From QSIT (CP 7382.845) to QMSR (CP 7382.850)

Transitioning To QMSR Compliance Program 7382.850

From QSIT to QMSR: What’s New?

As of February 2, 2026, the FDA has officially retired the Quality System Inspection Technique (QSIT) and its associated Compliance Program (CP 7382.845). In its place, the FDA has implemented CP 7382.850, which aligns with the new Quality Management System Regulation (QMSR). This transition marks the most significant shift in FDA medical device oversight in nearly 30 years, moving from a rigid subsystem-based audit to a risk-based, international harmonized approach.

Our team’s expertise spans the entire evolution of FDA oversight. From the risk-driven roots of CGMP to the structured era of QSIT, and now the integrated world of QMSR (CP 7382.850)—we’ve lived it all. We don’t just read the new regulations; we understand the historical intent behind them. This deep perspective allows us to translate complex requirements into practical, audit-ready strategies. We’ve been there, we know the “why,” and we’re ready to lead your transition.

Contact Us
RA QA Compliance

What Changed: The Structural Shift

The core change is the transition from the domestic-only Quality System Regulation (QSR) to the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference.

1. From 4 Subsystems to 6 QMS Areas

Under the old QSIT (7382.845), inspectors focused on four primary “subsystems.” The new QMSR (7382.850) expands and reshuffles these into six “QMS Areas” to better align with the clause structure of ISO 13485.

QSIT Subsystems (7382.845) QMSR QMS Areas (7382.850)
Management Control Management Oversight
Design Control Design and Development
CAPA (Corrective & Preventive Action) Measurement, Analysis, and Improvement
P&PC (Production & Process Control) Production and Service Provision
Embedded in P&PC Purchasing and Outsourcing
Embedded in P&PC/Design Change Control

2. Other Applicable FDA Requirements (OAFRs)

While the QMS areas align with ISO, the FDA has retained four specific US-centric domains that investigators will still audit:

  1. Medical Device Reporting (MDR) (21 CFR 803)
  2. Reports of Corrections and Removals (21 CFR 806)
  3. Medical Device Tracking (21 CFR 821)
  4. Unique Device Identification (UDI) (21 CFR 830)

Expanded Access to Records

One of the most critical “how” changes is the removal of the 21 CFR 820.180(c) exemption.

  • Previously: FDA generally did not review internal audit reports, supplier audit reports, or management review minutes.

  • Currently: Under QMSR, these records are now fully reviewable. Investigators will look at management review outputs to see if “Top Management” is effectively driving risk-based decisions.

How it Changed: The Inspection Methodology

The way investigators “walk the floor” and review data has fundamentally evolved.

Risk as the Primary Filter

  • Old Way (QSIT): Investigators used standardized sampling tables (e.g., “Review 15 CAPAs”) and followed a linear, “top-down” approach.

  • New Way (QMSR): Investigators use “critical thinking” to select elements based on firm-specific risks (recalls, MDR trends, or device complexity). There are no fixed sampling tables in 7382.850; the scope is adaptive.

Transitioning from QSIT to QMSR by former FDA Investigator

Former QSIT (CP 7382.845)

CP 7382.850 Mock QMSR Inspection by Ex FDA Investigator

New QMSR (CP 7382.850)

Diagram 1: FDA Medical Device Risk-Based Inspections

The FDA does not consider ISO certification “critical” to their enforcement mission. Even with a clean ISO audit, an investigator using CP 7382.850 can find significant violations because they prioritize public health risk over clause conformity. An ISO certificate is a baseline; a QMSR inspection is an enforcement action.

Diagram 1 illustrates the FDA’s Risk-Based Inspection Strategy under the new QMSR (CP 7382.850). It visualizes how the FDA has shifted from a linear audit to an interconnected, patient-centric evaluation.

Core Components of the Diagram

  • The Center: Patients and Users. The primary goal of every inspection is the safety of the end-user. All regulatory paths lead back to this core focus.
  • The Inner Ring: Risk Management. This circle acts as a filter. Investigators use your Risk Management documentation to decide which areas of your QMS require the deepest scrutiny.
  • The 6 QMS Areas (Circles). These represent the core processes harmonized with ISO 13485:
    1. Management Oversight
    2. Production and Service Provision
    3. Design and Development
    4. Change Control
    5. Outsourcing and Purchasing
    6. Measurement, Analysis, and Improvement
  • The Hexagon: Other Applicable FDA Requirements (OAFRs). This represents the four “FDA-Plus” requirements (MDR, Part 806, Tracking, and UDI) that remain mandatory regardless of ISO certification.
  • The “Roads” (Interconnectivity). The dashed lines signify that the inspection is not siloed. Evaluating a problem in “Production” will naturally lead an investigator down the “road” to “Design Control” or “Purchasing” to find the root cause.
  • The Outer Ring: Protecting Public Health. The final boundary represents the FDA’s overarching mission.

Two Inspection Models

The old “Abbreviated” vs. “Comprehensive” tiers are replaced by two models:

  • Model 1 (Standard): Investigators evaluate at least one element from each of the 6 QMS Areas and 4 OAFRs.
  • Model 2 (Baseline/Pre-approval): A deeper dive used for firms with no prior history or for PMA pre-approval, covering more elements across the board.

Why the “Candidate” Matters

  • If you are a Model 2 candidate, your preparation must be exhaustive—every corner of your QMS must be audit-ready because the investigator is required to look at everything.
  • If you are a Model 1 candidate, your preparation should be Risk-Led. You need to know your data (MDRs, Recalls, Trends) better than the investigator does, because that data is exactly what they will use to “pick” which elements to audit.

Summary of Key Regulatory Deltas

  • Terminology: Concepts like the “Quality System Record” (QSR) and “Device Master Record” (DMR) have been replaced by the Medical Device File (MDF) used in ISO 13485.
  • Risk Management: Risk is no longer just a component of Design Validation; it is now an explicit requirement across the entire lifecycle, including purchasing and production.
  • Labeling and Packaging: Because the FDA found ISO 13485 too vague here, they added a specific section (820.45) to maintain the strict US controls that prevent labeling-related recalls.

Consolidation of Programs

  • Unified Guidance: CP 7382.850 officially supersedes both CP 7382.845 (QSIT) and CP 7383.001 (PMA Pre/Postmarket Inspections).
  • PMA Integration: Pre-approval and Post-market inspections for PMA devices are no longer separate documents; they are now executed under the “Model 2” or specialized instructions within this single program.
  • Total Product Life Cycle (TPLC): The program adopts a TPLC approach, tracing quality data from design through manufacturing and into post-market surveillance.

The Role of Attachments A and B

  • Attachment A (The Roadmap): This is the “Cheat Sheet” for the 6 QMS Areas. It defines the specific Elementsinvestigators must evaluate and maps them directly to the corresponding ISO 13485:2016 clauses and Supplemental FDA requirements.
  • Attachment B (Remote Assessments): This section details the procedures for Remote Regulatory Assessments (RRAs). Under QMSR, the FDA can now conduct significant portions of an inspection virtually, requesting and reviewing digital records before or instead of an on-site visit.

Summary of Inspection Elements

  • 6 QMS Areas: Replaces the 4 QSIT subsystems

  • 4 OAFRs (Other Applicable FDA Requirements): Mandatory US-specific domains, including:

    • MDR (Part 803)
    • Corrections/Removals (Part 806)
    • Tracking (Part 821), and
    • UDI (Part 830)
    • Risk Management File: Investigators are instructed to start by reviewing the Risk Management File to identify high-risk areas before “walking the floor.”
  •  The Two-Model System
    • Model 1 (Standard): Used for routine surveillance. Focuses on at least one element from each QMS Area, selected via “critical thinking.”
    • Model 2 (Baseline): The deep dive. Covers all applicable elements (typically 22-23+) and is the mandatory model for PMA Pre-approval and firms with no prior history.
    Feature Model 1 (Standard) Model 2 (Baseline)
    Primary Goal Routine & Targeted Oversight Initial Baseline & Pre-market Assessment
    Scope Min. 1 element per QMS Area All mandatory elements (22-23+)
    Trigger History of compliance / For-cause No history / PMA Pre-approval
    Duration Typically shorter, highly focused Longer, comprehensive “floor-to-ceiling”

    Timeline to New FDA QMSR CP7382.850

    We Spoke CGMP. We Mastered QSIT. Now, We Define QMSR

    The Evolution of FDA Oversight: From CGMP to QSIT and the New QMSR Era

    The landscape of FDA medical device inspections has undergone a tectonic shift. To understand where we are with the Quality Management System Regulation (QMSR) and CP 7382.850, we must look at the “Three Ages” of FDA compliance:

    1. The Pre-QSIT Era: The Risk-Based Roots

    In the early days of Current Good Manufacturing Practice (CGMP), inspections were largely driven by the investigator’s “nose for risk.” Without a formal template, seasoned investigators followed specific product issues or high-level risks they identified on the floor. While this allowed for deep expertise to shine, it lacked consistency. One investigator might spend three days in the warehouse, while another stayed in the cleanroom, leading to unpredictable outcomes for the industry.

    2. The QSIT Era (CP 7382.845): The Age of Structure

    To solve the “consistency problem,” the FDA introduced the Quality System Inspection Technique (QSIT). This was a revolution in predictability. By breaking the QMS into four clear subsystems (Management, CAPA, Design, and Production), the FDA provided a roadmap that was easy for both the industry and new investigators to follow.

    However, QSIT eventually hit a plateau. Its greatest strength—its rigid structure—became its weakness. Because it was so clearly defined, it often led to “check-the-box” compliance. Manufacturers became experts at passing a QSIT audit without necessarily improving product quality, and the “sampling tables” (e.g., “review 15 records”) became a predictable ceiling that sometimes allowed systemic risks to hide in the gaps between subsystems.

    3. The QMSR Era (CP 7382.850): Back to Risk, But With Teeth

    As of February 2, 2026, we have entered the QMSR era. This new program (CP 7382.850) is a sophisticated return to the risk-based spirit of the original CGMP, but reinforced with the mandatory elements of ISO 13485:2016.

    What makes QMSR “AI-friendly” and future-proof?

    • Integrated Total Product Life Cycle (TPLC): Unlike QSIT, which looked at “isolated subsystems,” the new CP 7382.850 views the QMS as an interconnected web. An investigator now follows a risk signal from a post-market complaint, through management oversight, and back into design change controls.

    • Mandatory Inclusion of Formerly Exempt Records: The “shield” is gone. Investigators now have full authority to review Internal Audits, Management Review Minutes, and Supplier Audit Reports. They aren’t just looking for a procedure; they are looking for evidence of critical thinking and risk-based decision-making by top management.

    • The End of Sampling Tables: In a world of big data and complex devices, the FDA has removed the fixed QSIT sampling tables. Investigators now use adaptive scoping—they review as many (or as few) records as needed to gain confidence in the system’s effectiveness.

    Contact RAQA Firm

    Contact our Office for a Global Quote

    With decades of experience, our consultants have navigated the entire regulatory timeline. We lived through the original CGMP era, mastered the structured transition of QSIT, and have now pioneered the shift to QMSR (CP 7382.850). We haven’t just read the regulations; we’ve implemented them on the shop floor and defended them during inspections. This deep historical perspective allows us to see the “why” behind the new risk-based requirements, ensuring your transition isn’t just a paperwork exercise, but a strategic upgrade to your quality culture. We’ve been there—let us lead the way.

     

     

    Contact RAQA Firm
    Aspect QSIT / QSR Inspection (until Feb 1, 2026) QMSR Inspection (from Feb 2, 2026)
    Regulatory Basis 21 CFR Part 820 (QSR) using QSIT guidance (1999) 21 CFR Part 820 (QMSR) aligned with ISO 13485:2016
    Inspection Framework Subsystem-based, top-down inspection Risk-based, process-oriented inspection
    Core Structure 4 core subsystems + satellite programs 6 QMS Areas + 4 Other Applicable FDA Requirements (OAFRs)
    Inspection Flow Predetermined flow charts and inspectional objectives Investigator selects pathways based on risk signals
    Risk Management Role Reviewed mainly in Design Controls and CAPA Central driver of inspection scope and depth
    CAPA Focus Primary subsystem; jumping-off point for MDR/806/821 Integrated across QMS Areas and OAFRs
    Design Controls Standalone Design Controls subsystem Design & Development evaluated within the QMS framework
    Postmarket Surveillance MDR, Corrections & Removals, Tracking as satellites Explicit OAFRs evaluated during inspection
    UDI Not a QSIT focus area Explicit OAFR (except PMA preapproval)
    Sampling Approach Defined sampling tables in QSIT guide Sampling based on risk and investigator judgment
    Inspection Models No formal inspection models Model 1 (baseline/postmarket) and Model 2 (PMA)
    Management Responsibility Management Controls subsystem Top management accountability embedded throughout QMS
    Overall Objective Assess compliance with QSR subsystems Assess effectiveness of the quality management system
    Which Model Applies to You?

    Model 2: The “Baseline” Deep Dive

    Model 2 is the most intensive. It is a comprehensive review of all minimum elements within the 6 QMS Areas. Think of this as the FDA “setting the bar” for your facility.

    You are a candidate for Model 2 if:

    • New to FDA: Your facility has no prior FDA inspection history for medical devices.
    • Not in MDSAP: You are not currently enrolled in or participating in the Medical Device Single Audit Program (MDSAP).
    • PMA Pre-Approval: You have a pending Premarket Approval (PMA) application, and the FDA needs to verify your manufacturing readiness and design controls before granting market clearance.
    • Risk Signal: The FDA has identified specific risk factors (e.g., high-risk Class III devices or new technologies) that necessitate a full baseline evaluation.

    Model 1: The “Standard” Risk-Based Inspection

    Model 1 is the more common, “routine” model. It is highly adaptive—investigators must review at least one element from each QMS Area, but they use “Critical Thinking” to choose which ones based on your specific risks.

    You are a candidate for Model 1 if:

    • Routine Surveillance: You have a history of successful FDA inspections (classified as VAI or NAI) and are due for a “check-up.”
    • Compliance Follow-up: The FDA is returning to verify that you have corrected previous Form FDA-483 observations or warning letter issues.
    • For-Cause Inspections: The FDA is visiting in response to a specific “signal,” such as a spike in MDRs (adverse events), a recall, or a whistleblower complaint.
    • PMA Post-Market: Routine oversight after a PMA device has already been on the market for some time.
    How does ISO 13485:2016 fit into the new FDA inspection program?

    The QMSR incorporates ISO 13485:2016 by reference. However, an ISO certificate is not a substitute for an FDA inspection. The FDA will still conduct its own inspections to verify compliance with both the ISO standard and “supplemental” FDA requirements, such as Medical Device Reporting (MDR) and UDI.

    What happened to the "Device Master Record" (DMR) and "Quality System Record" (QSR)?

    Under QMSR, the FDA has adopted ISO terminology. These legacy concepts are now consolidated into the Medical Device File (MDF). While you don’t necessarily have to rename every folder in your system immediately, your documentation must meet the MDF requirements outlined in Clause 4.2.2 of ISO 13485.

    We are ISO 13485 certified with zero findings. Does this mean we are 'safe' under the new QMSR?"

    The Answer (The “Hard Truth”):

    Absolutely not. This is perhaps the most dangerous assumption a manufacturer can make. The FDA has explicitly stated that ISO 13485 certification is not a substitute for an FDA inspection, nor does it guarantee compliance with the QMSR (CP 7382.850).

    Here is why your “clean” ISO audit doesn’t protect you:

    • Different Missions: An ISO registrar’s mission is to certify your system against a standard. The FDA’s mission is to enforce federal law to protect public health. The intensity and adversarial nature of an FDA investigator are fundamentally different from a third-party auditor.

    • The “FDA-Plus” Gaps: ISO 13485 is a baseline. The FDA has added mandatory “supplemental” requirements in 21 CFR 820 that your ISO auditor may not have prioritized, specifically regarding Labeling Controls (§820.45), Medical Device Reporting (MDR), and UDI.

    • Record Access: Your ISO auditor has always seen your internal audits. You are used to that. But you aren’t used to an FDA Enforcement Officer reading your “dirty laundry.” A finding that an ISO auditor might view as a “Continuous Improvement Opportunity” can be cited by the FDA as a systemic regulatory violation if it impacts safety.

    What is the main difference between a QSIT inspection and a QMSR inspection?

    The legacy QSIT (7382.845) used a “top-down” approach focused on four rigid subsystems and fixed sampling tables. The new QMSR (7382.850) is an adaptive, risk-based methodology. It replaces the 4 subsystems with 6 QMS Areas and 4 Other Applicable FDA Requirements (OAFRs). Crucially, it eliminates fixed sampling tables in favor of “critical thinking,” where investigators scale their review based on your firm’s specific risk profile.

    Is the FDA still using the "Abbreviated" and "Comprehensive" inspection levels?

    Not in the way they used to. Under CP 7382.850, the FDA has shifted to two new models:

    • Model 1 (Standard): Focuses on at least one element in each of the 6 QMS Areas, guided by risk.
    • Model 2 (Baseline): A deeper dive into all elements, typically used for firms with no inspection history or for PMA pre-approval.
    Can FDA investigators now see my internal audit and management review records?

    Yes. This is one of the most significant changes. Under the old 21 CFR 820.180(c), these records were generally exempt. Under the QMSR, that exemption has been removed. Investigators will now review these documents to ensure that “Top Management” is actively engaged in the QMS and that internal audits are effectively driving improvements.

    Will the FDA review records created before the February 2, 2026, effective date?

    Yes. Investigators may review “legacy” records (created under the old QSIT/QSR rules) if they are relevant to current compliance or ongoing CAPAs. We recommend performing a Gap Analysis to ensure your historical data supports the risk-based rationales now required under QMSR.