FDA's QSR to QMSR Transition: What Medical Device Companies Need to Know
The FDA is aligning its Quality System Regulation with ISO 13485. Here's what the QMSR final rule means for your quality management system and what you need to do to prepare.
What is the QMSR?
The Quality Management System Regulation (QMSR) is the FDA's final rule that replaces the existing Quality System Regulation (QSR) under 21 CFR Part 820. The key change: instead of maintaining a separate, FDA-specific quality system framework, the QMSR incorporates ISO 13485:2016 by reference.
This is a significant shift. For decades, medical device manufacturers selling in both the US and international markets had to maintain parallel compliance — one system for FDA's QSR and another for ISO 13485. The QMSR effectively ends this dual burden.
Why This Matters
The impact of this change cannot be overstated. Medical device companies have spent millions of dollars and thousands of person-hours maintaining two parallel quality systems. The typical pain points included:
- Duplicate documentation — Maintaining two sets of procedures, one referencing 21 CFR 820 subparts and another referencing ISO 13485 clauses
- Conflicting terminology — FDA's "Design History File" vs. ISO 13485's "Design and Development File," among many others
- Audit fatigue — Separate audits for FDA registration/inspection and ISO 13485 certification, often covering the same ground with slightly different criteria
- Training overhead — Staff needing to understand both frameworks and their subtle differences
Key Changes in Detail
ISO 13485:2016 Incorporated by Reference
The entire ISO 13485:2016 standard becomes the baseline QMS requirement for FDA-regulated devices. This means:
- Clause 4 (Quality Management System) replaces the general QSR provisions
- Clause 7 (Product Realization) replaces the design controls, production, and process controls sections
- Clause 8 (Measurement, Analysis, and Improvement) replaces the CAPA and complaint handling sections
FDA-Specific Additions Retained
Not everything changes. The FDA retains certain US-specific requirements that sit on top of ISO 13485:
| Requirement | Status Under QMSR | Why Retained |
|---|---|---|
| Complaint files (21 CFR 820.198) | Retained with modifications | Ties to MDR reporting obligations |
| MDR reporting integration | Retained | Statutory requirement under FD&C Act |
| Design History File | Harmonized | Now aligns with ISO 13485 design file concept |
| Record retention periods | Retained | FDA-specific retention requirements differ from ISO |
| Unique Device Identification | Retained | UDI system is US-specific |
| Corrections and removals | Retained | 21 CFR Part 806 requirements |
Design Controls Harmonized
Design controls remain mandatory for Class II and III devices. The language is harmonized with ISO 13485's Clause 7.3, but the substance is essentially the same:
- Design and development planning
- Design inputs and outputs
- Design review, verification, and validation
- Design transfer
- Design changes
CAPA Requirements Aligned
The CAPA process under QMSR aligns with ISO 13485's Clause 8.5.2 (Corrective Action) and 8.5.3 (Preventive Action). Key considerations:
- Root cause analysis is now explicitly required (ISO 13485 is more prescriptive here than the old QSR)
- Effectiveness checks must be documented and verified
- Preventive action scope is broadened — ISO 13485 requires proactive identification of potential nonconformities, not just reaction to existing ones
Management Responsibility Expanded
ISO 13485 Clause 5 (Management Responsibility) is more detailed than the old QSR provisions. Management must now:
- Establish and communicate a quality policy
- Conduct formal management reviews at planned intervals
- Ensure resource adequacy (competence, infrastructure, work environment)
- Appoint a management representative with defined authority
What You Need to Do
If You're Already ISO 13485 Certified
Good news — you're most of the way there. Your primary task is a gap analysis against the FDA-specific additions that sit on top of ISO 13485. Focus areas:
Complaint handling — Review your complaint procedures against the retained 21 CFR 820.198 requirements. Ensure your process explicitly addresses MDR reportability determination.
MDR reporting integration — Verify that your complaint and CAPA processes have clear triggers for MDR reporting. The QMSR doesn't change MDR requirements, but your QMS must demonstrate the linkage.
Record retention — Compare your current retention periods against FDA requirements. FDA generally requires records be retained for the design life of the device, but no less than 2 years from the date of release.
Design History File — While harmonized, ensure your design and development files meet FDA's expectation for a complete, organized record of the design process.
UDI compliance — If you haven't already integrated UDI into your labeling and device tracking processes, now is the time.
If You're QSR-Compliant but Not ISO 13485 Certified
This requires more work. You'll need to:
Obtain a copy of ISO 13485:2016 — The standard is copyrighted by ISO and must be purchased. It is not freely available.
Conduct a clause-by-clause gap analysis — Map your current QSR procedures to ISO 13485 clauses. Key gaps typically include:
- Risk-based approach to quality (ISO 13485 is more explicit about risk throughout the QMS, not just in design)
- Documented information requirements (ISO 13485 has specific requirements for document and record control)
- Infrastructure and work environment requirements
- Supplier control requirements (ISO 13485 Clause 7.4 is more detailed)
Implement missing elements — Common gaps include:
- Quality manual (explicitly required by ISO 13485)
- Management review procedures and records
- Competency assessment and training records
- Work environment monitoring and control
Consider pursuing ISO 13485 certification — While not required by FDA, certification by an accredited registrar provides:
- Third-party validation of your QMS
- Simplified MDSAP participation
- Market access advantages in countries requiring ISO 13485 certification
- Reduced audit burden through combined audits
Timeline and Compliance Dates
The QMSR final rule includes a transition period to give manufacturers time to adapt. Key dates:
- Publication date: The rule was published in the Federal Register in early 2025
- Effective date: 2 years from publication (anticipated early 2027)
- During the transition: Companies can comply with either the current QSR or the new QMSR
- After the effective date: Full compliance with QMSR is mandatory
Recommended Transition Timeline
| Phase | Timing | Actions |
|---|---|---|
| Assessment | Now – 6 months | Gap analysis, resource planning, management briefing |
| Implementation | 6 – 18 months | Procedure updates, training, document migration |
| Verification | 18 – 22 months | Internal audits against QMSR, management review |
| Go-live | 22 – 24 months | Full QMSR compliance, ready for FDA inspection |
Impact on MDSAP Participants
If your company participates in the Medical Device Single Audit Program (MDSAP), the transition is simpler. MDSAP already audits against ISO 13485, so the gap between your current system and the QMSR is minimal. The main adjustment is ensuring the FDA-specific additions are addressed within your MDSAP-compliant system.
Bottom Line
The QMSR is overwhelmingly positive for the medical device industry. One quality system, harmonized with the international standard, reduces compliance burden and cost. The companies that start their gap analysis now will be well-positioned when the effective date arrives.
For smaller companies and startups, this is particularly good news: you can build one quality system from the start, rather than having to maintain parallel compliance with two frameworks.
Start your gap analysis now. The transition period is generous, but the scope of changes — particularly for companies that are not already ISO 13485 certified — should not be underestimated.