QMSR and ISO 13485 – talk about a tale of two regulations. QMSR and QSR do sound practically the same, but that one little M makes a world of difference, and what’s even more interesting is how QMSR intertwines with ISO 13485.
The QSR and ISO 13485 both came out around the same time in 1996, with the FDA proclaiming the QSR would eliminate redundancy and save us all a ton of money – $439 million, to be exact. But FDA math being what it is, that has not exactly worked out as promised.
The preamble to the QSR has always been a focal point, with FDA referring to the preamble several times in the regulation itself, even though the preamble is not considered regulation. AND it’s twice as long as the QSR itself.
Not to be outdone, ISO released a 20-page standard, which they revised a few times before releasing a 220 page Practical Guide to help industry interpret it. That’s 220 pages of explanation for a 20 page standard.
You just can’t make this stuff up.
Anyhoo, the whole idea behind moving to QMSR was to harmonize with ISO 13485, which it does for the most part. QMSR adopts most of 13485, some of ISO 9000 (clause 3, specifically) but doesn’t reference the risk management standard ISO 14971 at all. But FDA fully expects you to know they’re talking about 14971 when they say “risk” even though they don’t require you to follow it.
Clear as mud, right? And it gets better! QMSR has a preamble tries to explain the bits that don’t harmonize with ISO 13485: definitions, labeling and packaging, UDI stuff, reporting and removal processes. And this is more than just regulatory wordplay, because the FD&C Act often takes precedence over ISO and there are other regulations that might have their own definitions too. So, it’s not always clear-cut.
Another interesting QMSR and ISO 13485 change is the “device master record” becoming a “medical device file audit trail.” Sounds simple enough, but the practical guide throws in a whole bunch of extra stuff that wasn’t there before, changing the wording from “safety and performance” to “safety and efficacy,” which seems minor but has legal implications that will make your lawyers all quivery with excitement.
The fun doesn’t stop there! Labeling and packaging have new requirements in Parts 35 and 45, but you still have to comply with the existing Part 801 stuff.
Marketing? Bah – both the QMSR and ISO 13485 still don’t define it folks!
For UDI requirements, they’ve moved them to Part 35 for record keeping, but you also need to follow Part 830. And everyone’s favorite audit button pusher, Part 11, is still in effect.
Have I lost you yet? Stay with me, because it’s about to get weird.
Let’s talk about corrections. The FDA definition applies to products that have already left your control, but they’re also keeping the ISO 1345 definition of corrective and preventive action (CAPA). This is important to know because you have to be super clear when you say “correction” in a CAPA, because an auditor will want to know whether you’re talking about something in your facility or out in the field. Big difference.
Will the FDA accept ISO certifications instead of audits? Nope, you have to comply with the QMSR, not ISO.
But what happens if ISO 1345 gets revised? Well, since it’s a regulation now, the FDA would have to go through a whole new process to update it, which means even more regulatory nightmares for everyone.
Records? Under the QSR, things like supplier audits were exempt from FDA inspection. Now, everything’s fair game, so make sure you stay on tops of your documentation. Some procedures, like quality manuals, are now required under the QMSR. If you already have ISO 1345 certification, this might not be a big deal. But for those without, it could be a challenge.
What about the Quality System Inspection Technique (QSIT)? It’s gone, replaced by something yet to be determined. Likely something related to MDSAP.
Speaking of MDSAP, what about those certifications? They’re still recognized, and some tasks will stay the same, but some will disappear entirely thanks to the harmonization.
How much time do you have to comply? February 2026 is the deadline, which is ironically the 30th birthday of the QSR.
Here’s your recipe for QMSR success:
- Know the QMSR, the comments, the guide, and all the referenced standards.
- Be proactive! Two years might seem like a lot, but if you don’t have ISO 13485, you’ve got work to do.
- Mock audits! Put your quality management system through its paces before the real inspectors arrive.
- New inspectors! Get ready for a fresh face, as many current inspectors are retiring.
- MDSAP audit model? This might be your new inspection technique.
That was a lot to unpack. If you need more details, check out this QMSR Master Class webinar I did back March: https://youtu.be/2dwoD7k8ekA
Or for a change of pace, check out this blog on FDA submission pathways: https://leanraqa.com/fda-pathways/
