
FDA QMSR changed what 21 CFR 820 requires for supplier control on 2 February 2026, and the gap it exposes sits between onboarding and today.
Quick answer: FDA QMSR amended 21 CFR Part 820 on 2 February 2026. The purchasing controls that sat in 21 CFR 820.50 now come from ISO 13485 clause 7.4. The record FDA inspectors ask for first is a dated, ongoing monitoring record showing supplier status since onboarding. Most programmes have a qualification file. Few have the monitoring record. That gap is where a Form 483 observation lands.
Key takeaways
FDA QMSR is the Quality Management System Regulation – the FDA’s rewrite of 21 CFR Part 820, the rule that sets quality system requirements for medical device manufacturers in the US. It came into force on 2 February 2026.
QMSR keeps 21 CFR 820 as its legal home but builds its requirements on ISO 13485:2016, which it incorporates by reference. A device sold in the US is now assessed against an ISO 13485-based quality system during an FDA inspection, with a small set of FDA-specific requirements kept on top.
If your company already holds ISO 13485 certification, most of your quality management system maps across. The work sits in the detail — confirming procedures and supplier controls reference the right clauses, and that the evidence those clauses require actually exists in the form an inspection expects.
For the primary source, see the FDA QMSR programme page and the Federal Register final rule (2024-01709).
In one line: QMSR is 21 CFR Part 820 rebuilt on ISO 13485:2016. Live since 2 February 2026. For supplier quality teams, purchasing controls move from 820.50 into clause 7.4 — with an explicit ongoing monitoring obligation.
21 CFR Part 820 is the section of the US Code of Federal Regulations holding the FDA quality system requirements for medical devices. It is the legal home of the rules a manufacturer follows to design, produce and release a device for the US market.
QMSR did not delete Part 820. It rewrote what sits inside it. Before 2 February 2026, 21 CFR 820 was a standalone US regulation in FDA language. After that date, the same Part 820 incorporates ISO 13485:2016 by reference. The citation survives. The requirements inside it changed.
For supplier teams, this is the operational headline: procedures citing specific QSR section numbers are now outdated. The equivalent duties come from ISO 13485 clauses.
21 CFR 820 under QMSR: Part 820 is still the FDA quality system regulation. It now incorporates ISO 13485:2016 by reference. For supplier control, the section number changes from 820.50 to clause 7.4. The obligation does not shrink.
The old QSR was a standalone US regulation in FDA language. QMSR keeps the legal authority of 21 CFR 820 and builds its requirements on ISO 13485:2016. The table below maps the differences that affect supplier quality work.
| Area | QSR (until 1 Feb 2026) | QMSR (from 2 Feb 2026) |
|---|---|---|
| Regulatory basis | Standalone US regulation, 21 CFR 820 in FDA language | 21 CFR 820 with ISO 13485:2016 incorporated by reference |
| Supplier and purchasing controls | Prescriptive rules in 820.50 | ISO 13485 clause 7.4 — risk-based, explicitly ongoing |
| Risk management | Limited explicit risk language | Risk-based thinking throughout the standard |
| Terminology | US-specific (e.g. Device Master Record) | ISO-aligned (e.g. medical device file, clause 4.2.3) |
| Documentation | 820.180 record requirements | ISO 13485 clause 4.2 plus retained FDA records |
| Monitoring obligation | Implied in 820.50(a) only | Explicit under clause 7.4.1 with clause 8.4 |
The last row is where most programmes are exposed. The monitoring obligation was implied before. Under QMSR it is written into the regulation.
The change that lands Form 483 observations: A supplier programme that satisfied the implied monitoring standard under the QSR does not automatically satisfy the explicit clause 7.4.1 obligation under QMSR. A qualification record is not a monitoring record. These are different evidence types.
Image: QSR vs QMSR
21 CFR 820.50 was the Purchasing Controls section of the old QSR. Under QMSR, that section is superseded. The same duties now come from ISO 13485 clause 7.4, across three sub-clauses.
| Sub-clause | What it covers | Replaces |
|---|---|---|
| 7.4.1 | Supplier evaluation, selection and ongoing monitoring — risk-based | 820.50(a) |
| 7.4.2 | Purchasing information — specifications, quality agreements | 820.50(b) |
| 7.4.3 | Verification of purchased product — incoming inspection, CoCs | 820.50, 820.80(b) |
| 8.4 (with 7.4.1) | Analysis of supplier data — ongoing, risk-sized | No direct QSR equivalent |
The last row has no direct predecessor in the QSR. Clause 8.4 read with 7.4.1 creates the ongoing monitoring obligation that most current supplier programmes do not carry evidence for. This is the operational core of any mature supply chain risk management programme applied to the FDA context.
Document review flag: If your supplier SOPs still cite “21 CFR 820.50” as at June 2026, that is an audit flag. Procedures should now reference ISO 13485 clause 7.4 as incorporated by 21 CFR 820 under QMSR. A one-day document review catches stale references before an investigator does.
The supplier obligations under ISO 13485 and the former QSR are the same in substance. The reference point moves from a section number to a clause. One duty changes materially: ongoing monitoring moves from implied to explicit.
| Supplier duty | 21 CFR 820 (QSR) | ISO 13485:2016 (QMSR) |
|---|---|---|
| Evaluate and select suppliers on risk | 820.50(a) | Clause 7.4.1 |
| Agree purchasing requirements and quality agreements | 820.50(b) | Clause 7.4.2 |
| Verify purchased product on receipt | 820.50, 820.80(b) | Clause 7.4.3 |
| Monitor and re-evaluate suppliers over time | Implied in 820.50(a) | Explicit – clause 7.4.1 + 8.4 |
The fourth row is where most programmes have a gap. A well-run vendor due diligence programme with defined refresh cycles gives this obligation its evidence – but only if the monitoring record is dated and continuous.
A supplier control programme that holds up under inspection produces six categories of evidence. Each maps to a clause in ISO 13485 clause 7.4 or 8.4.
Approved supplier list with risk tiers
A current approved supplier list with each supplier placed in a tier – critical, major or minor – and the reason for each tier recorded. Clause 7.4.1. This is the document an investigator asks for first.
Supplier quality agreements
Signed agreements setting out the quality requirements each supplier has accepted. Clause 7.4.2. The one element a static document can fully satisfy. Investigators expect it and then look past it for the monitoring record.
Incoming verification records
Records showing how you verify purchased product – incoming inspection logs, certificates of conformance. Clause 7.4.3. Depth of verification should scale with the supplier’s risk tier.
Ongoing monitoring records (most commonly missing)
Dated records showing you watch critical and major suppliers between audits: scorecards, performance data, enforcement actions, warning letters, ownership changes. Clause 7.4.1 with clause 8.4. This is the record most programmes do not have.
Re-evaluation and supplier audit records
Evidence that you re-assess suppliers on risk and conduct audits for higher-risk suppliers. Re-evaluation should be event-triggered as well as calendar-scheduled. A warning letter mid-cycle warrants an out-of-cycle review.
Supplier corrective action (SCAR/CAPA) records
Records showing how supplier issues are raised, investigated and closed – with objective evidence of effectiveness. This proves the loop closes when a problem is found, not that problems are logged and left.
The inspection test: An investigator picks one critical supplier and asks for the full trail – approval, monitoring since approval, any changes, what you did. Four of the six evidence elements must show a record that builds over time. One snapshot file fails four of six.
These are the errors that appear most often in readiness reviews and as Form 483 observations. Each one is an operational failure, not a procedure gap.
1. Leaving 820.50 in the SOP header
Supplier procedures that still cite “21 CFR 820.50” as the regulatory reference, four months after it was superseded. The activity described may be correct. The citation tells an investigator the document has not been reviewed since the QMSR transition. Notified body auditors notice it without being asked.
2. Treating the approved supplier list as a static register
A list with no version date, no risk tiers, no removal history. Clause 7.4.1 requires the list to reflect current approved status. A supplier that has received a warning letter, changed ownership or subcontracted critical work should not hold the same approval status as before those events.
3. Counting the quality agreement as the monitoring record
A signed supplier quality agreement satisfies clause 7.4.2. It does not touch the monitoring requirement in clause 7.4.1 or clause 8.4. Some teams produce a good agreement and stop, leaving no evidence of what has happened to the supplier since signing. These are different evidence types covering different obligations.
4. Running re-evaluation only on a fixed annual calendar
Clause 7.4.1 requires re-evaluation proportionate to risk — not once per year for all suppliers. A critical supplier that receives a warning letter in March should not wait until the December review cycle. Fixed-calendar programmes produce predictable gaps. Inspections find them.
5. Closing supplier corrective actions on paper only
SCARs marked closed with “supplier confirmed resolution” and no verification that the fix worked. Clause 8.5 requires objective evidence of effectiveness. A CAPA closed without a follow-up check does not close the loop under QMSR. This is the pattern that triggers repeat observations.
The pattern across all five: These are not procedure failures. The procedures often describe the right activities. The failure is that the organisation is not running the programme as described, and the absence of a dated record makes that visible on inspection day.
An FDA investigator wants proof that supplier control runs continuously and responds to risk. A clean procedure document is the entry point, not the answer. The records that carry weight are the ones that show what happened between onboarding and today.
The standard approach: pick a critical supplier and follow the trail. How it was qualified. What happened since. What changed. What the manufacturer did. An investigator running this sequence on a supplier approved in 2022 with nothing recorded since will find a gap every time.
Worth knowing
A supplier approved in 2022 is your biggest inspection risk in 2026 if nothing has been recorded about them since. An onboarding file with nothing after it does not read as control. It reads as an unmonitored supplier.
When a Form 483 observation lands on supplier control, it identifies this gap: a programme that can show qualification but cannot show what happened after it. A repeat finding escalates to a warning letter. A second can escalate to a consent decree. The sequence is predictable and avoidable.
Neotas provides enhanced due diligence and continuous monitoring for higher-risk suppliers, producing the timestamped records and audit trail an FDA inspection asks for.
A supplier-control finding is not just a regulatory event. These are the financial consequences of a gap that continuous monitoring prevents.
A supplier-control finding also signals to every customer, partner and competitor that your quality system has an open gap. In a market where contract manufacturers hold multiple device clients, the reputational damage compounds beyond direct remediation cost.
The Neotas Supplier Evidence Standard whitepaper sets out the full cost of a supplier-control finding under QMSR, the five-step path to close the gap, and the Supplier Evidence Continuum framework.
A gap analysis compares what your supplier programme does today against what 21 CFR 820 under QMSR expects and gives you actions to close the difference. A focused supplier-control version runs in five steps.
What most teams find: Steps one and two take a day or two. Step three is where the real exposure surfaces. Most quality teams reach step three and realise the monitoring record simply does not exist for any of their critical suppliers.
A complete third-party risk management framework already carries the tiering and cadence this plan needs, so most of the architecture is reused rather than built from scratch.
Once the gap analysis names the gaps, the next deliverable is an implementation plan with owners and dates. This 90-day sequence closes the highest inspection risk first.
| Phase | Actions | Output |
|---|---|---|
| Days 1–30 | Re-cite all supplier SOPs to ISO 13485 clause 7.4. Review and update the approved supplier list. Set risk tiers and document the tier criteria. | Updated procedures and a tiered approved supplier list |
| Days 31–60 | Stand up ongoing monitoring for critical and major suppliers. Define signals to track, frequency, and owner for each check. | A live monitoring record for every critical supplier — highest priority |
| Days 61–90 | Wire supplier issues into SCAR and CAPA with closure evidence. Run one re-evaluation and one supplier audit. Walk the inspection trail end to end. | A defensible evidence file you can produce at short notice |
Point-in-time qualification fails because clause 7.4.1 requires monitoring, and an inspection asks about a period a single check cannot cover.
A supplier approved in one quarter can change in the next. Ownership transfers. A site receives a warning letter. A material is recalled. None of that shows up in a qualification record dated months earlier.
Most supplier programmes were built on an annual or two-yearly re-qualification cycle. That cadence leaves long windows where the manufacturer has no current view of supplier status. Under QMSR, those windows are exactly what an investigator examines.
The inspection liability: Periodic qualification produces periodic evidence. An inspection is not periodic – it happens when it happens, and it asks for the current state. A programme that can only produce last year’s picture is exposed, however accurate that picture was.
Continuous monitoring closes the gap by turning supplier oversight into a record that always reflects the current state. Instead of a status fixed at onboarding, a supplier’s standing is checked on an ongoing basis, each check dated and logged.
Neotas runs continuous, analyst-verified supplier monitoring for regulated manufacturers. The service combines open-source intelligence and adverse media screening across 200+ languages with analyst review. Signals such as enforcement actions, warning letters, ownership changes and reputational events are surfaced, assessed and recorded. Every check produces a timestamped entry and a full audit trail. Neotas is rated in the Chartis FCC50 as a leading financial crime compliance technology provider.
That sits alongside enhanced due diligence for higher-risk suppliers and connects to the wider third-party risk management framework a manufacturer runs.
How continuous monitoring closes the gap: Analyst-verified, timestamped monitoring keeps supplier status current and produces the auditable record that QMSR clause 7.4.1 and 8.4 call for. The evidence file is always current — not assembled the week before an inspection.
QMSR is the FDA quality system regulation for the US market. MDSAP — the Medical Device Single Audit Program — is an audit scheme allowing a single audit to satisfy multiple regulators: the US FDA, Health Canada, Australia’s TGA, Brazil’s ANVISA and Japan’s PMDA.
Both rest on ISO 13485. A supplier programme built to clause 7.4 with documented risk tiers, ongoing monitoring and supplier corrective action produces evidence that works for a QMSR inspection and for an MDSAP audit of the purchasing process. You build it once.
Run one ISO 13485-based programme with strong monitoring evidence. It serves both QMSR and MDSAP without duplication — the same logic behind a single supply chain risk management programme serving multiple regulatory obligations.