On April 1, 2026, FDA's Center for Devices and Radiological Health hosted its second public Town Hall on the Quality Management System Regulation. The session, titled "Town Hall: FDA's Quality Management System Regulation (QMSR): Medical Device Risk-Based Inspections," was the first structured post-implementation Q&A focused specifically on the new inspection framework since QMSR took effect on February 2, 2026.
The timing matters. Two months of real enforcement data now exist. Warning letters with unprecedented transitional language have been issued. And the inspection model that replaced QSIT, Compliance Program 7382.850 (released January 30, 2026, effective February 2, 2026), is no longer theoretical. It is generating Form 483 observations that cite ISO 13485:2016 clauses by number.
This analysis combines three sources: enforcement data exported directly from FDA's publicly available Form 483 observation database and Inspection Classification Database, warning letter data pulled from FDA's public Warning Letter index, and the intelligence shared at both the January 14 and April 1, 2026 Town Halls. Every statistic cited below traces to a primary source identified in the data notes at the end.
What Changed on February 2, 2026
The QMSR final rule withdrew the majority of 21 CFR Part 820 and incorporated ISO 13485:2016 by reference. Simultaneously, FDA retired the Quality System Inspection Technique (QSIT), the four-subsystem inspection model that had governed device inspections since 1999, and replaced it with CP 7382.850.
CP 7382.850 reorganizes the inspection framework around six QMS Areas and four Other Applicable FDA Requirements (OAFRs):
Six QMS Areas: Management Oversight; Production and Service Provision; Design and Development; Change Control; Outsourcing and Purchasing; Measurement, Analysis, and Improvement.
Four OAFRs: Medical Device Reporting (21 CFR Part 803); Reports of Corrections and Removals (21 CFR Part 806); Medical Device Tracking (21 CFR Part 821); Unique Device Identification/GUDID (21 CFR Part 830).
The structural change is significant. QSIT's four subsystems (Management, Design Controls, CAPA, Production & Process Controls) are gone. In their place: six areas aligned directly to ISO 13485 clause structure, with Attachment A of CP 7382.850 mapping each element to its ISO clause reference.
The Enforcement Data: What FDA's Own Database Shows
The 483 observation data analyzed here was exported directly from FDA's Inspectional Observation database, filtered for medical device program inspections ending on or after February 2, 2026. This represents the most current publicly available FDA enforcement data as of the date of this analysis. The published dataset covers inspection end dates from February 4 through March 13, 2026. Due to standard publication lag (FDA posts observations as inspections are processed, not in real time), the dataset does not yet capture the full period since QMSR took effect. Actual observation counts are almost certainly higher than what the current export reflects.
Within this dataset: FDA completed 93 medical device inspections under the new QMSR framework. Of those, 52 inspections resulted in a total of 132 Form 483 observations, averaging 2.5 observations per inspection.
The citation pattern shift is decisive.
89.4% of all post-QMSR 483 observations (118 of 132) cite ISO 13485:2016 clauses directly. The remaining 10.6% (14 observations) cite only 21 CFR sections, but every one of those falls into OAFR categories: UDI labeling (21 CFR 801/830) and Medical Device Reporting (21 CFR 803), not core QMS requirements. Zero observations use dual ISO/CFR citations. A single observation (0.8%) cites 21 CFR 820.35(a), which is a retained QMSR records provision rather than an ISO 13485 clause; this appeared in an inspection straddling the February 2 transition date.
The transition to ISO 13485 citation language is not gradual. It is essentially complete.
[Figure: Post-QMSR 483 Citations by Type]
[Figure: Inspection Classifications (n=52 with 483s)]
Most-Cited ISO 13485 Clauses
Thirty-six unique ISO 13485:2016 clauses appeared across 118 observations. The top 10:
| Rank | Clause | Subject | Obs. | % of Total |
|---|---|---|---|---|
| 1 | 7.1 | Planning of product realization (incl. risk management) | 18 | 13.6% |
| 2 | 7.4.1 | Purchasing process | 10 | 7.6% |
| 3 | 8.2.2 | Complaint handling | 10 | 7.6% |
| 4 | 7.5.6 | Process validation | 8 | 6.1% |
| 5 | 8.5.2 | Corrective action | 7 | 5.3% |
| 6 | 4.1.2 | Risk-based approach to QMS processes | 7 | 5.3% |
| 7 | 8.3.1 | Nonconforming product control | 5 | 3.8% |
| 8 | 7.4.3 | Verification of purchased product | 5 | 3.8% |
| 9 | 7.5.1 | Control of production and service provision | 5 | 3.8% |
| 10 | 7.3.9 | Design and development changes | 4 | 3.0% |
If you have been tracking FDA enforcement trends over the past decade, several of these are familiar inspection targets under new names: complaint handling, CAPA, process validation, supplier controls. These have always attracted inspector attention. The difference now is how they are cited and what anchors the inspection scope.
[Figure: Top 10 ISO 13485:2016 Clauses Cited in Post-QMSR 483 Observations]
Risk Management Dominates
The headline finding: 29 of 132 observations (22.0%) are directly tied to risk management, spanning Clause 7.1 (product realization risk management, 18 citations), Clause 4.1.2 (risk-based approach to QMS processes, 7 citations), and Clause 8.2.1 (feedback as input to risk management, 3 citations). Half of all inspected establishments (26 of 52, or 50.0%) received at least one risk-management-related observation.
This is a structural shift, not an incremental one. Under the legacy QSR, risk management observations were typically captured indirectly through design validation (820.30(g)) or CAPA findings. Clause 4.1.2, requiring a risk-based approach to the control of QMS processes themselves, had no direct equivalent under the old regulation. It is now the sixth most-cited clause in the entire post-QMSR dataset.
No directly comparable FY2025 baseline exists for risk management citation rates because the old QSR and QMSR use structurally different regulatory frameworks. The commonly cited "57% risk management" figure tracked by industry observers on LinkedIn reflects a narrower sample with different methodology. The 22.0% figure reported here uses the full 132-observation dataset with conservative classification criteria.
QMS Area Distribution
When observations are mapped to CP 7382.850's QMS Areas per Attachment A:
| QMS Area | Obs. | % of Total |
|---|---|---|
| Management Oversight | 39 | 29.5% |
| Measurement, Analysis, and Improvement | 32 | 24.2% |
| Outsourcing and Purchasing | 20 | 15.2% |
| Production and Service Provision | 17 | 12.9% |
| Design and Development | 10 | 7.6% |
| OAFR: UDI | 9 | 6.8% |
| OAFR: MDR | 4 | 3.0% |
| Retained 21 CFR 820 | 1 | 0.8% |
Management Oversight leads at 29.5%, driven primarily by Clauses 7.1 and 4.1.2. This area includes the risk management requirements that had no direct equivalent under legacy 820, making it the leading indicator of where QMSR is creating genuinely new inspection exposure.
[Figure: Post-QMSR 483 Observations by QMS Area (per CP 7382.850 Attachment A)]
Inspection Classifications
Of the 52 inspections that resulted in 483 observations, the classification data tells a clear story: 51 (98.1%) were classified VAI (Voluntary Action Indicated) and only 1 (1.9%) was classified NAI (No Action Indicated). Zero were classified OAI (Official Action Indicated). Across all 93 post-QMSR device inspections, 41 (44.1%) closed with no 483 observations at all.
A note on methodology: FDA's Inspection Classification Database classifies each project area within an inspection separately. Thirty-three of these 52 inspections had mixed classifications across project areas (for example, VAI for the Compliance: Devices project area and NAI for Postmarket Assurance: Devices within the same inspection). Standard practice is to report the most severe classification per inspection, which is VAI for nearly all inspections with observations.
The near-universal VAI rate among inspections with 483 observations indicates that FDA investigators are treating post-QMSR findings as substantive enough to warrant voluntary corrective action, not dismissing them as minor. The absence of OAI classifications in the published data should not be read as leniency; early enforcement periods typically reflect the types of firms inspected and the time required for observations to escalate through compliance review.
The Warning Letters: A New Remediation Mandate
Two CDRH warning letters issued after February 2, 2026, to IsoTis OrthoBiologics, Inc. (February 24) and Longhorn Vaccines and Diagnostics LLC (February 26), contain identical standardized language that establishes a significant precedent. Both letters acknowledge that their underlying inspections occurred in late 2025 under the old QSR. Both then state that any corrective actions must be pursuant to QMSR requirements in effect as of February 2, 2026.
This is not ambiguous. A manufacturer with an open 483 observation or warning letter from a pre-QMSR inspection must now remediate to QMSR/ISO 13485 standards, not the legacy QSR. The paragraph appears to be a standardized template, with only the inspection dates varying between letters.
None of the seven CDRH warning letters issued before February 2, 2026 contain any QMSR transitional language.
Notably, no warning letters in this period cite ISO 13485 clauses directly. That is expected: all post-QMSR warning letters to date stem from inspections conducted before the QMSR effective date. Based on historical enforcement timelines (typically 6 to 18 months from inspection to warning letter issuance), the first warning letters citing ISO 13485 clauses will begin appearing around Q3 2026.
What the Town Hall Revealed
The April 1 Town Hall, presented by Karen (FDA/CDRH), Keisha Thomas (CDRH/OPEQ), Tanya Wilbon (DICE), and Captain Kimberly Lewandowski-Walker (ORP), covered the operational details of how CP 7382.850 works in practice. Several clarifications carry significant compliance implications:
Previously exempt records are now reviewable. The QMSR FAQ had already confirmed this, but the Town Hall emphasized that records previously shielded under 820.180(c), including management review minutes, internal quality audit reports, and supplier audit reports, may be reviewed depending on inspection focus and risk. The enforcement data confirms this is not theoretical: five observations in the published dataset cite deficiencies in management review and internal audit records, confirming investigators are actively exercising this expanded access.
No statistical sampling. Investigators do not use statistical sampling to select records for review. Record selection is risk-driven, based on investigator expertise and identified product risks. Scope expands as issues arise.
Risk management is not a documentation exercise. The Town Hall repeatedly emphasized that risk management must be the organizing logic of the QMS, not a discrete document activity. Investigators prioritize risk files, hazard-harm analyses, implemented controls, and evidence of effectiveness across the product lifecycle. The January 14 Town Hall set this theme; the April 1 session reinforced it with inspection process specifics.
Different risk methodologies are acceptable. Manufacturers may tailor their risk approach across different QMS processes, provided the methodology is appropriate to the process and product risk and is documented. Clause 4.1.2(b) requires a risk-based approach to the control of QMS processes, distinct from the product risk management required under Clause 7.1.
Training effectiveness is proportionate to risk. FDA expects evidence that training is effective, not just completed. Higher-risk activities require more robust validation of training effectiveness (supervisor evaluation, skills assessments rather than attendance records alone).
Legacy records do not need to be rewritten. Records created before February 2, 2026 need not be revised to use ISO 13485 terminology. However, manufacturers should be prepared to demonstrate how pre-QMSR records satisfy QMSR requirements. A gap analysis comparing existing documentation to QMSR requirements is the recommended approach.
No supplemental guidance document is planned. The Compliance Program is the operative document. FDA confirmed no additional guidance will supplement CP 7382.850.
The Two Inspection Models
Model 1 (Risk-Targeted) applies to non-baseline surveillance, compliance follow-up, for-cause, Specific Product Risk Assignment (SPRA), and PMA post-market inspections. Investigators select a minimum of one element per QMS Area based on identified product risks, evaluate all four OAFRs, and expand scope as warranted. The manufacturer's risk management file drives scope selection: investigators follow the risk thread from identification through controls to effectiveness evidence.
Model 2 (Comprehensive) applies to baseline surveillance (firms with no prior FDA inspection or MDSAP audit history) and PMA pre-approval inspections. It prescribes minimum coverage: 22 elements for non-sterile devices, 23 for sterile, plus all four OAFRs. For PMA pre-approval inspections of not-yet-marketed devices, OAFRs are excluded.
Both models require review of registration/listing status, marketing authorizations, and prior 483/compliance history. Both create a feedback loop: deficiencies in one area can trigger expanded scope into related areas. No empirical data on the distribution of Model 1 versus Model 2 inspections has been published.
What Manufacturers Should Do Now
The enforcement data is early but directionally clear. Here are five preparation priorities grounded in what inspections are actually targeting:
1. Audit your risk management file for inspection readiness. Clause 7.1 is the single most-cited clause in the post-QMSR dataset. Investigators are reviewing risk management documentation at the outset of inspections to drive scope selection. If your risk management file is thin, outdated, or disconnected from production and post-market activities, it will be found, and it will expand the inspection scope. Ensure risk management records cover the full product lifecycle and that risk controls are traceable to design outputs, process validations, and post-market surveillance data.
2. Conduct a gap analysis against ISO 13485:2016 clause requirements. With 89.4% of 483 observations now citing ISO 13485 clauses directly, your internal audit program needs to evaluate against the same clause structure that investigators are using. If your internal audits are still organized around old 820 subparts, they are out of alignment with how FDA is inspecting. Map your QMS to the six QMS Areas in CP 7382.850 Attachment A and assess each element.
3. Restructure management review and internal audit records for inspector visibility. Five 483 observations in the published dataset cite management review and internal audit deficiencies, record types that were shielded from FDA review until February 2. If your management review minutes are superficial summaries without trend data, resource allocation decisions, and documented corrective actions, they are now a liability. Internal audit reports that identify systemic issues without demonstrable follow-through carry the same risk.
4. Prepare a legacy record strategy. The Town Hall confirmed that pre-QMSR records need not be rewritten, but manufacturers must be able to demonstrate how existing documentation satisfies QMSR requirements. The warning letter remediation mandate adds urgency: if you have open 483 observations or corrective actions from pre-QMSR inspections, your remediation responses must now meet QMSR/ISO 13485 standards. A documented gap analysis showing the comparison between your existing records and QMSR requirements is the recommended approach.
5. Align supplier qualification and purchasing controls. Outsourcing and Purchasing accounted for 15.2% of all post-QMSR observations, with Clauses 7.4.1 (purchasing process) and 7.4.3 (verification of purchased product) ranking second and eighth overall. The elimination of the 820.180(c) exemption means FDA can now review supplier audit reports directly. Ensure your supplier qualification records, vendor assessments, and purchased product verification documentation can withstand inspector review.
Looking Ahead
The first warning letters citing ISO 13485 clauses directly will begin appearing around Q3 2026 based on historical enforcement timelines, as inspections conducted under the new framework work through the enforcement pipeline. The April 1 Town Hall presentation materials, including slides and transcript, will be posted on the FDA website and CDRH Learn portal.
Two things are already clear from the early data. First, the transition to ISO 13485 citation language is not gradual; it is functionally complete. Second, risk management is not one of many inspection focus areas; it is the organizing principle of the inspection itself. Companies that treated risk management as a design control exercise under the old QSR are the ones generating 483 observations under the new one.
The enforcement data will grow. The patterns identified here will either stabilize or shift. What will not change is the structural reality: FDA inspectors are now evaluating device manufacturers against ISO 13485:2016 clause requirements, organized through CP 7382.850's QMS Area framework, with the risk management file as the starting point for every inspection.
Data Sources and Attribution
All statistics in this analysis trace to the following primary and verified sources:
Form 483 observation data: Exported directly from FDA's publicly available Inspectional Observation database (fda.gov), filtered for medical device program inspections ending on or after February 2, 2026. This represents the most current publicly available FDA enforcement data at the time of this analysis. The published dataset covers inspection end dates from February 4 through March 13, 2026 (132 observations across 52 unique establishments). Due to standard publication lag in FDA's database, the dataset does not capture the full period since the QMSR effective date. Actual observation counts are likely higher than reported here.
Inspection classification data: Exported from FDA's Inspection Classification Database. 93 total post-QMSR device inspections with final classifications posted as of the export date. Matched to the 483 dataset for the 52 inspections with observations.
Warning letter data: Pulled from FDA's publicly available Warning Letter database, covering January through March 2026. Nine CDRH warning letters identified; two post-QMSR CGMP/QSR letters containing the QMSR remediation mandate (IsoTis OrthoBiologics, Longhorn Vaccines).
Town Hall intelligence: FDA Town Hall held April 1, 2026. Presenters included representatives from CDRH, OPEQ, DICE, and ORP. Prior Town Hall (January 14, 2026) transcript available on the FDA website.
Regulatory references: CP 7382.850, "Inspection of Medical Device Manufacturers" (released January 30, 2026, effective February 2, 2026); QMSR FAQ (FDA, updated February 2, 2026); ISO 13485:2016, incorporated by reference into 21 CFR Part 820.
The "33 citations across 13 inspections" statistic referenced in some earlier industry commentary could not be verified against any primary FDA dataset and is not used in this analysis.