
FDA Inspections 2026: The QMSR Reset and the New Era of Risk Based Enforcement

Written by Tim Joiner | Feb 16, 2026 8:30:00 AM

The U.S. FDA has entered 2026 with one of the most significant regulatory transformations the medical device industry has seen in years. With the release of Compliance Program (CP) 7382.850, the agency has fundamentally rewritten how inspections are conducted, how risk is assessed, and how evidence is evaluated.

FDA inspections are no longer procedural QSIT audits. They are now risk‑driven, lifecycle‑focused, ISO‑aligned regulatory examinations, with expanded legal authority. This means inspectors will now evaluate end-to-end product lifecycle risk controls, cybersecurity, design & development, and regulatory evidence holistically, not just procedural compliance.

Net Effect: Inspections become deeper, more technical, more document-intensive, and more risk-driven, with expanded FDA authority to request records remotely and during pre-inspection, and stronger legal footing to escalate enforcement.

Welcome to the new QMSR era.

The New Regulatory Reality

At the heart of this shift is the FDA’s adoption of the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference into 21 CFR Part 820, making the standard’s requirements enforceable U.S. federal law. In practice, this means FDA inspections now resemble Notified Body audits, but with the enforcement strength of a federal regulator.

Under CP 7382.850, inspectors no longer evaluate isolated quality subsystems by sampling. Instead, they examine how risk is controlled across the Total Product Lifecycle (TPLC): risk management, cybersecurity, PMA lifecycle oversight, and the regulatory evidence a firm can produce on demand.

This repositions inspection logic from compliance verification to evidence of continuous quality governance.

What Has Changed?

1. From QSIT to QMSR: A Regulatory Framework Overhaul

The previous compliance program (7382.845) focused on 21 CFR Part 820 and the four QSIT subsystems: Management Controls, Design Controls, CAPA, and Production and Process Controls (with material controls examined as part of the latter).

The new 7382.850 framework is anchored directly in ISO 13485:2016, emphasizing:

    • Integrated TPLC risk management
    • Design and development lifecycle controls
    • Cybersecurity obligations
    • Traceability and UDI
    • Process validation tied to risk
    • Post-market surveillance as a regulatory evidence stream

The result? FDA inspectors will no longer “sample subsystems” — they now assess how your entire quality system manages risk from design through post-market. This aligns FDA inspections with Notified Body/MDSAP audit logic, making inspections more evidence-driven, more technical, and more ISO-fluent.

2. A New Inspection Structure and Typing

The old model used a tiered structure (Abbreviated, Comprehensive, For‑Cause). Now, the FDA deploys inspection types tied explicitly to risk, product classification, and lifecycle stage, including:

    • Baseline & Non‑Baseline Surveillance
    • Compliance Follow‑Up
    • For‑Cause Investigations
    • PMA Preapproval & PMA Post-market Inspections

Manufacturers of Class III, software‑enabled, connected, and PMA products should expect more ‘deep dives’. PMA holders will face routine post-market inspections in addition to pre-approval visits, and more frequent and intensive FDA attention overall.

3. Expanded Legal Authority: Remote Records and Virtual Inspections

Perhaps the most consequential change is that the FDA can now request records remotely, either in advance of or in lieu of an on-site inspection, which raises the compliance bar considerably. A refusal, unreasonable delay, or inadequate response can render the firm’s devices adulterated under the FD&C Act. This means:

    • Inspection readiness is now continuous
    • Documentation must be immediately retrievable
    • Virtual inspections can escalate enforcement without the agency ever stepping on-site

4. Cybersecurity: Now a Full Inspection Domain

Cybersecurity, once barely referenced in the compliance program, is now a dedicated evaluation area under CP 7382.850. FD&C Act §524B, added by the Food and Drug Omnibus Reform Act (FDORA) of 2022, is enforced: it requires sponsors of “cyber devices” to maintain a plan to monitor, identify, and address post-market vulnerabilities; to design, develop, and maintain processes that provide reasonable assurance the device and related systems are cybersecure, including the delivery of post-market updates and patches; and to provide a software bill of materials (SBOM). A cyber device is one that includes software, can connect to the internet, and has technological characteristics that could be vulnerable to cybersecurity threats. In practice that covers SaMD, networked devices, cloud-connected IVDs, and AI-enabled systems.

The FDA will now scrutinize:
    • Secure Development Lifecycle (SDLC)
    • Threat modeling
    • Vulnerability and patch management
    • SBOM readiness
    • Incident response processes
    • Cloud, network, software, and AI algorithm security

This change pulls IT, DevOps, and software engineering directly into the inspection arena, not just QA/RA.

5. ISO 13485:2016 is No Longer “Industry Best Practice” - It’s Law

FDA investigators will now cite ISO 13485:2016 clauses as legal requirements. Examples:

    • Complaint handling (clause 8.2.2) and reporting to regulatory authorities (clause 8.2.3), directly linked to FDA MDR obligations under 21 CFR 803
    • Traceability (clause 7.5.9), tied to 21 CFR 821
    • Advisory notices (clause 8.3.3), tied to 21 CFR 806

An “ISO gap” is now an FDA violation. If your ISO system is weak, the FDA can issue 483s using ISO logic. This unifies global regulatory expectations and eliminates any separation between ISO quality systems and FDA compliance.

6. Full Integration of PMA Inspections

Premarket Approval (PMA) oversight is now fully embedded within the same program as all other inspections; it is no longer handled under a separate program (CP 7383.001). The program covers both PMA Preapproval Inspections and PMA Post-market Inspections, and FDA now monitors design controls, manufacturing consistency, and post-market performance as one continuum. Post-market inspections can be triggered by:

    • Complaint and MDR trends
    • Field actions
    • Cybersecurity events
    • Post-market study performance

This creates a closed‑loop enforcement model in which post-market signals can automatically trigger a new inspection.

7. A Mature Risk‑Based Inspection Strategy

FDA now explicitly uses risk signals - including recalls, MDR trends, new technologies, supply chain complexity, and cybersecurity vulnerabilities - to determine:

    • When to inspect
    • How deep to inspect
    • Which functional teams to interview

Expect fewer routine audits and more targeted, product- or risk-specific inspections.

8. Documentation and Evidence Requirements Increase Dramatically

Inspectors now expect to see:

    • TPLC‑integrated risk management files
    • An ISO‑aligned Quality Manual
    • Cybersecurity documentation
    • Traceability matrices linking risk → design → verification → validation → production → PMS
    • PMA lifecycle documentation where applicable
    • Digital record integrity controls

This increases preparation time, places a greater burden on cross‑functional teams, and requires a more holistic approach to regulatory documentation, going beyond just having the procedures in place. Companies with weak risk integration, cybersecurity governance, or post-market surveillance will face significantly higher enforcement exposure, including remote inspections and accelerated escalation pathways.

How Inspections Will Feel Different

Under the old system, inspections were procedural, checklist‑driven, based on subsystem sampling, and QA‑centric. Under 7382.850, they become:

    • Technical: Inspectors follow engineering logic, not procedural checklists
    • Cross‑functional: Engineering, IT, RA, clinical, and cybersecurity are active participants
    • Continuous: Records may be reviewed before inspectors arrive
    • ISO‑enforced: ISO clauses are now regulatory law
    • Risk‑based: Follow product risk threads across TPLC

Inspectors will follow risk signals across the entire lifecycle, from design, manufacturing, complaints, MDRs, and regulatory filings through to field failures and cybersecurity alerts, and assess whether a company maintains continuous quality governance.

Who Is Most Impacted?

Executive leadership, IT, engineering, and regulatory teams are now frontline participants in FDA inspections. Quality is no longer confined to QA; it is an enterprise responsibility.

7382.850 transforms FDA inspections into something much closer to an EU Notified Body audit, but with the FDA’s legal enforcement authority. This is no longer about “passing an inspection.” It is about demonstrating continuous, documented, risk-based quality governance.

Companies that will be most impacted:

    • Software / SaMD / AI / connected device manufacturers
    • IVD and companion diagnostic companies
    • PMA holders
    • MDSAP‑dependent firms treating MDSAP as their FDA inspection substitute
    • Any company with immature risk management or cybersecurity governance

The Final Verdict: A Regulatory Reset

CP 7382.850 is not an incremental update; it's a complete regulatory reset. FDA inspections are now:

    • Lifecycle‑based
    • ISO‑governed
    • Cyber‑aware
    • Legally empowered to occur remotely
    • Designed for faster escalation

Manufacturers who modernize their quality systems, integrate risk across the lifecycle, and adopt strong cybersecurity and documentation practices will adapt smoothly. Those who do not will face deeper inspections, faster enforcement, and significantly higher regulatory risk.

Summary Table: Old vs. New Inspection Models

Area             | 7382.845 (Old)         | 7382.850 (New)                | Field Impact
-----------------|------------------------|-------------------------------|-----------------------------
Regulatory Model | QSR (21 CFR 820)       | QMSR (ISO 13485 incorporated) | ISO gaps = FDA violations
Inspection Style | Subsystem sampling     | Lifecycle risk assessment     | Deeper, technical audits
PMA              | Separate program       | Fully integrated              | Continuous oversight
Cybersecurity    | Not addressed          | Dedicated section             | IT/Software now inspected
Authority        | On-site inspections    | Remote record authority       | Virtual inspections possible
Risk Strategy    | General risk-based     | Signal-driven targeting       | More for-cause visits
Enforcement      | Traditional escalation | Adulteration for obstruction  | Higher legal exposure