Industry Voices: QMSR's Wake-Up Call for Medical Device Companies
QMS consultant John Wolf breaks down what QMSR really demands from medical device manufacturers, and why many of the companies struggling have been coasting for years.

For this Industry Voices, we sat down with John Wolf, QMS and remediation consultant, to discuss what QMSR really means for medical device manufacturers. When FDA's Quality Management System Regulation (QMSR) came into effect in February 2026, many organizations viewed it as another regulatory update. John Wolf sees something bigger.
According to John, the transition is the culmination of years of global harmonization efforts across medical device regulation. Yet for many organizations, especially those that have historically focused on the U.S. market, it represents a significant cultural shift.
"American medical device companies that focus on the domestic market are now forced to adopt ISO 13485." — John Wolf
While many discussions around QMSR focus on standards and compliance requirements, John points to the practical realities facing manufacturers across the industry, noting that many small domestic manufacturers are working with limited compliance resources. For organizations developing software-intensive medical devices, the discussion extends beyond updating procedures. It includes documentation practices, quality systems, engineering culture, and an organization's ability to demonstrate that its development processes are under control.
QMSR Exposes What Years of Coasting Left Behind
When asked why he considers QMSR one of the most significant FDA regulatory developments of the year, John Wolf points to both industry and regulatory impacts.
According to him, FDA benefits by freeing resources for activities such as enforcement and submission reviews, while manufacturers benefit from increased alignment between regulations and audit frameworks.
At the same time, he believes the transition is exposing weaknesses that have existed for years, and that for some organizations, the real challenge is not adapting to a new regulation but addressing longstanding gaps that were already present.
"With those clients, it's not really a QMSR transition, it's decades of catch-up because they've been coasting on a traditional understanding of 21 CFR 820.30."
John argues that organizations that have kept pace with FDA's direction over the years are unlikely to face major surprises. FDA guidance documents have referenced ISO 13485, ISO 14971, and IEC 62304 for years, and the agency's broader participation in international harmonization efforts has been consistent and well-documented.
"FDA has telegraphed its intentions since day one."
The Compliance Gaps That Keep Sinking Device Companies
When discussing regulatory challenges, John does not point to obscure interpretations of standards or difficult technical requirements.
"I don't see companies get into trouble because they misinterpreted Note 17 in Annex B of some ISO standard. It's always something glaring and fundamental."
One example he encounters repeatedly involves software documentation.
"The FDA guidance calls for Enhanced Documentation when the device software could cause serious injury. The company didn't provide the required documentation, but they did provide a risk analysis with a few rows where Severity=4 and Cause=SW. You do the math."
In his experience, these issues often emerge because software and quality functions operate too far apart.
"At my clients, I notice that the software group is usually the most distant from quality."
John identifies several contributing factors, including the shortage of software-savvy quality professionals, the cost of software engineering talent, and the widespread adoption of Agile development practices.
"The Agile methodology tries to avoid excessive documentation. Software developers use this as an excuse to avoid documentation altogether, whether excessive or not.”
Over time, he has noticed recurring patterns in organizations that require remediation support.
"More often than not, I'll walk into the organization and find that the people designing and building the medical device have basically no understanding of the regulations that govern them."
For Software and AI-Enabled Devices, the Margin for Error Just Shrank
Although QMSR is not an AI-specific regulation, many of the themes raised by John are highly relevant to organizations developing software-driven and AI-enabled medical devices. Throughout the interview, he repeatedly returns to the importance of documentation, engineering discipline, quality systems, and lifecycle management.
Many of the expectations surrounding modern software products — including traceability, verification, risk management, cybersecurity, and lifecycle evidence — rely on these same foundations.
He believes organizations often underestimate the importance of helping engineering teams understand the regulatory frameworks governing their work — a gap that becomes harder to close as software complexity grows, and AI capabilities become more prevalent.
"Get your tech leads some solid, multi-day training on these standards from a credible outside organization."
Harmonization Helps, But It Doesn't Close Every Gap
When discussing international markets, John Wolf offers a nuanced perspective. He expresses genuine admiration for Europe's approach to consumer protection through frameworks like the GSPR and GDPR, while also backing FDA's practical decision to align with ISO 13485 through QMSR rather than building a separate quality framework. That said, he cautions against assuming shared standards will translate into a unified regulatory environment.
"We may share ISO 13485 now, but not the MDR or Notified Bodies."
For organizations pursuing both U.S. and European market access, important differences remain despite increasing alignment around quality management principles.
What Every Software Leader in MedTech Needs to Know Now
Asked what advice he would give an engineering leader starting their first FDA-regulated software project today, John Wolf's answer goes well beyond compliance.
"You already know software development. Now it's time to build some other pillars of knowledge, like managing people and understanding the regulatory framework."
His recommendation begins with developing a practical understanding of ISO 13485 and ISO 14971 before progressing to deeper expertise in IEC 62304 and IEC 82304-1. He also emphasizes cybersecurity, usability engineering, and familiarity with FDA software guidance documents.
"Get a working knowledge of ISO 13485 and ISO 14971, then proceed to a deep understanding of IEC 62304 and 82304-1."
For John Wolf, understanding regulatory expectations is not about slowing innovation. It is about creating a foundation that allows teams to move efficiently while maintaining confidence in their processes, documentation, and evidence: "Once you understand what is required to be compliant, you can then safely optimize the development process for efficiency. Don’t try to reverse that sequence."
As software continues to play a larger role in medical devices and digital health, John’s perspective remains consistent: organizations rarely struggle because of obscure regulatory details. Success depends on strong engineering fundamentals, disciplined quality systems, and teams that understand both the technology they build and the regulations that govern it.
The regulatory expectations shaping today's medical devices — from QMSR to AI-enabled software — demand more than compliance checklists. They demand engineering discipline, lifecycle rigor, and a quality culture built to last.
Critical Software works with medical device manufacturers to build the processes, documentation, and quality systems that regulators expect — and that patients deserve. Explore our Medical Devices expertise.