<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="https://www.cloudtheapp.com/wp-content/plugins/rss-feed-styles/public/template.xsl"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:rssFeedStyles="http://www.lerougeliet.com/ns/rssFeedStyles#"
>

<channel>
	<title>QMSR Archives | Cloudtheapp</title>
	<atom:link href="https://www.cloudtheapp.com/tag/qmsr/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cloudtheapp.com/tag/qmsr/</link>
	<description>Configurable Quality Management &#38; Regulatory Compliance SaaS built on our Validated &#34;No-Code&#34; platform.</description>
	<lastBuildDate>Thu, 28 May 2026 00:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>/wp-content/uploads/3.svg</url>
	<title>QMSR Archives | Cloudtheapp</title>
	<link>https://www.cloudtheapp.com/tag/qmsr/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>FDA Medical Device Regulations in 2026: What Every QA Team Needs to Know</title>
		<link>https://www.cloudtheapp.com/fda-medical-device-regulations-in-2026-what-every-qa-team-needs-to-know/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Wed, 20 May 2026 01:06:57 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[21 CFR Part 820]]></category>
		<category><![CDATA[FDA medical device regulations]]></category>
		<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[medical device quality]]></category>
		<category><![CDATA[QMSR]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/fda-medical-device-regulations-in-2026-what-every-qa-team-needs-to-know/</guid>

					<description><![CDATA[<p>FDA Medical Device Regulations in 2026: What Every QA Team Needs to Know TLDR The FDA&#39;s Quality Management System Regulation (QMSR) became effective February 2, 2026, replacing the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, making it the core QMS standard for medical device manufacturers [&#8230;]</p>
<p>This post was created by and first appeared on <a href="https://www.cloudtheapp.com">Cloudtheapp</a></p>
]]></description>
										<content:encoded><![CDATA[<h1>FDA Medical Device Regulations in 2026: What Every QA Team Needs to Know</h1>
<h2>TLDR</h2>
<p>The FDA&#39;s Quality Management System Regulation (QMSR) became effective February 2, 2026, replacing the legacy Quality System Regulation (QSR) under <a href="https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr">21 CFR Part 820</a>. The QMSR incorporates ISO 13485:2016 by reference, making it the core QMS standard for medical device manufacturers in the United States. FDA inspections now follow a new risk-based compliance program, replacing the old QSIT framework. For QA Directors, Regulatory Affairs professionals, and Quality Managers at medical device companies, this is the most significant regulatory shift in over 25 years.</p>
<h2>The Regulatory Shift Every Medical Device QA Team Now Faces</h2>
<p>For decades, medical device manufacturers in the United States built their quality systems around the Quality System Regulation, commonly known as the QSR, which lived within <a href="https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr">21 CFR Part 820</a>. That framework spelled out each requirement directly in the regulation itself, from Subpart A through Subpart O, giving U.S. manufacturers a distinct domestic standard that differed meaningfully from international norms.</p>
<p>On February 2, 2026, that changed. The <a href="https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr">FDA&#39;s Quality Management System Regulation (QMSR)</a> took effect, fundamentally restructuring how the FDA defines quality system requirements for medical device manufacturers. The QMSR is not a minor revision. It rewrites Part 820 by incorporating ISO 13485:2016 by reference, making the international standard the primary source of QMS requirements for U.S. manufacturers.</p>
<p>For QA teams already certified to ISO 13485:2016, the transition is manageable. For teams that operated exclusively under the legacy QSR, the adjustment is significant. Terminology has changed, inspection methodology has changed, and the philosophy underlying FDA oversight has shifted toward a lifecycle-based, risk-driven model.</p>
<p>This article breaks down exactly what changed, what the QMSR requires, how device classification interacts with QMS obligations, what FDA inspectors consistently flag as deficiencies, and how a modern electronic QMS positions your team for inspection readiness.</p>
<h2>What the QMSR Is and Why the FDA Made the Change</h2>
<p>The QMSR is the FDA&#39;s revised regulatory framework under 21 CFR Part 820, finalized in the Federal Register on February 2, 2024, and effective two years later on February 2, 2026. Its core mechanism is incorporation by reference: rather than rewriting every QMS requirement in federal code, Part 820 now directs manufacturers to meet the requirements set out in <a href="https://www.iso.org/standard/59752.html">ISO 13485:2016, Medical devices &#8211; Quality management systems &#8211; Requirements for regulatory purposes</a>, along with Clause 3 of ISO 9000:2015 for terminology.</p>
<p>The FDA&#39;s rationale is straightforward. The global medical device regulatory community had largely standardized around ISO 13485:2016, including the European Union, Canada, Japan, and Australia. The legacy QSR, first established in 1996, created a situation where manufacturers selling into multiple markets maintained parallel quality systems with overlapping but non-identical requirements. Harmonizing U.S. requirements with ISO 13485:2016 reduces that dual-system burden and aligns FDA oversight with internationally recognized standards.</p>
<p>Importantly, ISO 13485 compliance alone does not satisfy the QMSR. The FDA retained specific provisions within Part 820 that go beyond ISO 13485, particularly for Unique Device Identification (UDI), Medical Device Reporting (MDR), labeling, and certain electronic records requirements. Manufacturers must meet both the ISO 13485:2016 standard and any additional FDA-specific provisions simultaneously.</p>
<h2>What Changed: Key Differences Between the Legacy QSR and the QMSR</h2>
<h3>Terminology and Document Structure</h3>
<p>The legacy QSR used terminology that many U.S. manufacturers had built entire quality systems around: the Device History File (DHF), Device Master Record (DMR), and Device History Record (DHR). The QMSR retires these terms. Under the QMSR, all three concepts consolidate into the Medical Device File (MDF), drawn from ISO 13485:2016 terminology. Manufacturers with legacy documentation architecture built around DHF, DMR, and DHR structures need to remap those records to align with the MDF framework.</p>
<h3>The New Inspection Program: CP 7382.850</h3>
<p>On February 2, 2026, the FDA simultaneously retired the Quality System Inspection Technique (QSIT) guidance and the Inspection of Medical Device Manufacturers program (7382.845), replacing them with Compliance Program 7382.850. Under the old QSIT model, inspectors followed a structured subsystem approach, reviewing four major subsystems: Management Controls, CAPA, Design Controls, and Production and Process Controls. CP 7382.850 replaces this with a risk-based, lifecycle-focused methodology. Inspectors now evaluate end-to-end product lifecycle risk controls holistically, examining cybersecurity readiness, design and development evidence, and systemic quality indicators rather than working through a fixed subsystem checklist. Inspections under this program are more adaptive and more penetrating.</p>
<h3>FDA-Specific Additions Beyond ISO 13485</h3>
<p>Part 820 under the QMSR adds requirements not found in ISO 13485:2016. These include specific provisions for complaint files, MDR procedures, correction and removal reporting, and unique device identification. Manufacturers must address these in addition to the full ISO 13485:2016 standard.</p>
<h2>Core QMS Requirements Under the QMSR</h2>
<h3>Management Responsibility</h3>
<p>ISO 13485:2016 Section 5 requires top management to demonstrate active leadership of the quality management system. This includes establishing a quality policy, setting measurable quality objectives, appointing a management representative accountable for QMS performance, and conducting scheduled management reviews. The management review process must evaluate inputs from <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a>, customer feedback, process performance data, CAPA status, and regulatory changes. Under the QMSR, management engagement is not a paper exercise. Inspectors evaluate whether quality objectives connect to measurable outcomes and whether leadership receives and acts on quality data.</p>
<h3>Design Controls</h3>
<p>Design controls remain one of the most scrutinized areas in FDA medical device inspections. Under ISO 13485:2016 Section 7.3, manufacturers must plan and control device design and development through defined stages with reviews, verification, validation, and transfer activities at each stage. Design inputs must be complete, unambiguous, and traceable to design outputs. Design verification confirms outputs meet inputs. Design validation confirms the finished device meets user needs and intended uses. All design and development activities require documented evidence within the Medical Device File.</p>
<h3>Document Controls</h3>
<p>ISO 13485:2016 Section 4.2 requires a documented procedure for controlling all documents that form part of the QMS. This includes approval before release, review and update procedures, identification of current document revision status, and availability of applicable versions at points of use. Obsolete documents must be prevented from unintended use. The <a href="https://www.cloudtheapp.com/glossary-audit-trail/">audit trail</a> for document approvals and revisions is a core inspection focus, particularly for electronic quality management systems operating under FDA&#39;s electronic records rules.</p>
<h3>CAPA</h3>
<p>Corrective and Preventive Action remains the backbone of any FDA-compliant QMS. ISO 13485:2016 Section 8.5 requires manufacturers to identify nonconformities, determine root causes, implement corrective actions, verify effectiveness, and prevent recurrence. The <a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">root cause investigation</a> must go beyond identifying &quot;human error&quot; to systemic causes using structured methodologies such as 5 Whys, Fishbone analysis, or Fault Tree Analysis. The <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">Deviation CAPA</a> process also requires evidence that corrective actions did not introduce new risks into the system. Effectiveness verification must use objective evidence, not assumption.</p>
<h3>Complaint Handling</h3>
<p>Under ISO 13485:2016 Section 8.2.2, combined with FDA-specific Part 820 provisions, manufacturers must maintain a documented procedure for receiving, reviewing, and evaluating complaints. All complaints must be documented, and the manufacturer must determine whether the complaint constitutes a reportable event under MDR regulations. <a href="https://www.cloudtheapp.com/glossary-adverse-events/">Adverse events</a> related to device malfunction, deterioration, or patient injury require investigation and, where MDR thresholds are met, timely reporting to the FDA. Complaint records must link to any resulting CAPA and to the relevant product records in the Medical Device File.</p>
<h3>Audits</h3>
<p>ISO 13485:2016 Section 8.2.4 requires manufacturers to conduct scheduled internal audits to confirm the QMS conforms to planned arrangements and is effectively implemented. Audit programs must address all QMS processes, with frequency based on the status and importance of each area and the results of previous audits. <a href="https://www.cloudtheapp.com/glossary-audit-finding/">Audit findings</a> must be documented and communicated to management, and any nonconformities identified must feed into the CAPA process. <a href="https://www.cloudtheapp.com/glossary-process-audit/">Process audits</a> of manufacturing and support processes complement the system-level internal audit program. <a href="https://www.cloudtheapp.com/glossary-supplier-quality-management-sqm/">Supplier Quality Management (SQM)</a> audits are also required under Section 7.4, with supplier selection, evaluation, and re-evaluation based on their ability to meet specified requirements.</p>
<h2>Device Classification and Regulatory Pathways: Class I, II, and III</h2>
<p>The FDA classifies medical devices into three risk-based categories, and the classification determines the premarket regulatory pathway and the scope of QMS obligations.</p>
<h3>Class I Devices</h3>
<p>Class I devices present the lowest risk, such as elastic bandages and examination gloves. Most Class I devices are subject only to General Controls, which include proper labeling, <a href="https://www.cloudtheapp.com/glossary-fda-registration/">FDA registration</a> and listing, manufacturing under GMP, and prohibition against adulteration and misbranding. The majority of Class I devices are 510(k) exempt.</p>
<h3>Class II Devices and the 510(k) Pathway</h3>
<p>Class II devices carry moderate risk and require Special Controls in addition to General Controls. Most Class II devices reach the market through <a href="https://www.cloudtheapp.com/glossary-510k-submission/">510(k) submission</a>, where the manufacturer demonstrates that the new device is substantially equivalent to a legally marketed predicate device. Substantial equivalence means the device has the same intended use and either the same technological characteristics or different technological characteristics that do not raise new safety questions. Class II manufacturers must operate a full QMS compliant with the QMSR and ISO 13485:2016.</p>
<h3>Class III Devices and the PMA Pathway</h3>
<p>Class III devices support or sustain human life, are implanted, or present a potential unreasonable risk of illness or injury. Pacemakers, implantable defibrillators, and deep brain stimulators are examples. Class III devices require Premarket Approval (PMA), the FDA&#39;s most rigorous premarket review process. PMA approval requires valid scientific evidence, typically including clinical trial data, demonstrating reasonable assurance of safety and effectiveness. PMA holders must also maintain robust post-market surveillance programs and notify the FDA of any changes to the device, labeling, or manufacturing process that could affect safety or effectiveness.</p>
<p>For all three classes, the QMSR&#39;s QMS requirements apply once a device enters commercial distribution. The depth of QMS infrastructure required scales with device risk and complexity, but no manufacturer is exempt from the core requirements of ISO 13485:2016 as incorporated by Part 820.</p>
<h2>Common FDA Inspection Findings Medical Device Manufacturers Face</h2>
<p><a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observations for medical device manufacturers reveal consistent systemic patterns. Understanding these is the first step toward addressing them before an investigator arrives.</p>
<p><strong>CAPA Process Deficiencies.</strong> Inadequate CAPA remains the top observation in FDA medical device inspections. Specific failures include conducting inadequate root cause analyses, failing to implement timely corrective actions, not verifying effectiveness of completed CAPAs, and allowing recurrence of the same nonconformity without systemic remediation. Under the new CP 7382.850 inspection framework, inspectors evaluate CAPA holistically across the product lifecycle rather than in isolation.</p>
<p><strong>Design Control Gaps.</strong> Design control deficiencies appear consistently in Form 483 observations, particularly for manufacturers who developed legacy products before robust design control processes existed and have not updated those records to meet current requirements. Common gaps include missing design verification or validation documentation, inadequate traceability between design inputs and outputs, and insufficient documentation in the Medical Device File.</p>
<p><strong>Complaint Handling Failures.</strong> Manufacturers frequently receive observations for not evaluating all potential complaints, failing to determine whether complaints represent reportable events, and not maintaining complete complaint files. The connection between complaint records, MDR determinations, and CAPA initiation is a standard inspection focus area.</p>
<p><strong>Document Control Weaknesses.</strong> Investigators frequently observe the use of obsolete document versions at points of use, missing approval signatures, inadequate change control records, and SOPs that do not reflect actual practice. Under the QMSR, document control extends to the full Medical Device File structure, raising the scope of what investigators review.</p>
<p><strong>Supplier Control Gaps.</strong> Manufacturers regularly receive observations for insufficient supplier qualification documentation, failure to re-evaluate critical suppliers on a defined schedule, and inadequate controls over supplier changes. The <a href="https://www.cloudtheapp.com/glossary-risk-register/">risk register</a> for supplier-related risks is increasingly an inspection focus under the risk-based CP 7382.850 framework.</p>
<h2>How a Modern eQMS Builds Inspection Readiness</h2>
<p>Inspection readiness is not a project you start when the FDA calls. It is a continuous operating state where your QMS produces clean, traceable, complete documentation as a natural output of daily quality operations.</p>
<p>A paper-based or disconnected QMS creates structural gaps that become visible under inspection. Documents stored across disparate systems, CAPA records that do not link to complaints or deviations, audit findings without evidence of follow-through, and manual signature workflows without reliable audit trails are inspection liabilities.</p>
<p>A validated, purpose-built electronic QMS addresses these gaps by design. Cloudtheapp is an AI-powered, no-code eQMS built specifically for regulated industries, including medical device manufacturers operating under the QMSR and ISO 13485:2016. The platform is FDA-validated under 21 CFR Part 820 and ISO 13485:2016, meaning manufacturers deploy on an infrastructure that is already compliant with the same standards inspectors evaluate.</p>
<p>Cloudtheapp&#39;s CAPA application provides end-to-end workflow management from nonconformity identification through root cause analysis, corrective action planning, implementation, and effectiveness verification, with a complete audit trail at every step. The Complaints application connects complaint records to MDR determination workflows and links directly to CAPA initiation, closing the compliance loop that inspectors look for. The Audits application manages internal audit programs, tracks findings, and routes them to management review and CAPA as required by ISO 13485:2016. The Design Controls application manages the full design and development lifecycle within the Medical Device File framework, maintaining traceability from design inputs through verification, validation, and transfer. The Documents application enforces document control with automated approval workflows, version control, and obsolete document management.</p>
<p>Because Cloudtheapp provides a validation package with every platform update, manufacturers do not absorb the risk or cost of re-validating after each software release. Updates are seamless, validated, and free, which means your QMS stays current with regulatory requirements without resource-intensive upgrade projects.</p>
<p>For QA Directors and Regulatory Affairs professionals managing the QMSR transition, the most practical action is to evaluate whether your current QMS infrastructure can produce the evidence CP 7382.850 inspectors now demand: lifecycle-integrated risk documentation, fully linked CAPA records, traceable design controls, and complete complaint investigation trails.</p>
<h2>Preparing Your QA Team for What Comes Next</h2>
<p>The QMSR transition is complete. The compliance deadline has passed. Manufacturers who delayed their QMS alignment now face inspections under CP 7382.850 without the legacy QSIT safety net of a predictable subsystem approach.</p>
<p>The manufacturers that perform best in FDA inspections share a common characteristic: their quality systems produce coherent, connected evidence as a matter of routine operation, not emergency preparation. Every CAPA links to its source nonconformity. Every complaint connects to its MDR determination. Every audit finding resolves through documented follow-through. Design control records are complete and traceable from the first design input to the validated output.</p>
<p>That operating state does not happen by accident. It happens when quality management infrastructure is purpose-built for regulated device manufacturing, runs on a validated platform, and gives QA teams real-time visibility into the status of every compliance obligation.</p>
<p>If your team is working through the QMSR transition or identifying gaps in your current QMS ahead of your next inspection cycle, <a href="https://www.cloudtheapp.com/demo/">request a demo at cloudtheapp.com</a> to see how Cloudtheapp&#39;s QMSR and ISO 13485:2016 dual-compliant platform supports inspection readiness at every stage of the product lifecycle.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FDA CAPA Requirements: Corrective Action vs Preventive Action Under QMSR</title>
		<link>https://www.cloudtheapp.com/fda-capa-requirements-corrective-action-vs-preventive-action-under-qmsr/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Wed, 20 May 2026 01:05:55 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[CAPA]]></category>
		<category><![CDATA[Corrective Action]]></category>
		<category><![CDATA[FDA 21 CFR Part 820]]></category>
		<category><![CDATA[FDA CAPA requirements]]></category>
		<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Preventive Action]]></category>
		<category><![CDATA[QMSR]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/fda-capa-requirements-corrective-action-vs-preventive-action-under-qmsr/</guid>

					<description><![CDATA[<p>TLDR Under the FDA&#39;s Quality Management System Regulation (QMSR), effective February 2, 2026, corrective action and preventive action are two distinct, separately evaluated QMS processes with different triggers, different documented inputs, and different required outputs. Corrective action responds to a confirmed nonconformity; preventive action responds to a potential failure identified through data analysis before any [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<h2>TLDR</h2>
<p>Under the FDA&#39;s Quality Management System Regulation (QMSR), effective February 2, 2026, corrective action and preventive action are two distinct, separately evaluated QMS processes with different triggers, different documented inputs, and different required outputs. Corrective action responds to a confirmed nonconformity; preventive action responds to a potential failure identified through data analysis before any event occurs. FDA investigators now assess these processes independently under Compliance Program 7382.850. Organizations that still operate a single merged CAPA SOP, treating preventive action as a follow-on step inside a corrective action record, carry measurable inspection risk under the current regulatory framework.</p>
<h2>What QMSR Changed for CAPA</h2>
<p>The Quality Management System Regulation (QMSR), which became effective on February 2, 2026, is a substantive overhaul of 21 CFR Part 820. It harmonizes FDA&#39;s medical device quality requirements with ISO 13485:2016 by incorporating that standard by reference, creating a dual-layer regulatory obligation: manufacturers must comply with both the QMSR&#39;s specific statutory requirements and the entirety of ISO 13485:2016.</p>
<p>For CAPA practitioners, the implications are significant. Under the legacy Quality System Regulation (QSR), section 820.100 addressed &#8220;Corrective and Preventive Action&#8221; as a single combined process. The language was broad enough that industry practice largely treated corrective and preventive action as two phases of the same workflow. A nonconformance would trigger a CAPA record, a <a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">root cause investigation</a> would be conducted, corrective actions would be assigned, and then a &#8220;preventive action&#8221; field would be populated, often describing steps to prevent recurrence of the same event. This blending was not FDA&#39;s original intent, but the structure of section 820.100 allowed it to persist for decades.</p>
<p>In the QMSR preamble, Comment #20 makes the FDA&#39;s position explicit: the agency&#39;s intent was always that corrective action and preventive action function as ISO 13485:2016 defines them, as separate processes with distinct triggers, inputs, and documentation requirements. QMSR removes the regulatory ambiguity. ISO 13485:2016 addresses corrective action in clause 8.5.2 and preventive action in clause 8.5.3. These are independent QMS processes with separate procedural requirements, not sub-steps of a unified workflow.</p>
<p>FDA investigators conducting inspections under Compliance Program 7382.850 now evaluate each process on its own terms. An organization that runs both through one SOP is not automatically in violation, but the documentation that process generates must satisfy the distinct requirements of each clause independently. In practice, that outcome is difficult to achieve with a single-form CAPA record.</p>
<h2>Corrective Action Under QMSR: What the Regulation Requires</h2>
<p>Corrective action, as defined under ISO 13485:2016 clause 8.5.2, is the process of eliminating the root cause of a detected nonconformity to prevent its recurrence. The trigger is always reactive: something has already occurred. That event may be a product nonconformity, a complaint, a <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">deviation CAPA</a>, a supplier failure, a failed inspection, or an <a href="https://www.cloudtheapp.com/glossary-audit-finding/">audit finding</a>. In every case, a confirmed adverse condition has been identified, and the corrective action process begins from that documented event.</p>
<p>The standard and the QMSR require that the corrective action procedure produce specific documented evidence. This includes: a review of the nonconformities encountered; a determination of the causes of those nonconformities; an evaluation of the need for action to ensure that nonconformities do not recur; the determination and implementation of the action required; records of the investigation and its results; and verification or validation that the corrective action taken does not adversely affect the ability to meet applicable requirements or the safety and performance of the device.</p>
<p>The root cause investigation is the analytical core of the corrective action process, and it is the element FDA investigators scrutinize most closely. Common inspection findings include: corrective actions that address only the symptom rather than the systemic cause; investigations closed without documented evidence of root cause determination; and effectiveness checks that verify the action was completed rather than verifying the nonconformity did not recur in a defined observation period.</p>
<p>The depth and rigor of the root cause investigation also determines the scope of the corrective action taken. An investigation that identifies &#8220;operator error&#8221; as the root cause without examining training record completeness, work instruction clarity, or process design factors will typically produce a corrective action that does not hold. FDA warning letters frequently reference situations where the same or similar nonconformity recurred after a closed corrective action record because the underlying root cause was not fully addressed.</p>
<p>Under QMSR, the risk-based approach required throughout ISO 13485:2016 applies directly to corrective action. The extent of investigation and urgency of action must be proportionate to the effect of the nonconformity encountered. A one-off documentation error in a low-risk process may warrant a focused correction and a brief investigation. A recurring product failure with field impact requires a comprehensive investigation, a formal risk assessment, and potentially a systemic process review. Both must be documented, but the calibration must be defensible and traceable.</p>
<h2>Preventive Action Under QMSR: A Proactive, Data-Driven Process</h2>
<p>Preventive action, defined in ISO 13485:2016 clause 8.5.3, is the process of eliminating the cause of a potential nonconformity to prevent its occurrence. The trigger is always proactive: nothing has happened yet. The preventive action process begins when data or analysis reveals that conditions exist which, if left unaddressed, are likely to produce a nonconformity in the future.</p>
<p>This distinction in trigger is the most operationally important difference between corrective and preventive action, and it is the one most consistently misunderstood in organizations that rely on a merged CAPA procedure. Preventive action does not start after a problem occurs. It starts with data.</p>
<p>The inputs that can initiate a preventive action include: trend analysis of in-process monitoring data; quality metrics that show gradual degradation before reaching a nonconformance threshold; risk assessments that identify high-probability failure modes with insufficient current mitigations; supplier performance data trending toward a potential qualification failure; internal <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a> or management reviews that surface systemic vulnerabilities; and customer feedback indicating growing dissatisfaction with a characteristic not yet reaching formal complaint status.</p>
<p>ISO 13485:2016 clause 8.5.3 requires organizations to: determine potential nonconformities and their causes; evaluate the need for action to prevent occurrence; determine and implement the action needed; record the results of the investigation; and review preventive actions taken. Critically, information about preventive actions must be submitted as an input to management review. This creates a formal feedback loop between the preventive action process and senior leadership oversight, and it means preventive action activity must be traceable to the management review record.</p>
<p>Under QMSR, FDA now expects to see active preventive action programs during inspections, not just corrective action records. An organization that can only demonstrate reactive CAPA, with no documented preventive actions sourced from trend data, risk analysis, or management review inputs, presents a visible gap. FDA investigators look for evidence that the organization systematically analyzes data beyond direct nonconformances and translates that analysis into documented, time-bound preventive measures.</p>
<h2>The Documentation Each Process Requires</h2>
<p>Because QMSR and ISO 13485:2016 treat corrective and preventive action as separate processes, the documentation each one produces must be distinct. An <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observation citing inadequate corrective action will be assessed against the specific requirements of clause 8.5.2. A citation for inadequate preventive action will be assessed against clause 8.5.3. A merged CAPA record that combines both must satisfy each set of requirements simultaneously, and the record must clearly demonstrate which portions of the documentation belong to which process.</p>
<p>For corrective action, the minimum required documentation covers: the identified nonconformity and its source; the investigation findings and determined root cause; the corrective actions taken; documentation of the investigation results; evidence of effectiveness verification with defined criteria; and records of any updates to procedures, specifications, or training that resulted from the action.</p>
<p>For preventive action, the minimum required documentation covers: the potential nonconformity identified and its source data; the analysis that established the likelihood of occurrence; the preventive actions taken and their rationale; the results of those actions; and records submitted to management review with traceability back to the source data.</p>
<p>Effectiveness verification deserves particular attention in both processes. For corrective action, the verification confirms that the action taken actually eliminated the root cause and that the nonconformity has not recurred within a defined observation period. The verification method, timing, and pass/fail criteria must be predetermined and documented at the time the corrective action plan is finalized, not assigned retrospectively. For preventive action, effectiveness monitoring confirms that the potential nonconformity has not materialized after the preventive measure was implemented, over a defined observation period assessed against the source data that originally triggered the action.</p>
<p>A chronic inspection finding across both processes is that effectiveness checks are left open indefinitely or closed with narrative notes rather than structured evidence. FDA investigators consider this inadequate. The effectiveness evaluation must be structured, with criteria established before implementation, executed at a defined point, and documented with objective evidence.</p>
<h2>Risk-Based Proportionality and the Connection Between Both Processes</h2>
<p>QMSR&#39;s incorporation of ISO 13485:2016 brings an explicit risk-based approach to both corrective and preventive action. The level of investigation, the scope of corrective action, and the urgency of preventive action must all be calibrated to the risk level of the actual or potential failure being addressed. This proportionality is not optional language. It is a documented requirement that FDA investigators evaluate when reviewing CAPA records.</p>
<p>The two processes also intersect in a meaningful operational sense. When a corrective action resolves a nonconformity, the investigation findings and the nature of the root cause should feed back into the risk assessment and preventive action program. If a root cause investigation reveals a failure mode that the organization&#39;s current risk analysis did not adequately control, that finding becomes an input to a preventive action for all potentially affected processes or products. The corrective action process generated the intelligence; the preventive action process applies it systematically across the broader system.</p>
<p>A well-structured QMS under QMSR reflects this relationship explicitly. Corrective action records reference the risk assessment updates that followed. Preventive action records trace their input to a specific trend report, <a href="https://www.cloudtheapp.com/glossary-risk-register/">risk register</a> output, or corrective action finding. Management review minutes document both processes and draw documented connections between them. When this architecture is present, the CAPA system demonstrates the systemic, risk-based quality thinking that QMSR was designed to codify.</p>
<h2>Building a CAPA Program That Meets QMSR Requirements</h2>
<p>Quality teams managing CAPA under QMSR need separate, documented procedures for corrective action and preventive action that each satisfy their respective ISO 13485:2016 clause requirements. The procedures do not need to be managed in entirely separate systems, but the workflows, record structures, and documentation outputs must be distinct and independently defensible.</p>
<p>The critical operational gap that QMSR exposes is in preventive action sourcing. Organizations that only initiate preventive actions from within a corrective action record, as a &#8220;prevent recurrence&#8221; checkbox, are not running a true preventive action program under clause 8.5.3. Preventive action has entirely different inputs: trend monitoring, supplier quality metrics, customer feedback analysis, internal audit outputs, and risk assessment findings. The function responsible for CAPA must have formal mechanisms to receive and analyze these data sources and convert them into documented, time-bound preventive action records.</p>
<p>From a process design standpoint, the key steps for corrective action are: initiation from a confirmed nonconformance source; containment where patient or product safety risk exists; formal root cause investigation using a documented methodology; determination and implementation of corrective actions; effectiveness verification with predefined criteria; and records submitted to management review. For preventive action, the key steps are: formal data collection and trend monitoring across QMS inputs; identification of potential failure conditions with documented analysis; risk evaluation to determine whether action is warranted; determination, implementation, and documentation of preventive actions; and effectiveness monitoring with formal management review reporting.</p>
<p>Cloudtheapp&#39;s CAPA module is built to support this separation with structural rigor. The platform maintains distinct workflows for corrective action and preventive action, each with dedicated record forms, role-based routing, configurable root cause analysis frameworks, and automated effectiveness verification scheduling. Quality Managers can configure each workflow independently to match existing SOPs without custom coding, and management review reporting is generated directly from CAPA record data.</p>
<h2>Preparing for FDA Inspection Under the New Compliance Program</h2>
<p>CAPA remains one of the most frequently cited areas in FDA inspections and Form 483 observations across both pharmaceutical and medical device manufacturers. The findings that carry the most enforcement weight are those that show systemic failure: ineffective root cause investigations; closed corrective actions where the nonconformity recurred; preventive action programs that are absent or undocumented; and effectiveness verifications that exist on paper but cannot be supported with objective evidence.</p>
<p>QMSR raises the compliance threshold by directly incorporating ISO 13485:2016 requirements. FDA investigators now have the full specificity of clauses 8.5.2 and 8.5.3 as the compliance benchmark. An organization that meets the general intent of CAPA but cannot demonstrate the specific documented outputs required by those clauses will accumulate observations.</p>
<p>The path to inspection readiness requires procedural clarity, documented execution, and a preventive action program that operates from real data inputs rather than as a formality embedded inside corrective action records. When these two processes are structurally distinct, their records are independently complete, and effectiveness verification is evidence-based and systematic, the CAPA program becomes one of the most defensible elements of the QMS rather than one of the most cited.</p>
<p>Cloudtheapp supports medical device and life sciences manufacturers in building compliant, inspection-ready CAPA systems as part of a fully validated, FDA-compliant eQMS, built on ISO 13485:2016 and 21 CFR Part 820 requirements from the ground up.</p>
<p>If your organization is working through QMSR compliance or building a CAPA program that meets the separate requirements of ISO 13485:2016 clauses 8.5.2 and 8.5.3, <a href="https://www.cloudtheapp.com/demo/">request a demo</a> to see how the Cloudtheapp CAPA module operates in practice, or start a <a href="https://www.cloudtheapp.com/demo/">30-Day Free Trial</a> to explore the full platform in your own environment.</p>
<p>This post created by and appeared first on <a href="https://www.cloudtheapp.com">Cloudtheapp</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Is Management Review? ISO 13485 and QMSR Requirements</title>
		<link>https://www.cloudtheapp.com/what-is-management-review-iso-13485-and-qmsr-requirements/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Mon, 18 May 2026 00:00:03 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Management Review]]></category>
		<category><![CDATA[medical device compliance]]></category>
		<category><![CDATA[QMSR]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/what-is-management-review-iso-13485-and-qmsr-requirements/</guid>

					<description><![CDATA[<p>What Is Management Review? ISO 13485 and QMSR Requirements TLDR Management review is a formal, documented process in which senior leadership evaluates the performance and effectiveness of the quality management system. Under ISO 13485 Clause 5.6 and the FDA&#39;s Quality Management System Regulation (QMSR), which became effective February 2, 2026, management review is a mandatory [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<h1>What Is Management Review? ISO 13485 and QMSR Requirements</h1>
<h2>TLDR</h2>
<p>Management review is a formal, documented process in which senior leadership evaluates the performance and effectiveness of the quality management system. Under ISO 13485 Clause 5.6 and the FDA&#39;s Quality Management System Regulation (QMSR), which became effective February 2, 2026, management review is a mandatory requirement, not a best practice. The standard specifies exactly what inputs leadership must review, what outputs the meeting must produce, and how the entire process must be documented. As of February 2026, FDA investigators can inspect management review records during routine facility audits, making quality and thoroughness of documentation more critical than ever.</p>
<h2>What Is Management Review in a Quality Management System?</h2>
<p>Management review is a scheduled, structured meeting in which top management evaluates whether the quality management system is still suitable, adequate, and effective. The review brings together executives, quality directors, department heads, and the management representative to assess the current state of quality performance and make decisions about where the system needs to improve.</p>
<p>The purpose is not to review individual records or investigate specific events. Management review operates at a system level. Leadership looks across all quality data accumulated since the last review, identifies trends, assesses risks, allocates resources, and sets direction for the coming period.</p>
<p>For medical device companies, this process sits in ISO 13485:2016 Clause 5.6 and is fully incorporated into the QMSR under 21 CFR Part 820, effective February 2, 2026. It is one of the clearest expressions of management commitment in the entire standard.</p>
<h2>Why Management Review Matters More Than Ever Under QMSR 2026</h2>
<p>When the FDA&#39;s QMSR replaced the legacy Quality System Regulation on February 2, 2026, it brought one change that significantly raised the stakes for management review: FDA investigators can now access and inspect management review records during facility inspections.</p>
<p>Under the previous QSR, FDA policy historically shielded internal audit and management review records from routine inspection. That discretion ended with QMSR. The FDA&#39;s revised compliance program (7382.850) now allows investigators to review these records directly. A management review that is thin, vague, undated, or missing required inputs is no longer just an internal quality gap. It can now produce an <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observation or a warning letter finding.</p>
<p>Quality leaders who treated management review as a formality need to reassess that approach. The record your team produces in that room is now a primary inspection artifact.</p>
<h2>ISO 13485 Clause 5.6: The Structure of Management Review</h2>
<p>ISO 13485:2016 breaks management review into three sub-clauses, each covering a distinct aspect of the requirement.</p>
<h3>Clause 5.6.1: General Requirements</h3>
<p>Top management must review the quality management system at planned intervals. The standard requires management to evaluate whether the QMS is suitable, adequate, and effective. The review must also assess opportunities for improvement and the need for changes to the system, quality policy, and quality objectives.</p>
<p>Critically, the standard specifies that records of management reviews must be maintained. This is not optional documentation. The absence of management review records is itself a nonconformance.</p>
<p>The standard does not mandate a single annual meeting format. Many organizations hold quarterly reviews of key metrics and one comprehensive annual review that covers all required inputs. Both approaches satisfy the requirement provided the review cycle is planned, consistent, and documented.</p>
<h3>Clause 5.6.2: Review Inputs</h3>
<p>ISO 13485 specifies ten categories of information that must be included as inputs to the management review. These are not suggestions. Auditors look for evidence that each input was addressed.</p>
<p><strong>The required inputs are:</strong></p>
<ol>
<li>Results of <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a>, including internal audits and external certification or regulatory audits</li>
<li>Customer feedback, including complaints and complaint handling results</li>
<li>Process performance and product conformity data</li>
<li>Status of preventive and corrective actions, including <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">Deviation CAPA</a> outcomes</li>
<li>Follow-up actions from previous management reviews and their current status</li>
<li>Changes that could affect the quality management system, including regulatory updates, organizational changes, or new product lines</li>
<li>Recommendations for improvement from any source within the organization</li>
<li>New or revised regulatory requirements applicable to the devices the company produces</li>
<li>Applicable new or revised standards</li>
<li><a href="https://www.cloudtheapp.com/glossary-supplier-quality-management-sqm/">Supplier Quality Management (SQM)</a> performance, including supplier audit results and supplier-related quality issues</li>
</ol>
<p>Each input requires supporting data, not just a verbal acknowledgment. Management review minutes should capture what data was reviewed for each category and what conclusions leadership drew from that data.</p>
<h3>Clause 5.6.3: Review Outputs</h3>
<p>The outputs of management review are the decisions and actions that result from the review. ISO 13485 requires that outputs address at least three areas:</p>
<ol>
<li><strong>Improvement of the QMS and its processes</strong> &#8211; specific decisions about where and how the system will be strengthened</li>
<li><strong>Improvement of product related to customer requirements</strong> &#8211; actions related to product quality, safety, or performance</li>
<li><strong>Resource needs</strong> &#8211; decisions about staffing, equipment, infrastructure, or training required to support quality objectives</li>
</ol>
<p>Outputs must be documented with assigned owners, action items, and deadlines where applicable. A management review that concludes without specific decisions and assigned actions does not satisfy the spirit or the letter of the standard.</p>
<h2>Frequency and Documentation Requirements</h2>
<p>ISO 13485 requires management review at &quot;planned intervals,&quot; with the minimum expectation being at least once per year. Regulatory bodies and certification auditors generally view annual reviews as the floor, not the target. High-volume manufacturers, companies with active CAPA programs, or organizations that have experienced regulatory action in the prior period should consider semi-annual or quarterly reviews.</p>
<p>Every management review must produce a written record. The record typically includes:</p>
<ul>
<li>Date and location of the review</li>
<li>List of attendees, including their titles and roles</li>
<li>Confirmation that all required inputs were addressed</li>
<li>Summary of data reviewed for each input category</li>
<li>Key findings, trends, or concerns identified</li>
<li>Decisions made and actions assigned</li>
<li>Owner and target date for each action item</li>
<li>Statement that the QMS was evaluated for suitability, adequacy, and effectiveness</li>
<li>Signatures from senior management, including the management representative</li>
</ul>
<p>The depth and completeness of this record determine whether the review will survive an FDA inspection or a third-party certification audit.</p>
<h2>Who Must Attend Management Review</h2>
<p>ISO 13485 requires that management with executive responsibility participate in the review. The management representative, who carries responsibility for QMS oversight under Clause 5.5.2, must be present and must report on QMS performance to executive leadership.</p>
<p>In practice, effective management reviews include:</p>
<ul>
<li>CEO, President, or General Manager</li>
<li>VP or Director of Quality</li>
<li>Management Representative (often the same as VP/Director of Quality)</li>
<li>VP or Director of Operations</li>
<li>VP or Director of Regulatory Affairs</li>
<li>Heads of relevant departments based on input topics (e.g., supply chain for supplier quality inputs)</li>
</ul>
<p>Management review cannot be delegated entirely to the quality team. The standard is explicit that executive leadership participates. An <a href="https://www.cloudtheapp.com/glossary-audit-finding/">audit finding</a> commonly cited by certification bodies is management review attendance records that show only quality personnel with no executive representation.</p>
<h2>Common Management Review Failures That Trigger Audit Findings</h2>
<p>Auditors reviewing management review records frequently cite the same categories of deficiency. Understanding these gaps helps quality teams design a review process that holds up under scrutiny.</p>
<p><strong>Incomplete inputs.</strong> The most common finding is that one or more of the ten required input categories was missing from the review record. Often, companies address the inputs they have data for and skip categories where nothing noteworthy occurred. The standard requires all inputs to be addressed, even if the conclusion is that performance was satisfactory with no action required.</p>
<p><strong>No evidence of data review.</strong> Management review minutes that list input topics but do not summarize the actual data reviewed are difficult to defend in an audit. Effective records reference specific metrics, trend data, <a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">root cause investigation</a> summaries, or complaint volumes reviewed at the meeting.</p>
<p><strong>No outputs or vague outputs.</strong> A management review that ends with &quot;the QMS is performing well&quot; and no specific actions fails to meet the output requirements. Every review must produce documented decisions, even if some of those decisions are to maintain current practices without change.</p>
<p><strong>Overdue actions from prior reviews.</strong> When follow-up items from the previous management review are still open with no explanation, auditors treat this as evidence that the management review process is not driving real improvement.</p>
<p><strong>Missing executive signatures.</strong> Records without signatures from executive management, or with only quality staff signatures, do not demonstrate the leadership commitment the standard requires.</p>
<p><strong>Poor frequency.</strong> Companies that conduct management reviews less than annually, or that cannot produce records for planned review periods, face nonconformance findings related to Clause 5.6.1 frequency requirements.</p>
<h2>How a Process Audit Connects to Management Review</h2>
<p>Management review does not operate in isolation. It sits at the top of a continuous quality loop that draws data from <a href="https://www.cloudtheapp.com/glossary-process-audit/">process audits</a>, internal <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a>, CAPA records, complaint data, and supplier performance. The strength of a management review depends directly on the quality of data flowing up from these connected processes.</p>
<p>A company with a fragmented QMS, where CAPA lives in one spreadsheet, complaints in another, and audit findings in a shared drive, cannot produce the consolidated, trend-based data that an effective management review requires. Leaders end up reviewing snapshots rather than patterns, and the decisions they make reflect that limitation.</p>
<p>The shift to an integrated eQMS changes this fundamentally. When all quality processes feed into a single system, management review preparation moves from a weeks-long manual aggregation exercise to an on-demand data review. Trend reports, open action status, CAPA closure rates, complaint metrics, and <a href="https://www.cloudtheapp.com/glossary-risk-register/">Risk Register</a> updates are available in real time, not assembled manually before each meeting.</p>
<h2>Maintaining the Audit Trail for Management Review Records</h2>
<p>Under both ISO 13485 and the QMSR, management review records must be controlled documents. This means they fall under the document control requirements of Clause 4.2 and must be retained for a defined period, typically the life of the device plus a defined retention window specified in the company&#39;s document control procedure.</p>
<p>Maintaining a complete <a href="https://www.cloudtheapp.com/glossary-audit-trail/">audit trail</a> for management review records includes preserving evidence of who created the record, when it was created, when it was approved, and any subsequent revisions. For companies still managing management review records in Word documents or shared drives, demonstrating this audit trail during an FDA inspection is difficult. The QMSR&#39;s expanded access to these records makes a defensible, time-stamped document control system a compliance requirement, not a convenience.</p>
<h2>How Cloudtheapp Supports Management Review Compliance</h2>
<p>Cloudtheapp&#39;s AI-powered eQMS includes a dedicated Management Review application designed around the ISO 13485 Clause 5.6 structure. The platform automatically aggregates data from connected quality modules, including CAPA, complaints, Deviation CAPA, audits, and supplier quality, into a consolidated management review input report.</p>
<p>Quality leaders can configure the system to pull live trend data for each of the ten required input categories, assign review participants, track outputs and action items with owner assignments and due dates, and maintain fully validated, time-stamped records that satisfy both FDA and ISO 13485 audit requirements.</p>
<p>Because Cloudtheapp is pre-validated for FDA 21 CFR Part 820 (QMSR) and ISO 13485, the platform itself meets the computer system validation requirements that apply to electronic quality records. Management review records created in the platform carry the audit trail and access controls that make them defensible under QMSR inspection.</p>
<p>Organizations preparing for their first post-QMSR FDA inspection can use Cloudtheapp to structure management review records that directly address the expanded documentation expectations introduced in February 2026.</p>
<p><a href="https://www.cloudtheapp.com/demo/">Book a free demo</a> to see how the Management Review application fits into a complete eQMS built for regulated industry compliance.</p>
<h2>Conclusion</h2>
<p>Management review is the mechanism through which executive leadership takes ownership of quality system performance. ISO 13485 Clause 5.6 defines the structure precisely: ten required inputs, three required output categories, planned frequency, documented records, and executive participation. Under the QMSR effective February 2, 2026, those records are now inspectable by FDA investigators, which means quality teams need management review processes and documentation that hold up under direct regulatory scrutiny, not just third-party certification audits.</p>
<p>The companies that treat management review as a genuine leadership tool, rather than a compliance checkbox, produce stronger QMS data, identify systemic issues earlier, and enter inspections with a defensible record of continuous improvement. The standard gives you the structure. The execution determines whether that structure actually protects your business.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>21 CFR Part 820 Risk Management: Requirements and How to Implement Them</title>
		<link>https://www.cloudtheapp.com/21-cfr-part-820-risk-management-requirements-and-how-to-implement-them/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Mon, 04 May 2026 00:00:11 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[21 CFR Part 820]]></category>
		<category><![CDATA[FDA compliance]]></category>
		<category><![CDATA[Medical Devices]]></category>
		<category><![CDATA[QMSR]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/21-cfr-part-820-risk-management-requirements-and-how-to-implement-them/</guid>

					<description><![CDATA[<p>TLDR On February 2, 2026, FDA&#39;s Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference and fundamentally expands risk management requirements beyond design controls to every part of a manufacturer&#39;s quality system. If your risk management program still looks like [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<h2>TLDR</h2>
<p>On February 2, 2026, FDA&#39;s Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference and fundamentally expands risk management requirements beyond design controls to every part of a manufacturer&#39;s quality system. If your risk management program still looks like it did under the old QSR, it is no longer compliant. This article explains exactly what QMSR demands, how ISO 14971:2019 fits in, what a complete risk management file looks like, and the most common gaps FDA investigators find in 2026.</p>
<h2>What QMSR Now Requires for Risk Management</h2>
<p>The QMSR, which took effect on February 2, 2026, represents the most significant overhaul of U.S. medical device quality regulations in decades. The rule amends 21 CFR Part 820 by incorporating ISO 13485:2016 by reference, replacing the prescriptive QSR subsystem requirements with the internationally recognized framework used by regulators in the EU, Canada, Japan, Brazil, and Australia. (<a href="https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr">FDA</a>)</p>
<p>Under QMSR, risk management is no longer a design-phase activity. ISO 13485:2016 requires manufacturers to apply a risk-based approach across the entire quality management system, as described in Subclause 4.1.2. That means risk thinking must inform decisions in purchasing, production, complaint handling, supplier qualification, corrective and preventive actions, and every other process within the QMS.</p>
<p>FDA&#39;s official definition of risk, drawn directly from ISO 13485, is: the combination of the probability of occurrence of harm and the severity of that harm. This definition governs how manufacturers must frame, document, and evaluate all risk-related decisions throughout the product lifecycle.</p>
<p>The QMSR also requires manufacturers to document their risk-based decisions as part of QMS documentation, maintained per ISO 13485 Subclause 4.2.5. Undocumented risk decisions are, in the eyes of an FDA investigator, decisions that were never made.</p>
<h2>ISO 13485:2016 Incorporation by Reference: What It Means for Risk</h2>
<p>Before the QMSR, 21 CFR Part 820 contained its own written requirements for each QMS element. The new Part 820 is dramatically shorter. Most requirements now appear as references to specific clauses of ISO 13485:2016, the full text of which manufacturers must have and follow.</p>
<p>For risk management, the relevant ISO 13485 clauses are:</p>
<ul>
<li><strong>Clause 4.1.2</strong> requires a risk-based approach to control of QMS processes.</li>
<li><strong>Clause 7.1</strong> requires risk management to be addressed during product realization planning.</li>
<li><strong>Clause 7.3</strong> connects risk management to design and development.</li>
<li><strong>Clause 7.4</strong> applies risk thinking to purchasing processes, meaning supplier risk must be evaluated and documented.</li>
<li><strong>Clause 8.2.1</strong> requires feedback from post-market surveillance to serve as input into risk management.</li>
<li><strong>Clause 8.4</strong> requires data analysis to demonstrate the suitability and effectiveness of the QMS.</li>
<li><strong>Clause 8.5.1</strong> requires the manufacturer to identify and implement changes necessary for continued safety and performance.</li>
</ul>
<p>This framework demands a living, connected risk management system, not a one-time design phase exercise. Post-market data must flow back into your risk files. Supplier risk must be evaluated and re-evaluated. Process risk must inform how you control and monitor production.</p>
<h2>QMSR Risk Management vs. the Old QSR: Key Differences</h2>
<p>Under the old QSR, risk analysis was primarily located in 21 CFR 820.30(g), tied to design controls. Risk analysis was largely a design-phase deliverable. The scope of risk management was narrower, inspection was more procedural, and the QSIT inspection technique focused on defined subsystems independently.</p>
<p>QMSR changes this in three important ways.</p>
<p>First, risk management now spans the entire QMS. FDA&#39;s January 2026 Town Hall on QMSR risk and design topics made clear that even Class I devices exempt from design controls must maintain records of risk management activities for production processes, purchasing, and labeling. (<a href="https://www.fda.gov/medical-devices/medical-devices-news-and-events/town-hall-quality-management-system-regulation-risk-and-design-and-development-01142026">FDA Town Hall, January 14, 2026</a>)</p>
<p>Second, FDA&#39;s inspection approach changed on the same day the QMSR took effect. The agency replaced the QSIT technique with Compliance Program 7382.850, a risk-driven, lifecycle-focused inspection model. Investigators now evaluate end-to-end risk controls holistically, not as isolated subsystems.</p>
<p>Third, management review records are now inspectable. Under the old QSR, they were explicitly exempt. Under QMSR, FDA investigators can request and review them. Any candid language, incomplete documentation, or unresolved action items in those records becomes inspection evidence.</p>
<p>The shift in expectation is significant: where the old QSR asked &quot;do you have a procedure?&quot;, QMSR asks &quot;can you demonstrate that risk-based decisions were made consistently across your entire QMS?&quot;</p>
<h2>ISO 14971:2019 and QMSR: The Practical Alignment</h2>
<p>FDA made clear at the January 2026 Town Hall that ISO 14971 is not a mandatory requirement under QMSR. There is no QMSR clause that explicitly mandates conformity to ISO 14971. Manufacturers may use any validated risk management process appropriate for their device and QMS.</p>
<p>However, the practical reality is this: ISO 14971:2019 is the gold standard framework for medical device risk management, and without a process of equivalent rigor, demonstrating that your risk management is effective, systematic, and defensible is extremely difficult. FDA investigators will probe the logic of your risk decisions. If you cannot point to a structured framework, the burden of proof rests entirely on you.</p>
<p><a href="https://www.iso.org/standard/72704.html">ISO 14971:2019</a>, the third edition of the standard, was confirmed current in 2025 and represents the most comprehensive version to date. It applies to all types of risks throughout the device lifecycle, from conception through decommissioning, and specifically covers software as a medical device (SaMD) and in vitro diagnostic devices.</p>
<p>For manufacturers seeking QMSR compliance while maintaining global market access, ISO 14971:2019 combined with ISO 13485:2016 provides a dual-compliance architecture that satisfies FDA, MDR, Health Canada, and most other major regulatory frameworks simultaneously.</p>
<h2>The ISO 14971:2019 Risk Management Process</h2>
<p>The ISO 14971:2019 process consists of five core activities that form a closed loop across the product lifecycle.</p>
<h3>Risk Analysis</h3>
<p>Risk analysis starts with the intended use and reasonably foreseeable misuse of the device. The manufacturer identifies all hazards associated with the device, determines the hazardous situations that could arise from each hazard, and estimates the risk for each hazardous situation. A Hazard Analysis is typically the primary output, with supporting tools like Failure Mode and Effects Analysis (FMEA) providing structured documentation of potential failure modes, their causes, effects, current controls, and risk levels.</p>
<h3>Risk Evaluation</h3>
<p>Once risks are estimated, the manufacturer evaluates each against pre-defined risk acceptability criteria. These criteria must be established in the risk management plan before analysis begins. ISO 14971 does not specify acceptable risk levels, since acceptability depends on device type, intended patient population, and clinical benefit context. What the standard requires is objective, documented criteria and a consistent methodology for applying them.</p>
<h3>Risk Control</h3>
<p>When a risk is judged unacceptable, the manufacturer must implement controls using a strict priority hierarchy:</p>
<ol>
<li>Inherently safe design (eliminate or reduce the hazard at source)</li>
<li>Protective measures in the device or manufacturing process</li>
<li>Information for safety (labels, warnings, instructions for use)</li>
</ol>
<p>Risk controls must be verified for effectiveness. New hazards introduced by the controls themselves must be identified and evaluated. This is an area where many manufacturers fall short: they implement a control but fail to assess whether the control created a new or modified risk.</p>
<h3>Residual Risk Evaluation</h3>
<p>After controls are implemented, the residual risk for each hazard must be evaluated against the acceptability criteria. If the residual risk remains unacceptable and further risk reduction is not practicable, the manufacturer must weigh the residual risk against the clinical benefit of the device. This benefit-risk analysis must be documented.</p>
<p>The overall residual risk must then be evaluated in totality. Even if individual residual risks are acceptable, the aggregate residual risk across the device may not be.</p>
<h3>Risk Management Report</h3>
<p>The risk management report is the formal summary that ties the entire process together. It confirms that the risk management plan was executed, all identified risks were evaluated, the overall residual risk is acceptable, and appropriate post-production information collection methods are in place. This report is a required output of ISO 14971 and a critical component of the risk management file.</p>
<h2>What a Complete Risk Management File Contains</h2>
<p>The risk management file (RMF) is the organized collection of documents and records that demonstrate a manufacturer&#39;s risk management activities for a specific device. Under both ISO 14971 and QMSR, the RMF must be traceable, complete, and maintained throughout the product lifecycle.</p>
<p>A compliant risk management file typically includes:</p>
<ul>
<li><strong>Risk management plan:</strong> Scope, intended use, life cycle phases covered, risk acceptability criteria, and responsibilities.</li>
<li><strong>Hazard identification records:</strong> Comprehensive list of hazards and hazardous situations derived from intended use analysis.</li>
<li><strong>Risk estimation records:</strong> For each hazardous situation, the estimated probability of harm and severity, with supporting rationale.</li>
<li><strong>Risk evaluation records:</strong> Comparison of estimated risks to acceptability criteria, with documented decisions for each.</li>
<li><strong>Risk control records:</strong> Description of selected controls, verification of effectiveness, and evaluation of any new risks introduced.</li>
<li><strong>Residual risk evaluation:</strong> Post-control risk assessments and benefit-risk analysis where required.</li>
<li><strong>Risk management report:</strong> Summary document confirming plan execution, risk acceptability, and post-production monitoring methods.</li>
<li><strong>Post-market surveillance records:</strong> Evidence that post-market data is fed back into risk management per ISO 13485 Clauses 8.2.1 and 8.5.1.</li>
</ul>
<p>The <a href="https://www.cloudtheapp.com/glossary-risk-register/">Risk Register</a> functions as the living backbone of the RMF, aggregating risks across the device and QMS processes in a single, auditable record.</p>
<p>Every document in the risk management file must carry an <a href="https://www.cloudtheapp.com/glossary-audit-trail/">Audit Trail</a>, showing who created, reviewed, and approved each record and when. Under <a href="https://www.cloudtheapp.com/glossary-21-cfr-part-11/">21 CFR Part 11</a> requirements, if your QMS is electronic, electronic signatures and records must comply with FDA&#39;s electronic record requirements.</p>
<h2>Common QMSR Risk Management Gaps at FDA Inspections</h2>
<p>As FDA investigators begin operating under CP 7382.850 and QMSR, certain deficiency patterns are already emerging. Quality Directors and Regulatory Affairs Managers should conduct gap assessments against these areas before the next inspection.</p>
<p><strong>Risk management confined to design controls.</strong> The most prevalent gap is treating risk management as a design-phase-only activity. QMSR requires risk-based thinking across complaints, supplier qualification, production processes, and corrective actions. If your <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">Deviation CAPA</a> process does not include a documented risk-based prioritization decision, that is a gap.</p>
<p><strong>Undocumented risk-based decisions.</strong> FDA&#39;s Town Hall guidance was explicit: risk-based decisions must be documented in QMS records. A complaint investigation that differentiates between a packaging defect and a patient harm complaint is exercising risk-based thinking. If that differentiation is not documented, it cannot be demonstrated during an inspection. <a href="https://www.cloudtheapp.com/glossary-audit-finding/">Audit Finding</a> records that do not reflect the risk-based rationale for corrective action timing or scope are another common observation.</p>
<p><strong>No post-market feedback loop into risk management.</strong> ISO 13485 Clauses 8.2.1 and 8.5.1 require that post-market data informs the risk management process. Many manufacturers have complaint handling procedures and post-market surveillance programs, but no documented mechanism connecting post-market data back to their risk files. This traceability gap is increasingly cited at inspections.</p>
<p><strong>Missing or incomplete risk management files.</strong> The risk management file must exist as an organized collection, not a scattered set of documents across different folders or systems. Missing risk management reports, unapproved hazard analysis records, or unverified risk controls are among the most direct pathways to an <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observation.</p>
<p><strong>Risk acceptability criteria not established in advance.</strong> Defining acceptability criteria after risk analysis is complete is a significant procedural violation. The criteria must be in the risk management plan before hazard analysis begins.</p>
<p><strong>Supplier risk not evaluated or documented.</strong> ISO 13485 Clause 7.4 applies risk thinking to purchasing. Under QMSR, if you have outsourced critical processes or use critical suppliers, there must be documented risk evaluations supporting your supplier qualification and monitoring decisions.</p>
<p><strong><a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">Root Cause Investigation</a> records disconnected from risk management.</strong> When a nonconformance triggers a root cause investigation, the findings should feed back into the risk management file if they reveal a new hazard or previously underestimated risk. Systems where CAPA and risk management operate in silos fail this expectation.</p>
<h2>How an eQMS Supports 21 CFR Part 820 Risk Management</h2>
<p>Managing QMSR risk management requirements manually or across disconnected spreadsheets is increasingly untenable. Risk data lives across multiple device files, supplier records, production nonconformances, complaints, and management reviews. Without a connected system, demonstrating end-to-end traceability to an FDA investigator is extremely difficult.</p>
<p>An electronic QMS (eQMS) built for QMSR and ISO 13485 dual compliance closes this gap by connecting risk management to every relevant QMS process in a single platform.</p>
<p>Cloudtheapp&#39;s Enterprise Risk Management application provides a centralized environment for building and maintaining risk management files, tracking risk controls, and documenting residual risk evaluations with full audit trail support. The platform&#39;s Hazard Analysis and FMEA tools guide users through the ISO 14971:2019 process step by step, ensuring that risk analysis, evaluation, control, and reporting activities are structured, linked, and version-controlled.</p>
<p>The Risk Assessments module connects directly to Design Controls, so design changes automatically trigger risk impact evaluations, keeping the risk management file current throughout the product development lifecycle. Supplier risk records in the Supplier Qualification Management module link to the purchasing risk evaluation requirements of ISO 13485 Clause 7.4, creating the documented evidence FDA expects.</p>
<p>Post-market surveillance data from complaints, deviations, and nonconforming material records feeds back into the risk management environment automatically, satisfying the ISO 13485 Clauses 8.2.1 and 8.5.1 loop that FDA now actively inspects.</p>
<p>Because Cloudtheapp is a fully validated platform compliant with 21 CFR Part 820 (QMSR), ISO 13485:2016, and ISO 9001, manufacturers can maintain their own QMS compliance while operating on infrastructure that already satisfies FDA&#39;s Computer System Validation requirements. Every update comes with a complete validation package, removing the burden of managing platform compliance in-house.</p>
<h2>Conclusion</h2>
<p>QMSR risk management is not a design controls update. It is a fundamental shift in how risk thinking must be embedded across every element of a medical device manufacturer&#39;s quality system. With FDA inspections now operating under CP 7382.850 and ISO 13485:2016 as the binding framework, manufacturers who treat risk management as a pre-market exercise will face growing inspection risk.</p>
<p>The ISO 14971:2019 process remains the most rigorous and defensible framework available, and the combination of ISO 14971 and ISO 13485 provides the strongest foundation for both FDA and global regulatory compliance.</p>
<p>For Quality Directors, Regulatory Affairs professionals, and Risk Managers navigating this transition, the starting point is a documented gap assessment: where does risk-based thinking exist in your QMS today, where is it absent, and what records demonstrate that risk decisions were made intentionally and consistently?</p>
<p>If you are building or restructuring your QMSR risk management program, <a href="https://www.cloudtheapp.com/request-demo/">request a demo at cloudtheapp.com</a> to see how Cloudtheapp&#39;s validated eQMS platform supports end-to-end 21 CFR Part 820 risk management, from hazard analysis and FMEA through post-market surveillance feedback and audit-ready documentation.</p>
<p>This post was created by and first appeared on <a href="https://www.cloudtheapp.com">Cloudtheapp</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Is a QMS System? A Complete Guide for Regulated Industries</title>
		<link>https://www.cloudtheapp.com/what-is-a-qms-system-a-complete-guide-for-regulated-industries/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Wed, 29 Apr 2026 20:00:06 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[EQMS]]></category>
		<category><![CDATA[FDA compliance]]></category>
		<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Medical Device QMS]]></category>
		<category><![CDATA[pharmaceutical QMS]]></category>
		<category><![CDATA[QMS Software]]></category>
		<category><![CDATA[QMSR]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<category><![CDATA[regulated industries]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/what-is-a-qms-system-a-complete-guide-for-regulated-industries/</guid>

					<description><![CDATA[<p>TLDR A QMS system (Quality Management System) is a formalized framework of documented processes, policies, and procedures that ensures organizations consistently produce quality products and maintain regulatory compliance. In pharma, medical devices, biotech, and manufacturing, a QMS system is not optional – it is a compliance mandate under ISO 13485, ISO 9001, and the FDA&#8217;s [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="18774" class="elementor elementor-18774" data-elementor-post-type="post">
						<section data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-section elementor-top-section elementor-element elementor-element-515f0f8 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="515f0f8" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-23983981" data-id="23983981" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-57f45308 elementor-widget elementor-widget-text-editor" data-id="57f45308" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<h1>TLDR</h1>
<p>A QMS system (<a href="https://www.cloudtheapp.com/glossary-quality-management-system-qms/">Quality Management System</a>) is a formalized framework of documented <a href="https://www.cloudtheapp.com/processes/">processes</a>, policies, and procedures that ensures organizations consistently produce quality products and maintain regulatory compliance. In pharma, <a href="https://www.cloudtheapp.com/glossary-medical-devices/">medical devices</a>, biotech, and <a href="https://www.cloudtheapp.com/glossary-manufacturing/">manufacturing</a>, a QMS system is not optional – it is a compliance mandate under <a href="https://www.cloudtheapp.com/glossary-iso-13485-medical-devices-%c3%a2%e2%82%ac-qms/">ISO 13485</a>, <a href="https://www.cloudtheapp.com/glossary-iso-9001-quality-management/">ISO 9001</a>, and the FDA&#8217;s Quality Management System Regulation (QMSR).</p>
<h2>What Is a QMS System?</h2>
<p>A QMS system is a structured set of documented processes, procedures, and responsibilities designed to ensure an organization consistently meets quality standards and regulatory requirements. It governs everything from how a product is designed and manufactured to how <a href="https://www.cloudtheapp.com/complaints/">complaints</a> are handled, how <a href="https://www.cloudtheapp.com/deviations/">deviations</a> are investigated, and how employees are trained.</p>
<p>According to the <a href="https://asq.org/quality-resources/quality-management-system">American Society for Quality (ASQ)</a>, a QMS provides the foundation for organizations to coordinate their activities, meet customer expectations, and continuously improve their processes.</p>
<p>At its core, a QMS system answers three questions: What is the standard? Are we meeting it? How do we improve when we fall short?</p>
<h2>Why a QMS System Matters in Regulated Industries</h2>
<p>In pharmaceutical, medical device, <a href="https://www.cloudtheapp.com/glossary-biotechnology/">biotechnology</a>, food and beverage, and manufacturing environments, a QMS system carries legal and regulatory weight. The FDA and ISO mandate that companies demonstrate documented evidence of quality processes before products reach patients or consumers.</p>
<p>The <a href="https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr">FDA&#8217;s Quality Management System Regulation (QMSR)</a>, which became effective February 2, 2026, updated 21 CFR Part 820 by incorporating <a href="https://www.cloudtheapp.com/iso-134852016-quality-management-systems-for-medical-devices/">ISO 13485:2016</a> by reference. Medical device companies must now demonstrate compliance with both frameworks simultaneously.</p>
<p>The consequences of an inadequate QMS system are direct and costly: <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> observations, <a href="https://www.cloudtheapp.com/glossary-warning-letter/">warning letters</a>, <a href="https://www.cloudtheapp.com/glossary-product-recall/">product recalls</a>, and lost market access. Building a strong QMS system proactively costs far less than remediation after a regulatory finding.</p>
<p>Beyond compliance, a <a href="https://www.cloudtheapp.com/designing-a-robust-qms-for-medical-devices/">robust QMS</a> system delivers measurable operational advantages: fewer product <a href="https://www.cloudtheapp.com/defects/">defects</a>, faster <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a>, reduced <a href="https://www.cloudtheapp.com/glossary-rework/">rework</a>, and stronger supplier relationships.</p>
<h2>Core Components of a QMS System</h2>
<p>A complete QMS system includes several interconnected processes and <a href="https://www.cloudtheapp.com/documentation-and-record-keeping-best-practices-for-medical-devices/">documentation</a> elements.</p>
<h3>Document Control</h3>
<p><a href="https://www.cloudtheapp.com/glossary-document-control/">Document control</a> ensures that policies, procedures, <a href="https://www.cloudtheapp.com/glossary-work-instruction/">work instructions</a>, and forms are current, version-controlled, approved, and accessible to the right people at the right time. Uncontrolled <a href="https://www.cloudtheapp.com/documents/">documents</a> in a regulated environment are a direct <a href="https://www.cloudtheapp.com/glossary-compliance-risk/">compliance risk</a> and a common source of audit observations.</p>
<h3>Change Management</h3>
<p><a href="https://www.cloudtheapp.com/change-management/">Change management</a> governs how organizations introduce, evaluate, approve, and document modifications to processes, products, and systems. A structured <a href="https://www.cloudtheapp.com/glossary-change-control/">change control</a> process prevents unintended impacts on product quality and regulatory standing.</p>
<h3>Corrective and Preventive Actions (CAPA)</h3>
<p><a href="https://www.cloudtheapp.com/glossary-deviation-capa/">Deviation CAPA</a> management sits at the center of any QMS system. <a href="https://www.cloudtheapp.com/corrective-and-preventive-actions/">CAPA</a> processes address the root causes of quality problems rather than just their symptoms. A well-run CAPA process drives measurable improvement and reduces the recurrence of quality failures.</p>
<h3>Audit Management</h3>
<p>Internal and external <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a> provide objective verification that quality processes operate as intended. Effective audit management includes scheduling, execution, <a href="https://www.cloudtheapp.com/glossary-audit-finding/">audit finding</a> documentation, and closure tracking.</p>
<h3>Training Management</h3>
<p>Human error is one of the most common root causes of quality failures in regulated industries. A QMS system includes training management to ensure employees are qualified, current on procedures, and properly documented.</p>
<h3>Complaint Handling</h3>
<p>Customer complaint handling is a mandatory process under medical device and pharmaceutical regulations. A QMS system tracks, investigates, and links complaints to relevant product records, feeding insights back into the CAPA process.</p>
<h3>Supplier Quality Management</h3>
<p><a href="https://www.cloudtheapp.com/glossary-supplier-quality-management-sqm/">Supplier Quality Management (SQM)</a> governs qualification, performance monitoring, and ongoing oversight of external <a href="https://www.cloudtheapp.com/inside-cloudtheapp-connected-teams/">suppliers</a>. In regulated industries, supply chain quality failures carry direct <a href="https://www.cloudtheapp.com/ensuring-patient-safety-through-medical-device-design/">patient safety</a> implications.</p>
<h3>Audit Trail</h3>
<p>An <a href="https://www.cloudtheapp.com/glossary-audit-trail/">audit trail</a> captures a time-stamped, tamper-evident record of every action taken in a QMS system. Audit trails are required for compliance with <a href="https://www.cloudtheapp.com/glossary-21-cfr-part-11/">21 CFR Part 11</a> and EU Annex 11 when <a href="https://www.cloudtheapp.com/glossary-electronic-records/">electronic records</a> are used.</p>
<h3>Risk Management</h3>
<p>A structured approach to risk identification, evaluation, and control is embedded in modern QMS systems. Organizations maintain a <a href="https://www.cloudtheapp.com/glossary-risk-register/">risk register</a> that links identified risks to mitigation controls and monitors <a href="https://www.cloudtheapp.com/glossary-residual-risk/">residual risk</a> continuously.</p>
<h2>QMS Standards: What Governs a QMS System</h2>
<p>Different industries operate under different QMS standards. Understanding which standards apply to your organization is the first step in building a compliant system.</p>
<p><strong>ISO 9001:2015</strong> is the most widely adopted QMS standard globally. It applies across manufacturing, services, and other industries and provides a general framework for quality management and <a href="https://www.cloudtheapp.com/continuous-improvement-in-medical-device-quality-management/">continuous improvement</a>. <a href="https://www.iso.org/quality-management/what-is-qms">ISO</a> describes it as the foundation of any effective QMS.</p>
<p><strong>ISO 13485:2016</strong> is the medical device-specific QMS standard. It builds on ISO 9001 principles and adds requirements specific to regulatory compliance, <a href="https://www.cloudtheapp.com/glossary-risk-management/">risk management</a>, and the device lifecycle. With the FDA&#8217;s QMSR update, ISO 13485 now forms the backbone of US medical device QMS compliance.</p>
<p><strong>FDA 21 CFR Part 820 (QMSR)</strong> governs quality systems for medical device manufacturers in the US market. Since February 2026, the QMSR formally incorporates ISO 13485:2016 by reference.</p>
<p><strong>ISO 22000/FSSC 22000</strong> governs <a href="https://www.cloudtheapp.com/glossary-food-safety-management-system-fsms/">food safety</a> management systems for food and beverage manufacturers.</p>
<p><strong>GMP (<a href="https://www.cloudtheapp.com/glossary-good-manufacturing-practice-gmp/">Good Manufacturing</a> Practice)</strong> regulations – including 21 CFR Parts 210 and 211 for <a href="https://www.cloudtheapp.com/glossary-pharmaceuticals/">pharmaceuticals</a> – define process and documentation requirements for drug manufacturers.</p>
<h2>Paper-Based vs Digital QMS Systems</h2>
<p>Historically, many organizations ran paper-based QMS systems using binders, physical signatures, and spreadsheets. This approach has serious limitations in modern regulated environments.</p>
<p>A digital QMS system, or <a href="https://www.cloudtheapp.com/glossary-enterprise-quality-management-system-eqms/">eQMS</a>, replaces paper processes with controlled electronic workflows, automated approvals, real-time reporting, and immutable electronic records. The shift from paper to digital is accelerating. According to <a href="https://blog.montrium.com/blog/eqms-buyers-guide-for-life-science-organizations">Montrium&#8217;s eQMS Buyer&#8217;s Guide</a>, cloud-based QMS adoption is growing at 14.5% annually as organizations recognize the compliance and operational advantages of digital systems.</p>
<p>Key differences:</p>
<p><strong><a href="https://www.cloudtheapp.com/glossary-version-control/">Version control</a>:</strong> Paper systems rely on manual retrieval and physical destruction of obsolete documents. Digital QMS systems automatically control versions, notify relevant users on updates, and archive previous versions with full <a href="https://www.cloudtheapp.com/glossary-traceability/">traceability</a>.</p>
<p><strong>Audit readiness:</strong> Assembling paper records for an audit can take weeks. A digital QMS makes records instantly retrievable, searchable, and shareable.</p>
<p><strong>Scalability:</strong> Paper-based QMS becomes unmanageable as organizations add sites, products, or team members. Digital systems scale without proportional administrative overhead.</p>
<p><strong><a href="https://www.cloudtheapp.com/glossary-data-integrity/">Data integrity</a>:</strong> Physical records are vulnerable to loss, damage, and undetected modification. A digital QMS with <a href="https://www.cloudtheapp.com/glossary-electronic-signature/">electronic signatures</a> and a full <a href="https://www.cloudtheapp.com/glossary-audit-trail/">audit trail</a> ensures data integrity in line with FDA and EU expectations.</p>
<h2>What to Look for in a Modern QMS System</h2>
<p>Not all QMS systems deliver equal capability. When evaluating platforms for regulated industry use, prioritize:</p>
<p><strong>Pre-validated and compliant.</strong> The platform should come with a complete <a href="https://www.cloudtheapp.com/validation/">validation</a> package aligned to FDA Computer System Validation guidelines and current GxP standards. Building a full IQ/OQ/PQ validation from scratch consumes months of resources.</p>
<p><strong><a href="https://www.cloudtheapp.com/inside-cloudtheapp-all-that-glitters-is-not-no-code/">No-code</a> configurability.</strong> Quality processes vary by company size, product type, and regulatory scope. A configurable, no-code QMS system lets your team adapt workflows without depending on IT or developers.</p>
<p><strong>Built-in AI.</strong> Modern QMS systems use AI to identify deviation patterns, surface risk signals, and accelerate <a href="https://www.cloudtheapp.com/glossary-root-cause-analysis/">root cause analysis</a>. AI-driven functionality is increasingly a competitive necessity, not a premium add-on.</p>
<p><strong>Integrated applications.</strong> A QMS system should connect document control, CAPA, change management, training, <a href="https://www.cloudtheapp.com/audits/">audits</a>, complaints, and risk management in one platform. Siloed point solutions create traceability gaps and compliance risk.</p>
<p><strong>Seamless validated upgrades.</strong> Regulatory requirements change. Your QMS should receive validated, automatic updates that keep pace with evolving standards without burdening your quality team.</p>
<h2>Cloudtheapp: A QMS System Built for Regulated Industries</h2>
<p><a href="https://www.cloudtheapp.com">Cloudtheapp</a> delivers an AI-powered, no-code, cloud-native QMS system purpose-built for pharmaceutical, medical device, biotech, food and beverage, and manufacturing organizations.</p>
<p>The platform includes 45+ pre-built applications covering every core QMS process: document control, <a href="https://www.cloudtheapp.com/glossary-deviation-capa/">deviation CAPA</a>, change management, <a href="https://www.cloudtheapp.com/glossary-deviation-management/">deviation management</a>, <a href="https://www.cloudtheapp.com/glossary-audits/">audit management</a>, complaints, <a href="https://www.cloudtheapp.com/glossary-supplier-qualification/">supplier qualification</a>, training, <a href="https://www.cloudtheapp.com/batch-records/">batch records</a>, and more. Each application is configurable through a no-code drag-and-drop designer, and AI translates natural-language instructions into functional workflows in minutes.</p>
<p>Cloudtheapp is FDA-validated and compliant with 21 CFR Part 820 (QMSR), ISO 13485, ISO 9001, ISO 22001, and <a href="https://www.cloudtheapp.com/glossary-21-cfr-part-11/">21 CFR Part 11</a>. Validated updates are pushed automatically to all customers at no additional cost, ensuring continuous compliance without upgrade projects.</p>
<p><a href="https://www.cloudtheapp.com/request-a-demo/">Request a demo</a> to see how Cloudtheapp delivers a validated, AI-powered QMS system designed for the demands of regulated industries.</p>
<h2>Conclusion</h2>
<p>A QMS system is the operational foundation of any organization in a regulated industry. It provides the documented processes, controls, and evidence trail needed to meet ISO, FDA, and GMP requirements, protect patient safety, and drive continuous quality improvement.</p>
<p>Modern pharma, medical device, biotech, and manufacturing organizations are replacing paper-based QMS systems with cloud-based, AI-powered platforms that deliver audit readiness and regulatory compliance without the overhead of legacy tools.</p>
<p>The right QMS system keeps you compliant and gives your quality team the intelligence and efficiency to perform at their best.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
