A QMSR State of Mind: FDA Adopts New Inspection Approach for Medical Devices as Quality Management System Regulation Takes Effect

Alert
February 17, 2026

On February 2, 2026, FDA’s new Quality Management System Regulation (“QMSR”) for medical devices became effective, two years after FDA’s issuance of a final rule to implement the QMSR. The QMSR replaces the decades-old Quality System Regulation (“QSR”) and incorporates by reference ISO 13485:2016, the international consensus standard for medical device quality management systems used by regulatory authorities in many countries around the world. (For an overview of key takeaways for industry from the QMSR final rule, see our prior Alert.)

FDA’s 2024 final rule did not explain how FDA would apply the QMSR during inspections but promised that an updated inspection approach would be forthcoming. On January 30, 2026—just three days before the QMSR became effective—FDA released a new compliance program manual entitled “Inspection of Medical Device Manufacturers” (CP 7382.850) (the “New Inspection CP”), replacing FDA’s longstanding Quality System Inspection Technique (“QSIT”) guide and previously separate compliance program documents governing inspections of medical device manufacturers (CP 7382.845) and inspections related to premarket approval application (“PMA”) (CP 7383.001) under the QSR (collectively, the “QSR Inspection CPs”).

The New Inspection CP outlines FDA’s updated approach to conducting device manufacturer inspections of all types under the new QMSR. This Alert highlights key takeaways for medical device companies as they prepare for future FDA inspections that will differ in key respects from QSIT inspections to which industry had become accustomed.

Key Changes in the Inspection Process

  1. Replacing the QSIT Subsystems with a Risk-Based Inspection Strategy. Under the QSR, FDA inspections were generally conducted using the QSIT, which categorized the QSR into four major subsystems: Management Controls; Design Controls; Corrective and Preventive Actions; and Production and Process Controls. The New Inspection CP replaces this QSIT-based structure with a risk-based inspection strategy that evaluates compliance with the QMSR and places particular emphasis on areas that pose the greatest risks to the patient or device user. To facilitate this focus on risk, the inspection process organizes the QMSR requirements into six Quality Management System (“QMS”) Areas and four Other Applicable FDA Requirements (“OAFRs”). Each QMS Area and OAFR is composed of one or more “elements” that correspond to various regulatory requirements, and the requirements for those elements are evaluated during inspections. The six QMS Areas and four OAFRs are as follows:
    1. QMS Areas: (i) Change Control; (ii) Design and Development; (iii) Management Oversight; (iv) Measurement, Analysis, and Improvement; (v) Outsourcing and Purchasing; and (vi) Production and Service Provision.
    2. OAFRs: (i) Medical Device Reporting; (ii) Reports of Corrections and Removals; (iii) Medical Device Tracking; and (iv) Unique Device Identification.
  2. Replacing QSIT’s Level Inspection Scheme with Two Inspection Models. The New Inspection CP replaces the QSIT Inspection Levels that were utilized under the QSR. Under the New Inspection CP, FDA investigators will follow one of two inspection models, depending on the type of inspection. Most inspections will follow inspection model 1, in which the investigator is supposed to evaluate a minimum of one element for each QMS Area and OAFR but may choose which element to assess based on their determination of which elements could adversely impact patients and users. Conversely, for the two types of inspections that follow inspection model 2—baseline surveillance inspections (i.e., those where the facility has no prior FDA device inspection or Medical Device Single Audit Program (“MDSAP”) audit and is not enrolled in MDSAP) and PMA preapproval inspections—the New Inspection CP specifies particular elements for each QMS Area and OAFR that should be evaluated as part of the inspection. There are also several general items that investigators are to review as part of both inspection models, including (i) establishment registration and device listings; (ii) marketing authorizations; (iii) previous Form FDA-483 observations and compliance issues; and (iv) any additional instructions provided in the assignment.
  3. Placing Greater Emphasis on Risk Management. Compared with the more compartmentalized inspection framework under QSIT, which emphasized design controls, the New Inspection CP establishes a total product lifecycle inspection program by placing substantially greater emphasis on risk management and requiring manufacturers to integrate risk management throughout product realization. Regardless of which inspection model is used, investigators will review the manufacturer’s risk-related documentation—including, for example, medical device reports, reports of corrections and removals, consumer complaints and customer feedback, total product lifecycle reports, postmarket surveillance data, and servicing data—to more fully understand the applicable product risks and to assess the manufacturer’s ongoing risk controls. One illustration of this heightened focus is the severity with which FDA classifies risk management failures. Specifically, the New Inspection CP provides several new examples of risk management-related inspection findings that would result in the inspection being classified as Official Action Indicated, potentially leading to regulatory action (“Situation 1 Findings”), such as:
    • “Failure to establish, implement, and/or maintain one or more processes for risk management in product realization.”
    • “Failure to monitor, measure, analyze, and improve processes that have demonstrated adverse impact to the finished product and/or to patient safety.”
    • “Failure to adequately analyze data, and/or failure to utilize current risk information that results in a decision not to proceed with formal investigations and/or corrective actions, leading to unmitigated adverse health consequences or nonconformities. This may result from underestimated risk, outdated risk information, or inadequate risk management used to make decisions.”
    • “Information gathered through the feedback process and/or postmarket surveillance is not used as potential input(s) into risk management for monitoring and maintaining the product realization or improvement processes.”
    • “Failure to control the design and development of product, including not adequately evaluating changes for risk and impact on product(s) prior to implementation.”
    • “Failure to ensure processes, including changes, are adequately monitored, controlled and/or evaluated for risk and impact on products prior to implementation.”
  4. Subjecting Management Reviews, Internal Audit Reports, and Supplier Audit Reports to FDA Review. Under the QSR, FDA excluded management reviews, internal quality audit reports, and supplier audit reports from the scope of review during inspections. However, ISO 13485 contains no such exceptions for these types of records. Accordingly, when issuing the QMSR final rule, FDA explained that it would not retain the QSR exceptions but provided little detail as to whether and how frequently these records would be reviewed during FDA inspections in practice.

    The agency has now provided further detail on this point in the New Inspection CP, which explicitly lists management reviews and internal quality audits as elements of QMS Areas. Additionally, FDA makes clear on its QMSR FAQ webpage that supplier audit reports are also subject to FDA review during inspections. Notably, FDA’s Compliance Policy Guide (CPG Sec. 130.300) relating to FDA access to quality assurance audits—which states that “FDA will not review or copy reports and records that result from audits and inspections of the written quality assurance program” during routine inspections—remains on FDA’s website and is listed as current as of February 3, 2026, the day after the QMSR became effective. Although FDA has not formally revised that policy, the webpage now includes a reference to the QMSR final rule and encourages manufacturers to review the current QMSR to ensure compliance with the relevant regulatory requirements. In light of these developments, industry should be prepared for FDA to request copies of management reviews, internal quality audit reports, and supplier audit reports during future FDA inspections, as these sorts of records are now ripe for FDA review.

  5. Formalizing Remote Regulatory Assessments. The New Inspection CP includes an attachment that formalizes the procedures for remote regulatory assessments (“RRAs”) that FDA uses to support its oversight of medical devices and associated establishments. FDA may use RRAs, which are examinations of FDA-regulated establishments and their records that are conducted entirely remotely, in lieu of or in advance of FDA inspections. FDA has been conducting RRAs since the COVID-19 pandemic; however, the QSR Inspection CPs and the QSIT did not detail a framework for remote assessments. The New Inspection CP references a draft guidance, Conducting Remote Regulatory Assessments: Questions and Answers, from July 2022, despite FDA having published a revised version of that guidance document in January 2024 and a final guidance in June 2025. Nonetheless, companies should anticipate increasing use of RRAs by FDA and be familiar with FDA’s processes and expectations for RRAs, as summarized in our prior Alert regarding the June 2025 final guidance.
  6. Expanding Focus of Inspections to Include Cybersecurity. Consistent with the cybersecurity-related statutory reforms enacted as part of the Food and Drug Omnibus Reform Act of 2022, the New Inspection CP calls for inspections to review “cyber devices” and other software-enabled devices to ensure conformity with FDA requirements, including cybersecurity requirements. Failure to comply with these requirements could result in Situation 1 Findings and lead to enforcement actions.

Next Steps

With the release of the New Inspection CP, medical device manufacturers—even those familiar with ISO 13485 and audits under the MDSAP—should take steps to ensure compliance with the QMSR and readiness for future FDA inspections. Companies will need to demonstrate a robust compliance and quality culture that proactively manages risks throughout the product lifecycle. Among other things, companies should review the New Inspection CP and the additional requirements now in effect under the QMSR. They should also closely examine their risk management practices through quality-focused audits and gap assessments of their policies and procedures to ensure compliance with the QMSR. Companies will likely also need to update their quality-related documents to reflect the heightened focus on risk management and conduct revised trainings to ensure that personnel are appropriately prepared for future FDA inspections. In particular, personnel should understand the new focus and scope of FDA inspections as well as the additional quality-related documents that investigators may request.

Overall, the New Inspection CP represents a significant shift in FDA’s inspection framework and includes a number of substantive and procedural changes that will have a material impact on how FDA inspects medical device companies going forward. If you have any questions about the new inspection framework or would like assistance preparing for FDA inspections under the QMSR, please contact any member of our FDA regulatory practice or your usual Ropes & Gray advisor.