Understanding FDA’s Risk-Based Inspection Model Under QMSR
February 13, 2026Quality Management System Regulation (QMSR) became effective February 2, 2026 ( see our prior blog post about here). That same day FDA replaced the Quality System Inspection Technique (QSIT) for medical device inspections with a new risk-based inspection approach, as described in the updated Inspection of Medical Device Manufacturers Compliance Program Manual (CP-7382.850).
The new inspection method applies to all quality system inspections of medical device manufacturers (e.g., preapproval inspections, for-cause compliance inspections, routine post-market inspections). Under the new approach FDA will continue to take a risk-based approach to scheduling inspections, with Class I device manufacturers not requiring routine inspection unless a for-cause inspection is needed or there is a health-hazard signal.
Differences in Inspectional Approach
Under the new process, consistent with the QMSR’s focus on risk management, investigators will begin by reviewing a Company’s risk management file to identify product-specific risks. According to the updated Compliance Program document, these risks will be “used to evaluate whether a manufacturer is meeting requirements.” FDA does not elaborate on how this will be done but does emphasize that investigators will need to use critical thinking skills to evaluate compliance and patient/product risk. In addition, FDA investigators will review external sources of information before arriving onsite – such as MDRs, trade complaints, and reports of correction and removals for similar products – to better understand the device’s overall risk profile.
FDA will continue to organize the inspections around specific Quality Management System (QMS) areas. Under QSIT, inspections focused on four primary subsystems: (1) Management; (2) Corrective Action and Preventive Action (CAPA) – which included Medical Device Reporting (MDR), Reports of Corrections and Removals, and Medical Device Tracking; (3) Design Controls; and (4) Product and Process Controls, including Sterilization Process Controls. Under the new framework, FDA has expanded these from four to six areas:
- Management Oversight
- Measurement, Analysis and Improvement
- Design and Development
- Change Control
- Outsourcing and Purchasing
- Production and Service Provisions
The details of these six areas are shown below in the table.
In addition to these six QMS areas, during each inspection, FDA will also cover four Other Applicable FDA Requirements (OAFRs): (1) MDR; (2) Reports of Corrections and Removals; (3) Medical Device Tracking (if applicable); and (4) Unique Device Identification (UDI). General regulatory areas – such as registration and listing, marketing authorization and previous compliance issues – will also remain within inspection scope.
FDA will use one of two inspection models, depending on the inspection type. Model 1 applies to non-baselines surveillance, compliance follow-up, for cause, specific product risk assignment (SPRA), and PMA post-market inspections. Model 2 applies to baseline surveillance and PMA pre-approval inspections.
For Model 1 inspections, the investigator will use identified products’ risks to select a minimum of at least one element in each of the six QMS areas. Model 2 inspections, however, will cover all applicable elements within each QMS area, as shown below.
| Inspection Model 2 | |
| QMS Areas | Element |
| Change Control | Product and Process Changes |
| Design and Development | Design Inputs |
| Design Outputs | |
| Design Review | |
| Design Verification | |
| Design Validation | |
| Software Validation | |
| Design Transfer | |
| Management Oversight | Management Review |
| Medical Device File | |
| Planning of Product Realization | |
| Measurement, Analysis, and Improvement | Analysis of Data |
| Control of Nonconforming Product | |
| Complaint Handling | |
| Feedback | |
| Internal Audits | |
| Corrective Action | |
| Preventive Action | |
| Production and Service Provisions
(for sterile products) | Validation of Processes for Production and Service Provision |
| Control of Production and Service Provision | |
| Identification and Traceability | |
| Validation of Processes for Sterilization and Sterile Barrier Systems | |
| Outsourcing and Purchasing | Outsourcing |
FDA notes, however, that because a QMS is a “set of linked processes” inspectional focused in one area may lead investigators to examine different areas of the QMS. For Company’s already participating in the Medical Device Single Audit Program (MDSAP), this change may have limited practical impact, as this approach is similar to MSDAP audit processes. While FDA does not conduct surveillance inspections for MDSAP-audited manufacturers, FDA may still perform inspections as part of a compliance follow-up or for cause investigation.
Preparing for the New Inspectional Method
So how can companies prepare for this new inspectional approach? An important first step is ensuring company personnel are familiar with the new inspectional method. Conducting mock audits, including internal audits, following the new method can also help ensure that the business is familiar with the new methods when FDA arrives for the first QMSR inspection.
In addition to ensuring that companies are familiar with how FDA will move through the review of documents in the new inspectional method, there are other important considerations of which companies need to be aware.
For example, according to FDA’s Frequently Asked Questions, investigators may review records created before February 2, 2026. Because the former Quality System (QS) regulation and QMSR are largely similar, FDA may rely on those existing records to assess compliance with QMSR. As a result, companies should consider performing a gap analysis to identify which existing records can demonstrate QMSR compliance.
Within this category of records created prior to February 2, 2026, companies should consider actions taken in response to prior inspectional findings. While not specifically stated in the announcement from FDA, for companies with VAI or OAI inspections that require review of actions taken in response to those prior inspections during a company’s next inspection (i.e., its first QMSR inspection), FDA will evaluate the actions taken to determine whether they comply with the QMSR not the QSR. This will be true even if the actions were undertaken while the QSR was still in place. Thus, companies with prior OAI and VAI inspections should consider reviewing their prior inspectional findings and resulting actions to ensure compliance with the QMSR.
New Documents Available for Review
Additionally, the QMSR explicitly gives FDA authority to inspect management review records, quality audit records (including internal audits) and supplier audit reports. These were records not previously reviewed by FDA during inspections. Under QMSR, however, these records must be available for FDA review. This concept is not novel to many U.S. companies given that these records have been available to ISO 13485 auditors.
Although such documents are “maintained in the regular course of business and should be readily available,” it remains to be seen whether this expanded access will lead companies to limit the level of detail or transparency within their internal audit documentation.
* * *
While the new inspectional approach is not a huge departure from QSIT, it does put device risk at the forefront. Manufacturers should begin preparing now to ensure they are not caught off guard when FDA arrives for its first QMSR inspection.