QMSR Is Live: What Medical Device Manufacturers Need to Do About FMEA in 2026
The FDA’s Quality Management System Regulation (QMSR) took effect on February 2, 2026. If you manufacture medical devices for the US market, the regulatory ground has shifted under your quality system. 21 CFR 820 is gone. ISO 13485:2016 is now incorporated by reference. Risk management is no longer a nice-to-have section of your design history file. It is the backbone of your entire QMS. Companies that treated FMEA as a standalone compliance artifact are now scrambling to close gaps before their next FDA inspection. Here is what changed, what inspectors will look for, and what you need to do about your FMEA process now.
What Changed: From 820 to QMSR
For over 25 years, 21 CFR Part 820 defined the quality system requirements for medical device manufacturers in the United States. The QMSR replaces it. The core change: instead of maintaining a US-specific quality system regulation, FDA now incorporates ISO 13485:2016 by reference, with certain FDA-specific additions.
What this means in practice:
- ISO 13485 is now the law. It is not a voluntary standard you adopt for competitive advantage. It is the regulatory requirement. FDA inspectors will evaluate your QMS against ISO 13485 clauses.
- Risk management must be integrated throughout the QMS. ISO 13485 requires that risk management be applied across the product lifecycle: design, production, post-market. This is not a paragraph in your quality manual. It is a demonstrable, documented practice that touches every process.
- ISO 14971 is the risk management standard. While QMSR does not explicitly mandate ISO 14971, it is the recognized consensus standard for medical device risk management. If your risk analysis does not align with ISO 14971, you will need a strong justification for whatever you are using instead.
- Post-market surveillance feeds back into risk. The QMSR reinforces that risk management is not a design-phase activity. Complaint data, CAPA records, and field performance data must inform your risk analysis on an ongoing basis.
The transition period is over. If your quality system was built around 820’s prescriptive requirements and your risk files were last updated during your previous design review, you have a gap.
What FDA Inspectors Now Look For
FDA investigators have been trained on the new regulation. Their inspection approach reflects the ISO 13485 framework. Here is what they will evaluate:
Risk management integrated into the QMS, not siloed. Inspectors will look for evidence that risk management is not a standalone document filed in a design history folder. It should connect to design inputs, design outputs, process validation, supplier management, and post-market activities. If your risk file exists in isolation from the rest of your quality system, that is a finding.
Risk files that update with post-market data. A risk analysis created during design and never revised is a red flag. Inspectors will check whether complaint data, CAPA records, and field performance have been evaluated against your risk analysis. If you received 50 complaints about a failure mode rated “remote” in your risk file, expect a 483.
Evidence that risk controls are verified and validated. Every risk control measure in your FMEA or risk analysis must have corresponding verification and validation evidence. Inspectors will trace from the identified hazard to the control measure to the test record that proves the control works. Gaps in this chain are among the most common observations.
Traceability from hazard to control to verification. This is the thread that runs through everything. A hazardous situation identified in your risk analysis should trace to a design input, a risk control, a verification activity, and production controls. Inspectors will pull the thread. If it breaks, you have a problem.
Where FMEA Fits in QMSR Compliance
FMEA (specifically design FMEA and process FMEA) is the structured method most manufacturers use for hazard identification and risk evaluation per ISO 14971. It is not the only method, but it is the most common and the most auditable.
Under QMSR, your FMEA is your risk evidence. It is the document that demonstrates you identified hazardous situations, evaluated their severity and probability, implemented controls, and verified those controls work. It is what inspectors will ask to see.
This creates a problem for many companies. Their FMEAs were built for a different regulatory context. Common issues:
- FMEAs that live in outdated Excel spreadsheets. No revision history. No link to post-market data. No traceability to verification records. These will not survive a QMSR-era inspection.
- FMEAs that use RPN as the sole risk evaluation metric. ISO 14971 requires evaluation against defined acceptability criteria, not just a ranked list. If your risk decisions are based on RPN thresholds alone, your methodology may not align with the standard.
- FMEAs disconnected from the rest of the QMS. If your FMEA does not link to design inputs, CAPAs, or complaint records, it cannot demonstrate the integrated risk management that ISO 13485 requires.
- FMEAs that have not been updated since initial design. Post-market risk management means your risk file is a living document. If your FMEA does not reflect field data accumulated since launch, it is incomplete.
What ‘Adequate’ Risk Analysis Looks Like
An adequate risk analysis under QMSR and ISO 14971 is specific, traceable, and current. Here is what that means for your FMEA:
Every hazardous situation traced to a design input. Each row in your FMEA should connect to a specific intended use, user need, or design requirement. Generic failure modes copied from a template without connection to your actual device will not hold up.
Severity and probability rated per ISO 14971 scales. Use defined severity categories and probability levels, not arbitrary 1-10 scales inherited from automotive FMEA. Your rating criteria should be documented, justified, and consistently applied. Medical device risk evaluation requires severity based on patient harm, not manufacturing inconvenience.
Risk controls linked to verification activities. For every risk control in your FMEA, there should be a corresponding verification or validation record. If you list “biocompatibility testing” as a control, inspectors will ask for the test report. If you list “labeling warning,” they will ask for evidence of usability validation.
Post-market data feeding back into the risk file. Your FMEA should have a documented process for incorporating complaint data, adverse events, and CAPA outcomes. This is not optional under ISO 13485. It is a requirement of Clause 8.2.1 (feedback) and Clause 7.3.9 (design changes).
Complaint-driven updates. When complaints reveal a failure mode not in your FMEA, or when field data contradicts your probability rating, the risk file must be updated. The update should be traceable: what triggered the change, what was evaluated, what was the decision.
What Happens When It’s Not Adequate
Inadequate risk management is not theoretical. FDA 483 observations are public record, and recent inspections show exactly what happens when risk files fall short.
IsoTis OrthoBiologics (February 2026). During a February 2026 inspection, FDA investigators found that the firm had rated contamination events as “Improbable” in their risk analysis despite having documented evidence of contamination occurrences. The probability rating directly contradicted their own data. When your risk file says something is improbable but your complaint records show it has happened, the disconnect is indefensible.
Apotex (October 2025). In an October 2025 inspection, investigators cited Apotex for failing to adequately investigate leak testing failures. The firm had data showing leaks but did not connect it back to their risk analysis or initiate appropriate corrective action. The failure was not in the testing itself. It was in the feedback loop between production data and risk management.
These are not edge cases. They represent the most common pattern in FDA observations: a gap between what the risk file says and what the data shows. Under QMSR, this gap is even more visible because inspectors are now evaluating against ISO 13485’s explicit requirement for risk-based quality management.
The consequences are familiar but worth restating: 483 observations, warning letters, import alerts, consent decrees. For companies with products on the market, a risk management finding can cascade into design change requirements, field actions, or market withdrawal. The cost of remediation always exceeds the cost of doing it right in the first place.
How to Prepare
If you have not already aligned your risk management process to QMSR requirements, start now. These are practical steps, not aspirational goals.
Audit your current risk files. Pull every FMEA and risk analysis for your marketed devices. Check the last revision date. If the risk file has not been updated since initial design review, it is likely out of compliance. Identify which products have the largest gap between risk file status and post-market data.
Check for traceability gaps. For each hazardous situation in your FMEA, verify that you can trace to: (1) a design input or intended use, (2) a risk control measure, (3) a verification or validation record, and (4) production or process controls. Document every gap. Prioritize by product risk class.
Update probability ratings with post-market data. Pull complaint data, adverse event reports, and CAPA records for the past 3-5 years. Compare the failure modes in your complaint database against those in your FMEA. Where complaint data contradicts your probability ratings, update the FMEA. Where complaints reveal failure modes not in your FMEA, add them.
Ensure complaint records link to risk analysis. Establish a documented process that connects your complaint handling system to your risk files. When a complaint is investigated, the investigation should include an evaluation of whether the risk analysis needs to be updated. This should not be a discretionary step. It should be procedural.
Review your risk evaluation methodology. If you are using RPN as your primary risk evaluation tool, evaluate whether your methodology aligns with ISO 14971. The standard requires risk acceptability decisions based on defined criteria, not just numerical ranking. Update your risk evaluation procedure if needed.
Consider AI-assisted generation to close gaps at scale. If you have dozens of products with risk files that need updating, manual remediation may take months. AI-powered tools can ingest your device specifications, complaint data, and existing risk files to generate draft FMEAs that you review and refine. This is particularly valuable when the volume of work exceeds your team’s capacity.
How Tacit AI Approaches This
Tacit AI is the first FMEA platform where the risk analysis stays alive after approval. Generation is the on-ramp. The living system is the product.
ISO 14971 risk analysis from device specs. Provide your device description, intended use, and design inputs. Tacit AI generates a draft FMEA with hazardous situations, severity and probability ratings aligned to ISO 14971 scales, and risk control recommendations. Engineers review and refine. The first draft takes days, not months.
Every row traced to source. Each failure mode, severity rating, and control measure links to the source data it was derived from. When an inspector asks “why did you rate this as serious?” you can show exactly where the rating came from.
Complaints and CAPAs close the loop. Post-market data is semantically matched to existing risk analysis rows. When a complaint describes a failure the FMEA didn’t predict, it appears as a gap. When a complaint matches an existing row where controls were verified, it’s flagged as a regression. Probability ratings that contradict field evidence are surfaced automatically. The IsoTis scenario (rating contamination “Improbable” while evidence accumulates) becomes structurally impossible.
The FMEA knows when it’s wrong. This is the capability no static tool has. Your PLM holds the approved risk file. Tacit AI tells you when reality has moved past it. That’s what QMSR’s continuous risk management requirement actually demands.
Learn more about Tacit AI for medical devices or request a working session to see how it works with your data.