News

Quality culture under QMSR: What FDA really wants—and how leaders can deliver

29 December 2025
""
""

When the U.S. Food and Drug Administration (FDA) finalized the Quality Management System Regulation (QMSR), it did more than modernize 21 CFR Part 820. The preamble explains that the rule primarily incorporates ISO 13485:2016 to harmonize U.S. device CGMP with global QMS expectations—reducing redundancy while preserving assurance that firms can “consistently manufacture devices that are safe and effective.”

However, perhaps one of the most significant messages is cultural: FDA emphasizes that quality must be led by management, supported by risk-based decisions, and embedded in continuous improvement—not treated as a compliance exercise for inspection day. The effective date is February 2, 2026; culture and risk management are the long-lead items.

What the Preamble says—Including comment 27

FDA’s response to Comment 27 makes its expectation clear:

“FDA expects medical device manufacturers, led by individuals with executive responsibilities, to embrace a culture of quality as a key component in ensuring the manufacture of safe and effective medical devices that otherwise comply with the FD&C Act.

A culture of quality meets regulatory requirements through a set of behaviors, attitudes, activities, and processes.”

(Federal Register, 89 FR 7496)

This statement moves beyond technical compliance. FDA is signaling that culture is measurable through behaviors and processes—and that leadership accountability is non-negotiable. The comment also clarifies that quality must be established during design and achieved through controlled manufacturing—not inspected in at the end. This is a cultural expectation, not a procedural tweak.

Culture of Quality: What it looks like

Culture is demonstrated through decisions and actions. ISO 13485 Clause 5 (Management Responsibility), now incorporated into QMSR, sets the tone: leadership commitment, quality policy, measurable objectives, planning, and management review. These requirements are intended to be practical and visible, not theoretical.

For example:

  • Management reviews should include trend analysis, resource allocation, and documented decisions—not just summaries or a checklist.
  • Risk-based thinking should influence supplier selection, process validation, Corrective and Preventive Actions (CAPA), and complaint handling—not just design controls or recalls.
  • Training programs should build judgment and accountability—not just SOP memorization.

Is your quality culture ready for QMSR?

To meet FDA’s expectations, organizations should evaluate whether their practices reflect both compliance and cultural maturity. Here’s how to translate Comment 27 into action:

1. Leadership Commitment—FDA expects executives to own QMS effectiveness, not delegate it to QA alone.

  • What this means: Leadership must set measurable quality objectives, review performance, and allocate resources when risks arise.
  • Example: If a supplier audit reveals a critical risk, leadership should approve immediate corrective actions and budget adjustments—not defer to “next quarter.”
  • Why it matters: ISO 13485 Clause 5 requires demonstrable commitment. FDA will look for evidence in management review minutes, application of risk management principles, resource allocation records, and strategic dashboards.

2. Quality Policy and Communication—Culture starts with clarity and alignment.

  • What this means: The quality policy should connect patient safety to business objectives and be communicated across all levels—not just words posted on a wall.
  • Example: Operators should be able to explain how their work impacts product safety during an audit.
  • Why it matters: FDA expects behaviors and attitudes that reflect understanding, not rote compliance. A well-communicated policy drives accountability and decision-making.

3. Risk-Based Thinking Everywhere—Risk is not a checkbox—it’s a mindset.

  • What this means: Risk assessments must be proactive and not just reactive, influence design, supplier qualification, internal audits, process validation, labeling controls, CAPAs, and complaint trending.
  • Example: When changing a component, document risk analysis and link it to design validation and supplier requalification.
  • Why it matters: QMSR aligns with ISO 13485 and ISO 14971 principles. FDA expects risk integration throughout the lifecycle, not just in design controls.

4. Management Review as an Engine—Reviews should drive improvement, not serve as ceremonial meetings.

  • What this means: Management reviews must include comprehensive inputs (e.g., audit results, complaints, supplier performance, CAPA trends) and produce documented and actionable outputs.
  • Example: A strong review results in assigned owners, deadlines, and effectiveness checks—not just “noted” findings or actions to be placed on the next review agenda.
  • Why it matters: FDA will look for evidence that reviews lead to measurable improvements and resource commitments.

5. Continuous Improvement—CAPA is cultural, not just corrective.

  • What this means: CAPAs should be risk-based and preventive, addressing issues before they escalate to systemic problems.
  • Example: Use statistical signals (e.g., SPC charts, Pareto analysis) to trigger CAPA before harm occurs.
  • Why it matters: QMSR expects effectiveness verification—not just closure. FDA will review CAPA files for root cause analysis and follow-up actions.

6. Supplier Quality—Your culture extends beyond your walls.

  • What this means: Supplier quality must be integrated with design, process, and labeling controls. Risk ranking and ongoing monitoring are essential.
  • Example: If a supplier provides a critical component, review their processes to ensure that they have been validated, or that test methods have been validated. Review their calibration record to ensure that the calibrations cover the whole range of measurement – not just a single point.
  • Why it matters: FDA expects quality to be built in—not inspected in. Supplier failures often lead to recalls; proactive oversight demonstrates cultural maturity.

7. Training and Engagement—Culture is taught and reinforced.

  • What this means: Training should build judgment and accountability—not just SOP memorization. Employees should feel empowered to raise concerns without fear.
  • Example: Use case studies where a single shortcut led to patient harm to teach decision-making. Verify that the testing was effective, not just performed.
  • Why it matters: FDA will assess whether employees understand the “why” behind procedures and whether leadership fosters open communication.

Bringing it together

Comment 27 is clear: FDA expects executive-led quality, where leadership integrates QMS processes so quality is designed-in and controlled-in, not discovered by inspection. Aligning these cultural elements with QMSR requirements creates a roadmap for readiness.

QMSR provides the framework; culture provides resilience. FDA has said it plainly:

“A culture of quality is critical.” The question is whether leadership will make that culture real before February 2026. Start now—because culture cannot be rushed.




Authored by Jodi Scott and Mike Heyl.

Related topics

Related countries

Load more

Related keywords

Load more

Articles you may be interested in

image_1
News

FDA Device Guidance Agenda: What to Watch in 2026

15 October 2025
image_1
News

Publicly Traded Life Sciences Companies and Artificial Intelligence: Disclosing Risk Factors

30 October 2024
left_arrow
right_arrow

View more insights and analysis

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register