The FDA’s new Quality Management System Regulation (QMSR) takes effect February 2, 2026, harmonizing with ISO 13485. This shifts the framework from the old, prescriptive QSR to a more proactive, process-based system rooted in risk management.
This transition is not a simple paperwork update; it demands a fundamental culture shift and rewriting your core QMS logic. Missing the nuances in this harmonization could lead to significant inspection findings, which is why we’ve identified the Top 3 Overlooked Issues where most companies will stumble.
Overlooked Issue #1: Complaint Handling: Moving from Forms to a Full Feedback Loop
The QMSR transforms complaint handling from a linear process into a dynamic feedback loop. QMSR 820.35 Control of Records maintains existing details required for Complaints and Service. Your vigilance system must now pull data from service reports, product returns, and market trends, not just formal complaints.
While your MDR reporting obligations remain the same, you must now use this broader data for continuous improvement, linking it directly to risk management files and preventive actions.
The Easy Fix: Integrate Risk into Every Feedback Event.
Make it a habit to consult your risk file for every feedback event. Use it to:
1. Review if the issue matches a known hazard.
2. Evaluate its severity and probability against your thresholds.
3. Prioritize high-risk issues and watch for lower-risk trends.
4. Document your rationale clearly.
This shifts complaints from a regulatory chore to a proactive tool for risk reduction.
Overlooked Issue #2: Supplier Management: From Passive Certificates to Active, Evidence-Based Control
The QMSR mandates a fundamental shift from passive supplier approval to active, evidence-based control. The era of relying solely on a certificate and a vague quality agreement is over. You must now demonstrate risk-proportionate oversight, and critically, internal supplier audit reports are no longer confidential and must be inspection-ready.
Fixing the gap requires a two-tiered strategy:
1. Fortify Direct Supplier Agreements: Create a “Playbook,” Not a Promise.
Replace vague agreements with detailed playbooks that explicitly define:
- Responsibilities: Who handles design changes, non-conformances, complaints, and CAPA?
- Right of Access: Does the agreement grant you (and the FDA) explicit access to relevant supplier records?
2. Gain Visibility into Your Sub-Tier Supply Chain.
Your control must extend to sub-tier suppliers where a failure could impact your product’s safety or performance. The old mindset of “Supplier A’s problems are their own” is obsolete.
- Example: If a critical component from Supplier A uses a special polymer from their Supplier B, a change in that polymer could break your device.
- The Fix: Your agreement with Supplier A MUST require them to control their sub-tier suppliers and notify you of critical changes. For high-risk components, you may need the right to audit these sub-tier suppliers directly.
Bottom Line: You are responsible for the entire supply chain. Manage this risk through robust, cascading agreements that ensure clarity, control, and visibility from top to bottom.
Ultimately, QMSR transforms supplier management from a passive administrative task into an active, evidence-based risk control system. Your success now depends on demonstrable oversight, detailed agreements, and end-to-end supply chain visibility, all of which must be readily available for FDA review.
Overlooked Issue #3: Personnel: Documented Training is Dead; Prove Competency
This shift sounds simple but requires a fundamental change in how you manage personnel qualifications.
- The Old Rule (QSR): Documented Training
  - Focus: Proving an employee received training.
  - Evidence: A completed training log or attendance sheet.
- The New Rule (QMSR): Objective Evidence of Competency
  - Focus: Proving training was effective and the employee is capable.
  - The FDA expects proof that personnel can correctly perform their quality-critical tasks.
A 4-Step Framework for Demonstrating Competency
- Define Job-Specific Competency Requirements
  - For each role, define requirements based on Education, Experience, Skills, and specific Training.
- Implement a Multi-Method Evaluation Process
  - Go beyond “read and understand”! Use a combination of:
    - Practical Demonstrations: A supervisor observes and confirms task proficiency.
    - Skill-Based Testing: Written or practical exams.
    - On-the-Job Verification & Work Review: Ongoing monitoring of completed work.
- Maintain Robust, Accessible Documentation
  - Consolidate all evidence in Employee Files (job descriptions, assessments, sign-offs).
  - Use a Competency Matrix to visualize team skills and identify gaps.
- Establish a Feedback & Retraining Loop
  - Address performance deficiencies with targeted retraining.
  - Document the feedback and re-assessment to close the loop.
You don’t need formal proof for every single task. Apply a risk-based filter:
“If this task is performed incorrectly, what is the risk to the product or patient?”
If the risk is high, you should go beyond a simple training record. Focus your most rigorous assessment efforts on quality-critical activities that directly impact safety and performance.
The Ultimate Mindset Shift: Understanding the FDA Investigator
While the QMSR incorporates ISO 13485, an FDA inspection is not a conformity assessment. It is a regulatory enforcement activity. The investigator’s goal is to protect public health by ensuring compliance with the Food, Drug, and Cosmetic Act.
Here are the critical perspective shifts:
| | Notified Body (ISO 13485 Audit) | FDA Investigator (QMSR Inspection) |
| --- | --- | --- |
| Focus | Verifies conformance to a standard. | Assesses compliance with a law. Violations can lead to devices being deemed “adulterated” with serious legal consequences. |
| Access | Routinely reviews internal audit and management review reports. | Now has explicit authority to review these records. They will assess how effectively you police yourself. |
| Regulations | Focuses on general clauses for regulatory reporting. | Will specifically check integration with MDR and UDI requirements. |
| Risk Management | Verifies the existence of a process (e.g., ISO 14971). Reviews the files. | Focuses on execution and outcomes. Questions if your analysis truly addresses the severity of potential patient harm. |
Transitioning to the QMSR isn’t just an update; it’s a mindset shift. Move from simply checking boxes for an audit to building a defensible system that proves compliance with the law. Your ultimate guide isn’t just the standard, but the FDA’s mandate to protect patient safety.
Preparing for the February 2026 deadline? Don’t just update your procedures; embed the new risk-based, proactive mindset. Address these three overlooked issues to build a QMS that isn’t just compliant, but truly resilient and ready for inspection.
For more information, you can contact Jackie Torfin at Jackie.Torfin@QLeaRAdvisors.com or 1-833-752-7489.
