ISO 13485 Certification ≠ QMSR Compliance: 7 Gaps That Will Get You Cited in 2026

Introduction
FDA's Quality Management System Regulation (QMSR) is now effective. Your ISO 13485 certificate is a strong foundation—but it is not a compliance guarantee. Here are the seven gaps FDA investigators will target first.
Key Takeaway
FDA has been explicit: ISO 13485 certification does not equal QMSR compliance. The agency does not rely on third-party certificates as evidence of compliance and will continue to evaluate manufacturers through its own inspections. QMSR non-compliance still renders devices "adulterated" under the FD&C Act.
On February 2, 2026, FDA's new Quality Management System Regulation (QMSR) became fully effective, replacing the legacy Quality System Regulation (QSR) in 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference and aligns U.S. device CGMP expectations with the international standard and ISO 9000:2015 clause 3 terminology.
This structural change has created a dangerous misconception across the medical device industry: "If our quality system is certified to ISO 13485:2016, we must already comply with QMSR."
That assumption is wrong—and it is going to cost companies. Under QMSR, manufacturers must do two things simultaneously: implement a QMS that conforms to all applicable ISO 13485:2016 clauses, and comply with FDA-specific requirements and interpretations that sit outside the ISO text or go beyond how certification bodies typically audit.
The result is that ISO 13485 certification is a strong foundation, but only a starting point. Below, we walk through the seven practical QMSR gaps that routinely appear in ISO-mature organizations and are most likely to drive Form 483 observations in 2026 and beyond.

Gap 1 — Other Applicable FDA Requirements That ISO 13485 Does Not Cover
QMSR section 21 CFR 820.10 requires manufacturers to establish and maintain a quality management system and comply with "other applicable regulatory requirements." FDA specifically calls out four key regulations:
- 21 CFR Part 803 — Medical Device Reporting (MDR)
- 21 CFR Part 806 — Reports of Corrections and Removals
- 21 CFR Part 821 — Medical Device Tracking Requirements
- 21 CFR Part 830 — Unique Device Identification (UDI)
None of these provisions are part of the ISO 13485:2016 text. While some ISO 13485 auditors verify that complaint handling and vigilance processes exist, they typically do not perform a detailed assessment of MDR decision-making, field correction and removal reporting, tracking, and UDI implementation against U.S.-specific requirements.
Additionally, establishment registration and device listing under 21 CFR Part 807, along with device labeling provisions in 21 CFR Part 801, remain fully applicable even though they sit outside Part 820.
What This Means
Under QMSR, FDA will explicitly check linkages between these regulations and your ISO 13485 QMS. A QMSR gap analysis must map procedures, forms, and records to each relevant Part 803, 806, 821, and 830 requirement—not just the ISO clauses.
Gap 2 — Internal Audits, Management Reviews & Supplier Audits Are Now Fully Inspectable
Under the legacy QSR, 21 CFR 820.180(c) exempted certain records from routine FDA inspection, including management review reports, internal quality audit reports, and supplier audit reports. FDA could require written certification that these activities had been conducted, but could not request the detailed reports themselves.

QMSR removes this exemption entirely. FDA's own QMSR FAQ confirms that, from February 2, 2026 onward, investigators may review management review records, quality audit reports, and supplier audit reports—including documents created before the effective date.
This catches many ISO-certified firms off guard. In practice, internal audit and management review reports in ISO 13485 systems are often written informally, assuming they will never be shared with regulators. Supplier audit reports frequently emphasize relationship dynamics more than objective nonconformities, root causes, and follow-up actions. Management review decisions may not be traceable to CAPA, risk management, or resource adjustments.
What FDA Will Look For
Expect FDA investigators to review recent management review minutes for systemic issues, trends, and documented decisions. They will examine internal audit reports to verify that high-risk areas, data integrity, and regulatory interfaces are being tested. They will evaluate supplier audit reports and follow-up actions, particularly where critical components, software, or sterilization are outsourced.
If internal records reveal unresolved issues or weak follow-up, those weaknesses can now directly drive 483 observations—even when ISO 13485 certificates are current.
Gap 3 — Design Control Rigor and the "Design and Development File"
QMSR replaces the QSR's explicit "design controls" section (21 CFR 820.30) with ISO 13485's Clause 7.3 on design and development, including the requirement to maintain a design and development file for each device or device family. Classic FDA terms like Design History File (DHF) disappear from the regulation text, but the underlying expectation does not.

Design control deficiencies have historically been one of the most frequent causes of FDA 483 observations. That enforcement pattern is not going away under QMSR.
Notified Bodies and certification bodies tend to sample a limited number of design projects, focus on the presence of procedures and templates more than end-to-end traceability, and accept design validation summaries that rely heavily on bench testing without robust clinical or usability justification. FDA, by contrast, has a track record of deep file reviews for higher-risk and novel technologies.
How to Close This Gap
Ensure each device has a complete design and development file (ISO 13485 clause 7.3.10) that effectively functions as a DHF. Demonstrate full traceability from user needs through design inputs, outputs, verification, validation, and residual risks. Explicitly incorporate applicable U.S. regulatory requirements—UDI, labeling, and MDR triggers—into design inputs and risk analysis.
Gap 4 — CAPA Root Cause Rigor and Effectiveness Verification
CAPA has been the single most common FDA 21 CFR 820 observation category for years, accounting for a significant share of Form 483s. Under the legacy QSR, section 820.100 required systematic data analysis, investigation, corrective action, and verification of effectiveness.

QMSR shifts the formal regulatory basis to ISO 13485:2016 Clause 8.5.2 (Corrective action) and 8.5.3 (Preventive action). FDA has signaled that scrutiny on CAPA will increase, not decrease, because investigators can now apply the ISO 13485 text directly.
ISO 13485 certification audits often accept CAPA systems that primarily log events and assign corrective tasks, document some root cause analysis without systematic methods, and close CAPAs based on completion of actions rather than demonstrated reduction in recurrence risk.
FDA Expectation Under QMSR
Robust, documented root cause analysis using appropriate tools (fault tree, fishbone, 5-Why); explicit consideration of risk management impact and updates to risk files; and effectiveness checks defined up-front with objective data such as complaint trends, nonconformance rates, process capability, or audit results.
Manufacturers should re-baseline CAPA procedures against both ISO 13485 clauses 8.5.2 and 8.5.3 and FDA's historical 820.100 expectations. Implement standard templates that force clear problem statements, root cause logic, risk impact, and predefined effectiveness criteria. Trend CAPA sources across complaints, audits, nonconformances, and service records to demonstrate that recurring issues trigger deeper system-level actions.

Gap 5 — Supplier Controls and Quality Agreements Under QMSR
ISO 13485:2016 Clause 7.4 requires organizations to control suppliers and outsourced processes proportionate to risk, with ongoing re-evaluation. Clause 4.1.5 further requires that outsourced processes be governed by documented controls, typically quality agreements.
QMSR changes the enforcement posture in two significant ways. First, supplier audit reports are now inspectable, as noted above. Second, FDA is emphasizing risk-based supplier classification and evidence of active oversight, especially for critical components, software, sterilization, and contract manufacturing.
In ISO-mature systems, it is still common to see one-time supplier qualification without documented re-evaluation criteria, lightweight quality agreements that fail to allocate responsibilities for change control and complaint handling, supplier audits that identify issues but do not track corrective actions to closure, and minimal documentation of supplier performance metrics.
Steps to Align Supplier Management With QMSR
Implement risk-based supplier classification (critical, major, minor) with documented rationale. Ensure written quality agreements for all outsourced processes that affect product conformity, aligned with ISO 13485 clause 4.1.5. Upgrade supplier audit templates to clearly document requirements, objective evidence, findings, and corrective actions—knowing that FDA can now request these reports directly.
Gap 6 — Post-Market Surveillance, Complaints & MDR Integration
ISO 13485 devotes Clause 8.2 to feedback, complaint handling, and reporting to regulatory authorities, but it leaves many implementation details to regulators. In the United States, those details live in 21 CFR Parts 803 and 806, plus complaint handling provisions that historically appeared in 21 CFR 820.198.
Under QMSR, FDA expects tight integration across complaint handling (ISO 13485 clauses 8.2.1–8.2.2), MDR reporting (21 CFR 803), corrections and removals (21 CFR 806), UDI and tracking where applicable (21 CFR 830 and 821), and CAPA and risk management (ISO 13485 clause 8.5).
In practice, this means FDA will follow post-market signals through the system: from complaint intake to MDR decisions, to field corrections and removals, to CAPA and risk file updates, and from complaint trends to design changes or process changes documented in the design and development file.
Many ISO 13485 audits confirm that complaint procedures exist and that MDRs are being submitted, but they may not rigorously test trending logic, consistency of MDR decision-making, or how post-market data actually influence design and risk management.
Closing This Gap
Map complaint, MDR, field action, CAPA, and risk processes in a single post-market surveillance workflow. Ensure that complaint files consistently record UDI and device identifiers. Demonstrate clear examples where complaint trends resulted in CAPA, risk updates, or design modifications.
Gap 7 — Documentation Architecture and Record-Keeping Under QMSR
One of the more subtle ISO 13485 vs QMSR differences is the documentation architecture. Under the legacy QSR, FDA explicitly required a Design History File (DHF) for design development records, a Device Master Record (DMR) as the manufacturing "recipe," and a Device History Record (DHR) for production history demonstrating conformance.
These terms do not appear in the QMSR text. Instead, through ISO 13485, FDA now expects equivalent structures: a design and development file for each device or family (clause 7.3.10), a Medical Device File covering intended use, specifications, and essential manufacturing information (clause 4.2.3), and production and service records that support identification and traceability (clauses 7.5.1, 7.5.8, 7.5.9).
On top of this, QMSR adds its own specificity through 21 CFR 820.35 on control of records (clarifying maintenance, protection, retrievability, and ties to UDI and traceability) and 21 CFR 820.45 on device labeling and packaging controls (adding explicit checks for label content accuracy, including correct UDI/UPC prior to release).
Where ISO-Only Documentation Falls Short
Companies that organized records around DHF/DMR/DHR concepts often have the right content but lack a clear crosswalk to ISO 13485's medical device file and design and development file structure, systematic capture of UDI and other identifiers in production, complaint, and servicing records, and documented retention, confidentiality marking, and retrieval practices aligned with QMSR 820.35.
FDA may not demand that internal document names change, but inspectors will expect manufacturers to show precisely where each ISO 13485 and QMSR requirement is satisfied in the documentation set.
Quick-Reference: ISO 13485 vs QMSR — 7 Gaps at a Glance

| Gap | ISO 13485 Covers | QMSR Adds or Strengthens |
| :--- | :--- | :--- |
| 1. Other FDA Requirements | General vigilance processes | Specific compliance with Parts 803, 806, 821, 830, 807 |
| 2. Inspectable Records | Internal audits & management reviews exist | Full FDA inspection access; records must withstand regulatory review |
| 3. Design Controls | Clause 7.3 procedures and design files | Deep file-level traceability; U.S. regulatory inputs; DHF-level rigor |
| 4. CAPA | Corrective and preventive action procedures | Systematic root cause tools; predefined effectiveness criteria; trending |
| 5. Supplier Controls | Clause 7.4 and 4.1.5 oversight | Inspectable supplier audits; risk-based classification; robust quality agreements |
| 6. Post-Market Integration | Complaint handling and reporting | End-to-end integration: complaints → MDR → CAPA → risk → design |
| 7. Documentation Architecture | QMS document control | Crosswalk from DHF/DMR/DHR to ISO structure; UDI in records; 820.35 & 820.45 |

From ISO 13485 to QMSR Compliance: Your Next Steps
For manufacturers already certified to ISO 13485, QMSR compliance is less about rebuilding the QMS and more about closing FDA-specific gaps and proving linkages. Here is a practical four-step approach.

- Step 1: Perform a structured QMSR gap analysis. Map ISO 13485 clauses to QMSR sections (820.7, 820.10, 820.35, 820.45) and to U.S. regulations in Parts 803, 806, 807, 821, and 830. Identify where procedures, records, and quality agreements do not yet reflect U.S.-specific obligations.
- Step 2: Harden high-risk processes for FDA inspection. Design and development files, CAPA, supplier controls, and post-market surveillance should be brought to a level that withstands deep, file-based inspection—not just sampling by a certification body.
- Step 3: Rewrite internal audits and management reviews for an inspectable world. Ensure these records present a clear, factual narrative of issues, decisions, and follow-up, knowing that FDA can now request and review them.
- Step 4: Build documentation crosswalks. Create a maintained mapping from legacy DHF/DMR/DHR terminology to ISO 13485's design and development file, medical device file, and production records so inspectors can navigate evidence quickly.

Don't Wait for FDA to Find Your Gaps
QMSR is now effective. VigilaMed helps medical device manufacturers identify and close the gaps between ISO 13485 certification and full QMSR compliance—before inspectors do it for you.
Frequently Asked Questions
Does ISO 13485 certification mean I comply with FDA's QMSR?
No. While QMSR incorporates ISO 13485:2016 by reference, manufacturers must also comply with FDA-specific requirements in 21 CFR Parts 803, 806, 821, and 830, as well as additional QMSR provisions in sections 820.10, 820.35, and 820.45 that go beyond the ISO standard. FDA does not rely on third-party ISO 13485 certificates as evidence of QMSR compliance.
When did FDA's QMSR become effective?
FDA's Quality Management System Regulation became fully effective on February 2, 2026, replacing the legacy Quality System Regulation (QSR) in 21 CFR Part 820.
Can FDA now inspect internal audit and management review records?
Yes. QMSR removes the exemption in former 21 CFR 820.180(c) that previously shielded management review reports, internal quality audit reports, and supplier audit reports from routine FDA inspection. FDA investigators may now review these records, including documents created before the effective date.
What are the most common gaps between ISO 13485 and QMSR?
The seven most critical gaps are: other applicable FDA requirements not covered by ISO 13485, internal records now being fully inspectable, design control rigor, CAPA root cause and effectiveness verification, supplier controls and quality agreements, post-market surveillance and MDR integration, and documentation architecture differences between legacy QSR and QMSR.
What is a QMSR gap analysis?
A QMSR gap analysis is a structured assessment that maps your existing ISO 13485-certified QMS against all QMSR requirements, including FDA-specific provisions. It identifies specific gaps, then produces a risk-based remediation plan with prioritized procedure updates, training, and evidence collection to achieve full compliance.
Will my Design History File (DHF) still be required under QMSR?
The term "Design History File" no longer appears in the QMSR text. However, the underlying expectation remains through ISO 13485 clause 7.3.10, which requires a "design and development file" for each device or device family. Your existing DHF content likely satisfies this requirement, but you need a clear crosswalk showing how your documentation maps to the new structure.
How can VigilaMed help with QMSR readiness?
VigilaMed provides targeted QMSR gap analysis services for ISO 13485-certified medical device manufacturers. We identify where your existing QMS meets QMSR expectations, pinpoint specific gaps across all seven critical areas, and deliver a risk-based remediation plan. Contact us to schedule an assessment.
