
The FDA’s Quality Management System Regulation (QMSR) replaces the legacy QSR and formally incorporates ISO 13485:2016 (and ISO 9000:2015 Clause 3 for terminology) by reference. The final rule was issued on February 2, 2024, with an effective date of February 2, 2026, and it arrives with a new, lifecycle‑focused inspection model that retires QSIT.

 

 

Why did FDA replace QSR with QMSR?

For nearly three decades, manufacturers managed a U.S. QSR that diverged from global practice, creating duplicate compliance burdens. QMSR harmonizes with ISO 13485, modernizes expectations, and preserves specific U.S. obligations where needed, improving clarity while reducing redundancy for firms marketing in multiple jurisdictions.

 

The headline changes you’ll notice

 

ISO 13485 becomes the backbone of U.S. device CGMPs

QMSR restructures Part 820 to function as an overlay on ISO 13485:2016 (and ISO 9000:2015 for definitions), while retaining targeted FDA additions to avoid conflicts with U.S. requirements (e.g., records and labeling/packaging clarifications).

 

New inspection model; QSIT is retired

On the effective date, FDA begins inspections under Compliance Program 7382.850 and discontinues QSIT. Expect risk‑based planning, integration of post-market and lifecycle data, and inspectors following issues across processes rather than auditing subsystems in isolation.

 

Analyses show FDA will organize inspections around six QMS Areas and cover four “Other Applicable FDA Requirements” (MDR, Corrections/Removals, Tracking, UDI), often starting with your risk management file as the roadmap.

 

Terminology alignment: DHF/DMR/DHR → ISO terms

QMSR sunsets QSR‑only terms in favor of ISO vocabulary:

  • Design History File (DHF) → Design & Development File (DDF)
  • Device Master Record (DMR) → Medical Device File (MDF)
  • Design History Record (DHR) → Manufacturing Records/Records

FDA notes that the content obligations remain under ISO clauses (especially 4.2 and 7.x) and that retaining the old terms would be redundant and confusing.

 

Practical tip: You don’t have to rename every document; just ensure your files demonstrably meet ISO 13485 content and traceability, and keep a clear mapping for inspection.

 

Internal audits & management reviews are now fair game

Under QMSR and its new compliance program, industry observers and FDA‑facing legal analysts note that internal audits, supplier audits, and management review records are no longer categorically exempt. Treat them as inspection‑ready evidence.

 

MDSAP updates and new home

The MDSAP Audit Approach has been updated to Version 10 and is now hosted on MDSAP.Global, managed by Australia’s TGA. This is important for firms relying on MDSAP for global oversight alignment.

 

What doesn’t change—and where FDA adds clarity

QMSR supplements rather than displaces certain U.S. obligations. You should continue to reference UDI (21 CFR Part 830) and Medical Device Tracking (21 CFR Part 821) where ISO 13485’s text isn’t sufficiently specific for U.S. needs. FDA’s Part 820 overlay also emphasizes records and labeling/packaging controls to ensure U.S. expectations remain explicit.

 

Design controls under QMSR: clarifying Class I and risk

Class I exemptions: If your device was previously exempt from design controls, that status remains; QMSR doesn’t retroactively impose design controls on exempt devices. (Narrow exceptions for specific Class I products continue as before.)

 

Risk integration: Inspectors now begin with your risk management documentation and trace how risks drive design decisions, supplier oversight, production controls, and post-market actions, reflecting the ISO 13485/ISO 14971 emphasis and the new compliance program’s lifecycle scope.

 

Inspections under CP 7382.850: what FDA evaluates now

FDA will test whether your QMS works as an integrated, risk‑driven whole:

  • Risk‑based sampling guided by your risk files; investigators follow issues across functions.
  • Lifecycle data integration (complaints, MDRs, recalls, servicing, supplier issues) feeding back into design/manufacturing changes.
  • Six QMS Areas + four OAFRs (MDR, Corrections/Removals, Tracking, UDI) form the backbone of inspection scope.

 

Do I have to buy ISO 13485 now?

Because QMSR incorporates ISO 13485 by reference, firms need to control the standard as an external document inside their QMS, typically requiring purchase and version control (per ISO 13485 clause 4.2.4 on external documents).

 

If you’re already ISO 13485‑certified: the lift is manageable

Most of the effort is validating coverage of the Part 820 overlay and tightening traceability to U.S. obligations (MDR, UDI, tracking, labeling controls). Expect incremental updates for servicing/installation records and labeling release/reconciliation to match FDA clarity.

 

FAQs

Q: Does QMSR change Class I design control exemptions?
A: No. Devices previously exempt remain exempt (with the same narrow exceptions).

 

Q: Does ISO 13485 certification replace FDA inspections?
A: No. FDA still inspects under QMSR and CP 7382.850; certification helps, but it’s not a substitute.

 

Q: Do we have to rename DHF/DMR/DHR?
A: Not necessarily. Ensure your content satisfies ISO 13485, maintain a clear mapping, and be consistent in training and retrieval.

 

How Regulatory Compliance Associates Can Support Your QMSR Transition

The shift from QSR to QMSR is more than a terminology update; it’s a transformation in how quality systems are evaluated. With ISO 13485 as the legal backbone of Part 820 and a risk‑based, lifecycle inspection model replacing QSIT, the standard is clear: demonstrate real‑world system effectiveness.

 

Why partner with RCA now?

  • QMSR Gap Assessment & Implementation Support—map current QSR systems to ISO 13485 + FDA overlay (records, labeling/packaging).
  • SOP & Document Modernization—align MDF/D&D files and manufacturing records with inspection‑ready ISO/FDA expectations.
  • Risk Management Integration—embed ISO 14971 across design, suppliers, production, and post-market—the first stop for investigators.
  • Mock FDA Inspections (CP 7382.850)—train on the new lifecycle framework (risk‑based sampling; six QMS Areas + OAFRs).
  • MDSAP Alignment—update readiness to MDSAP Audit Approach v10 (MDSAP.Global).

 

Ready to strengthen your quality system and prepare for QMSR?

 

Contact Regulatory Compliance Associates today to schedule a QMSR readiness review or request a customized support plan. Your next inspection will test how your system performs, not just what’s on paper.

Understanding and Applying the Streamlined QMS Framework

In today’s rapidly evolving life sciences landscape, pharmaceutical and biologic companies are increasingly venturing into the world of combination products. These innovative therapies, which integrate drugs or biologics with medical devices, offer enhanced patient convenience, improved therapeutic outcomes, and a competitive edge in the marketplace. However, entering this space requires a strategic expansion of your existing Quality Management System (QMS) to meet regulatory expectations. That’s where the streamlined approach comes in.

 

Why a Streamlined QMS Approach Matters

The FDA’s implementation of 21 CFR Part 4 and the harmonization with ISO 13485 have paved the way for a simplified yet robust method for integrating device regulations into an existing pharmaceutical QMS. Known as the “streamlined approach,” this method allows companies to incorporate only six key elements from the medical device QMS framework, rather than overhauling their entire system. This is a significant advantage for organizations looking to enter the combination product market without disrupting their current operations.

 

 

The Six Core Elements of FDA’s Streamlined Approach

  1. Management Responsibility: Establishing executive oversight and accountability for the expanded QMS.
  2. Design Controls: Implementing structured documentation and testing protocols for the device component.
  3. Purchasing Controls: Ensuring supplier qualification and ongoing performance monitoring.
  4. Corrective and Preventive Actions (CAPA): Addressing systemic issues through root cause analysis and effectiveness checks.
  5. Installation and Servicing: Defining procedures for proper setup and maintenance of device components.
  6. Recordkeeping and Documentation: Maintaining comprehensive records that demonstrate compliance.

For more details, refer to the FDA’s CGMP Companion Guidance for Combination Products.

 

Key Benefits for Pharmaceutical and Biologic Companies

  • Efficiency: Focused integration minimizes disruption and accelerates time-to-market.
  • Compliance Confidence: Aligns with FDA and international standards, reducing regulatory risk.
  • Scalability: Easily adaptable to different product types and organizational sizes.
  • Cost-Effectiveness: Avoids the need for a full QMS rebuild, saving time and resources.

 

Preparing for FDA’s 2026 QMSR Transition

With the FDA’s Quality Management System Regulation (QMSR) set to take effect on February 2, 2026, aligning your QMS with ISO 13485 is no longer optional—it’s essential. The streamlined approach offers a clear, actionable path to compliance that supports innovation and growth in the combination product space.

 

Partner with RCA for End-to-End Compliance Support

Navigating the complexities of combination product compliance doesn’t have to be overwhelming. Regulatory Compliance Associates® (RCA) brings decades of experience and a team of over 500 global experts to help you expand your QMS with confidence. Whether you need SOP development, training, or full-scale implementation support, RCA is your trusted partner in regulatory, quality, and compliance excellence.

 

Ready to streamline your QMS for combination product success?
Contact RCA today to schedule a consultation and take the first step toward regulatory readiness and market leadership.

As connected medical devices become more prevalent, cybersecurity regulations are evolving rapidly across global markets. Manufacturers must now navigate complex requirements from both the United States Food and Drug Administration (FDA) and the European Union (EU) to ensure compliance and protect patient safety. Fortunately, recent updates show promising signs of alignment between these regulatory bodies, making it easier for companies to adopt unified cybersecurity strategies.

 

Understanding the Regulatory Landscape

The FDA has introduced new cybersecurity requirements under Section 524B of the Omnibus Law, mandating Software Bill of Materials (SBOMs), coordinated vulnerability disclosure, and secure product development practices. Meanwhile, the EU is updating its Medical Device Regulation (MDR) and introducing the Cyber Resilience Act, which, although not directly applicable to medical devices, sets the tone for broader cybersecurity expectations.

 

Key Areas of Alignment

Both the FDA and EU regulators emphasize the importance of early threat modeling, SBOM transparency, and postmarket vulnerability management. They also encourage manufacturers to adopt global cybersecurity standards such as ISO/IEC 27001 and IEC 62443 to ensure consistent security practices across markets.

 

Benefits of Regulatory Harmonization

As the FDA and EU move toward harmonized cybersecurity expectations, manufacturers can benefit from streamlined product development, reduced compliance costs, and faster market access. Unified standards also help improve device security and patient trust across international markets.

 

How to Stay Ahead of Regulatory Changes

To stay ahead, manufacturers should monitor regulatory updates, engage in early cybersecurity planning, and collaborate with experts who understand both FDA and EU requirements. Proactive planning and secure design practices are essential for meeting current and future cybersecurity expectations.

 

Partner with Regulatory Compliance Associates®

Navigating the evolving cybersecurity landscape requires deep regulatory expertise and strategic planning. Regulatory Compliance Associates® (RCA) specializes in helping medical device companies align with global cybersecurity regulations, from SBOM development and threat modeling to FDA submissions and EU MDR compliance.

 

Contact RCA today to schedule a consultation and ensure your connected medical device is secure, compliant, and ready for global market access.

In today’s connected healthcare landscape, cybersecurity is not just a technical requirement; it’s a strategic investment. For medical device manufacturers, early planning can significantly reduce cybersecurity costs while improving compliance, product safety, and time to market. In this blog, we explore how proactive cybersecurity planning can help companies avoid costly mistakes and meet evolving regulatory expectations in both the U.S. and EU.

 

1. Start Cybersecurity at the Concept Phase

Waiting until the end of development to address cybersecurity can lead to expensive redesigns and regulatory delays. By integrating cybersecurity from the concept phase, manufacturers can identify risks early and design secure systems from the ground up.

 

2. Build Threat Modeling into Your Design Process

Threat modeling helps identify potential vulnerabilities before they become embedded in the product. This proactive approach reduces the need for costly post-development fixes and supports FDA and EU compliance.

 

3. Develop a Comprehensive SBOM Early

A complete Software Bill of Materials (SBOM) is now a regulatory requirement. Creating it early ensures transparency, streamlines vulnerability management, and avoids last-minute compliance issues.

 

4. Align with Global Cybersecurity Standards

Following international standards like ISO/IEC 81001-5-1 and FDA premarket guidance from the start helps reduce rework and ensures smoother regulatory submissions across markets.

 

5. Collaborate with Cybersecurity Experts

Partnering with experienced cybersecurity consultants can help identify risks, implement best practices, and avoid costly missteps. Expert guidance ensures your team stays ahead of evolving regulations and industry expectations.

 

Partner with Regulatory Compliance Associates®

Early cybersecurity planning is not just cost-effective; it’s essential for regulatory success and patient safety. By embedding cybersecurity into every stage of product development, medical device manufacturers can reduce costs, accelerate time to market, and build more secure, compliant products.

 

Regulatory Compliance Associates® (RCA) helps medical device companies reduce cybersecurity costs through early planning, threat modeling, SBOM development, and global regulatory strategy. Contact RCA today to learn how our experts can support your secure product development journey.

As the healthcare industry continues to embrace digital transformation, connected medical devices are becoming more common—and more vulnerable. From insulin pumps and pacemakers to remote monitoring systems and diagnostic tools, these devices are increasingly exposed to cyber threats that can compromise patient safety, data integrity, and regulatory compliance.

 

In this blog, we explore the top cybersecurity risks facing connected medical devices and share expert insights on how manufacturers can stay ahead of evolving threats and meet global regulatory expectations.




Late Integration of Cybersecurity in Product Development

One of the most frequent mistakes medical device manufacturers make is waiting too long to address cybersecurity. Cybersecurity should be embedded early in the medical device development lifecycle, not added as an afterthought. Delayed integration can lead to vulnerabilities that are costly to fix and may result in regulatory delays or denials.

 

Tip: Begin threat modeling immediately after defining device features to ensure secure design specifications and reduce remediation costs.

 

Incomplete Software Bill of Materials (SBOM)

A comprehensive Software Bill of Materials (SBOM) is now a regulatory requirement in both the U.S. and EU. Many companies still submit SBOMs that lack depth, omitting nested components or failing to meet machine-readable format standards. This can lead to compliance issues and increased risk exposure.

 

Tip: Include all software layers—components of components—and ensure your SBOM is both human- and machine-readable.
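
One way to check an SBOM for the gaps described above, as an added example that is not part of the original post. It assumes the SBOM is CycloneDX JSON (the post names no format); the sample document, its component names, and the specific checks are constructed for illustration.

```python
import json

# Constructed sample: a small CycloneDX-style SBOM with deliberate gaps.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "app", "type": "application", "name": "pump-ui",
     "version": "2.1.0", "purl": "pkg:generic/pump-ui@2.1.0",
     "components": [
       {"bom-ref": "tls", "type": "library", "name": "example-tls",
        "version": "", "purl": "pkg:generic/example-tls"}
     ]},
    {"bom-ref": "rtos", "type": "operating-system", "name": "example-rtos",
     "version": "10.4"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["tls", "rtos"]},
    {"ref": "tls", "dependsOn": ["zlib"]}
  ]
}
""")


def flatten(components, depth=0):
    """Yield (component, depth) for every component, nested ones included."""
    for comp in components or []:
        yield comp, depth
        yield from flatten(comp.get("components"), depth + 1)


def audit_sbom(bom):
    """Return (bom-ref, problem) pairs for the gaps this example checks."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        findings.append(("document", "missing bomFormat/specVersion header"))

    comps = [c for c, _ in flatten(bom.get("components"))]
    declared = {c.get("bom-ref") for c in comps}
    deps = bom.get("dependencies", [])
    in_graph = {d.get("ref") for d in deps}

    for comp in comps:
        ref = comp.get("bom-ref", comp.get("name", "<unnamed>"))
        if not comp.get("version"):
            findings.append((ref, "no version"))
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append((ref, "no purl or cpe identifier"))
        if ref not in in_graph:
            findings.append((ref, "no entry in dependency graph"))

    # A dependency that is referenced but never declared is a missing
    # "component of a component".
    for dep in deps:
        for target in dep.get("dependsOn", []):
            if target not in declared:
                findings.append(
                    (dep.get("ref"), f"depends on undeclared component {target}"))
    return findings


if __name__ == "__main__":
    total = sum(1 for _ in flatten(SAMPLE_SBOM["components"]))
    print(f"{len(SAMPLE_SBOM['components'])} top-level, {total} total components")
    for ref, problem in audit_sbom(SAMPLE_SBOM):
        print(f"{ref}: {problem}")
```

A check like this can run in the build pipeline so that an SBOM with undeclared nested dependencies fails before it reaches a submission package.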

 

Legacy Devices with Outdated Security

Legacy medical devices often lack modern cybersecurity features such as patching capabilities, logging, and threat detection. These devices pose a significant risk, especially when integrated into hospital networks.

 

Tip: Conduct a full cybersecurity assessment of legacy devices and plan for updates or redesigns that meet current FDA cybersecurity guidance and EU MDR requirements.

 

Lack of Threat Modeling and Vulnerability Management

Without proper threat modeling, manufacturers may overlook critical vulnerabilities. Additionally, failing to maintain a coordinated vulnerability disclosure program can result in non-compliance and reputational damage.

 

Tip: Implement a secure product development framework that includes threat modeling, penetration testing, and vulnerability traceability.

 

Overexposed Physical and Network Interfaces

Ports like USB, Bluetooth, and Wi-Fi can be exploited if not properly secured. Devices with exposed service ports or debug features are particularly vulnerable to unauthorized access.

 

Tip: Use physical controls (e.g., security screws, access doors) to limit exposure. Disable unnecessary ports and implement strong authentication protocols.

 

Misalignment with Global Regulatory Requirements

With evolving guidance from the FDA, EU MDR, UK MHRA, and the Cyber Resilience Act, companies must ensure their cybersecurity practices align across markets. Misalignment can lead to costly redesigns and delayed market access.

 

Tip: Stay informed on global cybersecurity regulations and work with experts who understand regional differences and harmonization efforts.

 

Final Thoughts

Cybersecurity in connected medical devices is no longer optional—it’s a regulatory and ethical imperative. By addressing these risks early and thoroughly, manufacturers can protect patients, ensure compliance, and maintain trust in their products.

 

Ready to Strengthen Your Cybersecurity Strategy?

Regulatory Compliance Associates® (RCA) specializes in helping medical device companies navigate the complex world of cybersecurity compliance, from SBOM development and threat modeling to FDA submissions and global market access. Contact RCA today to schedule a consultation with our cybersecurity experts and ensure your device is secure, compliant, and ready for market.

Regulatory Compliance Associates® (RCA) Executive Pharma Compliance Expert & Principal Consultant, Anita Michael, recently shared important FDA updates impacting pharmaceutical manufacturers. With over 25 years of global regulatory and quality experience—including 16 years as the FDA’s Global Pharmaceutical Expert—Anita emphasizes the need for heightened inspection readiness.

 

Key FDA Updates

  • Unannounced Inspections Abroad: The FDA will now conduct unannounced inspections at foreign manufacturing facilities, similar to those already performed in the U.S. This expansion ensures drug substances, finished products, and critical excipients entering the U.S. meet safety and quality standards.
  • Rigorous Reviews: Expect science-based audits across manufacturing operations and quality systems. Companies should ensure their six quality systems (Quality, Production, Laboratory, Facilities & Equipment, Materials, and Packaging/Labeling) are fully inspection-ready.
  • Pre-Approval Program Updates: The FDA has refined its pre-approval inspection focus to include:
    • Readiness for commercial manufacturing (QMS and six systems)
    • Conformance to application and data integrity requirements
    • Commitment to quality and pharmaceutical development
    • Audit preparedness and documentation management

Preparing for Compliance

To stay ahead, companies should:

  • Conduct robust internal and external audits
  • Maintain a centralized FDA document repository
  • Ensure subject matter experts are prepared to address complex regulatory questions

 

Why It Matters

These changes highlight the FDA’s commitment to protecting U.S. patients by ensuring consistent global manufacturing standards. Proactive preparation will be critical for pharmaceutical companies with international facilities or partnerships.

 

Need support preparing for FDA inspections or audits? Contact RCA today to speak with our compliance experts and ensure your organization is inspection-ready.