On February 2, 2026, the U.S. Food and Drug Administration (FDA) published its anticipated compliance program manual, Inspection of Medical Device Manufacturers (CP 7382.850), to explain how the agency intends to conduct inspections of medical device manufacturers under the Quality Management System Regulation (QMSR) at a number of points across device and manufacturer total product life cycles. CP 7382.850 is expressly designed to modernize and harmonize FDA's approach to device quality management, formally superseding the longstanding Quality System Inspection Technique (QSIT). Moreover, with the introduction of CP 7382.850, FDA will no longer use the following documents: Inspection of Medical Device Manufacturers (CP 7382.845) and Medical Device PMA Preapproval and PMA Postmarket Inspections (CP 7383.001).
Expanded scope of review
The transition to CP 7382.850 marks a significant shift in FDA inspection methodology. QSIT inspections were conducted under a rigid, subsystem “top-down” structure, focusing on Management Controls, Design Controls, Corrective and Preventive Actions (CAPAs), and Production and Process Controls, with additional reviews of other Quality System Regulation subsections for cause or when unique device or manufacturer attributes were present. This approach relied heavily on static flowcharts and decision trees, with risk management mainly confined to design controls, resulting in limited flexibility to address emerging risks or evolving regulatory priorities.
CP 7382.850, by contrast, establishes an expansive model for assessing product and process risks, all centered around risk to patients and users. The new program organizes inspection emphasis into six Quality Management System (QMS) areas and four categories of Other Applicable FDA Requirements (OAFRs):
- QMS areas: (1) Change Control; (2) Design and Development; (3) Management Oversight; (4) Measurement, Analysis, and Improvement; (5) Outsourcing and Purchasing; and (6) Production and Service Provision.
- OAFRs: (1) Medical Device Reporting (MDR); (2) Corrections and Removals; (3) Tracking; and (4) Unique Device Identification (UDI).
FDA depicts this approach in the following diagram:
Each QMS area is also now comprised of a series of elements. Each element includes one or more regulatory requirements. The specific elements in each QMS area are identified in Attachment A of the new CP. This structure aligns more closely with ISO 13485 and incorporates evolving FDA priorities, like UDI and cybersecurity, both absent in QSIT.
The new CP adopts two structured, risk-based inspection models.
- Model 1: Requires investigators to select and assess at least one element from each of the six QMS areas and to review the four OAFRs.
- Model 2: Represents a more detailed inspection approach that requires investigators to review specific elements from each of the six QMS areas and to review the four OAFRs. The specific elements reviewed for each QMS element are identified on page 24 of the CP.
In addition, each inspection model includes a review of what the agency refers to as “general” areas. These include: (1) Establishment Registration and Device Listing; (2) Marketing Authorizations; (3) Previous 483/Compliance Issues; and (4) Other areas as defined in the inspection assignment.
The type of inspection being conducted determines which model will be applied. For example:
- Non-baseline surveillance: Model 1. These are inspections involving facilities that have previous FDA inspections or MDSAP audits with a classification of Voluntary Action Indicated or No Action Indicted, or for establishments not currently enrolled in the Medical Device Single Audit Program (MDSAP).
- Baseline surveillance: Model 2. These are inspections involving establishments with no FDA inspection history, risk factors indicate a need for evaluation, and establishments not enrolled in the MDSAP.
- Compliance follow-up: Model 1. These are inspections associated with previous FDA inspections or MDSAP audits resulting in regulatory action.
- For-cause: Model 1. These are inspections carried out in response to specific information that raises questions, concerns, signals, or concerns associated with a device.
- PMA preapproval inspections: Model 2. As noted above, CP 7382.850 replaces FDA’s compliance program manual, Medical Device PMA Preapproval and PMA Postmarket Inspections (CP 7383.001), and instead utilizes the same inspection models used for routine inspections, except noting that assessment of the four OAFRs may not be relevant for review in PMA preapproval inspections if the manufacturer has not yet introduced any regulated product into the U.S. market.
- PMA postmarket inspections: Model 1. Same.
Consistent with the QMSR, another key difference from QSIT is that under CP 7382.850, investigators are now authorized to access internal audit reports, management review documentation, and supplier audit reports. This expanded visibility will likely become instrumental in assessing a manufacturer's culture of quality, as these records provide direct insight into how leadership thinks, behaves, prioritizes, and responds to risk, rather than merely how procedures are written. FDA's access to these records imposes a heightened expectation for manufacturers to maintain robust, demonstrable, and self-correcting quality systems reinforced by risk management and substantive management responsibility, as we wrote about here.
Total product life cycle and risk management
CP 7382.850 mandates the integration of post-market surveillance and life cycle data into every inspection, advancing a Total Product Life Cycle (TPLC) orientation. Investigators are now expected to systematically incorporate complaint trends, MDR and recall patterns, postmarket surveillance findings, servicing records, design changes, and supplier issues for marketed devices into their inspections. The new model framework embeds risk management throughout the QMS, replacing QSIT's compartmentalized approach with a dynamic, life cycle-oriented methodology. FDA identifies these connections as "roads" which connect the various QMS areas and OAFRs. Investigators will now employ risk-based sampling, leveraging real-time manufacturer data and trends to inform assessments and support continuous improvement throughout the QMS. This holistic approach will focus on how manufacturers are applying risk management throughout the QMS and gauge whether the system is adaptive and continuously responding to real-world device performance and safety inputs. This shift reflects a significant escalation in FDA's expectations; manufacturers will now be expected to demonstrate not only risk‑based decision-making, but real‑time responsiveness to postmarket signals, supplier issues, and field performance. Systems that are static, slow, or documentation‑only will be more easily identified as insufficient under the new program.
Cybersecurity
As expected, the updated compliance program makes cybersecurity an explicit part of the inspection process for connected devices. This change is consistent with FDA's recent emphasis on the management of cybersecurity risks across the TPLC, as we wrote about here and here, and requires cybersecurity controls to be inspection-ready in the same way CAPA, complaint handling, and design controls are.
Inclusion of remote regulatory assessments
Attachment B of CP 7382.850 focuses on procedures for conducting Remote Regulatory Assessments (RRAs) when in-person inspections are not feasible. Although RRAs are distinct from physical inspections, FDA may use them to “help assess an establishment's compliance with QMSR, support regulatory decisions, information inspection planning (e.g., a risk-inspection schedule), and prepare for a scheduled inspection (e.g., inspection coverage).” Importantly, the updated program stresses FDA's authority under the Food, Drug and Cosmetic Act to request records in advance of, or in lieu of, an inspection. This is a strong signal that inspection readiness should now include the ability to package, review, and produce core records quickly—indeed, the inability to do so may create avoidable risk or result in a more onerous inspection, particularly because RRAs allow the agency to identify gaps before arriving on‑site, increasing the likelihood that inspections begin from a position of heightened scrutiny.
Why the new CP matters
With the release of FDA's new inspection technique to align with the goals of the QMSR, device manufacturers should be prepared for a significant operational and cultural transformation for undergoing, addressing, and responding to inspections and RRAs. Manufacturers will be expected to not only demonstrate procedural compliance with QMS regulations but also confirm affirmatively with evidence the existence of a robust, self-correcting quality culture. Preparation should include comprehensive gap analyses for migrating legacy documentation into the ISO 13485 Clause 4.2.3 Medical Device File format and ensuring seamless integration of risk management data into procurement, training, and CAPA processes. Companies will also need to show that their systems actively manage risk and assure product safety in real time, reflecting the FDA's heightened expectations for management responsibility, supply chain control, and adoption of advanced data systems. In addition, because CP 7382.850 elevates outsourcing and purchasing as a core QMS area, manufacturers should expect deeper FDA attention on supplier qualification, ongoing monitoring, and responsiveness to supplier‑related risks—an area where many organizations continue to experience findings.
In summary, CP 7382.850 constitutes a thorough and far-reaching revision of the FDA's inspection strategy for medical device manufacturers. The new program's structure and methodology require integrated risk management, TPLC-oriented perspectives, and transparent quality practices. As the industry adjusts to CP 7382.850, medical device manufacturers should anticipate increased regulatory scrutiny and the necessity for ongoing internal training to stay current with dynamic requirements. FDA's emphasis on real-time data integration and continuous improvement compels manufacturers to implement agile systems capable of responding quickly to emerging risks, regulatory changes, and market feedback. Collaborative engagement with stakeholders—including suppliers, service providers, and regulatory advisors—will be vital for demonstrating effective risk management and compliance throughout the TPLC. By fostering transparent communication and leveraging digital technologies for data collection and analysis, manufacturers can optimize inspection readiness and overall quality outcomes, ensuring organizational resilience and positioning themselves as leaders in patient safety and device reliability.
Taken together, these updates signal a more probing, data‑driven, and leadership‑focused inspection environment. Manufacturers should evaluate whether their current systems (1) demonstrate closed‑loop use of risk information, (2) reflect genuine management involvement, and (3) can withstand FDA review of internal audits, supplier oversight, and life cycle data integration. Early preparation will be critical to avoid inspection surprises under the new CP
[View source.]
