FDA Medical Device Regulations in 2026: What Every QA Team Needs to Know

TLDR

The FDA's Quality Management System Regulation (QMSR) became effective February 2, 2026, replacing the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, making it the core QMS standard for medical device manufacturers in the United States. FDA inspections now follow a new risk-based compliance program, replacing the old QSIT framework. For QA Directors, Regulatory Affairs professionals, and Quality Managers at medical device companies, this is the most significant regulatory shift in over 25 years.

The Regulatory Shift Every Medical Device QA Team Now Faces

For decades, medical device manufacturers in the United States built their quality systems around the Quality System Regulation, commonly known as the QSR, which lived within 21 CFR Part 820. That framework spelled out each requirement directly in the regulation itself, from Subpart A through Subpart O, giving U.S. manufacturers a distinct domestic standard that differed meaningfully from international norms.

On February 2, 2026, that changed. The FDA's Quality Management System Regulation (QMSR) took effect, fundamentally restructuring how the FDA defines quality system requirements for medical device manufacturers. The QMSR is not a minor revision. It rewrites Part 820 by incorporating ISO 13485:2016 by reference, making the international standard the primary source of QMS requirements for U.S. manufacturers.

For QA teams already certified to ISO 13485:2016, the transition is manageable. For teams that operated exclusively under the legacy QSR, the adjustment is significant. Terminology has changed, inspection methodology has changed, and the philosophy underlying FDA oversight has shifted toward a lifecycle-based, risk-driven model.

This article breaks down exactly what changed, what the QMSR requires, how device classification interacts with QMS obligations, what FDA inspectors consistently flag as deficiencies, and how a modern electronic QMS positions your team for inspection readiness.

What the QMSR Is and Why the FDA Made the Change

The QMSR is the FDA's revised regulatory framework under 21 CFR Part 820, finalized in the Federal Register on February 2, 2024, and effective two years later on February 2, 2026. Its core mechanism is incorporation by reference: rather than rewriting every QMS requirement in federal code, Part 820 now directs manufacturers to meet the requirements set out in ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes, along with Clause 3 of ISO 9000:2015 for terminology.

The FDA's rationale is straightforward. The global medical device regulatory community had largely standardized around ISO 13485:2016, including the European Union, Canada, Japan, and Australia. The legacy QSR, first established in 1996, created a situation where manufacturers selling into multiple markets maintained parallel quality systems with overlapping but non-identical requirements. Harmonizing U.S. requirements with ISO 13485:2016 reduces that dual-system burden and aligns FDA oversight with internationally recognized standards.

Importantly, ISO 13485 compliance alone does not satisfy the QMSR. The FDA retained specific provisions within Part 820 that go beyond ISO 13485, particularly for Unique Device Identification (UDI), Medical Device Reporting (MDR), labeling, and certain electronic records requirements. Manufacturers must meet both the ISO 13485:2016 standard and any additional FDA-specific provisions simultaneously.

What Changed: Key Differences Between the Legacy QSR and the QMSR

Terminology and Document Structure

The legacy QSR used terminology that many U.S. manufacturers had built entire quality systems around: the Device History File (DHF), Device Master Record (DMR), and Device History Record (DHR). The QMSR retires these terms. Under the QMSR, all three concepts consolidate into the Medical Device File (MDF), drawn from ISO 13485:2016 terminology. Manufacturers with legacy documentation architecture built around DHF, DMR, and DHR structures need to remap those records to align with the MDF framework.

The New Inspection Program: CP 7382.850

On February 2, 2026, the FDA simultaneously retired the Quality System Inspection Technique (QSIT) guidance and the Inspection of Medical Device Manufacturers program (7382.845), replacing them with Compliance Program 7382.850. Under the old QSIT model, inspectors followed a structured subsystem approach, reviewing four major subsystems: Management Controls, CAPA, Design Controls, and Production and Process Controls. CP 7382.850 replaces this with a risk-based, lifecycle-focused methodology. Inspectors now evaluate end-to-end product lifecycle risk controls holistically, examining cybersecurity readiness, design and development evidence, and systemic quality indicators rather than working through a fixed subsystem checklist. Inspections under this program are more adaptive and more penetrating.

FDA-Specific Additions Beyond ISO 13485

Part 820 under the QMSR adds requirements not found in ISO 13485:2016. These include specific provisions for complaint files, MDR procedures, correction and removal reporting, and unique device identification. Manufacturers must address these in addition to the full ISO 13485:2016 standard.

Core QMS Requirements Under the QMSR

Management Responsibility

ISO 13485:2016 Section 5 requires top management to demonstrate active leadership of the quality management system. This includes establishing a quality policy, setting measurable quality objectives, appointing a management representative accountable for QMS performance, and conducting scheduled management reviews. The management review process must evaluate inputs from audits, customer feedback, process performance data, CAPA status, and regulatory changes. Under the QMSR, management engagement is not a paper exercise. Inspectors evaluate whether quality objectives connect to measurable outcomes and whether leadership receives and acts on quality data.

Design Controls

Design controls remain one of the most scrutinized areas in FDA medical device inspections. Under ISO 13485:2016 Section 7.3, manufacturers must plan and control device design and development through defined stages with reviews, verification, validation, and transfer activities at each stage. Design inputs must be complete, unambiguous, and traceable to design outputs. Design verification confirms outputs meet inputs. Design validation confirms the finished device meets user needs and intended uses. All design and development activities require documented evidence within the Medical Device File.

Document Controls

ISO 13485:2016 Section 4.2 requires a documented procedure for controlling all documents that form part of the QMS. This includes approval before release, review and update procedures, identification of current document revision status, and availability of applicable versions at points of use. Obsolete documents must be prevented from unintended use. The audit trail for document approvals and revisions is a core inspection focus, particularly for electronic quality management systems operating under FDA's electronic records rules.

CAPA

Corrective and Preventive Action remains the backbone of any FDA-compliant QMS. ISO 13485:2016 Section 8.5 requires manufacturers to identify nonconformities, determine root causes, implement corrective actions, verify effectiveness, and prevent recurrence. The root cause investigation must go beyond identifying "human error" to systemic causes using structured methodologies such as 5 Whys, Fishbone analysis, or Fault Tree Analysis. The Deviation CAPA process also requires evidence that corrective actions did not introduce new risks into the system. Effectiveness verification must use objective evidence, not assumption.

Complaint Handling

Under ISO 13485:2016 Section 8.2.2, combined with FDA-specific Part 820 provisions, manufacturers must maintain a documented procedure for receiving, reviewing, and evaluating complaints. All complaints must be documented, and the manufacturer must determine whether the complaint constitutes a reportable event under MDR regulations. Adverse events related to device malfunction, deterioration, or patient injury require investigation and, where MDR thresholds are met, timely reporting to the FDA. Complaint records must link to any resulting CAPA and to the relevant product records in the Medical Device File.

Audits

ISO 13485:2016 Section 8.2.4 requires manufacturers to conduct scheduled internal audits to confirm the QMS conforms to planned arrangements and is effectively implemented. Audit programs must address all QMS processes, with frequency based on the status and importance of each area and the results of previous audits. Audit findings must be documented and communicated to management, and any nonconformities identified must feed into the CAPA process. Process audits of manufacturing and support processes complement the system-level internal audit program. Supplier Quality Management (SQM) audits are also required under Section 7.4, with supplier selection, evaluation, and re-evaluation based on their ability to meet specified requirements.

Device Classification and Regulatory Pathways: Class I, II, and III

The FDA classifies medical devices into three risk-based categories, and the classification determines the premarket regulatory pathway and the scope of QMS obligations.

Class I Devices

Class I devices present the lowest risk, such as elastic bandages and examination gloves. Most Class I devices are subject only to General Controls, which include proper labeling, FDA registration and listing, manufacturing under GMP, and prohibition against adulteration and misbranding. The majority of Class I devices are 510(k) exempt.

Class II Devices and the 510(k) Pathway

Class II devices carry moderate risk and require Special Controls in addition to General Controls. Most Class II devices reach the market through 510(k) submission, where the manufacturer demonstrates that the new device is substantially equivalent to a legally marketed predicate device. Substantial equivalence means the device has the same intended use and the same or different technological characteristics that do not raise new safety questions. Class II manufacturers must operate a full QMS compliant with the QMSR and ISO 13485:2016.

Class III Devices and the PMA Pathway

Class III devices support or sustain human life, are implanted, or present a potential unreasonable risk of illness or injury. Pacemakers, implantable defibrillators, and deep brain stimulators are examples. Class III devices require Premarket Approval (PMA), the FDA's most rigorous premarket review process. PMA approval requires valid scientific evidence, typically including clinical trial data, demonstrating reasonable assurance of safety and effectiveness. PMA holders must also maintain robust post-market surveillance programs and notify the FDA of any changes to the device, labeling, or manufacturing process that could affect safety or effectiveness.

For all three classes, the QMSR's QMS requirements apply once a device enters commercial distribution. The depth of QMS infrastructure required scales with device risk and complexity, but no manufacturer is exempt from the core requirements of ISO 13485:2016 as incorporated by Part 820.

Common FDA Inspection Findings Medical Device Manufacturers Face

FDA Form 483 observations for medical device manufacturers reveal consistent systemic patterns. Understanding these is the first step toward addressing them before an investigator arrives.

CAPA Process Deficiencies. Inadequate CAPA remains the top observation in FDA medical device inspections. Specific failures include conducting inadequate root cause analyses, failing to implement timely corrective actions, not verifying effectiveness of completed CAPAs, and allowing recurrence of the same nonconformity without systemic remediation. Under the new CP 7382.850 inspection framework, inspectors evaluate CAPA holistically across the product lifecycle rather than in isolation.

Design Control Gaps. Design control deficiencies appear consistently in Form 483 observations, particularly for manufacturers who developed legacy products before robust design control processes existed and have not updated those records to meet current requirements. Common gaps include missing design verification or validation documentation, inadequate traceability between design inputs and outputs, and insufficient documentation in the Medical Device File.

Complaint Handling Failures. Manufacturers frequently receive observations for not evaluating all potential complaints, failing to determine whether complaints represent reportable events, and not maintaining complete complaint files. The connection between complaint records, MDR determinations, and CAPA initiation is a standard inspection focus area.

Document Control Weaknesses. Investigators frequently observe the use of obsolete document versions at points of use, missing approval signatures, inadequate change control records, and SOPs that do not reflect actual practice. Under the QMSR, document control extends to the full Medical Device File structure, raising the scope of what investigators review.

Supplier Control Gaps. Manufacturers regularly receive observations for insufficient supplier qualification documentation, failure to re-evaluate critical suppliers on a defined schedule, and inadequate controls over supplier changes. The risk register for supplier-related risks is increasingly an inspection focus under the risk-based CP 7382.850 framework.

How a Modern eQMS Builds Inspection Readiness

Inspection readiness is not a project you start when the FDA calls. It is a continuous operating state where your QMS produces clean, traceable, complete documentation as a natural output of daily quality operations.

A paper-based or disconnected QMS creates structural gaps that become visible under inspection. Documents stored across disparate systems, CAPA records that do not link to complaints or deviations, audit findings without evidence of follow-through, and manual signature workflows without reliable audit trails are inspection liabilities.

A validated, purpose-built electronic QMS addresses these gaps by design. Cloudtheapp is an AI-powered, no-code eQMS built specifically for regulated industries, including medical device manufacturers operating under the QMSR and ISO 13485:2016. The platform is FDA-validated under 21 CFR Part 820 and ISO 13485:2016, meaning manufacturers deploy on an infrastructure that is already compliant with the same standards inspectors evaluate.

Cloudtheapp's CAPA application provides end-to-end workflow management from nonconformity identification through root cause analysis, corrective action planning, implementation, and effectiveness verification, with a complete audit trail at every step. The Complaints application connects complaint records to MDR determination workflows and links directly to CAPA initiation, closing the compliance loop that inspectors look for. The Audits application manages internal audit programs, tracks findings, and routes them to management review and CAPA as required by ISO 13485:2016. The Design Controls application manages the full design and development lifecycle within the Medical Device File framework, maintaining traceability from design inputs through verification, validation, and transfer. The Documents application enforces document control with automated approval workflows, version control, and obsolete document management.

Because Cloudtheapp provides a validation package with every platform update, manufacturers do not absorb the risk or cost of re-validating after each software release. Updates are seamless, validated, and free, which means your QMS stays current with regulatory requirements without resource-intensive upgrade projects.

For QA Directors and Regulatory Affairs professionals managing the QMSR transition, the most practical action is to evaluate whether your current QMS infrastructure can produce the evidence CP 7382.850 inspectors now demand: lifecycle-integrated risk documentation, fully linked CAPA records, traceable design controls, and complete complaint investigation trails.

Preparing Your QA Team for What Comes Next

The QMSR transition is complete. The compliance deadline has passed. Manufacturers who delayed their QMS alignment now face inspections under CP 7382.850 without the legacy QSIT safety net of a predictable subsystem approach.

The manufacturers that perform best in FDA inspections share a common characteristic: their quality systems produce coherent, connected evidence as a matter of routine operation, not emergency preparation. Every CAPA links to its source nonconformity. Every complaint connects to its MDR determination. Every audit finding resolves through documented follow-through. Design control records are complete and traceable from the first design input to the validated output.

That operating state does not happen by accident. It happens when quality management infrastructure is purpose-built for regulated device manufacturing, runs on a validated platform, and gives QA teams real-time visibility into the status of every compliance obligation.

If your team is working through the QMSR transition or identifying gaps in your current QMS ahead of your next inspection cycle, request a demo at cloudtheapp.com to see how Cloudtheapp's QMSR and ISO 13485:2016 dual-compliant platform supports inspection readiness at every stage of the product lifecycle.