FDA Inspection Readiness for Medical Devices: Complete Guide to QMSR Inspections in 2026

The FDA Inspection Landscape Has Changed

On February 2, 2026, the FDA fundamentally rewrote how it inspects medical device manufacturers. The Quality Management System Regulation (QMSR) replaced the Quality System Regulation (QSR), incorporating ISO 13485:2016 by reference into 21 CFR Part 820. The Quality System Inspection Technique (QSIT) — the structured inspection methodology FDA investigators used for decades — was retired. In its place, FDA published Compliance Program 7382.850, "Inspection of Medical Device Manufacturers," which introduces a risk-based, lifecycle-focused inspection framework organized around six QMS areas instead of the four subsystems under QSIT.

This is not a minor procedural update. It is a structural transformation. FDA investigators have been trained as ISO 13485 specialists, and inspections are now deeper, more technical, more document-intensive, and more risk-driven than under QSIT. Even companies that hold ISO 13485 certification may find themselves in unfamiliar territory during their first QMSR inspection, because FDA's approach departs from the routinized, checklist-based methodology used by notified bodies and MDSAP auditors.

The New Inspection Framework: CP 7382.850

Six QMS Areas (Replaced QSIT's Four Subsystems)

Under QSIT, investigators focused on four primary subsystems: Management, CAPA, Design Controls, and Production/Process Controls. The new framework expands this to six QMS areas:

1. Change Control — Product and process changes, including design changes and their impact on risk files and regulatory submissions
2. Design and Development — Design inputs, outputs, review, verification, validation, software validation, and design transfer
3. Management Oversight — Management review, medical device file, and planning of product realization
4. Measurement, Analysis, and Improvement — Analysis of data, control of nonconforming product, CAPA, and feedback/complaints
5. Outsourcing and Purchasing — Supplier qualification, purchasing controls, and outsourcing of processes
6. Production and Service Provision — Manufacturing controls, process validation, acceptance activities, and servicing

Four Other Applicable FDA Requirements (OAFRs)

During every inspection, investigators also evaluate compliance with:

1. Medical Device Reporting (MDR)
2. Reports of Corrections and Removals
3. Medical Device Tracking (if applicable)
4. Unique Device Identification (UDI)

Two Inspection Models

FDA uses one of two inspection models depending on the inspection type:

Four Types of FDA Inspections

1. Pre-Approval Inspections (PAI)

Triggered by PMA applications, and sometimes by De Novo or 510(k) submissions when FDA wants to verify manufacturing capability. FDA verifies that the manufacturing process described in the submission matches actual operations, and that the firm's QMS can consistently produce the device as designed.

These inspections follow Inspection Model 2 under the new framework.

2. Surveillance Inspections

Routine inspections of registered medical device establishments. FDA uses a risk-based scheduling approach — Class I device manufacturers generally do not receive routine surveillance inspections unless there is a for-cause trigger or health-hazard signal. Class II and III manufacturers are inspected on a cycle, typically every 2-3 years for domestic facilities and less frequently for foreign manufacturers.

These follow Inspection Model 2 for baseline surveillance.

3. Compliance Follow-Up Inspections

Follow-up inspections triggered by previous Form 483 observations or warning letters. FDA investigators verify that prior deficiencies have been effectively corrected and that corrective actions are preventing recurrence. If issues persist, FDA documents the significance to support potential enforcement escalation.

These follow Inspection Model 1.

4. For-Cause Inspections

Triggered by specific concerns — adverse event reports, consumer complaints, recall concerns, or intelligence about potential violations. These inspections tend to be focused, thorough, and sometimes unannounced. FDA may also conduct sampling and testing of products if warranted.

These follow Inspection Model 1.

What FDA Investigators Look For: Common 483 Observations

FDA Form 483 data shows that the same quality system weaknesses have dominated inspection findings for nearly 20 years. According to an analysis of FDA 483 observations published in MD+DI in February 2026, CAPA citations account for 12.42% of all observations, followed by design controls at 12.32% and complaints at 10.61%. These three areas alone account for over one-third of all 483 observations.

CAPA (12.42% of all 483 observations)

According to AptSkill MedTech's analysis of FDA enforcement data, 68% of FDA warning letters cite ineffective CAPA systems. The pattern that triggers enforcement escalation: companies repeatedly experience the same type of failure because their CAPA system does not actually prevent recurrence. Common deficiencies include:

• Investigations that do not identify the true root cause
• Corrective actions that address symptoms rather than systemic causes
• No effectiveness verification after CAPA implementation
• CAPA records that are incomplete or lack documented evidence

Design Controls (12.32%)

Design control citations escalate to warning letters when investigators discover that design history files do not reflect how product development actually occurred. FDA in 2025-2026 has been scrutinizing whether the device on the market matches the one that was cleared in 510(k) submissions. Key issues include:

• Missing or inadequate risk analysis
• Design verification and validation not documented
• Software validation gaps
• No evidence of production-equivalent devices used in validation
• Design changes made without updating risk files or regulatory submissions

Complaint Handling (10.61%)

FDA expects manufacturers to treat complaint data as a strategic safety signal, not just a regulatory obligation. Common findings include:

• Inadequate evaluation of whether complaints are MDR-reportable events
• Complaint files that lack complete investigation documentation
• No trending or statistical analysis of complaint data
• Delayed complaint processing and evaluation

Purchasing Controls

Supplier oversight is a growing concern, especially for firms relying on global supply chains. FDA cites firms for inadequate supplier qualification, missing quality agreements, and failure to monitor supplier performance.

Labeling and UDI

Observations include incorrect UDI formatting, failure to update GUDID data, and labeling discrepancies between what was cleared and what is being distributed.

What Has Changed Under QMSR That Companies Miss

Management Review Records Are Now Inspectable

Under the old QSR, management review records and internal audit reports had certain protections. FDA eliminated those protections under QMSR, reasoning that ISO 13485 does not include such protections and that notified bodies and MDSAP auditors already evaluate these records. Companies should adjust their documentation practices — reports should be factual and avoid unnecessary characterizations.

Cybersecurity Is Now a Full Inspection Domain

Under CP 7382.850, cybersecurity is a dedicated evaluation area. FD&C Act Section 524B is enforced for "Cyber Devices" — including software, networked devices, cloud-connected IVDs, and AI-enabled systems. FDA will now scrutinize:

• Secure Development Lifecycle (SDLC) practices
• Threat modeling documentation
• Vulnerability and patch management processes
• Software Bill of Materials (SBOM) readiness
• Incident response processes
• Cloud, network, and AI algorithm security

This change pulls IT, DevOps, and software engineering directly into the inspection arena — not just QA and Regulatory Affairs.

Remote Records and Virtual Inspections

Under CP 7382.850, FDA can request records remotely — either before an on-site inspection or instead of one. A refusal, delay, or inadequate response may constitute adulteration under the law. This means inspection readiness is now a continuous state, not a pre-visit event. Documentation must be immediately retrievable, and your team must be prepared to respond to FDA document requests without the lead time that an on-site visit provides.

CAPA Coverage Varies by Inspection Model

Under QSIT, CAPA was reviewed in both abbreviated and comprehensive inspections. Under the new framework, CAPA is only a required element of Inspection Model 2 (baseline surveillance and PMA pre-approval). However, in practice, most investigators will continue to request CAPA records during Model 1 inspections given its importance for risk management.

Step-by-Step Inspection Readiness Checklist

Phase 1: Build Continuous Inspection Readiness (Ongoing)

1. Maintain a Robust, Audit-Ready QMS

• Ensure all procedures are current, approved, and accessible
• Verify that actual practices match documented procedures
• Keep training records current for all personnel
• Conduct regular internal audits covering all six QMS areas

2. Prepare Your Inspection Command Center

• Designate a Management Representative as the single point of contact for investigators
• Prepare an immediate-access packet: org chart with management rep identified, current FDA registration and listing confirmation, prior 483s and responses, QMS procedure index
• Prepare a dedicated "front room" for investigators with workspace, internet access, and a copy facility

3. Train Your Team

• Conduct mock inspections with all personnel who may interact with investigators
• Train front-room escorts, subject matter experts, and document handlers
• Ensure everyone knows the protocol: never volunteer information beyond what is asked, always verify facts before answering, and route all questions through the management representative

Phase 2: When the Investigator Arrives

1. Initial Reception

• Management representative greets the investigator at reception with business cards
• Verify investigator credentials and log the Form FDA 482 (Notice of Inspection)
• Provide a brief safety orientation and facility map
• Ask for the inspection scope: program type (surveillance, for-cause, application-based) and team composition

2. Establish the Protocol

• Confirm preferred daily schedule (start/stop times, lunch, floor access)
• Assign escorts for all areas the investigator will visit
• Set up document request tracking to ensure timely responses
• Establish a protocol for reviewing all documents before providing them to the investigator

3. During the Inspection

• Monitor all observations in real time through daily debriefs with the investigator
• Begin assessing potential 483 observations and preparing responses
• Ensure all document requests are fulfilled promptly and completely
• Never argue with or obstruct the investigator — address disagreements through proper channels

Phase 3: Responding to Form 483 Observations

In March 2026, FDA published a new draft guidance, "Responding to FDA Form 483 Observations at the Conclusion of a Drug CGMP Inspection," which provides detailed expectations for 483 responses. While the guidance is drug-focused, the principles apply to device inspections.

Key requirements for an effective 483 response:

1. Respond within 15 business days of the close of the inspection
2. Address each observation individually with a specific corrective action plan
3. Conduct root cause analysis — not just the immediate cause but the systemic reason
4. Extend investigations beyond the specific observation to assess whether the deficiency affects other products, processes, or facilities
5. Implement CAPAs across all affected areas, not just the area cited
6. Verify CAPA effectiveness — routine testing alone may be insufficient
7. Provide supporting documentation — evidence of actions taken, timelines for planned actions, and plans for effectiveness checks
8. Demonstrate management oversight — show that executive leadership is engaged in the response

Escalation path: Form 483 observations that are not adequately addressed can escalate to a Warning Letter, which is publicly posted on FDA's website. If warning letter issues remain unresolved, FDA may pursue consent decrees, product seizures, or import alerts.

QMSR Gap Analysis: What to Do Before Your First QMSR Inspection

1. Map your existing quality system to ISO 13485:2016 clauses — identify gaps between your current QSR-based system and ISO 13485 requirements
2. Update procedures to align with the six QMS areas FDA will inspect
3. Review management review and internal audit records — these are now fully inspectable
4. Assess cybersecurity documentation for all connected devices, software, and cloud-based systems
5. Verify design history files reflect actual development activities — not just documentation exercises
6. Strengthen CAPA effectiveness verification — FDA's March 2026 guidance emphasizes this as a critical weakness across the industry
7. Train investigators on QMSR expectations — FDA has invested heavily in training its investigators as ISO 13485 specialists; your team needs to match that depth of knowledge
8. Review prior 483 observations and warning letters in your device category to understand current enforcement priorities

Key Statistics: FDA Medical Device Enforcement in 2025-2026

• FDA issued 44 warning letters to medical device manufacturers in FY2025, with 38 citing Quality System Regulation violations
• CAPA deficiencies were the most commonly cited issue, appearing in 12.42% of all 483 observations
• Design controls and complaint handling rounded out the top three, together with CAPA accounting for over 35% of all observations
• Q1 2026 enforcement trends show FDA pressing on CAPA effectiveness, complaint analysis, risk trending, and verification of effectiveness — as seen in the Beta Bionics warning letter (January 28, 2026) citing failures in CAPA, complaint analysis, and risk trending for the iLet Bionic Pancreas System
• FDA is also increasing scrutiny of IDE/BIMO compliance and promotional overreach, as demonstrated by the ExThera Medical warning letter (February 6, 2026)

Frequently Asked Questions

How often does the FDA inspect medical device manufacturers? FDA uses a risk-based scheduling approach. Class II and III manufacturers are typically inspected every 2-3 years for domestic facilities. Class I manufacturers generally are not subject to routine surveillance inspections unless there is a for-cause trigger. Foreign manufacturers are inspected less frequently but face the same regulatory expectations.

Can FDA inspect my company if we are ISO 13485 certified? Yes. ISO 13485 certification does not take the place of an FDA QMSR inspection. FDA has explicitly stated this in the preamble to the QMSR final rule. The agency takes its own approach to ISO-based audits, departing from the checklist-based approach used by certification bodies.

What happens if FDA finds problems during an inspection? The investigator issues a Form FDA 483 listing observations at the close of the inspection. You have 15 business days to respond. If the response is inadequate or the issues are severe, FDA may issue a Warning Letter. Unresolved warning letters can lead to consent decrees, product seizures, import alerts, or civil money penalties.

Are management review records now subject to FDA inspection? Yes. Under QMSR, FDA eliminated the protections that existed under QSR for management review records, internal audit reports, and supplier quality audit reports. These records are now fully inspectable, consistent with how notified bodies and MDSAP auditors already evaluate them.

Do I need to update my quality manual for QMSR? ISO 13485 requires a quality manual, which was not explicitly required under QSR. If you do not already have one, you need to create one. If you have one, update it to reflect QMSR requirements and ISO 13485 alignment.

Related Reading

• QSR to QMSR Transition Guide
• FDA Form 483 and Warning Letter Response Guide
• CAPA for Medical Devices
• ISO 13485 Certification Guide
• QMSR Gap Analysis Checklist