Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: What does QMSR mean for developers of SaMD?

  • Published: January 25, 2026
  • Category: Medical Devices

Share this post

Headshot of a man wearing glasses and braces over a light shirt
Daniel Mannion

Share this post

What SaMD Teams Need to Know

The FDA’s new Quality Management System Regulation (QMSR) comes into effect on 2nd February 2026. Thisreplaces the previous Quality System Regulation (QSR) and brings the  FDA’s approach and expectations to Medical Device Quality Management Systems into alignment with the ISO 13485 International Standard. While this may sound like an enormous overhaul, this blog will outline how you’re already meeting many of these requirements, even if the new terminology may not look familiar.

Need Help? Book a Call with our Expert Team
qmsr Expert Insights: What does QMSR mean for developers of SaMD? qmsr
AI regulation

Is your company impacted?

This change affects companies that sell or plan to sell products on the US market. It may require businesses that haven’t adopted an ISO 13485-compliant format for their QMS, such as those that have only exclusively engaged with the FDA, to adjust their management system and regulatory documentation. However, it’s important to note that it does not impact requirements outside of the US or affect the contents of ISO 13485 itself for other markets.

How big is this change?

The FDA have determined that ISO 13485 is “substantially similar” to their previous Quality System Regulations, but they have also “establishe[d] additional requirements that clarify certain expectations and certain concepts used in ISO 13485.”

This does not mean that manufacturers are required to be certified to ISO 13485 to meet the QMSR requirements, and in practice, this is not a big change.

This change is on the scale of a new guidance document – or a localised version of a standard like the UK NHS-specific version of ISO 14971 called DCB0129 – something your regulatory intelligence activities should be identifying and reviewing, but not something on the scale of a new set of regulations (like the transition from EU MDD to EU MDR).

Why do these changes matter?

Any manufacturer providing medical devices to the US market – whether you are based in the US or not – is subject to an unannounced audit from the FDA at any time. As anyone who has experienced one of these audits will tell you, an FDA audit is a big deal.

FDA warnings and enforcement actions are rare, but a major audit finding could block US market access. Failing to adopt the QMSR likely won’t cause immediate exclusion; however, it could exacerbate other compliance issues, potentially leading to a warning letter or enforcement action.

On the flip side, for companies looking to enter the US market, the regulatory hurdles just got a bit easier – application of ISO 13485 is now 90-95% of what the FDA expect and some small tweaks to your existing system could give you access to the US market (for some Class I devices) or make your application to the FDA easier.

What are the most significant changes?

1. The FDA will review more records

Previously, the FDA would not review management review records, internal audit records or supplier audit records as part of their auditing; their concern was that staff might hold back in these activities, fearing that an FDA auditor might raise a Non-Conformity based on the information they share. The switch to QMSR brings FDA in line with the cooperative auditing philosophy – that an auditor creating a Non-Conformity is an opportunity to improve instead of a punishment to be avoided.

Concerned about Privacy implications? 

The FDA is subject to the Freedom of Information Act, so documents provided to it with confidential information still need to be marked as confidential, or they will be subject to public access requests.

2. Removal of DHF, DHR and DMR

Design History File (DHF), Device History Record (DHR) and Device Master Record (DMR) – the three-letter acronyms that regulatory professionals love to confuse – are not present in ISO 13485 and have not been specifically retained in the FDA’s additions to the QMSR, so you’ll no longer find them in US regulations. However, this doesn’t mean that you’ll need to rename your existing files – if you want to keep these in your QMS, no problem!

3. Risk-based approaches across the QMS

While the old QSR mentions risk specifically in the Design Controls section, whereas ISO 13485 requires a risk-based approach across the QMS; for example, when considering controls on supplier products and processes, software validation and CAPA prioritisation. This doesn’t just mean increasing the resources and prioritisation – low-risk areas can be deprioritised as much as high-risk areas are prioritised.

4. Top Management Engagement

Top management must understand Medical Device Regulations for an effective Quality Management System (QMS). ISO 13485 requires Top Management Accountability, unlike the QSR, which only required a Management Representative. QMSR now forces active participation by top management in Management Reviews to demonstrate this commitment.

5. Customer Communications Procedure

ISO 13485 includes a requirement to have procedures to address:

  • sending product information to customers
  • customer enquiries
  • customer feedback that is not a complaint (such as positive feedback or suggestions)
  • contracting with customers and order handling

While these were not QSR requirements, they are commonly already included in QMSs, so hopefully, you’ll find you already have much of this.

6. Validation of QMS Software

While the FDA has led the world with their guidance documents on Computer Software Validation and the more recent Computer Software Assurance, QSR wasn’t 100% explicit in making this a requirement. By incorporating ISO 13485, QMSR makes it explicit that QMS software validation is required to access the US market – Clause 4.1.6 of ISO 13485:

“The organisation shall document procedures for the validation of the application of computer software used in the quality management system.”

Where can we help?

While small, there are some subtle differences between QSR and QMSR which can have a significant impact on future regulatory approvals and the ability to scale beyond the US. Ensuring these changes are reflected is essential and can often accelerate compliance and certification with ISO 13485. 

If you’re looking for reassurance that your Quality Management System will meet the new requirements or if you’re interested in ISO 13485 certification to expand into Europe, we can help. Get in touch to speak to a member of our expert team.

Book a Call with our Expert Team

Frequently Asked Questions.

What is the FDA Quality Management System Regulation or QMSR?

The QMSR (Section 820 of Title 21 of the Code of Federal Regulations in the USA) are the regulations that the FDA has established for medical device manufacturers to ensure their company operates in a way that supports the creation of safe and effective medical devices.

When was it introduced?

The FDA’s new Quality Management System Regulation (QMSR) was introduced in 2024 and comes into effect on 2nd February 2026.

What does it require of Medical Device manufacturers?

It requires that medical device manufacturers apply the international standard ISO 13485 to the operations – it includes a wide range of requirements across areas such as development, production, training, complaint handling and improvement.

How will QMSR impact AI Medical Device manufacturers?

The FDA found QMSR to be “substantially similar” to their previous regulations and there are no changes in the regulations that would specifically impact on AIaMD manufacturers more than others.

How similar is it to ISO 13485?

Incredibly similar – the FDA have done the legal equivalent of copying and pasting ISO 13485 into the regulation. There are only a few additional comments and clarifications that provide extra guidance on how the FDA interprets ISO 13485.

Does ISO 13485 certification mean I am automatically QMSR compliant?

Almost – there are a few additional comments and clarifications that provide extra guidance on how the FDA interprets ISO 13485. However, the FDA does not recognise or require ISO 13485 certification and it will not impact whether they choose to perform an audit on you themselves.

Do I need a Quality Manual?

Yes, ISO 13485 requires a Quality Manual – and in a small change to the old US regulations, you’ll now need to illustrate how your processes interact with each other. We recommend creating a process interactions map for the full QMS in the Quality Manual.

How does QMSR handle Risk Management?

ISO 13485 (and so QMSR) requires risk to be considered across the entire Quality Management System, not just in design and development. This doesn’t just mean increasing the resources and prioritisation – low-risk areas can be deprioritised as much as high-risk areas are prioritised.

Is ISO 14971 (Risk Management) now mandatory?

ISO 14971 was already a recognised consensus standard by the FDA – while not mandatory, it is strongly recommended (and recognised internationally as well). QMSR doesn’t change this.

Will the FDA still use QSIT?

As of 2nd February 2026, QSIT will be withdrawn, and the FDA will be using a new set of inspection guidelines.

What are the key differences between ISO 13485 and QMSR?

  1. The FDA will now look at records like management reviews and internal audits that they previously would not have.
  2. The terms DHF, DHR and DMR no longer appear in the regulation – although the concepts are still there.
  3. Risk must be considered across the QMS, not just in design controls.
  4. Extra requirements for top management engagement and customer communication.
  5. Explicit requirement to validate software used in the QMS.

Do we have to adopt QMSR to sell in the US market?

QMSR is mandatory for all Medical Device manufacturers selling in the US market; however, not all of QMSR applies to all manufacturers – application of a Quality Management System is dependent on the risk classification of the device – for example, only class I medical devices on this list need to apply design controls.

Do we have to maintain Design History File (DHF), Device History Record (DHR) and Device Master Record (DMR) as part of QMSR?

Through ISO 13485, QMSR requires manufacturers to maintain similar concepts of Design and Development Records, Product Realisation Records and Medical Device File. So no one will be asking you for a DHF, DHR or DMR, but you can keep calling them that if you want to.

Does QMSR still require Computer Software Validation and Assurance as part of the requirements?

By incorporating ISO 13485, QMSR makes it explicit that software used in the QMS must be validated prior to use.

We’re the experts that have your back.

Speak to a member of our expert team about how you can adopt QMSR in your Quality Management System

Book a Call with our Expert Team

Other Articles​

Loading...
IEC 62304 vs EU MDR classification

Implementing IEC 62304: 5 Common Mistakes

Read More →

July 3, 2026
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
What is IEC 62304

FAQ: What is IEC 62304?

Read More →

April 27, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept