QMSR is Here: What the New Rule and Compliance Program Mean for Device Manufacturers
The FDA's new quality system regulation and compliance program are now in effect. Here's what the new framework looks like, who's most at risk, and what to do about it.
As of yesterday, February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) is officially in effect. The two-year transition period that began when the FDA published the final rule in the Federal Register on February 2, 2024 (89 FR 7496) is over.
Alongside the QMSR effective date, as we recently reported on, the FDA published a new Compliance Program Manual — Inspection of Medical Device Manufacturers (CP 7382.850), dated January 30 — that replaces two previous compliance programs and lays out exactly how the agency’s investigators will conduct inspections going forward. The prior Quality System Inspection Technique (QSIT) has been retired.
To mark the milestone here, we thought we’d take a moment to recap where this came from and what to think about going forward.
Read our inspection readiness breakdown here:
Talk to us if you need audit, mock inspection, or general inspection-readiness support to align with these new expectations.
What changed and why
The QMSR harmonizes the FDA’s device quality system requirements with the international standard ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes. It also incorporates by reference Clause 3 of ISO 9000:2015 for quality management system terminology.
It’s been a long time coming. The FDA has been signaling this direction for years, and the international device community has been operating under ISO 13485 for much of the past decade. The goal was straightforward: align the U.S. regulatory framework with what’s already expected in most major global markets and reduce the duplicative burden on manufacturers who sell internationally.
For companies already complying with both the former QSR and ISO 13485, the transition should be manageable. As Kimberly Trautman, a medical device expert and former associate director of international affairs at CDRH, recently told RAPS, manufacturers already audited under the Medical Device Single Audit Program (MDSAP) across jurisdictions like the U.S., Canada, Australia, Brazil, and Japan shouldn’t face major new burdens since MDSAP is built on ISO 13485.
Who may struggle
Not every company is in the same position. Trautman flagged two groups that may find this transition more difficult:
Smaller, U.S.-focused firms. Companies that have only marketed products domestically and have limited experience with ISO 13485 will encounter new expectations around management responsibilities, supplier controls, and risk management that go beyond what the old QSR required.
Combination product manufacturers. There’s a misconception among some combination product companies that the QMSR doesn’t apply to them because the FDA maintains a separate compliance program for combination products. That’s wrong. The combination product compliance program references the medical device compliance program directly. If a product contains a device component, the QMSR applies.
As Trautman put it to RAPS, she’s concerned that some combination product makers believe they’re exempt, calling it a serious misconception.
Having helped several firms transition into QMSR compliance, her take is well-founded. Smaller firms and those who’ve not worked in the ISO paradigm are the ones with the biggest gaps to fill.
The new inspection framework puts risk at the center
The new compliance program manual (CP 7382.850) details a fundamentally risk-driven inspection approach, replacing the “checklist” approach in the QSIT. The document organizes QMSR requirements into six QMS Areas and four Other Applicable FDA Requirements (OAFRs).
The Six QMS Areas:
Management Oversight — ensuring top management plans, resources, and maintains an effective QMS with risk-based decision making.
Design and Development — ensuring design activities produce safe and effective devices.
Production and Service Provision — planning, monitoring, and controlling production.
Measurement, Analysis, and Improvement — monitoring, measuring, and improving the QMS.
Outsourcing and Purchasing — controlling outsourced processes and purchased product.
Change Control — evaluating changes for risk and impact before implementation.
The Four OAFRs:
Medical Device Reporting (21 CFR 803)
Reports of Corrections and Removals (21 CFR 806)
Medical Device Tracking Requirements (21 CFR 821)
Unique Device Identification (21 CFR 830)
The FDA will now use two inspection models. Inspection Model 1 requires investigators to evaluate at least one element in each QMS Area and OAFR and applies to non-baseline surveillance, compliance follow-ups, for-cause inspections, specific product risk assignments, and PMA postmarket inspections. Inspection Model 2 is more comprehensive, specifying particular elements within each QMS Area that must be evaluated, and is used for baseline surveillance inspections (firms with no prior inspection history) and PMA preapproval inspections.
Risk management is explicitly positioned at the center of the inspection process. Investigators are expected to become familiar with a manufacturer’s risk management documentation and use it to guide which requirements they evaluate and how deeply they dig.
What investigators will look for
The compliance program outlines the pre-inspection and on-site data sources inspectors will use to identify product risks:
Before arriving: MDRs, corrections and removals reports, GUDID records, consumer complaints, TPLC reports, and compliance management system data.
During the inspection: Complaints and customer feedback, postmarket surveillance data, risk management documentation, process monitoring data, trends in product and process characteristics, and servicing records.
Investigators are instructed to select records for review based on identified product risks and to review multiple records to build assurance that requirements are being met and risks are controlled. When deficiencies are found, they collect supporting documentation.
The inspection workforce question
One concern worth watching is the agency’s readiness to actually execute this new approach. Over the past few years, the FDA has said its invested heavily in training its investigators to become ISO 13485 specialists in preparation for the QMSR transition. But as Trautman noted in her comments to RAPS, many of those trained specialists have left the agency over the past year through various mechanisms.
The practical consequence is that companies may encounter investigators who are less familiar with ISO 13485 and the nuances of the new framework. Trautman suggested the industry may be returning to an era where more generalist investigators are conducting device inspections.
The takeaway for manufacturers: be prepared to clearly explain your QMS rationale to inspectors who may be learning the new system alongside you.
Regulatory enforcement under the QMSR
The compliance program’s enforcement strategy hasn’t fundamentally changed in philosophy, but the specifics are worth noting.
FDA classifies inspections as NAI (No Action Indicated), VAI (Voluntary Action Indicated), or OAI (Official Action Indicated). The criteria for OAI remain serious: systemic or repeat deviations with evidence of adverse impact or significant risk to patients, failure to establish or maintain QMS elements, distribution of nonconforming product without effective mitigation, and failure to implement adequate risk management processes.
The document also emphasizes that voluntary corrections are the FDA’s preferred outcome. Manufacturers have 15 business days after inspection close to submit corrective action plans. But voluntary correction doesn’t prevent advisory, administrative, or judicial action.
The recidivist policy is also detailed: manufacturers with repeated violative inspections may receive a Recidivist Warning Letter requiring up to two years of annual third-party audits and CEO certification. If conditions still don’t improve, the agency will consider administrative or judicial action.
What to do now
If you’re a device manufacturer, the clock already struck midnight. Here’s where to focus if there’s work to do:
Confirm your QMS documentation maps to ISO 13485:2016. Your quality manual, procedures, and records should reference the ISO 13485 clause structure, not the old QSR subsections. The regulation at 21 CFR 820.10 now requires documented QMS compliance with applicable ISO 13485 requirements.
Assess your risk management maturity. Risk management isn’t a standalone activity under QMSR — it’s expected throughout product realization (ISO 13485 Clause 7.1) and at the center of how FDA will evaluate your operations. Make sure your risk management file is current, connected to your design and production controls, and reflects how decisions are actually made.
Review the additional QMSR requirements. The regulation isn’t just ISO 13485 by reference. The FDA added specific provisions in 21 CFR 820.10(b) covering UDI system requirements (referencing 21 CFR 830), traceability per 21 CFR 821, MDR reporting under 21 CFR 803, and corrections and removals under 21 CFR 806. Sections 820.35 and 820.45 add requirements for records and labeling examination, respectively. Don’t overlook these!
Prepare for a different inspection experience. The QSIT subsystem approach is gone. Inspectors will be following a risk-based model, potentially moving across QMS areas in ways that may feel less predictable. Make sure your team can walk an investigator through your processes and explain your risk-based rationale fluently.
If you’re a combination product manufacturer, act now. The QMSR applies to you. The combination product compliance program points directly to CP 7382.850 for device components.
Final thoughts
The new compliance program manual gives the industry a transparent look at how the FDA plans to inspect. That transparency is an advantage, use it! Read CP 7382.850. Understand the inspection models. Know what inspectors will be looking for. And be ready to articulate your QMS strategy with confidence.
If you need help preparing for QMSR-aligned inspections, pressure-testing management oversight, or responding to FDA observations under the new framework, this is exactly the work we support every day. Talk to us.
Who is The FDA Group?
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.
With thousands of resources worldwide, hundreds of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee. Learn more and schedule a call with us to see if we’re a fit to help you access specialized professionals and execute your projects on time and on budget.