TL;DR
- FDA's Quality Management System Regulation (QMSR) replaced most of 21 CFR 820 on February 2, 2026, incorporating the international standard ISO 13485:2016 by reference — the largest change to device-quality regulation in decades (FDA QMSR FAQ).
- The first post-QMSR warning letters carry no grace period. FDA cites violations found during a QS-Regulation-era inspection, then requires the fix be built to QMSR standards instead (FDA Warning Letter to Medline Industries, LP, March 25, 2026).
- CAPA failures under 21 CFR 820.100 are the single most-cited quality-system violation in early-2026 device warning letters: 9 of 17 letters reviewed in one Q1 2026 legal tracker, ahead of design controls (7) and process validation, nonconforming product, and complaint files (6 each) (Covington & Burling, Quarterly Medical Device Warning Letters Update, May 15, 2026).
- QMSR also deletes an old carve-out. FDA can now review internal audits, supplier audits, and management review reports during an inspection, records the prior QS Regulation kept off-limits (FDA QMSR FAQ, Question 8).
- One real case shows what this looks like in practice: a March 2026 warning letter over a syringe-manifold disconnection problem cites 221 complaints, 177 medical device reports, and one report of air injected into a patient, accumulated over roughly three years of a corrective action FDA says never worked.
Is FDA's new device quality rule a compliance reset? The first warning letters say no
"Your most recent inspection... was conducted pursuant to the QS Regulation, which was in effect at the time of the inspection. However, any corrective actions you propose or implement must be pursuant to the QMSR requirements in effect as of February 2, 2026."
That sentence, lifted directly from FDA's March 25, 2026 warning letter to Medline Industries, LP, is the whole story in one paragraph (FDA Warning Letter, Medline Industries, LP, MARCS-CMS 723866). No transition period. No exemption for violations found before the rule took effect. Fix it the old way, and FDA will tell you that fix has to satisfy a different regulation now.
Device manufacturers spent two years hearing that the Quality Management System Regulation, or QMSR, was a harmonization project rather than a stricter one. That framing is technically accurate. It is also not the same thing as a soft landing, and the first wave of post-effective-date warning letters is making that distinction expensive to learn the hard way.
What actually changed on February 2, 2026
FDA's revised Part 820, now titled the QMSR, replaced most of the old Quality System (QS) Regulation on that date, incorporating the international standard ISO 13485:2016 by reference rather than spelling out each requirement in agency-specific language (FDA QMSR FAQ). The final rule itself is not new. FDA published it January 31, 2024, then gave the industry two full years to prepare, a runway few federal rulemakings bother offering.
Three structural changes matter more than the headline harmonization story.
First, the inspection method changed alongside the regulation. FDA retired the Quality System Inspection Technique (QSIT) on February 2, 2026 and moved to a new compliance program, Inspection of Medical Device Manufacturers 7382.850, built specifically around QMSR's structure.
Second, and this is the one compliance teams underrate: the QMSR deletes a carve-out that existed at old 820.180(c). Under the QS Regulation, internal audits, supplier audits, and management review reports were exempt from FDA review during an inspection. Not anymore. FDA's own FAQ confirms investigators can now request those documents directly, on the reasoning that manufacturers already share them with other regulators and international auditors, so producing them for FDA adds no new burden.
Third, a certificate of conformance to ISO 13485 buys nothing at the front door. FDA states plainly that it will not issue or require ISO 13485 certificates, and that holding one from a third-party auditor does not exempt a firm from an FDA inspection. Passing a Notified Body's ISO 13485 audit and passing an FDA QMSR inspection are two separate events, judged by two separate processes.
The letters arriving now don't offer a grace period
The Medline letter answers a question every quality director has been asking privately since the rule's effective date: what happens to a violation FDA's investigator observed in December 2025, five weeks before QMSR took effect, once the warning letter finally goes out in March?
The answer is not "grandfathered." FDA's position, stated in its own FAQ before a single post-QMSR letter existed, is that records created before February 2, 2026 remain fair game during inspection, and that the QS Regulation and QMSR requirements are, in the agency's words, "substantially similar" enough that a firm should be able to map old documentation onto the new framework without starting from zero. That's the theory. In practice, it means a manufacturer cannot point to an inspection date and argue the old rules still apply to the fix. FDA inspected under one regulation and is now demanding remediation under a different one, mid-CAPA, for the same underlying problem.
Case in point: three years of a CAPA that didn't work
Medline's NAMIC Division, a Glens Falls, New York manufacturer of angiographic control syringes and manifolds used in intra-arterial and intravenous contrast-media procedures, is the clearest early example of what this looks like on the ground.
FDA's investigators found that the company had known about a syringe-to-manifold disconnection problem since at least June 2023, when a spike in complaints traced back to excess silicone triggered CAPA-01872 (21 CFR 820.100(a)). The firm's own risk assessment initially rated the issue "low." Its design failure mode analysis, on file at the same company, had already flagged the identical failure mode, loose luer connections, as capable of causing an air embolism, the highest severity rating the firm's own risk framework allows. Those two documents disagreed with each other, and FDA noticed.
The corrective action that followed didn't hold. By the firm's own complaint-per-million tracking, the disconnection rate rose across three straight quarters of 2025, from 16.90 CPM to 16.44 to 26.81, each one above the 15.98 CPM threshold the company itself had set as its verification-of-effectiveness ceiling. By the time FDA's letter went out, the company had logged 221 complaints and filed 177 Medical Device Reports tied to the issue, including one MDR describing air injected into a patient and a separate one describing biohazard exposure to a clinician. FDA rejected the firm's first two rounds of corrective-action documentation as inadequate before Medline finally committed, in a February 27, 2026 response, to a full product removal and filed the corresponding 806 report on March 13, 2026.
The same letter also cites a cleanroom cleaning-and-maintenance gap under 21 CFR 820.70(g)(1), tied to 114 complaints of foreign matter or hair in finished packaging dating back to November 2023, and a design-verification failure under 21 CFR 820.30(f) involving luer connectors redesigned to meet the ISO 80369-7 "NRFit" standard, where FDA found the company had tested only one representative part number instead of the full family of affected connectors. Three separate quality-system failures, three separate multi-year paper trails, one letter, timed to arrive just after the regulatory floor underneath it shifted.
The pattern across early QMSR-era letters
Medline is not an outlier. A quarterly review by Covington & Burling covering warning letters posted through May 15, 2026 found 14 letters issued in Q1 2026 for medical devices, plus three 2025 letters posted late, for 17 total. Eleven of those 17 allege quality-system regulation violations, and the citation frequency lines up closely with what Medline's letter shows in miniature.
| QSR/QMSR citation | Times cited (of 17 letters reviewed) |
|---|---|
| CAPA, 21 CFR 820.100 | 9 |
| Design controls, 21 CFR 820.30 | 7 |
| Process validation, 21 CFR 820.75 | 6 |
| Nonconforming product, 21 CFR 820.90 | 6 |
| Complaint files, 21 CFR 820.198 | 6 |
Source: Covington & Burling, Quarterly Medical Device Warning Letters Update, January-March 2026.
CAPA failures leading the list is not a coincidence. A CAPA system is where a firm's quality data, complaints, MDRs, nonconforming-product records, and audit findings all converge into a single decision: is this fixed, or isn't it. Under QMSR, that convergence point is exactly where FDA is now allowed to look harder, since the internal-audit and management-review carve-out that used to shield some of that upstream data is gone.
What device compliance teams should audit before their next inspection
- Pressure-test CAPA effectiveness checks against real complaint-trend data every quarter, not only at closure. Medline's own thresholds caught the failure; the CAPA process didn't act on that signal until FDA did.
- Reconcile risk assessments against design failure mode analyses before an inspector does it for you. A "low risk" HHE sitting next to a dFMEA rating the same failure mode as its highest-severity item is the kind of internal contradiction FDA now has explicit authority to pull and compare.
- Revisit design verification scope for any product that underwent a standards-driven redesign, ISO 80369-7 connector migrations especially, and confirm every affected part number was tested, not one representative sample standing in for a whole product family.
- Pull your own internal audit reports, supplier audits, and management review minutes and read them the way an investigator now can. These records were built assuming limited external exposure. That assumption expired February 2, 2026.
- Map your quality records against the ISO 13485:2016 clause structure, not just the old Part 820 section numbers. The substance carried over; the citation format did not, and a QMSR-era inspection will be organized around the new structure.
FAQ
Does the QMSR eliminate 21 CFR 820?
No. It amends the title and replaces most substantive sections with incorporation-by-reference to ISO 13485:2016, while retaining certain FDA-specific supplemental requirements the agency determined the international standard doesn't fully cover.
Do warning letters based on pre-February 2026 inspections still count?
Yes. FDA's own position, confirmed in both its QMSR FAQ and the Medline warning letter, is that inspections conducted under the QS Regulation remain a valid basis for citations. The corrective action a firm proposes afterward, though, must meet QMSR requirements.
Can an ISO 13485 certificate of conformance protect a firm from an FDA warning letter?
No. FDA states explicitly that it will not require or issue such certificates and that holding one from a third party does not exempt a manufacturer from FDA inspection.
What records can FDA review now that it couldn't before?
Internal audit reports, supplier audit reports, and management review reports, all previously exempt under old 21 CFR 820.180(c) and now reviewable under QMSR.
What's the single most-cited violation in early QMSR-era warning letters?
CAPA failures under 21 CFR 820.100, cited in 9 of the 17 Q1 2026 letters one legal tracker reviewed, ahead of design controls, process validation, nonconforming product, and complaint file citations.
Getting a CAPA closed out, a design verification scoped correctly, or a complaint file reconciled against MDR data isn't a one-time project. It's an ongoing read of exactly the kind of enforcement signal covered here. Related reading: what makes an FDA warning letter response actually adequate, how to read an FDA inspection classification, and how device-side citation patterns compare to the drug-side ranking for FY2025.
See what a same-day FDA enforcement brief looks like — sample brief →
Sources: FDA, Quality Management System Regulation FAQ; FDA Warning Letter, Medline Industries, LP, MARCS-CMS 723866, March 25, 2026; Covington & Burling, Quarterly Medical Device Warning Letters Update, January-March 2026, May 15, 2026. Byline: The Argus Regulatory Analysis Team. Published 2026-07-12.

