Yesterday, RAPS hosted a QMSR implementation webcast featuring:

• FDA’s Karen Masley-Joseph (Senior Advisor, OMDRHI, and FDA’s lead for QMSR implementation)

• Julie Larsen (Managing Principal, BioTeknica/IQVIA, with 35+ years in quality assurance and compliance)

• Jodi Scott (Partner, Hogan Lovells, former in-house FDA counsel at Medtronic, and ISO 13485 certified auditor).

The session provided some important information and drew 21 submitted questions. We attended, so you didn’t have to!

Here are the 15 takeaways every medical device quality professional needs to know, plus a full Q&A breakdown. We’ve lightly edited some quotes for clarity. Talk to us if you need audit, mock inspection, or general inspection-readiness support to align with these new expectations.

1. QSIT is in fact gone, replaced by Compliance Program 7382.850

The FDA’s risk-based inspection process is now documented in Compliance Program 7382.850 (”Inspection of Medical Device Manufacturers”), released January 30, 2026.

This 78-page document replaces QSIT and consolidates two former compliance programs (pre-market and post-market PMA inspections) into a single reference. Read our inspection readiness breakdown here if you haven’t already:

QSIT is Officially Replaced: What FDA’s New Inspection Program Means Under QMSR

The FDA Group

·

Feb 2

Read full story

Karen Masley-Joseph emphasized that this realigns device inspections with the FDA’s broader documentation approach:

“Compliance programs provide instructions to FDA personnel for conducting activities to evaluate industry compliance with the Federal Food, Drug and Cosmetic Act. There are compliance programs for most products that FDA regulates. They are our FDA internal procedures. They’re not guidance. They do not go through public comment or review, but we do post them for transparency. QSIT as a separate document was kind of an outlier. Now we’re just realigning our documentation with the rest of FDA.”

And an important caveat:

“Compliance programs do not create or confer any rights for or on any person, and they do not operate to bind the FDA or the public.”

2. Every inspection now touches every part of your QMS

As we reported on in our prior compliance manual breakdown, the new process organizes QMSR requirements into six QMS areas plus four Other Applicable FDA Requirements (OAFRs—pronounced “offers”).

Karen:

“One difference between this inspection process and QSIT is that now on every inspection, FDA will evaluate, to some extent, requirements in each of the main parts of your Quality Management System. This is done in alignment with the QMSR, as ISO 13485 is based on a process approach to quality management.”

Detailed tables mapping each QMS area and OAFR to specific ISO 13485 clauses (referred to as “requirements”) are in Attachment A of the compliance program.

Karen noted:

“Each QMS area and OAFR is comprised of one or more elements, and each element includes one or more regulatory requirements. The term ‘clause’ or ‘clauses’ refer to those requirements in the 2016 version of ISO 13485, which is incorporated by reference under 21 CFR 820.7.”

3. Know which of the two new inspection models applies to you

Model 1 is used for most inspections: non-baseline surveillance, compliance follow-ups, for-cause, specific product risk, and PMA post-market inspections. Under Model 1, investigators select at a minimum one element to evaluate requirements in each of the six QMS areas and OAFRs.

Karen emphasized the flexibility:

“The inspection process is flexible, and that means the QMS areas and OAFRs are not required to be evaluated in any specific order.”

Model 2 is used for baseline surveillance and PMA pre-approval inspections. This model “requires that the investigator covers a few more elements in the QMS areas, because in Model 2 assignments, those are used mostly for baseline surveillance inspections and PMA pre-approval inspections.” The specific required elements are listed in Figure 2 of the compliance program.

Both models include the same critical expansion clause:

“If an inspection reveals objectionable conditions, or if information cannot be adequately assessed through review of these minimum requirements, the investigator may consider selecting additional elements for evaluation.”

Both models also require investigators to cover general items including registration and listing, marketing authorizations, previous 483s or compliance issues, and other areas defined in the assignment.

4. Risk management documentation is the inspection’s spine

The compliance program documents a two-part inspection goal:

1. Evaluate if the manufacturer’s QMS meets FDA requirements and provides reasonable assurance that devices will be safe and effective.

2. Evaluate if risk management and risk-based decision making are effectively used in the QMS.

Karen described how investigators will pursue this:

“Investigators use critical thinking and consider risk throughout the inspection. They become familiar with the manufacturer’s roles, products and processes, and identify product risks that could adversely impact patients or users. The identification of the product risks includes becoming familiar with the manufacturer’s roles, such as a spec developer or finished device manufacturer. They will also understand their products, the processes, and they will gain an understanding of what requirements are applicable to that site. Investigators review the manufacturer’s risk management documentation throughout the inspection, and that’s to assist them with understanding the product risks and the associated risk controls the manufacturer has implemented.”

Notably, the Management Oversight QMS area now explicitly includes planning of product realization (clause 7.1) and risk-based approach (clause 4.1.2b).

Karen explained this was done “with consideration of the discussion of risk that is in the QMSR preamble,” specifically Comment 19, which states:

“The explicit integration of risk management throughout the clauses of ISO 13485 more explicitly establishes a requirement for risk management to occur throughout a QMS, and effective risk management systems provide the framework for sound decision making within a QMS and provide assurance that devices will be safe and effective.”

5. Yes, the FDA can see your management review and internal audit records now

The removal of §820.180(c) exceptions means management review records, internal audit findings, and supplier audit reports are no longer shielded from inspection. Multiple questions addressed this topic.

Karen confirmed directly:

“Your QMS is a living breathing system, and we can look at records that were prior to February 2. That does include these records that were formally excluded under the 21 CFR 820.180(c).”

This applies retroactively to records created before the QMSR effective date. There is no carve-out for historical documents generated under the former exclusion.

6. But take a breath: this wasn’t the FDA’s ask

Karen provided some helpful context that should calm concerns:

“I know this is a hot topic. There’s always a lot of questions. I do want to point people to our FAQs on the website that does discuss record review and what FDA will look at on an inspection. I also hope that people have read the preamble and they look at Comment 55. It does talk about, you know, FDA has had access to the inputs and outputs of these processes already. We’ve always had that. We’ve been able to do effective inspections without looking at this information. This removal of this exclusion was really a byproduct of harmonization. It was, you know, that this is just how everyone else in the world is doing it, and we’re going to align with what everyone else is doing. So we’re not going to carve out things, because we’re going to be harmonized. So that was the byproduct. It wasn’t anything specific that the inspectorate really clamored for, right? It really wasn’t. Again, we’ve already had access to this data.”

Critically, under Model 1 (which applies to most inspections), these records are not required elements:

“If you looked at the models and look at the compliance program, these are not required for our Model 1. So they may be looked at, they may not be looked at. It depends. It really depends what the investigator is finding. It does not mean they’ll be looking at it each and every inspection.”

7. Reframe it: these records are your opportunity to shine

Karen urged manufacturers to shift their mindset:

“Comment 55 also does talk about a culture of quality, and you know, think of it as an opportunity of using these documents to show the great work that you are doing to control the risks that you know about—these risks that your top management knows about, the risks that you guys are taking care of business. And you know, doing prevention where you need to control risks. And then, you know, really taking timely action if you have to do some reaction to some information in situations. And so that’s a really good way to think about it.”

She added:

“If the investigator does look there, it does not mean they’ll be looking at it each and every inspection. But you know, do look at how you’re using your QMS processes to really make good risk-based decisions. And these are places where you could really show that off.”

Her final word on the topic:

“I would just encourage everyone to take a breath. I think it’ll be okay. I think that you’ll all really have some good information to show about the risk-based decisions you’re making.”

8. “Culture of Quality” is now explicit and testable

Preamble Comment 27 makes the FDA’s expectations around organizational culture explicit.

Jodi Scott noted:

“While it’s explicit in the QMSR, I don’t think it’s really a big difference—we have certainly over the years seen FDA have expectations around a culture of quality within an organization. And how do you demonstrate that?”

She outlined what the FDA looks for:

“They want to know that your leadership owns it, that they know that they have responsibility for everything and that quality is part of their job and what they’re responsible for, which means they’re looking at risk. They’re looking at quality. They’re allocating the resources and prioritizing quality. If there are decisions made, both the decisions to take actions, and probably more importantly, the decisions not to take action—they can explain why those decisions are made, and they can tie it back to risk, and particularly the risks to patients and users.”

On the concept of psychological safety:

“You want to make sure that there is both infrastructure and also an ethos around being able to raise issues so they can be handled. You can’t fix things if you have no idea that they’re occurring. And I will tell you, having spent a lot of time in organizations remediating systems, very often when there are issues, people within the organization know about them. It’s very rarely when an entire organization has an issue that they’re confronting that nobody had any idea about it.”

On risk-based thinking:

“It’s been clear for the past two years that risk-based thinking everywhere. Risk to patients and users should be a question that you’re asking all the time, kind of everything everywhere, all at once. It’s going to be that central to how FDA looks at how organizations are managing quality, but also should just be really core to how you’re doing business.”

Julie Larsen added the concept of:

“a culture of self-correction, which means your system and your behaviors are geared towards finding your problems and fixing them, and it’s really just that simple. And those items are demonstrated throughout your system and can specifically be illustrated when you show information on your management reviews, on your CAPA system, on your internal audits, all the places—your health hazard evaluations, your device correction and removal decisions. All those are places where you can demonstrate that you have a culture of self-correction, culture of quality.”

9. Expect investigators to pull threads through your entire system

Jodi Scott described a shift in inspection sophistication: