QMSR Just Became Law. Your Document Pile Is Still Sitting in SharePoint.

If your company is ISO 13485 certified, you are mostly fine. Mostly.

If your company is not yet ISO 13485 certified and has been operating under the old QSR for years, you are not fine. And the people in your QA department who are telling you "we're working on it" are telling you that because they don't know what else to say.

The QMSR effective date passed on February 2, 2026. The FDA is now enforcing it.

The gap between "we're working on it" and "we are demonstrably compliant" is wider than most CEOs realize. And the FDA — armed with a new AI-driven enforcement targeting system called Elsa that came online in mid-2025 — is now able to find companies that are exposed faster than ever before.

What changed

The Quality Management System Regulation (QMSR) replaces the old Quality System Regulation (QSR, defined in 21 CFR 820). The change has been in the works since 2024. It became enforceable on February 2, 2026.

The technical summary: QMSR incorporates ISO 13485:2016 by reference. This means the FDA's quality requirements now align with the international standard that most medical device companies already use if they sell internationally. The FDA's stated goal is to reduce the duplicative burden of manufacturers operating under two parallel systems (FDA + ISO).

The practical summary is more nuanced.

Companies that were already ISO 13485 certified — and were managing their FDA QSR compliance as a parallel exercise — got an easy ride. The transition mostly involves updating documentation references and confirming that your existing ISO-aligned procedures meet the FDA's additional statutory requirements (which the QMSR preserved separately).

Companies that were operating only under QSR — domestic-only manufacturers, smaller mid-market companies that never bothered to pursue ISO 13485 — are now in an awkward position. Their procedures, training materials, and design history files reference QSR clause language. The auditor walking into their facility in 2026 expects ISO 13485 risk-based thinking, ISO 13485 terminology, and an integrated risk management framework consistent with ISO 14971. The gap between "we're QSR-compliant" and "we're QMSR-compliant" looks small on paper. In practice, it's the difference between a documented quality system that's been refactored and one that hasn't.

The hidden problem: terminology drift

Even ISO 13485-certified companies have a hidden problem most QA directors won't admit until they're inside an inspection.

Years of SOPs reference QSR clause language. Training materials use QSR terminology. CAPA logs from 2019 use a different vocabulary than CAPA logs from 2025. Design history files mix old and new language. The FDA auditor reading this material is looking for ISO-aligned thinking and finding QSR-era artifacts.

Most of this drift is benign. A reference to "21 CFR 820.30" instead of "ISO 13485 clause 7.3" is fixable. But the deeper problem is the logic underneath the documentation. QSR-era design control thinking was prescriptive and checklist-oriented. ISO 13485-era thinking is risk-based and process-oriented. The two are similar but not identical. Companies whose quality system was built under QSR-era thinking now need to retrofit risk-based logic into procedures that were written without it.

This is exactly the kind of work that's invisible until it's a finding.

Elsa is watching

The FDA quietly launched an internal AI system called Elsa in mid-2025. Elsa analyzes the FDA's complaint databases, adverse event reports, Form 483 observations, and historical inspection outcomes to prioritize which facilities to inspect. Companies with unresolved CAPAs, inconsistent documentation, or anomalous complaint patterns are flagged for earlier and more frequent inspection.

This matters because it changes the math on regulatory risk. The old model was: get inspected every two to four years, prepare hard the quarter before, hope for the best. The new model is: assume you can be flagged for an inspection any time your data shows an anomaly, and operate accordingly.

For QMSR specifically, this means the FDA is now better positioned to identify companies whose stated compliance doesn't match their operational reality. A company that says it's QMSR-compliant but whose complaint files show unresolved investigations from 2024 is the kind of company Elsa is built to find.

Warning letter activity has confirmed the trend. Between July 1 and December 3, 2025, the FDA issued 327 warning letters — a 73% increase over the same period in 2024. Quality system violations remain the most common citation. Complaint files specifically are in the top three most-cited issues, alongside CAPA deficiencies and design control problems.

Where AI credibly helps

This is where the article risks turning into an AI sales pitch. I'll try to keep it honest.

There are three specific places where AI tools are genuinely useful in the QMSR transition, and a longer list of places where vendor marketing oversells.

Document mapping and cross-reference

Your old SOPs reference QSR clause language. A capable language model can read your SOP library and produce a mapping document showing where each procedure references QSR clauses and what the ISO 13485 equivalent reference is. This isn't replacing your QA team's judgment — it's eliminating the 60% of the work that's mechanical. A senior QA person reviewing the AI-generated mapping is much faster than one starting from scratch.

Gap analysis between QSR-era procedures and QMSR/ISO 13485 expectations

Same workflow, more analytical. The agent reads each SOP and flags areas where the underlying logic is QSR-era rather than risk-based. The output is a prioritized list of procedures that need rewriting. Again, this isn't replacing your QA team. It's giving them a roadmap so they can focus their time on the highest-leverage rewrites first.

Drafting harmonized procedures

Once your team has decided on the changes, AI tools can produce first drafts that are properly formatted, internally consistent, and use the right terminology throughout. The QA director reviews, edits, and approves. The agent doesn't make the decisions. It eliminates the 70% of drafting work that's structural.

For complaint handling specifically — which is going to be one of the most-scrutinized areas under QMSR — AI tools can help with initial complaint triage (categorizing incoming complaints by likely severity, identifying duplicates, flagging high-priority items for human review) and with drafting initial investigation reports. The final reportability decision must remain a human judgment. But the work that gets a human to that decision faster can be partially automated.

What AI doesn't replace

The same list of failures I see across every "AI for QA" pitch:

AI doesn't replace the QA director's judgment about whether a complaint is reportable as an MDR.

AI doesn't replace the auditor relationship. Your inspector wants to interview your QA director and your CAPA owners. The interactions are human and they always will be.

AI doesn't replace the CAPA effectiveness verification. A CAPA is closed when human investigation and verification confirm the change is effective in the field. No model can validate that.

AI doesn't replace the design control review. The decision that a design change requires a new 510(k) is a judgment call by your RA team based on the FDA's predicate change guidance. Models can support the analysis. They can't make the call.

Any vendor telling you AI can replace these functions is either lying or doesn't understand the regulation. Walk away.

The companies that will thrive under QMSR

Two patterns will emerge over the next 24 months.

The companies that built their quality system as a document graveyard — SOPs sitting in SharePoint, accessed only when an auditor asks, with no living connection to operational practice — will struggle. They'll have findings. They'll get warning letters. Their inspection cycle times will lengthen. Their product launches will slow.

The companies that treat quality as a living, AI-augmented operational system — where procedures connect to actual practice, where complaints flow into structured triage, where CAPAs are tracked and verified, where design history is current and integrated — will pass inspections faster. They'll ship product faster. They'll absorb new regulations (and there will be more — cybersecurity, AI/ML, PFAS) more gracefully.

The QMSR transition isn't really about the QMSR. It's a forcing function that's revealing which companies have built quality as a competitive operating asset and which have built it as a compliance burden. The first group is about to pull away from the second group, and the gap is going to be hard to close.

What to do this quarter

If you're a CEO or COO at a mid-market device company, three concrete things:

Ask your VP of Quality to walk you through the current state of your QMSR transition. Not the project plan. The current state. What percentage of your SOPs have been mapped? What percentage rewritten? What percentage trained on? If they can't answer in specific numbers, that's the gap.

Ask whether you have a clean complaint file backlog. Open complaints older than 30 days are the most common warning letter trigger in 2025-2026. If the answer is vague, you need to know exactly how vague before the FDA tells you.

Ask whether your team has evaluated AI tools for the document mapping and drafting work. Not buying tools — evaluating them. The companies that integrate AI into their QA operations over the next 12 months will compress their compliance cycle times by 30-50%. The companies that don't will fall further behind.

QMSR was supposed to be a paperwork exercise. For the companies that have the underlying quality discipline, it is. For everyone else, the next twelve months are going to be harder than they're being told.