QMSR Gap Analysis for ISO 13485:2016 Certified Companies: The 50+ Item Checklist for FDA's New Quality System Rule
Clause-by-clause gap analysis checklist mapping ISO 13485:2016 to FDA's QMSR — covering terminology changes, complaint handling, labeling controls, UDI integration, record retention, and 50+ specific action items your QMS documents still need.
If You Have ISO 13485:2016 Certification, You Are Not Automatically QMSR-Compliant
FDA's Quality Management System Regulation (QMSR) became effective on February 2, 2026, replacing the Quality System Regulation (QSR) that governed medical device manufacturing since 1996. The QMSR incorporates ISO 13485:2016 by reference into 21 CFR Part 820, harmonizing U.S. requirements with the international standard that most device manufacturers already hold.
But here is the critical point that catches companies off guard: ISO 13485:2016 certification alone does not satisfy all QMSR requirements.
FDA layered additional U.S.-specific requirements on top of ISO 13485 through two key regulatory sections — 21 CFR 820.35 (Control of Records) and 21 CFR 820.45 (Device Labeling and Packaging Controls). The agency also preserved several existing FDA regulations that sit outside Part 820 but are integrated into QMSR inspection expectations: Medical Device Reporting (21 CFR Part 803), Corrections and Removals (21 CFR Part 806), Unique Device Identification (21 CFR Part 830), and Device Traceability (21 CFR Part 821).
This guide provides a clause-by-clause gap analysis for companies that already hold ISO 13485:2016 certification. For each ISO 13485 clause, we identify what is already covered and the specific FDA additions still required. The goal is to give your QA/RA team a working checklist with 50+ action items that can be tracked, assigned, and closed before your next FDA inspection.
How to Use This Checklist
Each row in the tables below follows this structure:
- ISO 13485 Clause — the clause you already satisfy through certification
- QMSR Requirement — what FDA expects under the new rule
- Gap / Action Required — the specific work your QMS documents still need
- Priority — High (inspection-critical), Medium (documentation update), Low (terminology alignment)
Section 1: Document Architecture and Terminology Changes
The most visible change under QMSR is the elimination of legacy FDA document terms. If your SOPs, forms, and quality manual still reference the old terminology, they are now outdated.
1.1 Design History File (DHF) → Design and Development File (DDF)
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.3.10 | Design and Development File must contain all design records | Update all SOPs, forms, and quality manual references from "DHF" to "DDF" or add a crosswalk mapping DHF → DDF | Medium |
| Clause 7.3.10 | DDF must include design plans, inputs, outputs, reviews, verification, validation, and changes | Verify existing DHF contents map to ISO 13485 Clause 7.3.10 requirements; add any missing elements | High |
| Clause 7.3.7 | Design transfer must be explicitly documented | Old 21 CFR 820.30(h) design transfer requirement now maps to ISO 7.3.7; verify design transfer procedure covers verification that outputs are suitable for manufacturing | High |
Action Items 1–3:
- Create a terminology crosswalk table mapping DHF → DDF, DMR → MDF, DHR → Production Records in your quality manual.
- Audit all SOPs for legacy "DHF" references and update to "DDF" (or add a note that DHF and DDF are equivalent for your organization).
- Review your design transfer procedure to ensure it meets ISO 13485 Clause 7.3.7 explicitly.
1.2 Device Master Record (DMR) → Medical Device File (MDF)
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 4.2.3 | Medical Device File must contain device description, specifications, manufacturing procedures, labeling, and more | Map existing DMR contents to ISO 13485 Clause 4.2.3 requirements; update quality manual to reference MDF terminology | Medium |
| Clause 4.2.3 | MDF must be established for each device type or device family | Verify that every device in your portfolio has a corresponding MDF (or DMR that satisfies 4.2.3) | High |
Action Items 4–5: 4. Create an MDF index template aligned with ISO 13485 Clause 4.2.3 and map each existing DMR to it. 5. For each product family, confirm the MDF includes: device description, product specifications, manufacturing process specifications, and labeling requirements.
1.3 Device History Record (DHR) → Production Records
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.5.1 | Production records providing traceability per Clause 7.5.9 | Verify existing DHR procedures satisfy ISO 7.5.1 requirements for amount manufactured and amount released for distribution | Medium |
| Clause 7.5.9 | Traceability requirements for implantable and critical devices | Confirm DHR/production records capture all traceability elements required under ISO 7.5.9 | High |
Action Items 6–7: 6. Update production record SOPs to reference "production records" aligned with ISO 13485 Clause 7.5.1 rather than legacy DHR terminology. 7. Verify traceability records for implantable devices capture the serial numbers, batch numbers, and distribution records required by Clause 7.5.9.
1.4 Management Representative → Top Management
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 5.5.2 | Management representative role under ISO 13485 | QMSR eliminates the old QSR requirement for a designated "management representative"; ISO 13485 Clause 5.5.2 continues this role but with "Top Management" accountability | Low |
| Clause 5.6 | Management review requirements | Verify management review procedure includes all ISO 13485 Clause 5.6 inputs and outputs | High |
Action Items 8–9: 8. Update your quality manual to align management representative responsibilities with ISO 13485 Clause 5.5.2 language. 9. Review management review procedure to ensure all required inputs (audit results, customer feedback, process performance, CAPA status, regulatory changes) and outputs (QMS improvement decisions, resource needs) are documented.
Section 2: FDA-Specific Requirements Beyond ISO 13485
These are the gaps that catch ISO 13485-certified companies off guard. FDA explicitly stated that ISO 13485 was inadequate in certain areas and added requirements through 21 CFR 820.35 and 820.45.
2.1 Control of Records — 21 CFR 820.35
This is more detailed and explicit than what was in the old QSR for complaint records.
| ISO 13485 Clause | QMSR Addition (820.35) | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 8.2.2 (Complaint handling) | Complaint records must document: whether the complaint was investigated; if not investigated, the reason why; results of investigation; corrective action taken | Audit your complaint handling SOP against 820.35 content requirements; add any missing mandatory documentation elements | High |
| Clause 8.2.2 | Multiple complaint-handling units must be coordinated through a single corporate procedure | If your organization has multiple complaint-handling sites or business units, verify a single overarching procedure exists with defined coordination responsibilities | High |
| Clause 7.2.3 | Customer communication procedures (new for FDA-regulated companies) | ISO 13485 Clause 7.2.3 requires documented customer communication procedures beyond just complaints — including inquiries, contracts, and feedback. Most QSR-only companies lack this. | Medium |
| Clause 8.2.2 | Service records must be documented per 820.35 | Verify service report procedures capture: device identification, service date, service provider, problem reported, and action taken | Medium |
Action Items 10–14: 10. Review your complaint handling SOP and add all 820.35-required complaint record elements (investigation decision, rationale if not investigated, investigation results, corrective actions). 11. If you have multiple complaint-handling units, create or update a corporate-level complaint coordination procedure. 12. Draft a customer communication procedure (ISO 7.2.3) covering inquiries, contracts, order handling, and feedback channels — this is new for most FDA-regulated companies. 13. Update service record forms to capture all 820.35-required fields. 14. Train complaint handling and service teams on the new documentation requirements.
2.2 Device Labeling and Packaging Controls — 21 CFR 820.45
FDA determined that ISO 13485's labeling controls were not adequate and added specific requirements.
| ISO 13485 Clause | QMSR Addition (820.45) | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.5.1 (Labeling) | Manufacturers must inspect the accuracy of device labels with respect to identity, quantity, lot/batch, expiry, storage instructions, and handling instructions prior to release | This mirrors old 820.120(b); verify your labeling verification procedure covers all 820.45-specified elements | High |
| Clause 7.5.1 | Labeling release must be documented and traceable | Add labeling inspection sign-off step to production release procedure | High |
| Clause 7.5.5 | Packaging controls must ensure device integrity during storage and distribution | Review packaging validation and inspection procedures for alignment with 820.45 | Medium |
Action Items 15–17: 15. Create or update a labeling inspection checklist covering all elements specified in 820.45: identity, quantity/weight, lot/batch number, expiry date, storage instructions, and handling instructions. 16. Add a formal labeling inspection sign-off to your production release process. 17. Verify packaging control procedures include inspection of labeling accuracy at the packaging stage.
Section 3: Risk Management Integration Across the QMS
Under QSR, risk management was largely confined to design controls. Under QMSR, ISO 13485 requires risk management to be integrated throughout the entire quality system.
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.1 (Planning) | Risk management must be applied to product realization planning | Verify product realization plans include risk management activities | Medium |
| Clause 7.3.2 (Design inputs) | Design inputs must include risk management outputs | Confirm design input procedures require risk analysis as an input source | High |
| Clause 7.3.9 (Design changes) | Design changes must be evaluated for risk impact | Verify design change control procedure includes risk re-evaluation step | High |
| Clause 7.5.1 (Production) | Risk management integrated into production and service provision controls | Verify production SOPs reference risk control measures | Medium |
| Clause 7.5.6 (Validation of processes) | Process validation must consider risk | Confirm IQ/OQ/PQ protocols include risk-based acceptance criteria | Medium |
Action Items 18–22: 18. Conduct a risk management coverage audit: map where ISO 14971 risk management outputs feed into design, production, purchasing, and post-market activities. 19. Update design input procedure to explicitly require risk analysis as an input source. 20. Add a risk re-evaluation step to your design change control SOP. 21. Review production procedures to ensure risk control measures from the risk management file are referenced and implemented. 22. Verify process validation protocols (IQ/OQ/PQ) include risk-based acceptance criteria.
Section 4: CAPA Separation and Post-Market Requirements
4.1 Corrective Action and Preventive Action — Now Two Separate Processes
Under the old QSR, CAPA was a single combined process. Under ISO 13485, corrective action (Clause 8.5.2) and preventive action (Clause 8.5.3) are two distinct processes with separate triggers and documentation.
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 8.5.2 | Corrective Action — triggered by nonconformity that has already occurred | Verify your CAPA procedure distinguishes corrective action triggers from preventive action triggers | High |
| Clause 8.5.3 | Preventive Action — triggered by potential nonconformity that has not yet occurred | Many companies have combined CAPA procedures; split them or clearly separate the trigger logic within one procedure | High |
| Clause 8.5.2 / 8.5.3 | Both require root cause analysis, effectiveness checks, and documentation of any changes to the QMS | Verify effectiveness verification is required for both CA and PA, not just CAPA as a whole | Medium |
Action Items 23–25: 23. Review your CAPA SOP and create two distinct process flows: one for corrective action (reactive) and one for preventive action (proactive). 24. Train QA and production teams on the difference between CA and PA triggers. 25. Verify effectiveness checks are required for both CA and PA outcomes.
4.2 Complaint Handling Linkage to MDR Reporting — 21 CFR Part 803
| ISO 13485 Clause | QMSR / Part 803 Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 8.2.2 | Complaints must be evaluated for MDR reportability under 21 CFR Part 803 | Verify complaint handling SOP includes a mandatory MDR evaluation step with documented decision rationale | High |
| Clause 8.2.2 | MDR-reportable events must be submitted within required timeframes (30 calendar days for deaths and serious injuries, 5 working days for malfunctions requiring immediate remedial action) | Confirm your SOP includes MDR reporting timelines and escalation triggers | High |
| Clause 8.2.2 | Trend reporting of non-serious complaints must be documented | Verify trend analysis procedure captures non-serious complaints for MDR trend reporting per 21 CFR 803.18 | Medium |
Action Items 26–28: 26. Add a mandatory MDR evaluation decision point to your complaint handling workflow with documented rationale. 27. Verify MDR reporting timelines (30-day death and serious injury, 5-day malfunction report for events requiring immediate remedial action) are built into your complaint triage process. 28. Implement or update a complaint trend analysis procedure for non-serious events per 21 CFR 803.18.
Section 5: UDI System Integration — 21 CFR Part 830
| ISO 13485 Clause | QMSR / Part 830 Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.5.9 (Traceability) | UDI must be assigned to each device per 21 CFR Part 830 | Verify UDI assignment process covers all device classes and packaging levels | High |
| Clause 7.5.5 (Preservation) | UDI must be on device labels and directly marked on reusable devices | Confirm labeling procedure includes UDI placement verification per Part 830 | High |
| Clause 4.2.3 (MDF) | UDI-DI and UDI-PI must be documented in the Medical Device File | Add UDI-DI and UDI-PI fields to your MDF template | Medium |
| Clause 7.5.9 | GUDID submission must be completed before device is introduced to commerce | Verify GUDID submission is a required step in your product release process | High |
Action Items 29–32: 29. Confirm every device in your portfolio has a UDI-DI assigned and submitted to the GUDID database. 30. Verify labeling procedures include UDI placement on labels and direct marking on reusable devices per 21 CFR Part 830. 31. Add UDI-DI and UDI-PI fields to your MDF / product master file template. 32. Make GUDID submission a formal gate in your product release checklist.
Section 6: Corrections and Removals — 21 CFR Part 806
| ISO 13485 Clause | QMSR / Part 806 Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 8.5.2 (Corrective Action) | Corrections and removals that risk health must be reported to FDA under 21 CFR Part 806 | Verify your corrective action procedure includes an 806 evaluation step for any field action | High |
| Clause 8.3 (Nonconforming product) | Recalls and market withdrawals must follow Part 806 reporting requirements | Confirm recall procedure references Part 806 timelines and reporting requirements | High |
Action Items 33–34: 33. Add a Part 806 evaluation step to your corrective action and recall procedures. 34. Train the QA and RA teams on when corrections and removals trigger mandatory FDA reporting.
Section 7: Internal Audit Transparency — FDA Inspection Access
Under QSR, FDA had limited access to internal audit records. Under QMSR, FDA inspectors operating under Compliance Program 7382.850 can now request:
| Area | QMSR Inspection Scope | Gap / Action Required | Priority |
|---|---|---|---|
| Internal audit reports | FDA inspectors may now request access to management review and internal audit records | Ensure internal audit reports are inspection-ready and accurately reflect QMSR scope | High |
| Supplier audit reports | FDA inspectors may request supplier audit reports | Verify supplier audit reports are well-documented and available for inspection | High |
| Management review records | Management review minutes and outputs are within inspection scope | Confirm management review records document all required inputs and outputs per ISO 5.6 | Medium |
Action Items 35–37: 35. Review your internal audit procedure to ensure audit scope covers all QMSR requirements (not just old QSR items). 36. Ensure supplier audit reports are well-organized, complete, and accessible for FDA inspection. 37. Update management review records to include all ISO 13485 Clause 5.6 required inputs and outputs.
Section 8: Record Retention Periods
ISO 13485 does not specify exact record retention periods. QMSR inherits FDA's existing retention requirements, which may differ from your current ISO-based defaults.
| Record Type | FDA Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Device history records (production records) | Retain for at least the device's expected life, but not less than 2 years from commercial distribution | Verify your record retention policy meets this minimum | High |
| Complaint files | Retain per 21 CFR 820.35 requirements | Ensure complaint records are retained per FDA retention periods, which may exceed ISO defaults | High |
| Design records (DDF) | Retain for the life of the device | Confirm DDF retention policy matches FDA expectations for design history records | Medium |
| Quality system records | Retain per organizational needs, but minimum per FDA field access expectations | Verify quality manual, procedures, and work instructions are retained as long as the QMS is active | Low |
Action Items 38–41: 38. Compare your current record retention schedule against FDA requirements and update where needed. 39. Ensure complaint records are retained for the required period (minimum device expected life or 2 years from release, whichever is longer). 40. Verify DDF/design records are retained for the life of the device. 41. Document record retention rationale in your quality manual.
Section 9: Design Controls — Now ISO 13485 Clause 7.3 (Formerly §820.30)
Under QMSR, the old §820.30 design control provisions have been removed from the CFR. Design controls are now covered by ISO 13485 Clause 7.3, incorporated by reference through §820.10. The design control requirements themselves are largely preserved, but the regulatory structure has changed. FDA inspectors will assess design control compliance against ISO 13485 Clause 7.3, supplemented by the QMSR definitions and provisions in Subpart B.
| Old QSR Requirement | QMSR / ISO 13485 Equivalent | Gap / Action Required | Priority |
|---|---|---|---|
| 820.30(b) Design input | ISO 7.3.3 | Verify design input procedure covers all ISO requirements including statutory and regulatory requirements | Medium |
| 820.30(c) Design output | ISO 7.3.4 | Confirm design outputs include acceptance criteria and are documented sufficiently for verification | Medium |
| 820.30(e) Design review | ISO 7.3.5 | Key change: QSR required design review participants who did not have direct responsibility for the design stage being reviewed. FDA removed this explicit requirement in QMSR but states that a successful QMS under 7.3.3 and 7.3.4 will require a similar approach. Best practice: keep your independent reviewer requirement. | Medium |
| 820.30(f) Design verification | ISO 7.3.6 | Verify design verification procedure aligns with ISO 7.3.6 requirements | Low |
| 820.30(g) Design validation | ISO 7.3.6 | Confirm design validation includes clinical evaluation or performance evaluation as applicable | Medium |
| 820.30(i) Design changes | ISO 7.3.9 | Verify design change control procedure includes risk re-evaluation (see Action Item 20) | Medium |
Action Items 42–46: 42. Map your existing design control SOP to ISO 13485 Clause 7.3 structure and identify any gaps. 43. Keep the independent design reviewer requirement even though it is no longer explicitly mandated — FDA expects it. 44. Verify design input procedures include statutory and regulatory requirements as a mandatory input category. 45. Confirm design output procedures produce records with sufficient detail for design verification. 46. Update your design change control SOP to explicitly reference ISO 7.3.9 and include risk re-evaluation.
Section 10: Supplier Quality Management
| ISO 13485 Clause | QMSR Requirement | Gap / Action Required | Priority |
|---|---|---|---|
| Clause 7.4.1 (Purchasing) | Supplier evaluation based on risk and effect on product quality | Verify supplier evaluation procedure is risk-based and documented | Medium |
| Clause 7.4.2 (Purchasing info) | Purchasing documents must describe the product to be purchased | Confirm purchasing specifications are detailed and traceable | Low |
| Clause 7.4.3 (Verification) | Verification of purchased product must be proportional to risk | Review incoming inspection procedures for risk-based sampling and acceptance criteria | Medium |
| Clause 7.4 (General) | Quality agreements with suppliers should be updated to reflect QMSR expectations | Review and update quality agreements with critical suppliers to reference QMSR and ISO 13485:2016 | Medium |
Action Items 47–50: 47. Review and update your supplier evaluation procedure to ensure it is risk-based and aligns with ISO 13485 Clause 7.4.1. 48. Update quality agreements with critical suppliers to reference QMSR and ISO 13485:2016 requirements. 49. Verify incoming inspection procedures include risk-based acceptance criteria proportional to supplier risk. 50. Ensure supplier qualification records include evidence of ongoing monitoring and periodic re-evaluation.
Summary: The Complete Action Item Tracker
| # | Action Item | Priority | Responsible | Status |
|---|---|---|---|---|
| 1 | Create DHF/DDF/DMR/MDF terminology crosswalk table | Medium | QA | ☐ |
| 2 | Update all SOPs from "DHF" to "DDF" references | Medium | QA | ☐ |
| 3 | Review design transfer procedure for ISO 7.3.7 compliance | High | R&D/QA | ☐ |
| 4 | Create MDF index template per ISO 4.2.3 | Medium | QA | ☐ |
| 5 | Confirm MDF exists for each device family | High | QA/RA | ☐ |
| 6 | Update production record SOPs to ISO 7.5.1 terminology | Medium | QA | ☐ |
| 7 | Verify traceability records for implantable devices | High | QA | ☐ |
| 8 | Update quality manual management representative language | Low | QA | ☐ |
| 9 | Review management review procedure for ISO 5.6 completeness | High | QA/Mgmt | ☐ |
| 10 | Add 820.35 complaint record elements to SOP | High | QA | ☐ |
| 11 | Create corporate complaint coordination procedure | High | QA | ☐ |
| 12 | Draft customer communication procedure (ISO 7.2.3) | Medium | QA/Sales | ☐ |
| 13 | Update service record forms per 820.35 | Medium | QA/Service | ☐ |
| 14 | Train complaint/service teams on new documentation requirements | Medium | QA | ☐ |
| 15 | Create labeling inspection checklist per 820.45 | High | QA/Labeling | ☐ |
| 16 | Add labeling inspection sign-off to production release | High | QA/Production | ☐ |
| 17 | Verify packaging controls include labeling accuracy inspection | Medium | QA | ☐ |
| 18 | Conduct risk management coverage audit across QMS | Medium | QA/RA | ☐ |
| 19 | Update design input procedure to require risk analysis | High | R&D/QA | ☐ |
| 20 | Add risk re-evaluation to design change control | High | R&D/QA | ☐ |
| 21 | Review production procedures for risk control measure references | Medium | QA/Production | ☐ |
| 22 | Verify IQ/OQ/PQ protocols include risk-based criteria | Medium | QA/Engineering | ☐ |
| 23 | Separate CAPA into distinct CA and PA processes | High | QA | ☐ |
| 24 | Train teams on CA vs PA trigger differences | High | QA | ☐ |
| 25 | Verify effectiveness checks for both CA and PA | Medium | QA | ☐ |
| 26 | Add MDR evaluation step to complaint handling | High | QA/RA | ☐ |
| 27 | Verify MDR reporting timelines in complaint triage | High | QA/RA | ☐ |
| 28 | Implement complaint trend analysis per 803.18 | Medium | QA | ☐ |
| 29 | Confirm UDI-DI assignment for all devices | High | RA/QA | ☐ |
| 30 | Verify UDI placement on labels and direct marking | High | QA/Labeling | ☐ |
| 31 | Add UDI fields to MDF template | Medium | QA/RA | ☐ |
| 32 | Make GUDID submission a formal release gate | High | RA/QA | ☐ |
| 33 | Add Part 806 evaluation to corrective action procedure | High | QA/RA | ☐ |
| 34 | Train QA/RA on corrections and removals reporting | High | QA/RA | ☐ |
| 35 | Update internal audit scope to cover QMSR requirements | High | QA | ☐ |
| 36 | Ensure supplier audit reports are inspection-ready | High | QA | ☐ |
| 37 | Update management review records for ISO 5.6 compliance | Medium | QA/Mgmt | ☐ |
| 38 | Update record retention schedule for FDA requirements | High | QA/Document Control | ☐ |
| 39 | Verify complaint record retention periods | High | QA | ☐ |
| 40 | Verify DDF retention for device lifetime | Medium | QA | ☐ |
| 41 | Document record retention rationale in quality manual | Low | QA | ☐ |
| 42 | Map design control SOP to ISO 7.3 structure | Medium | R&D/QA | ☐ |
| 43 | Retain independent design reviewer requirement | Medium | R&D/QA | ☐ |
| 44 | Verify design inputs include regulatory requirements | Medium | R&D/RA | ☐ |
| 45 | Confirm design outputs have verification-level detail | Medium | R&D/QA | ☐ |
| 46 | Update design change control SOP to reference ISO 7.3.9 | Medium | R&D/QA | ☐ |
| 47 | Update supplier evaluation procedure to risk-based approach | Medium | QA/Purchasing | ☐ |
| 48 | Update supplier quality agreements for QMSR | Medium | QA/Purchasing | ☐ |
| 49 | Verify incoming inspection includes risk-based acceptance | Medium | QA | ☐ |
| 50 | Ensure supplier re-evaluation is documented periodically | Medium | QA | ☐ |
Next Steps for Your Organization
If your company is ISO 13485:2016 certified, your primary gaps fall into three categories:
FDA-specific additions (820.35 complaint records, 820.45 labeling controls, Part 803 MDR linkage, Part 806 corrections and removals, Part 830 UDI) — these are the items most likely to cause findings during an FDA inspection because ISO 13485 certification does not address them.
Terminology updates (DHF→DDF, DMR→MDF, DHR→Production Records, Management Representative→Top Management) — lower risk but important for demonstrating awareness and alignment.
Structural changes (separated CA/PA, risk management integration across the QMS, inspection readiness for internal audits and supplier audits) — medium to high risk depending on your current QMS maturity.
If your company was QSR-compliant but NOT ISO 13485 certified, the gap is significantly larger. You will need to implement the full ISO 13485:2016 framework plus the FDA additions listed above. Consider engaging a regulatory consultant to conduct a baseline assessment.
For MDSAP-certified companies, you have an advantage: MDSAP already audits against ISO 13485 plus country-specific requirements. Your remaining gaps are primarily the FDA-specific items in Sections 2, 4, 5, 6, 7, and 8 of this checklist.
Key References
- FDA Quality Management System Regulation (QMSR) — 21 CFR Part 820, effective February 2, 2026
- FDA Final Rule: Medical Devices; Quality System Regulation Amendments (Federal Register, January 31, 2024)
- ISO 13485:2016 — Medical devices — Quality management systems — Requirements for regulatory purposes
- FDA Compliance Program 7382.850 — Inspection of Medical Device Manufacturers (updated for QMSR)
- 21 CFR Part 803 — Medical Device Reporting
- 21 CFR Part 806 — Medical Devices; Reports of Corrections and Removals
- 21 CFR Part 830 — Unique Device Identification
- 21 CFR Part 821 — Medical Device Tracking
- ISO 14971:2019 — Medical devices — Application of risk management to medical devices