explicitly requires risk management processes to include design inputs, process validation, supplier management, post-market surveillance and corrective and preventative actions (CAPA). This must be demonstrated through documented evidence and risk assessments must be updated based on field performance and complaint trends.

Similarly, expectations for supplier management have intensified with the new risk-based approach. The QMSR requires manufacturers to implement selection, approval and monitoring processes for suppliers that are scaled commensurate with the risk they present to product safety and performance. Critical suppliers must be subject to routine audits and documented performance monitoring with objective metrics.

Design control requirements have also fully transitioned, with the new regime placing greater emphasis on risk management integration throughout design phases. This requires explicit connection between design outputs and general safety and performance requirements, with the new rules mandating that design verification and validation activities are risk-based and appropriately scaled. The design history file must also demonstrate that activities were appropriate for the device classification and risk profile, with clear traceability.

The QMSR’s retention of the QSR’s control of records creates dual compliance requirements, wherein manufacturers must now ensure their records explicitly support their obligations for complaints and servicing. Traceability has become more complex, as UDI must now be integrated into device history records, complaint files, MDR reports and correction/removal documentation, creating an end-to-end identification system from manufacturing through post-market surveillance. Post-market activities must now also demonstrate clear connections to risk management updates, CAPA initiation and management review, with documented evidence of closed-loop processes.

All in all, the QMSR’s emphasis on continuous improvement means documentation must always tell a story of data-driven decision making, showing how post-market intelligence flows back into products and process improvements with measurable outcomes.

Frequent misconceptions on the QMSR

Perhaps the most common misconception established during this transitionary stage is that ISO 13485-certified businesses are compliant. While ISO 13845 certification is necessary, it is no longer sufficient. Companies are now retrofitting their certified systems to add additional requirements and integration points, while some are facing re-certification audits to address these gaps.

Some businesses have erroneously believed ISO certification exempted them from FDA inspections. While the FDA retains full inspectional authority under the QMSR, FDA inspections do not result in ISO certificates. Thus, some manufacturers are now experiencing their first QMSR-based inspections and finding that their ISO certificates do not provide full exemptions.

While this change was a long time coming, the implementation deadline of February 2^nd came around faster than anticipated for some, and companies which waited until late 2025 to begin implementation are now under regulatory scrutiny. Manufacturers may also incorrectly believe that these changes amount to a technicality, meaning their actual processes won’t need to change. While many processes remain substantively similar, companies must still enact new workflows to ensure risk management throughout lifecycles and standards monitoring requirements are integrated adequately.

The investigators’ focus

Amid ongoing changes, initial QMSR investigations have begun to reveal the FDA’s priorities across several areas. Most notably, investigators are likely to verify that connections between compliant handling, UDI assignment and documentation, and post-market surveillance activities are adequately addressed. Dual compliance will also be a focus area, with investigators expecting records and labelling to be compliant with both ISO and FDA additions.

The regulatory language requiring that manufacturers ‘undertake to apply’ their procedures will be taken seriously by investigators, who will look for objective evidence that procedures are being followed, such as meeting minutes, reports or other documentation. Inspectors will also ask pointed questions about how companies monitor harmonized standards and common specifications, assessing their impact and documenting decisions. Processes must be demonstrated in action with recent examples to guarantee approval.

The QMSR’s emphasis is on continually improving and maintaining systems ‘in the most effective manner’, so investigators will examine evidence of the data-driven improvements, such as KPIs, management reviews, CAPA effectiveness checks, and metric-driven decisions.

Simplification over duplication

For manufacturers operating globally, the QMSR offers them a chance to simplify and synthesize systems, rather than duplicate them. Successful players will implement ISO 13485 as their foundation, and then clearly identify FDA-specific additions, using procedure scope statements and traceability matrices to clarify which requirements apply to which markets.

The similarities between the two systems also mean that processes for design controls, CAPA, supplier management, production controls and other areas can be unified. Where regional differences exist, leading companies can use risk-based scaling within procedures, rather than maintaining separate documentation. Companies should also align terminology, using ISO 13485 as their baseline, but clearly delineating where FDA definitions supersede or supplement ISO terms, thus maintaining compliance with regional variations, avoiding inconsistencies.

When issued by recognized certification bodies, ISO 13485 certification satisfies EU regulatory requirements and supports entry into other key markets like Canada and Japan, demonstrating to the FDA that their core QMS meets international standards. It does not, however, replace FDA inspection, with some companies finding that ISO certification audits are most helpful in identifying gaps before inspections. As such, the best prepared companies are ones who create a single regulatory surveillance function that monitors FDA, ISO, EU and other applicable requirements, feeding this intelligence into a singular assessment process that evaluates impact across all markets simultaneously.

As the medical device manufacturing industry comes to a crossroads, this transition represents a fundamental shift in how quality systems must operate. Manufacturers who prepared strategically have created a competitive advantage through streamlined operations and global market access. Others may be playing catch-up, a path which is navigable with focus, resources and systematic implementation. With the QSMR now enshrined in law, there is an impetus for companies to demonstrate compliance rapidly and effectively.