FDA Compliance Program 7382.850: The definitive guide to medical device inspections under QMSR
Beginning February 2, 2026, FDA inspections of medical device manufacturers fundamentally changed. The new Compliance Program 7382.850 (CP 7382.850) replaces both the QSIT methodology and CP 7382.845
Beginning February 2, 2026, FDA inspections of medical device manufacturers fundamentally changed. The new Compliance Program 7382.850 (CP 7382.850) replaces both the QSIT methodology and CP 7382.845, introducing a risk-based, process-focused inspection framework aligned with the Quality Management System Regulation (QMSR). For quality professionals at small-to-mid-size device companies, understanding this new framework isn't optional—your next inspection will be conducted under these rules.
The most critical shift: FDA inspectors will no longer simply verify you have procedures. They will test whether your quality system actually functions as an integrated, risk-driven whole. Management reviews, internal audits, and supplier audit reports—previously exempt under §820.180(c)—are now no longer categorically exempt from FDA inspection. The era of checklist compliance is over.
What CP 7382.850 contains and where to find it
The official CP 7382.850 document is a 78-page compliance program guide available at FDA.gov/media/80195/download, with an implementation date of February 2, 2026. It supersedes both CP 7382.845 (Inspection of Medical Device Manufacturers, issued September 29, 2023) and CP 7383.001 (PMA Pre/Postmarket Inspections, issued March 5, 2012).
The document provides FDA field investigators and Center staff with detailed instructions for conducting inspections under the new QMSR framework. Its structure reflects a total product lifecycle (TPLC) assessment approach, with benefit-risk informed compliance and enforcement decisions.
Key structural components include:
- Part I: Background — covering FDARA 2017, QMSR requirements, premarket approval, and the four Other Applicable FDA Requirements
- Part II: Implementation — inspection procedures, sampling methodology, and risk-based approach
- Attachment A — Tables defining the 6 QMS Areas, OAFRs, elements, and specific regulatory requirements
- Attachment B — Remote Regulatory Assessment procedures under FD&C Act Section 704(a)(4)
New Product Assignment Codes (PACs) structure inspections differently: codes 82850A/42850A cover non-baseline surveillance, 82850B/42850B handle baseline surveillance, 82850G applies to all for-cause inspections, and 83850/83850A cover PMA preapproval and postmarket inspections respectively.
The 6 QMS Areas replace QSIT subsystems entirely
CP 7382.850 organizes QMSR requirements into 6 QMS Areas rather than the 4 major QSIT subsystems. Each area comprises one or more "elements" containing specific regulatory requirements mapped to ISO 13485:2016 clauses.
Management Responsibility (ISO 13485 Clause 5)
What investigators evaluate: Management commitment, quality policy establishment, quality objectives, responsibility/authority/communication structures, and management review processes.
Records reviewed: Management review meeting minutes and outputs, quality policy documentation, organizational charts, job descriptions with authority matrices, quality objectives and metrics, resource allocation decisions, and internal communication records.
Key inspection focus: FDA now expects management review records to demonstrate risk-based discussion, not merely performance metrics. Resource allocation, remediation timing, and supplier actions should reflect stated risk priorities. Investigators will look for evidence that top management integrates quality into business operations—culture of quality, not just documented procedures.
Sample questions: How does top management demonstrate commitment to the QMS? Show me your last three management review records. How do management review outputs drive improvement actions?
Resource Management (ISO 13485 Clause 6)
What investigators evaluate: Provision of adequate resources, personnel competence verification, training effectiveness, infrastructure appropriateness, work environment controls, and contamination control measures.
Records reviewed: Training records with competency assessments, job descriptions specifying competency requirements, training effectiveness verification documentation, equipment maintenance and calibration records, environmental monitoring data, and facility/personnel qualification records.
Key inspection focus: Investigators verify that personnel performing quality-affecting work have documented competence—not just training completion, but demonstrated capability. Environmental controls must be validated and monitored.
Sample questions: How do you determine competency requirements for each role? How do you verify training effectiveness? What environmental controls exist for your manufacturing areas?
Product Realization (ISO 13485 Clause 7)
What investigators evaluate: Planning of product realization, customer-related processes, design and development (all subclauses including inputs, outputs, review, verification, validation, transfer, changes), purchasing, production and service provision, and control of monitoring/measuring equipment.
Records reviewed: Design History Files/Medical Device Files, design reviews, risk management files (ISO 14971 integration), process validation protocols and reports, batch/device history records, equipment qualification records, labeling inspection records, and sterilization validation documentation.
Key inspection focus: This area covers the bulk of traditional design controls and production requirements. FDA-specific addition §820.45 requires labeling and packaging controls including accuracy verification prior to release. Traceability requirements link to UDI (21 CFR Part 830) and device tracking (21 CFR Part 821).
Sample questions: Walk me through your design control process for [specific product]. How are design inputs traced to outputs? Show me your design verification and validation protocols. How do you validate special processes?
Measurement, Analysis, and Improvement (ISO 13485 Clause 8)
What investigators evaluate: Monitoring and measurement processes, customer feedback handling, internal audit program effectiveness, process and product monitoring, control of nonconforming product, data analysis, and the complete CAPA system.
Records reviewed: Internal audit reports and schedules (no longer categorically exempt), complaint files and investigations, CAPA records (identification, investigation, root cause analysis, corrective action, effectiveness verification), nonconformance reports, trend analysis reports, and statistical analysis records.
Key inspection focus: The CAPA system remains critical, but inspectors now evaluate whether corrective and preventive actions are clearly separated, root cause analysis demonstrates appropriate depth, and effectiveness verification is documented. Internal audit programs should evaluate system performance and integration—not just procedure existence—to mirror the rigor of regulatory inspections.
Sample questions: How do you handle nonconforming materials? Show me your internal audit schedule and last three audit reports. What data sources feed into your trend analysis? Show me how you verified effectiveness of [specific CAPA].
Outsourcing and Purchasing (ISO 13485 Clauses 4.1.5 and 7.4)
What investigators evaluate: Outsourcing requirements, supplier qualification criteria, purchasing process controls, purchasing information adequacy, and verification of purchased product.
Records reviewed: Approved Supplier List with qualification criteria, supplier audit reports (no longer categorically exempt), quality agreements with contract manufacturers, supplier qualification records, receiving inspection documentation, supplier performance metrics, and supplier corrective action records.
Key inspection focus: Supplier controls must be risk-proportionate—critical component suppliers require more rigorous oversight than commodity suppliers. Quality agreements with contract manufacturers must clearly define responsibilities. FDA can now review supplier audit reports to verify purchasing controls stated in PMA applications.
Sample questions: How do you qualify and evaluate suppliers? Show me supplier audit reports for [critical supplier]. What quality agreements exist with your contract manufacturers? How do supplier nonconformances feed into your CAPA system?
Change Control (ISO 13485 Clauses 4.2.4 and 7.3.9)
What investigators evaluate: Document control procedures including change management, design and development changes, change validation requirements, and regulatory impact assessment processes.
Records reviewed: Change control procedures, change request/order records, change impact assessments, risk assessments for changes, change validation records, document revision histories, and regulatory submission determination documentation.
Key inspection focus: Investigators evaluate whether changes are assessed before implementation, whether risk impact is analyzed, and whether regulatory submission requirements (510(k), PMA supplement) are properly determined. UDI updates when changes warrant new Device Identifiers must be documented.
Sample questions: How do you evaluate whether a design change requires regulatory submission? Show me your change control procedure and recent change records. How do you assess the risk impact of changes?
The 4 Other Applicable FDA Requirements operate alongside QMS Areas
Beyond the 6 QMS Areas, CP 7382.850 covers 4 OAFRs (Other Applicable FDA Requirements) that represent FDA-specific regulatory obligations not fully addressed in ISO 13485:
| OAFR | Regulation | Scope |
|---|---|---|
| Medical Device Reporting (MDR) | 21 CFR Part 803 | Mandatory reporting of deaths, serious injuries, malfunctions; must include UDI when known |
| Corrections and Removals | 21 CFR Part 806 | Reports required for corrections/removals reducing health risks; reports must include UDI |
| Medical Device Tracking | 21 CFR Part 821 | Applies to permanently implanted and life-sustaining devices under tracking orders |
| Unique Device Identification (UDI) | 21 CFR Parts 801B and 830 | UDI labeling requirements and GUDID submissions; integration with complaints, servicing, DHR |
These OAFRs are inspected concurrently with QMS Areas. The PAC codes 81011, 81850T, 81850R, and 82016 track specific assessment time for MDR practices, tracking practices, corrections/removals, and UDI compliance respectively.
How CP 7382.850 differs from the old QSIT framework
The Quality System Inspection Technique (QSIT), implemented in August 1999, organized inspections around 7 subsystems: 4 major (Management Controls, Design Controls, CAPA, Production and Process Controls) plus 3 supporting (Facility and Equipment Controls, Material Controls, Records/Documents/Change Controls). QSIT was explicitly withdrawn on February 2, 2026, with no "QSIT 2" replacement planned.
| Dimension | QSIT (Retired) | CP 7382.850 |
|---|---|---|
| Philosophy | Subsystem-based "top-down" checklist | Process-based, risk-oriented |
| Organization | 7 subsystems (4 major + 3 supporting) | 6 QMS Areas + 4 OAFRs |
| Methodology | Itemized checklist objectives | Data-driven, risk-based sampling |
| Focus | Discrete compartment compliance | Process interactions and system effectiveness |
| Management Review | Exempt from inspection (§820.180(c)) | No longer categorically exempt |
| Internal Audits | Exempt from inspection (§820.180(c)) | No longer categorically exempt |
| Supplier Audits | Exempt from inspection (§820.180(c)) | No longer categorically exempt |
| Regulatory Basis | 21 CFR Part 820 (QSR) | QMSR incorporating ISO 13485:2016 |
| Terminology | FDA-specific (DMR, DHF, DHR) | ISO 13485 terminology accepted |
Critical transition point: The elimination of the §820.180(c) exemption means records previously shielded from FDA review—management review minutes, internal audit findings, supplier audit reports—are no longer categorically exempt and FDA intends to review them as part of QMSR inspections. Companies must ensure these documents are factual, complete, and devoid of unnecessary characterizations.
Inspection methodology emphasizes process interconnection
FDA investigators are now trained to evaluate how processes connect and interact, not merely whether individual procedures exist. The compliance program describes a QMS as "a set of linked processes" and expects inspectors to trace quality system threads across functional boundaries.
How investigators test interconnection:
- Thread complaints through the system: Start with a complaint → follow through investigation → CAPA → design changes → risk file updates → supplier actions → management review
- Verify data flows between processes: Does complaint trend data feed into preventive action? Does risk management output influence supplier controls?
- Test real-world effectiveness: Pull actual records demonstrating the system works, not just documented procedures
- Risk-based sampling: Focus resources on higher-risk devices and processes using MDR data, recall history, and trend information
CP 7382.850 defines several inspection types, each with distinct scope and triggers:
- For-cause inspections target specific product risks, compliance concerns, or follow-up on reported issues
- Surveillance inspections (baseline and non-baseline) cover broad QMS assessment as part of routine oversight
- Compliance follow-up inspections verify corrective actions from prior findings
- PMA preapproval and postmarket inspections evaluate manufacturing capability and ongoing compliance for high-risk devices
- Specific product risk inspections focus on targeted device or process concerns
During the January 14, 2026 FDA Town Hall ("Quality Management System Regulation: Risk and Design and Development," 2:00–3:00 PM ET), FDA representatives emphasized that QMSR does not raise the bar by demanding more documentation—it raises the bar by expecting manufacturers to use risk intentionally, consistently, and transparently across the quality system. That shift—not formatting or terminology—is where inspections will focus.
The January 14, 2026 FDA Town Hall clarified critical expectations
FDA hosted a virtual Town Hall on January 14, 2026 (2:00–3:00 PM ET) titled "Quality Management System Regulation: Risk and Design and Development." The event addressed frequently asked questions and clarified inspector expectations just weeks before the effective date. Presentation slides, recording, and transcript are available on the CDRH Learn page under "Postmarket Activities" → "Quality Management System Regulation."
Key clarifications on risk management:
- FDA adopted the ISO 13485 definition of risk: combination of severity of harm and probability of occurrence
- Risk management extends beyond design and development to purchasing, production, complaint handling, post-market surveillance, and QMS improvement
- ISO 14971 is NOT mandated—no specific risk management tool required
- Quantitative scoring is NOT mandatory—flexibility exists, but the process must be systematic, documented, repeatable, and appropriate
- Qualitative judgment is acceptable; ignoring available data is not
Key clarifications on design controls:
- Design controls do NOT apply to feasibility or proof-of-concept work
- Controls must begin before any IDE and apply to design changes, not just initial development
- Not retroactive: Legacy design files do NOT need rewriting to match ISO terminology
- Design changes released after February 2, 2026 must reflect QMSR concepts
- While ISO 13485 doesn't explicitly require independent reviewers, FDA expects design reviews to include appropriate personnel capable of meaningful oversight
How QMSR, ISO 13485:2016, and CP 7382.850 work together
These three elements form an integrated compliance framework:
| Element | Function | Relationship |
|---|---|---|
| 21 CFR Part 820 (QMSR) | Legal regulation with force of law | Incorporates ISO 13485:2016 by reference; retains FDA-specific sections |
| ISO 13485:2016 | International consensus standard | Provides substantive QMS requirements now legally required in U.S. |
| CP 7382.850 | Inspection guidance document | Instructs FDA investigators how to evaluate QMSR compliance |
The incorporation structure: QMSR incorporates ISO 13485:2016 and ISO 9000:2015 Clause 3 (definitions) by reference. Most of Part 820 is now "Reserved," directing users to ISO 13485. FDA-specific sections retained include:
- §820.1 (Scope)
- §820.3 (Definitions)
- §820.7 (Incorporation by reference)
- §820.10 (Requirements for a quality management system)
- §820.35 (Control of records—complaint and service records)
- §820.45 (Device labeling and packaging controls)
Definition hierarchy: FD&C Act Section 201 supersedes all, followed by QMSR definitions, other FDA regulations, ISO 13485 definitions, then ISO 9000 Clause 3 definitions.
Critical clarification: ISO 13485 certification is NOT required for QMSR compliance and does NOT exempt manufacturers from FDA inspections. FDA will not issue ISO 13485 certificates. MDSAP participation may substitute for routine surveillance inspections, but for-cause inspections remain FDA-conducted.
Industry reactions reveal preparation challenges and opportunities
Industry consultancies, law firms, and regulatory experts have provided extensive analysis of what companies should expect.
Predictions for first inspections:
- Investigators will move beyond reviewing every procedure with a checklist toward data-driven, risk-based sampling
- Stronger emphasis on how subsystems connect with one another—complaints, CAPAs, medical device reports, and risk management must demonstrably interact
- Internal audit programs should evaluate system performance and integration rather than just confirming procedure existence
Biggest challenges for small-to-mid-size companies:
- US-only manufacturers face the steepest learning curve if they've never aligned with ISO 13485:2016
- Risk management integration across the entire QMS—not just in design files—requires new thinking and documentation
- Budget limitations for consultants, software tools, or additional staff slow implementation
- Documentation restructuring to ensure management review, internal audit, and supplier audit records are inspection-ready
Recommended preparation actions:
- Conduct comprehensive gap analysis against ISO 13485:2016 AND FDA QMSR requirements immediately
- Update QMS terminology throughout documentation (though complete rewriting isn't required)
- Ensure risk-based approach extends throughout product lifecycle, not just product risk management
- Train personnel on key differences between QSR and QMSR
- Review internal audit, management review, and supplier audit records to ensure they're factual and inspection-ready
- Consider mock inspections with experienced consultants
Industry resources identified:
- Greenlight Guru Webinar: "After QMSR: What FDA Investigators Will Look For" (on-demand)
- RAPS Webcast: "QMSR Blueprint: Complying with the FDA's New Medical Device Regulation"
- Medical Device Academy: "21 CFR 820 Webinar - Updated for QMSR 2026"
- Oriel STAT A MATRIX: One-day and two-day QMSR/ISO 13485 training courses
- AAMI TIR102:2019: U.S. FDA 21 CFR mapping to ISO 13485:2016
Preparing for your first CP 7382.850 inspection
For quality professionals at small-to-mid-size device companies, the February 2, 2026 transition demands immediate action. The message from FDA is unambiguous: compliance is no longer about having procedures—it's about demonstrating your quality system functions as an integrated, risk-driven whole.
Any FDA inspection conducted on or after February 2, 2026 will follow CP 7382.850 and QMSR. The investigator will be asking questions like: How does risk actually drive how this organization makes decisions? The answer cannot be a binder of procedures. It must be a traceable thread through management reviews, supplier controls, CAPAs, complaints, and design changes that demonstrates intentional, consistent, transparent risk-based decision-making.
The companies that struggle will be those treating QMSR as a documentation update. The companies that succeed will be those who recognize this as a fundamental shift in FDA's expectations—from checklist compliance to quality system effectiveness. The 78 pages of CP 7382.850 provide the roadmap. The January 14, 2026 Town Hall clarified the destination. The question now is whether your organization is ready to demonstrate it has arrived.