21 CFR Part 820 vs QMSR: What Changed and What Stayed the Same

TLDR

The FDA's Quality Management System Regulation (QMSR) took effect on February 2, 2026, replacing the old Quality System Regulation (QSR) that had governed 21 CFR Part 820 since 1996. The regulation number stayed the same — 21 CFR Part 820 — but the substance changed significantly. The core shift: the FDA incorporated ISO 13485:2016 by reference, making it the backbone of U.S. medical device quality system requirements for the first time. For manufacturers already certified to ISO 13485, many obligations now overlap with FDA expectations. For those who were not, the QMSR represents a broader set of documented requirements than the old QSR demanded.

What the QMSR actually is

The QMSR is the revised version of 21 CFR Part 820. The FDA published the final rule on February 2, 2024, giving manufacturers exactly two years to prepare before enforcement began. The rule did not create a new regulation from scratch. It amended the existing Part 820 by incorporating ISO 13485:2016 and ISO 9000:2015 Clause 3 (definitions) by reference, while adding FDA-specific requirements where ISO 13485 alone was insufficient to meet the statutory expectations of the Federal Food, Drug, and Cosmetic Act.

The old regulation was informally called the Quality System Regulation or QSR. The revised version carries a new name: the Quality Management System Regulation, or QMSR. The underlying legal authority — Section 520(f) of the FD&C Act — did not change. What changed is how the FDA defines what a compliant quality system looks like in practice.

According to the FDA's QMSR page, the agency determined that ISO 13485:2016 requirements are, taken in totality, substantially similar to the old QSR requirements, providing an equivalent level of assurance that devices are manufactured safely and consistently.

What changed from the old QSR

Incorporation of ISO 13485:2016

The most consequential change is structural. Under the old QSR, the FDA maintained its own standalone quality system requirements. Under the QMSR, ISO 13485:2016 is incorporated by reference, meaning compliance with the QMSR requires compliance with ISO 13485 unless FDA-specific provisions say otherwise. Manufacturers can access the standard in read-only format through the ANSI Incorporated by Reference Portal at ibr.ansi.org.

This harmonization aligns the U.S. with regulatory authorities in Canada, the European Union, Japan, and other markets that have used ISO 13485 as the baseline standard for years. A manufacturer certified to ISO 13485:2016 by an accredited certification body will find that a large portion of their existing documentation already addresses QMSR obligations, though FDA-specific additions still apply.

Expanded FDA inspection authority

Under the old QSR, Section 820.180(c) exempted internal quality audits from FDA inspection — including supplier audits and management review reports. The QMSR eliminates this exemption entirely.

As of February 2, 2026, FDA investigators can request and review:

  • Internal audit reports
  • Supplier audit reports and findings
  • Management review meeting records and outputs

The FDA's rationale, stated in the final rule preamble, is that manufacturers already provide these records to other regulatory bodies under ISO 13485, so making them available to FDA investigators does not create additional burden. For manufacturers whose internal audits have historically been informal or underdocumented, this change creates a real compliance gap. An audit trail that shows systematic, structured internal reviews is now essential to inspection readiness.

New inspection process replacing QSIT

The Quality System Inspection Technique (QSIT), which FDA investigators used for decades to structure device inspections, was withdrawn on February 2, 2026. The new inspection process is described in the updated Compliance Program 7382.850 (Inspection of Medical Device Manufacturers), implemented on the same date the QMSR took effect.

Manufacturers preparing for their first post-QMSR inspection should review this compliance program and understand how their quality system documentation maps to QMSR requirements rather than the old QSIT subsystem framework.

Combination product requirements clarified

The FDA also made conforming edits to 21 CFR Part 4 to clarify quality management system requirements for combination products (devices combined with drugs or biologics). These edits did not change the underlying CGMP requirements for combination products but provide additional clarity for manufacturers operating at the device-drug or device-biologic boundary.

What stayed the same

The fundamental obligations of a quality management system for medical devices did not change. Manufacturers must still:

  • Establish, document, implement, and maintain a quality management system
  • Define and control processes for design, production, and post-market activities
  • Conduct internal audits at planned intervals
  • Control nonconforming products and initiate corrective and preventive actions
  • Maintain document and record control systems
  • Qualify and monitor suppliers

The FDA was explicit in the final rule: the requirements of the QSR and the QMSR are substantially similar. A manufacturer that maintained a well-run quality system under the old regulation should find the transition manageable. Records created before February 2, 2026 remain valid, and the FDA has indicated that investigators may find it useful when manufacturers complete a comparative analysis showing that pre-QMSR records meet QMSR requirements.

The statutory basis and enforcement authority also stayed the same. The FDA still conducts risk-based inspections. A FDA Form 483 observation under the QMSR carries the same weight as it did under the old QSR. The path from inspection observation to warning letter to consent decree follows the same escalation pattern.

MDSAP (Medical Device Single Audit Program) continues as a voluntary third-party audit program. Holding an MDSAP certificate does not exempt a manufacturer from FDA inspection, and the FDA will not issue ISO 13485 certificates of conformance. FDA inspections assess compliance with federal regulations; third-party MDSAP audits assess conformance to the ISO standard.

What the QMSR means for ISO 13485-certified manufacturers

If your facility holds a current ISO 13485:2016 certification, a significant portion of your quality system already aligns with QMSR requirements. The areas to examine carefully are the FDA-specific additions: requirements that clarify expectations beyond what ISO 13485 alone specifies, particularly around electronic records under 21 CFR Part 11, combination product documentation, and the now-eliminated inspection exemptions for audits and management reviews.

ISO 13485 certification is not a substitute for QMSR compliance, and the FDA will not accept a certification certificate as evidence of compliance. The FDA's inspection program operates independently from third-party certification schemes.

What the QMSR means for manufacturers who were not ISO 13485-certified

The transition is more substantial for facilities that built their quality systems to the minimum QSR requirements without pursuing ISO 13485 certification. ISO 13485 is more prescriptive in certain areas — particularly risk management integration, supplier qualification, and formal management review documentation.

Areas that commonly require additional work include:

  • Risk management documentation and integration with design and production processes
  • Supplier qualification and audit programs (now fully subject to FDA inspection)
  • Formal management review records with documented outputs and follow-up actions
  • Process validation with documented evidence across all production stages

The two-year transition period from February 2024 to February 2026 was intended to allow manufacturers to close these gaps. Manufacturers still working through their gap analysis should prioritize the areas most likely to surface during an inspection visit: internal audit records, supplier controls, management review minutes, and corrective action systems.

How an eQMS supports QMSR compliance

The shift to QMSR compliance is, at its core, a documentation and traceability challenge. Every process change, corrective action, audit finding, supplier evaluation, and management review decision must be recorded, controlled, and available for review on demand.

Paper-based or fragmented quality systems create serious risk in this environment. When an FDA investigator arrives and requests your supplier audit reports from the past three years, a quality management system that stores documents in shared drives or physical binders cannot produce them quickly or consistently.

Cloudtheapp's cloud-based eQMS is built for exactly this operating model. With 60+ purpose-built applications covering audits, supplier qualification, CAPA, document control, and management review, Cloudtheapp gives quality teams a single source of truth for every record that matters under the QMSR. The platform is validated to FDA computer system validation guidelines and supports 21 CFR Part 11 electronic records and signatures, so your digital records meet the same evidentiary standards as paper records in an FDA inspection.

Manufacturers transitioning from the old QSR to the QMSR use Cloudtheapp to map their existing quality system documentation against QMSR requirements, identify gaps, and build the processes needed to close them — without rebuilding their system from scratch.

See how Cloudtheapp supports QMSR compliance

Common questions about 21 CFR Part 820 and the QMSR

Does 21 CFR Part 820 still exist?

Yes. The regulation number 21 CFR Part 820 did not change. The QMSR is the updated version of Part 820, published under the same citation. References to "21 CFR Part 820" after February 2, 2026 refer to the QMSR.

When did the QMSR become mandatory?

February 2, 2026. The final rule was published on February 2, 2024, and the two-year transition period ended on the effective date. FDA inspections conducted on or after that date assess compliance with the QMSR, not the old QSR.

Do I need ISO 13485 certification to comply with the QMSR?

No. ISO 13485 certification from a third-party body is voluntary. The QMSR incorporates ISO 13485:2016 requirements by reference as the substantive content of the regulation. You must meet those requirements, but the FDA does not require a third-party certificate.

What happened to the QSIT inspection process?

The Quality System Inspection Technique (QSIT) was withdrawn on February 2, 2026. FDA device inspections now follow the updated Compliance Program 7382.850.

Can FDA now inspect my internal audit records?

Yes. The exemption that previously protected internal quality audits, supplier audits, and management review reports from FDA inspection was eliminated under the QMSR. These records are now subject to review during FDA device inspections.

Conclusion

The QMSR kept the same regulation number but changed the underlying framework in ways that matter for daily quality operations. ISO 13485:2016 is now legally embedded in 21 CFR Part 820. Internal audits and management reviews are fully visible to FDA investigators. A new inspection process governs how those investigations unfold.

Manufacturers with well-documented quality systems built on ISO 13485 are in a strong position. Those whose quality systems were structured around the minimum QSR requirements have more work ahead, particularly in supplier qualification, audit documentation, and risk management.

The practical path forward is a documented gap analysis against QMSR requirements, followed by a systematic plan to close the identified gaps before your next FDA inspection visit. An eQMS like Cloudtheapp makes that process faster and gives you the documentation infrastructure to sustain it.

Request a demo to see how Cloudtheapp supports QMSR compliance

Please complete the form to access the Case Study

Please complete the form to access the Case Study

You will receive the webinar link via email once your request has been approved

Sign Up for Cloudtheapp

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

New to Cloudtheapp?

Access to try Cloudtheapp can be granted after you request a demo to learn how it can transform your operations.

Existing Customer User?

You can proceed with signing up.

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study

Please complete the form to access the Case Study