Executive Summary

The U.S. Food and Drug Administration’s (FDA’s) Quality Management System Regulation (QMSR) has replaced the long-standing Quality System Regulation (QSR) (^[1]) as of February 2, 2026 (^[2]) (^[3]). This landmark rule aligns U.S. device quality requirements with the international ISO 13485:2016 standard (^[4]) (^[5]). One of the most significant changes under QMSR is that internal audit and management review records, which were previously exempt from FDA inspection, are now subject to inspection (^[6]) (^[7]). In other words, companies can no longer consider internal audit reports “confidential” with respect to FDA, since §820.180(c)’s previous exemptions have been eliminated (^[6]). This shift dramatically increases regulatory transparency: FDA inspectors may now request and review quality audit reports, supplier audit reports, and management review data as part of any device inspection.

This comprehensive report examines the background, current state, and implications of the QSR-to-QMSR transition, with an emphasis on the new treatment of internal audit reports. It covers the historical context and FDA rulemaking, details the substantive changes under QMSR (including ISO harmonization and new compliance expectations), and analyzes the impact on industry. The report includes evidence from official FDA guidance and credible analyses (^[4]) (^[8]) (^[6]), incorporates case scenarios illustrating practical effects on device firms, and discusses future directions. Supported by tables and figures, the analysis emphasizes how companies must adapt their quality systems — particularly audit and record-keeping processes — in light of the new regulation.

Introduction and Background

The Quality System Regulation (QSR), codified at 21 CFR Part 820, was first established in 1996 (effective Dec. 27, 1996) to govern the Current Good Manufacturing Practice (CGMP) for medical devices (^[9]). It replaced earlier device cGMP rules from 1978 under the FDA’s statutory authority (FD&C Act § 520(f)) and introduced requirements for design controls, production, corrective/preventive actions, and quality auditing (^[9]). Since 1996, Part 820 (often called the “QS Regulation”) had remained essentially unchanged (^[9]), even as global device Quality Management System (QMS) standards evolved. In parallel, the ISO 13485 standard (first issued in 1996 and revised 2003/2016) became the flagship international QMS for medical devices. By 2016, ISO 13485 had been widely adopted by regulators worldwide (^[9]) (^[10]).

Given this landscape, the FDA initiated formal harmonization. In February 2024, the FDA published a Final Rule amending Part 820 by incorporating the requirements of ISO 13485:2016 by reference (^[4]) (^[8]). This rule effectively renames Part 820 as the Quality Management System Regulation (QMSR) and mandates ISO-aligned practices (while preserving critical FDA-specific requirements) (^[4]) (^[5]). The two-year transition period (from February 2024 to Feb. 2, 2026) was chosen to allow manufacturers to align with the new requirements (^[3]) (^[8]). As a result, on February 2, 2026, the “old” QSR yielded to QMSR (^[2]) (^[3]).

The FDA’s stated objectives for the QMSR include regulatory harmonization and simplification. In its rulemaking, the Agency emphasized that aligning with ISO 13485 promotes global consistency and reduces burden on manufacturers, thereby improving patient access to quality devices (^[11]). Indeed, as one analysis notes, the FDA believed that retaining dissimilar QMS rules would “hinder efficiency and limit patient choices,” so the new rule aims for “regulatory simplicity and global harmonization” expecting to reduce industry burden (^[12]). In practice, QMSR does two key things: it adopts ISO’s terminology and quality management concepts (risk-based thinking, leadership accountability, etc.) and it removes outdated provisions (or adds clarifications) to spell out explicitly things that in practice already occurred. In sum, the QMSR aligns the U.S. system with international norms while clarifying FDA’s expectations.

The following sections examine the QSR (pre-2026) and QMSR (post-2026) requirements in detail, with a special focus on internal audits and related records, which are now subject to regulatory inspection.

Key Changes: From QSR to QMSR

The QMSR final rule amends 21 CFR 820 in several important ways. Table 1 below summarizes some of the major high-level differences:

Table 1: Key differences between the legacy QSR and the new QMSR. (Sources: FDA QMSR Final Rule and analyses (^[4]) (^[9]).)

A few points on Table 1 are highlighted by regulators and industry experts. First, as noted above, the title and structure have changed to slot in ISO references (for example, QMSR explicitly references ISO 13485 clauses in lieu of many bare FDA requirements (^[18])). The inclusion of risk-based thinking is a big shift in emphasis: while the old QSR had no explicit risk management clause, QMSR incorporates ISO’s risk clauses into 21 CFR 820 (e.g. new §820.100 requiring a risk management process) (^[13]). Management semantics have changed too, elevating leadership responsibility – ISO speaks of “top management” and QMSR follows suit (^[14]).

Critically, the inspection and records provisions have been revised. FDA will no longer use the old QSIT inspection model as of Feb. 2026 (^[2]). Instead, a new inspection framework (CP 7382.850) will be employed, one that fully integrates QMSR requirements (including a gap in FDA training and procedures (^[19]) (^[3])). Equally important is how record-keeping requirements are handled. Under QSR, 21 CFR 820.180(c) exempted several records from FDA oversight – notably internal quality audit reports, management review minutes, and certain calibration/test records. These were considered confidential device records not subject to routine inspection (^[6]). Under QMSR, however, the agency explicitly eliminated these exemptions (^[6]). As FDA’s QMSR FAQ states:

“Yes. The QMSR gives the FDA the authority to inspect management review, quality audits, and supplier audit reports. The exceptions that existed in the QS regulation at §820.180(c) are not maintained in the QMSR. … These records are maintained in the regular course of business and should be readily available upon inspection.” (^[6]).

In plain terms, internal audit reports can now be inspected by FDA, and thus are no longer off-limits. (FDA notes that manufacturers already share these reports with other regulators, so the change is more about formalizing access than creating new burden (^[6]).)

Internal Audits and Record Confidentiality

Internal quality audits have long been a cornerstone of device QMS, required by 21 CFR 820.22 (each manufacturer must conduct periodic audits of the quality system). Under legacy QSR, these audit reports were considered confidential from the standpoint of FDA inspections. Specifically, §820.180(c) given under QSR categorized quality audit records (and management review minutes) as excluded from FDA review, meaning inspectors would not normally request them (^[6]). In practice, if an audit uncovered issues, the firm could document CAPA records without turning over the underlying audit file.

However, the QMSR abolishes that safe harbor. Starting Feb. 2, 2026, FDA officials may ask to see the actual internal audit documentation. The Agency has made clear that any records already kept for device quality—including audit logs, tracer records, and review reports—are to be “readily available upon inspection” (^[6]). Thus, the content of internal audits is effectively open to regulatory review. In consequences, internal audits “are no longer confidential” in the regulatory sense: companies cannot assume the reports will be kept private from FDA review.

This rule change has several implications. From FDA’s perspective, it fills a historical blind spot: inspectors can directly confirm whether audits found any nonconformities and if appropriate corrections were tracked. It also harmonizes to global practice: other regulators (and certifying bodies under ISO/MDSAP) already view audit records as part of the official QMS documentation, so this aligns FDA with international norms (^[7]). FCAoinally, respondents have noted that FDA will continue to treat inspected records as confidential (per 21 CFR Part 20) even though they are not exempt (^[7]). In short, audit reports will be visible to FDA but protected under agency confidentiality rules thereafter.

For device firms, removing the confidentiality shield means greater transparency and risk. Now, any adverse findings or strategic observations captured in an internal audit could be questioned by FDA. For example, if an audit uncovered a recurring process deviation, the Agency will be able to scrutinize how management addressed it, rather than relying solely on the company’s CAPA summary. As one industry commentary warns, manufacturers must now “‘pick their words’ in internal audit reports” knowing they may be reviewed by regulators (^[7]). On the other hand, proponents argue this fosters stricter compliance: “audit reports and management review documents can no longer hide problems” from FDA inspectors. Either way, the changed treatment underscores that audit reports can have regulatory impact.

Case Study: XYZ Medical Devices (hypothetical) conducted a thorough internal audit of its injection pump line in mid-2026. The audit report revealed minor nonconformances in batch record review and calibration procedures, with planned CAPAs noted. Under the pre-QMSR regime, FDA inspectors (in a follow-up visit) might not have seen the full audit report – only CAPA closure records – because audit files were exempt. Under QMSR, the next inspection entitles FDA to demand the actual audit logs. The inspectors obtain the report and see exactly what was found and decided. If they judge a CAPA was delayed or inadequate, they may cite a violation directly – all revealed by an originally internal report. This scenario (though contrived) illustrates how QMSR erases the former “private” status of audit findings.

Another angle involves supplier audits. Many firms have supplier quality audit programs (auditing component vendors, contract manufacturers, etc.). Such supplier audit reports were also considered “internal” by nature. QMSR similarly authorizes FDA to inspect supplier audit records, thus extending transparency to the supply chain. Device consultants now advise companies to maintain thorough documentation of such audits, as FDA can request them for review.

Data & Statistics: While detailed industry surveys on QMSR readiness are just emerging, some figures are illustrative. ISO 13485 certification is nearly universal among global device makers (roughly 46,000 companies hold ISO 13485 worldwide (^[5])), and the U.S. market is by far the largest for medical devices (around 40–45% of global sales). Thus, the QMSR affects thousands of companies. FDA conducts roughly 1,500–2,000 device establishment inspections per year globally, including routine surveillance and for-cause audits. Under QMSR, a substantial fraction of those inspections will now routinely seek internal audit records. (FDA estimates that compliant firms already maintain these records to satisfy ISO or MDSAP audits (^[20]).)

The dynamics of open audit records can also be quantified in terms of regulatory actions. Under the old regime, FDA would rarely cite “failure to conduct internal audits” (because lack of evidence was hard to prove without seeing the report). Under QMSR, one might see more 483/Form 482 citations referencing audit findings directly. This is speculative, but the QMSR FAQ indicates the Agency expects staff to “incorporate the requirements of the final rule” into inspections immediately (^[21]).

Incorporating QMSR: Industry Perspectives and Case Examples

Manufacturer Viewpoint: Many medical device companies have already aligned their QMS with ISO 13485 for EU CE marking or MDSAP. From their perspective, the QMSR change is a natural extension – “harmonization, not revolution” as industry authors note (^[22]). For example, Mindful MedTech Consultants observes that QMSR “does not intend to change the FDA’s existing way of thinking or fundamentally reorganize QA requirements” (^[22]). In practice, companies using ISO‐based systems may need only modest adjustments (e.g. renaming documents, adding a risk clause, updating forms). Many see the clear benefit of avoiding dual-documentation for ISO vs. FDA.

However, even well-prepared firms acknowledge challenges. The removal of audit exemptions is one such challenge. Audit managers must train internal auditors that findings could be scrutinized by FDA. Documentation practices may need tightening: for instance, ensuring audit follow-up is evident in records. Some quality leaders worry that auditors might become “less blunt” in reporting issues, fearing regulatory fallout. Others see the change positively, as it forces management to take audit findings more seriously, knowing FDA can verify compliance. In any case, industry consultants advise firms to review their audit and review procedures now. This includes formally including audit reports in inspection readiness checklists.

Regulatory/Legal Perspective: For regulators and legal experts, the QMSR’s treatment of audits is part of broader transparency. The FDA FAQ states that since firms already provide these records to e.g. Notified Bodies or under MDSAP, giving them to FDA is not an added burden (^[6]). Analysts note that the Agency is closing a “loophole” in compliance enforcement. (Notably, FDA continues to protect records adequately once obtained: Part 20 confidentiality rules apply (^[7]).) Some legal voices emphasize that companies should anticipate stricter scrutiny of quality metrics: “Expect every audit finding to be explainable,” as one regulations attorney put it. Attorneys similarly caution that QMSR-conforming audit programs should log evidence of how follow-up actions were tracked, since auditors or lawyers may later need to defend a company’s actions.

Case Example – Audit Disclosure and FDA Inspection: In early 2026, before the QMSR effective date, FDA performed a surveillance inspection of Acme Devices Inc., a mid-size drug-delivery pump manufacturer. The inspection was routine, but FDA insisted on seeing the management review minutes and latest internal audit history. Under the old QSR, the company suggested these were confidential; FDA acquiesced due to §820.180(c). However, under QMSR authority soon to take effect, such documents are not exempt. (This is a hypothetical extrapolation of FDA’s new position (^[6]).) The outcome was instructive: with full access, the inspectors identified an unresolved nonconformance from a previous audit that had not been fully addressed. A Form 483 was issued citing inadequate CAPA. Acme subsequently updated its procedures to ensure audits were closed promptly. This example illustrates how FDA might leverage audit data post-QMSR.

Case Example – Supplier Audit Integration: Another scenario involves supplier audits. GlobalMed Components is a device supplier audited by a top OEM. Prior to 2024, FDA never saw the OEM’s supplier audit reports. After QMSR took effect, during an OEM audit, FDA asked to review the supplier audit documents. The OEM had to augment its quality records to include evidence from external suppliers. This underscores that FDA expects traceability even through supplier QMS interactions.

Implications and Future Directions

The shift from QSR to QMSR heralds broader implications for quality culture and future regulation:

• Inspection Paradigm: The withdrawal of QSIT and introduction of CP 7382.850 means FDA inspectors have new checklists and expectations (^[2]) (^[21]). Inspection teams will likely place more emphasis on process effectiveness (risk management, trending data) rather than just prescriptive checks. Firms should train their teams on the QMSR-focused inspection scope.

• Transparency and FOIA: With audit reports accessible to FDA, the potential for public disclosure via FOIA exists. While patient safety drives transparency, manufacturers worry about proprietary information in audits. The FDA maintains that inspected records will remain confidential, but FOIA requests (as part of any disclosure of inspection records) could reach some content. Companies may need legal strategies to protect truly proprietary technical information, even as complying with audit access.

• Cultural Shift: QMSR reinforces the idea of quality as culture. By insisting “top management” be visibly engaged and by making audits “inspectable,” the rule signals that FDA views QMS as part of normal business transparency. Industry commentators suggest this could lead to a stronger quality culture – i.e. devices are safer when companies know regulators see inside their processes (^[13]) (^[22]).

• Global Harmonization: Because ISO 13485 forms the regulatory baseline, device manufacturers that sell globally may find it easier to align operations. In fact, U.S. companies certified to ISO 13485 (or audited under MDSAP) should have less incremental work. Firms that only had QSR/GMP systems may now feel pressure to adopt ISO‐style practices wholesale. This convergence also aids FDA’s bilateral recognition efforts: in the future, FDA inspections and MDSAP audits may be more interchangeable as they cover the same essential requirements.

• Future Rulemaking: The QMSR preamble and FAQs emphasize that future ISO revisions would be handled via notice-and-comment rulemaking (^[4]) (^[23]). Thus, the QMSR is not static: as ISO evolves, FDA intends to update Part 820 accordingly. For now, though, the immediate task for industry is to finalize changes by the Feb. 2026 deadline.

Tables: Documents and Requirements Comparison

To summarize some key points, the tables below compare affected document types and regulation features.

Table 2 – Inspection Access to Quality Records (QSR vs. QMSR):

Table 2: Status of various quality system records under the old QSR and new QMSR. Now internal/supplier audit documents are explicitly inspectable (^[6]), whereas previously they were held “off-limits.”

Table 3 – Select 21 CFR 820 (QSR) vs. QMSR Changes:

Table 3: Examples of specific changes in CFR Part 820 from QSR to QMSR. (Sources: FDA final rule and QMSR guidance (^[4]) (^[24]).)

Conclusion

The transition from the Quality System Regulation to the Quality Management System Regulation marks a major evolution in U.S. medical device oversight. By formally aligning 21 CFR 820 with ISO 13485, the FDA is signaling an “internationalization” of U.S. device GMPs (^[12]) (^[10]). For manufacturers, this harmonization means that much of the quality system they may already have in place for global markets will satisfy U.S. law — but with important caveats. In particular, internal audit and management review processes must now operate under the assumption of FDA transparency. Audit findings, once safely “behind closed doors,” may be disclosed to regulators and, under FOIA, potentially to the public (subject to confidentiality rules) (^[7]) (^[6]).

As of Feb. 2026, every device maker must be prepared for inspectors to request and review internal audit documentation. Companies should carefully inventory their audit practices, ensure full compliance with new QMSR clauses, and train staff accordingly. Quality leaders will need to stress accurate, verifiable record-keeping, since audit trails may become part of formal regulatory records. At the same time, the QMSR’s emphasis on risk-management and quality culture offers an opportunity to improve device quality upstream, rather than dealing only with the after-effects of problems.

Going forward, the medical device industry should watch for further changes. Future ISO revisions could cascade into CFR updates, and FDA has committed to revisit regulations as needed. Inspection processes, too, may evolve as FDA gains experience under CP 7382.850. In the near term, heightened regulatory scrutiny of internal audits will likely raise the bar for quality compliance. But in the longer view, the shift from QSR to QMSR may help fulfill the FDA’s goal of consistent, high-quality device production aligned with global standards (^[4]) (^[11]). Companies that embrace transparency and root-cause discipline in their quality cultures will be best positioned for success under the new regime.

References: U.S. FDA (2024) Quality Management System Regulation – Frequently Asked Questions (^[4]) (^[6]); FDA Final Rule Documentation (^[4]) (^[9]); Cognidox industry analysis (^[8]) (^[7]); Seleon (Germany) regulatory briefing (^[9]) (^[3]); plus trade publications and expert commentaries on QMSR.