FDA QMSR Gap Analysis: Compliance Guide for IVD and CDx Manufacturers

Written by Joana Martins Published on 20.02.2026 Last updated on 04.06.2026

On February 2, 2026, the U.S. Food and Drug Administration (FDA) implemented the new Quality Management System Regulation (QMSR), formally replacing the former Quality System Regulation (21 CFR Part 820). With this transition, the FDA incorporated ISO 13485:2016 by reference into U.S. law and introduced a new inspection model under Compliance Program 7382.850.

This article focuses on that second question. It explains how to structure a QMSR gap analysis, which areas almost always reveal gaps in practice, particularly for IVD and companion diagnostic manufacturers, and what FDA inspectors are finding in the first wave of QMSR inspections.

The insights below draw directly on MDx CRO’s quality and regulatory affairs experience supporting IVD manufacturers through QMSR readiness assessments.

Key point: ISO 13485 certification does not equal QMSR compliance. FDA-specific requirements remain fully enforceable, and under QMSR, inspectors now access records they previously could not.

Why the FDA QMSR Matters Beyond the February 2026 Deadline

The February deadline was the starting point, not the finish line. FDA’s Compliance Program 7382.850 is now the active inspection model. Manufacturers operating under the assumption that QMSR readiness was a one-time transition exercise are exposed to a different enforcement environment than the one they prepared for.

Under the former QSR model, inspections used QSIT subsystem checklists. Under QMSR, investigators evaluate how quality processes function as an integrated lifecycle framework, not whether each subsystem satisfies an individual checklist. That structural shift changes what inspectors look for and what they find.

Inspection change: FDA inspectors can now access internal audit reports, management reviews, and supplier audits. Under the previous QSR model, these records were largely outside inspection scope. Many manufacturers are unaware of this shift and have not reviewed the quality or completeness of these documents with inspection readiness in mind.

MDSAP Audit Approach 2026: How It Differs from FDA Inspections Under QMSR

MDSAP audits and FDA inspections serve fundamentally different regulatory functions and must not be conflated.

An MDSAP audit is conducted by an FDA-recognized Auditing Organization. It assesses conformity with harmonized quality management system requirements — ISO 13485 and the regulatory requirements of participating authorities including FDA. It is scheduled, structured, and conformity-focused. Participation remains voluntary.

An FDA inspection is a statutory enforcement activity conducted directly by FDA investigators. Its objective is not certification — it is the evaluation of compliance with US legal requirements and the identification of potential violations, systemic weaknesses, or public health risks.

MDSAP auditFDA inspection (CP 7382.850)
Conformity-focusedCompliance-driven and enforceable
Scheduled and structuredRisk-based, for-cause, or routine
Bound by MDSAP task structureNot limited by MDSAP scope or sampling
Outcome: certification reportOutcome: Form 483 / warning letter / no action
Internal records may not be reviewedInternal audits, supplier audits, management reviews now in scope

Strong MDSAP performance may influence FDA surveillance planning. It does not eliminate the possibility of inspection, nor does it guarantee a favourable outcome when one occurs.

Common Assumptions That Increase Inspection Risk

Several structural misconceptions remain widespread. Under QMSR, these assumptions translate directly into inspection exposure.

  • “MDSAP replaces FDA inspections.” It informs surveillance planning. It does not limit FDA’s statutory authority.
  • “If the MDSAP auditor didn’t find it, FDA won’t pursue it.” FDA investigators are not constrained by MDSAP audit depth or task sequencing.
  • “ISO 13485 certification ensures FDA compliance.” ISO 13485 is incorporated by reference into QMSR, but FDA-specific requirements — UDI, MDR, device listing, labeling controls — remain fully enforceable and are not covered by ISO 13485 alone.
  • “QMSR was a documentation update.” For ISO-certified manufacturers, many gaps are substantive — missing FDA-required record content, incomplete UDI integration, absent MDR linkage — not cosmetic.

QMSR vs QSR vs ISO 13485: What Actually Changed

QMSR incorporates ISO 13485:2016 by reference into US law. That is a structural alignment, not a reduction in FDA enforcement authority. Obligations related to UDI, MDR, device listing, and labeling controls continue to apply in full.

ElementFormer QSR (21 CFR 820)FDA QMSR (2026)ISO 13485:2016
Legal statusUS regulationUS regulation (ISO 13485 incorporated by reference)International standard
Inspection modelQSIT subsystem checklistsCP 7382.850 — lifecycle, risk-basedCertification audit
Internal audit accessLimited under §820.180(c)Internal audits and management reviews reviewableAuditor access at certification
CAPA focusProcedural complianceDemonstrated effectiveness + root cause verificationEffectiveness required
FDA-specific requirementsFully embeddedUDI, MDR, labeling still fully enforceableNot included

Takeaway: ISO 13485 alignment does not eliminate FDA-specific compliance obligations. A manufacturer can hold ISO 13485 certification and still have substantive QMSR gaps.

FDA Compliance Program 7382.850: How Inspections Work

As of 2 February 2026, FDA retired QSIT and implemented Compliance Program 7382.850. Inspections are now organised around six integrated QMS areas and four Other Applicable FDA Requirements (OAFRs).

Six QMS areasFour OAFRs
Change ControlUnique Device Identification (UDI)
Design & DevelopmentMedical Device Reporting (MDR)
Management OversightCorrections & Removals
Outsourcing & PurchasingTracking
Production & Service Provision
Measurement, Analysis & Improvement

Under this model, FDA evaluates how quality subsystems operate as an interconnected framework — not as isolated elements. Inspectors assess whether risk information, design decisions, post-market data, and management oversight are aligned throughout the product lifecycle.

The Four Areas That Almost Always Reveal Gaps

Across QMSR gap assessments conducted on IVD and medical device manufacturers, four areas surface as gaps with consistent regularity — even in organisations that have maintained ISO 13485 certification for years.

1. Complaint handling and servicing records

Many companies aligned with ISO 13485 underestimate the level of record detail FDA expects. Under QMSR, complaint and servicing records must include specific, enumerated data fields that ISO 13485 does not explicitly define. Records are often incomplete from an FDA perspective even when they satisfy the certification standard.

2. UDI traceability and record integration

UDI compliance is not simply a matter of having a UDI assigned and registered in GUDID. QMSR requires the UDI to be consistently recorded across multiple record types: complaints, servicing records, and batch or device history records. That level of cross-system integration is frequently missing — particularly in manufacturers who completed UDI registration without reviewing how UDI flows through their quality records.

3. Labeling and packaging controls

FDA maintains specific requirements for label content — including UDI, expiry dates, and handling instructions — and expects documented procedures designed to ensure accuracy and prevent mix-ups. These requirements are often handled informally or through processes that do not meet FDA’s explicit documentation expectations, even when the labels themselves are technically correct.

4. Linkage between ISO processes and FDA regulatory requirements

This is the gap that most consistently surprises ISO-certified organisations. A company may have complaint handling aligned with ISO 13485 clause 8.2.2 and consider that requirement closed — but fail to explicitly connect that process to Medical Device Reporting obligations under 21 CFR Part 803. FDA does not treat ISO conformity as a substitute for regulatory linkage. Each process must demonstrably connect to the applicable FDA requirement in the documentation.

“Companies often assume that having a robust ISO-aligned procedure is sufficient. What we find in practice is that the procedure exists — but there is no explicit documented connection between that procedure and the FDA-specific obligation it is meant to fulfil. That gap is invisible until an inspector asks for it.”

Joana Martins, QA/RA Specialist, MDx CRO

Why QMSR Gap Analysis Is More Complex for IVD and CDx Manufacturers

ISO 13485 and QMSR do not formally distinguish between device types. However, the nature of IVDs fundamentally changes which gaps are most consequential and how difficult they are to close.

Illustration of FDA inspection process emphasizing quality management systems, risk-based audits, and manufacturer readiness in MedTech industry.

A QMSR gap analysis for an IVD manufacturer must extend beyond traditional quality system elements. It needs to integrate scientific validity, analytical performance, and clinical evidence into the assessment framework. Where a general medical device gap analysis evaluates whether a product is designed, manufactured, and controlled to ensure safety and functional performance, an IVD-focused analysis must additionally verify that the product generates clinically reliable results under real-world biological variability.

AreaGeneral medical deviceIVD / CDx — additional complexity
Design controlsUser needs, design inputs, outputs, V&VIntended use, specimen type, analyte definition, performance claims must link to analytical and clinical data
Risk managementDevice failure modesMust also cover false positive and false negative results, diagnostic decision risks, interfering substances, matrix effects
Production controlsProcess validation, specificationsLot-to-lot variability of biological materials must be validated against clinically relevant performance criteria
Post-market surveillanceComplaint handling, MDRMust detect performance drift — shifts in sensitivity or specificity — not just product failures
Purchasing controlsSupplier qualificationSupplier variability can directly affect assay performance outcomes

“For IVDs, failures may not manifest as product defects — they manifest as clinically incorrect results. That is a more insidious form of non-compliance, and it means the risk management and design control documentation needs to work harder than it does for a general medical device.”

Joana Martins, QA/RA Specialist, MDx CRO

What FDA Is Finding in QMSR Inspections: Warning Letter Patterns

Recent warning letters issued by CDRH following QMSR inspections show a consistent pattern. Deficiencies are not isolated — they are interconnected, reflecting a failure to operate an effective integrated quality system rather than individual documentation gaps.

Finding categoryMost common deficiency pattern
CAPAProcedures not defined or inadequate; failure to investigate root causes; CAPAs not verified for effectiveness
Complaint handlingComplaints not properly documented or evaluated; failure to assess whether complaints are reportable under MDR; no complaint trending or statistical analysis
Design controlsLack of design verification and validation; poor documentation of design changes and their impact; no design and development plan or procedure
Supplier controlsLack of defined quality requirements that suppliers must meet; no risk-based audit justification
Process validationManufacturing processes not validated; no revalidation after changes; validation protocols incomplete or not scientifically justified
Management responsibilityManagement not actively involved in QMS; no effective management review with documented decisions and follow-up

Important: The FDA has clarified that if previous inspections were conducted under the QS Regulation (prior to 2 February 2026), any corrective actions proposed or implemented must now be pursued pursuant to QMSR requirements — not the former QSR standard.

What FDA Inspectors Scrutinize Most

Based on regulatory inspection support experience, three documentation areas present heightened exposure under QMSR.

1. Internal audits, supplier audits, and management review records

Under QMSR, FDA inspectors may review internal audit reports, supplier audit outcomes, and management review records. Investigators evaluate whether quality processes function effectively in practice — not merely whether procedures formally exist. Records must clearly demonstrate identified issues, root cause analysis, corrective actions, and documented closure. Incomplete or draft audit records increase inspection risk.

2. Design controls and traceability (ISO 13485 clause 7.3)

Manufacturers must demonstrate full traceability across user needs, design inputs, design outputs, verification and validation, and residual risks. Traceability weaknesses frequently arise at the interfaces between risk management files, labeling claims, UDI triggers, and MDR criteria. For companion diagnostics, this alignment is especially critical because intended use, biomarker claims, and clinical evidence directly impact regulatory risk classification.

3. CAPA and effectiveness verification

CAPA remains one of the most enforcement-sensitive areas under QMSR. The most common weakness is the absence of documented effectiveness verification following corrective actions. Closing a CAPA administratively — marking it complete without objective evidence that the root cause was eliminated — is insufficient. Investigators expect evidence demonstrating that actions prevented recurrence.

Inspection Risk Indicators

Risk areaTypical vulnerability
CAPARepeated issues without documented effectiveness verification
Design controlsIncomplete traceability between risk analysis and design inputs
Management reviewMinutes lacking documented decisions, metrics, or follow-up actions
Supplier oversightNo risk-based justification for audit scope; missing quality requirements for suppliers
Post-market surveillanceComplaint trends not connected to CAPA or design updates
UDINot consistently recorded across complaints, servicing records, and device history records
MDR linkageComplaint handling procedures not explicitly connected to MDR reporting obligations

How to Conduct a QMSR Gap Analysis: Process and Timeline

ISO 13485 certification does not automatically confirm FDA QMSR compliance. A structured gap analysis identifies the regulatory overlays and inspection exposure points that ISO conformity alone leaves unaddressed.

What a QMSR gap analysis covers

A thorough assessment works through four stages:

  1. Clause mapping: Map ISO 13485 clauses to QMSR references. Confirm terminology alignment. Identify where the QMSR adds FDA-specific requirements beyond the ISO standard.
  2. FDA-specific overlay identification: Verify explicit incorporation of UDI requirements across all applicable record types, MDR reporting triggers and their linkage to complaint handling, labeling obligations under 21 CFR Part 801, and device listing and registration controls.
  3. Documentation exposure review: Assess internal audit completeness and whether records are inspection-ready, CAPA effectiveness evidence, management review decision traceability, and supplier risk classification and audit justification.
  4. Risk prioritisation and remediation planning: Each gap is assessed for potential impact on quality, business continuity, and regulatory standing. Higher-risk gaps — those most likely to generate Form 483 observations or warning letters — are prioritised for remediation with assigned ownership and timelines.

How long does it take?

A gap analysis typically takes 4–6 weeks, provided documentation is made available at the outset. Implementation of corrective actions depends on the number and severity of findings and on the responsiveness of the internal team.

For manufacturers with both QMSR and ISO 13485 gaps, implementation may take 4–5 months. Where gaps are limited to QMSR-specific requirements in an otherwise ISO-aligned system, the timeline is typically shorter.

The ISO 13485 certification gap — what ‘compliant’ actually means

A persistent scenario in QMSR readiness work: a manufacturer holds ISO 13485 certification, has documented procedures that appear robust, and believes ISO alignment is sufficient. Gaps emerge in missing FDA-required data fields in records, incomplete UDI implementation, and failure to link ISO processes to FDA regulatory requirements.

They are structurally compliant with ISO but not fully aligned with FDA expectations. The distinction matters: an FDA inspector is not evaluating conformity to a certification standard. The inspector is evaluating compliance with US law and assessing whether the quality system actually functions as an integrated framework.

Medical device quality management and inspection process with team training, data-driven review, and inspection narratives for FDA compliance.

Practical Implications for Manufacturers

Inspection scope may be data-driven. FDA may use pre-inspection data reviews to target areas of concern, increasing scrutiny where trends or inconsistencies are identified.

FDA inspectors are evaluating how quality processes work together in practice — not whether each subsystem satisfies a checklist in isolation.

Previously internal records are now fair game. Internal audit reports, supplier audit outcomes, and management review records may be reviewed. These documents must reflect issues identified, decisions made, and actions taken.

Risk management must be continuous and demonstrable. FDA expects risk to be actively monitored and linked to CAPA, design changes, supplier controls, and post-market surveillance — not treated as a static exercise.

Post-market data is a primary inspection focus. Complaint trends, MDR, recalls, UDI, and tracking data are increasingly used to assess whether the quality system is effective and responsive.

How MDx Supports FDA QMSR Readiness: Expert Insight

Transitioning from QSR to FDA QMSR requires more than updating terminology. It demands structural alignment, inspection-oriented preparation.

Based on field experience supporting manufacturers through inspection preparation and regulatory alignment projects, Joana Martins, QA/RA Specialist at MDx, emphasizes that the most frequent vulnerabilities do not stem from missing procedures, but from insufficiently demonstrated system effectiveness.

According to Joana’s inspection readiness experience, organizations often underestimate three exposure points during FDA inspection preparation:

  • The depth of documentation review now permitted under QMSR
  • The need for traceability between risk management, design controls, and post-market data
  • The importance of documented effectiveness verification within CAPA systems

To address these exposure points, MDx supports medical device manufacturers through:

  • Independent QMSR-aligned readiness assessments focused on inspection exposure
  • Structured QMSR gap analysis incorporating FDA-specific regulatory overlays
  • Mock FDA inspections aligned with Compliance Program 7382.850
  • Strategic support for companies developing FDA companion diagnostics, where design traceability, labeling controls, and lifecycle data integration require heightened regulatory coherence

Rather than approaching FDA QMSR as a documentation update, MDx works with organizations to ensure their quality systems demonstrate operational integrity, risk-based decision-making, and inspection resilience.

Organizations preparing for FDA inspection or evaluating their QMSR alignment can benefit from early, structured assessment. Proactive evaluation reduces remediation timelines, minimizes inspection disruption, and strengthens regulatory confidence.

Frequently Asked Questions About FDA QMSR, MDSAP, and Inspections

What is the main difference between QSR and QMSR?

The main difference is structural alignment. Under QSR, FDA requirements were written directly into 21 CFR Part 820. Under QMSR, the FDA incorporates ISO 13485:2016 by reference into U.S. law while keeping FDA-specific obligations in force. In short, QMSR harmonizes structure with ISO 13485. However, it does not reduce FDA enforcement authority or eliminate U.S.-specific requirements such as MDR, UDI, or device listing.

Does ISO 13485 certification guarantee FDA compliance under QMSR?

No, it does not. Although ISO 13485 forms the backbone of QMSR, FDA-specific statutory requirements still apply. Manufacturers must comply with MDR, UDI, corrections and removals, and other U.S. obligations. Based on regulatory experience, companies often assume ISO certification closes all gaps. In practice, a targeted QMSR gap assessment is necessary to confirm full FDA alignment.

What replaced QSIT in FDA inspections?

FDA replaced QSIT with Compliance Program 7382.850, effective February 2, 2026. This new program aligns inspections with the QMSR framework. Instead of subsystem checklists, FDA now organizes inspections around six QMS areas and four Other Applicable FDA Requirements (OAFRs). As a result, inspections follow a more integrated, risk-based, lifecycle-focused approach.

Can FDA inspect internal audit reports under QMSR?

Yes. Under QMSR, FDA investigators may review internal audit reports, supplier audits, and management review records.
In practice, inspectors now verify whether issues were identified, documented, and effectively closed. They no longer focus only on whether procedures exist, they assess whether the system works as intended.
Incomplete or unverified audit actions may increase inspection risk.

What records are now receiving greater scrutiny during FDA inspections?

FDA now places greater scrutiny on:
– Internal and supplier audit reports
– Management review documentation
– Design control traceability records
– CAPA procedures and effectiveness checks
From inspection experience, CAPA effectiveness verification is a frequent weak point. Companies often implement corrective actions but fail to document objective evidence that the action resolved the root cause.
Under QMSR, effectiveness matters as much as documentation.

Why are companies that passed MDSAP still receiving FDA 483 observations?

Because MDSAP and FDA inspections serve different purposes. MDSAP evaluates conformity. FDA inspections assess legal compliance and public health risk. FDA investigators are not bound by MDSAP sampling methods or audit scope. If inspectors identify ineffective CAPA, weak traceability, or gaps between procedures and actual practice, they may issue Form 483 observations, even after a successful MDSAP audit.

How should manufacturers prepare for FDA inspections under QMSR?

Start early. Preparation often takes longer than expected. Then conduct a structured QMSR gap assessment. ISO 13485 compliance alone does not confirm full FDA alignment. Finally, train teams on Compliance Program 7382.850. Mock interviews and inspection simulations help identify weaknesses. Even documented remediation in progress demonstrates system control and reduces inspection risk.

When does FDA QMSR enforcement begin?

FDA QMSR enforcement began on February 2, 2026, when the new Quality Management System Regulation officially replaced the former Quality System Regulation (21 CFR Part 820). From that date, FDA inspections operate under Compliance Program 7382.850.

What are the FDA QMSR and ISO 13485 harmonization requirements for 2026?

Under the 2026 QMSR, ISO 13485:2016 is incorporated by reference into U.S. law. This means manufacturers must meet ISO 13485 requirements as part of FDA compliance. However, harmonization is not complete equivalence, FDA-specific obligations such as UDI, MDR reporting, device listing, and labeling controls remain fully enforceable and are not covered by ISO 13485 alone. See the QSR vs QMSR vs ISO 13485 comparison table above for a detailed breakdown.

Written by:

Joana Martins

Quality and Regulatory Affairs professional specializing in medical devices and IVDs. More than 10 years supporting companies in achieving global compliance with EU MDR and FDA requirements, focusing on QMS implementation, risk management, and regulatory strategy.
View all articles →
Industry Insights & Regulatory Updates