Share this
by QT9 Software on February 10, 2026
When the FDA began enforcing the new Quality Management System Regulation (QMSR) on February 2, 2026, it formally aligned 21 CFR Part 820 with ISO 13485:2016. Since final approval of the new regulation two years ago, medical device manufacturers have examined and, hopefully, taken steps to prepare for inspections under the new rule.
Now comes the hard part: shifting quality management and compliance mindsets from checking boxes to ongoing risk examination and continuous improvement. Like ISO 13485, medical device quality system evaluations under QMSR will now look for demonstration of risk-based decision-making, connected processes and ongoing refinement across the product lifecycle.
In a recent episode of the QT9 Q-CAST, Michelle Keane, QA/RA Director at ComplyGuru, explained why QMSR compliance depends less on rewriting procedures and more on adopting a new mindset.
Contents
Raising the bar on quality and safety evidence
QMSR embeds risk and continuous improvement into daily decision-making
Medical device manufacturers must keep risk top of mind
Start with a risk-based QMSR gap assessment
FDA-specific requirements retained in QMSR
Management review and ownership under QMSR
FDA-specific requirements retained in QMSR
Watch the QT9 Q-Cast podcast with Michelle Keane
Raising the bar on quality and safety evidence
At the core of QMSR is the FDA’s decision to alter 21 CFR Part 820 to more closely reflect ISO 13485, which is incorporated into the new rule by reference. This close alignment signals a departure from clause-by-clause quality system compliance to one that evaluates whether the quality system actually functions as intended.
“This is a shift in the landscape,” says Keane. “I think the biggest shift that people are going to experience is recognizing that this is not just ISO 13485. There are still FDA expectations that are going to be layered on top of that.” Manufacturers must look past the standard to ensure they are managing the additional FDA considerations retained in the updated rule.
QMSR embeds risk and continuous improvement into daily decision-making
Keane emphasizes that ISO 13485 requires ongoing evaluation and effort, and that is now true of FDA QMSR. Manufacturers “have an obligation now to continuously look for areas of improvement within [their] system,” she says.
"You will be continuously reviewing the data that's being generated by your system and using that to feed back into your risk management and to look for areas of preventive action,” she says.
Keane notes that ISO 13485 is a system that continuously produces signals that must be reviewed and acted on. “The cultural mindset of 13485 is a system that lives and breathes. It's always, always working. It's always giving data that's to be reviewed and fed back into the system for improvement or for risk rationality.”
Medical device manufacturers must keep risk top of mind
Keane notes that organizations who have never had to comply with ISO 13485 before will be among those most impacted by the QSR-QMSR transition, since the role of ongoing risk evaluation and continuous improvement will be new.
“That’s going to be a significant shift for them,” she says. Manufacturers new to ISO 13485 will need to take extra steps to establish risk thresholds in their system and implement those risks across their processes, from internal auditing to supplier evaluation.
Risk signals, remediation and patient safety
When organizations identify gaps, Michelle stressed that remediation should be prioritized based on patient impact.
“You want to prioritize fixes by patient risk versus business,” Keane says. “Ask yourself this, if the FDA follows a risk signal tomorrow … Where do they land first? Because that's what you fix.
Internal audits must reflect risk
Internal audit programs also should now be planned using a risk-based approach, rather than auditing every process on the same schedule.
“If you are auditing every process once per year, that's not going to fly anymore under QMSR because you must plan an audit program taking into consideration the status and importance of the area to be audited as well as the results of previous audits,” explains Keane.
Audit results are expected to feed directly back into audit frequency and focus. “If [auditors] see a report where they have a lot of non-conformities in a particular area of your system," adds Keane, "the expectation is that that data will be used as an input to update the frequency of that area in your program."
Start with a risk-based QMSR gap assessment
For quality leaders staring at long lists of procedures, the instinct may be to begin updating documents immediately. Instead, Keane advises applying the regulation through a process lens.
“What you’re going to need to do is, one, familiarize yourself with the standard and understand it,” she says. “Understand the process-based approach that's brought with your [ISO] 13485 standards, and then understand that you must apply risk to those processes.”
A practical first step is a gap analysis, but not one embarks on a clause-matching exercise. “If you do it clause-by-clause, you’re going to miss some of those retained parts of the QSR,” says Keane. “You want to identify those FDA exposed processes – so things like your complaints, your audits, your management review. …Tighten them up. Show that you understand this new approach to risk-based decision making.”
FDA-specific requirements retained in QMSR
Even though QMSR updates spotlight ISO 13485 harmonization, manufacturers must remember that several FDA-specific requirements are explicitly retained under QMSR, including for:
- Complaint handling
- MDR reporting
- Traceability
- Corrections and removals
- UDI obligations
As a major driver of FDA 483s, complaint handling will likely be one of the major areas FDA inspectors play close attention to. “Complaint handling, for me, definitely is one of those areas that people really need to up their game,” says Keane. “The FDA is going to be using that as trend signaling of risk when they come in to do their audits.”
Management review and leadership responsibility under QMSR
Long-game quality management and risk mitigation mindsets are not reserved for quality teams, but must also change across the organization, including leadership. Keane advocates organization-wide training.
“You need to train your leadership team, not just your quality team,” says Keane. “That’s further reinforced under the management responsibility part of Clause 5, where [management has] to make the organization aware and communicate the importance of the quality management system to the organization overall. So it starts with leadership.”
With management review records now in scope, Keane cautions against altering documentation for appearances. “What we don't want to see is sanitized management review meeting minutes that are not reflective of what's actually happening on the ground,” she says. Because any issues will eventually come to light during data examination.
“Management review is an opportunity for an organization to see how their system is performing,” says Keane, who emphasized that "the point isn’t flawless metrics, it’s corrective action and improvement. The failure is not in actually not achieving your KPIs. The failure is not taking the corrective action.”
Software validation supports risk-based quality systems under QMSR
As quality systems become more data-driven under QMSR, the software used to manage complaints, CAPA, audits, training and risk management also comes under greater scrutiny. ISO 13485 requires that software used in the quality management system be validated for its intended use, and the FDA continues to expect evidence that electronic systems reliably generate accurate, complete and secure records.
Under QMSR, inspectors may evaluate whether validated systems actively support risk-based decision-making and continuous improvement rather than simply storing documentation. Software that enables traceability, trend analysis, and feedback loops across the quality system can play a key role in demonstrating that risk signals are identified, reviewed and acted on.
Many manufacturers rely on electronic quality management systems that include validation documentation to support these requirements. QT9 QMS provides validation documentation designed to help regulated organizations efficiently validate the system for their intended use while maintaining data integrity and inspection readiness.
Ultimately, the effectiveness of any validated system under QMSR is measured by how well it supports risk-based decisions and continuous improvement.
Podcast: Michelle Keane of ComplyGuru talks to QT9 about risk, continuous improvement and a new approach that comes with QMSR compliance.
QMSR compliance and QT9
By connecting complaints, CAPA, audits, training, supplier quality and management review within a single platform, QT9 enables organizations to maintain clear traceability and visibility across processes.
Built-in reporting and trend analysis enable teams to identify risk signals, evaluate system performance and document corrective actions in a way that aligns with FDA expectations for evidence-based decision-making. Validation documentation provided with QT9 QMS further supports compliance by helping organizations demonstrate that the system is fit for its intended use within their quality management framework.
QMSR reinforces that quality system compliance is no longer demonstrated by written procedures alone, but by how consistently organizations apply risk-based thinking and continuous improvement in practice.
Preparing for QMSR ultimately means changing how teams think about quality. Organizations that treat their QMS as a living system that continuously surfaces risk, informs decisions and drives corrective action, will be better positioned to demonstrate compliance and sustain inspection readiness over time.
For more on how QT9 QMS simplifies and streamlines compliance, reach out today.