Thorsten Meyer | ThorstenMeyerAI.com | April 2026
Executive Summary
On February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) officially replaced the Quality System Regulation that had governed medical device manufacturing since 1996. Every one of the roughly 6,500 FDA-registered device manufacturers in the United States — plus over 30,000 companies affected by EU MDR — must now demonstrate that their quality system meets ISO 13485:2016, clause by clause, with documented evidence.

The commercial tools for this transition cost $15,000 to $100,000+ per year. Greenlight Guru recently doubled prices for some customers. MasterControl and Veeva Vault are in the same range. A single consulting engagement for a gap assessment runs $10,000 to $50,000. The medical device QMS software market is $1.33 billion in 2026, growing to $2.45 billion by 2032.
Revenue Impact by Release
| Release | Target Customers | Est. Market Opportunity |
|---|---|---|
| v3.0 QMSR/Device (shipped) | ~6,500 FDA device companies + ~30,000 EU MDR manufacturers | QMSR transition creates $500M+ tooling demand |
| v3.1 Enterprise | Multi-site pharma/biotech (top 200 + CMOs) | Enterprise QMS: $4B segment |
| v3.2 Clinical/AI | ~1,100 CROs globally + pharma sponsors | eTMF market alone: $2B+ |
| v3.3 Global | Emerging market manufacturers | Brazil, India, Saudi, UAE: $1.5B+ QMS spend |
I built QAtrial because I believed the most regulated industries on Earth should not need six-figure software budgets to comply with the standards that govern them. QAtrial is open-source under AGPL-3.0. It ships with an ISO 13485:2016 gap assessment that works in two modes — keyword-based static analysis (no AI, no API, no data leaves your machine) and AI-powered deep analysis with your choice of provider. It includes a complete design control system mapped to ISO 13485 Section 7.3, configurable GxP approval workflows with 21 CFR Part 11 electronic signatures, and a bring-your-own-LLM architecture that supports five provider presets including fully local inference via Ollama.
v3.0 Features — Why They Matter NOW
FDA QMSR (effective Feb 2, 2026)
- Replaces decades-old 21 CFR 820 QSR with ISO 13485:2016 incorporation by reference
- Every FDA-regulated device company must demonstrate ISO 13485 conformity
- FDA stopped using QSIT inspection technique — now risk-based inspections
- QAtrial’s ISO 13485 Gap Assessment directly addresses this transition
Device Recall Crisis
- 115% increase in device recalls since 2018
- $5B+/year cost to industry
- #1 source of FDA 483 observations: Design Control failures
- QAtrial’s Design Control Kanban directly addresses this
EU AI Act (deadline Aug 2, 2027)
- High-risk AI medical devices must document: data governance, bias mitigation, algorithm transparency
- MDCG 2025-6 confirms AI Act requirements can integrate into ISO 13485 QMS
- QAtrial’s AI provenance tracking + gap analysis supports this

The cost is zero. The source code is inspectable. The data stays on your infrastructure. When an FDA auditor asks how your gap assessment tool determined that clause 7.5 was “covered,” you can show them the code.
| Metric | Value |
|---|---|
| QMSR effective date | February 2, 2026 |
| FDA-registered device manufacturers (US) | ~6,500 |
| Companies affected by EU MDR + US | 30,000+ |
| ISO 13485:2016 clauses covered | All 27 |
| Static assessment: AI required | No |
| Static assessment: data leaves machine | No |
| AI providers supported | 5 presets + any OpenAI-compatible |
| Local AI inference | Ollama, LM Studio |
| Design control phases | 7 (mapped to ISO 7.3) |
| Document record types | DHF, DMR, DHR |
| Workflow engine steps | Configurable (1-N) |
| Electronic signatures | 21 CFR Part 11 compliant |
| License | AGPL-3.0 |
| Annual cost (self-hosted) | $0 |
| Greenlight Guru annual cost | $15K-$60K+ (doubling for some) |
| MasterControl annual cost | $50K-$150K+ |
| Consulting gap assessment | $10K-$50K per engagement |
| QMS software market (2026) | $1.33 billion |
| QMS software market (2032) | $2.45 billion |
| OECD unemployment | 5.0% (stable) |
| OECD broadband (advanced) | 98.9% |

Customer Demand Signals (from research)
1. The QMSR Transition: Scale, Cost, and the Compliance Gap
The QMSR transition is the biggest quality management regulatory shift in three decades. The FDA no longer maintains its own prescriptive requirements under 21 CFR Part 820. Instead, it incorporates ISO 13485:2016 by reference — aligning the United States with the international quality management standard that most of the world already follows.

The Scale of the Problem
| Factor | Data | Implication |
|---|---|---|
| FDA-registered manufacturers (US) | ~6,500 | Each must demonstrate ISO 13485 compliance |
| EU MDR-affected companies | 30,000+ | Many also sell into US market |
| QSR structure | Management responsibility, design controls, production controls, CAPA | Different taxonomy from ISO 13485 |
| ISO 13485 structure | QMS (Sec 4), Management (5), Resources (6), Realization (7), Measurement (8) | Concepts overlap; clause structure diverges |
| Gap assessment cost (consulting) | $10K-$50K per engagement | Snapshot that becomes stale immediately |
| Full transition cost (mid-size company) | Six figures+ | Before a single procedure is rewritten |
The Commercial Tool Landscape
| Tool | Annual Cost | AI | Self-Hosted | Source Access | Air-Gapped |
|---|---|---|---|---|---|
| Greenlight Guru | $15K-$60K+ (doubling) | Vendor-selected | No | No | No |
| MasterControl | $50K-$150K+ | Vendor-selected | On-prem ($$) | No | Limited |
| Veeva Vault QMS | Enterprise pricing | Vendor-selected | No (AWS only) | No | No |
| Arena PLM | $50K+/year | Limited | No | No | No |
| QAtrial (AGPL-3.0) | $0 | Your choice (5+ providers) | Yes | Full source | Yes (Ollama) |
The gap is not just price. It is control, transparency, and data sovereignty. When your QMSR audit is in three months, you want a tool you can inspect, customize, and trust — not a vendor relationship you have to manage.
“6,500 FDA-registered manufacturers. 30,000+ EU MDR-affected companies. Every one needs ISO 13485 compliance. The commercial tools cost $15K-$150K per year. The consulting engagement costs $10K-$50K and becomes stale the moment you update a procedure. I built QAtrial because this math does not work for most of the industry.”
2. ISO 13485 Gap Assessment: Two Modes, Zero Lock-In
QAtrial ships with an ISO 13485:2016 gap assessment that covers all 27 clauses — from Section 4.1 (General QMS Requirements) through Section 8.5 (Improvement/CAPA).
Mode 1: Keyword-Based Static Analysis (No AI)
| Feature | Detail |
|---|---|
| Runs where | Entirely in the browser (client-side JavaScript) |
| AI required | No |
| API key required | No |
| Data transmission | Zero — nothing leaves your machine |
| Clause coverage | All 27 ISO 13485:2016 clauses |
| Scoring logic | 2+ matches = covered; 1 match = partial; 0 = gap |
| Speed | Milliseconds |
| Criticality ratings | Critical, High, Medium, Low per clause |
| Gap remediation | “+ Req” button generates pre-populated requirement per clause |
The static assessment uses curated keyword sets for each clause. It is deliberately conservative: a single requirement matching a clause gets “partial” rather than “covered” because ISO 13485 clauses typically require multiple documented controls.
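The scoring rule above, written out as an added example (this is not QAtrial's code). It reads "match" as one requirement that mentions any keyword of a clause; the keyword sets, the sample requirements and the readiness formula are assumptions made for illustration.

```typescript
// Added example, not QAtrial's code. Clause IDs come from the article;
// keyword sets, sample requirements and the readiness formula are assumptions.
type CoverageStatus = "covered" | "partial" | "gap";
interface IsoClause { id: string; keywords: string[]; }
interface Requirement { id: string; text: string; }
interface ClauseResult { id: string; status: CoverageStatus; matchedBy: string[]; }

// Constructed keyword sets for three of the clauses the article rates critical.
const CLAUSES: IsoClause[] = [
  { id: "7.3", keywords: ["design input", "design output", "design review"] },
  { id: "8.3", keywords: ["nonconforming", "deviation", "rework"] },
  { id: "8.5", keywords: ["capa", "corrective action", "root cause"] },
];

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Whole-word, case-insensitive match, so "capa" does not hit "capacity".
function mentions(text: string, keyword: string): boolean {
  return new RegExp(`\\b${escapeRegExp(keyword)}\\b`, "i").test(text);
}

// One match = one requirement that mentions any keyword of the clause.
// 2+ matches = covered, 1 = partial, 0 = gap (the article's scoring rule).
function assessClause(clause: IsoClause, reqs: Requirement[]): ClauseResult {
  const matchedBy = reqs
    .filter((r) => clause.keywords.some((k) => mentions(r.text, k)))
    .map((r) => r.id);
  const status: CoverageStatus =
    matchedBy.length >= 2 ? "covered" : matchedBy.length === 1 ? "partial" : "gap";
  return { id: clause.id, status, matchedBy };
}

function assess(reqs: Requirement[], clauses: IsoClause[] = CLAUSES): ClauseResult[] {
  return clauses.map((c) => assessClause(c, reqs));
}

// Assumed formula: covered = 1 point, partial = 0.5, gap = 0, as a percentage.
function readiness(results: ClauseResult[]): number {
  if (results.length === 0) return 0;
  const points = results.reduce(
    (sum, r) => sum + (r.status === "covered" ? 1 : r.status === "partial" ? 0.5 : 0), 0);
  return Math.round((points / results.length) * 100);
}

// Constructed sample requirements.
const SAMPLE: Requirement[] = [
  { id: "REQ-1", text: "Design input shall include acceptance criteria." },
  { id: "REQ-2", text: "Each design review is recorded with attendees." },
  { id: "REQ-3", text: "Rework of a lot requires QA approval." },
  { id: "REQ-4", text: "Production capacity planning is reviewed quarterly." },
];
```

Keeping `matchedBy` in the result is what lets a reviewer trace a "covered" verdict back to the specific requirements that produced it.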
Mode 2: AI-Powered Deep Analysis (Optional)
| Feature | Detail |
|---|---|
| Sends to | LLM of your choice |
| Returns | Evidence mapping, recommendations, gap-specific guidance |
| QMSR context | Understands QSR → ISO 13485 transition; flags QSR-adequate but ISO-insufficient requirements |
| Nuance detection | Catches requirements that address clause intent without using expected keywords |
| Provider options | Anthropic (Claude), OpenAI (GPT-4.1), OpenRouter (200+ models), Ollama (local), LM Studio (local) |
The Critical Clauses
| Clause | Description | Criticality | Why It Matters |
|---|---|---|---|
| 4.1 | General QMS requirements | Critical | Foundation of entire quality system |
| 4.2.3 | Medical device file | Critical | Technical file per device family |
| 7.3 | Design and development | Critical | Most frequently cited in FDA 483s |
| 7.5 | Production and service provision | Critical | Validation, traceability, UDI |
| 8.2 | Monitoring and measurement | Critical | Complaints, adverse events, vigilance |
| 8.3 | Nonconforming product | Critical | NCR, deviation, rework |
| 8.5 | CAPA | Critical | Root cause, effectiveness checks |
Every gap and partial clause has a “+ Req” button. One click generates a pre-populated requirement with ISO 13485 regulatory reference, risk level, and clause tags. In under an hour, a 62% readiness score becomes 85%.

“The static assessment runs in milliseconds, costs nothing, and no data leaves your machine. For companies in regulated industries with data classification policies, this is not a minor point — it is the difference between ‘deploy today’ and ‘three months of security review.’”

3. Design Control: ISO 13485 Section 7.3 as Code
Section 7.3 is the most frequently cited clause in FDA 483 observations. It is where the gap between what companies think they are doing and what their documentation proves they are doing is widest.
The 7-Phase Kanban Board
| Phase | ISO 7.3 Sub-Clause | Gate Requirement |
|---|---|---|
| User Needs | 7.3.2 (feeds inputs) | Documented user needs + intended use |
| Design Input | 7.3.2 | Formal requirements with acceptance criteria |
| Design Output | 7.3.3 | Specifications meeting input requirements |
| Verification | 7.3.5 | Outputs confirmed against inputs |
| Validation | 7.3.6 | Product meets user needs under use conditions |
| Transfer | 7.3.7 | Verified/validated design transferred to manufacturing |
| Released | Complete | Design released for production |
Gated Phase Advancement
Phase advancement is gated. A design item cannot move to the next phase unless its current phase status is “approved.” The approval is recorded in the audit trail with reviewer identity, timestamp, and action. This is exactly what auditors look for — and it is the default behavior, not an afterthought.
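A minimal model of that gate, as an added example rather than QAtrial's implementation. The phase names follow the board above; the class, the status values and the choice to log refused attempts are assumptions.

```typescript
// Added example, not QAtrial's code. Phase names follow the article's board;
// type names, status values and the logging of denials are assumptions.
const PHASES = ["User Needs", "Design Input", "Design Output", "Verification",
  "Validation", "Transfer", "Released"] as const;
type DesignPhase = (typeof PHASES)[number];
type PhaseStatus = "draft" | "in_review" | "approved";

interface DesignItem { id: string; phase: DesignPhase; status: PhaseStatus; }
interface AuditEntry {
  itemId: string; actor: string; action: string; phase: DesignPhase; at: string;
}

class GateError extends Error {}

class DesignBoard {
  // Append-only: entries are frozen and callers only ever get a copy.
  private readonly trail: AuditEntry[] = [];

  private log(item: DesignItem, actor: string, action: string, at: Date): void {
    this.trail.push(Object.freeze({
      itemId: item.id, actor, action, phase: item.phase, at: at.toISOString(),
    }));
  }

  // Records who approved which phase, and when.
  approve(item: DesignItem, reviewer: string, at: Date = new Date()): void {
    item.status = "approved";
    this.log(item, reviewer, "approve", at);
  }

  // Moves to the next phase only from an approved state; refusals are logged too.
  advance(item: DesignItem, actor: string, at: Date = new Date()): DesignPhase {
    const idx = PHASES.indexOf(item.phase);
    if (item.status !== "approved" || idx === PHASES.length - 1) {
      this.log(item, actor, "advance_denied", at);
      throw new GateError(`${item.id}: cannot advance from ${item.phase} (${item.status})`);
    }
    this.log(item, actor, "advance", at); // logged against the phase being left
    item.phase = PHASES[idx + 1];
    item.status = "draft"; // an approval never carries over into the next phase
    return item.phase;
  }

  history(itemId: string): AuditEntry[] {
    return this.trail.filter((e) => e.itemId === itemId);
  }
}
```

Resetting the status on entry to the next phase is the step that is easiest to miss: without it, one approval would open every later gate.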
DHF, DMR, DHR: Structured Document Records
| Record | Purpose | QAtrial Features |
|---|---|---|
| Design History File (DHF) | Complete record of design process | Version control, section management, links to design items, lifecycle tracking |
| Device Master Record (DMR) | Complete manufacturing documentation set | Specs, processes, QA procedures, packaging/labeling |
| Device History Record (DHR) | Production record per unit/lot | Manufacturing dates, acceptance records, UDI |
The DHF builds itself as the team works through the design phases. Design inputs reference requirements. Design outputs reference specifications. Verification and validation records reference test results. The traceability chain is maintained structurally — not as a manually maintained spreadsheet.
4. Bring Your Own LLM: Data Sovereignty by Design
The question that comes up in every regulated company evaluating AI tools: where does our data go?
Five Provider Presets
| Provider | Default Model | API Key | Data Location | Best For |
|---|---|---|---|---|
| Anthropic | Claude Sonnet 4 | Required | Anthropic cloud | Regulatory precision |
| OpenAI | GPT-4.1 | Required | OpenAI cloud | Broad model range |
| OpenRouter | Claude Sonnet 4 | Required | Multi-provider | Model experimentation |
| Ollama | Llama 3.1 8B | Not required | Your machine | Air-gapped / data sovereignty |
| LM Studio | Local model | Not required | Your machine | Desktop-friendly local AI |
Purpose-Scoped Routing
| Purpose | Recommended Route | Rationale |
|---|---|---|
| Gap analysis | Claude (cloud) | Highest regulatory precision |
| Test generation | GPT-4.1 Mini | Fast, cheap, structured output |
| Risk classification | Ollama (local) | Sensitive data stays on-premise |
| CAPA suggestions | Claude (cloud) | Deep analytical capability |
| Report narrative | Gemini 2.5 Pro | Strong long-form text |
You can route different data types to different providers based on sensitivity. Patient-related data stays local. Regulatory gap analysis against publicly available ISO standards can go to cloud. QAtrial implements that distinction at the provider level.
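One way to enforce that distinction, as an added example that is not QAtrial's routing code. The purposes and providers come from the tables above; the two data classes, the endpoint URLs and every function name are assumptions.

```typescript
// Added example, not QAtrial's code. Purposes and providers come from the
// article's tables; data classes, endpoints and all names are assumptions.
type DataClass = "public_standard" | "patient_related";
type AiPurpose = "gap_analysis" | "test_generation" | "risk_classification" | "capa_suggestions";
interface LlmProvider { name: string; baseUrl: string; }

const PROVIDERS = {
  anthropic: { name: "Anthropic", baseUrl: "https://api.anthropic.com" },
  openai: { name: "OpenAI", baseUrl: "https://api.openai.com" },
  ollama: { name: "Ollama", baseUrl: "http://localhost:11434" },
};

const ROUTES: Record<AiPurpose, LlmProvider> = {
  gap_analysis: PROVIDERS.anthropic,
  test_generation: PROVIDERS.openai,
  risk_classification: PROVIDERS.ollama,
  capa_suggestions: PROVIDERS.anthropic,
};

const LOOPBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Locality is decided from the endpoint's host, not the provider's label:
// an "Ollama" preset pointed at a remote host is not local.
function isLocalEndpoint(baseUrl: string): boolean {
  try {
    return LOOPBACK_HOSTS.indexOf(new URL(baseUrl).hostname) !== -1;
  } catch (e) {
    return false; // unparsable endpoint: fail closed
  }
}

// Patient-related data is released only to a loopback endpoint. A cloud
// route is refused rather than silently rerouted, so the caller sees it.
function resolveProvider(
  purpose: AiPurpose,
  dataClass: DataClass,
  routes: Record<AiPurpose, LlmProvider> = ROUTES,
): LlmProvider {
  const provider = routes[purpose];
  if (dataClass === "patient_related" && !isLocalEndpoint(provider.baseUrl)) {
    throw new Error(`${purpose}: ${provider.name} is not local; patient-related data refused`);
  }
  return provider;
}

// Startup check: purposes whose configured route cannot take patient-related data.
function cloudOnlyPurposes(routes: Record<AiPurpose, LlmProvider> = ROUTES): AiPurpose[] {
  return (Object.keys(routes) as AiPurpose[])
    .filter((p) => !isLocalEndpoint(routes[p].baseUrl));
}
```

Running `cloudOnlyPurposes` at startup turns the routing table into something a security reviewer can check against the data classification policy before any prompt is sent.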
The Air-Gapped Deployment
QAtrial plus Ollama runs entirely on local infrastructure. No internet connection required. No other quality management platform with AI capabilities can make this claim.
5. Configurable GxP Workflows: One Size Does Not Fit All
GxP is not a single framework. It is a family — GMP, GLP, GCP, GDP, GAMP — each with distinct approval requirements.
Default Workflows
| Workflow | Steps | Key Feature |
|---|---|---|
| Requirement Approval | Review → Approve → Sign | Single approver; baseline for regulated changes |
| Design Gate Review | Review → Approve (2 required) → Sign | Cross-functional; ISO 7.3.4 compliant |
Custom Workflow Examples
| Vertical | Workflow | Steps |
|---|---|---|
| Pharma (deviation) | Production review → QA review → QA approval → Auto-check (CAPA complete) → QD signature | 5 steps; 24h/48h/72h SLAs; escalation |
| GAMP (software change) | QA review+approve → Sign | 2 steps; lightweight |
| CRO (protocol amendment) | Medical review → Sponsor approval → Notify regulatory → PI signature | 4 steps; multi-party |
Electronic Signatures: 21 CFR Part 11
| Requirement | QAtrial Implementation |
|---|---|
| Legal equivalence | Full identity verification at signature time |
| Re-authentication | Password re-entry required |
| Non-repudiation | Signature recorded with signer identity, timestamp, meaning |
| Tamper evidence | Linked to specific entity version |
| Audit trail | Complete record of all signature events |
6. OECD Context and Practical Actions
OECD broadband data (98.9% in advanced economies) confirms the infrastructure for deploying open-source quality management tools is universally available. The constraint is not technology — it is the commercial model that has made compliance tooling inaccessible to most of the companies that need it.
The Accessibility Gap
| Factor | Data | QAtrial Implication |
|---|---|---|
| Broadband | 98.9% (advanced) | Self-hosted deployment feasible anywhere |
| QMSR deadline | February 2, 2026 (passed) | Urgency is now; cost barriers block compliance |
| FDA manufacturers | ~6,500 | Most are small-to-mid; cannot afford $50K+ QMS |
| QMS market | $1.33B (2026) | Growing 10.6% CAGR; dominated by enterprise vendors |
| Greenlight Guru pricing | Doubling for some | Vendor lock-in + price escalation = market opportunity |
| Consulting gap assessment | $10K-$50K | Stale the moment a procedure changes |
| Open-source QMS alternatives | QAtrial (AGPL-3.0) | Full ISO 13485 + design control + AI for $0 |
Actions for Quality Leaders
1. Run the static gap assessment today. Three commands to install. Minutes to run. Zero cost. Zero data risk. Baseline your ISO 13485 readiness before your next audit.
2. Use the “+ Req” button to close critical gaps first. Clauses 4.1, 4.2.3, 7.3, 7.5, 8.2, 8.3, 8.5 generate the most FDA 483 observations. Close these before anything else.
3. Evaluate your data sovereignty requirements before choosing AI mode. If your security policy prohibits external APIs, deploy Ollama locally. You get AI-powered gap analysis with zero data exfiltration risk.
4. Configure workflows that match your actual approval processes. Do not adapt your processes to software. Adapt the software to your processes. QAtrial’s workflow engine supports arbitrary complexity — from 2-step GAMP changes to 5-step pharmaceutical deviations.
5. Inspect the source code before your audit. When an auditor asks how your compliance tool works, open the code. The gap assessment logic is in src/lib/iso13485Clauses.ts. The AI prompts are in src/ai/prompts/qmsrGap.ts. Transparency is not a feature — it is a regulatory requirement.
| Action | Owner | Timeline |
|---|---|---|
| Static gap assessment | QA Manager | This week |
| Critical clause remediation | QA Team | Q2 2026 |
| AI provider evaluation | IT + QA | Q2 2026 |
| Workflow configuration | QA Manager + Process Owners | Q2 2026 |
| Source code review (audit prep) | QA + IT | Before next audit |
The Bottom Line
6,500 FDA manufacturers. 30,000+ EU MDR-affected. 27 ISO 13485 clauses. 7 design control phases. $0 license cost. $15K-$150K+ commercial alternatives. $10K-$50K consulting. 5 AI provider presets. Zero data leaves your machine (static mode). 21 CFR Part 11 electronic signatures. AGPL-3.0 — every line of code inspectable.
The QMSR transition deadline has passed. The question is no longer whether to comply, but how quickly and at what cost. The commercial QMS market charges $15,000 to $150,000 per year for tools that are opaque, vendor-locked, and cloud-only. The consulting market charges $10,000 to $50,000 for gap assessments that are stale by the time you read them.
QAtrial provides ISO 13485 gap assessment, design control, GxP workflows, electronic signatures, and AI-powered analysis — for free, on your infrastructure, with source code you can show to your auditor.
The most regulated industries on Earth deserve tools that are accessible, transparent, and adaptable. That is what I built.
Compliance should not be a luxury. The standard is public. The requirements are known. The gap assessment logic can be codified. The only reason it costs $50,000 a year is that someone decided it should.
Thorsten Meyer is an AI strategy advisor and the creator of QAtrial, an open-source quality management platform for regulated industries. He notes that “show the auditor the code” is a feature that no $100,000 proprietary QMS can offer — and that the phrase “vendor lock-in” hits different when your next QMSR audit is in three months. More at ThorstenMeyerAI.com. QAtrial at github.com/MeyerThorsten/QAtrial.
Sources
- FDA — QMSR Effective February 2, 2026; Incorporates ISO 13485:2016 by Reference
- FDA — Quality Management System Regulation FAQ and Guidance
- Morgan Lewis — “February 2, 2026 Is Approaching — Are You QMSR Ready?”
- FDA — ~6,500 Registered Device Manufacturers; 30,000+ EU MDR-Affected
- 360iResearch — Medical Device QMS Software Market: $1.33B (2026), $2.45B (2032)
- Greenlight Guru — Pricing: $15K-$60K+; Doubling for Some Customers (Dec 2025)
- OpenRegulatory — “Greenlight Guru Price: Crazy Increase”
- MasterControl — Enterprise QMS: $50K-$150K+
- Veeva Vault QMS — Cloud-Only (AWS); Enterprise Pricing
- Arena PLM — $50K+/year for Design Control
- ISO 13485:2016 — 27 Clauses; 5 Sections; 7 Critical Clauses
- 21 CFR Part 11 — Electronic Signature Requirements
- GAMP 5 2nd Edition — Risk-Based Approach to Computer System Validation
- QAtrial v3.0 — AGPL-3.0; github.com/MeyerThorsten/QAtrial
- OECD — 5.0% Unemployment, 11.2% Youth, 98.9% Broadband
© 2026 Thorsten Meyer. All rights reserved. ThorstenMeyerAI.com