FDA QMSR Inspection Preparation: Complete Guide to Compliance Program CP 7382.850
How to prepare for FDA medical device inspections under the new Compliance Program CP 7382.850 — six QMS areas, four OAFRs, risk-based inspection methodology, ISO 13485 alignment, and step-by-step readiness checklist.
FDA Inspections Have Fundamentally Changed
On February 2, 2026, the FDA retired the Quality System Inspection Technique (QSIT) that had structured medical device inspections for over two decades. In its place, the agency activated Compliance Program 7382.850 — a 78-page operational guide that fundamentally rewrites how inspectors evaluate medical device manufacturers. The new program replaces both CP 7382.845 (device manufacturer inspections) and CP 7383.001 (PMA pre- and post-market inspections).
The shift is structural, not cosmetic. Inspectors no longer walk through quality subsystems on a checklist. They follow risk signals across your quality management system, connecting design decisions, supplier choices, production controls, complaint data, and management oversight into a single integrated narrative. Management reviews, internal audits, and supplier audit reports — previously shielded under the old §820.180(c) exemption — are now directly inspectable.
This guide covers everything you need to understand CP 7382.850, prepare your organization, and approach your next FDA inspection with confidence.
What Is CP 7382.850?
Compliance Program 7382.850 is the FDA's official inspection manual for medical device manufacturers, published and effective February 2, 2026. It serves as the operational playbook for FDA field investigators and center staff conducting inspections under the Quality Management System Regulation (QMSR).
The QMSR amends the device current good manufacturing practice (CGMP) requirements of 21 CFR Part 820 by incorporating ISO 13485:2016 by reference. This means the ISO 13485 standard text has the force and effect of US federal law. Inspectors evaluate compliance against QMSR requirements, which include both the ISO 13485 provisions and additional FDA-specific requirements.
What CP 7382.850 Replaces
| Retired Document | Description | Retirement Date |
|---|---|---|
| QSIT (Quality System Inspection Technique) | Subsystem-based checklist inspection method used since late 1990s | February 2, 2026 |
| CP 7382.845 | Inspection of Medical Device Manufacturers (issued September 2023) | February 2, 2026 |
| CP 7383.001 | PMA Preapproval and Postmarket Inspections (issued March 2012) | February 2, 2026 |
The New Inspection Framework
Six Quality Management System Areas
CP 7382.850 organizes inspections around six QMS areas, replacing the four QSIT subsystems:
| QMS Area | ISO 13485 Alignment | What Inspectors Evaluate |
|---|---|---|
| Change Control | Clauses 7.3.9, 7.5.9, 8.5 | How changes are identified, evaluated, approved, and implemented across the product lifecycle |
| Design & Development | Clause 7.3 | Design planning, inputs, outputs, verification, validation, transfer, and design changes |
| Management Oversight | Clauses 5, 6 | Management responsibility, resource management, quality policy, quality objectives, management review |
| Outsourcing & Purchasing | Clause 7.4 | Supplier evaluation, selection, monitoring, purchasing data, verification of purchased product |
| Production & Service Provision | Clauses 7.5, 7.6 | Process controls, cleanliness, installation, servicing, sterile barriers, calibration |
| Measurement, Analysis & Improvement | Clause 8 | Monitoring, measurement, customer satisfaction, internal audit, nonconformity, CAPA, improvement |
Four Other Applicable FDA Requirements (OAFRs)
In addition to the six QMS areas, inspectors evaluate compliance with four regulatory requirements that exist outside the QMSR framework:
- Unique Device Identification (UDI): Verification of UDI submission to the Global Unique Device Identification Database (GUDID) and correct UDI placement on labels
- Medical Device Reporting (MDR): Compliance with mandatory adverse event reporting under 21 CFR Part 803
- Corrections and Removals: Compliance with reporting requirements under 21 CFR Part 806
- Tracking: Compliance with device tracking requirements under 21 CFR Part 821 for tracked devices
Total Product Life Cycle (TPLC) Approach
The most significant conceptual shift in CP 7382.850 is the Total Product Life Cycle approach. Rather than sampling individual subsystems in isolation, inspectors are instructed to follow risk through interconnected processes:
- How do design inputs connect to production controls?
- How do complaint trends feed into CAPA effectiveness checks?
- How do management review decisions cascade into resource allocation for quality improvements?
- How do supplier performance data inform purchasing decisions?
- How do post-market surveillance findings trigger design changes?
The investigator uses your risk management documentation throughout the inspection to decide which QMS areas to prioritize, which records to sample, and how deeply to evaluate controls.
QSIT vs. CP 7382.850: The Key Differences
| Dimension | QSIT (Retired) | CP 7382.850 (Current) |
|---|---|---|
| Approach | Subsystem-based checklist (4 subsystems) | Risk-based, lifecycle-integrated (6 QMS areas + 4 OAFRs) |
| Framework | 21 CFR 820 (QSR) | 21 CFR 820 (QMSR) incorporating ISO 13485:2016 |
| Inspection logic | Evaluate each subsystem independently | Follow risk across interconnected processes |
| Risk management | One element among many | Central organizing principle driving inspection depth |
| Management review access | Protected under §820.180(c) | Directly inspectable |
| Internal audit access | Protected under §820.180(c) | Directly inspectable |
| Supplier audit access | Protected under §820.180(c) | Directly inspectable |
| Focus | Compliance verification | Evidence of continuous quality governance |
| Cybersecurity | Not systematically addressed | Evaluated as part of design and risk management |
| Terminology | QSR-specific terms | ISO 13485 terminology (Medical Device File, etc.) |
The Expanded Inspection Authority
One of the most consequential changes in the QMSR era is the removal of the §820.180(c) exemption. Under the former Quality System Regulation, FDA's access to certain quality records was limited. The preamble to the QMSR final rule made clear that this exemption is not maintained under the new regulation.
FDA inspectors now have authority to review:
Management Review Records
Inspectors will examine whether management reviews are:
- Conducted at planned intervals (ISO 13485 Clause 5.6)
- Documented with inputs covering audit results, customer feedback, process performance, product conformity, corrective actions, and changes that could affect the QMS
- Producing outputs that include decisions and actions related to resource needs and QMS improvement
- Actually driving change in the organization (not just a documentation exercise)
Internal Quality Audit Reports
Inspectors will evaluate whether internal audits:
- Cover all QMS elements at planned intervals
- Are conducted by personnel independent of the areas being audited
- Result in documented corrective actions with effectiveness verification
- Feed into management review as a quality input
Supplier Audit Reports
Inspectors will assess whether supplier audits:
- Are risk-based, prioritizing suppliers of critical components or services
- Document findings and required corrective actions
- Include follow-up verification of supplier corrective actions
- Inform supplier re-evaluation and ongoing monitoring decisions
How to Prepare: Step-by-Step Readiness Checklist
1. Read CP 7382.850
The compliance program is publicly available at FDA.gov/media/80195/download. It is 78 pages and unusually transparent — FDA explicitly intended it to be a resource for industry. Read it cover to cover with your quality team.
2. Conduct a QMS Gap Assessment Against the Six Areas
Map your existing quality system documentation to the six QMS areas and four OAFRs. For each area, identify:
- Are procedures documented and current?
- Do records demonstrate implementation (not just procedure existence)?
- Is risk management integrated into decision-making?
- Are there traceable connections between processes?
3. Integrate Risk Management Across the QMS
Risk management is no longer a standalone exercise. Your ISO 14971 risk management file must be connected to:
- Design inputs and outputs
- Supplier evaluation criteria and monitoring
- Production process controls and validation
- Complaint handling and CAPA
- Management review inputs
If these connections are not documented and traceable, that is your primary gap.
4. Update Your Quality Manual
Your quality manual should reflect the QMSR framework, including:
- Reference to ISO 13485:2016 as incorporated by reference
- The organizational structure and responsibilities aligned with ISO 13485 Clause 5
- The scope of the QMS, including any exclusions or non-applicable requirements
- Documented quality policy and measurable quality objectives
5. Strengthen Management Review
Ensure management reviews are substantive, documented, and outcome-driven. Prepare for inspectors to ask:
- "How did this management review decision change your quality system?"
- "What resource allocations resulted from the last management review?"
- "How do you evaluate the effectiveness of management review outputs?"
6. Prepare Internal Audit Records for Inspection
Review your internal audit program to ensure:
- Audits cover all six QMS areas
- Findings are documented with root cause analysis
- Corrective actions have effectiveness verification dates and results
- Audit schedules are risk-based (higher-risk areas audited more frequently)
7. Review and Upgrade Supplier Controls
Inspectors will evaluate whether supplier management is risk-based and evidence-driven:
- Do supplier evaluations include quality, delivery, and performance metrics?
- Are critical suppliers audited on a risk-based schedule?
- Are supplier nonconformances tracked and trended?
- Do purchasing specifications include quality requirements?
8. Verify UDI, MDR, Corrections & Removals Compliance
Confirm that your organization meets all four OAFR requirements:
| OAFR | Key Verification Points |
|---|---|
| UDI | GUDID submissions current; UDI on device labels and packages; DI and PI records accurate |
| MDR | MDR procedures current; reporting timelines met (30-day for serious injury, 5-day for death/serious injury that requires remediation); baseline reports filed |
| Corrections & Removals | Procedures for identifying reportable corrections/removals; 10 working day reporting to FDA |
| Tracking | Tracking procedures for tracked devices; distribution records maintained |
9. Prepare for Remote and Hybrid Inspection Capabilities
CP 7382.850 enables FDA to conduct records reviews remotely. Ensure your organization can:
- Provide electronic access to quality records securely
- Support virtual facility tours with video capability
- Respond to document requests within inspection timelines
10. Train Your Frontline Personnel
The people who interact with FDA inspectors — quality managers, production supervisors, design engineers — need to understand the new framework. Key training topics:
- How risk management drives inspection focus
- Why management review and internal audit records are now inspectable
- How to articulate the connections between quality processes
- What ISO 13485 terminology means in the context of FDA expectations
What to Expect During an Inspection
Inspection Initiation
The basic mechanics remain the same:
- FDA presents Form 482 (Notice of Inspection) — no advance notice for surveillance inspections
- Inspector conducts an opening meeting to discuss scope and schedule
- Typical inspection duration: 2–5 days depending on facility size and scope
Inspection Conduct
Under CP 7382.850, the inspector will:
- Request risk management documentation early in the inspection to understand the product and process risk profile
- Select QMS areas for deep evaluation based on risk signals — not all areas receive equal scrutiny
- Follow risk threads across processes (e.g., from a complaint to a CAPA to a design change to a supplier control update)
- Request management review, internal audit, and supplier audit records — these are no longer exempt
- Evaluate TPLC evidence including post-market surveillance data, complaint trends, and corrective action effectiveness
- Assess cybersecurity controls as part of design and risk management evaluation
Inspection Closeout
- Form 483 (Inspectional Observations) lists any deviations observed
- The 15-business-day response window for 483 observations continues
- FDA evaluates the adequacy of 483 responses before determining enforcement actions
- Warning letters may follow inadequate responses
Comparison: FDA QMSR Inspection vs. MDSAP Audit
| Element | FDA QMSR Inspection (CP 7382.850) | MDSAP Audit |
|---|---|---|
| Legal basis | US federal law (21 CFR 820 + ISO 13485 by reference) | Voluntary program; ISO 13485 + regulatory requirements of 5 jurisdictions |
| Authority | FDA enforcement (warning letters, consent decrees, import alerts) | Certification; market access in US, Canada, Brazil, Japan, Australia |
| Focus | Compliance with US requirements | Conformance with ISO 13485 across multiple jurisdictions |
| Scope | Risk-driven, focused on specific products/processes | Full QMS audit against MDSAP companion document |
| Duration | 2–5 days typically | 4–8 days typically |
| Internal audit access | Yes — directly inspectable | Yes — standard part of audit |
| Management review access | Yes — directly inspectable | Yes — standard part of audit |
| Enforcement | Warning letters, import alerts, consent decrees, criminal prosecution | Non-conformities; certificate suspension or withdrawal |
| Frequency | Risk-based scheduling | Annual surveillance + recertification every 3 years |
FAQ
Does ISO 13485 certification exempt my company from FDA inspection?
No. ISO 13485 certification demonstrates conformance with the international standard but does not replace FDA's regulatory oversight. FDA must independently verify compliance with QMSR requirements, which include both ISO 13485 provisions and additional FDA-specific requirements.
Can FDA inspectors really review our internal audit reports now?
Yes. The §820.180(c) exemption that previously limited FDA access to internal audit reports, management review records, and supplier audit reports has been removed under QMSR. These records are now directly inspectable.
What if our quality system was compliant with the old QSR but not yet aligned with ISO 13485?
If your QMSR effective date was February 2, 2026, you are expected to be in compliance now. If your system was built around the old QSR structure, you should have completed the transition by the effective date. Inspectors will evaluate against QMSR requirements, not the former QSR.
How are inspections different for combination products?
QMSR includes specific provisions for combination products (drugs + devices, biologics + devices). The lead FDA center (CDRH, CDER, or CBER) determines inspection focus. CP 7382.850 addresses coordination between centers for combination product inspections.
What happens if our management reviews are documented but lack substantive content?
Inspectors will evaluate whether management reviews actually function as a quality governance mechanism. If reviews produce no decisions, no resource allocations, and no quality improvements, inspectors may cite this as a deficiency even if the procedure exists and meetings are held.
Will FDA still issue QSIT-based inspections for any products?
No. As of February 2, 2026, all FDA device inspections follow CP 7382.850, regardless of product type, classification, or pathway. QSIT has been fully retired.
How does risk management drive inspection depth?
Inspectors use your risk management documentation to determine which areas receive the most scrutiny. A high-risk device with complex software, sterile manufacturing, or critical suppliers will receive deeper evaluation in design, production, and supplier controls. A lower-risk device manufacturer may receive a more streamlined inspection.
What resources did FDA provide for the transition?
FDA hosted a virtual Town Hall on January 14, 2026, addressing QMSR risk and design and development topics. Presentation slides, recordings, and transcripts are available on the CDRH Learn page. A second Town Hall on April 1, 2026, covered the new inspection process. The QMSR FAQ page on FDA.gov is regularly updated.
Key Takeaways
CP 7382.850 represents a regulatory reset, not an incremental update. FDA inspections are now lifecycle-based, ISO-governed, risk-driven, and legally empowered to review management review, internal audit, and supplier audit records. The organizations that adapt smoothly are those with integrated, risk-driven quality systems where the connections between design, production, suppliers, complaints, CAPA, and management oversight are documented, traceable, and genuinely effective.