What is a QMSR gap analysis?
A gap analysis compares your current quality management system against the requirements of a standard — in this case, ISO 13485:2016 as incorporated by the FDA's QMSR. The output is a structured list of gaps: places where your system doesn't meet what the standard requires.
This isn't an audit. An audit evaluates whether you follow your own procedures. A gap analysis evaluates whether your procedures cover what the standard requires in the first place.
When do you need one?
Right now, if you haven't done one since February 2026. The QMSR is effective. FDA inspectors are referencing ISO 13485. If your QMS was built around Part 820 and you haven't systematically verified alignment with ISO 13485, a gap analysis is the first step.
You should also consider one if:
- You've recently set up a new QMS and want to verify coverage
- You're preparing for an FDA inspection or a regulatory submission
- You've expanded into new product areas that require additional QMS elements
- Your last gap analysis was more than two years ago
What you'll need
- Access to your complete document library (SOPs, work instructions, plans, records, templates)
- A copy of ISO 13485:2016 (or a clause summary)
- The QMSR final rule for FDA-specific additions
- A way to track findings (spreadsheet, or a tool like Kelsey)
If your documents live in Google Drive, SharePoint, or a similar platform, Kelsey can scan them automatically and give you a starting point.
Step-by-step process
1. Inventory your documents
List every QMS document you have. Categorize by type: SOP, work instruction, plan, record, template, form. Note which ISO 13485 clause each is intended to address.
2. Map clauses to documents
Go through each ISO 13485 clause and identify which of your documents addresses it. Some clauses will map to multiple documents. Some documents will cover multiple clauses. And some clauses may have no corresponding document at all — those are your first gaps.
3. Evaluate coverage depth
Having a document isn't enough. For each mapping, assess whether the document actually addresses what the clause requires. A Design Control SOP that describes your process but doesn't connect design decisions to risk analysis has a coverage gap even though the document exists.
4. Check QMSR-specific additions
Review your complaint handling, servicing, and traceability procedures against the FDA-specific requirements that sit on top of ISO 13485.
5. Identify terminology gaps
Search your documents for legacy Part 820 terminology (Device Master Record, Device History Record, Quality System Regulation). These aren't automatic violations, but they signal that your system may not have been updated.
6. Prioritize and plan
Not all gaps are equal. A missing CAPA procedure is more urgent than outdated terminology in a template header. Prioritize by regulatory risk and inspection likelihood.
Common gaps we find
Based on scans across hundreds of QMS document sets, these are the most frequent gaps:
- Risk-based decision making not linked to design controls — Companies have risk management procedures and design control procedures, but the two don't reference each other. ISO 13485 clause 7.3.3 requires design inputs to include risk management outputs.
- Missing or incomplete management review records — The procedure exists but records of actual management reviews are missing, incomplete, or haven't been updated in over a year.
- Supplier qualification gaps — Purchasing controls SOP exists but doesn't define criteria for evaluating and selecting suppliers based on their effect on product quality.
- No post-market surveillance procedure — Required by ISO 13485 clause 8.2.1 but often missing in companies that built their QMS around Part 820, which had weaker post-market requirements.
- Training records don't demonstrate effectiveness — Training records show that training occurred but don't demonstrate that the training was effective (ISO 13485 clause 6.2).
Cross-link: See the full Part 820 → ISO 13485 crosswalk →
Prioritizing fixes
We recommend a three-tier approach:
Tier 1 — Critical gaps (fix now)
Missing required procedures, missing CAPA system, no design control process. These are the gaps an FDA inspector would cite immediately.
Tier 2 — Significant gaps (fix within 30 days)
Procedures exist but don't cover what the standard requires. Incomplete records. Missing cross-references between related procedures.
Tier 3 — Minor gaps (fix within 90 days)
Terminology updates, formatting inconsistencies, minor coverage gaps in supporting documents.
Gap analysis vs. internal audit
These are complementary but different activities.
| Aspect | Gap Analysis | Internal Audit |
|---|---|---|
| Question | Does our system cover what the standard requires? | Do we follow our own procedures? |
| Timing | When standards change or QMS is established | Annually, or per audit schedule |
| Output | List of missing or incomplete coverage | List of non-conformances |
| Who | Can be done by anyone with standards knowledge | Should be done by trained internal auditors |
A gap analysis tells you if your house has all the rooms. An internal audit tells you if the rooms are clean.
Tools and templates
Manual approach: A spreadsheet with ISO 13485 clauses in rows and your documents in columns works for small QMS libraries. For each intersection, note: covered, partially covered, not covered, or not applicable.
Automated approach: The Kelsey Quality QMSR scanner connects to your Google Drive and maps your documents against ISO 13485 clauses. You get a prioritized gap report in minutes instead of weeks — a thorough first pass that shows you where to focus.