The U.S. FDA has entered 2026 with one of the most significant regulatory transformations the medical device industry has seen in years. With the release of Compliance Program (CP) 7382.850, the agency has fundamentally rewritten how inspections are conducted, how risk is assessed, and how evidence is evaluated.
FDA inspections are no longer procedural QSIT audits. They are now risk‑driven, lifecycle‑focused, ISO‑aligned regulatory examinations, with expanded legal authority. This means inspectors will now evaluate end-to-end product lifecycle risk controls, cybersecurity, design & development, and regulatory evidence holistically, not just procedural compliance.
Net Effect: Inspections become deeper, more technical, more document-intensive, and more risk-driven, with expanded FDA authority to request records remotely and during pre-inspection, and stronger legal footing to escalate enforcement.
Welcome to the new QMSR era.
The New Regulatory Reality
At the heart of this shift is the FDA’s adoption of the Quality Management System Regulation (QMSR), which formally incorporates ISO 13485:2016 into U.S. federal law. In practice, this means FDA inspections now resemble Notified Body audits, but with the enforcement strength of a federal regulator.
Under CP 7382.850, inspectors no longer evaluate isolated quality subsystems by sampling. Instead, they examine how risk is controlled across the Total Product Lifecycle (TPLC): risk management, cybersecurity, PMA lifecycle oversight, and the regulatory evidence that supports each of them.
This repositions inspection logic from compliance verification to evidence of continuous quality governance.
What Has Changed?
1. From QSIT to QMSR: A Regulatory Framework Overhaul
The previous compliance program (7382.845) focused on 21 CFR Part 820 and the four QSIT subsystems: Management Controls, Design Controls, Corrective and Preventive Actions (CAPA), and Production and Process Controls.
The new 7382.850 framework is anchored directly in ISO 13485:2016, emphasizing:
- Integrated TPLC risk management
- Design and development lifecycle controls
- Cybersecurity obligations
- Traceability and UDI
- Process validation tied to risk
- Post-market surveillance as a regulatory evidence stream
The result? FDA inspectors will no longer “sample subsystems” — they now assess how your entire quality system manages risk from design through post-market. This aligns FDA inspections with Notified Body/MDSAP audit logic, making inspections more evidence-driven, more technical, and more ISO-fluent.
2. A New Inspection Structure and Typing
The old model used a tiered structure (Abbreviated, Comprehensive, For‑Cause). Now, the FDA deploys inspection types tied explicitly to risk, product classification, and lifecycle stage, including:
- Baseline & Non‑Baseline Surveillance
- Compliance Follow‑Up
- For‑Cause Investigations
- PMA Preapproval & PMA Post-market Inspections
Manufacturers of Class III, software-enabled, connected, and PMA products should expect more "deep dives". PMA holders in particular will face routine post-market inspections in addition to pre-approval visits, meaning more frequent and more intensive FDA attention.
3. Expanded Legal Authority: Remote Records and Virtual Inspections
Perhaps the most consequential change is that the FDA can now request records remotely, either before an inspection or instead of an on-site inspection, raising the compliance bar drastically. A refusal, delay, or inadequate response may constitute adulteration under the law. This means:
- Inspection readiness is now continuous
- Documentation must be immediately retrievable
- Virtual inspections can escalate enforcement without the agency ever stepping on-site
4. Cybersecurity: Now a Full Inspection Domain
Cybersecurity, once barely referenced, is now a dedicated evaluation area under CP 7382.850. FD&C Act §524B is enforced: it requires sponsors of "cyber devices" to provide reasonable assurance that the device and related systems are cybersecure throughout the device lifecycle. A cyber device is one that includes software, can connect to the internet, and could be vulnerable to cybersecurity threats, which in practice covers SaMD, networked devices, cloud-connected IVDs, and AI-enabled systems.
The FDA will now scrutinize:
- Secure Development Lifecycle (SDLC)
- Threat modeling
- Vulnerability and patch management
- SBOM readiness
- Incident response processes
- Cloud, network, software, and AI algorithm security
This change pulls IT, DevOps, and software engineering directly into the inspection arena, not just QA/RA.
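Of the items above, "SBOM readiness" is the one an engineering team can check mechanically before an inspector asks for the file. The following is an added example, not code from the original page or from FDA: it walks a CycloneDX-style JSON SBOM and reports which of the NTIA minimum elements (supplier, component name, version, a unique identifier, dependency relationship, plus SBOM author and timestamp) are missing. The CycloneDX field names (`components`, `bom-ref`, `purl`, `supplier.name`, `dependencies`, `metadata.timestamp`, `metadata.tools`) and the use of the NTIA minimum elements as the readiness criteria are assumptions of this example; the sample SBOM is constructed for illustration.

```python
"""SBOM readiness check against the NTIA minimum elements.

Added example, not part of the original page. Field names follow the
CycloneDX JSON layout as assumed here; adjust if your generator differs.
"""
import json

# Constructed sample SBOM (illustrative only; not a real device BOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "tools": [{"name": "example-sbom-tool"}],   # author of SBOM data
    },
    "components": [
        # Complete entry: supplier, name, version, purl, and a dependency record.
        {"type": "library", "bom-ref": "c1", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        # Missing version and any unique identifier.
        {"type": "library", "bom-ref": "c2", "name": "zlib",
         "supplier": {"name": "zlib"}},
        # Missing supplier, and no entry under "dependencies".
        {"type": "library", "bom-ref": "c3", "name": "sqlite", "version": "3.45.1",
         "purl": "pkg:generic/sqlite@3.45.1"},
    ],
    "dependencies": [
        {"ref": "c1", "dependsOn": []},
        {"ref": "c2", "dependsOn": []},
    ],
})


def check_component(comp, dep_refs):
    """Return the list of NTIA minimum elements missing from one component."""
    gaps = []
    supplier = comp.get("supplier") or {}
    if not supplier.get("name"):
        gaps.append("supplier")
    if not comp.get("name"):
        gaps.append("name")
    if not comp.get("version"):
        gaps.append("version")
    # Any one of purl, cpe, or swid counts as a unique identifier.
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        gaps.append("unique identifier")
    # A component with no dependency record has an unknown relationship.
    if comp.get("bom-ref") not in dep_refs:
        gaps.append("dependency relationship")
    return gaps


def sbom_readiness(sbom_json):
    """Map each deficient component (or '<document>') to its missing elements.

    An empty dict means every element an inspector would look for is present.
    """
    sbom = json.loads(sbom_json)
    findings = {}

    meta = sbom.get("metadata") or {}
    doc_gaps = []
    if not meta.get("timestamp"):
        doc_gaps.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_gaps.append("author of SBOM data")
    if doc_gaps:
        findings["<document>"] = doc_gaps

    dep_refs = {d.get("ref") for d in sbom.get("dependencies") or []}
    for comp in sbom.get("components") or []:
        gaps = check_component(comp, dep_refs)
        if gaps:
            findings[comp.get("bom-ref") or comp.get("name") or "?"] = gaps
    return findings


def is_ready(sbom_json):
    """True only when no component or document-level element is missing."""
    return not sbom_readiness(sbom_json)


if __name__ == "__main__":
    for ref, gaps in sbom_readiness(SAMPLE_SBOM).items():
        print(f"{ref}: missing {', '.join(gaps)}")
    print("ready" if is_ready(SAMPLE_SBOM) else "not ready")
```

Run it as a gate in the build pipeline that produces the SBOM, so a release cannot ship with a component that has no version or identifier; those are exactly the fields a vulnerability-management process needs in order to match advisories against the device's software inventory.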
5. ISO 13485:2016 is No Longer “Industry Best Practice” - It’s Law
FDA investigators will now cite ISO clauses as legal requirements. Examples:
- Complaint handling (ISO 13485 clause 8.2.2) and reporting to regulatory authorities (8.2.3), directly linked to FDA MDR obligations under 21 CFR 803
- Traceability (clause 7.5.9) tied to 21 CFR 821
- Advisory notices (clause 8.3.3) tied to 21 CFR 806
An “ISO gap” is now an FDA violation. If your ISO system is weak, the FDA can issue 483s using ISO logic. This unifies global regulatory expectations and eliminates any separation between ISO quality systems and FDA compliance.
6. Full Integration of PMA Inspections
Premarket Approval (PMA) oversight is now embedded within the same compliance program as all other device inspections, rather than being handled under a separate program (7383.001). It covers PMA preapproval inspections and PMA post-market inspections, and FDA now monitors design controls, manufacturing consistency, and post-market performance as one continuum. Post-market inspections may be triggered by:
- Complaint and MDR trends
- Field actions
- Cybersecurity events
- Post-market study performance
This creates a closed-loop enforcement model in which post-market signals can trigger a new inspection without any separate scheduling decision.
7. A Mature Risk‑Based Inspection Strategy
FDA now explicitly uses risk signals - including recalls, MDR trends, new technologies, supply chain complexity, and cybersecurity vulnerabilities - to determine:
- When to inspect
- How deep to inspect
- Which functional teams to interview
Expect fewer routine audits and more targeted, product- or risk-specific inspections.
8. Documentation and Evidence Requirements Increase Dramatically
Inspectors now expect to see:
- TPLC‑integrated risk management files
- An ISO‑aligned Quality Manual
- Cybersecurity documentation
- Traceability matrices linking risk → design → verification → validation → production → PMS
- PMA lifecycle documentation where applicable
- Digital record integrity controls
This increases preparation time, places a greater burden on cross‑functional teams, and requires a more holistic approach to regulatory documentation, going beyond just having the procedures in place. Companies with weak risk integration, cybersecurity governance, or post-market surveillance will face significantly higher enforcement exposure, including remote inspections and accelerated escalation pathways.
How Inspections Will Feel Different
Under the old system, inspections were procedural, checklist‑driven, based on subsystem sampling, and QA‑centric. Under 7382.850, they become:
- Technical: Inspectors follow engineering logic, not procedural checklists
- Cross‑functional: Engineering, IT, RA, clinical, and cybersecurity are active participants
- Continuous: Records may be reviewed before inspectors arrive
- ISO‑enforced: ISO clauses are now regulatory law
- Risk‑based: Follow product risk threads across TPLC
Inspectors will track risk signals across the entire lifecycle, from design, manufacturing, complaints, MDRs, and regulatory filings through to field failures and cybersecurity incidents, and assess whether a company maintains continuous quality governance.
Who Is Most Impacted?
Executive leadership, IT, engineering, and regulatory teams are now frontline participants in FDA inspections. Quality is no longer confined to QA; it is an enterprise responsibility.
7382.850 transforms FDA inspections into something much closer to an EU Notified Body audit, but with the FDA’s legal enforcement authority. This is no longer about “passing an inspection.” It is about demonstrating continuous, documented, risk-based quality governance.
Companies that will be most impacted:
- Software / SaMD / AI / connected device manufacturers
- IVD and companion diagnostic companies
- PMA holders
- MDSAP‑dependent firms treating MDSAP as their FDA inspection substitute
- Any company with immature risk management or cybersecurity governance
The Final Verdict: A Regulatory Reset
CP 7382.850 is not an incremental update; it's a complete regulatory reset. FDA inspections are now:
- Lifecycle‑based
- ISO‑governed
- Cyber‑aware
- Legally empowered to occur remotely
- Designed for faster escalation
Manufacturers who modernize their quality systems, integrate risk across the lifecycle, and adopt strong cybersecurity and documentation practices will adapt smoothly. Those who do not will face deeper inspections, faster enforcement, and significantly higher regulatory risk.
Summary Table: Old vs. New Inspection Models

| Area | 7382.845 (Old) | 7382.850 (New) | Field Impact |
| --- | --- | --- | --- |
| Regulatory Model | QSR (21 CFR 820) | QMSR (ISO 13485:2016 incorporated into 21 CFR 820) | ISO gaps = FDA violations |
| Inspection Style | Subsystem sampling | Lifecycle risk assessment | Deeper, technical audits |
| PMA | Separate program (7383.001) | Fully integrated | Continuous oversight |
| Cybersecurity | Barely referenced | Dedicated section | IT/software now inspected |
| Authority | On-site inspections | Remote record authority | Virtual inspections possible |
| Risk Strategy | General risk-based | Signal-driven targeting | More for-cause visits |
| Enforcement | Traditional escalation | Adulteration for obstruction | Higher legal exposure |