The QSIT Is Dead: How FDA's New Risk-Based Inspection Playbook Changes Everything for Medical Device Quality Teams

For a quarter century, quality teams at medical device companies operated under a predictable inspection regime. The Quality System Inspection Technique — QSIT — was the framework FDA investigators followed when they walked through your door. It organized your quality system into four tidy subsystems: Management Controls, Design Controls, Corrective and Preventive Actions, and Production and Process Controls. You prepared for each subsystem. You kept the right binders on the right shelves. And when the investigator arrived, both sides largely knew the script.

That script has been shredded.

On January 30, 2026 — exactly three days before the Quality Management System Regulation took effect — FDA released Compliance Program 7382.850, a new inspection manual that replaces QSIT entirely. The timing alone should tell you something about how FDA views this transition: not as a gentle evolution, but as a hard reset.

And here is what most of the industry commentary is missing: the shift from QMSR to ISO 13485 alignment is important, yes. But the real operational disruption is in how FDA will inspect against those requirements. CP 7382.850 does not just update the checklist. It eliminates the checklist mentality altogether.

A New Inspection Architecture

Under QSIT, investigators worked through four defined subsystems in a relatively linear fashion. The approach was consistent, and consistency created predictability. Quality teams could prepare subsystem by subsystem and feel reasonably confident they had covered the bases.

CP 7382.850 replaces that structure with six QMS Areas and four Other Applicable FDA Requirements. The QMS Areas cover the full lifecycle of quality management: from quality planning and management responsibility through design and development, purchasing and supplier controls, production and service provision, and measurement, analysis, and improvement. The four OAFRs address FDA-specific requirements that exist outside the ISO 13485 framework, including Medical Device Reporting, Unique Device Identification, and corrections and removals.

This is not a cosmetic reorganization. The fundamental shift is from subsystem-level evaluation to cross-functional, risk-based investigation. Investigators are now authorized to use data-driven, risk-based sampling, which means they can — and will — pull records across different parts of the QMS to test the system's real-world effectiveness. They follow the risk thread wherever it leads, rather than staying within the walls of a single subsystem.

What does that look like in practice? An investigator reviewing a complaint might trace the thread from the complaint record to the risk file to the design controls to the supplier audit to the CAPA and back to the management review. Under QSIT, they might have stayed within the CAPA subsystem. Under CP 7382.850, they follow the evidence across every boundary.

The Records That Are No Longer Protected

For decades, FDA maintained a compliance policy — CPG Section 130.300 — that effectively shielded internal audit reports, supplier audit reports, and management review documentation from routine inspection. Quality teams wrote candid internal audits knowing the FDA would not see them. That protection shaped how an entire industry documented its self-assessments.

Under QMSR, those protections are functionally gone. FDA has made clear that investigators may now request and review internal audit reports, supplier audit reports, and management review records. The old CPG technically still appears on the FDA website, but the QMSR final rule preamble and the new compliance program leave no ambiguity about the agency's intent.

This is a seismic change that the industry has not fully internalized. Think about what your internal audit reports look like right now. Were they written with the assumption that an FDA investigator would be reading them? Or were they written as internal working documents — candid, sometimes incomplete, occasionally flagging issues that were acknowledged but not yet resolved?

Under the new framework, an internal audit report that identifies a significant risk and shows no corresponding CAPA, no risk file update, and no management review discussion is not just an internal documentation gap. It is a documented failure to act on known quality signals — exactly the kind of evidence that leads to 483 observations and, potentially, warning letters.

The Shift from Compliance Verification to Quality Governance

Multiple regulatory analysts have noted a fundamental shift in language between the old and new inspection frameworks. The old model was about compliance verification: Did you follow the procedure? Is the document signed? Is the record complete?

The new model demands evidence of quality governance: How did you identify this risk? What data informed your decision? How does your post-market surveillance connect to your design controls? Where is the evidence that your management team reviewed quality performance data and made resource allocation decisions based on what it showed?

This is not regulatory rhetoric. It represents a fundamentally different evidentiary standard. Under QSIT, having the right procedures and following them was largely sufficient. Under CP 7382.850, investigators are looking for evidence that your quality system is a living, adaptive mechanism that responds to real-world data in real time.

Companies that have treated their QMS as a compliance documentation exercise — procedures on shelves, records in binders, audits on schedules — will struggle under this new standard. The investigator is no longer asking whether you have a CAPA process. They are asking whether your CAPA process is actually working, whether it is connected to your risk management system, and whether the outputs are informing your quality planning.

MDSAP: Still a Strategic Asset, But Not a Free Pass

Companies participating in the Medical Device Single Audit Program have long enjoyed a significant advantage: MDSAP participation generally substitutes for routine FDA surveillance inspections. That structural benefit persists under QMSR.

However, CP 7382.850 explicitly preserves FDA's authority to conduct for-cause inspections, compliance follow-up inspections, and PMA-related inspections at MDSAP-participating sites. The new compliance program also notes that FDA will review MDSAP audit outcomes and may initiate inspections based on concerns identified in those reports.

The practical implication: MDSAP remains valuable as a strategic framework for global quality management and as a way to reduce routine inspection burden. But it is not a shield against targeted FDA scrutiny. Companies that use MDSAP as a compliance floor rather than a platform for continuous improvement may find that the audit outcomes themselves trigger the kind of FDA attention they were hoping to avoid.

The Biggest Blind Spot: ISO Certification Does Not Equal QMSR Compliance

The most dangerous assumption circulating in the industry right now is that companies already certified to ISO 13485:2016 have nothing to worry about under QMSR. This is wrong.

While QMSR incorporates ISO 13485 by reference, it also retains and adds FDA-specific requirements that do not exist in the international standard. Medical Device Reporting under 21 CFR 803, Unique Device Identification requirements, corrections and removals procedures, and specific labeling and traceability obligations for life-sustaining devices all fall outside ISO 13485. These are the four OAFRs that CP 7382.850 specifically calls out as additional inspection elements.

A company that ran a gap analysis solely against ISO 13485:2016 and declared itself QMSR-ready has a gap analysis that is itself incomplete. The FDA-specific overlay is where enforcement exposure lives for companies that assumed international harmonization meant identical requirements.

Building Continuous Readiness: The Audit Intelligence Imperative

If FDA investigators are now using data-driven, risk-based approaches to decide where to focus an inspection, the question quality leaders should be asking is: why are we not doing the same thing?

The traditional approach to inspection readiness is fundamentally reactive. A scheduled inspection is announced. A war room is established. Cross-functional teams pull records, review documentation, and conduct mock audits. The readiness sprint might last weeks. Then the investigator leaves, the binders go back on the shelf, and the cycle resets.

In a risk-based inspection world, this approach is insufficient. Investigators can now trace quality signals across the entire QMS — from complaint trends to CAPA effectiveness to supplier performance to management review decisions. If those connections do not exist in your data, they will not exist during the inspection.

Audit intelligence represents the operational shift from periodic readiness sprints to continuous quality governance. It means aggregating complaint data, CAPA trends, audit findings, supplier performance metrics, and inspection history into a unified view that surfaces risk signals in real time. It means knowing which areas of your QMS are most exposed before an investigator walks in the door. It means treating every internal audit, every management review, and every supplier assessment as an input to a living risk profile that stays current, connected, and defensible.

The companies that will thrive under the new inspection framework are not the ones with the best binders. They are the ones with the best signal detection — the ability to see what an investigator would see, before the investigator arrives.

What Quality Leaders Should Do This Quarter

First, obtain and study CP 7382.850 in detail. Understand the six QMS Areas and four OAFRs. Map your current quality system against this new framework, not just against ISO 13485.

Second, audit your internal audit reports, supplier audit documentation, and management review records with the assumption that an FDA investigator will read them next month. If what you find makes you uncomfortable, you have found your highest-priority gap.

Third, evaluate whether your quality data is connected across functional silos. Can you trace a complaint signal through your risk file, into your CAPA system, through your supplier controls, and into your management review? If you cannot, an investigator will notice.

Fourth, assess whether your current QMS tools are built for risk-based governance or checkbox compliance. The difference will define your inspection outcomes for the next decade.

The QSIT era rewarded preparation. The CP 7382.850 era rewards intelligence. The companies that understand the difference will lead the industry forward.