On February 2, 2026, the U.S. Food and Drug Administration (FDA) implemented the new Quality Management System Regulation (QMSR), formally replacing the former Quality System Regulation (21 CFR Part 820). With this transition, the FDA incorporated ISO 13485:2016 by reference into U.S. law and introduced a new inspection model under Compliance Program 7382.850.
This article focuses on that second question. It explains how to structure a QMSR gap analysis, which areas almost always reveal gaps in practice, particularly for IVD and companion diagnostic manufacturers, and what FDA inspectors are finding in the first wave of QMSR inspections.
The insights below draw directly on MDx CRO’s quality and regulatory affairs experience supporting IVD manufacturers through QMSR readiness assessments.
Key point: ISO 13485 certification does not equal QMSR compliance. FDA-specific requirements remain fully enforceable, and under QMSR, inspectors now access records they previously could not.
Why the FDA QMSR Matters Beyond the February 2026 Deadline
The February deadline was the starting point, not the finish line. FDA’s Compliance Program 7382.850 is now the active inspection model. Manufacturers operating under the assumption that QMSR readiness was a one-time transition exercise are exposed to a different enforcement environment than the one they prepared for.
Under the former QSR model, inspections used QSIT subsystem checklists. Under QMSR, investigators evaluate how quality processes function as an integrated lifecycle framework, not whether each subsystem satisfies an individual checklist. That structural shift changes what inspectors look for and what they find.
Inspection change: FDA inspectors can now access internal audit reports, management reviews, and supplier audits. Under the previous QSR model, these records were largely outside inspection scope. Many manufacturers are unaware of this shift and have not reviewed the quality or completeness of these documents with inspection readiness in mind.
MDSAP Audit Approach 2026: How It Differs from FDA Inspections Under QMSR
MDSAP audits and FDA inspections serve fundamentally different regulatory functions and must not be conflated.
An MDSAP audit is conducted by an FDA-recognized Auditing Organization. It assesses conformity with harmonized quality management system requirements — ISO 13485 and the regulatory requirements of participating authorities including FDA. It is scheduled, structured, and conformity-focused. Participation remains voluntary.
An FDA inspection is a statutory enforcement activity conducted directly by FDA investigators. Its objective is not certification — it is the evaluation of compliance with US legal requirements and the identification of potential violations, systemic weaknesses, or public health risks.
| MDSAP audit | FDA inspection (CP 7382.850) |
|---|---|
| Conformity-focused | Compliance-driven and enforceable |
| Scheduled and structured | Risk-based, for-cause, or routine |
| Bound by MDSAP task structure | Not limited by MDSAP scope or sampling |
| Outcome: certification report | Outcome: Form 483 / warning letter / no action |
| Internal records may not be reviewed | Internal audits, supplier audits, management reviews now in scope |
Strong MDSAP performance may influence FDA surveillance planning. It does not eliminate the possibility of inspection, nor does it guarantee a favourable outcome when one occurs.
Common Assumptions That Increase Inspection Risk
Several structural misconceptions remain widespread. Under QMSR, these assumptions translate directly into inspection exposure.
- “MDSAP replaces FDA inspections.” It informs surveillance planning. It does not limit FDA’s statutory authority.
- “If the MDSAP auditor didn’t find it, FDA won’t pursue it.” FDA investigators are not constrained by MDSAP audit depth or task sequencing.
- “ISO 13485 certification ensures FDA compliance.” ISO 13485 is incorporated by reference into QMSR, but FDA-specific requirements — UDI, MDR, device listing, labeling controls — remain fully enforceable and are not covered by ISO 13485 alone.
- “QMSR was a documentation update.” For ISO-certified manufacturers, many gaps are substantive — missing FDA-required record content, incomplete UDI integration, absent MDR linkage — not cosmetic.
QMSR vs QSR vs ISO 13485: What Actually Changed
QMSR incorporates ISO 13485:2016 by reference into US law. That is a structural alignment, not a reduction in FDA enforcement authority. Obligations related to UDI, MDR, device listing, and labeling controls continue to apply in full.
| Element | Former QSR (21 CFR 820) | FDA QMSR (2026) | ISO 13485:2016 |
|---|---|---|---|
| Legal status | US regulation | US regulation (ISO 13485 incorporated by reference) | International standard |
| Inspection model | QSIT subsystem checklists | CP 7382.850 — lifecycle, risk-based | Certification audit |
| Internal audit access | Limited under §820.180(c) | Internal audits and management reviews reviewable | Auditor access at certification |
| CAPA focus | Procedural compliance | Demonstrated effectiveness + root cause verification | Effectiveness required |
| FDA-specific requirements | Fully embedded | UDI, MDR, labeling still fully enforceable | Not included |
Takeaway: ISO 13485 alignment does not eliminate FDA-specific compliance obligations. A manufacturer can hold ISO 13485 certification and still have substantive QMSR gaps.
FDA Compliance Program 7382.850: How Inspections Work
As of 2 February 2026, FDA retired QSIT and implemented Compliance Program 7382.850. Inspections are now organised around six integrated QMS areas and four Other Applicable FDA Requirements (OAFRs).
| Six QMS areas | Four OAFRs |
| Change Control | Unique Device Identification (UDI) |
| Design & Development | Medical Device Reporting (MDR) |
| Management Oversight | Corrections & Removals |
| Outsourcing & Purchasing | Tracking |
| Production & Service Provision | |
| Measurement, Analysis & Improvement |
Under this model, FDA evaluates how quality subsystems operate as an interconnected framework — not as isolated elements. Inspectors assess whether risk information, design decisions, post-market data, and management oversight are aligned throughout the product lifecycle.
The Four Areas That Almost Always Reveal Gaps
Across QMSR gap assessments conducted on IVD and medical device manufacturers, four areas surface as gaps with consistent regularity — even in organisations that have maintained ISO 13485 certification for years.
1. Complaint handling and servicing records
Many companies aligned with ISO 13485 underestimate the level of record detail FDA expects. Under QMSR, complaint and servicing records must include specific, enumerated data fields that ISO 13485 does not explicitly define. Records are often incomplete from an FDA perspective even when they satisfy the certification standard.
2. UDI traceability and record integration
UDI compliance is not simply a matter of having a UDI assigned and registered in GUDID. QMSR requires the UDI to be consistently recorded across multiple record types: complaints, servicing records, and batch or device history records. That level of cross-system integration is frequently missing — particularly in manufacturers who completed UDI registration without reviewing how UDI flows through their quality records.
3. Labeling and packaging controls
FDA maintains specific requirements for label content — including UDI, expiry dates, and handling instructions — and expects documented procedures designed to ensure accuracy and prevent mix-ups. These requirements are often handled informally or through processes that do not meet FDA’s explicit documentation expectations, even when the labels themselves are technically correct.
4. Linkage between ISO processes and FDA regulatory requirements
This is the gap that most consistently surprises ISO-certified organisations. A company may have complaint handling aligned with ISO 13485 clause 8.2.2 and consider that requirement closed — but fail to explicitly connect that process to Medical Device Reporting obligations under 21 CFR Part 803. FDA does not treat ISO conformity as a substitute for regulatory linkage. Each process must demonstrably connect to the applicable FDA requirement in the documentation.
“Companies often assume that having a robust ISO-aligned procedure is sufficient. What we find in practice is that the procedure exists — but there is no explicit documented connection between that procedure and the FDA-specific obligation it is meant to fulfil. That gap is invisible until an inspector asks for it.”
Joana Martins, QA/RA Specialist, MDx CRO
Why QMSR Gap Analysis Is More Complex for IVD and CDx Manufacturers
ISO 13485 and QMSR do not formally distinguish between device types. However, the nature of IVDs fundamentally changes which gaps are most consequential and how difficult they are to close.

A QMSR gap analysis for an IVD manufacturer must extend beyond traditional quality system elements. It needs to integrate scientific validity, analytical performance, and clinical evidence into the assessment framework. Where a general medical device gap analysis evaluates whether a product is designed, manufactured, and controlled to ensure safety and functional performance, an IVD-focused analysis must additionally verify that the product generates clinically reliable results under real-world biological variability.
| Area | General medical device | IVD / CDx — additional complexity |
|---|---|---|
| Design controls | User needs, design inputs, outputs, V&V | Intended use, specimen type, analyte definition, performance claims must link to analytical and clinical data |
| Risk management | Device failure modes | Must also cover false positive and false negative results, diagnostic decision risks, interfering substances, matrix effects |
| Production controls | Process validation, specifications | Lot-to-lot variability of biological materials must be validated against clinically relevant performance criteria |
| Post-market surveillance | Complaint handling, MDR | Must detect performance drift — shifts in sensitivity or specificity — not just product failures |
| Purchasing controls | Supplier qualification | Supplier variability can directly affect assay performance outcomes |
“For IVDs, failures may not manifest as product defects — they manifest as clinically incorrect results. That is a more insidious form of non-compliance, and it means the risk management and design control documentation needs to work harder than it does for a general medical device.”
Joana Martins, QA/RA Specialist, MDx CRO
What FDA Is Finding in QMSR Inspections: Warning Letter Patterns
Recent warning letters issued by CDRH following QMSR inspections show a consistent pattern. Deficiencies are not isolated — they are interconnected, reflecting a failure to operate an effective integrated quality system rather than individual documentation gaps.
| Finding category | Most common deficiency pattern |
| CAPA | Procedures not defined or inadequate; failure to investigate root causes; CAPAs not verified for effectiveness |
| Complaint handling | Complaints not properly documented or evaluated; failure to assess whether complaints are reportable under MDR; no complaint trending or statistical analysis |
| Design controls | Lack of design verification and validation; poor documentation of design changes and their impact; no design and development plan or procedure |
| Supplier controls | Lack of defined quality requirements that suppliers must meet; no risk-based audit justification |
| Process validation | Manufacturing processes not validated; no revalidation after changes; validation protocols incomplete or not scientifically justified |
| Management responsibility | Management not actively involved in QMS; no effective management review with documented decisions and follow-up |
Important: The FDA has clarified that if previous inspections were conducted under the QS Regulation (prior to 2 February 2026), any corrective actions proposed or implemented must now be pursued pursuant to QMSR requirements — not the former QSR standard.
What FDA Inspectors Scrutinize Most
Based on regulatory inspection support experience, three documentation areas present heightened exposure under QMSR.
1. Internal audits, supplier audits, and management review records
Under QMSR, FDA inspectors may review internal audit reports, supplier audit outcomes, and management review records. Investigators evaluate whether quality processes function effectively in practice — not merely whether procedures formally exist. Records must clearly demonstrate identified issues, root cause analysis, corrective actions, and documented closure. Incomplete or draft audit records increase inspection risk.
2. Design controls and traceability (ISO 13485 clause 7.3)
Manufacturers must demonstrate full traceability across user needs, design inputs, design outputs, verification and validation, and residual risks. Traceability weaknesses frequently arise at the interfaces between risk management files, labeling claims, UDI triggers, and MDR criteria. For companion diagnostics, this alignment is especially critical because intended use, biomarker claims, and clinical evidence directly impact regulatory risk classification.
3. CAPA and effectiveness verification
CAPA remains one of the most enforcement-sensitive areas under QMSR. The most common weakness is the absence of documented effectiveness verification following corrective actions. Closing a CAPA administratively — marking it complete without objective evidence that the root cause was eliminated — is insufficient. Investigators expect evidence demonstrating that actions prevented recurrence.
Inspection Risk Indicators
| Risk area | Typical vulnerability |
| CAPA | Repeated issues without documented effectiveness verification |
| Design controls | Incomplete traceability between risk analysis and design inputs |
| Management review | Minutes lacking documented decisions, metrics, or follow-up actions |
| Supplier oversight | No risk-based justification for audit scope; missing quality requirements for suppliers |
| Post-market surveillance | Complaint trends not connected to CAPA or design updates |
| UDI | Not consistently recorded across complaints, servicing records, and device history records |
| MDR linkage | Complaint handling procedures not explicitly connected to MDR reporting obligations |
How to Conduct a QMSR Gap Analysis: Process and Timeline
ISO 13485 certification does not automatically confirm FDA QMSR compliance. A structured gap analysis identifies the regulatory overlays and inspection exposure points that ISO conformity alone leaves unaddressed.
What a QMSR gap analysis covers
A thorough assessment works through four stages:
- Clause mapping: Map ISO 13485 clauses to QMSR references. Confirm terminology alignment. Identify where the QMSR adds FDA-specific requirements beyond the ISO standard.
- FDA-specific overlay identification: Verify explicit incorporation of UDI requirements across all applicable record types, MDR reporting triggers and their linkage to complaint handling, labeling obligations under 21 CFR Part 801, and device listing and registration controls.
- Documentation exposure review: Assess internal audit completeness and whether records are inspection-ready, CAPA effectiveness evidence, management review decision traceability, and supplier risk classification and audit justification.
- Risk prioritisation and remediation planning: Each gap is assessed for potential impact on quality, business continuity, and regulatory standing. Higher-risk gaps — those most likely to generate Form 483 observations or warning letters — are prioritised for remediation with assigned ownership and timelines.
How long does it take?
A gap analysis typically takes 4–6 weeks, provided documentation is made available at the outset. Implementation of corrective actions depends on the number and severity of findings and on the responsiveness of the internal team.
For manufacturers with both QMSR and ISO 13485 gaps, implementation may take 4–5 months. Where gaps are limited to QMSR-specific requirements in an otherwise ISO-aligned system, the timeline is typically shorter.
The ISO 13485 certification gap — what ‘compliant’ actually means
A persistent scenario in QMSR readiness work: a manufacturer holds ISO 13485 certification, has documented procedures that appear robust, and believes ISO alignment is sufficient. Gaps emerge in missing FDA-required data fields in records, incomplete UDI implementation, and failure to link ISO processes to FDA regulatory requirements.
They are structurally compliant with ISO but not fully aligned with FDA expectations. The distinction matters: an FDA inspector is not evaluating conformity to a certification standard. The inspector is evaluating compliance with US law and assessing whether the quality system actually functions as an integrated framework.

Download
QMSR Gap Assessment Checklist for IVD and CDx Manufacturers — A structured reference document developed by the MDx CRO quality team.
Practical Implications for Manufacturers
Inspection scope may be data-driven. FDA may use pre-inspection data reviews to target areas of concern, increasing scrutiny where trends or inconsistencies are identified.
FDA inspectors are evaluating how quality processes work together in practice — not whether each subsystem satisfies a checklist in isolation.
Previously internal records are now fair game. Internal audit reports, supplier audit outcomes, and management review records may be reviewed. These documents must reflect issues identified, decisions made, and actions taken.
Risk management must be continuous and demonstrable. FDA expects risk to be actively monitored and linked to CAPA, design changes, supplier controls, and post-market surveillance — not treated as a static exercise.
Post-market data is a primary inspection focus. Complaint trends, MDR, recalls, UDI, and tracking data are increasingly used to assess whether the quality system is effective and responsive.
How MDx Supports FDA QMSR Readiness: Expert Insight
Transitioning from QSR to FDA QMSR requires more than updating terminology. It demands structural alignment, inspection-oriented preparation.
Based on field experience supporting manufacturers through inspection preparation and regulatory alignment projects, Joana Martins, QA/RA Specialist at MDx, emphasizes that the most frequent vulnerabilities do not stem from missing procedures, but from insufficiently demonstrated system effectiveness.
According to Joana’s inspection readiness experience, organizations often underestimate three exposure points during FDA inspection preparation:
- The depth of documentation review now permitted under QMSR
- The need for traceability between risk management, design controls, and post-market data
- The importance of documented effectiveness verification within CAPA systems
To address these exposure points, MDx supports medical device manufacturers through:
- Independent QMSR-aligned readiness assessments focused on inspection exposure
- Structured QMSR gap analysis incorporating FDA-specific regulatory overlays
- Mock FDA inspections aligned with Compliance Program 7382.850
- Strategic support for companies developing FDA companion diagnostics, where design traceability, labeling controls, and lifecycle data integration require heightened regulatory coherence
Rather than approaching FDA QMSR as a documentation update, MDx works with organizations to ensure their quality systems demonstrate operational integrity, risk-based decision-making, and inspection resilience.
Organizations preparing for FDA inspection or evaluating their QMSR alignment can benefit from early, structured assessment. Proactive evaluation reduces remediation timelines, minimizes inspection disruption, and strengthens regulatory confidence.
Frequently Asked Questions About FDA QMSR, MDSAP, and Inspections
The main difference is structural alignment. Under QSR, FDA requirements were written directly into 21 CFR Part 820. Under QMSR, the FDA incorporates ISO 13485:2016 by reference into U.S. law while keeping FDA-specific obligations in force. In short, QMSR harmonizes structure with ISO 13485. However, it does not reduce FDA enforcement authority or eliminate U.S.-specific requirements such as MDR, UDI, or device listing.
No, it does not. Although ISO 13485 forms the backbone of QMSR, FDA-specific statutory requirements still apply. Manufacturers must comply with MDR, UDI, corrections and removals, and other U.S. obligations. Based on regulatory experience, companies often assume ISO certification closes all gaps. In practice, a targeted QMSR gap assessment is necessary to confirm full FDA alignment.
FDA replaced QSIT with Compliance Program 7382.850, effective February 2, 2026. This new program aligns inspections with the QMSR framework. Instead of subsystem checklists, FDA now organizes inspections around six QMS areas and four Other Applicable FDA Requirements (OAFRs). As a result, inspections follow a more integrated, risk-based, lifecycle-focused approach.
Yes. Under QMSR, FDA investigators may review internal audit reports, supplier audits, and management review records.
In practice, inspectors now verify whether issues were identified, documented, and effectively closed. They no longer focus only on whether procedures exist, they assess whether the system works as intended.
Incomplete or unverified audit actions may increase inspection risk.
FDA now places greater scrutiny on:
– Internal and supplier audit reports
– Management review documentation
– Design control traceability records
– CAPA procedures and effectiveness checks
From inspection experience, CAPA effectiveness verification is a frequent weak point. Companies often implement corrective actions but fail to document objective evidence that the action resolved the root cause.
Under QMSR, effectiveness matters as much as documentation.
Because MDSAP and FDA inspections serve different purposes. MDSAP evaluates conformity. FDA inspections assess legal compliance and public health risk. FDA investigators are not bound by MDSAP sampling methods or audit scope. If inspectors identify ineffective CAPA, weak traceability, or gaps between procedures and actual practice, they may issue Form 483 observations, even after a successful MDSAP audit.
Start early. Preparation often takes longer than expected. Then conduct a structured QMSR gap assessment. ISO 13485 compliance alone does not confirm full FDA alignment. Finally, train teams on Compliance Program 7382.850. Mock interviews and inspection simulations help identify weaknesses. Even documented remediation in progress demonstrates system control and reduces inspection risk.
FDA QMSR enforcement began on February 2, 2026, when the new Quality Management System Regulation officially replaced the former Quality System Regulation (21 CFR Part 820). From that date, FDA inspections operate under Compliance Program 7382.850.
Under the 2026 QMSR, ISO 13485:2016 is incorporated by reference into U.S. law. This means manufacturers must meet ISO 13485 requirements as part of FDA compliance. However, harmonization is not complete equivalence, FDA-specific obligations such as UDI, MDR reporting, device listing, and labeling controls remain fully enforceable and are not covered by ISO 13485 alone. See the QSR vs QMSR vs ISO 13485 comparison table above for a detailed breakdown.