COMPLIANCEJuly 2026

QMSR Readiness Checklist: Is Your Quality System Actually Compliant?

ISO 13485 certified isn't the same as QMSR compliant. This checklist covers documentation, design controls, records, complaints, CAPA, and the FDA-specific provisions the standard doesn't touch.

QE
Senior Quality Engineer
9 min read

Is Your Quality System Actually QMSR-Compliant?

With the February 2, 2026 compliance date behind every device manufacturer, "we're ISO 13485 certified" is not the same answer as "we're QMSR compliant." A readiness assessment needs to check three separate things: whether your quality system satisfies ISO 13485:2016 in full, whether it also satisfies the narrow set of FDA-specific provisions the standard doesn't cover, and whether your documentation actually reflects the current regulation rather than the pre-2024 subpart structure. The checklist below covers the areas where manufacturers most commonly find gaps, organized in the order worth working through.

Documentation & QMS Structure

  • Quality manual regulatory basis statement references ISO 13485:2016 as the incorporated standard, not just "21 CFR Part 820" as a standalone FDA regulation.
  • Document and record control procedures are mapped to ISO 13485 Clause 4.2.4 and 4.2.5 rather than the old 820.40 language exclusively.
  • Quality policy and quality objectives are documented, communicated, and reviewed by top management per Clause 5, with objectives established at relevant functions and levels, not only at the top level, per Clause 5.4.1.
  • Terminology throughout procedures — "quality management system," "top management" — matches current usage rather than legacy Quality System Regulation vocabulary. See the full terminology comparison if you're unsure which terms changed.
  • Design Controls

  • Design controls procedure is structured around ISO 13485 Clause 7.3.1 through 7.3.10 rather than the old 820.30(a) through (j) lettering.
  • Risk management is explicitly cross-referenced from the design controls procedure, consistent with Clause 7.1 and ISO 14971.
  • Design and development file (DHF) templates and indexes reference current clause numbering for new and in-progress projects.
  • Open design projects have been checked against the interdisciplinary planning requirements in Clause 7.3.2 before reaching design transfer.
  • Full detail on this section lives in the design controls crosswalk.

    Records & Complaint Handling

  • Records are maintained in English and retained for the period required, consistent with the retained FDA-specific records provisions.
  • Records are accessible to FDA within a reasonable time during an inspection — confirm your retrieval process actually meets this in practice, not just on paper.
  • Complaint handling procedure satisfies both ISO 13485 Clause 8.2.2 and the additional specificity FDA retained, consistent with former Section 820.198 expectations.
  • Complaint files are linked to CAPA and, where applicable, medical device reporting under 21 CFR Part 803, which was not changed by the QMSR rulemaking.
  • Internal Audit & Management Review

  • Internal audit program is planned at defined intervals per Clause 8.2.4, with audit criteria, scope, frequency, and methods documented and risk-based.
  • Internal audit findings feed into CAPA and management review as a closed loop, not a standalone report that gets filed and forgotten.
  • Management review covers the inputs and outputs specified in Clause 5.6, including feedback, complaint data, audit results, CAPA status, and process performance — not just a high-level status update.
  • CAPA

  • CAPA procedure distinguishes corrective action (Clause 8.5.2) from preventive action (Clause 8.5.3) and requires documented effectiveness verification before closure.
  • CAPA sources include internal audit findings, complaint data, nonconforming product trends, and process monitoring data — not complaints alone.
  • Escalation criteria exist for when a CAPA finding indicates a systemic issue requiring broader investigation.
  • FDA-Specific Provisions Beyond ISO 13485

  • 21 CFR Parts 801, 803, 806, 807, 809, and 821 — labeling, medical device reporting, corrections and removals, establishment registration, IVD labeling, and device tracking — are confirmed as unaffected by the QMSR and still separately maintained.
  • FDA-specific definitions without a direct ISO 13485 equivalent are incorporated correctly into your quality system vocabulary.
  • UDI compliance and labeling controls are current and not assumed to be "covered" simply because ISO 13485 certification is in place.
  • For the regulatory context behind each of these retained provisions, see the QMSR transition guide.

    How Long Does a QMSR Gap Assessment Take?

    For a manufacturer already ISO 13485:2016 certified with a reasonably current quality system, a documentation-focused gap assessment against this checklist typically takes two to four weeks — most of the work is verifying cross-references and terminology rather than rebuilding processes. For a manufacturer transitioning from a Quality System Regulation-only quality system without ISO 13485 certification, expect a materially longer project, since the gap includes clauses ISO 13485 requires that the old Part 820 never did — documented quality objectives at multiple organizational levels, a formal customer feedback process, and explicit infrastructure and work environment controls among them.

    Start with the FDA-facing SOP template as a structural reference point, and prioritize design controls and records first — they're the areas most likely to generate findings if your compliance date already passed without a completed gap assessment.

    Coplain's Auditor Review module checks your existing quality system documentation against ISO 13485:2016 and the retained QMSR provisions, flagging gaps before an FDA investigator does. Free trial at coplain.com.

    Frequently Asked Questions

    Q: What's the first thing to check in a QMSR readiness assessment?

    A: Your quality manual's regulatory basis statement. If it still references 21 CFR Part 820 as a standalone FDA regulation without acknowledging ISO 13485:2016 as the incorporated standard, that's the fastest signal that the broader documentation hasn't been updated.

    Q: Is ISO 13485 certification enough to be QMSR-ready?

    A: It covers most of the substance but not all of it. Certification bodies audit against ISO 13485:2016 itself, not the narrow set of FDA-specific provisions — records language and retention, complaint file specifics, and FDA definitions — that exist only in the amended Part 820.

    Q: What happens if we're found non-compliant during an FDA inspection now that the compliance date has passed?

    A: The QMSR is enforced the same way the prior Quality System Regulation was — through 483 observations, warning letters, and, in serious or repeated cases, consent decrees. There is no separate transition-period leniency built into enforcement after February 2, 2026.

    Q: Do small device manufacturers get more time to comply with the QMSR?

    A: No. The final rule set a single compliance date, February 2, 2026, for all manufacturers subject to Part 820, regardless of size. FDA's small entity compliance guide provides implementation guidance but does not extend the deadline.

    Stop reading about better documentation. Start creating it.

    Coplain turns any work instruction into a print-ready, audit-proof job aid in minutes.

    Try Coplain free →

    Related articles

    Related Tools & Templates

    COPLAIN PLATFORM

    See every tool that turns complex work instructions into floor-ready documents.

    Explore the platform →
    ← Back to Blog