5 Training Documentation Gaps FDA Investigators Find Under QMSR
Introduction
On February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) replaced the decades-old Quality System Regulation (QSR) as the governing framework for medical device manufacturing in the United States. Published in the Federal Register on February 2, 2024, the QMSR formally incorporates ISO 13485:2016 by reference — making compliance with that international standard a legal requirement, not a voluntary best practice.
That regulatory shift reshaped how FDA investigators approach inspections. The Quality System Inspection Technique (QSIT), which guided inspectors for decades, was officially retired on February 2, 2026 and replaced by a new risk-based inspection approach described in Compliance Program Manual CP 7382.850. The new framework reorganizes inspection requirements into six Quality Management System areas, places increased emphasis on risk-based decision-making, and — critically for training compliance — explicitly grants FDA investigators access to management review records, internal audit records, and supplier audit reports that were previously shielded from inspection under the QSR.
For medical device quality teams, none of this changes the fundamental requirement that personnel be trained and competent. What has changed is the specificity and breadth of what FDA expects to see documented — and the range of records investigators can now access. Inadequate training records have consistently ranked among the most cited FDA 483 observations for medical device manufacturers, and under the QMSR, the documentation standard is higher.
Download the Free QMSR Training Compliance Checklist: Covers all five gaps with a prioritized, inspection-ready checklist of what FDA investigators audit — and what your records must contain.
What QMSR Changed About Training Documentation
The QMSR’s most significant structural change is the incorporation of ISO 13485:2016 by reference. This means the training requirements that apply to U.S. medical device manufacturers are now drawn from that international standard, not from the condensed language of the former QSR.
ISO 13485 Clause 6.2 — Human Resources — requires that personnel performing work affecting product quality be competent based on appropriate education, training, skills, and experience. Critically, the standard requires organizations to:
- Determine the necessary competence for each role affecting product quality
- Provide training or other actions to achieve or maintain that competence
- Evaluate the effectiveness of the actions taken
- Ensure awareness of the relevance of each person’s activities to quality objectives
- Maintain appropriate records of education, training, skills, and experience
The word competence is the operative term. As Clause 6.2 makes clear, effectiveness evaluation is required — and the methodology must be proportionate to the risk associated with the work. For high-risk processes, read-and-understand signatures alone do not satisfy this requirement.
The other significant change: management review, internal audit, and supplier audit records are now subject to FDA inspection. Under the former QSR, these records were explicitly shielded from investigator review. That protection is gone under the QMSR. If your organization relied on that exemption to conduct candid reviews without creating inspection-ready documentation, the approach requires immediate reassessment.
GAP 1: Incomplete Individual Training Records
What Investigators Look For
The most consistently cited training gap is the most basic: training records that cannot demonstrate what was actually trained, when, on which version of a procedure, or whether the training was effective. An attendance log — name, date, signature — is not a training record under QMSR. It is evidence that someone was present. It is not evidence of competence.
What a Compliant Individual Training Record Must Contain
- Training topic — clearly identified by name or reference
- The exact document title and controlled revision number trained on
- Trainer name and role
- Training date
- Training method (classroom, eLearning, OJT, read-and-understand)
- Documented evidence of effectiveness — assessment score, supervisor sign-off, demonstrated competency evaluation
The controlled revision number is particularly important. An investigator reviewing a nonconformance or CAPA will ask whether the employee was trained on the version of the procedure that was in effect at the time of the event. If the record shows only “SOP-042” without a revision number, the question cannot be answered.
21 CFR Part 11 and Electronic Records
Organizations using electronic training management systems face an additional documentation layer. When training completion is captured electronically, 21 CFR Part 11 applies. A compliant electronic record requires: a validated system, controlled access, full and unalterable computer-generated audit trails, and electronic signatures that include the signatory’s name, the date and time of signing, and the meaning of the signature. A spreadsheet on a shared drive — regardless of how well-maintained — does not meet this standard.
The Role-to-Training Matrix
ISO 13485 Clause 6.2 requires organizations to determine the necessary competence for personnel performing work affecting quality — which means documenting what training each role requires. The Role-to-Training Matrix formalizes this mapping: every quality-affecting role on rows, required training modules on columns. It is the structural baseline against which individual training records are measured. Without it, there is no defined standard — and therefore no way to demonstrate that training is complete.
| ⚠ KEY POINT | If an investigator cannot identify which document revision was trained on, and cannot locate documented evidence that effectiveness was evaluated, the training record is effectively incomplete — regardless of what the employee actually learned. |
GAP 2: Undifferentiated CAPA Training Records
What Investigators Look For
ISO 13485 treats corrective action and preventive action as distinct activities with distinct purposes and, consequently, distinct documentation requirements. A single CAPA training log that lumps corrective and preventive training together — without differentiating the type of action, the originating event, or the cross-reference to the triggering record — does not provide an investigator with the evidence needed to establish that the required training actually occurred in the right context.
Corrective Action Training
Corrective action training responds to a nonconformance that occurred. A compliant record must be cross-referenced to the originating CAPA number and must document what specific procedural or behavioral change was addressed. The training record is evidence that affected personnel were made aware of the nonconformance and trained on the resolution.
Preventive Action Training
Preventive action training responds to an identified risk before a nonconformance occurs. A compliant record must reference the specific risk data, trend analysis, or customer feedback that justified the preventive action. Without that cross-reference, there is no way to establish that training was taken in response to a systematic risk identification activity rather than a general awareness exercise.
The Date Sequencing Requirement
| ✓ CORRECT SEQUENCE
Training completed → CAPA effectiveness verified |
✗ INSPECTION RISK
Effectiveness verified → Training completed after the fact |
If the effectiveness verification date precedes the training completion date, the CAPA closure sequence is internally inconsistent. An investigator reviewing the timeline will observe that training was retroactively documented, which raises questions about the integrity of the entire CAPA record.
GAP 3: Missing Management Review and Supplier Audit Training Trails
What Investigators Look For
This gap is new territory under QMSR. Under the former QSR, management review records, internal audits, and supplier audit reports were shielded from FDA review by an explicit regulatory protection. That protection does not exist in the QMSR. FDA investigators may now access these records during inspections — and they will look for training documentation that supports the activities they describe.
Management Review Participants
Individuals participating in management reviews must be able to demonstrate training on the QMS inputs they are responsible for evaluating. If management review records indicate discussion of QMSR transition status, participants must have documented QMSR transition training on file. If risk management data is reviewed, participants responsible for that analysis must have documented risk management training. The record of the review and the training records of participants must be internally consistent.
Supplier Auditors
ISO 13485 requires organizations to control the quality of outsourced processes and to maintain documented supplier qualification procedures. Individuals conducting supplier audits must have documented qualifications on file demonstrating their competence to conduct those audits. External consultants are not exempt — their credentials and any training they have completed relevant to the audit scope must be retained in the QMS.
| ⚠ KEY POINT | The removal of the management review exemption means records that were previously candid internal discussions are now inspection-ready documents. If your organization hasn’t already adjusted the documentation standards for management review records accordingly, do so before your next inspection. |
GAP 4: Design Control Training Traceability Failures
What Investigators Look For
Design controls have been a persistent source of FDA 483 observations — and the QMSR heightens documentation expectations by requiring that design and development records (now organized as part of the Medical Device File under ISO 13485 terminology) include traceable evidence of who made each decision and on what basis. Three training documentation issues specifically arise in design control inspections.
Design Review Participant Qualifications
Design reviews must document the qualifications of every participant. Additionally, ISO 13485 requires that design reviews include at least one representative independent of the design stage under review. The qualifications of that independent reviewer must be on file — including their training records — and the record must establish their independence from the work being reviewed.
Specialist Activity Training
Personnel conducting specialist activities — risk management analysis, software development for medical devices, human factors engineering, biocompatibility assessment — must have training records tied to the specific standards governing those activities. A general QMS training record does not establish competence for specialist work. The training records must match the activity.
Change Control Training as a Formal Output
When a design change is approved, any training required by that change must be documented as a formal output of the change control process — not completed informally at some later point. The change record and the training records must be internally consistent, and the training must precede any affected activity performed under the changed procedure or specification.
GAP 5: Absence of Documented Good-Faith Compliance Progress
What Investigators Look For
FDA investigators assess not only whether an organization has achieved full QMSR compliance — they assess whether compliance has been pursued systematically. As FDA confirmed in its QMSR FAQ, investigators may review records created before February 2, 2026, and will use those records to evaluate compliance with the QMSR. Organizations that cannot produce auditable documentation of their transition process face a structural disadvantage during inspection: they must explain compliance through verbal assertions rather than demonstrate it through records.
Three Documents That Demonstrate Good-Faith Progress
| Gap Assessment | A written, dated comparative analysis of your existing QMS against QMSR requirements — identifying specific gaps, assigning responsibility for remediation, and establishing target completion dates. This is the foundational document for any defensible compliance narrative. |
| Training Program Master Plan | A formal written plan specifying how training requirements are determined for each role, how effectiveness is evaluated, what criteria constitute satisfactory completion, how retraining is triggered by document revisions and quality events, and how records are retained and controlled. |
| QMSR Transition Status Summary | A current, inspection-ready summary of where your organization stands against each gap identified in the assessment — showing completed items, in-progress items with responsible owners, and target completion dates. One page. Current. Verifiable against underlying records. |
| ⚠ KEY POINT | A verbal explanation of compliance progress is not a record. Under the QMSR, an investigator who cannot find a written Gap Assessment, a Training Program Master Plan, and a current Transition Status Summary has found a documentation gap — regardless of what work was actually done. |
Why Integrated QMS and LMS Architecture Closes These Gaps
The five gaps described in this article share a common architecture problem: they occur when quality management systems and training management systems operate independently. In disconnected systems, the cross-references required by QMSR — training records linked to specific document revisions, CAPA records cross-referenced to training completion dates, design review records connected to participant training files — must be constructed manually.
Manual construction means manual failure. When a procedure is revised and approved in the QMS, a human being must remember to update the LMS, identify affected personnel, assign retraining, and verify completion before the next audit. Each of those steps is a gap opportunity.
When QMS and LMS operate as a single integrated system, document approval automatically triggers training assignment, training records automatically capture the controlled revision number, effectiveness assessments are built into each training record, and CAPA cross-references are established at the time of the quality event — not reconstructed before an inspection.
eLeaP’s integrated QMS and LMS platform was built specifically for this architecture: quality and training in one system, with automatic linkages between quality events and the training records they require.
Summary: Five Gaps and What Closes Them
| Gap | Common Finding | Compliant Solution |
| Gap 1: Personnel Competency Records | Attendance logs without revision number or effectiveness evidence | Six-element ITRs, Role-to-Training Matrix, Part 11-compliant electronic records |
| Gap 2: CAPA Training | Single log without corrective/preventive differentiation or cross-references | Separate records, cross-referenced to originating CAPA, with date sequencing verified |
| Gap 3: Management Review & Supplier Audit Trails | No training documentation for review participants or auditors | Training records for all participants; auditor qualifications in QMS |
| Gap 4: Design Control Traceability | Missing participant qualifications, independence verification, change-triggered training | DHF/MDF includes training records linked to each review stage and change output |
| Gap 5: Good-Faith Compliance Progress | No written documentation of QMSR transition work | Written Gap Assessment, Training Program Master Plan, Transition Status Summary |
Download the Free QMSR Training Compliance Checklist
Covers all five gaps with a prioritized, inspection-ready checklist of what FDA investigators audit — and what your records must contain. Download now.