Threeqa / Guides / FDA QMSR

The FDA QMSR, explained: Part 820 rebuilt on ISO 13485.

Since 2 February 2026, the Quality System Regulation that governed US medical device manufacturing for almost three decades is gone. The Quality Management System Regulation replaces it — built on ISO 13485:2016, with FDA's non-negotiables stapled back in. Here's what actually changed.

Written by the Threeqa founding team Last reviewed: June 2026 9 min read
What changed, and why

One quality system for both sides of the Atlantic.

The old Quality System Regulation (QSR) dated from 1996. ISO 13485 — the quality management standard the EU, Canada, Australia and Japan already build on — had evolved past it, and device manufacturers selling globally were maintaining two near-identical quality systems with different vocabulary. The QMSR ends that: FDA incorporated ISO 13485:2016 by reference into 21 CFR Part 820, making the international standard's requirements directly enforceable US law.

The final rule was published on 2 February 2024 with a two-year transition; it has been in force since 2 February 2026. There is no grace period left — if FDA inspects you today, it inspects against the QMSR.

The QMSR isn't a new quality system to learn. It's the system the rest of the world already runs — plus the parts FDA refused to give up.

That second half matters. The QMSR is not "ISO 13485, full stop." Where the standard was silent on things US law demands — adverse event reporting hooks, UDI records, label inspection — FDA wrote additional sections. And where ISO vocabulary collides with the Federal Food, Drug, and Cosmetic Act, the FD&C Act definitions win.

The new Part 820

What the regulation looks like now.

The QMSR is short — most of its substance lives in the incorporated standard:

SectionWhat it does
§ 820.1 Scope. Who must comply carries over from the QSR — including the design-control applicability rules for device classes.
§ 820.3 Definitions. FD&C Act and FDA definitions apply where they differ from ISO 9000/13485 terms; the rest of the ISO vocabulary stands.
§ 820.7 The incorporation by reference: ISO 13485:2016 in full, plus the terms and definitions of ISO 9000:2015, clause 3.
§ 820.10 The core obligation: manufacturers must establish and maintain a QMS that complies with ISO 13485 as modified by this part.
§ 820.15 Clarification of concepts — how ISO 13485 terms map onto FDA's regulatory framework.
§ 820.35 Control of records — FDA's additions on top of ISO 13485's records clause (see below).
§ 820.45 Device labeling and packaging controls — FDA's additions where it found ISO 13485 too weak (see below).

Risk management is the other quiet shift. The QSR mentioned risk once; ISO 13485:2016 applies risk-based thinking across the whole QMS — purchasing, training, software validation, supplier control — not just design. Teams whose risk file starts and ends with design controls have ground to cover.

What FDA added

The non-negotiables on top of ISO 13485.

  • Complaint and servicing records (§ 820.35). Records must capture the information needed for Part 803 medical device reporting — so a complaint record has to make the "is this reportable?" determination traceable. Servicing records get explicit content requirements of their own.
  • UDI documentation (§ 820.35). The unique device identifier must be recorded in the relevant records for each medical device or batch.
  • Label and packaging inspection (§ 820.45). FDA judged ISO 13485's labeling controls inadequate. Labels must be inspected for accuracy — including expiration date, control number, storage and handling instructions — before release, and the inspection documented.
  • Signature and date on records. The QMSR carries forward FDA's expectation that records are signed and dated by the individual who created or approved them — which, for electronic systems, keeps 21 CFR Part 11 squarely in scope.
What disappeared

Retired terms, retired inspections, retired exemptions.

  • The DHF, DMR and DHR as regulatory terms. The Design History File, Device Master Record and Device History Record no longer appear in the regulation. Their content lives on in ISO 13485's design and development file (clause 7.3.10), medical device file (clause 4.2.3) and production records. Same evidence, new names — your procedures should map the old structure to the new clauses. (If you also ship to the EU, this is the same body of records your MDR technical file draws from.)
  • QSIT. The Quality System Inspection Technique — the four-subsystem inspection model FDA used since 1999 — was retired on 2 February 2026. Inspections now follow FDA compliance program 7382.850.
  • The record exemptions of old § 820.180(c). This one catches teams off guard: under the QSR, FDA generally did not review management review minutes, internal audit reports or supplier audit reports. Under the QMSR, it can. Write those records as if an investigator will read them — because now one might.
What to do about it

The gap analysis, in priority order.

  1. If you're ISO 13485 certified: your structure is right. Run a focused gap analysis on the FDA additions — Part 803 hooks in complaint handling, UDI in records, label inspection before release, signatures and dates — and on the FD&C Act definitions where your procedures use ISO terms loosely.
  2. If you ran a QSR-era QMS without certification: map your procedures clause-by-clause to ISO 13485. Most of the content transfers; the gaps are usually risk-based thinking outside design control, and management responsibility as ISO structures it.
  3. If you're a startup building your first QMS: you're the lucky one — build to ISO 13485:2016 from day one and you satisfy FDA and the EU's expectations with a single system. Don't model anything on the old QSR; it's gone.
  4. Everyone: review management review, internal audit and supplier audit records with fresh eyes. They're inspectable now. And note that FDA does not require — or accept — an ISO 13485 certificate in place of its own inspection.
FAQ

Common questions.

Does the QMSR require ISO 13485 certification?
No. The text of the standard is incorporated into the regulation, but FDA establishes compliance through its own inspections. A registrar's certificate has no formal standing with FDA — certified or not, the inspection is the test.
We're ISO 13485 certified. Are we automatically compliant?
Mostly, not entirely. The QMSR adds FDA-specific requirements on top of the standard: Part 803-aligned complaint records, UDI documentation, label inspection before release, signature-and-date expectations, and FD&C Act definitions that override ISO vocabulary where they conflict. A focused gap analysis closes it; a rebuild isn't needed.
What happened to the DHF, DMR and DHR?
The terms left the regulation; the records didn't. ISO 13485's design and development file (7.3.10) and medical device file (4.2.3) carry the same content. Keep your structure if it works — just map it to the clauses inspectors now cite.
How do inspections change?
QSIT is retired; inspections follow compliance program 7382.850. The bigger practical change is scope: management review minutes, internal audit reports and supplier audit reports — exempt from review under the old § 820.180(c) — are now on the table.
Did the QMSR change who has to comply?
No. Scope and applicability carry over from the QSR, including the design-control rules by device class. What changed is what the requirements say, not who they reach.
Sources & further reading

FDA: Quality Management System Regulation (QMSR) — the agency's QMSR hub, including the final rule and FAQ.

FDA: QMSR Frequently Asked Questions — certification status, inspection approach, and transition questions answered by FDA directly.

Get started

One body of records, both markets.

Threeqa keeps your requirements, risks and evidence linked in one place — so the same records serve your ISO 13485 file for FDA and your technical file for the EU. Book a 30-minute walkthrough.

Book a demo Talk to a regulatory engineer