For medical device quality managers and regulatory affairs professionals navigating the biggest QMS regulatory shift in three decades.


On February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) officially replaced the Quality System Regulation (QSR) that had governed medical device manufacturing under 21 CFR Part 820 since 1996. Instead of maintaining its own prescriptive requirements, the FDA now incorporates ISO 13485:2016 by reference — aligning the United States with the international quality management standard that most of the world already follows.

The intent is harmonization. The reality, for thousands of device companies, is a compliance migration project that touches every procedure, every work instruction, and every quality record in their QMS.

The Scale of the Problem

There are roughly 6,500 FDA-registered device manufacturers in the United States alone, and over 30,000 companies affected by EU MDR who also sell into the US market. Every one of them needs to demonstrate that their quality system meets ISO 13485:2016 requirements — not just in spirit, but clause by clause, with documented evidence.

For companies that built their QMS around the old 820 structure, this is not a trivial mapping exercise. The QSR organized requirements around management responsibility, design controls, production controls, and corrective actions. ISO 13485 uses a different taxonomy: Quality Management System (Section 4), Management Responsibility (Section 5), Resource Management (Section 6), Product Realization (Section 7), and Measurement, Analysis and Improvement (Section 8). The concepts overlap, but the clause structure, the documentation expectations, and the audit focal points diverge enough to create real gaps.

The traditional approach — hiring a consulting firm to perform a gap assessment — runs $10,000 to $50,000 per engagement. For a mid-size device company with multiple product families, the total cost of QMSR transition can easily reach six figures before a single procedure is rewritten.

QAtrial’s Answer: ISO 13485 Gap Assessment in Two Modes

QAtrial v3.0 ships with a purpose-built ISO 13485:2016 Gap Assessment tool that addresses this transition head-on. What makes it unusual is that it works in two distinct modes, and neither requires a purchase order.

Mode 1: Keyword-Based Static Analysis (No AI Required)

The static assessment runs entirely in the browser. It matches your project’s requirements against all 27 ISO 13485:2016 clauses — from Section 4.1 (General QMS Requirements) through Section 8.5 (Improvement/CAPA) — using curated keyword sets for each clause.

The logic is straightforward: each clause has a set of keywords that indicate coverage. A requirement titled “Design Input Specification Process” containing the description “capture user needs and intended use for design input review” would match against clause 7.3 (Design and Development) on multiple keyword hits. The scoring is simple but effective: two or more matched requirements means “covered,” one match means “partial,” zero means “gap.”

No AI provider needed. No API key. No data leaves your machine. The assessment runs in milliseconds.
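The scoring rule described above, as an added TypeScript sketch; it is not QAtrial's code and is not taken from src/lib/iso13485Clauses.ts. The keyword sets, requirement IDs and function names are constructed for illustration, and it assumes a single keyword hit is enough for a requirement to count as matching a clause.

```typescript
// Added illustration; keyword sets and requirements are constructed, not QAtrial's.
type Requirement = { id: string; title: string; description: string };
type Status = "covered" | "partial" | "gap";
type ClauseResult = { clause: string; status: Status; evidence: Record<string, string[]> };

// Hypothetical keyword registry for three of the clauses named on this page.
const CLAUSE_KEYWORDS: Record<string, string[]> = {
  "7.3": ["design input", "design output", "design transfer", "design change", "user needs"],
  "8.5": ["corrective action", "preventive action", "capa"],
  "6.4": ["work environment", "contamination"],
};

// Return the keywords found in a requirement, matched on word boundaries so that
// a short keyword such as "capa" does not fire on "capacity".
function matchKeywords(req: Requirement, keywords: string[]): string[] {
  const text = `${req.title} ${req.description}`.toLowerCase();
  return keywords.filter((kw) => {
    const escaped = kw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    return new RegExp(`\\b${escaped}\\b`).test(text);
  });
}

// Score every clause: two or more matching requirements is "covered", one is
// "partial", zero is "gap". Assumption: one keyword hit makes a requirement match.
function assessClauses(reqs: Requirement[], registry = CLAUSE_KEYWORDS): ClauseResult[] {
  return Object.keys(registry).map((clause) => {
    const evidence: Record<string, string[]> = {};
    for (const req of reqs) {
      const hits = matchKeywords(req, registry[clause]);
      if (hits.length > 0) evidence[req.id] = hits; // keep the hits as audit evidence
    }
    const n = Object.keys(evidence).length;
    const status: Status = n >= 2 ? "covered" : n === 1 ? "partial" : "gap";
    return { clause, status, evidence };
  });
}

// Constructed sample requirements (REQ-1 reuses the wording quoted in the text).
const SAMPLE_REQUIREMENTS: Requirement[] = [
  { id: "REQ-1", title: "Design Input Specification Process", description: "capture user needs and intended use for design input review" },
  { id: "REQ-2", title: "Design Output Verification", description: "confirm design output meets design input" },
  { id: "REQ-3", title: "Corrective Action Procedure", description: "investigate nonconformities and record each corrective action" },
  { id: "REQ-4", title: "Production Capacity Planning", description: "plan line capacity per quarter" },
];

for (const r of assessClauses(SAMPLE_REQUIREMENTS)) {
  console.log(r.clause, r.status, JSON.stringify(r.evidence));
}
```

Returning the matched keywords per requirement, rather than only the status, is what lets a reviewer trace why a clause was marked "covered".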

Mode 2: AI-Powered Deep Analysis (Optional)

For companies that want more than keyword matching, QAtrial’s AI mode sends your requirements to the LLM of your choice (more on that below) along with the full clause descriptions. The AI returns evidence mapping — which specific requirements address which clauses — and recommendations for what is missing. This catches nuances that keyword matching cannot: a requirement might address the intent of clause 6.4 (Work Environment and Contamination Control) without using any of the expected keywords.

The AI mode uses a QMSR-specific prompt that understands the transition context: it knows that companies are moving from 21 CFR 820 to ISO 13485, and it flags requirements that may have been adequate under the QSR but fall short under the new standard.

A Concrete Example

Consider a mid-size device company with 30 requirements in their QAtrial project — a mix of design controls, production procedures, and quality system documentation. They run the static assessment and see:

  • Readiness Score: 62% — 17 clauses covered, 4 partial, 6 gaps
  • Section 7 (Product Realization) shows green across 7.1, 7.2, 7.4, 7.5, 7.6 — but clause 7.3 (Design and Development) shows partial coverage. They have design input and output requirements, but nothing explicitly addressing design transfer or design change control.
  • Section 8 (Measurement & Improvement) shows a gap on 8.5 (CAPA) — they have a corrective action procedure but no preventive action or effectiveness check requirement.

Each gap and partial clause has a “+ Req” button. One click generates a new requirement pre-populated with the ISO 13485 regulatory reference, an appropriate risk level based on the clause’s criticality rating, and tags linking it to the specific clause. The company fills in the details, assigns an owner, and the gap is addressed.

In under an hour, that 62% readiness score becomes 85%. The remaining gaps require organizational decisions (management review schedules, resource allocation) rather than documentation.

Design Control: Where QMSR Compliance Gets Real

ISO 13485 clause 7.3 is where most device companies struggle, and it is where QAtrial v3.0 delivers the most depth. The new Design Control module provides:

  • A 7-phase Kanban board mapping directly to 7.3 sub-clauses: User Needs, Design Input, Design Output, Verification, Validation, Transfer, Released
  • Gated phase advancement: items cannot move to the next phase until the current phase status is “approved” — enforcing the review gates that auditors look for
  • DHF/DMR/DHR management: Design History File, Device Master Record, and Device History Record containers with version control, section management, and lifecycle tracking (draft, active, superseded, obsolete)
  • Full audit trail on every design control operation — who changed what, when, and why

This is not a generic project board with “Design Control” written on it. The phases, the gating logic, and the document record structure are built specifically for ISO 13485 Section 7.3 compliance.

Why Open Source Matters for QMSR Transition

The commercial alternatives for QMSR transition tooling are expensive. Greenlight Guru’s quality management platform starts at roughly $30,000 per year and can exceed $100,000 for larger teams. MasterControl’s enterprise licensing is in the same range. Both are proprietary, cloud-only, and opaque.

For a regulated company, “opaque” is a problem. When an FDA auditor asks how your gap assessment tool determined that clause 7.5 was “covered,” you need an answer better than “the vendor’s algorithm said so.”

QAtrial is licensed under AGPL-3.0. The gap assessment logic — the keyword sets, the matching algorithm, the scoring thresholds — is all in src/lib/iso13485Clauses.ts, readable by anyone. The AI prompts are in src/ai/prompts/qmsrGap.ts. An auditor, a consultant, or your own quality team can inspect exactly how the tool reaches its conclusions.

Beyond transparency, open source eliminates vendor lock-in. Your quality data stays in your infrastructure. If you want to extend the clause registry with company-specific keywords, you fork the repository and add them. If you want to run the entire platform on an air-gapped network with a local LLM, you can — QAtrial supports Ollama and LM Studio for fully local AI inference.

The Cost Comparison

| Capability | QAtrial v3.0 (AGPL-3.0) | Greenlight Guru | MasterControl |
| --- | --- | --- | --- |
| ISO 13485 gap assessment | Included (static + AI) | Not included (manual) | Not included |
| Design control (DHF/DMR/DHR) | Included | $30K+/year | $50K+/year |
| QMSR transition mapping | Included (AI-powered) | Consulting add-on | Consulting add-on |
| Self-hosted option | Yes | No | On-premise available ($$) |
| Source code access | Full (AGPL-3.0) | No | No |
| Local AI (air-gapped) | Yes (Ollama/LM Studio) | No | No |
| Annual cost | $0 (self-hosted) | $30K-$100K+ | $50K-$150K+ |

The gap is not just price. It is control. When your QMSR audit is in three months, you want a tool you can inspect, customize, and trust — not a vendor relationship you have to manage.

Getting Started

QAtrial is available on GitHub at github.com/MeyerThorsten/QAtrial. Installation is three commands:

git clone https://github.com/MeyerThorsten/QAtrial.git
cd QAtrial
npm install && npm run dev

Create a project, select “Medical Devices” as your vertical, add your existing requirements (or import them), and run the ISO 13485 assessment from the Evaluation dashboard. You will have a clause-by-clause gap report in minutes — not months.

The QMSR transition deadline has passed. The question is no longer whether to comply, but how quickly and at what cost. QAtrial v3.0 makes the answer: fast, transparent, and free.


QAtrial is open-source software licensed under AGPL-3.0. It is not a consulting service and does not provide legal or regulatory advice. Gap assessment results should be reviewed by qualified quality professionals. Visit github.com/MeyerThorsten/QAtrial to get started.
