The scenario that defines the gap
A 400-person Class II device manufacturer received its first post-QMSR FDA inspection in April 2026. The investigator opened with a question that was familiar in shape but new in substance: "Show me the records you maintain under ISO 13485:2016 clause 4.2.3 for product family X."
The QA director's first instinct was to pull up the Device Master Record. The DMR no longer exists under QMSR. It was collapsed into the Medical Device File under §820.181 and ISO 13485 §4.2.3. The procedures had been updated. The eQMS field labels had not. The investigator asked again. The next forty minutes were a hunt.
The inspection didn't fail. But the QA director walked away with one takeaway: we updated our procedures for QMSR. We didn't update our system. The system was bought against language that no longer exists, and the records we produce are organised against requirements that no longer apply.
That's the gap this post is about.
What changed, in one paragraph
QMSR (the Quality Management System Regulation) replaces the operational requirements of the 1996 21 CFR Part 820 with ISO 13485:2016, incorporated by reference, plus a thin layer of FDA-specific provisions (§820.10, §820.15, §820.35, §820.45) covering Medical Device File, signatures, complaint files, and labelling/packaging. Effective date: February 2, 2026. The Final Rule preamble (89 FR 7496) explains the rationale. The FDA Compliance Program 7382.850, the new inspection manual that replaces QSIT, explains how investigators will now read it.
If you've already read Complere's piece on what actually changes for quality systems, this article is its deeper-dive companion: clause-by-clause, eQMS-evidence-first.
Why your eQMS specifically is now in scope
Three QMSR shifts put your eQMS, not just your procedures, under new inspection language.
Records that were "informational" under FDA's old framework are now FDA-inspectable. The 1996 Part 820 had a §820.180(c) exemption that kept management review minutes, internal audit reports, and supplier audit records out of FDA's reach. QMSR removes that exemption. Clauses 5.6, 7.4, and 8.2.4 are now inspection territory. If your eQMS stores those records, the investigator will ask to see them. If your eQMS doesn't, and they're floating in Word documents on someone's drive, the audit trail and version control protections you've built into the eQMS don't apply to them.
The Medical Device File replaces DMR/DHF/DHR. ISO 13485 §4.2.3 collapses three legacy record types into one. The eQMS records you produce need to map to the new construct, not to the old labels.
Software validation of the QMS processes themselves (including the eQMS) is now explicitly inspectable under clause 4.1.6. Investigators will ask for your eQMS validation package. Most packages written before 2024 don't address QMSR explicitly. A pre-2024 IQ/OQ binder won't satisfy the question.
The 12-clause map
Twelve ISO 13485:2016 clauses carry most of the weight in a QMSR-era inspection of your eQMS. Each entry below names what the clause expects in plain language, what an investigator will ask for, what evidence your eQMS must produce, and the question you can paste into a vendor RFP.
Clause 4.1.6 — Software validation of QMS processes
What it says. Software used in the QMS (including the eQMS) must be validated for its intended use, proportionate to risk. The vendor's validation isn't enough; the user's intended use is what gets validated.
What the investigator asks for. Your eQMS validation package: user requirements, intended-use documentation, risk assessment, validation protocols, test execution evidence, and the change-control trail for every release since validation.
What your eQMS must produce. A complete validation package the QA team can produce within minutes (not a pre-2024 IQ/OQ binder) plus a change-management trail showing every vendor release was risk-assessed and the validation updated where needed.
RFP-grade question. What is the format and retention of validation evidence your customers maintain for your eQMS under ISO 13485:2016 §4.1.6? Provide a sample validation package and the change-management workflow your customers use to keep it current across your release cadence.
Clause 4.2.3 — Medical Device File
What it says. A file for each medical device type or family, containing or referencing the records required to demonstrate conformity. Replaces the separate DMR (§820.181), DHF (§820.30), and DHR (§820.184).
What the investigator asks for. The Medical Device File for a specific product family. They will name the family, name the time period, and expect the file (including referenced records) in minutes.
What your eQMS must produce. A unified Medical Device File construct that aggregates design, production, and post-production records by product family, with bidirectional links to source records and a single export the QA team can produce on request. Legacy DMR/DHF/DHR field labels need to be reconciled to the new construct.
RFP-grade question. Show me the Medical Device File construct in your eQMS. How are design, production, and post-production records aggregated by product family? What's the export format an FDA investigator will receive?
Clause 4.2.4 — Control of documents
What it says. Documents required by the QMS must be controlled: approval before issue, review and update with re-approval, identification of changes and current revision status, availability at points of use, prevention of obsolete document use.
What the investigator asks for. The current effective version of a named procedure. The revision history. Who approved each version. Where the previous version is and how it's marked as obsolete.
What your eQMS must produce. Document version control with timestamped approval signatures, full revision history with diff between versions, automatic obsolescence on supersedure, role-based access to the current effective version at the point of use.
RFP-grade question. For a controlled document in your eQMS, show me the audit trail for each revision: who approved, when, what changed, and where prior versions live now.
Clause 4.2.5 — Control of records
What it says. Records demonstrating conformance must be controlled: identifiable, legible, readily retrievable, retained for the regulatory retention period, protected from loss and unauthorised alteration.
What the investigator asks for. A specific record from 18–36 months ago. Retrieval in minutes. Plus: whether the record has been altered since creation and how you can prove it hasn't.
What your eQMS must produce. Records that are append-only at the application layer post-finalisation, with signed audit-trail evidence of integrity. Retention enforced by the system, not by an export-and-pray-to-cold-storage process. Retrieval against named record IDs in seconds.
RFP-grade question. Show me the audit trail for a 24-month-old record. How is record integrity proven? What's your retention enforcement mechanism: system-enforced lock, periodic backup, or operational discipline?
Clause 5.6 — Management review
What it says. Top management must review the QMS at planned intervals. Inputs and outputs specified. Records maintained.
What the investigator asks for. The last three management review records, with full inputs (CAPA performance, audit findings, supplier performance, complaints, regulatory changes) and outputs (decisions, actions, resource allocations). This record was protected by §820.180(c) under the old QSR. It isn't anymore.
What your eQMS must produce. A management review record type with structured inputs from each QMS area (auto-populated where possible), signed-off minutes, action items with owners and timer-driven escalation, and an audit trail connecting each action back to its originating data source.
RFP-grade question. Show me the management review record type. How are inputs aggregated from CAPA, audits, supplier controls, and complaints? How are outputs linked back to the data that triggered them?
Clause 7.3 — Design and development
What it says. Documented procedures for design and development covering planning, inputs, outputs, review, verification, validation, transfer, and change controls, each with records. §7.3 covers what the old §820.30 covered, structured differently.
What the investigator asks for. The design history for a specific product, traced from user needs through design inputs, outputs, verification, validation, design transfer, and any post-market changes. They will trace the chain. They will ask where each linkage is captured in the eQMS.
What your eQMS must produce. A linked design record set where every change can be traced bidirectionally: user need to design input, input to output, output to verification, verification to validation evidence, validation to design transfer. Live traceability matrix, not Excel.
RFP-grade question. Show me the design traceability matrix for a sample product. How are linkages between user needs, design inputs, outputs, verification, validation, and transfer maintained? Can the matrix export in a format an FDA investigator will accept?
Clause 7.4 — Purchasing and supplier controls
What it says. Purchased products must conform to specified requirements. Supplier evaluation, selection criteria, ongoing monitoring, and purchasing controls all need documented procedures and records.
What the investigator asks for. Your approved supplier list. Performance history for a named supplier. The most recent supplier audit. Supplier audit records were protected by §820.180(c) under the old QSR. They aren't anymore.
What your eQMS must produce. A supplier register with risk-classified controls, supplier audit records that link to findings and CAPAs, ongoing performance monitoring with timer-driven re-qualification, and purchasing controls that prevent issuance of POs to unqualified suppliers at the framework level, not by buyer discipline.
RFP-grade question. Show me the supplier audit record type. How are audit findings linked to CAPAs? How does your system prevent purchasing from an unqualified supplier?
Clause 7.5.6 — Validation of processes
What it says. Processes whose output cannot be verified by subsequent monitoring must be validated. Procedures, criteria, equipment approval, personnel qualification, defined methods, defined records for revalidation.
What the investigator asks for. The validation history of a specific process (sterilisation, cleaning, sealing, software-controlled manufacturing). When last validated, what triggered the last validation, what evidence was produced, what triggers re-validation.
What your eQMS must produce. Process validation records with linked equipment qualification, operator qualification, and timer-driven re-validation triggers. Evidence that the eQMS alerts when a re-validation interval is approaching, not after a quarterly review surfaces the gap.
RFP-grade question. Show me a process validation record. How does the eQMS trigger re-validation? What's the audit-trail link between the validation event, the personnel qualification, and the equipment used?
Clause 7.5.9 — Traceability
What it says. Documented procedures for traceability, particularly for implantable medical devices (where serialised traceability is required) and where UDI applies.
What the investigator asks for. A specific UDI or serial number. They will name it. They will ask for the production record, the components used, the personnel involved, the in-process inspections performed, and the distribution record. They will expect this in minutes.
What your eQMS must produce. A serialised production record linked to component lots, equipment used, personnel, in-process records, final release, and shipment. The chain navigable from any node: given a UDI, the system reproduces the full chain.
RFP-grade question. Given a UDI or serial number, what's the time to retrieve the full production history including components, equipment, personnel, in-process records, and distribution? Show me a worked example.
Clause 8.2.2 — Complaint handling
What it says. Procedures for timely receipt, evaluation, investigation, and decision on complaints. Documented, evaluated against reportability criteria, investigated where needed, records maintained.
What the investigator asks for. A specific complaint from the last 18 months. The intake record, the MDR-reportability decision (with documented rationale), the investigation (if conducted), the CAPA decision, the customer communication. A QMSR-era inspection will trace the complaint through every downstream module.
What your eQMS must produce. A complaint intake record that auto-triggers an MDR-decision workflow with timer enforcement, links to investigation and CAPA records bidirectionally, and produces a single timeline export showing the complete chain from intake to closure.
RFP-grade question. Show me a complaint record with its complete downstream chain (MDR decision, investigation, CAPA, customer communication). How is each transition triggered and captured in the audit trail?
Clause 8.2.4 — Internal audit
What it says. Planned internal audits at planned intervals to determine the QMS is effectively implemented and maintained. Auditor independence, audit plan, audit records, follow-up of findings.
What the investigator asks for. Your internal audit schedule. The reports from the last 12–24 months. The findings, the CAPAs that resulted, and the management-review surfacing. This record was protected by §820.180(c) under the old QSR. It isn't anymore.
What your eQMS must produce. An internal audit record type with schedule, scope, auditor identity (with documented independence), structured findings linked to CAPAs, and direct flow into management review inputs. Internal audit results should not require manual aggregation for §5.6 inputs.
RFP-grade question. Show me the internal audit record type. How are findings linked to CAPAs and surfaced in management review? How is auditor independence captured?
Clause 8.5.2 — Corrective action (CAPA)
What it says. Action to eliminate the cause of nonconformities to prevent recurrence. Documented procedures, root cause determination, action evaluation, implementation, effectiveness verification.
What the investigator asks for. A specific CAPA from 12–18 months ago. The source (deviation, complaint, audit finding), the root cause analysis, the action plan, the implementation evidence (with change-control links where applicable), the training assignments (where applicable), and the effectiveness verification with the data behind it. The trace will cross every module boundary.
What your eQMS must produce. A CAPA record linked bidirectionally to its source, with linked Change Control (where applicable), linked Training assignments (where applicable), and effectiveness verification records with timer-driven SLAs. Every cross-module transition must carry its own audit-trail entry. See the multi-tenant SaaS audit-trail problem for why cross-module audit-trail capture is architectural, not procedural.
RFP-grade question. Show me a CAPA from source to closure with all cross-module transitions captured in the audit trail. How does the system enforce effectiveness verification timing?
Three clauses now FDA-inspectable for the first time
The shift most QA leaders haven't fully internalised: 5.6, 7.4, and 8.2.4 used to be protected from FDA review by §820.180(c) of the old QSR. The exemption was specific: management review minutes, internal audit reports, and supplier audit records weren't required to be made available to FDA. QMSR removes the exemption.
Three implications. First, if your eQMS doesn't carry first-class record types for management review, internal audit, and supplier audit, the records are getting produced in Word or Excel, outside the eQMS, where the audit trail and version control don't apply. Second, if those records exist in the eQMS but aren't linked to the data that triggers them (CAPA performance, audit findings, supplier performance, complaints), you'll spend the inspection cross-referencing. Third (and this is the vendor question): ask your eQMS account manager what's on the roadmap for first-class support of these three record types if it isn't there today.
How to use the 12-clause map
Two patterns work well.
As an RFP section. Paste the twelve RFP-grade questions into your RFP as a section titled "QMSR clause-evidence questions." Score each vendor's response 1–5. A response of "we'll need to check with engineering" scores 1. A response that walks through the workflow, the record type, the audit trail, and the export format scores 5. Vendors at 3 or below are vendors retrofitting compliance onto a generic SaaS platform.
As a current-eQMS gap audit. Run the same twelve questions against your current eQMS. For each clause where the answer is "we'd export to Excel and process there" or "the data lives in the integration layer but not the eQMS," you have a QMSR evidence gap. The gaps don't make you non-compliant today, but they're exactly the questions an FDA investigator will ask, and the answers are easier on inspection day if they're solved before then.
What QMSR-era inspectors are actually asking
First post-QMSR inspections began Feb 2, 2026. As of mid-June 2026, the pattern emerging in investigator questioning is grounded in FDA Compliance Program 7382.850, the new inspection manual that replaced QSIT.
The structure of the day shifted. QSIT-era inspections opened with the Management subsystem (management review, management responsibility). CP 7382.850 opens with the same subsystem but now expects to see management review records during the inspection itself, not summarised verbally. That's the §820.180(c) removal in practice.
Citation language in 483s has also shifted. Pre-QMSR citations read "failure to establish per 21 CFR §820.X." Post-QMSR citations read "failure to establish per ISO 13485:2016 clause X.Y.Z, as incorporated by reference under 21 CFR Part 820." The citation difference matters for response language and for procedure update scope.
Complere fit
Complere fits here as a governed quality system that produces the evidence behind each of these twelve clauses in first-class workflows, not in Word and Excel on the side.
- The three newly inspectable clauses — 5.6 management review, 7.4 supplier controls, 8.2.4 internal audit — are first-class record types, with findings linked to CAPAs and audit results flowing into management-review inputs rather than being re-aggregated by hand.
- Document and record control (4.2.4, 4.2.5) run on version-controlled approvals with timestamped signatures and an append-only audit trail at the application layer, so the who-approved-what-and-when question answers itself.
- CAPA (8.5.2), complaints (8.2.2), and design (7.3) are linked across module boundaries, so a source-to-closure trace carries an audit-trail entry at every transition instead of stopping at a hand-off.
- Its CSA-first validation model supports a current, risk-based validation story for the eQMS itself under 4.1.6 — the first artifact every QMSR-era investigator asks for.
That is the point for this post — not a device-industry pitch, just a practical map. Complere supports the teams pursuing ISO 13485 conformity by keeping the clause-level evidence connected and inspection-ready. Where records are already connected, the 12-clause map is a checklist you pass; where they aren't, it's the list of gaps an inspection will find first.




