FDA QMSR: What Changes for ISO 13485-Certified Manufacturers Entering the US Market

If you hold an ISO 13485 certificate and are considering the US market, the FDA’s new Quality Management System Regulation changes what you need to prepare. This article covers what QMSR actually requires, where your existing QMS covers you, and where the gaps are, so you don’t have to piece it together from five different FDA documents.

What QMSR is

21 CFR Part 820 is FDA’s quality system regulation for medical devices sold in the US. The previous version was published on October 7, 1996 and had its own standalone structure. On February 2, 2026, FDA amended Part 820 with the QMSR, incorporating ISO 13485:2016 by reference (Federal Register, 2024-01709).

This means ISO 13485:2016 is now part of US federal regulation. Manufacturers who need to comply with 21 CFR Part 820 must implement a QMS that meets ISO 13485:2016 as the baseline, plus FDA-specific additions set out in the regulation.

On the same date, FDA stopped using its old inspection model, QSIT, and moved to the updated device inspection compliance program structured around the QMSR framework. This changes how FDA investigators conduct facility inspections.

Does your ISO 13485 certificate cover you?

No. FDA is explicit on this. A third-party ISO 13485 certificate demonstrates conformance to the standard. It does not demonstrate conformance to QMSR, because QMSR includes requirements that sit outside ISO 13485. No certification body covers those sections.

This is not a technicality. FDA’s FAQ (Q13) states directly: “A certificate of conformance to ISO 13485 will not exempt a manufacturer from an FDA inspection.”

The ISO 13485 version question (for European manufacturers)

If you operate under EU MDR or IVDR, you are working with ISO 13485:2021. This combines ISO 13485:2016 with AC:2018 and Amendment 1 (A11:2021), and is the version harmonized with EU MDR. The 2021 version does not introduce new requirements relative to 2016. The amendment was structural, aligning the standard with MDR terminology and references.

For QMSR purposes, the QMSR references ISO 13485:2016. A QMS certified to ISO 13485:2021 meets that baseline. The gaps are not created by version differences between 2016 and 2021. They come from the FDA-specific sections that sit outside ISO 13485 entirely.

The two gaps that matter

QMSR adds two sections beyond ISO 13485:2016 that every manufacturer must address.

§820.35: Control of records

ISO 13485:2016 covers records control in general terms. QMSR §820.35 adds FDA-specific content requirements on top. Complaint records must include the review, evaluation, and investigation of any complaint about a possible device, labeling, or packaging failure, along with a defined set of fields (device name, date, UDI/UPC, complainant details, corrective action, and reply); where a similar complaint was already investigated, you record why a new investigation wasn't needed. Servicing records must capture a minimum set of details, the UDI must be recorded for each device or batch, and records you consider confidential may be marked so FDA can take that into account before disclosing them under its public information rules. If your records procedures were written purely to satisfy a notified body, they likely don't address these FDA-specific requirements explicitly.

§820.45: Device labeling and packaging controls

ISO 13485:2016 covers labelling only in general terms. QMSR §820.45 adds US-specific requirements on top: procedures describing how labelling and packaging integrity, inspection, and storage are ensured; examination of labelling and packaging for accuracy — including the correct UDI/UPC — before release or storage; documented release of labelling for use; and controls to prevent mix-ups, with inspection before use to confirm every device carries the correct labelling. EU MDR-aligned procedures often don't cover this, because MDR focuses on what labelling must contain, while §820.45 focuses on how it's controlled operationally before it reaches the device.

What FDA investigators will check

Under the updated inspection model, FDA investigators assess compliance against the QMSR framework, which means they work from the ISO 13485:2016 structure plus the two supplemental sections. Two things follow from this that ISO 13485-certified manufacturers should plan for.

First, the scope of what investigators can see has widened. Under the old QSR, records from management reviews, internal audits, and supplier audits were exempt from routine FDA inspection (§820.180(c)). QMSR does not carry that exemption forward, so investigators can now request these records. They need to be inspection-ready — and if your team previously relied on that exemption to keep audit or management-review discussions candid, that's worth rethinking now.

Second, investigators will expect a documented gap assessment showing that you have identified and addressed the FDA-specific requirements. ISO 13485 documentation prepared for a European notified body may align structurally with QMSR, but the §820.35 and §820.45 requirements sit outside the scope of ISO 13485 and won't be covered by that documentation by default. If you cannot trace how your records management and labeling control procedures address them, that will be a finding.

What to do: a practical checklist

1. Run a gap assessment

The two FDA-specific sections of QMSR (§820.35 and §820.45) address records control and labeling. They do not require rewriting the entire QMS. The scope of the gap is defined by those two sections.

2. Update your records management procedures

Add explicit language for the §820.35 content requirements: complaint-record fields (and the justification when an investigation is skipped), servicing-record details, UDI per device or batch, and marking of confidential records. Document this as a QMSR supplement to your existing records procedures.

3. Update your labeling control procedures

Add a documented pre-release inspection step for labeling and packaging. Define who performs the inspection, what they verify, and how the release is recorded. Add controls to prevent labeling mix-ups across product lines.

4. Update your inspection readiness

Train your team on the QMSR framework and the new FDA inspection model. Investigators no longer use the QSIT structure. They are trained to work from the QMSR. Your team should be able to explain how your QMS maps to that framework, including the FDA-specific sections.

5. Document and retain the gap assessment

FDA expects to see that you assessed the transition proactively. A documented gap assessment with action items and closure evidence is a reasonable thing to have available during an inspection.

CertHub’s Conformity Checker

If you want to know where your current QMS stands against QMSR requirements, CertHub’s Conformity Checker assesses your documentation from day one to submission. It checks against ISO 13485, 21 CFR Part 820, and MDR requirements, and tells you where the gaps are before an FDA investigator does.

Sources: FDA QMSR overview | FDA QMSR FAQ | Federal Register: QMSR Final Rule