FDA QMSR Gap Assessment: A 2026 Inspection Readiness Guide for Medical Device Manufacturers

The compliance deadline was February 2, 2026. If your quality management system documentation still reads like it was written in 2019, your next FDA inspection could be painful.

FDA’s Quality Management System Regulation (QMSR) — published in the Federal Register on February 2, 2024 (89 FR 7496) — replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820 and formally harmonized U.S. medical device quality requirements with ISO 13485:2016. After two years of implementation runway, FDA investigators are now conducting routine inspections against QMSR requirements, not the old QSR.

The problem? A surprising number of device manufacturers treated QMSR as a paperwork exercise — updating a few procedure headers and calling it “compliant.” That’s not going to hold up under a competent investigator.

This guide walks through a practical gap assessment process: what changed, where FDA is most likely to find deficiencies, and how to close the gaps before you get a Form 483 that you’d rather not explain to your board.

What the QMSR Actually Changed (Beyond the Terminology Swap)

The surface-level change is terminology. “Quality system record” became “quality management system documentation.” “Device master record” maps to ISO 13485’s “technical file.” If those were the only differences, the two-year transition would have been unnecessary.

The substantive changes are bigger — and they’re the ones that will catch manufacturers flat-footed.

Risk management is now explicitly woven throughout. Under the old QSR, risk management was addressed implicitly, with FDA expecting manufacturers to apply ISO 14971 as good practice. Under QMSR, the regulation directly incorporates ISO 13485:2016, which itself requires documented risk management processes at the product level, the process level, and the QMS level. If your risk management file is a standalone document that doesn’t connect back to your CAPA system, design controls, and production/process controls, you have a gap.

Design controls got more structured. Section 820.30 of the old QSR required design and development planning, inputs, outputs, review, verification, validation, and transfer. QMSR preserves these elements but adds explicit requirements for design and development changes to include risk assessment and validation re-evaluation. Any design change approved after February 2, 2026, that lacks a documented risk assessment is a finding waiting to happen.

Supplier controls are more granular. QMSR § 820.70(e) and the ISO 13485 supplier provisions together require a more formal supplier qualification and re-qualification process than most manufacturers historically maintained. FDA has consistently cited supplier-related CAPA deficiencies for years — expect that to intensify as investigators look for ISO 13485-aligned documented evidence of supplier performance monitoring.

Management review requirements expanded. ISO 13485 requires management review inputs that go beyond what legacy QSR specified, including feedback from post-market surveillance, complaints, and regulatory updates. Your management review records need to reflect this scope.

FDA estimates approximately 7,700 domestic device establishments are subject to QMSR. Not all of them are ready.

The 5 Gap Areas FDA Investigators Are Targeting First

Based on FDA’s historical warning letter data and the structural differences between the old QSR and QMSR, these are the highest-risk areas for your first post-QMSR inspection:

Disconnected risk management documentation. Investigators will ask to see how risk management connects to your CAPA system and design controls. If you can’t trace a corrective action back to a risk management file update — or if your risk files haven’t been touched since pre-510(k) clearance — that’s a significant gap. FDA has issued warning letters for failure to evaluate risk when implementing changes; under QMSR, the bar is higher and more explicit.

Design change controls without re-validation evidence. Any design or process change initiated since February 2026 needs documented risk assessment and, where applicable, re-validation evidence. Quick-fix engineering changes approved under the old system — with nothing more than a red-line drawing and a signature — will not satisfy QMSR’s strengthened requirements.

Supplier qualification records that don’t reflect ongoing monitoring. Approved Supplier Lists (ASLs) that haven’t been reviewed in three or more years are a red flag. QMSR requires documented criteria for supplier evaluation, selection, and re-evaluation. If you have critical component suppliers with no performance metrics and no documented re-qualification since initial approval, budget time to fix this before your next inspection.

Management review minutes that look like meeting agendas. ISO 13485-aligned management review isn’t a 45-minute calendar event with a one-page summary. Investigators expect documented review of post-market surveillance data, complaint trends with actual numbers, internal audit results, and process performance metrics — with explicit management decisions and resource commitments recorded. A one-page sign-off sheet won’t do it.

CAPA records that close too fast. FDA investigators have long viewed CAPAs closed in under 30 days with skepticism, particularly for systemic issues. Under QMSR’s more explicit root cause and effectiveness check requirements (aligning with ISO 13485 §§ 8.5.2 and 8.5.3), a CAPA lacking documented root cause analysis and defined effectiveness check criteria is incomplete — regardless of how quickly the corrective action was implemented.

How to Conduct a QMSR Gap Assessment Before Your Next Inspection

A gap assessment doesn’t need to take six months. A focused, document-based assessment can identify your highest-risk deficiencies in four to six weeks if you structure it correctly.

Step 1: Map your current QMS documents to QMSR sections. Create a crosswalk matrix. Left column: every controlled procedure and form in your QMS. Right columns: the corresponding QMSR section and ISO 13485 section. This reveals two things immediately — sections with no procedure coverage, and procedures that haven’t been updated to reflect QMSR language and requirements. Pay particular attention to design controls, risk management, CAPA, and supplier controls. These four areas generate the majority of Form 483 observations in device manufacturing inspections.

Step 2: Pull your last three years of internal audit results. Look for repeat findings. A deficiency appearing in two consecutive internal audits that still hasn’t been fully corrected is not only a CAPA system failure — it’s exactly the pattern an FDA investigator will construct into a systemic observation. If you have repeat findings in supplier controls or design change management, those need remediation before your inspection, not after.

Step 3: Review all CAPA records opened in the last 18 months. For each open or recently closed CAPA, verify: (a) a documented root cause exists, (b) the corrective action addresses the root cause — not just the symptom, (c) an effectiveness check was defined before the CAPA was closed, and (d) the effectiveness check was actually performed and documented. Any CAPA that fails on point (c) or (d) is technically still open, even if your system says otherwise.

Step 4: Audit your risk management files against current product configurations. Pull your ISO 14971 risk management files for your top three revenue-generating devices. Compare the hazards and mitigations documented against the current product configuration and current complaint data. If you’ve received complaints in the past 12 months for a hazard your risk management file rates as “acceptable risk,” you have an unresolved post-market safety signal — and a file that needs immediate updating.

Step 5: Test your management review records against ISO 13485 input requirements. Take your last three management review records and check them against the required input list under ISO 13485 § 5.6.2. Does each review include complaint data with trend analysis? Post-market surveillance outcomes? Internal and external audit results? Process performance metrics? If the answer to any of these is “we discussed it but didn’t document the data,” that gap needs to close before your next inspection.

Step 6: Document your findings and build a remediation tracker. Your gap assessment itself should be a documented quality record. List each gap, the associated QMSR/ISO 13485 clause, the responsible owner, the target remediation date, and the verification method. This serves two purposes: it demonstrates to FDA that you identified and are actively addressing gaps (which matters enormously if an inspection occurs mid-remediation), and it gives your team real accountability structure.

What to Do When You Find a Gap Two Weeks Before an Inspection

It happens. An unannounced inspection notice arrives, and your gap assessment is still in progress. The instinct is to frantically close as many items as possible. Resist it.

Investigators are trained to spot retroactive fixes — procedures dated last week with no training records, CAPAs with suspiciously compressed timelines, management review minutes that were suddenly updated. A half-closed gap documented honestly is almost always better than a poorly papered one.

What actually helps in a compressed timeline: ensure your documentation index is current and accessible, make sure all open CAPAs have a documented action plan even if work isn’t complete, and prepare a brief narrative summary of your QMSR transition status. FDA investigators appreciate manufacturers who know where they are and have a credible plan. They have considerably less patience for manufacturers who don’t know.

Regulatory compliance consulting engagements focused specifically on QMSR inspection readiness typically identify between 8 and 14 discrete gaps even in manufacturers who believe they’ve completed their transition. The gap you don’t find in an internal assessment, the FDA investigator will.

The Cost of Getting This Wrong

The average cost of a consent decree to a mid-size device manufacturer runs well into the tens of millions of dollars when you factor in remediation, third-party oversight, and lost market access. Warning letters related to 21 CFR Part 820 violations have historically been among FDA’s most common enforcement actions against device manufacturers — and the QMSR transition gives investigators a new checklist with more detailed requirements than the old QSR.

The QMSR transition isn’t over just because the compliance date has passed. It’s entering a new phase — one where investigators are actively building their understanding of what “QMSR-compliant” looks like in practice, and where the first wave of post-QMSR warning letters will set enforcement precedent for the next several years.

If you’re unsure where your QMS stands right now, a structured gap assessment is the most cost-effective insurance you can buy. Start with the six steps above. And if you want an independent set of eyes before FDA shows up with theirs, that option is worth considering too.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Talk to our compliance consultants Contact us

Related from our network

• Medical Device Component Testing & COA Verification — ISO 17025-accredited analytical testing for device raw materials and components, supporting your QMSR supplier qualification program.
• Health Canada Medical Device QMS Compliance — Quality system and testing support for manufacturers navigating Canadian Medical Devices Regulations (CMDR) alongside FDA QMSR requirements.