For nearly three decades, medical device manufacturers preparing for a U.S. Food and Drug Administration (FDA) audit knew exactly what to expect. Investigators would arrive with the Quality System Inspection Technique (QSIT) handbook in hand, systematically auditing four rigid subsystems: Management Controls, Design Controls, Corrective and Preventive Actions (CAPA), and Production and Process Controls.
That era has officially ended.
On February 2, 2026, the FDA’s long-awaited Quality Management System Regulation (QMSR) final rule took effect, formally retiring the old Quality System Regulation (QSR) under 21 CFR Part 820. Alongside this transition, the FDA officially withdrew the 1998 QSIT manual, replacing it with a modernized, risk-based inspection framework under the newly released Compliance Program (CP) 7382.850, Inspection of Medical Device Manufacturers.
For medical device companies, this represents the most significant regulatory and operational shakeup in thirty years. Below, we break down what this change is, why it happened, how it impacts your organization, and what you must do to remain compliant.
From QSIT Subsystems to Risk-Based QMS Areas
Under the new compliance program, the rigid, top-down QSIT structure has been replaced by a flexible, risk-focused inspection strategy. Instead of evaluating four isolated subsystems, FDA investigators now evaluate how a manufacturer’s quality management system functions as a holistic, self-correcting ecosystem.
The FDA has restructured the inspection process into six QMS Areas and four Other Applicable FDA Requirements (OAFRs).
The 6 QMS Areas
- Management Oversight: Evaluates leadership involvement, resource allocation, the Quality Manual, and organizational structure.
- Design and Development: Examines how products are conceptualized, built, and validated.
- Production and Service Provision: Assesses the actual manufacturing and servicing environments.
- Change Control: Audits how modifications to designs, processes, or documents are managed.
- Outsourcing and Purchasing: Evaluates supplier management, purchasing controls, and receiving.
- Measurement, Analysis, and Improvement: Focuses on how data is analyzed to drive continuous improvements.
The 4 Other Applicable FDA Requirements (OAFRs)
In addition to the QMS areas, investigators will assess compliance with specific FDA-specific statutory requirements:
- Medical Device Reporting (MDR)
- Reports of Corrections and Removals (Recalls)
- Medical Device Tracking (if applicable)
- Unique Device Identification (UDI)
Why the Change Happened
The transition to the QMSR and the new inspection model is driven by two primary goals: international harmonization and a focus on risk.
Harmonization with ISO 13485:2016
For years, medical device companies selling globally had to maintain dual compliance tracks—one for the FDA’s QSR and another for ISO 13485 (the international standard for medical device quality management systems). By incorporating ISO 13485:2016 by reference into 21 CFR Part 820, the FDA has aligned its expectations with the rest of the world, reducing redundant regulatory burdens.
Emphasizing Lifecycle Risk Management
The old QSR rarely mentioned the word “risk.” ISO 13485, however, weaves risk management into every phase of a device’s lifecycle. The FDA’s new inspection model mimics this by focusing heavily on how companies assess and mitigate risks to patients and device users, rather than simply checking off procedural boxes.
How the New Inspection Model Works
Under CP 7382.850, investigators will no longer use standardized QSIT sampling
tables. Instead, they will use “critical thinking,” pre-inspection data (like prior recalls or MDRs), and a company’s own risk files to determine what to audit.
The FDA now utilizes two distinct inspection models.
| Inspection Model | Application | Scope of Review |
|---|---|---|
| Model 1 | Routine surveillance, compliance follow-ups, for-cause, and PMA post-market inspections. | The investigator uses product-specific risks to select and review a minimum of one element in each of the six QMS Areas, plus the four OAFRs. |
| Model 2 | Baseline surveillance (firms with no FDA history or not enrolled in MDSAP) and PMA pre-approval inspections. | A much more comprehensive audit. The investigator must review all applicable elements (typically 22 to 23 elements) across all six QMS Areas and the four OAFRs. |
Key Impacts on Medical Device Companies
The transition from QSIT to the new QMSR compliance program brings several critical operational shifts.
Internal Audits and Management Reviews Are No Longer Safe Harbors
Historically, under the old QSR (§ 820.180(c)), the FDA protected internal quality audits, supplier audits, and management review minutes from routine investigator review. This exception has been eliminated. Under the QMSR, these records are now fully reviewable by the FDA. Investigators will look directly at your management reviews and internal audits to see if leadership is actively identifying and addressing systemic quality issues.
The Spotlight is on the Risk Management File
An FDA inspection under the new model will often begin with the investigator asking to see your Risk Management File. They will trace documented risks directly into your design controls, purchasing agreements, and production environments. If a risk is identified in your risk analysis but has no corresponding control in production or purchasing, it will likely trigger a Form 483 observation.
Decreased Obsession with CAPA, Increased Systemic Focus
Under QSIT, the CAPA subsystem was almost always the primary target of an inspection, resulting in CAPA consistently being the most frequently cited deficiency on Form 483s. Under the new model, investigators will look at CAPA (now nested under Measurement, Analysis, and Improvement) in tandem with Change Control and Outsourcing/Purchasing, tracking how post-market data dynamically informs the entire system.
What Companies Need to Do to Remain Compliant
To survive an FDA inspection in the QMSR era, manufacturers should immediately take the following actions.
- Establish a Quality Manual and Medical Device File: ISO 13485 explicitly requires a Quality Manual and a Medical Device File (MDF). If you previously only complied with the QSR, you must draft and implement these documents, ensuring they map out your QMS and reference all relevant procedures.
- Prepare Your Leadership for Management Review Audits: Because management reviews and internal audits are no longer shielded from FDA eyes, ensure your executive team is trained on how to conduct, document, and present these reviews. They must demonstrate a “quality culture” where issues are self-identified and aggressively corrected.
- Conduct a Gap Analysis on Pre-2026 Records: The FDA has stated that they can and will review records created prior to February 2, 2026, to assess current QMSR compliance. Conduct a gap analysis to ensure your legacy design histories, risk files, and device master records align with the new expectations.
- Update Supplier and Outsourcing Controls: Review how you evaluate and monitor suppliers. The new Outsourcing and Purchasing area requires a formal, risk-based approach to supplier selection and oversight that is much more rigorous than the old QSR’s purchasing controls.
- Conduct Mock Audits Using CP 7382.850: Do not let the FDA investigator be the first person to test your system under the new guidelines. Update your internal audit procedures to reflect the six QMS Areas and run mock inspections using both Model 1 and Model 2 frameworks.
The retirement of QSIT marks a shift from rigid, check-the-box compliance to a mature, risk-driven quality culture. By aligning with ISO 13485, the FDA is expecting manufacturers to treat quality not as a department, but as an active, system-wide process. Companies that embrace this holistic approach will ace their next FDA inspection and ultimately deliver safer, more reliable devices to the patients who depend on them.
Your Medical Device Requirements Starts Here
Access, manage, and monitor the regulations and industry standards that your operations rely on. Connect with an expert to streamline your standards management and ensure consistent, up-to-date access across your organization.
