Quality Management System Regulation (QMSR) – US Device QMS Harmonized with ISO 13485

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • Regulatory Framework & Compliance Architecture • QA, RA, Manufacturing, Supply Chain

Quality Management System Regulation (QMSR) is the US FDA’s harmonized quality system rule for medical devices that aligns closely with ISO 13485 while preserving device‑specific US statutory obligations (e.g., adverse event reporting, corrections and removals, registration and listing, and UDI). QMSR replaces the legacy quality system regulation codified at 21 CFR Part 820 and codifies a risk‑based, lifecycle approach to design, manufacture, distribution, and postmarket surveillance. Practically, QMSR asks manufacturers—and the contract manufacturers and critical suppliers who support them—to run the business by the quality system: top‑management accountability, documented and controlled processes, qualified/validated production, complaint handling, CAPA, and reliable records protected under 21 CFR Part 11/Annex 11.

“QMSR blends ISO 13485’s global language with US device obligations—less translation, more compliance by design.”

1) What QMSR Changes—And Why It Matters

By harmonizing with ISO 13485, QMSR reduces duplication for global device makers and clarifies expectations for contract manufacturers. The central ideas are familiar to anyone running a mature QMS: leadership accountability, documented processes, risk‑based decision making, supplier control, process validation, and vigilance. The practical effect is to make the quality system the operating system—tying together design controls (documented in the DHF), production history (in the DHR and eBMR), and postmarket feedback (complaints, adverse events) into one managed lifecycle.

2) Relationship to Legacy 21 CFR 820 (QSR)

QMSR supersedes the historical 21 CFR Part 820 framework while keeping core intent. You still need design inputs/outputs, verification/validation, production and process controls, CAPA, complaint handling, and robust records. But the harmonized language and structure mean your ISO‑certified system should map far more directly to FDA inspection expectations. That mapping is surfaced in practical artifacts: controlled procedures (SOP under Document Control), design files (DHF), device records (DHR), and release evidence (QC – Testing & Release Evidence).

3) Who Must Comply—Manufacturers, Contract Sites, & Critical Suppliers

QMSR applies to finished device manufacturers and entities whose activities can affect device safety and performance. That includes private‑labelers, contract manufacturers, sterilizers, and sometimes critical component suppliers where their process controls and records are essential to product conformity. Practical compliance spreads across the ecosystem: purchase controls and supplier qualification, clear Quality Agreements, incoming acceptance (Incoming Inspection), and robust escalation (SCAR) when the supply chain underperforms. Even if a CMO is outside the US, their processes and records become part of your compliance story—plan your oversight and data access accordingly.

4) Core QMSR Elements in Plain Language

• Management responsibility & resourcing: Leadership sets policy, signs off on resources, and reviews QMS performance through KPI‑driven management review.
• Design & development controls: Requirements, risk, verification, validation, transfer—documented in the DHF with controlled IFU and labeling.
• Production & process controls: Qualified equipment (IQ/OQ/PQ), validated processes (PV/PPQ/CPV), Process Control Plans, and statistical control (SPC, Cp/Cpk).
• Purchasing controls: Qualification, monitoring, incoming verification, CoA management (CoA), and escalation (SCAR).
• Identification & traceability: Label control, UDI and tracking (830/821), and strong genealogy.
• Nonconforming product & CAPA: NCMR to MRB decision; systemic issues go to CAPA with effectiveness checks.
• Complaint handling & reporting: Vigilance processes tied to Part 803 (MDR) and Part 806 (corrections/removals).
• Documents & records: Controlled procedures, accurate records, and protected data (Data Integrity, Retention & Archival, Audit Trails).

5) Design & Development Under QMSR

Design control remains a cornerstone. Define clear inputs (user needs, safety/performance requirements), manage risk throughout, and prove outputs meet inputs via verification and validation. Maintain the DHF as the single source of truth: requirements, risk analyses, verification/validation protocols and reports, and transfer plans. For complex manufacturing characteristics, feed risk and critical‑to‑quality features into the PFMEA and PCP. For supplier‑made parts, use FAI where appropriate. Confirm usability and human factors (HFE) and ensure instructions and labeling (IFU, Labeling Control) are controlled items in your QMS.

6) Production & Process Controls—From Proof to Control

QMSR expects you to run validated, monitored processes. Equipment qualification (IQ/OQ/PQ) leads into Process Validation (including PPQ) and life‑cycle trending via CPV. Critical characteristics are monitored with SPC control limits and capability indices (Cp/Cpk). Advanced plants use at‑/in‑line analytics (PAT) and machine vision to reduce lag and error. Execution happens under an MES (MES) with effective‑dated instructions from the MBR/MMR and with full eBMR traceability.

Where processes are sensitive to cleaning or cross‑contamination, QMSR expects documented and verified control—see Cleaning Validation and Cross‑Contamination Control. For micro‑sensitive environments, pair process data with Environmental Monitoring (EM) and enforce status interlocks via asset calibration (Calibration Status).

7) Purchasing Controls & Supplier Quality

Suppliers must be selected, qualified, and monitored proportionate to risk. Controls span qualification, audits (Internal Audit), contractual commitments (Quality Agreement), and verification at Goods Receipt and Incoming Inspection. Incoming failures are documented through NCMR and dispositioned by MRB; systemic issues trigger a SCAR. Be clear on data sharing (e.g., access to certificates, process data, and traceability events). Where CMOs produce labeled product, UDI and labeling controls must be demonstrably under your QMS oversight.

8) Identification, UDI & Traceability

QMSR integrates with US UDI and tracking requirements: assign and manage UDI device identifiers (Part 830), maintain tracking where required (Part 821), and keep robust traceability across raw materials, intermediates, and shipments. Modern programs extend traceability using GS1 GTIN, case/pallet identifiers (SSCC), and unit serialization, with event sharing via the EPCIS standard. On‑line label verification and labeling control prevent misidentification—one of the most common recall causes.

9) Complaint Handling, Adverse Event Reporting & Field Actions

QMSR requires structured complaint handling with formal evaluation, investigation, trend analysis, and risk assessment, feeding mandatory reports under Part 803 (MDR). Corrections and removals follow Part 806, and establishments maintain registration and listing per Part 807. Ensure your processes integrate with CAPA, and that labeling updates loop through Document Control. The best systems link complaint codes to design and process risk so fixes target root causes, not symptoms.

10) Documents, Records & Data Integrity

Documents (policies, SOPs, work instructions, forms) must be controlled; records (DHF/DHR, eBMR, test data) must be complete, attributable, and readable throughout retention. Enforce ALCOA principles under Data Integrity, capture and protect raw data with immutable audit trails, and ensure electronic signatures meet Part 11 expectations. Apply approved retention & archival rules and ensure retrieval supports inspections and complaint/litigation holds. For labs, validate LIMS/ELN (LIMS, ELN); for production, validate MES and related automated batch records (CSV, GAMP 5).

11) Change Control & Continual Improvement

QMSR expects controlled change that considers risk, re‑validation, labeling, and supply‑chain impact. Run changes through Management of Change (MOC)/Change Control. Test the delta: for software/configuration, use targeted OQ and partial re‑process validation as justified. Embed learning loops through CAPA, APR/PQR, and CPV; strengthen controls where trends show risk rising and simplify where evidence is consistently strong. Lean practices—Kaizen, Lean, Jidoka—align naturally with a mature QMSR.

12) Warehouse & Distribution Controls Under QMSR

Identity, status, and environmental protection continue after manufacturing. Run receiving and storage under a WMS with status segregation (Quarantine to Released), directed movements (Directed Picking), and controlled bin/zone topology. Use FEFO/FIFO (FEFO/FIFO) where shelf life applies. At shipping, verify labels and packs (Pack & Ship), control handover (Dock Loading), and exchange accurate advance information (ASN). Strong controls here prevent the “right product, wrong label/customer” scenarios that undermine compliance and trust.

13) Sector Interfaces: Drugs, Foods, Cosmetics & Combination Products

Many device manufacturers operate in mixed portfolios (e.g., combination products or device‑adjacent kits). Understand the borders: drug cGMPs (210/211), food cGMP/FSMA (117 and FSMA 204 KDE), dietary supplements (111), GLP for pre‑clinical labs (58), and biologics (600‑680). Cosmetics modernization (MoCRA) introduces QMS‑like expectations too. Build one integrated control system so common processes (document control, CAPA, validation, labeling) satisfy all applicable regimes without duplication.

14) Common Inspection Gaps & How to Close Them

• Unclear design traceability: Remedy with a living requirements → risk → test matrix inside the DHF, and ensure transfer packages feed the PCP and MES.
• Weak process validation: Tie PV/PPQ to risk and capability; maintain CPV and set SPC limits that actually control outcomes.
• Supplier oversight on paper only: Operationalize with targeted incoming tests (GMP sampling), Quality Agreements, and disciplined SCAR closure checks.
• Label and UDI errors: Enforce artwork control and on‑line verification; validate data flows to UDI databases and distribution partners.
• Electronic record fragility: Validate systems (CSV, GAMP 5), enforce audit trails, and test backup/restore and time synchronization (Part 11).
• Inventory & status mix‑ups: Use WMS with status interlocks, location discipline, and directed picking to prevent released/blocked mixing.
• CAPA without effectiveness: Require measurable outcomes tied to process metrics and APR/PQR.

15) Building a Practical QMSR Transition Plan

1. Gap assess current QSR/ISO system to QMSR clauses; map to owned procedures and records (Document Control).
2. Prioritize high‑risk gaps: design traceability, supplier controls, validation/CPV, complaint/MDR.
3. Harmonize procedures so one SOP ecosystem serves ISO and US obligations; embed approval workflows.
4. Strengthen data integrity in core systems (MES/LIMS/WMS) per Part 11/audit trail expectations.
5. Train roles with targeted modules for design, production, QA, supply chain; record competency evidence.
6. Pilot & scale on one product family; measure KPIs (RFT, OOS/OOT, complaint turnaround, OTIF).
7. Lock in via management review and internal audits (Internal Audit), then propagate.

16) How This Fits with V5 by SG Systems Global

V5 Solution Overview. The V5 platform is engineered to operationalize QMSR. Configuration is versioned, evidence is attributable, and cross‑module interlocks (identity, status, signatures) are enforced and reportable—ideal for ISO 13485/QMSR harmonization and inspection‑ready traceability.

V5 QMS. Within the V5 QMS, procedures, SOPs, and training are controlled; deviations, CAPA, complaints, MDR/field action workflows, and MOC/Change Control are integrated under Part 11 with full audit trails.

V5 MES. The V5 MES executes effective‑dated MBR/MMR, line clearance, and IPC/SPC, capturing device genealogy and producing an eBMR/DHR bundle that QA can disposition by exception.

V5 WMS. The V5 WMS enforces status (e.g., Quarantine/Released), location discipline, FEFO/FIFO, and scan‑verified label verification including UDI, GTIN, case SSCC, and unit serialization, with EPCIS events for partner exchange.

Bottom line: V5 makes QMSR tangible. The same controls you document—identity, status, signatures, validation evidence—are the controls V5 enforces at design, make, test, label, store, and ship, shortening release cycles and strengthening compliance.

17) FAQ

Q1. How is QMSR different from the old QSR?
QMSR harmonizes with ISO 13485, so the language and structure align with global practice. Core expectations remain—design control, process control, CAPA, complaints—but mapping from ISO to FDA inspections is more direct.

Q2. If I’m certified to ISO 13485, am I automatically compliant with QMSR?
You’re close, but not automatically. You still must meet US‑specific obligations like MDR (803), corrections/removals (806), registration/listing (807), and UDI (830) plus tracking where applicable (821).

Q3. What records matter most during an FDA QMSR inspection?
Your DHF (showing traceability from requirements to testing), DHR/eBMR (proving controlled manufacturing and release), and complaint/CAPA files linked to risk and change control. Inspectors also look closely at supplier files, validation, and labeling/UDI controls.

Q4. How should we treat software and electronic records under QMSR?
Validate GxP‑relevant systems per CSV/GAMP 5. Enforce audit trails, unique users, and meaningful e‑signatures that meet Part 11. Keep raw and processed data linked and retrievable for the full retention period.

Q5. What does good supplier control look like under QMSR?
Risk‑based qualification and monitoring, clear Quality Agreements, defined incoming verification (Incoming Inspection, GMP sampling), and disciplined SCAR with effectiveness checks. Integrate supplier data into your genealogy and UDI labeling stream.

Q6. Do combination products change how we apply QMSR?
Yes—combination products pull in drug or biologics requirements (e.g., 210/211). Build an integrated system so design control, validation, labeling, CAPA, and records satisfy all applicable parts without duplicative processes.

Q7. How do we prove process control day‑to‑day?
Show qualified equipment (IQ/OQ/PQ), validated processes (PV/PPQ), live SPC and capability metrics, and effective‑dated instructions in an MES generating a traceable eBMR/DHR.

Q8. Where does warehousing fit into QMSR?
QMSR expects identity, status, environmental protection, and traceability across storage and distribution. Use a WMS to enforce Quarantine/Released segregation, location discipline, FEFO/FIFO, and verified label/UDI at Pack & Ship and Dock Loading.

Related Reading
• Foundations & Governance: ISO 13485 | 21 CFR Part 820 | GMP/cGMP | Document Control | SOP | Internal Audit
• Design & Production: DHF | DHR | Process Control Plan | Process Validation | PPQ | CPV | SPC Control Limits | Process Capability (Cp/Cpk)
• Suppliers & Materials: Quality Agreement | SCAR | Incoming Inspection | NCMR | MRB
• Labeling, UDI & Distribution: UDI (Part 830) | Device Tracking (Part 821) | Labeling Control | Label Verification | GS1 GTIN | SSCC | EPCIS | WMS | Pack & Ship
• Complaints & Reporting: Part 803 (MDR) | Part 806 (Corrections/Removals) | Part 807 (Registration & Listing) | CAPA