- Office-hours : 9:00 AM to 5:00 PM USA CST
On February 2, 2026, FDA formally implemented Compliance Program 7382.850 – Inspection of Medical Device Manufacturers, aligned with the new Quality Management System Regulation (QMSR).
This program replaces the prior inspection model that industry knew well: QSIT (Quality System Inspection Technique).
For device manufacturers, regulatory professionals, and quality leaders, understanding this shift is critical. This is not just a procedural update — it reflects a fundamental evolution in FDA’s inspection philosophy.
Let’s break it down.
According to the program background, CP 7382.850 provides instruction to FDA staff for inspections and enforcement activities related to:
The new QMSR (21 CFR Part 820)
ISO 13485:2016 incorporation by reference
MDR (21 CFR 803)
Corrections & Removals (21 CFR 806)
Device Tracking (21 CFR 821)
Registration & Listing (21 CFR 807)
UDI requirements (21 CFR 801 & 830)
PMA preapproval and postmarket inspections
MDSAP integration
Importantly, this compliance program supersedes the prior 2023 device inspection program and the standalone PMA inspection program.
It introduces a Total Product Lifecycle (TPLC) inspection framework and embeds risk management and benefit-risk decision-making directly into inspection activities.
That’s a major philosophical shift.
Under QSIT, inspections focused on four subsystems:
Management Controls
Design Controls
CAPA
Production & Process Controls
The new QSMR inspection model reorganizes inspections into:
Management Oversight
Design and Development
Production and Service Provision
Change Control
Measurement, Analysis, and Improvement
Outsourcing and Purchasing
Medical Device Reporting (MDR)
Corrections and Removals
Medical Device Tracking
Unique Device Identification (UDI)
These are illustrated in the risk-based inspection diagram (Part III, Diagram 1), where:
Patients and users sit at the center
Risk management surrounds them
QMS Areas connect dynamically
This visual alone signals the transformation.
QSIT was subsystem-driven.
QSMR inspections are risk-flow driven.
Under QSMR, ISO 13485:2016 is incorporated by reference and carries the force of law.
QSIT operated under the legacy Quality System Regulation (1996 version).
QSMR inspections now:
Evaluate ISO 13485 clauses directly
Integrate risk-based thinking as a structural requirement
Evaluate process linkages across the QMS
This is harmonization — but with FDA-specific clarifications layered on top.
CP 7382.850 introduces two inspection models:
Inspection Model 1 – Used for surveillance, for-cause, compliance follow-up
Inspection Model 2 – Used for baseline and PMA preapproval inspections
Model 1 requires evaluation of at least one element in each QMS Area and each OAFR.
Model 2 is more prescriptive and requires evaluation of specific elements within each QMS Area.
QSIT did not operate with structured “inspection models” tied to assignment type in this manner.
This creates greater inspection predictability — but also deeper cross-functional evaluation.
The program explicitly states that inspections encompass a Total Product Lifecycle assessment.
That means inspectors are expected to connect:
Design risk management
Production validation
Postmarket surveillance
MDR trends
Corrections and removals
UDI data
GUDID records
Recall history
QSIT focused more heavily on subsystem adequacy at a point in time.
QSMR integrates lifecycle signals into inspection targeting.
The program outlines specific pre-inspection and during-inspection data sources to identify risks, including:
MDRs
Corrections and removals
GUDID records
Consumer complaints
Total Product Lifecycle reports
Investigators are explicitly instructed to:
Use critical thinking to identify risks that could adversely impact patients and/or users.
QSIT included risk-based thinking — but not this structured pre-inspection signal integration.
The program clearly explains how FDA will:
Utilize MDSAP audit reports
Substitute MDSAP reports for routine surveillance inspections
Still retain authority for non-surveillance inspections
QSIT predated full operational MDSAP reliance.
This reflects international regulatory convergence.
Under FDORA and Section 524B requirements, cybersecurity expectations are explicitly acknowledged within the inspection framework.
Cyber devices must meet statutory cybersecurity requirements.
This was not a structured QSIT focus area.
The QSMR preamble commentary is referenced in the compliance program, emphasizing:
Top management responsibility
Integration of QMS processes
Culture of quality
QSIT evaluated management controls.
QSMR evaluates management accountability within a risk-integrated culture framework.
That’s broader.
If you are preparing for an FDA inspection under CP 7382.850:
You should expect:
Cross-process traceability questioning
Risk management file reviews tied to production records
MDR and complaint trending tied back to design inputs
Purchasing controls evaluated against risk classification
UDI system verification
Explicit lifecycle linkage discussions
Subsystem silos will not survive inspection scrutiny.
Process integration must be demonstrable.
QSIT was structured, methodical, and subsystem-based.
CP 7382.850 is:
Risk-centric
Lifecycle-oriented
ISO 13485–aligned
Signal-driven
Internationally harmonized
Explicitly tied to patient risk
This is not simply “QSIT renamed.”
It is a modernization of FDA’s medical device inspection architecture.
And in 2026, inspection readiness requires not just procedural compliance — but demonstrable integration of risk management across the entire QMS.
Organizations that still prepare using a QSIT-only mindset are already behind.