What the FDA’s New QMSR Means for Your Quality System — and Whether You’re Actually Ready

On February 2, 2026, the FDA replaced a regulation that had governed medical device quality systems for nearly three decades. The Quality System Regulation (QSR), which had structured how device manufacturers operated under 21 CFR Part 820 since 1996, gave way to the Quality Management System Regulation — the QMSR. The old framework is gone. A new one is in full force.
For organizations that had already built their quality systems around ISO 13485:2016 for international markets, the transition was largely manageable. For organizations whose quality systems were built exclusively around the legacy QSR, the gap is significant — and now that the effective date has passed, every inspection is an evaluation against the new standard, not the old one.
This article explains precisely what changed, what those changes mean operationally, and how to assess whether your quality system is genuinely ready or just approximately ready.
Why This Change Happened
The legacy QSR served its purpose but created a persistent problem for device manufacturers operating globally. U.S. quality requirements were U.S.-specific. ISO 13485 — used by regulatory authorities in the European Union, Canada, Japan, Australia, Brazil, and dozens of other markets — was a separate framework with different terminology, different structure, and different documentation expectations.
Companies selling devices in multiple markets maintained two parallel quality systems, or one system that tried to satisfy both frameworks simultaneously. Either approach created duplication, inconsistency, and compliance burden that didn’t serve manufacturers, regulators, or ultimately patients.
By the 2020s, U.S. manufacturers coexisted under two QMS approaches: the domestic 21 CFR 820 QSR and the global ISO 13485 standard. This bifurcation created inconsistencies and some burden for manufacturers operating globally. The International Medical Device Regulators Forum, which includes FDA and other agencies, had long advocated harmonization of quality systems.
The QMSR solves this by incorporating ISO 13485:2016 directly into U.S. federal law by reference. Instead of a written requirement for each part of a quality system, Part 820 now includes a reference to the section of ISO 13485:2016 where that requirement can be found. Overall, this means Part 820 is much shorter — most of the text simply directs manufacturers to ISO 13485.
The result is that ISO 13485:2016 is now the law for U.S. medical device manufacturers — not just an international standard they might choose to follow.
What Actually Changed: The Four Most Consequential Shifts
1. Internal Audit Reports Are No Longer Confidential
This is the single most operationally disruptive change the QMSR introduces, and it is the one organizations most consistently underestimate until they face their first post-QMSR inspection.
Under the legacy QSR, Section 820.180(c) explicitly shielded three categories of records from FDA inspection during routine surveillance: management review records, internal quality audit reports, and supplier audit reports. FDA’s rationale for that exemption was to help ensure open and honest dialogue within companies that would not be stifled from knowing such records would be subject to government review.
That rationale — and the protection it afforded — no longer exists.
The QMSR gives the FDA authority to inspect management review, quality audits, and supplier audit reports. The exceptions that existed in the QS regulation at § 820.180(c) are not maintained in the QMSR.
The practical implications are significant. Management reviews that existed primarily to satisfy a compliance checkbox now face the possibility of FDA scrutiny. Internal audits that identified genuine quality problems — problems that were documented and then not fully resolved — now create documented evidence of unresolved risk that an investigator can read directly. Supplier audits that found deficiencies without adequate follow-through now tell a story about supplier quality governance that the QSR never allowed investigators to access.
A management review that exists only on paper, without documented evidence of action, becomes an inspection liability. Supplier audits that identified problems without follow-through create documented evidence of unresolved risk. If your internal audit program was designed to check a box rather than genuinely assess your QMS, the calculus has changed completely.
Quality leaders who respond to this change by simply cleaning up their audit documentation have missed the point. The QMSR is not asking for better records of the same performative processes. It is asking for genuine management oversight, real supplier accountability, and internal audits that actually find and fix problems. The documentation is evidence of whether those things are happening.
2. The Inspection Framework Has Been Replaced
FDA replaced its Quality System Inspection Technique (QSIT) — the structured inspection guide that investigators had used since 1999 — with a new Compliance Program Manual (CP 7382.850), published January 30, 2026. This new program restructures inspections around six QMS Areas and four Other Applicable FDA Requirements (OAFRs), all driven by product risk to patients and users. Inspectors now use risk management documentation as the roadmap for the entire inspection.
The shift from QSIT to CP 7382.850 changes how investigators think about their job. QSIT was a checklist organized around subsystems: design controls, corrective and preventive actions, production and process controls, records, and so on. Investigators moved through those subsystems in a defined sequence.
Under QMSR, FDA now organizes inspections around six QMS areas and four Other Applicable FDA Requirements. As a result, inspections follow a more integrated, risk-based, lifecycle-focused approach. Inconsistent documentation, incomplete audit closure, or lack of traceability between systems may now carry greater inspection consequences than under the previous model.
Manufacturers that prepared for inspections by organizing their quality systems around QSIT’s subsystems face a structural mismatch. The investigator arriving at a post-QMSR inspection is not following the same roadmap. They are starting with your risk management file, following the evidence, and evaluating how your quality system functions as a whole — not checking items off a predefined list.
Inspections are now more dynamic and less predictable in scope. Investigators are expected to follow the evidence, not a prescribed checklist. Internal audit findings, CAPA records, and management reviews are explicitly in scope.
Remote Regulatory Assessments (RRAs) — the remote inspection format FDA developed during the pandemic — are now formally codified in CP 7382.850. FDA can conduct inspections entirely remotely or use RRAs as a precursor to on-site visits. This means the expectation of always-available, quickly retrievable records applies not just to in-person inspections but to any FDA oversight interaction.
3. Terminology Has Changed — And It Matters Operationally
The QMSR doesn’t just shift regulatory references. It changes the vocabulary of device quality management, and that vocabulary is embedded in every procedure, work instruction, training record, and form that a manufacturer maintains.
Under the legacy QSR, device manufacturers worked with the Device Master Record (DMR), the Device History Record (DHR), and the Design History File (DHF). Under QMSR with ISO 13485, those terms are replaced:
- DMR → Technical File (or Medical Device File)
- DHR → Records of Manufacture
- DHF → Design and Development File
Every SOP, work instruction, training record, and form that references the old terms needs to be updated. If procedures still say “DHF” and the FDA asks for a “design and development file,” that gap creates confusion and inspection exposure. Terminology inconsistency signals that a QMS transition was incomplete.
This is not a cosmetic change. An investigator reviewing a procedure that references a DHF in the context of a QMSR inspection is looking at a procedure that has not been updated to reflect current regulatory requirements. That observation does not typically travel alone.
For quality teams, the terminology update is also a training event. Every employee who creates, reviews, or references quality records needs to understand what they are now called, where they live, and what the updated documentation expectations require. Organizations that updated their SOPs without updating their training programs have closed one gap and opened another. eLeaP’s 21 CFR Part 11-compliant LMS connects document updates directly to training assignments so terminology changes reach every affected employee automatically.
4. Risk-Based Thinking Now Governs the Entire QMS
Under the legacy QSR, risk management was largely siloed. It governed design controls and informed post-market surveillance. The rest of the quality system — CAPA, supplier qualification, process validation, training — operated under procedural requirements without an explicit mandate for risk-based decision-making.
ISO 13485 integrates risk-based thinking across the full quality system. Under QMSR, that integration is now a federal regulatory requirement, not just a framework aspiration.
Under QMSR, a risk-based approach is expected to inform every process in your QMS: supplier selection, process validation, CAPA prioritization, training, and complaint handling. Companies that have been running a lightweight risk management program — one that satisfies ISO 14971 for product risk but doesn’t systematically apply risk thinking to QMS processes — have a genuine gap to address.
The practical manifestation of this requirement appears in inspections when investigators ask not just whether a CAPA was opened and closed, but whether the prioritization of that CAPA reflected the risk it represented. They ask whether supplier selection decisions are documented with a risk rationale. They ask whether the process validation scope was calibrated to process risk. The records need to show that risk-based decisions were made deliberately and consistently, and that they are traceable to documentation — not inferred from the fact that an outcome was acceptable.
Risk management failures are explicitly listed as triggers for Official Action Indicated (OAI) classifications under CP 7382.850. OAI is the most serious inspection classification FDA issues. It typically precedes a warning letter, import alert, or other enforcement action. Risk management that exists in policy but not in practice now carries explicit OAI exposure.
The Records Gap: Why Pre-2026 Documentation Needs Review
One aspect of the QMSR that catches organizations by surprise is its retroactive reach into existing records.
To help determine compliance with the QMSR, FDA investigators may review records that are part of the manufacturer’s QMS, including those created before February 2, 2026.
This means the internal audit report from 2024 that used QSR terminology, identified three findings, and documented partial resolution is potentially reviewable under QMSR inspection authority. The management review minutes from 2023 that noted a recurring CAPA trend without documenting a systemic response are reviewable. The supplier audit from early 2025 that flagged a supplier documentation deficiency that went unaddressed is reviewable.
Organizations that assumed the effective date created a clean break — records before February 2 governed by QSR, records after governed by QMSR — are operating under a misunderstanding that will surface during their next inspection.
A manufacturer may find it useful to complete some type of comparative analysis to demonstrate that documents and records created prior to the QMSR effective date meet the QMSR requirements. That recommendation from the FDA’s own FAQ page is a strong signal. Organizations that have not conducted a formal review of pre-2026 records for QMSR compatibility have not yet completed their transition.
Who Has the Steepest Climb
Not all manufacturers enter the QMSR era from the same position. The compliance distance depends almost entirely on where the legacy quality system was built.
Manufacturers already certified to ISO 13485 through MDSAP or Notified Body audits face the most manageable transition. Their quality systems are already structured around ISO clauses, their terminology aligns, and their management processes have been designed with ISO expectations in mind. The main work involves confirming coverage of FDA’s retained and supplemental Part 820 provisions — particularly the labeling and packaging controls in §820.45 and the expanded complaint record requirements in §820.35 — and ensuring that internal audit and management review records are organized for FDA scrutiny rather than just Notified Body review.
Manufacturers who built quality systems exclusively on the legacy QSR face the steepest climb. Companies that have only marketed products domestically and have limited experience with ISO 13485 face a steeper learning curve. They will encounter new expectations around management responsibilities, supplier controls, and risk management that go beyond what the old QSR required.
For these organizations, the transition is not a documentation update. It is a quality system restructuring project that touches procedures, records, training programs, supplier agreements, and management processes simultaneously. A purpose-built medical device QMS that is pre-validated for QMSR and ISO 13485 substantially reduces that restructuring burden.
Combination product manufacturers face a specific complication. There is a misconception among some combination product companies that the QMSR doesn’t apply to them because the FDA maintains a separate compliance program for combination products. This is wrong. The QMSR applies to the device component of any combination product. Manufacturers that have assumed an exemption and have not conducted a QMSR gap analysis have a material compliance exposure.
Small domestic manufacturers with limited ISO 13485 exposure represent perhaps the highest-risk category in aggregate. Many of these organizations built quality systems that satisfied QSIT inspection requirements without ever engaging with ISO 13485 concepts, terminology, or structure. FDA’s own informal comments have flagged this group as likely to face the most difficulty in the transition.
What a Genuine Readiness Assessment Looks Like
Most organizations that believe they are QMSR-ready conducted a gap analysis against the ISO 13485 clause structure sometime in 2024 or 2025. That analysis was a necessary starting point. It is not sufficient on its own.
A genuine QMSR readiness assessment examines five specific areas.
Terminology alignment
Pull a representative sample of current SOPs, work instructions, training records, and forms. Count how many still contain QSR-era terminology: DMR, DHR, DHF, corrective action, preventive action as separate processes, or references to subsystems defined by QSIT. Every document containing legacy terminology is a document that has not been updated for QMSR. These documents need controlled revision, distribution to affected personnel, and documented training on the changes — in that order.
Management review and internal audit quality
Review the last three management review records and the last two internal audit cycles with a single question: would an FDA investigator reading these records conclude that leadership actively governs the quality system and that the internal audit program genuinely finds and resolves problems? If the management reviews document agenda items without documenting decisions and ownership, they need to be restructured. If internal audit findings show recurring themes without trend analysis and systemic response, that pattern is now visible to the FDA.
Supplier controls documentation
Under QMSR, supplier audit reports are subject to FDA inspection. Review supplier audit records for the last two years. Identify any findings that were documented but not fully resolved. For each unresolved finding, assess whether the record shows deliberate risk acceptance with rationale, active remediation with timelines, or simply an absence of follow-through. The third category is a QMSR liability.
Risk management integration across QMS processes
ISO 13485 requires risk-based thinking to permeate the quality system. Audit whether CAPA records document risk-based prioritization. Review whether the process validation scope reflects the process risk rationale. Examine whether supplier qualification criteria align with the risk tier. These are the questions an investigator will ask — not just whether procedures reference risk management, but whether records show it operating in practice. eLeaP’s overview of risk-based auditing in QMS provides a practical framework for embedding this thinking into every quality process.
Training record completeness for QMSR updates
Every procedure that changed as part of the QMSR transition creates a training requirement for the personnel whose work those procedures govern. Organizations that update documentation without systematically triggering and tracking training on those updates have a specific compliance gap. FDA investigators who find a revised procedure and then ask to see training records demonstrating that affected employees were trained on the revision are running a standard investigational sequence. That sequence should produce a clean answer. A validated LMS integrated with your QMS closes this loop automatically — every approved document revision becomes a triggered training assignment with documented completion.
The Inspection Readiness Reality Check
According to an analysis of FDA warning letters in fiscal year 2025, 38 of 44 device warning letters cited Part 820 violations. That figure establishes the baseline: Part 820 is the single most productive source of warning letter citations in the device sector. The QMSR didn’t change that dynamic — it changed the inspection framework through which those citations flow.
Organizations preparing for their first post-QMSR inspection face a fundamental shift in what “ready” means. Under QSIT, readiness meant organized records in the four subsystem areas the inspection would most likely cover. Under CP 7382.850, readiness means a quality system that demonstrably functions as designed — with risk-based decision-making visible in records, management oversight documented in review and audit records, and supplier controls evidenced in audit documentation rather than just approved supplier lists.
QMSR compliance will not be determined by whether you have procedures — it will be determined by whether you can prove risk-based decisions were made, consistently and intentionally, across your entire QMS. Paper-based or fragmented systems make it difficult to produce that proof under inspection pressure. An electronic QMS that integrates document control, CAPA, audits, risk, and training in a single validated system makes that proof the natural output of daily operations.
Conducting a mock inspection against CP 7382.850 before the real one is not optional practice. It is the only reliable way to discover where the gaps are while there is still time to address them, rather than respond to them in a 483 observation.
The Training Dimension Organizations Are Still Missing
Every change described in this article carries a training requirement — and most organizations have not completed the full training cycle their QMSR transition demands.
Updated terminology needs to be trained. Not mentioned in an email. Trained — with documented evidence of completion and competency verification.
The revised inspection framework under CP 7382.850 means that quality personnel who interact with FDA investigators need to understand what investigators can now access and what documentation practices have changed. A quality manager who tells an investigator that management review records are confidential — as they were under the QSR — is making a legally incorrect statement that will not end well.
The shift to risk-based thinking across QMS processes requires that employees responsible for CAPA management, supplier qualification, process validation, and complaint handling understand what documenting risk-based rationale actually requires. Understanding the concept is different from knowing how to apply it in records.
Internal audit teams need updated training on the six QMS Areas defined in CP 7382.850 — because those are the areas their audits now need to cover, and because FDA investigators will evaluate internal audit adequacy through the lens of whether audit scope matched the QMSR framework.
Organizations that updated their SOPs without connecting those updates to training assignments for affected personnel have completed the visible part of the transition while leaving the operational part undone. A procedure that nobody was trained on does not produce the compliant behavior the procedure describes. During an inspection, that gap shows up in the records — and it shows up as the gap it actually is. eLeaP’s GxP compliance training resources detail precisely how this failure pattern appears in FDA observations and what a fully closed training loop looks like.
What to Do Right Now
The QMSR is already in effect. Every device manufacturer subject to FDA oversight operates under it today. The question is not what to prepare for — it’s how much ground remains to cover.
Start with a documented gap analysis
Map your current quality system documentation against ISO 13485 clauses and the retained FDA provisions in Part 820, §820.35, §820.45, §820.65, and §820.75. Document what you find — both gaps and confirmed alignments. The analysis itself becomes evidence of a structured transition approach.
Conduct a pre-2026 records review
Identify management review records, internal audit reports, and supplier audit reports from the past two years. Assess whether they reflect genuine quality system function at the level of scrutiny FDA can now apply. Address unresolved findings with documented action plans before an investigator addresses them for you.
Run a mock inspection using CP 7382.850 as the roadmap
Give an internal team or external expert the compliance program and ask them to inspect your facility against it. The findings will tell you more about your actual readiness than any documentation review alone.
Connect your training records to your QMSR update activities
For every procedure updated as part of the transition, confirm that training was assigned to affected personnel, completed, and documented with competency verification. If that documentation doesn’t exist, create the training assignments now and complete them before your next inspection. Organizations using a unified QMS and LMS platform can generate this evidence on demand rather than reconstructing it manually.
Update supplier quality agreements
Quality agreements need to be revised to comply with the QMSR. References to the QSR should be removed and replaced. Agreements that still reference the QSR or describe supplier audit report confidentiality provisions that no longer apply are themselves a documentation gap.
The Broader Signal: What QMSR Tells Every Regulated Industry
The QMSR applies specifically to medical device manufacturers. But the direction it represents — greater transparency into management oversight, risk-based governance across the full quality system, and records that demonstrate a quality system actually functioning rather than simply documented — is not a device-specific regulatory philosophy.
Regulators across every major quality framework are moving in the same direction at different speeds.
The FDA’s increased inspection activity in pharmaceutical manufacturing — 972 drug quality assurance inspections in FY 2024, up 27% from the prior year, with a five-year high in warning letters — reflects the same oversight posture the QMSR formalizes for devices. Inspectors in both sectors now expect to see quality systems that work, not just quality systems that exist on paper.
AS9100 Rev D, the quality standard governing aerospace and defense manufacturers, has long required risk-based thinking and management commitment in ways that parallel QMSR’s expectations. Aerospace organizations preparing for surveillance audits face the same fundamental question QMSR poses to device manufacturers: Can your records prove that your quality system actually functions as designed?
IATF 16949, the automotive quality standard, similarly embeds risk management across the quality system and requires evidence of continuous improvement that goes beyond procedure compliance. Automotive OEMs increasingly conduct supplier quality audits that look at system effectiveness, not just documentation presence — the same lens QMSR now authorizes FDA investigators to apply.
In the food and beverage industry, FSMA inspections and GFSI scheme audits under SQF and BRCGS have moved toward demonstrating preventive control effectiveness rather than procedural compliance. The question is not whether a HACCP plan exists — it is whether the people responsible for executing it are qualified, trained, and operating consistently with its requirements.
For cannabis and hemp manufacturers operating under GMP requirements tied to 21 CFR Part 111 or 117, state licensing bodies conducting third-party GMP audits are applying the same logic: can you demonstrate that your personnel are competent, that your quality records are current, and that your management actively governs the quality system?
The QMSR is the most recent and most formal expression of a regulatory trend that every quality professional in every regulated industry should recognize. Greater scrutiny of management involvement. Deeper inspection of whether systems function rather than whether they exist. Explicit connections between quality events, corrective actions, and training outcomes. These expectations are not unique to medical devices — they are the direction quality regulation is moving across the board.
Organizations in any regulated vertical that use QMSR as a prompt to assess the coherence and demonstrability of their own quality systems are doing exactly the right thing, even if the specific regulation doesn’t directly apply to them.
The Bottom Line
The QMSR is not an incremental revision to the QSR. It is a structural replacement that changes the vocabulary of device quality management, the records that the FDA can review, the framework through which inspections operate, and the standard of evidence required to demonstrate an effective quality system.
For manufacturers who completed genuine ISO 13485 alignment before the effective date, the QMSR delivers on its harmonization promise and reduces the compliance friction of operating in multiple global markets.
For manufacturers who conducted a documentation review without completing the operational transition — updated procedures without training, mapped clauses without restructuring processes, and noted the effective date without running a mock inspection — the gap between apparent readiness and actual readiness will surface during the next inspection.
The FDA’s 2026 mandate favors the digitally mature. Companies utilizing electronic quality management systems can spot trends before the regulator even schedules a visit. The removal of the §820.180(c) safe harbor is the most immediate operational shock — but the deeper shift is from a culture of inspection-season preparation to one of continuous, demonstrable quality system effectiveness.
That shift is not primarily a technology question. It is a question of whether your quality system actually does what your procedures say it does — and whether your records make that visible to anyone who reads them.
