<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="https://www.cloudtheapp.com/wp-content/plugins/rss-feed-styles/public/template.xsl"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:rssFeedStyles="http://www.lerougeliet.com/ns/rssFeedStyles#"
>

<channel>
	<title>FDA inspection 2026 Archives | Cloudtheapp</title>
	<atom:link href="https://www.cloudtheapp.com/tag/fda-inspection-2026/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cloudtheapp.com/tag/fda-inspection-2026/</link>
	<description>Configurable Quality Management &#38; Regulatory Compliance SaaS built on our Validated &#34;No-Code&#34; platform.</description>
	<lastBuildDate>Mon, 08 Jun 2026 00:05:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>/wp-content/uploads/3.svg</url>
	<title>FDA inspection 2026 Archives | Cloudtheapp</title>
	<link>https://www.cloudtheapp.com/tag/fda-inspection-2026/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How the FDA Conducts QMSR Inspections: What Quality Teams Need to Know in 2026</title>
		<link>https://www.cloudtheapp.com/how-the-fda-conducts-qmsr-inspections-what-quality-teams-need-to-know-in-2026/</link>
		
		<dc:creator><![CDATA[Cloudtheapp Inc.]]></dc:creator>
		<pubDate>Mon, 08 Jun 2026 00:05:15 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[21 CFR Part 820]]></category>
		<category><![CDATA[FDA 483 observations]]></category>
		<category><![CDATA[FDA inspection 2026]]></category>
		<category><![CDATA[FDA QMSR]]></category>
		<category><![CDATA[medical device inspection]]></category>
		<category><![CDATA[QMSR inspection]]></category>
		<category><![CDATA[Quality Management System Regulation]]></category>
		<guid isPermaLink="false">https://www.cloudtheapp.com/how-the-fda-conducts-qmsr-inspections-what-quality-teams-need-to-know-in-2026/</guid>

					<description><![CDATA[<p>The FDA's new QMSR inspection framework under CP 7382.850 has replaced QSIT. Discover how investigators approach inspections in 2026, what records they now request, and what triggers an OAI classification.</p>
<p>This post was created by and first appeared on <a href="https://www.cloudtheapp.com">Cloudtheapp</a></p>
]]></description>
										<content:encoded><![CDATA[<h1>How the FDA Conducts QMSR Inspections: What Quality Teams Need to Know in 2026</h1>
<h2>TLDR</h2>
<p>The FDA&#39;s Quality Management System Regulation (QMSR) became effective February 2, 2026, replacing the decades-old Quality System Regulation (QSR). Alongside this shift, FDA retired its Quality System Inspection Technique (QSIT) and launched a new risk-based inspection framework under Compliance Program 7382.850. Inspectors now open by reviewing your risk management file, not a checklist of four subsystems. Management reviews, internal <a href="https://www.cloudtheapp.com/glossary-audits/">audits</a>, and supplier audit reports are all now fair game for FDA review. Risk management failures are explicitly listed as triggers for Official Action Indicated (OAI) classifications. If your QMS was built around the old QSIT playbook, your inspection-readiness strategy needs a serious update in 2026.</p>
<p>February 2, 2026 was not just a regulatory compliance deadline. It was the day FDA rewired how it inspects medical device manufacturers.</p>
<p>The new Quality Management System Regulation replaced the Quality System Regulation that had governed device manufacturing practices for more than 25 years. But the change that matters most for quality teams is not what the regulation says. It is how FDA investigators now walk through your facility, what records they request first, and which findings send your inspection outcome straight to Official Action Indicated.</p>
<p>This article walks through the new QMSR inspection framework in practical terms, from how investigators prepare before they arrive to what you should have ready the moment they do.</p>
<h2>What Changed on February 2, 2026</h2>
<p>The QMSR amends 21 CFR Part 820 by incorporating ISO 13485:2016 by reference. Instead of a written requirement for each element of your quality system, the regulation now points to the corresponding ISO 13485 section. The result is a shorter Part 820 text that harmonizes U.S. device quality requirements with the global standard used by regulatory authorities across Canada, Europe, Japan, and Australia.</p>
<p>On the same day the QMSR took effect, FDA released Compliance Program 7382.850, the new Inspection of Medical Device Manufacturers program. This document replaced both the QSIT guide and the separate compliance programs that had previously governed premarket approval (PMA) inspections and routine surveillance inspections.</p>
<p>The QSIT organized FDA inspections around four subsystems: Management Controls, Design Controls, Corrective and Preventive Actions, and Production and Process Controls. Under the new CP 7382.850, that structure is gone. In its place is a six-area framework driven entirely by product risk to patients and users.</p>
<h2>How the New QMSR Inspection Framework Is Structured</h2>
<p>The new framework organizes QMSR compliance review into six Quality Management System Areas and four Other Applicable FDA Requirements (OAFRs).</p>
<p>The six QMS Areas are:</p>
<ul>
<li><strong>Management Oversight</strong> (includes management review records and medical device file)</li>
<li><strong>Measurement, Analysis, and Improvement</strong> (includes complaint handling, internal audits, corrective action, preventive action, and control of nonconforming product)</li>
<li><strong>Design and Development</strong> (includes design inputs, outputs, review, verification, validation, software validation, and design transfer)</li>
<li><strong>Change Control</strong> (product and process changes)</li>
<li><strong>Outsourcing and Purchasing</strong> (supplier controls)</li>
<li><strong>Production and Service Provision</strong> (manufacturing controls, identification, traceability)</li>
</ul>
<p>The four OAFRs that apply to every inspection are: Medical Device Reporting (MDR), Reports of Corrections and Removals, Medical Device Tracking (where applicable), and Unique Device Identification (UDI).</p>
<h3>The Two Inspection Models</h3>
<p>FDA uses two inspection models depending on the inspection type.</p>
<p>Model 1 applies to non-baseline surveillance inspections, compliance follow-up inspections, for-cause inspections, Specific Product Risk Assignment (SPRA) inspections, and PMA post-market inspections. Under Model 1, the investigator selects at least one element from each of the six QMS Areas, guided by the specific risks identified for the products under review.</p>
<p>Model 2 applies to baseline surveillance inspections and PMA pre-approval inspections. Under Model 2, all applicable elements within each QMS Area are reviewed. This is the more comprehensive inspection model and the one that presents the highest documentation exposure for manufacturers.</p>
<h2>How FDA Investigators Prepare Before They Arrive</h2>
<p>This is the part most quality teams underestimate.</p>
<p>Under the old QSIT model, investigators generally arrived and began working through the four subsystems based on what they found on the floor. Under CP 7382.850, FDA investigators review external information before they enter your building.</p>
<p>That pre-inspection review includes medical device reports (MDRs), trade complaints, reports of corrections and removals for similar products, and any prior inspection history for your facility. The objective is to build a product-specific risk profile before the investigator sets foot on your manufacturing floor.</p>
<p>On arrival, the investigator then opens your risk management file. This is the new starting point. According to CP 7382.850, the identified product-specific risks from your file are &quot;used to evaluate whether a manufacturer is meeting requirements.&quot; The risk management file effectively becomes the roadmap for the entire inspection.</p>
<p>The practical implication: if your risk management documentation is incomplete, inconsistent with your actual manufacturing practices, or has not been updated to reflect recent changes, the investigator identifies those gaps in the first hours of the inspection, and every subsequent step is colored by that finding.</p>
<h2>What Records FDA Now Requests That Were Off-Limits Before</h2>
<p>One of the most consequential changes under QMSR is the elimination of the record exemptions that existed under the QSR.</p>
<p>Under the old Quality System Regulation, FDA was explicitly prohibited from reviewing three categories of records during inspections: management review records, internal quality audit reports, and supplier audit reports. These were considered confidential quality assurance records.</p>
<p>The QMSR removes all three exemptions. ISO 13485 contains no such carve-outs, and when FDA incorporated ISO 13485 by reference, it carried this change directly into U.S. federal law.</p>
<p>Under the new framework:</p>
<ul>
<li><strong>Management review records</strong> are a named element within the Management Oversight QMS Area. They are now a standard inspection item.</li>
<li><strong>Internal audit reports</strong> appear under the Measurement, Analysis, and Improvement Area. FDA investigators can request, review, and copy them.</li>
<li><strong>Supplier audit reports</strong> are subject to FDA review and are explicitly called out on FDA&#39;s QMSR FAQ page.</li>
</ul>
<p>FDA&#39;s legacy Compliance Policy Guide (CPG Sec. 130.300), which stated that FDA &quot;will not review or copy reports and records that result from audits and inspections of the written quality assurance program&quot; during routine inspections, remains on FDA&#39;s website as of early 2026. FDA has not formally rescinded it. However, the page now includes a reference to the QMSR final rule, and the legal reality is that the new regulation supersedes the older policy in practice.</p>
<p>Quality teams should treat all three record categories as reviewable in any inspection conducted after February 2, 2026.</p>
<h2>What Triggers a Form 483 Under QMSR</h2>
<p>An <a href="https://www.cloudtheapp.com/glossary-fda-form-483-inspection-observation/">FDA Form 483</a> documents inspectional observations, meaning conditions or practices the investigator observed that may constitute violations of FDA regulations. Under the new QMSR inspection framework, several categories of findings are explicitly listed as triggers for an Official Action Indicated (OAI) classification, which is the most serious outcome and the one most likely to result in a warning letter or enforcement action.</p>
<p>CP 7382.850 lists the following risk management failures as Situation 1 findings, meaning they automatically move the inspection toward OAI:</p>
<ul>
<li>Failure to establish, implement, or maintain one or more processes for risk management in product realization</li>
<li>Failure to monitor, measure, analyze, and improve processes that have demonstrated adverse impact to finished product or patient safety</li>
<li>Failure to adequately analyze data, or failure to use current risk information, resulting in a decision not to proceed with formal investigations or corrective actions, where that failure leads to unmitigated adverse health consequences or nonconformities</li>
<li>Feedback and postmarket surveillance data not used as inputs into risk management for monitoring and maintaining product realization processes</li>
<li>Failure to control design and development of product, including inadequate evaluation of changes for risk and impact prior to implementation</li>
<li>Failure to ensure processes, including changes, are adequately monitored, controlled, or evaluated for risk and impact on products prior to implementation</li>
</ul>
<p>In addition, cybersecurity has entered the inspection scope for the first time. CP 7382.850 requires investigators to assess &quot;cyber devices&quot; and other software-enabled medical devices for conformity with FDA cybersecurity requirements. Failure to comply is classified as a Situation 1 finding eligible for OAI treatment.</p>
<p>The pattern across all of these triggers is consistent: risk management failures are the new priority. Under the QSIT, design controls were the primary focus. Under CP 7382.850, the question at every step is whether risk has been identified, evaluated, controlled, and kept current.</p>
<h2>Six High-Priority Records to Have Ready for Any QMSR Inspection</h2>
<p>Quality teams preparing for a QMSR inspection should ensure the following records are organized, current, and retrievable within the first day of an inspection:</p>
<p><strong>Risk management file.</strong> This is the document investigators read first. It must be complete, up to date, and consistent with your current manufacturing processes and product configuration.</p>
<p><strong>Management review records.</strong> These are now a named inspection element. They must reflect systematic, documented review of QMS performance at planned intervals, with clear inputs, outputs, and follow-up actions.</p>
<p><strong>Internal audit reports.</strong> All internal audit records, including the scope, findings, <a href="https://www.cloudtheapp.com/glossary-audit-finding/">audit findings</a>, and corrective actions taken, are now reviewable. Audits that show findings without documented closure are particularly high-risk.</p>
<p><strong>CAPA records.</strong> While CAPA is no longer a standalone mandatory element in Model 1 inspections, corrective and preventive action processes appear as elements within Measurement, Analysis, and Improvement. <a href="https://www.cloudtheapp.com/glossary-root-cause-investigation/">Root cause investigation</a> records must show genuine analysis, not just conclusion statements.</p>
<p><strong>Complaint handling and feedback records.</strong> FDA investigators will look for evidence that complaints and postmarket feedback are feeding back into risk management. Complaint records that sit in a database without documented risk review are a 483 vulnerability.</p>
<p><strong>Change control records.</strong> Under both the Change Control QMS Area and the Design and Development Area, any product or process change must show documented evaluation of risk and impact prior to implementation. Undocumented or inadequately evaluated changes are among the most common 483 subjects.</p>
<h2>What QMSR Compliance Looks Like in Practice</h2>
<p>The shift from QSIT to CP 7382.850 is a shift in philosophy, not just structure. QSIT organized compliance into boxes. CP 7382.850 asks a single question across every box: does your organization actually understand and manage product risk throughout the product lifecycle?</p>
<p>That question demands a quality system with living documentation. Risk management files that are updated when products change. Internal audits that reflect honest findings. Management reviews that show leadership is genuinely engaged. Supplier controls that extend to audit reports, not just approved supplier lists.</p>
<p>For manufacturers that have been operating under ISO 13485 for international markets, this transition is largely familiar territory. For manufacturers whose QMS was built around QSR requirements alone, the gap is material.</p>
<p>The specific areas that require immediate attention for most manufacturers include: aligning the risk management file structure with ISO 14971 and ensuring it is current; updating internal audit procedures to cover all six QMS Areas; and reviewing whether management review records reflect adequate depth for FDA scrutiny.</p>
<p>An <a href="https://www.cloudtheapp.com/glossary-inspection-plan/">inspection plan</a> that maps your existing records to the six QMS Areas and four OAFRs before your next inspection is not optional. It is how you avoid being reorganized by the investigator&#39;s roadmap instead of your own.</p>
<h2>How Cloudtheapp Supports QMSR Inspection Readiness</h2>
<p>Cloudtheapp is an AI-powered, no-code Quality Management System platform validated for FDA 21 CFR Part 820 (QMSR), ISO 13485:2016, and ISO 9001. It is purpose-built for the inspection environment that CP 7382.850 now defines.</p>
<p>Every QMSR inspection priority maps directly to a Cloudtheapp module:</p>
<p>The <strong>Risk Management</strong> module maintains a centralized, dynamic risk file that links product risks to design controls, process changes, and corrective actions. When FDA investigators ask to see your risk management documentation, the records are traceable, timestamped, and current.</p>
<p>The <strong>Audits</strong> module manages internal audits with structured scope, findings, and closure workflows. All audit records are maintained with a full <a href="https://www.cloudtheapp.com/glossary-audit-trail/">audit trail</a>, making them retrievable and defensible in an FDA review.</p>
<p>The <strong>CAPA</strong> module ties corrective and preventive actions to root cause investigations, complaint records, and risk assessments. Every step is documented and time-stamped.</p>
<p>The <strong>Change Management</strong> module ensures that every product or process change goes through a documented risk evaluation before implementation, precisely the gap that produces the most common 483 observations under the new framework.</p>
<p>The <strong>Complaint Handling</strong> module routes customer feedback and MDR-eligible events directly into risk review workflows, closing the loop between postmarket data and risk management inputs that CP 7382.850 explicitly evaluates.</p>
<p>All records are maintained in a validated, 21 CFR Part 11-compliant environment with electronic signatures and a complete audit trail on every record. That is the difference between being inspection-ready and being caught reorganizing folders the morning the investigator arrives.</p>
<p>Ready to build a QMS that is structured for QMSR inspections from the ground up? <a href="https://www.cloudtheapp.com/demo/">Request a demo of Cloudtheapp</a> and see how quality teams in medical devices, pharma, and biotech use the platform to stay continuously inspection-ready.</p>
<h2>Frequently Asked Questions About QMSR Inspections</h2>
<p><strong>What is the difference between QMSR and QSR?</strong><br />
The Quality Management System Regulation (QMSR) replaced the Quality System Regulation (QSR) on February 2, 2026. The QMSR amends 21 CFR Part 820 to incorporate ISO 13485:2016 by reference, harmonizing U.S. medical device quality requirements with the global standard. The QSR contained prescriptive written requirements for each element of the quality system. Under QMSR, many of those requirements now point to the corresponding ISO 13485 clauses.</p>
<p><strong>Can FDA review internal audit reports under QMSR?</strong><br />
Yes. The QMSR removed the record exemptions that previously protected internal quality audit reports, management review records, and supplier audit reports from FDA inspection. All three categories are now subject to FDA review during inspections conducted under CP 7382.850.</p>
<p><strong>What is CP 7382.850?</strong><br />
Compliance Program 7382.850, released January 30, 2026 and effective February 2, 2026, is the new FDA compliance program manual governing inspections of medical device manufacturers. It replaced the QSIT guide and two prior compliance programs. It establishes the six QMS Areas and four OAFRs that structure all QMSR inspections.</p>
<p><strong>What triggers an OAI classification under QMSR?</strong><br />
CP 7382.850 lists several risk management failures as Situation 1 findings that can lead to an Official Action Indicated classification, including failure to establish or maintain risk management processes, failure to use postmarket data as risk management input, and failure to evaluate changes for risk prior to implementation. Cybersecurity failures on software-enabled devices are also classified as OAI-eligible findings.</p>
<p><strong>Do MDSAP participants need to prepare differently for QMSR inspections?</strong><br />
For manufacturers already participating in the Medical Device Single Audit Program, the transition to CP 7382.850 has limited practical impact, since the MDSAP audit process uses a similar risk-based, process-linked approach. FDA does not conduct routine surveillance inspections for MDSAP-audited manufacturers, though for-cause and compliance follow-up inspections remain in scope.</p>
<p><strong>How should quality teams prepare for their first QMSR inspection?</strong><br />
The most important preparation steps are: review CP 7382.850 in full and map your current QMS documentation to the six QMS Areas; ensure your risk management file is complete, current, and linked to your active products and processes; update internal audit procedures to align with the new framework; and conduct mock audits using the new inspection model as the reference structure.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
