The Role of a Quality Management System Before and After Market
How a properly engineered QMS protects a MedTech company from concept through commercialization, and what FY 2024 FDA inspection data shows about where most teams fall short.
Most MedTech teams talk about the Quality Management System as if it were paperwork. It is not. The QMS is the operating system of a medical device company. It defines how design decisions get documented, how risks get controlled, how changes get reviewed, and how the company responds when something goes wrong in the field. Built well, it gets you cleared and keeps you cleared. Built poorly, it produces the kinds of audit findings the FDA logged 2,383 times against device manufacturers in FY 2024 alone.
This guide explains what the QMS actually does before market and after market, where the dividing line falls, and why the most consequential QMS work happens after the device ships, not before. It also breaks down how Regulify.AI's six product modules map across both phases.
In short
A QMS is the structured set of policies, procedures, and records that ensures medical devices meet customer requirements and applicable regulations. Before market, the QMS focuses on producing a device that is safe and effective, with a traceable design history. After market, the QMS focuses on monitoring real-world performance and responding to changes and complaints. FY 2024 FDA inspection data shows that four of the top five most-cited device deficiencies are post-market workflows. The pattern is clear: MedTech companies often overinvest in design-time documentation and underinvest in keeping the QMS alive after launch.
Key takeaways
• A QMS is mandated under 21 CFR Part 820 (US, transitioning to QMSR aligned with ISO 13485) and ISO 13485 internationally.
• Pre-market QMS activities center on Design Controls, Risk Management, Document Control, Supplier Controls, and Verification and Validation.
• Post-market QMS activities center on CAPA, Complaint Handling, Medical Device Reporting, Change Control, Post-Market Surveillance, and Internal Audits.
• In FY 2024, FDA inspectors logged 2,383 device citations across 174 distinct rules. The top four citations are all post-market or operational discipline gaps. Source: FDA Office of Inspections and Investigations.
• Regulify.AI's six modules map to specific QMS workflows in both phases of the device lifecycle.
What a QMS actually is
A Quality Management System is a structured set of documented policies, processes, procedures, and records that an organization uses to consistently meet customer requirements and applicable regulations. For medical devices in the US, the QMS framework is defined by 21 CFR Part 820, the Quality System Regulation, which is currently transitioning to the FDA's Quality Management System Regulation (QMSR) to align with ISO 13485. Outside the US, ISO 13485 has long been the global benchmark. Both frameworks expect the same thing: a documented, defensible, traceable system that controls how a medical device is designed, built, monitored, and changed.
The QMS is the discipline that turns engineering intent into auditable evidence. Every design input, every risk control decision, every supplier qualification, every customer complaint, every corrective action becomes a record that lives inside the QMS. When an inspector arrives, they do not interview the engineers. They read the QMS records.
Pre-market QMS activities and stakes
Before a device reaches the market, the QMS is responsible for producing the evidence that the device is safe, effective, and built under controlled conditions. The core pre-market workstreams are well-defined under 21 CFR Part 820 and ISO 13485.
Design Controls (820.30). Every requirement, design input, design output, verification activity, validation activity, and design review must be documented and traceable. The output is the Design History File (DHF), which becomes the single most scrutinized artifact in any submission or audit.
Risk Management (ISO 14971). Hazard identification, risk estimation, risk control, and risk-benefit analysis must be documented in a Risk Management File. Risk activities run continuously alongside design, not as a single deliverable at the end.
Document and Record Controls (820.40, 820.180). Every QMS document needs version control, approval workflows, and retention schedules. Audit inspectors expect to see exactly who approved each revision and when.
Supplier Controls (820.50). Critical suppliers must be qualified, monitored, and re-evaluated. Supplier files form a meaningful portion of any inspection.
Verification and Validation (820.30(f) and (g)). Every design output must be verified against its design input. Every device must be validated against user needs and intended use under defined conditions.
The pre-market QMS is the system that produces the submission package. It also produces the body of evidence the FDA reviewer or notified body inspector will demand on day one of any inspection.
Post-market QMS activities and stakes
Clearance day is not the finish line. It is the start of the most operationally demanding phase of the QMS lifecycle. Post-market activities consume more day-to-day attention than design controls did, and they are where the FDA's enforcement focus actually sits.
Corrective and Preventive Action (CAPA, 820.100). The QMS must identify the root cause of any quality issue, implement a corrective action, verify effectiveness, and prevent recurrence. CAPA was the single most-cited device citation in FY 2024, with 254 observations.
Complaint Handling (820.198). Every complaint must be logged, evaluated for reportability, investigated, and closed with documented rationale. Inadequate complaint procedures were the second most-cited device deficiency in FY 2024 (191 observations).
Medical Device Reporting (21 CFR 803). Adverse events meeting reportability criteria must be submitted to FDA within defined timelines. Lack of written MDR procedures was the seventh most-cited deficiency (54 observations).
Design Change Control (820.30(i)). Every design change must be assessed for regulatory impact, verified, validated, and approved before implementation. Inadequate design change procedures were cited 46 times in FY 2024.
Post-Market Surveillance and PMCF. Under EU MDR Articles 83-86 and the FDA's Total Product Life Cycle framework, the company must actively monitor real-world device performance. For EU-marketed devices, Post-Market Clinical Follow-up is mandatory under Annex XIV Part B.
Internal Audits (820.22). The company must periodically audit its own QMS. Inadequate audit procedures were cited 50 times in FY 2024.
The FY 2024 reality, where MedTech QMS actually falls short
In Fiscal Year 2024, FDA inspectors logged 2,383 citations against device manufacturers across 174 distinct rule references. The pattern in the top citations is striking. Four of the top five deficiencies are post-market or operational workflows, not design-time activities.
| Rank | 21 CFR citation | Description | Citations (FY 2024) |
| --- | --- | --- | --- |
| 1 | 820.100(a) | Inadequate CAPA procedures | 254 |
| 2 | 820.198(a) | Inadequate complaint procedures | 191 |
| 3 | 820.90(a) | Inadequate nonconforming product procedures | 92 |
| 4 | 820.75(a) | Inadequate process validation | 85 |
| 5 | 820.50 | Inadequate purchasing controls | 82 |
| 6 | 820.100(b) | CAPA documentation gaps | 59 |
| 7 | 803.17 | Lack of written MDR procedures | 54 |
| 8 | 820.22 | Inadequate quality audit procedures | 50 |
| 9 | 820.30(i) | Inadequate design change procedures | 46 |
| 10 | 820.30(g) | Risk analysis not performed during design validation | 42 |
This is not a coincidence. Most MedTech companies treat the QMS as a pre-submission deliverable. Design Controls get attention because they are the path to clearance. Once clearance arrives, the operational discipline that produced that submission tends to atrophy. CAPA queues build. Complaints get logged but not trended. Risk files go untouched for quarters at a time. Document control degrades into ad-hoc updates.
Then an inspector arrives. The inspector is not interested in how good the original 510(k) was. They want to see the records from the last twelve months. That is where most companies fail.
Source: FDA Office of Inspections and Investigations, Inspection Observations Fiscal Year 2024, available at fda.gov.
Why the QMS must be a living system
The phrase that captures the right operating model is the living QMS. A living QMS is updated as work happens, not under audit pressure. A living QMS has CAPA cycle times measured in weeks, not quarters. A living QMS has a Risk File that has been touched in the last 90 days. A living QMS has audit trails that map every design output to its verification activity and every change to its impact assessment.
The contrast between a reactive QMS and a living QMS is operationally measurable.
| Dimension | Reactive QMS | Living QMS |
| --- | --- | --- |
| Documentation cadence | Updated under audit pressure | Updated as work happens |
| Risk file | Frozen at submission | Reviewed at every design change |
| CAPA system | Backlog of open items | Actioned within defined cycle times |
| Complaint handling | Process exists on paper | Procedure followed and trended |
| Change control | Reactive to FDA queries | Impact-assessed before implementation |
| Internal audits | Annual checkbox exercise | Continuous and root-cause driven |
| Audit outcome | Form 483 with multiple observations | Audit-ready at any time |
The cost of building a reactive QMS is invisible until the inspector arrives. The cost of building a living QMS is concentrated in tooling and discipline early in the company's life. The compounding cost difference over a five-year product lifecycle is substantial.
Where AI augmentation fits in QMS operations
Not every QMS workflow benefits equally from AI augmentation. The leverage is concentrated in five places.
• Document maintenance and version control. AI can detect inconsistencies across revisions and flag missing approvals before they become audit findings.
• Hazard identification and risk file updates. AI-assisted hazard libraries surface relevant hazards from prior submissions and adverse event databases.
• Continuous clinical literature monitoring. AI flags new publications relevant to the device under PMCF without requiring manual quarterly searches.
• Change impact analysis. AI parses proposed design changes against the existing DHF and Risk File to surface regulatory implications before the change is implemented.
• Compliance gap detection. AI compares the current QMS against evolving regulatory standards (FDA QMSR, EU MDR amendments, ISO 13485 updates) and surfaces gaps.
How Regulify.AI maps to pre-market and post-market QMS
Regulify.AI's six product modules map to specific QMS workflows across both phases of the device lifecycle. Source: regulify.ai product pages.
| Phase | QMS activity | Regulify.AI module |
| --- | --- | --- |
| Pre-market | FDA Pre-Sub strategy and pathway analysis | Pre-Sub Accelerator |
| Pre-market | Design Controls, DHF and DMR maintenance | Compliance Checker |
| Pre-market | Risk Management aligned with ISO 14971 | Risk Manager |
| Pre-market | Clinical Evaluation Report generation | CER Accelerator |
| Pre-market | Compliance gap analysis against standards | Compliance Checker |
| Post-market | Design change impact assessment | Change Clarifier |
| Post-market | Continuous clinical literature monitoring and PMCF | CER Accelerator |
| Post-market | Cybersecurity threat modeling and SBOM management | CyberSteth |
| Post-market | Ongoing compliance verification against evolving standards | Compliance Checker |
| Both phases | Risk file maintenance across the device lifecycle | Risk Manager |
Three modules operate primarily in the pre-market phase: Pre-Sub Accelerator for FDA strategy and pathway analysis, Compliance Checker for design-time gap analysis, and CER Accelerator for clinical literature evaluation feeding into the initial submission. Two modules are designed for post-market operations: Change Clarifier for design change impact assessment and CyberSteth for cybersecurity threat modeling on connected devices. Two modules span both phases: Risk Manager for ongoing Risk File maintenance and Compliance Checker for continuous compliance verification.
Frequently asked questions
What is the difference between a QMS and ISO 13485?
ISO 13485 is the international standard that specifies QMS requirements for medical device organizations. A QMS is the actual implementation of those requirements inside a company. A company that is ISO 13485 certified has built a QMS that meets the standard and passed an external audit.
When does a MedTech startup need to start formal QMS work?
As early as the first Design Input documents are written. Many founders defer QMS work until shortly before submission and pay a heavy reconstruction cost. The most efficient QMS is built incrementally alongside the product, not retrofitted at the end.
What is the most common QMS failure during an FDA inspection?
Inadequate Corrective and Preventive Action (CAPA) procedures. In FY 2024, CAPA-related deficiencies (21 CFR 820.100(a) and (b)) accounted for 313 citations, more than any other single category. Most companies have a CAPA procedure on paper. Few have one that is actually followed with documented effectiveness verification.
Is the QMS the same in the US and EU?
The frameworks are increasingly aligned but not identical. The FDA's transition to QMSR brings US requirements into closer alignment with ISO 13485, which is the basis of the EU framework. Companies marketing in both jurisdictions typically maintain a single QMS designed to satisfy the stricter of the two requirements on any given clause.
When does Post-Market Surveillance start?
The day clearance or CE marking is issued. PMS Plans should be drafted and approved before launch, not improvised after the first complaint. PMCF Plans, which are mandatory under EU MDR for most device classes, follow the same principle.
What does the FDA's QMSR transition mean for device companies?
The FDA's Quality Management System Regulation, finalized in early 2024, replaces the previous Quality System Regulation (21 CFR Part 820) over a transition period. The new regulation aligns US requirements more closely with ISO 13485. Companies already maintaining ISO 13485 certification will find the transition straightforward. Companies built around the older Part 820 framework will need to update procedures and terminology.
The QMS is not paperwork, it is the operating system
The companies that build a living QMS from day one are the ones that maintain market access decade after decade. The companies that treat the QMS as a one-time pre-submission deliverable are the ones that show up in FDA's annual inspection observations. The pattern is consistent year over year, and the FY 2024 data confirms it.
Before market, a properly engineered QMS gets a device cleared. After market, the same QMS keeps the device on the market and protects the company from the enforcement actions, recalls, and lost market access that follow when the operational discipline breaks down.
To assess where your QMS stands today and where AI augmentation would deliver the most leverage, schedule a free Regulify.AI consultation.
About the authors
Abtin Eshraghi. Advisor at Regulify.AI. Regulatory affairs background in medical device development.
Kundan Krishna. Co-Founder at Regulify.AI. AI/ML engineer focused on natural language processing for biomedical and regulatory documents.
References and regulatory sources
• U.S. FDA. 21 CFR Part 820, Quality System Regulation.
• U.S. FDA. Quality Management System Regulation (QMSR), final rule 2024.
• U.S. FDA. Office of Inspections and Investigations, Inspection Observations Fiscal Year 2024.
• U.S. FDA. 21 CFR Part 803, Medical Device Reporting.
• ISO 13485:2016. Medical devices, Quality management systems.
• ISO 14971:2019. Medical devices, Application of risk management to medical devices.
• European Parliament. Regulation (EU) 2017/745 on Medical Devices (EU MDR), Articles 83 to 86 and Annex XIV Part B.
• Regulify.AI product pages, accessed November 2026.