The medical device industry is counting down to an important deadline: On Feb. 2, 2026, the U.S. Food and Drug Administration’s new Quality Management System Regulation (QMSR) formally replaces the Quality System Regulation (QSR).

Although the full text of the QMSR has been available for some time, there are still questions around inspections under QMSR. The FDA is retiring the Quality System Inspection Technique (QSIT) document that was the guide to inspections under QSR. Given that the FDA has stated there will be no “QSIT 2.0,” there has been some confusion around what inspections will look like under QMSR.

To help answer those questions, we had Sarah Lacey Robbins, senior quality manager and auditor at Rook Quality Systems, join us for a recent webinar to explain what the new investigations will look like. This article summarizes a few of her insights, but you can watch the full webinar on demand to get the most in-depth explanation of the new inspection framework.

QMSR: The end of checklist compliance

Robbins starts by noting that under QMSR, investigators will still look at the same subsystems of your QMS, like CAPA, complaints, medical device reports, and risk management. However, there will be a stronger emphasis on how these subsystems connect with one another. Inspectors will move beyond reviewing every procedure with a checklist. They are now authorized to use data-driven, risk-based sampling, pulling records across different parts of the QMS to test the system’s real-world effectiveness.

This new inspection philosophy also coincides with the elimination of exemptions for internal audit reports, supplier audit reports, and management review records. These three areas are now subject to FDA inspection, which means you need to treat these internal quality activities as inspection-ready documents.

As Robbins put it, under QMSR, compliance is no longer just about having the paperwork. It’s about having a living, integrated, and traceable QMS that works across all subsystems.

Complaint handling under QMSR

Complaint handling under QMSR remains grounded in 21 CFR Part 820.198, which requires manufacturers to have a formally designated unit responsible for receiving, reviewing, and evaluating all complaints in a timely manner.

However, in ISO 13485:2016, complaint handling is more than just logging issues. Complaints are treated as feedback. As defined in clause 8.2, organizations must maintain a documented complaint-handling process covering receipt, evaluation, investigation (if needed), and follow-up even if a complaint isn’t investigated. In the case that it isn’t investigated, a documented justification is required.

Additionally, complaints, along with other feedback and post-production data, must feed into the system’s risk management and CAPA processes. That means complaint data must now be treated not as isolated records, but as important inputs that influence risk assessment, quality decisions, CAPA triggers, and where relevant design or process changes.

Risk management under QMSR

Robbins also emphasized that risk management can no longer be viewed as a one-time or design-only checkbox activity. Instead, it must be woven into every part of your QMS.

The new expectation is proactive, dynamic, life cycle-wide risk management. Risk files must stay current and reflect actual product performance and real-world data, and serve as a foundation for ongoing quality, safety, and regulatory compliance. Under QMSR:
• Your QMS must use a risk-based approach to planning and controlling processes.
• The level of control validation, monitoring, and documentation should be appropriate to the risks associated with that process.
• Risk files must be living documents updated whenever new data emerge.
• There must be a traceable connection between your risk file, your design controls, and your postmarket data (including complaints, adverse events, CAPAs, and other feedback).

Risk management under QMSR isn’t an afterthought. Investigators may ask you to show them how you updated your risk file after specific complaints. They may ask about residual risk and how you justified it. Your ability to quickly demonstrate closed-loop integrations will be critical to your investigation performance.

Future-proofing your QMS in 3 steps

To prepare for QMSR-based inspections, Robbins offered a few pieces of advice that will benefit any postmarket team.

1. Run an effective gap analysis and map responsibilities: Companies should define clear escalation criteria and decision authorities for every key function (e.g., complaint logging, MDR review, CAPA ownership). Ensure that your team is trained not just on procedures, but also on the new risk-based QMS mindset.

2. Implement standardized traceability: Robbins recommends adopting standardized forms for every critical process and using unique identifiers or control numbers to explicitly link records. For instance, a complaint must link directly to an MDR evaluation decision (or nondecision), and then explicitly to the CAPA (if initiated). This turns your quality system into a coherent, traceable story.

3. Audit like a regulator: Your internal audit program should simulate a regulator’s inspection, testing the system based on its performance and integration, not just the existence of procedures. Focus on timeliness, completeness, and risk integration across the subsystems.

Is your QMS ready for QMSR?

While you’re thinking about the changes you need to make to comply with the QMSR, it also makes sense to take a step back and look at the QMS solution you’re using.

Is it built specifically for medtech? Does it help you achieve truly paperless audits? Does it come with a top-notch team of medical device experts who are always ready to help?

If you answered “no” to any of those questions, it’s probably time to modernize your QMS.

Published Dec. 10, 2025, by Greenlight Guru.