FDA QMSR: How the 2026 Regulation Shift Transforms MDSAP Audits and FDA Compliance Inspections

On February 2, 2026, the U.S. Food and Drug Administration (FDA) implemented the new Quality Management System Regulation (QMSR), formally replacing the former Quality System Regulation (21 CFR Part 820). With this transition, the FDA incorporated ISO 13485:2016 by reference into U.S. law and introduced a new inspection model under Compliance Program 7382.850.

This article explains what the FDA QMSR changes in practical terms.

Specifically, it clarifies:

  • How the updated MDSAP Audit Approach aligns with QMSR
  • How FDA inspections now operate under CP 7382.850
  • Which documentation areas receive increased inspection attention
  • How manufacturers can structure a QMSR gap assessment
  • What inspection exposure points regulatory teams should proactively address

These changes are particularly relevant for manufacturers operating in complex regulatory environments, including companies developing FDA companion diagnostics. In these companies, design controls, labeling, clinical evidence, and post-market monitoring must operate as an integrated lifecycle system.

Why the FDA QMSR Matters Now

The FDA QMSR represents more than structural alignment with ISO 13485. It modernizes inspection methodology, expands documentation accessibility, and reinforces a lifecycle-based, risk-driven enforcement approach.

Under the former QSR model, inspections often focused on subsystem compliance using QSIT checklists. Under QMSR, investigators evaluate how quality processes function collectively across the total product lifecycle.

How FDA Oversight Operates Under QMSR: MDSAP Audits vs. FDA Inspections

MDSAP audits and FDA inspections are frequently discussed together. However, they serve fundamentally different regulatory functions.

An MDSAP audit is conducted by an FDA-recognized Auditing Organization. It provides a structured, scheduled, and standardized assessment covering ISO 13485 and the regulatory requirements of participating authorities, including the FDA. The audit focuses on conformity with harmonized quality management system requirements. Participation remains voluntary.

An FDA inspection, by contrast, is a statutory enforcement activity conducted directly by FDA investigators. Its objective is not certification, but the evaluation of compliance with U.S. legal requirements and the identification of potential violations, systemic weaknesses, or public health risks.

Under the FDA QMSR framework, this distinction remains critical.

In practical terms:

  • MDSAP is conformity-focused, scheduled, and audit-driven.
  • FDA inspections are compliance-driven, investigative, and enforceable.

Because of these structural differences:

  • MDSAP does not replace FDA’s legal authority to inspect.
  • FDA inspections are not limited by the MDSAP task structure.
  • A successful MDSAP audit does not guarantee a favorable FDA inspection outcome.

While strong MDSAP performance may influence FDA surveillance planning, it does not eliminate the possibility of routine, risk-based, or for-cause inspections.

Common Industry Assumptions That Elevate Inspection Risk Under QMSR

Despite years of MDSAP implementation and increasing alignment with ISO 13485, several structural misunderstandings remain common within regulatory teams. Under the FDA QMSR framework, these assumptions may create unintended inspection exposure.

Among the most frequent are:

“MDSAP replaces FDA inspections.”
MDSAP may inform FDA’s surveillance planning. However, it does not limit FDA’s statutory authority to conduct routine, risk-based, or for-cause inspections.

“If the MDSAP auditor did not identify it, FDA will not pursue it.”
FDA investigators are not constrained by MDSAP audit depth, sampling methodology, or task sequencing. They may pursue any line of inquiry necessary to evaluate U.S. compliance.

“MDSAP and FDA inspections evaluate the same criteria.”
MDSAP assesses conformity to harmonized quality system requirements. FDA inspections evaluate compliance with U.S. law and potential public health impact.

“ISO 13485 certification ensures FDA compliance.”
Although ISO 13485 is incorporated by reference into QMSR, FDA-specific statutory and regulatory requirements remain fully enforceable.

“MDSAP covers all U.S.-specific expectations.”
While the audit model maps U.S. requirements, FDA inspections may extend beyond mapped tasks and request additional evidence where risk or compliance concerns arise.

Collectively, these assumptions overlook a central element of the FDA QMSR transition.

QMSR vs QSR vs ISO 13485: What Actually Changed

Many organizations assume that QMSR simply “equals ISO 13485.” However, that interpretation is incomplete.

Although ISO 13485:2016 is incorporated by reference into U.S. law, FDA-specific statutory and regulatory requirements remain fully enforceable. Therefore, obligations related to UDI, Medical Device Reporting (MDR), device listing, and labeling controls continue to apply.

As a result, companies that focus solely on ISO 13485 conformity may overlook additional documentation, traceability, and enforcement expectations that FDA investigators apply during inspections.

Comparison: QSR vs QMSR vs ISO 13485

Key takeaway:
ISO 13485 alignment does not eliminate FDA-specific compliance obligations. FDA retains enforcement authority under U.S. law.

FDA Inspections Under QMSR: Structural Shift to CP 7382.850

As of February 2, 2026, FDA retired QSIT and implemented Compliance Program 7382.850.

Inspections now organize around:

Six Quality Management System (QMS) Areas:

  • Change Control
  • Design & Development
  • Management Oversight
  • Outsourcing & Purchasing
  • Production & Service Provision
  • Measurement, Analysis & Improvement

Four Other Applicable FDA Requirements (OAFRs):

  • Tracking
  • Corrections & Removals
  • Medical Device Reporting (MDR)
  • Unique Device Identification (UDI)

Under this model, FDA evaluates how quality subsystems operate as an interconnected framework rather than as isolated elements. Inspectors assess whether risk information, design decisions, post-market data, and management oversight are aligned throughout the product lifecycle.

For manufacturers of companion diagnostics, this system-level evaluation is particularly significant, as design inputs, labeling claims, clinical performance data, and post-market monitoring directly influence one another.

What FDA Inspectors Scrutinize Most Under QMSR

Based on regulatory inspection support experience, three documentation areas now present heightened exposure.

1. Internal Audits, Supplier Audits, and Management Review Records

Under QMSR, FDA inspectors may review:

  • Internal audit reports
  • Supplier audit outcomes
  • Management review records

As our QA/RA Specialist Joana Martins notes from inspection support experience, investigators increasingly evaluate whether quality processes function effectively in practice, not merely whether procedures formally exist.

Records must clearly demonstrate:

  • Identified issues
  • Root cause analysis
  • Corrective actions
  • Follow-up and documented closure

Incomplete or draft audit records increase inspection risk.

2. Design Controls and Traceability (ISO 13485 Clause 7.3)

QMSR aligns with ISO 13485 clause 7.3. However, manufacturers must demonstrate full traceability across:

  • User needs
  • Design inputs
  • Design outputs
  • Verification and validation
  • Residual risks

Traceability weaknesses frequently arise between:

  • Risk management files
  • Labeling claims
  • UDI triggers
  • MDR criteria

Inspectors expect objective evidence that these elements remain consistently aligned across documentation and decision-making processes.

For companion diagnostics, this alignment is especially critical because intended use, biomarker claims, and clinical evidence directly impact regulatory risk classification.

3. CAPA and Effectiveness Verification

CAPA remains one of the most enforcement-sensitive areas under QMSR.

A recurring weakness observed during inspection preparation is the absence of documented effectiveness verification following corrective actions. Closing a CAPA administratively is insufficient. Investigators expect objective evidence demonstrating that actions eliminated root causes and prevented recurrence.

Documented effectiveness checks are not procedural formalities; they serve as evidence that the quality system operates as intended.

Inspection Risk Indicators Under FDA QMSR

The transition to the FDA QMSR has altered not only inspection structure but also inspection depth. Under Compliance Program 7382.850, FDA investigators apply a lifecycle and risk-based model that prioritizes system effectiveness, data integrity, and management oversight.

For this reason, manufacturers should not wait until an inspection is scheduled to evaluate potential vulnerabilities. Identifying structural weaknesses in advance is critical because inspection findings under the QMSR framework increasingly derive from systemic inconsistencies rather than isolated documentation gaps.

Proactive identification of inspection risk indicators allows organizations to:

  • Reduce the likelihood of Form 483 observations
  • Prevent escalation to warning letters or enforcement action
  • Shorten remediation timelines
  • Demonstrate mature quality governance

Below are recurring inspection risk indicators observed in practice under the evolving QMSR inspection model:

Examples of Documentation Weaknesses Observed During Inspections

| Risk Area | Typical Vulnerability |
|---|---|
| CAPA | Repeated issues without documented effectiveness verification |
| Design Controls | Incomplete traceability between risk analysis and design inputs |
| Management Review | Minutes lacking documented decisions, metrics, or follow-up actions |
| Supplier Oversight | Absence of risk-based justification for audit scope |
| Post-Market Surveillance | Complaint trends not connected to CAPA or design updates |

Documentation Areas Receiving Increased Inspection Attention Under QMSR

The transition to QMSR expands the practical scope of documentation that investigators may review.

Under the former QSR, certain internal records were less frequently examined due to inspection structure and interpretative practice. Under QMSR, those same records may serve as direct evidence of whether management oversight, supplier controls, and internal audit processes operate effectively.

Investigators assess whether:

  • Issues are identified systematically
  • Root causes are documented clearly
  • Decisions are traceable
  • Corrective actions are verified for effectiveness

Inconsistent documentation, incomplete audit closure, or lack of traceability between systems may now carry greater inspection consequences than under the previous model.

QMSR Gap Assessment Framework

ISO 13485 certification does not automatically confirm FDA QMSR compliance. A structured gap assessment helps identify regulatory overlays and inspection exposure points.

A practical QMSR gap assessment should include:

1. Clause Mapping

Map ISO 13485 clauses to QMSR references and confirm terminology alignment.

2. FDA-Specific Overlay Identification

Verify incorporation of:

  • UDI requirements
  • MDR reporting triggers
  • Labeling obligations
  • Device listing controls

3. Documentation Exposure Review

Assess:

  • Internal audit completeness
  • CAPA effectiveness evidence
  • Management review decision traceability
  • Supplier risk classification

4. Inspection Simulation

Conduct mock inspections aligned with CP 7382.850 to test system coherence.

Even when corrective actions remain in progress, documented identification and remediation planning demonstrate regulatory control and transparency.

Diagram illustrating MedTech process steps including Map Requirements, Implement & Validate, Assess Gap, and Risk-Based Design for FDA and MDSAP audits.

What the QMSR Means for U.S. Manufacturers and FDA Inspections

The most important U.S.-specific change is the removal of references to the former FDA Quality System Regulation (21 CFR 820). These have been replaced with references aligned to the QMSR, under which ISO 13485:2016 is now incorporated by reference into U.S. law. This does not mean that all FDA-specific requirements disappear. U.S. statutory and regulatory obligations continue to apply where relevant.

The updated MDSAP Audit Approach also reflects several U.S. regulatory updates that have been in effect since March 2024:

  • Device listing updates: Manufacturers must confirm or update their device listing information annually between October 1 and December 31, or whenever a relevant change occurs (21 CFR 807).
  • Predetermined Change Control Plans (PCCPs): The audit model now clarifies how PCCPs are assessed, particularly for software-based and AI-enabled devices, aligning with FDA’s existing change control requirements under 21 CFR 807.81 and 21 CFR 814.39.

These requirements are not new, but the 2026 MDSAP update removes inconsistencies between what auditors assess and what FDA expects.

Beyond the U.S.-specific updates, there is also a broader change that affects all participating jurisdictions. The term “critical supplier” has been removed and replaced with more practical language referring to “suppliers that should be considered for audit as part of the MDSAP audit of the organization.” This better reflects ISO 13485 risk-based thinking and reduces ambiguity around supplier oversight across different regulatory systems.

Other international changes under the FDA’s QMSR framework

While this article focuses on the U.S. regulatory framework, the updated audit approach also incorporates important revisions from other participating regulatory authorities:

  • Australia (TGA): Alignment with the Procedure for Recalls, Product Alerts and Product Corrections (PRAC), which came into effect in March 2025.
  • Brazil (ANVISA): Updated references to RDC 830/2023 (IVDs) and RDC 751/2022 (medical devices).

These changes ensure the audit model reflects current regulatory frameworks across all participating jurisdictions.

Practical implications for medical device manufacturers

FDA’s new compliance program significantly raises expectations for how manufacturers demonstrate quality system effectiveness during inspections:

  • FDA inspectors are evaluating how quality processes work together in practice, with a strong emphasis on risk management, data integrity, and decision-making across the total product lifecycle.
  • Previously “internal” records are now fair game. Internal audit reports, supplier audit outcomes, and management review records may be reviewed during inspections. These documents must clearly reflect issues identified, decisions made, and actions taken.
  • Risk management must be continuous and demonstrable. FDA expects risk to be actively monitored and linked to CAPA, design changes, supplier controls, and post-market surveillance, and not treated as a static or one-time exercise.
  • Post-market data is a primary inspection focus. Complaint trends, medical device reporting, recalls, UDI, and tracking data are increasingly used to assess whether the quality system is effective and responsive to real-world performance.
  • Inspection scope may be driven by data. FDA may use pre-inspection data reviews or remote assessments to target areas of concern, increasing scrutiny where trends or inconsistencies are identified.

To summarize, manufacturers should ensure their quality systems tell a coherent, data-supported story and demonstrate not just compliance, but control and effectiveness.

What medical device manufacturers should do before their next audit or inspection

Manufacturers should:

  • Strengthen internal audits to test effectiveness, not just compliance
  • Ensure management review and CAPA are data-driven and risk-focused
  • Prepare clear inspection narratives, not just procedures
  • Train teams on inspection behavior and communication

By strengthening these foundations, manufacturers can approach their next audit or inspection with clarity, confidence, and control.

Key takeaways for companies targeting the US market

  • MDSAP remains valuable, but it is no longer sufficient on its own
  • FDA inspections are becoming more structured, consistent, and data-driven
  • Early alignment with QMSR expectations reduces inspection risk, delays, and remediation costs

How MDx Supports FDA QMSR Readiness: Expert Insight

Transitioning from QSR to FDA QMSR requires more than updating terminology. It demands structural alignment and inspection-oriented preparation.

Based on field experience supporting manufacturers through inspection preparation and regulatory alignment projects, Joana Martins, QA/RA Specialist at MDx, emphasizes that the most frequent vulnerabilities do not stem from missing procedures, but from insufficiently demonstrated system effectiveness.

According to Joana’s inspection readiness experience, organizations often underestimate three exposure points during FDA inspection preparation:

  • The depth of documentation review now permitted under QMSR
  • The need for traceability between risk management, design controls, and post-market data
  • The importance of documented effectiveness verification within CAPA systems

To address these exposure points, MDx supports medical device manufacturers through:

  • Independent QMSR-aligned readiness assessments focused on inspection exposure
  • Structured QMSR gap analysis incorporating FDA-specific regulatory overlays
  • Mock FDA inspections aligned with Compliance Program 7382.850
  • Strategic support for companies developing FDA companion diagnostics, where design traceability, labeling controls, and lifecycle data integration require heightened regulatory coherence

Rather than approaching FDA QMSR as a documentation update, MDx works with organizations to ensure their quality systems demonstrate operational integrity, risk-based decision-making, and inspection resilience.

Organizations preparing for FDA inspection or evaluating their QMSR alignment can benefit from early, structured assessment. Proactive evaluation reduces remediation timelines, minimizes inspection disruption, and strengthens regulatory confidence.

Frequently Asked Questions About FDA QMSR, MDSAP, and Inspections

What is the main difference between QSR and QMSR?

The main difference is structural alignment. Under QSR, FDA requirements were written directly into 21 CFR Part 820. Under QMSR, the FDA incorporates ISO 13485:2016 by reference into U.S. law while keeping FDA-specific obligations in force. In short, QMSR harmonizes structure with ISO 13485. However, it does not reduce FDA enforcement authority or eliminate U.S.-specific requirements such as MDR, UDI, or device listing.

Does ISO 13485 certification guarantee FDA compliance under QMSR?

No, it does not. Although ISO 13485 forms the backbone of QMSR, FDA-specific statutory requirements still apply. Manufacturers must comply with MDR, UDI, corrections and removals, and other U.S. obligations. Based on regulatory experience, companies often assume ISO certification closes all gaps. In practice, a targeted QMSR gap assessment is necessary to confirm full FDA alignment.

What replaced QSIT in FDA inspections?

FDA replaced QSIT with Compliance Program 7382.850, effective February 2, 2026. This new program aligns inspections with the QMSR framework. Instead of subsystem checklists, FDA now organizes inspections around six QMS areas and four Other Applicable FDA Requirements (OAFRs). As a result, inspections follow a more integrated, risk-based, lifecycle-focused approach.

Can FDA inspect internal audit reports under QMSR?

Yes. Under QMSR, FDA investigators may review internal audit reports, supplier audits, and management review records.
In practice, inspectors now verify whether issues were identified, documented, and effectively closed. They no longer focus only on whether procedures exist; they assess whether the system works as intended.
Incomplete or unverified audit actions may increase inspection risk.

What records are now receiving greater scrutiny during FDA inspections?

FDA now places greater scrutiny on:

  • Internal and supplier audit reports
  • Management review documentation
  • Design control traceability records
  • CAPA procedures and effectiveness checks

From inspection experience, CAPA effectiveness verification is a frequent weak point. Companies often implement corrective actions but fail to document objective evidence that the action resolved the root cause.
Under QMSR, effectiveness matters as much as documentation.

Why are companies that passed MDSAP still receiving FDA 483 observations?

Because MDSAP and FDA inspections serve different purposes. MDSAP evaluates conformity. FDA inspections assess legal compliance and public health risk. FDA investigators are not bound by MDSAP sampling methods or audit scope. If inspectors identify ineffective CAPA, weak traceability, or gaps between procedures and actual practice, they may issue Form 483 observations, even after a successful MDSAP audit.

How should manufacturers prepare for FDA inspections under QMSR?

Start early. Preparation often takes longer than expected. Then conduct a structured QMSR gap assessment. ISO 13485 compliance alone does not confirm full FDA alignment. Finally, train teams on Compliance Program 7382.850. Mock interviews and inspection simulations help identify weaknesses. Even documented remediation in progress demonstrates system control and reduces inspection risk.

Written by:
Joana Martins

QARA Specialist

QA/RA Specialist supporting teams in clinical evaluations and regulatory compliance with ISO 13485, MDR, and international medical device requirements (FDA, Health Canada, ANVISA).