QMSR Explained: How FDA’s New Rule is Impacting Software Validation in MedTech

Article Context:

1. What is QMSR?
2. QMSR Validation
3. FDA QMSR Shift

The FDA has accomplished one of the most important regulatory overhauls in decades by replacing the traditional Quality System Regulation (QSR) with the Quality Management System Regulation (QMSR). This Final Rule, effective as of February 2, 2026, formally harmonizes U.S. medical device regulations with the worldwide gold standard on medical device Quality Management Systems, ISO 13485:2016, the international benchmark for medical device quality management systems.

For MedTech companies, especially those that use digital technologies and medical device software (e.g., Software in or as Medical Device (SiMD / SaMD), this evolution is not just about different terminology. Although the core expectations of software validation remain the same (e.g., intended use, evidence collection), this shift emphasizes how processes interact and how risk-based thinking is applied throughout the quality management system.

What is QMSR?

In January 2024, the FDA published a final rule, Quality Management System Regulation – Frequently Asked Questions | FDA , revising 21 CFR Part 820 to include, by reference, ISO 13485:2016. As of February 2026, the FDA is enforcing these requirements. The QMSR significantly reduces duplicative compliance efforts.

However, this did not mean that the FDA was simply adopting the entire international standard. It maintained specific statutory requirements to guarantee that the new rule was consistent with the Federal Food, Drug, and Cosmetic Act.

With QMSR, ISO 13485 requirements are enforceable as part of the FDA regulation under CFR Part 820. Even as the standards are harmonized, the FDA retains all authority for inspections and enforcement actions.

How QMSR Impacts Software Validation?

In the former QSR, Software Validation primarily applied to Process Validation (§820.75) and Design Controls (§820.30). After the QMSR transition, the FDA is emphasizing the software lifecycle, whether it is the device itself or in the quality system.

1. Integration of Risk-Based Thinking

ISO 13485 requires risk management across the entire quality system, not just product designs.Under QMSR, validation teams must:

• Incorporate risk-based decision-making into every software development process.
• Establish a direct relationship between validation activities and the impact on the product's safety and performance.
• Maintain documentation that records evidence of proportionate validation activity in relation to the risk investigated.

Validation can no longer exist as a standalone process, but it must be seen as a validated process for identified risks.

2. Specificity for Computerized Systems

Previously, the requirement in 21 CFR 820.70(i) was broad regarding the validation of automated processes. QMSR adopts ISO 13485 Clause 4.1.6, which specifically controls software validation within the QMS.

Manufacturers must now be ready to demonstrate an integrated QMS, as the QMSR shifts focus from a subsystem inspection model to a focus on how processes are interconnected, risk-informed, and analyzed, showing how inputs may be traced across the entire system.

3. Transition from DHF to the Medical Device File MDF

ISO 13485 Clause 4.2.3 requires manufacturers to maintain a Medical Device File (MDF), which consolidates the design and manufacturing documentation traditionally maintained separately as the Design History File (DHF) and Device Master Record (DMR) under FDA regulations.

For software validation, this means the documentation must clearly demonstrate traceability from initial requirements through verification and validation (V&V) results within a unified file structure.

New Inspection Realities

Even with harmonization, the FDA's approach to inspections has evolved. The agency has retired the Quality System Inspection Technique (QSIT) in favor of a new inspection process described in Compliance Program 7382.850. (Inspection of Medical Manufacturers - 7382.850)

Read FDA Inspection Guidance Here.

Inspectors will not simply evaluate management responsibility through the review of records, such as management reviews, but will look for demonstrable evidence of management involvement in risk-based decision making. If your software validation documentation is incomplete or lacks an adequate risk justification, it may be subjected to a Form 483 observation.

Moving Forward: Action Items for MedTech

To prepare for QMSR, companies need to:

• Break silos between functional groups, for example, QA and IT operations
• Strengthen process metrics
• Be prepared to demonstrate the effectiveness of their QMS
• Embed risk-based thinking and application across processes
• Increase leadership involvement and be prepared to demonstrate to regulators with clear evidence of leadership accountability for QMS performance.

Final Thoughts

QMSR represents the FDA's shift to a global quality approach for MedTech. While core validation principles remain, which is to make sure a system meets its intended use, the rigor and integration of risk management have reached a new level. Proactive alignment of software validation programs to these ISO-based standards ensures both regulatory compliance and safer, more reliable digital health solutions.