The FDA Group's Insider Newsletter

The FDA Group's Insider Newsletter

Where Our Auditors Are Finding QMSR Compliance Gaps

The QMSR readiness work our teams are doing on client QMS projects keeps surfacing the same handful of exposures.

The FDA Group's avatar
The FDA Group
Jul 08, 2026
∙ Paid

We recently highlighted that the FDA has reported gaps in QMSR compliance after the first few months following the regulation's launch.

Today, we wanted to follow up on that with a companion piece from our own audit work. We’ve been running QMSR readiness assessments and gap analyses across clients' quality systems well before the effective date, and now that inspections are being conducted against the new framework, a few patterns keep recurring in our audits.

Most of them trace back to one assumption: that this was a relabeling exercise. It was not! The requirements are largely the same in substance, but several things changed that change how an inspection goes. These are the points we are flagging for clients, and the reason we want subscribers thinking about them now rather than after an investigator arrives.

If you still need to get compliant with the QMSR, talk to us ASAP. We’ll pair you with the ISO/FDA expertise that can be hard to find for projects like this.

Some records that used to be off-limits are now fair game

This is the single change most worth internalizing. Under the old QSR, 21 CFR 820.180(c) shielded three categories of records from FDA review during a routine inspection:

  • Management review minutes

  • Internal quality audit reports

  • Supplier audit reports

Investigators couldn’t ask for them. In practice, that let companies document quality problems candidly in those records, knowing FDA would not see the underlying files.

That exemption is gone. The FDA did not carry 820.180(c) into the QMSR, and its own FAQ now states plainly that it has the authority to inspect management review, quality audits, and supplier audit reports. The new inspection program goes further and lists management reviews and internal audits among the elements investigators evaluate. So the records are not just theoretically accessible. The Compliance Program tells investigators to look at them.

Here’s what we’ve been seeing going wrong in practice:

  • Teams that relied on the old exemption wrote their internal audits and management reviews bluntly, because candor had no downside.

  • Now an open finding from your last internal audit, or a management review that flagged a systemic issue you never closed, is a roadmap an investigator can follow straight to a 483.

  • The answer is not to sanitize those records. Watering down your internal audits defeats their purpose and creates its own problems.

  • The answer is discipline on closure: close what you open, track findings to completion, and make sure the record shows the loop closing rather than a problem that was named and left.

  • If your last two years of management reviews and audits would read to an investigator as a list of unresolved issues, that is the first thing to fix!

Supplier audit reports deserve their own mention here. If your supplier “audit reports” are informal email summaries or notes from a phone call, they will not hold up now that FDA can request them.

Formal, structured supplier audit records, prioritized by the risk of the component or service, are worth standing up before an inspection forces the issue.

Risk now runs through the whole system, not just the product

We discussed this at length in our prior piece on the subject, but we definitely need to cover it again.

The old QSR mentioned risk exactly once, in the design validation section, and even there it said risk analysis "where appropriate." The QMSR, through ISO 13485, threads risk management through the entire quality system. There are two distinct things happening here, and conflating them is a common gap we flag.

  • The first is product risk management, the hazard analysis and risk controls for the device itself. That lives in the world of ISO 14971 and it’s familiar territory.

  • The second is newer as an inspectable expectation: the risk-based approach to the quality management system itself, in ISO 13485 clause 4.1.2. That clause requires you to apply risk-based thinking to how you control your QMS processes and outsourced processes, and clause 4.1 requires you to document how those processes interact.

The exposure this creates is that FDA can now cite you not only for a weak product risk file, but for QMS decisions that are not risk-based and for QMS processes that do not connect to each other.

If your complaint handling, CAPA, design, and postmarket surveillance operate in silos and do not feed one another, that is a defensible observation under clause 4.1. When we assess a client system, the interfaces between processes are often where the real gaps are, more so than any single procedure actually!

This is also where quality culture and top management enter the picture. ISO 13485 puts management responsibility up front in clause 5, and the new inspection posture expects to see leadership actively owning quality and risk across the product lifecycle. If the connections between your QMS processes are broken, an investigator can reasonably read that as a management and culture problem, and it lands on top management, not on the individual process owners.

“ISO 14971 isn’t a rule” is the argument that gets companies in trouble

The FDA did not codify ISO 14971 in the QMSR. Strictly speaking, it’s 'voluntary. We hear this used as a reason to push back on risk management expectations, and it’s a losing argument in an inspection. The FDA has recognized 14971 as a consensus standard for years; it trains its investigators to it, and it inspects to its expectations. The regulation points you to ISO 13485’s risk requirements, and the practical content of meeting those requirements looks like 14971 whether or not you cite it.

So your risk management file, functionally speaking, needs to do what 14971 does:

This post is for paid subscribers

Already a paid subscriber? Sign in
© 2026 The FDA Group, LLC · Publisher Terms
Substack · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture