backOn February 2, 2026, the U.S. Food and Drug Administration’s long-awaited harmonization of the medical device good manufacturing practice regulations with the international ISO 13485 standard, Medical devices – Quality management systems – Requirements for regulatory purposes, went into effect. The new Quality Management System Regulation (QMSR) replaces the old Quality System Regulation (QSR) and incorporates ISO 13485:2016 into 21 C.F.R. Part 820 by reference. With the discontinuation of the QSR, FDA also discontinued its Quality System Inspection Technique (QSIT) Guide, which had structured FDA inspections of device manufacturers for decades. In its place, on January 30, 2026, FDA issued a new Compliance Program, Compliance Program 7382.850, Inspection of Medical Device Manufacturers, to structure and guide FDA Investigators’ inspections of device facilities1Available at https://www.fda.gov/media/80195/download (hereinafter CP 7382.850). . The new Compliance Program also incorporates and supersedes the previous Compliance Program that governed pre- and post-market inspections for Premarket Approval (PMA) devices (former Compliance Program 7383.001). Importantly, the QMSR and the new Compliance Program significantly change how FDA Investigators plan, scope, and execute inspections. The shift from QSIT to ISO aligned, risk based inspections means Investigators now select elements based on firm specific risks, rather than standardized sampling.
For a general discussion of the QMSR, and how it differs from the QSR, please see our February 8, 2024 Client Alert, FDA Aligns U.S. Medical Device Quality System Regulation with International Standards.
FDA’s New Device Inspectional Technique
As explained in the new Compliance Program, FDA groups the elements of the QMSR into six “QMS Areas”: Management Oversight; Production and Service Provision; Design and Development; Change Control; Outsourcing and Purchasing; and Measurement, Analysis, and Improvement. These QMS Areas are joined by four “Other Applicable FDA Requirements” (OAFRs): Medical Device Reporting (21 C.F.R. Part 803); Reports of Corrections and Removals (21 C.F.R. Part 806); Medical Device Tracking (21 C.F.R. Part 821); and Unique Device Identification (21 C.F.R. Part 830). Each QMS Area and each OAFR contains one or more “elements,” or regulatory requirements. Attachment A of the new Compliance Program maps each QMS Area and OAFR to its applicable elements.
The minimum number of elements to be reviewed in each QMS Area and OAFR depends on the risk-based “inspection model” that applies to the inspection: Inspection Model 1 or Inspection Model 2. Initial, baseline surveillance inspections and PMA preapproval inspections follow Inspection Model 2, which requires review of a minimum of 22 elements for non-sterile devices and 23 elements for sterile devices, along with the four OAFRs. All other inspections follow the more abbreviated Inspection Model 1, which, at a minimum, requires review of only one element per QMS Area and OAFR. The following inspections fall under Inspection Model 1: non-baseline surveillance, compliance follow-up, for-cause, specific product risk assignment (SPRA), and PMA postmarket.
Regardless of the Inspection Model being followed, the new Compliance Program directs Investigators to select elements for review by using “critical thinking” and information available before the inspection (e.g., medical device reports (MDRs), recalls, trade complaints) and during the inspection (e.g., complaint files, risk management documentation, servicing data). Investigators are to identify potential product risks associated with the inspected firm’s devices, and to select the related element or elements to be reviewed within the QMS Areas and OAFRs. When reviewing the elements, the new Compliance Program encourages Investigators to request and review records, similar to the inspectional approach taken under the QSIT approach. However, unlike QSIT, the new Compliance Program does not contain sampling tables and does not direct Investigators on the number of records to review.
Both Inspection Models further direct Investigators to review registration and listing information, marketing authorizations, and previous FDA 483 observations and compliance issues. Consistent with the former inspectional approach, the new Compliance Program guides Investigators to document registration and listing issues in the Establishment Inspection Report (EIR), not as an FDA 483 observation. The new Compliance Program also continues the previous approach of only documenting FDA 483 observations related to premarket authorization if concurrence from CDRH is obtained prior to issuing the FDA 483. It also continues the practice of permitting the inspected firm to annotate the FDA 483 observations during the close-out meeting.
It is important to note that the Medical Device Single Audit Program (MDSAP) is unaffected by the QMSR transition and new Compliance Program. As in the past, FDA will forgo routine surveillance inspections of firms that participate in MDSAP. As outlined in this Compliance Program, and similar to the previous Compliance Program, if FDA becomes aware of information, or if concerns are raised by FDA’s review of MDSAP audit outcomes, FDA can conduct compliance follow-up or for-cause inspections at MDSAP-participating manufacturing sites, applying the Inspection Model 2 criteria. In addition, MDSAP-participating sites are also eligible for SPRA and PMA-related inspections.
Important Differences Between QSR And QMSR Inspections
Internal Audits, Supplier Audits, and Management Reviews Are Now Fair Game
FDA had long maintained a policy of not requiring medical device firms to share internal audit reports, supplier audit reports, or the content of management review meetings with Investigators during inspections. This approach was intended to encourage firms to conduct robust audits and thoroughly interrogate their quality systems and those of their suppliers. The logic was that, if a firm knew that FDA would be granted a roadmap to all its shortcomings by reviewing its audit reports, it would not conduct or document robust audits.
Although not stated in the new Compliance Program, with the transition to the QMSR, FDA has eliminated this policy and now considers it to be within Investigators’ inspectional authority to request and review internal audit reports, supplier audits reports, and management review documentation2FDA confirmed this approach in the preamble to the QMSR, 89 Fed. Reg, 7496, 7514 (Feb. 2, 2024).. This approach aligns with that of ISO 13485 auditing bodies, which have not traditionally considered such documentation to be out-of-bounds. Additionally, FDA has always maintained the ability to review the outputs of internal audits and supplier audits (e.g., non-conformances, corrective and preventive actions (CAPAs), supplier corrective action requests). Nevertheless, the change will be significant, and personnel supporting FDA inspections should be made aware of this new approach so that they do not inadvertently refuse a request or limit FDA’s ability to inspect, both of which could be deemed misbranding violations.
Increased Focus on Risk Management
As has been widely discussed in the two years since FDA published the QMSR final rule in February 2024, FDA’s adoption of ISO 13485 puts greater focus on device firms’ risk management processes. The new Compliance Program makes this clear, stating that one of two goals of FDA inspections of device firms is “to evaluate if the manufacturer’s . . . [r]isk management and risk-based decision making are effectively used in the QMS.”3CP 7382.850 at p. 15. Device firms should be prepared to demonstrate to FDA Investigators how the firm incorporates risk management throughout the QMS, not just as part of design controls.
Additionally, the new Compliance Program considers significant deficiencies in risk management processes to be a factor in classifying an inspection as Official Action Indicated (OAI). Like the previous Compliance Program, the new Compliance Program outlines various examples of inspectional findings that could cause the inspection to be considered “Situation 1,” which would result in an OAI classification. FDA identifies multiple new examples of Situation 1 findings related to risk management, as follows:
- “Failure to establish, implement, and/or maintain one or more processes for risk management in product realization.”
- “Information gathered through the feedback process and/or postmarket surveillance is not used as potential input(s) into risk management for monitoring and maintaining the product realization or improvement processes.”
- “Failure to control the design and development of product, including not adequately evaluating changes for risk and impact on product(s) prior to implementation.”
- “Failure to ensure processes, including changes, are adequately monitored, controlled and/or evaluated for risk and impact on products prior to implementation.”4Id. at p 51.
The Changing Prominence of CAPAs in Inspectional Technique?
Previously, under the QSIT approach and the old Compliance Program, Investigators were directed to review CAPA systems in both Level 1 (abbreviated) and Level 2 (comprehensive) inspections. Not surprisingly, CAPA was consistently the regulatory requirement most commonly cited in FDA 483 observations under the QSR. However, under the new Compliance Program, CAPA is only a required element of Inspection Model 2 (i.e., baseline surveillance and PMA pre-approval inspections). Nevertheless, we anticipate that during most Inspection Model 1 inspections, Investigators will continue to assess the firm’s CAPA system and request CAPA records for review, particularly given the importance of CAPA for risk management processes and the QMSR’s focus on risk management.
How To Prepare
FDA’s new inspection process is now live, and FDA Investigators have been trained in the new technique and ISO 13485 requirements. FDA’s implementation of the QMSR marks a significant shift in FDA’s device oversight, with ISO 13485 now serving as the foundation of U.S. quality system requirements. As FDA made clear in the preamble to the QMSR final rule, ISO 13485 certification does not take the place of an FDA QMSR inspection. Further, as evident from the new Compliance Program, FDA is taking its own approach to its ISO-based audits, departing from the more routinized, checklist-based approach that ISO 13485 and MDSAP audits traditionally employ. Therefore, even firms that are already ISO 13485 certified could be in unfamiliar territory during their first QMSR inspection. To prepare, device firms should consider:
- Reviewing the new Compliance Program to ensure that you understand how FDA maps the QMS Areas to the various ISO 13485 clauses (and how those clauses relate to the previous QSR provisions).
- Informing personnel that FDA Investigators now have the authority to review documentation of internal audits, supplier audits, and management reviews.
- Ensuring that front room personnel have a solid grasp on the firm’s risk management processes and can explain them to FDA investigators.
- If not done already, conducting a gap assessment of your firm’s policies and procedures as compared to the QMSR/ISO 13485, and revising documentation to ensure compliance with the QMSR. In addition to substantive changes, this exercise should also include replacing outdated references to regulatory citations in 21 C.F.R. Part 820 and aligning terminology with ISO 13485 (e.g., FDA’s regulations no longer refer to Design History Files, Device Master Records, or Device History Records).
Manufacturers of drug-device and biologic-device combination products should also heed the QMSR and Compliance Program changes. When FDA issued the QMSR in 2024, the Agency also made conforming revisions to 21 C.F.R. Part 4 regarding device good manufacturing practices applicable to combination products. Although the Compliance Program does not provide detailed directions for conducting combination products inspections, firms should expect that FDA will apply relevant QMSR and ISO 13485 inspection principles to inspections of the device components of drug-led and biologics-led combination products.
If you have questions regarding the application of the QMSR or operating under the new Compliance Program, or would like assistance in preparing for a QMSR inspection, King & Spalding would be happy to assist.