FDA QMSR 2026: What the New 21 CFR Part 820 Means for US Hospital Tender Compliance
On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) took effect, replacing the Quality System Regulation (QSR) that had governed US medical device manufacturing since 1996. The change is not just a nomenclature update: by incorporating ISO 13485:2016 by reference into 21 CFR Part 820, the FDA has aligned US quality management requirements with the same international standard used by the EU MDR, Canada's MDSAP program, Japan's PMDA, and most other major regulatory markets worldwide.
For medical device suppliers responding to US hospital tenders, the practical impact is immediate. Group purchasing organizations (GPOs), integrated delivery networks (IDNs), and hospital procurement departments are updating their vendor qualification questionnaires and compliance verification processes to reflect QMSR language and requirements. Suppliers who are still presenting QSR-era documentation — particularly older quality manuals and CAPA process descriptions — risk appearing out of compliance even if their underlying quality systems are sound. This guide explains what changed, what procurement teams are now verifying, and what your US tender documentation needs to reflect.
What changed: QSR to QMSR
The QSR, introduced in 1996 and heavily influenced by ISO 9001:1994, served US medical device manufacturers for three decades. Over time, global practice evolved toward ISO 13485 (currently at its 2016 revision) as the dominant international medical device quality management standard — used in EU MDR conformity assessment, the MDSAP single-audit program, and most national registration requirements. The QSR and ISO 13485:2016 had significant structural differences, meaning US manufacturers had to maintain parallel documentation to satisfy both FDA inspections and international market requirements.
The QMSR resolves this by incorporating ISO 13485:2016 by reference. The practical result:
| Area | QSR (legacy) | QMSR (in effect Feb 2026) |
|---|---|---|
| Legal basis | Standalone 21 CFR Part 820 requirements | ISO 13485:2016 incorporated by reference + FDA-specific additions |
| Risk management | Risk analysis referenced but not structured by process | Risk-based approach throughout, aligned with ISO 14971 per ISO 13485 |
| Quality policy | Not explicitly required in QSR language | Documented quality policy and quality objectives required |
| Corrective action | Corrective and preventive action (CAPA) per §820.100 | CAPA per ISO 13485 §8.5.2/8.5.3 — more structured process requirements |
| Design controls | Design controls per §820.30 | Design and development per ISO 13485 §7.3 — additional planning requirements |
| Record requirements | Device Master Record (DMR), Device History Record (DHR) | Documented information per ISO 13485 framework; FDA retains specific record types |
| Supplier controls | Purchasing controls per §820.50 | Purchasing process per ISO 13485 §7.4 — risk-based supplier evaluation required |
| Inspection process | Compliance Program 7382.845 and 7383.001 | Compliance Program 7382.850 (from Feb 2, 2026) |
Note: FDA retained specific additions within the QMSR framework that go beyond ISO 13485 requirements, including complaint handling provisions (§820.198 language preserved), linkage to Medical Device Reporting (MDR) obligations, and correction and removal requirements per 21 CFR Part 806. The QMSR is ISO 13485 + FDA-specific additions, not a pure adoption of the international standard.
What US hospital procurement teams now verify
The QMSR's impact on vendor qualification has been faster than some suppliers anticipated. Major US GPOs — Premier, Vizient, HealthTrust Performance Group, and Intalere — began updating their vendor qualification questionnaire templates in Q4 2025 in preparation for the QMSR's February 2026 effective date. By mid-2026, most Tier 1 GPO formulary applications require QMSR-aligned quality documentation.
The standard US hospital tender or GPO vendor qualification verification process now includes:
- Quality policy and scope documentation: A documented quality policy (required by QMSR/ISO 13485 §5.3) covering the scope of the QMS and alignment with QMSR. Older QSR-era quality manuals that predate ISO 13485 alignment are increasingly flagged in GPO vendor qualification reviews as requiring update confirmation.
- ISO 13485 certificate: For high-risk device categories (Class II and Class III devices, implantables, combination products), ISO 13485 third-party certification from an MDSAP-recognized certification body is now effectively required for Tier 1 GPO formulary access. MDSAP audit reports are accepted as an alternative. The QMSR does not mandate this certificate, but market practice has moved ahead of the regulatory requirement.
- CAPA process documentation: Updated CAPA process description or procedure confirming alignment with ISO 13485 §8.5.2 (corrective action) and §8.5.3 (preventive action). QSR-era CAPA procedures that reference §820.100 without ISO 13485 structure are being returned for update by procurement compliance reviewers at major IDNs.
- FDA inspection history: GPO qualification forms typically require disclosure of FDA 483 observations and Warning Letters in the past 3–5 years. From February 2, 2026, FDA inspections use Compliance Program 7382.850 (QMSR-based) rather than 7382.845 (QSR-based). Suppliers who received a 483 under the QSR inspection program but have since addressed the observations should confirm that their corrective actions are framed in QMSR/ISO 13485 terms in their inspection response documentation — procurement reviewers may cross-check public enforcement databases.
- Design and development documentation: For Class II and III devices requiring design controls, procurement qualification increasingly requests confirmation that design history files (DHFs) reflect QMSR/ISO 13485 §7.3 requirements. The shift from QSR's §820.30 "design plan" language to ISO 13485's "design and development planning" structure affects how DHF indexes should be presented.
- Post-market surveillance records: GPOs conducting annual vendor qualification reviews are requesting evidence of an operational post-market surveillance process consistent with ISO 13485 §8.2.1. This is distinct from MDR reporting — it is the systematic process for monitoring field performance and feeding data back into risk management. Suppliers without a documented PMS process are increasingly blocked at formulary renewal.
GPO and IDN qualification form updates: what to expect
The three largest US GPOs have updated their vendor qualification workflows since the QMSR took effect:
- Premier — Updated the Premier Supplier Quality Questionnaire to explicitly reference QMSR and ISO 13485:2016. ISO 13485 certificate required for all Class II devices; MDSAP audit report accepted as equivalent. New section on post-market surveillance process documentation.
- Vizient — Vizient's Supplier Quality Agreement template updated with QMSR language. Corrective action responses to quality events must now reference ISO 13485 §8.5 rather than 21 CFR §820.100.
- HealthTrust Performance Group — New vendor onboarding checklist references QMSR effective date; existing suppliers required to confirm QMS documentation update by June 30, 2026.
For hospital system IDNs conducting their own procurement (outside GPO frameworks), the QMSR impact is materialising in value analysis committee (VAC) reviews and annual supplier performance assessments. Many hospital systems have adopted ISO 13485 as their baseline quality expectation for medical device suppliers following the QMSR's adoption, particularly for devices used in surgical, critical care, and implantable applications.
QMSR and 510(k) clearance: the documentation relationship
The QMSR governs postmarket quality management — it does not change FDA 510(k) clearance or PMA approval status. For tender purposes, the 510(k) clearance number or PMA approval remains the primary market access documentation demonstrating FDA premarket review. QMSR compliance documentation functions at a different level: it supports vendor qualification and demonstrates that the manufacturer has the operational systems to consistently produce devices to cleared specifications.
The practical interaction between the two in a US hospital tender submission:
| Document | Purpose in tender | QMSR impact |
|---|---|---|
| FDA 510(k) clearance letter / PMA approval | Market access — confirms FDA reviewed and cleared the device | No change — clearance pathway unaffected by QMSR |
| ISO 13485 certificate | Vendor qualification — confirms QMS third-party audit | Now aligned with QMSR; certificates issued against ISO 13485:2016 satisfy the QMSR standard |
| Quality policy statement | Vendor qualification — confirms organisational quality commitment | Now explicitly required; must reference QMSR/ISO 13485 scope |
| CAPA process description | Vendor qualification — demonstrates corrective action capability | Must reflect ISO 13485 §8.5 structure, not just §820.100 language |
| FDA inspection summary | Compliance history — GPOs require disclosure of enforcement actions | Recent inspections now use QMSR criteria (7382.850); frame corrective actions accordingly |
| Device registration (FDA) | Active registration in FDA device registration database | No change — registration requirements separate from QMSR |
ISO 13485 and MDSAP: strategic implications for US tender access
The QMSR's ISO 13485 alignment creates a strategic opportunity for medical device companies operating in multiple markets. The MDSAP (Medical Device Single Audit Program) — a single audit program covering FDA (US), Health Canada, TGA (Australia), ANVISA (Brazil), and PMDA (Japan) — uses ISO 13485:2016 as its basis. A manufacturer with MDSAP certification:
- Satisfies FDA QMSR requirements (FDA accepts MDSAP audit reports as a substitute for routine FDA facility inspections)
- Satisfies Health Canada quality management requirements for medical device licensing
- Supports TGA conformity assessment for Australian market access
- Aligns with ANVISA registration requirements for Brazil (one of the world's fastest-growing medical device markets)
- Supports PMDA registration in Japan
For medical device suppliers managing US hospital tenders alongside international procurement, MDSAP certification is increasingly the single quality management investment with the broadest tender access return. US GPOs that require ISO 13485 certification increasingly accept MDSAP audit reports as equivalent — and some explicitly prefer MDSAP as it demonstrates multi-market regulatory alignment.
Compliance checklist: US tender documentation update for QMSR
Use this checklist to confirm your US hospital tender documentation is aligned with QMSR requirements:
Quality documentation updates
- Quality manual / quality policy: Confirm document explicitly references ISO 13485:2016 and QMSR (21 CFR Part 820, as amended February 2026). Update scope statement if it still references only the legacy QSR.
- CAPA procedure: Update to reference ISO 13485 §8.5.2 and §8.5.3. Confirm the procedure includes effectiveness verification requirements per ISO 13485.
- Design and development procedure: Update references from QSR §820.30 to ISO 13485 §7.3. Confirm design input/output/review/verification/validation/transfer activities are described in ISO 13485 terminology.
- Supplier qualification procedure: Update to reflect ISO 13485 §7.4 risk-based supplier evaluation approach. Document risk classification criteria for suppliers and sub-contractors.
- Post-market surveillance procedure: Confirm documented PMS process per ISO 13485 §8.2.1, including data sources, review frequency, and feedback loops to risk management and CAPA.
Certification and inspection
- ISO 13485 certificate: Confirm certificate scope covers all device families being tendered. Verify certificate is from an IAF-recognized accreditation body. Confirm certificate validity period extends beyond tender contract duration.
- MDSAP audit report: If using MDSAP, confirm the most recent audit report is available for GPO/IDN qualification purposes (reports older than 18 months may not satisfy GPO requirements).
- FDA registration: Confirm current establishment registration and device listing in the FDA device registration database. Verify registration renewal date (annual renewal required by December 31).
- Inspection history summary: Review and update FDA inspection disclosure for GPO qualification. Ensure any 483 observations or Warning Letters cite QMSR-aligned corrective actions, not legacy QSR language.
Market access documentation
- 510(k) clearance or PMA: No change required — confirm clearance is current and device is being marketed within cleared indications and specifications.
- UDI registration (GUDID): Confirm UDI assignment and GUDID database registration for all tendered products. UDI compliance is a separate requirement but is increasingly co-verified with QMSR in vendor qualification.
What to expect from FDA QMSR inspections
FDA inspections of medical device manufacturers shifted to the QMSR inspection protocol (Compliance Program 7382.850) on February 2, 2026. For suppliers, the implications are:
- Inspectors will evaluate quality systems against ISO 13485:2016 requirements as incorporated into QMSR, not just the legacy QSR checklist structure
- CAPA systems will be assessed against ISO 13485's structured root cause analysis and effectiveness verification requirements
- Risk-based thinking — a core ISO 13485:2016 requirement — will be evaluated throughout: risk management procedures, risk-based purchasing controls, and risk-proportionate internal audit programs
- Design controls will be assessed against ISO 13485 §7.3 design and development requirements, including design validation evidence connecting back to intended use and user needs
- Post-market surveillance systems will receive more attention under the new inspection protocol, reflecting ISO 13485's emphasis on closed-loop feedback from field performance to risk management
For hospital tender compliance, FDA inspection outcomes are increasingly monitored by GPO supplier quality teams through the FDA's public warning letter database and 483 observation disclosures required in vendor qualification forms. A QMSR-related Warning Letter or unresolved 483 observation has a more direct path to GPO qualification suspension under the updated formulary management practices at Premier, Vizient, and HealthTrust.
How MedStrato handles QMSR compliance in US tender submissions
MedStrato's compliance engine tracks US tender documentation requirements across the full QMSR/QSR transition period. When your team responds to a US hospital tender or GPO qualification:
- The system verifies that quality documentation on file references QMSR/ISO 13485:2016 rather than legacy QSR language, flagging outdated documents before submission
- ISO 13485 certificate validity dates are tracked against tender contract periods — certificates expiring mid-contract are flagged as a qualification risk
- FDA 510(k) clearance and device registration status are cross-checked against the tendered product list
- UDI/GUDID registration is verified for US market consistency
- GPO-specific qualification form requirements are mapped against available documentation, identifying gaps before the submission deadline
With QMSR now in effect and GPO formulary requirements actively updating, the window to align documentation proactively — before a qualification submission deadline forces a reactive scramble — is narrowing.