Episode 10: FDA QMSR Compliance Calls for a New Mindset

Christian (00:00)
If you work in medical device quality or regulatory, you're watching a once in a generation change happen real time. As of our recording today, February 2nd, 2026, the FDA begins enforcing the quality management system regulation or QMSR.

updating 21 CFR part 820 to align with ISO 13485. And this isn't just some renumbering exercise. The inspection playbook changes, the FDA-only mindset changes, and some things that used to feel comfortably internal, like management review and internal audit reports, can now be in scope during an FDA inspection. So today we're cutting through the noise. We're talking about what actually changes, what stays the same, and how to get ready without rewriting your entire quality system from scratch.

I'm Christian Reyes and

Welcome back to the QT9 QCAST, the show for quality and operations leaders building better systems. I'm your host, Christian Reyes. Quick reminder, this podcast is for general educational information. It is not legal or regulatory advice. Today, we're talking about the FDA's Quality Management System Regulation, or QMSR, the shift from the legacy quality system regulation, or QSR, to a model that's more aligned with ISO 13485. My guest is Michelle Keene, the QARA director at ComplyGuru.

Michelle has more than 20 years of experience across medical device and biotechnology, and she also works as a lead auditor and MDR assessor. So she's seen how these requirements land in the real world. Michelle, welcome to the show.

Michelle Keane (01:27)
Thank you, Christian. Thank you. Delighted to be here.

I think it's important that we get as much information out there as possible on the QMSR.

Christian (01:34)
Absolutely, absolutely. And so I guess jumping right into it for anyone who's been buried in CAPAs and missed the memo, what is

Michelle Keane (01:44)
In plain English folks, QMSR is the new way the FDA are going to be looking at your quality system. Essentially the FDA are modernizing how it evaluates your quality system by aligning with 13485. But it would be with the FDA's authority, with their enforcement and with the FDA's expectations layered on top. So it shifts inspections really away from this clause by clause compliance

towards whether the quality system actually works to control risk across the total product life cycle. And you know, the very important thing to remember here is that this is a 13485 incorporation by reference. So this isn't a complete rewrite. This is the FDA saying, you must refer out to 13485. We're not going to type it into our regulation. We're incorporating by reference. And I think the biggest shift that people are going to experience here

is recognising that this is not just a 13485. There are still FDA expectations that are going to be layered on top of that. And you know the way they are going to assess that system is also going to look different as well now, especially with the retirement of Q-SIT. So you know there's a lot more to consider here than just we're updating our numbering from 21 CFR 820 to QMSR.

This is a shift in the landscape and the FDA and how they're going to approach our quality systems and the additional considerations that the manufacturers should also be taking in relation to this change for them and their business.

Christian (03:16)
Absolutely. Absolutely. And so for companies that are already certified to ISO 13485, it sounds like it's going to feel more of ⁓ a light remodel, so to speak, as opposed to a gut renovation. Is that fair to say?

Michelle Keane (03:29)
Yeah, I mean, for organisations that are already certified or self-declaring to 13485, I would still caution that that's not the end. We are still retaining some parts of the old quality system regulation, for example, complaint handling, labelling, traceability. So there are certain elements that are being retained. And also, remember that 13485 in its very nature is not just a case of implement your system and move on.

and wait for the next audit. 13485 is a complete cycle and recycle of your system because you have an obligation now to continuously look for areas of improvement within your system. So you can't say, well, now we are QMS or aligned and we don't have anything else to do. That's untrue. You will be continuously reviewing the data that's being generated by your system.

Christian (04:10)
Yes.

Michelle Keane (04:21)
and using that to feed back into your risk management and to look for areas of preventive action, for example, to prevent any nonconformities or for improvements in your system. So it's not a lock and load and then we can move on and forget about it. It's continuously improving and moving. Your system is living, it's breathing. And that's going to be the big shift for organisations. So I would caution saying, I'm certified, so that's it to 13485. That's absolutely...

No.

Christian (04:49)
That is a great answer. That is a great answer. Especially what you said, the QMS, your quality system is a living thing. It's not just something that is built up once and you set it over here and it's good to go. It is a, as you said, a cycle of continuous improvement. ⁓

Michelle Keane (05:04)
Absolutely,

Christian (05:05)
Like you said, there is a rising global call to action and it hit that point. Now, so we're talking about the why and we're gonna move into the what, but real quickly before we do, are there any types of manufacturers that you think will feel this transition more than others, whether it's class one, class two or three, so on and so forth?

Michelle Keane (05:09)
Absolutely.

Yes.

for sure. We know that there is a far more, I suppose, popular uptake of 13485, this side of the pond. For the listeners, I'm based in Ireland. this side of the pond, there's a far more uptake of the standard itself, 13485, in comparison to the US. And when we think about the US, it's a very large pool with a lot of different manufacturing sites that...

do very well just selling their product in the US. They don't need to go outside of the US to make their money. So you know there will be organizations in the US that probably didn't adopt 13485. They were selling predominantly or maybe only in the US. So for them they just aligned with those QSO regulations and their 21CFOR803 and their 21CFOR806 you know and they stuck to the letter of the law. But those organizations now are going to feel the heavy lift because

You know, when we look at the QSR, risk, although it's mentioned in the preamble, is really only mentioned once under design controls, whereas risk is now completely embedded in 13485. It is the living space in 13485. And I think for organizations that are really only adopting 13485, that's going to be the significant shift for them. It's going to be establishing those risk thresholds in their system.

and then it's going to be implementing those risks across the various processes from internal auditing to supplier evaluation to risk proportionality when it comes to software validation, for example. Risk is embedded heavily in decision making, but to be able to make those decisions as per proportionality, you must also have set those risk thresholds. And 14971 is specifically called out in 13485, and it is mentioned and accepted as consensus standard in the US.

and it's mentioned in the preamble. But I think for organizations, that's going to be the significant shift. And that cultural mindset of 13485 is a system that lives and breathes. It's always, always working. It's always giving data that's to be reviewed and fed back into the system for improvement or for risk rationality, for example. So I think those are the two things. The total product life cycle and this living system.

combined with the risk that's now going to have to form every decision making within that.

Christian (07:52)
Yes, the risk is going to, as it well should, ⁓ it's a part of every process. And so as we're talking kind of again about what's changing within the QMSR transition, if I'm a quality manager staring at my list of SOPs right now, ⁓ where am I going to feel QMSR changes first?

Michelle Keane (07:56)
Absolutely.

Where are you gonna feel it first? Okay, well I suppose if you really wanted to approach this from a very practical sense, the first thing you're gonna wanna do is a complete cap analysis, okay? I'm not saying you have to rush in and start changing all your procedures. That's absolutely not what I'm saying. And I'm not saying that it needs to be clause by clause. But what you are going to need to do is one, familiarize yourself with the standard and understand it.

understand the process-based approach that's brought with your 13485 standards and then understand that you must apply risk to those processes as well. So that's the first thing that I would be considering. The next thing I'm looking at is that full gap analysis. Okay, this is what we have and this is what 13485 requires. And I think, you know, I've spoken to so many people, Christian, over the last few months as we're kind of hitting this deadline. And what they're actually struggling with is the terminology, you know, the shall.

Christian (09:04)
Mm-hmm.

Michelle Keane (09:05)
the should, the may, the can, the language that's used in the standard is throwing people off. And I think that a quality manager needs to familiarise themselves with what's actually mandatory under 13485 because remember I will say it again, the FDA are incorporating by reference 13485. They're not writing it into the legal system. They are incorporating by reference. So any managers out there that are looking to implement, they need to be familiarising themselves with context.

the narrative and the language that's used in 13485 as well.

Christian (09:36)
is 13485 aligned, obviously, but not a copy paste. Can you think of any of the FDA specific gotchas, quote unquote, that people might miss?

Michelle Keane (09:41)
later.

Okay, I suppose if we're gonna talk about, as I mentioned earlier, we do have some retained parts of the QSR. And again, I would caution that organizations don't just say, well, in 13485, I'm done. The QSR elements that are explicitly retained under the QSR include complaint handling, okay? So we have 13485, clause 822 specifically, that talks about complaint handling.

But again, it's one of those areas where the FDA felt that 13485 did not go far enough. So they are explicitly tying complaints to MDO reporting now. So manufacturers must still meet their 21 CFR part 803 requirements in relation to reporting requirements. So that's why complaint handling is being retained. Again, you have those 803 reporting obligations.

The one thing I would also say in particular about complaint handling is that it is one of the biggest offenders and top drivers of the issuance of 483s under the current FDA and has been since 2018. It has featured in the top five reasons for 483s being issued. That's not just going to disappear, Christian. That trend still exists. However, you know, I would caution that people don't think that this is going to soften under the QMSR. It absolutely not.

it's going to become the fastest way that FDA are going to follow up on those risk signals. So, you know, I would also say to people, don't think that just because we have this new model of auditing and these retained parts, that the fact that they were the biggest offenders or drivers of 483s, that that disappears now. The FDA are going to be using that as trend signaling of risk when they come in to do their audits. So complaint handling for me definitely is one of those areas that people really need to up their game.

And again, CAPA is another area that serves as a big driver. It's actually the number one driver for 483s. And again, that trend doesn't just disappear because the QMSR has arrived. If anything, the auditors are going to be used or the assessors from the FDA are going to be using that as a trend analysis or a signal to dig further into the system. Another area that's being retained is obviously your medical device reporting, as I mentioned there, 21C4803.

Christian (11:34)
Yes.

Right.

Michelle Keane (12:02)
And your corrections and removals is your 21CF4806. Obviously that's being retained as well. Traceability is also going to be retained. Again, it's another area that the FDA felt that 13485 didn't go far enough. So currently it's captured here under 13485, but we have, as you know, 21 CFR 821, which applies when tracking is required for those life-sustaining devices as well.

QMSR is going to explicitly clarify those linkages as well there. this matters a lot for organisations that have implantable devices or life-sustaining or life-supporting devices. UDI is also being retained, fully retained under 21 CFR 801 and 830. ISO does not replace those UDI obligations in any way, shape or form, and the QMSR will explicitly call this out.

And this is catching companies off guard because obviously there are very big differences between UDI under 13485 and under the 21 CFR 801 and 830 as I've mentioned. So there's also a partial retention and this is where people kind of get a little bit lost a bit. There's also a partial retention under labeling and packaging controls. So we have 13485 that would cover labeling quite broadly. But FDA...

Christian (13:02)
Yes.

Michelle Keane (13:18)
labeling requirements remain enforceable. So we're labeling ties to UDI, in tendent use, regulatory claims, this is where the FDA will still differ sharply actually from the ISO audit requirements. So there's just a few examples of where you're going to see that retention and how the FDA are going to approach it.

Christian (13:39)
Yes,

that's fantastic information. mean, even just knowing that the highest amount of 483s are being created from complaint handling and CAPAs, that is an opportunity to apply what exactly we were saying, new risk-based processes, risk-based decision-making to how you're going to update these processes and doing your gap assessment to what you've got and what it needs to be. ⁓

Michelle Keane (13:53)
Yep.

Yeah,

absolutely.

Christian (14:05)
Under under QMSR, ⁓ FDA can review things that used to not be for for the FDA's eyes, like internal audits and management review. How should companies handle that without turning audits into performative theater?

Michelle Keane (14:18)
Yeah, and this is something that I have spoken quite loudly about, Christian. It's one of the areas of this that I have discussed at length with different people in the industry. I suppose there's a couple of things that crop out at me first. We look at internal audits. For example, internal audits now must be planned taking a risk-based approach for starters. So, you know, if

you are auditing every process once per year, that's not going to fly anymore under QMSR because you must ⁓ plan an audit programme taking into consideration the status and importance of the area to be audited as well as the results of previous audits. So there are certain processes in your system that will be subjected to more auditing than others. For example, you make a change to your product, the chances are you're going to increase the frequency of design and development auditing.

Or, you know, we already know that production and operation areas or manufacturing areas are areas that will organically have more nonconformities built in or baked into it because that's where the magic is happening, that's where the hands are on the product, you know. So, you know, organically you will probably see more nonconformities being raised through your process there in your manufacturing site. So again, if that's the case, you would expect to see increased auditing in your manufacturing areas.

Christian (15:19)
Yep, yep.

Michelle Keane (15:33)
where you have experienced ⁓ heightened findings from your internal audit. So again, this is what I would say to organisations that are not used to producing their audit reports because up until now you just had to show that you were doing your audits and show the schedule. You didn't necessarily have to show them the audit reports. This is where organisations could trip up Christian because your FDSS is going to want to see that risk-based thinking.

they're going to want to see the results reflected. In other words, if they see a report where they have a lot of non-conformities in a particular area of your system, the expectation is that that data will be used as an input to update the frequency of that area in your program until such time that you've brought the area back under control and in which case you can ease off again with the frequency of auditing. So, you know, that is the one thing I would caution for anyone that's going into this, thinking, well, how much damage can our audit reports do?

Christian (16:16)
Right.

Yeah.

Michelle Keane (16:29)
Well it can do a lot

because you must be able to demonstrate risk-based thinking. You must be able to show the corrective actions that you took and the verification of that action, the verification of effectiveness of that action, excuse me. And then all of that decision making needs to be fed back into your audit programme. Risk-based thinking, here we are again. So you know, one, there will be processes in your system that automatically have a higher status and importance, for example calibration, design and development, sterility, where it exists.

and then the results of previous audits will also need to be taken into consideration. I suppose for organisations that are approaching internal audits, that is something that they need to consider because those internal audit reports again will be signal detecting for your auditor. They're going to want to see how you use the information from those audit reports to improve your system and improve your processes. And it would be an area that, you know, we've set our KPIs, did we achieve them? We did not. What action did we take?

and then did we increase our auditing until we got that area back under control. And if not, you're going to find it hard to send that to your auditors. In respect of management review, this is where I really kind of taught myself, you know, do we have a risk to culture now? So we talk about risk to our processes, because we must assign risk. We must identify our processes, we must assign criteria to them, and then we must assign risk.

But then I thought to myself, are we introducing a cultural risk now by bringing these reports into the system for auditing? Because obviously we had a lovely exclusion under Subpar Dem previously that excluded those records from auditing. And unfortunately, some people would say they are now firmly in the game, Christian, as my American friends like to say, in the game. So what I would say to this is be mindful that it doesn't present

Christian (18:10)
Yeah.

Michelle Keane (18:16)
a cultural risk in your organisation. What we don't want to see is sanitised management review meeting minutes that are not reflective of what's actually happening on the ground. Management review is not a beating stick. Management review is an opportunity for an organisation to see how their system is performing. Take a high level view. Where do we need to make improvements? Where do we need to resource? So the one thing I would always say is, you know, don't sanitise those records for the purposes of an audit and then bury away the real ones somewhere.

you know, of what's actually going on because you know what, Christian, that will get flushed out in an audit. Remember, records equals evidence and for anyone that's in doubt of that, they just need to refer to clause 4.2.5 of the standard and the very first sentence is that records are used to demonstrate, to demonstrate conformity with requirements and that means that records equals evidence and if you sanitise your management review meeting minutes, that's going to get flushed out.

Christian (18:50)
Mm-hmm.

Michelle Keane (19:12)
with all those other records that you're going to be asked to produce in the audit. So I would always say, don't let the fact that these management review meeting minutes are coming into your audit dilute your perception of your organisation. Don't sanitise those records. Put them out there and show the auditor that you're making the improvements. Because the failure is not in actually not achieving your KPIs. The failure is not taking the corrective action.

Christian (19:12)
Mm-hmm.

Michelle Keane (19:37)
and documenting it accordingly to give a true reflection of the system.

Christian (19:40)
That's important. Yeah, that's important to know. Now taking it back just just a second. What does a strong QMSR gap assessment look like and what does a lazy one look like?

Michelle Keane (19:51)
Okay, so what I would say first of all is a lazy one is just going to be claws by claws. In other words, how do we take 13485 and how do we get it to, how do we just mash it in here? How do we make it fit? How are we going to get this square into the circle? How are we going to mash this in here and just make it fit and then disguise it behind all of these records? That's not going to work. Really what you want to do from a gap analysis perspective is identify what you have.

Christian (20:02)
mash it in.

Michelle Keane (20:16)
and make it very clear. You want to map it to the requirements of 13485. Don't make it clause by clause. If you do clause by clause, you're going to miss some of those retained parts of the QSR and that's the biggest risk of just doing this clause by clause mapping. You don't want to do that because immediately you're taking this huge risk of, I suppose, well, first of all, missing those QSR retained parts.

Christian (20:32)
Yeah.

Michelle Keane (20:41)
What you also want to do is identify those FDA, and suppose a good gap analysis then, once you've performed it, you want to identify those FDA exposed processes. So things like your complaints, your audits, your management review. So what's going to be exposed here now in your FDA? Tighten them up. Show that you understand this new approach to risk-based decision making within your management review and your internal audits and how it feeds back into your system.

and then we have the big one. You need to train your leadership team, not just your quality team. Under the QSR, you know, there was a little bit more emphasis put on the fact that this is a quality thing. That doesn't work in 13485 and quality really is the responsibility of everybody on 13485.

And that's further reinforced under that management responsibility part of clause five where they have to make the organization aware and communicate, import themselves to the quality management system to the organization overall. So it starts with leadership. Train that leadership team and make it a company thing and not just a quality thing because that's where the systems fail straight away. And I've seen some crazy things written in some procedures. In particular, there was one.

Christian (21:45)
Yes. Yeah.

Michelle Keane (21:53)
They had a procedure where you weren't allowed to raise nonconformities in the production area. And when I questioned it in the audit, I was told, because nonconformities belong to quality. So you know, you'd be surprised, there is still this element out there that exists that, you know, the system belongs to quality, so quality must resolve everything. And unfortunately, that's not the case. You know, you may have been able to disguise that under the QSAT approach to auditing and the QSOR, but that becomes fully exposed under the QMS.

for sure. So what you want to do is you want to, from a strong gap assessment perspective, you want to evaluate how your decisions are being made. You want to test the linkages between your processes because again, remember that feedback loop, you want to test those linkages. These complaints really linking into your 21CF4803 medical device reporting and you want to prioritize fixes by patient risk versus business.

Christian (22:20)
Yes, yes.

Michelle Keane (22:46)
So, you know, when you're making all of those decisions, the one thing that you need to establish is, am I making the right decision for the business or am I making the right decision for the patient? Because that's where that risk proportionality comes into play. So if you, you know, when we talk about how do you prioritize what to fix first in relation to your system when you're moving from one to the other, well, what you would do is ask yourself this, if the FDA follows a risk signal tomorrow,

Christian (22:58)
Yes.

Michelle Keane (23:13)
In other words, if they come tomorrow and they're following a risk signal detection, where do they land first? And fix those costs. So you'll sit there and you'll ask yourself, if the FDA came in here tomorrow and they follow a fixed risk signal approach, in other words, my complaints, what's happening with them? Where's my detection going? Where's my CAPA going? Where's my proportionality when I'm looking at my suppliers, for example?

Where are the FDA going to follow those risk signals tomorrow if they commit to your organisation? Where do they land first? Because that's what you fix.

Christian (23:42)
That's what, Yep. That speaks to the prioritization of over mediation and overall risk-based decision making.

I really cannot recommend ComplyGuru enough. And Michelle, as an instructor enough, I really can't. I can go on and on about that. We'll have a link to the ComplyGuru website in the show notes here. So definitely click on through. See if there's anything that might catch your eye. Michelle, I just want to thank you again very much for coming on the show today.

Michelle Keane (23:55)
Thank you.

Thank you, Christian.

And thank you for inviting. Hopefully you'll have me back soon.

Christian (24:12)
⁓

Our pleasure, truly our pleasure. We would love to have you back.

Michelle Keane (24:17)
Yeah.

Christian (24:18)
This wraps up part one of my conversation with Michelle Keene from Comply Guru. We covered more ground than we expected, so we're splitting this into two episodes. Part two is coming next. In part two, we'll get practical. Training, transition priorities, and what inspections may look like under QMSR. I'm Christian Reyes, and this is the QT9 QCast. Thanks for listening. See you in part two.