Navigating the QMSR Transition: Expert Insights on FDA Compliance, Risk Management, and Global Harmonization

By: Claire Wallace, Senior Writer, Informa Markets – Engineering. Published by Medical Device and Diagnostic Industry

 

Regulatory affairs expert Jordan Elder breaks down the critical steps medical device manufacturers must take to comply with the QMSR, explaining common misconceptions, prioritization strategies for gap assessments, and how the new risk-based framework differs from the prescriptive QSR—plus what FDA’s alignment with ISO 13485 means for global market access.

 

Jordan Elder has served as the Director of Regulatory Affairs at RCA (A Nelson Labs Company) for the last 15 years, providing clients with general direction, tactical objectives, and functional plans for their regulatory needs.

 

Elder has a comprehensive background in medical device regulations and a demonstrated history of successful product submissions, including FDA 510(k), EU Class IIa and IIb, Health Canada III, COFEPRIS Class III, and CFDA Class III submissions. His certifications include RCA-US, Six Sigma Black Belt, and Certified Lead Auditor per ISO 13485:2016.

 

Elder joins MD+DI Senior Writer Claire Wallace to discuss critical QMSR transition steps, gap assessments, FDA inspection changes, and global harmonization strategies.

 

With the QMSR effective as of February 2, 2026, what are the most critical first steps companies should take if they haven’t already begun their transition from QSR to QMSR?

Elder: It’s most important to know that this transition window has already closed. FDA published this rule in February of 2024, and they gave a two-year grace period for companies to make that transition. So going forward, there is no grace period. There is no enforcement discretion or a phased rollout. With that, they’re going to need to read the final rule first, and they’re going to have to have access to ISO 13485, and that’s the 2016 edition. The final rule gives some relevant information that a company should look at, but they’re really going to have to have that ISO standard. So you’re going to want to go to ISO.org and buy that standard. After that, you’re going to want to conduct a formal gap analysis, and there’s a great reference. From there, you want to go ahead and update those gaps and update your documentation. That’s going to include things like updating your quality manual. You’re going to have your SOPs, templates, your forms. You’re going to want to make sure you reference ISO 13485 rather than the old QSR structure. You’re going to migrate from DMR, DHF, and DHR towards the medical device file terminology. One big thing about this transition: they really stepped up risk management. So companies are going to want to make sure they’ve strengthened their risk management processes and make sure that you’ve trained all relevant staff. It’s great that you’ve made these changes, but if you really don’t take the time to train your staff, then you really haven’t done a whole lot other than make some changes on paper. So make sure that everybody who needs to be trained on these relevant updates has been trained.

 

What are the biggest misconceptions you’re seeing among medical device manufacturers about the QMSR transition?

Elder: I’ve seen a lot of companies talk about this QMSR as ISO 13485. And while that is a majority of the change, FDA still kept certain parts of the QSR. And so with that, it’s important to remember that you don’t just blindly follow 13485. You’re going to want to make sure that you follow all the relevant aspects that are still active from the original QSR. And a lot of these changes aren’t just semantic. A good example is documented traceability between design inputs, outputs, and verification. That was simply a best practice under the QSR. But with that transition under the QMSR, there’s an explicit requirement in 13485, and I believe it’s clause 7.3 for planning. So things like this—it’s not just semantic. You’re not just changing your terms; there are substantive changes within this change. Another misconception: a lot of companies that were following 13485 also typically follow ISO 14971, which is your risk management ISO standard. But FDA has explicitly stated in their preamble that 14971 is not incorporated by reference. So while companies can use this, it’s not explicitly required, and you can still maintain your risk management however you see best fit. I think the last misconception that I’ve seen is that ISO 13485 certification means compliance. And while you’re there and it gets you really close to that finish line, like I’ve said before, if you aren’t enacting some of the old QSR requirements, you aren’t there. So just because you got certified from your notified body does not mean you’re compliant with the QMSR.

 

How should companies prioritize their gap assessments when moving from 21 CFR 820 to the QMSR framework?

Elder: I would put these out in different tiers of priority, or critical areas. I think within your critical areas for tier one: CAPA separation. Your old QSR combined your corrective and preventive action, but in 13485 it required distinct procedures for corrective action and preventive action. Most QSR-based systems combine these, so you’re going to want to take a look at separating those out. Your management review and internal audit records—these records are now fully inspectable by FDA. Previously, FDA could take a look at whether you had conducted them, but that was the extent of it. Now they’re going to be able to take a look at everything. So you’re going to want to make sure you adjust your files and adjust your practices so you’re documenting your best for FDA. Your risk management integration through the QMS—it appeared only once in the entire QSR, but over 25 times within this ISO standard, which is a big change. Like I said, FDA is really emphasizing this risk management. So you’re going to want to conduct risk-based thinking and update your processes with your supplier evaluation, your outsource processes, your process validation, and that includes things like CAPA prioritization, software validation, or even management review of your complaint records. This was a specific FDA addition that is more detailed than the old QSR, and it requires device identification, date received, UDI information, and investigation outcomes. So you’re going to want to make sure you update that as one of your top-tier critical activities. And design, labeling, and packaging controls—they’ve added requirements beyond 13485 for documented inspection of labels for accuracy. So making sure that those processes are updated. And then you’ve got your tier two, or they’re still considered a high priority, but I wouldn’t consider them critical. So those are going to be things like your customer communication procedures, your customer feedback systems, and your QMS software validation if you have any. So making sure that you’ve got enhanced supplier quality controls and it’s risk-proportionate for your evaluation. I would say your tier three or your medium-priority things are updating your documentation terminology. It’s not critical as long as you have the right documents, but it’s something that still needs to happen. Making sure top management accountability and alignment is documented appropriately and updated. So the smaller semantic things should be updated as the final step. Make sure you’ve got your critical things first and phase down from there.

 

As a Certified Lead Auditor for ISO 13485:2016, what are the key differences between pure ISO 13485 compliance and FDA’s incorporation by reference in the QMSR that manufacturers need to understand?

Elder: Section 820.35 supplements clause 7.2.5, and it provides detailed complaint record requirements including data, service record content requirements, and confidentiality marketing provision for FOI purposes. They should also know that the FD&C Act—those definitions from the FDA—will always prevail over ISO definitions, followed by QMSR-specific redefined terms. Manufacturers should also realize that ISO 9000 has additional definitions that are defined and referenced from 13485. So it is not just a 13485 incorporation and adoption. You also need to take a look at ISO 9000 for some of those definitions as well. But the FD&C Act or FDA is always going to come first with those definitions. So take it as a trickle-down from there. I think that’s really important because you’re going to see a lot of manufacturers looking at ISO 13485 as the Bible, essentially, and with that they really need to remember that while it is 13485-centered, there are requirements from FDA, and those requirements are going to supersede whatever is in 13485 if they would contradict in any way.

 

How does the QMSR’s risk-based approach differ from the previous QSR’s prescriptive requirements, and what does this mean for day-to-day quality operations?

Elder: As we mentioned, from a risk-based standpoint, the old QSR mentioned risk once, and within ISO 13485 I think it was 25 times. So with that, there’s a lot more focus on taking a risk-based approach. From a practical standpoint, looking at things like supplier management, which transforms from treating all suppliers relatively equal to a risk-proportionate evaluation. So who are your critical suppliers, your non-critical suppliers—and this is all required under clause 7.4.1. Process validation moves from your typical IQ/OQ/PQ to validation proportionate based on risk, and that’s under 7.5.6. You’ve got your software validation, and it explicitly requires validation depth proportionate to the risk associated with the use of that software, whether it’s incorporated into the device or your QMS. And your CAPA investigations—going back to that again—they have to be proportionate to the effects of the non-conformities. A significant nonconformity needs to be treated differently than a nonconformity that really has no impact on the product quality. At the end of the day, they’re both important, but it’s going to be taken on that risk-based approach. There is no QMS requirement that calls out conformity to ISO 14971, and it does allow flexibility for manufacturers to use their appropriately validated processes to determine their risk-based approach at the end of the day. So for your quality teams out there, you’re going to want to make sure that you have well-defined risk management and how you’re going to approach your risk-based system.

 

You have extensive experience with EU, Health Canada, COFEPRIS, and CFDA submissions. How does the QMSR’s harmonization with ISO 13485 simplify or complicate multi-market regulatory strategies?

Elder: It somewhat makes it a little easier. Prior to the QMSR, companies had to have parallel quality systems. So you had one for Europe if you were marketing in Europe, and then you followed the QMS for FDA, and they kind of align—and that’s the intent here, to make things harmonized. The goal was harmonization between countries. So you’ve got Canada, which has MDSAP, which is 13485-centric. You’ve got now 13485 for the EU side of things and FDA with the QMSR. So the goal is to make things easier for companies in terms of compliance to quality systems and not have one-off problems, because as a company, if you’re juggling four different parallel quality systems, it’s really easy to overlook something and end up with a critical finding. So the intent here is to harmonize globally, and I think it’ll make it a lot easier for those companies who do have international markets.

 

For companies pursuing global market access, what are the strategic advantages of the QMSR’s alignment with international standards, and where do regulatory gaps still exist?

Elder: If you’re already certified to ISO 13485, most companies are within visual distance of that finish line for compliance for a lot of major—we’ll say tier-one—countries. So that makes gap assessments a lot easier. With that being said, if you are compliant to the QMSR, the EU MDR does go beyond 13485 for things like clinical evidence, post-market surveillance, and transparency. So conducting that gap assessment is going to be really important for each country. Health Canada has some additional requirements. I think a really good tool, outside of using FDA’s new audit inspection readiness guide, is to take a look at the MDSAP documents that are provided on the MDSAP website and conduct a gap assessment or even an audit against your system to the MDSAP audit requirements. I think that will go a long way to getting you to where you want to be, especially for Canada, Brazil, Australia, Japan—those other countries that are part of MDSAP, which are a lot of the international market. That will bring you relatively close, if not all the way, to compliance. But making sure that you’ve filled those gaps where they need to be filled.

 

Looking ahead, how do you see the QMSR evolving? Are there areas where FDA might issue additional guidance or clarifications?

Elder: I think the biggest question on everybody’s mind is: what happens when 13485 is updated? In 2016, we had a major update that was very, very significant. The good news is that in 2025, ISO 13485 was confirmed as valid, and that is through 2030. So we know that at least for the next four years, there won’t be any significant or major updates to 13485. As more countries are implementing these requirements, I think we’re going to see minor, maybe small nuanced changes in 13485 if needed, but I wouldn’t expect any major revisions coming out, especially since we had such a significant revision in 2016. FDA has discussed that any future revisions to the standard will be evaluated on a case-by-case basis to determine whether they’re going to adopt that update or whether they will make their own revisions based on that. And we do see countries taking that stance across the board with other standards as well. You have British standards for Europe where they adopt most of the ISO standard for whatever the standard may be, but at the same time they’ve put their own spin on it or their own requirements included as well. So if there is a significant update and FDA feels it is not adequately addressed or disagrees, I think we’ll see guidance from FDA on how they’re going to handle that. It won’t just be a pure adoption and moving on.

 

Is there anything else you would like to expand on?

Elder: I think one thing is critical to note: FDA is already conducting inspections for manufacturers under the QMSR. So the old QSIT manual that companies used to use—if you’re still looking at that and referencing that or expecting FDA to audit that—that has changed. Do not throw out that manual. FDA has issued a new document on their website that is explicitly made for the QMSR. I’ve seen companies that have unfortunately recently gone into inspections under the guise of, “Hey, we’re going to use the QSIT,” and it hasn’t gone as well as they had expected. So make sure that you’re updating those documents as well and reviewing all new guidance that FDA puts out.