FDA Replaced QSIT: How Risk Management Files Now Drive Device Inspections

If you've been preparing for your first QMSR inspection, you probably felt some relief when QSIT was retired. Same basic framework, just updated language, right? Not quite. The replacement isn't cosmetic. The new risk-based inspection model changes where investigators start — and that changes how you prepare.

What Actually Changed (Beyond the Acronym)

On February 2, 2026, FDA replaced QSIT with a new inspection approach described in the updated Inspection of Medical Device Manufacturers Compliance Program Manual (CP-7382.850). The shift isn't about fewer requirements or simpler audits. It's about how investigators sequence their review.

Under QSIT, inspections were organized around four primary subsystems: Management, CAPA, Design Controls, and Production/Process Controls. Structured, predictable, defensible. You knew the script.

Under the new model, FDA has expanded to six QMS areas:

• Management Oversight
• Measurement, Analysis and Improvement
• Design and Development
• Change Control
• Outsourcing and Purchasing
• Production and Service Provisions

That's not a radical restructure — it aligns with how ISO 13485 organizes QMS thinking. But the entry point is new.

Your Risk Management File Is Now the Front Door

This is the part that matters most operationally. Investigators now begin by reviewing your risk management file to identify product-specific risks. Those risks then drive everything else they look at during the inspection.

FDA's language is deliberately vague on how the risk file will be used to evaluate compliance — the Compliance Program document says risks will be "used to evaluate whether a manufacturer is meeting requirements" but doesn't spell out the method. That ambiguity isn't accidental. It gives investigators discretion to exercise "critical thinking skills" — which is exactly what FDA emphasizes in the updated guidance.

So, what does that mean for you?

• If your risk management file is thin, generic, or not device-specific, an investigator will notice — before they've looked at a single CAPA record.
• If your risk file doesn't connect identified risks to controls and verification evidence, that gap becomes an immediate line of questioning.
• If you have unresolved residual risks that haven't been formally accepted by management, that's a visible flag right at the start.

Additionally, investigators will review external data before they arrive on-site — MDRs, trade complaints, reports of corrections and removals for similar products. They come in with a pre-formed risk picture of your device. Your risk management file needs to be consistent with that external picture, or inconsistencies become findings.

Model 1 vs. Model 2 — Know Which Applies to You

The new framework introduces two inspection models. This is a practical distinction you need to understand before your next inspection.

Model 1 applies to: non-baseline surveillance, compliance follow-up, for-cause, SPRA, and PMA post-market inspections. The investigator selects at least one element from each of the six QMS areas, guided by the product risks identified in your risk management file. The scope is narrower but risk-driven.

Model 2 applies to: baseline surveillance and PMA pre-approval inspections. All applicable elements within each QMS area are covered. No risk-based filtering — everything is in scope.

This is also where a significant change appears: under QMSR, FDA now has explicit authority to inspect management review records, quality audit records (including internal audits), and supplier audit reports. These were not previously available to FDA investigators. If your internal audit reports contain candid findings you haven't fully closed, that's now visible to the investigator.

How to Prepare Your Risk Management File for This Model

The risk management file isn't new — you've been maintaining it per ISO 14971. But the inspection context has changed, and a file built for a notified body audit may not be structured optimally for an FDA investigator using it as an inspection entry point.

Consider these preparation steps:

1. Map risks to QMS controls explicitly. Your risk management file should make it traceable — from identified hazard, through risk control measure, to the specific process or design element that implements the control. Investigators need to follow that thread.
2. Ensure residual risk acceptance is documented and current. Management review should reflect updated residual risk positions. If your last management review predates significant CAPA actions or design changes, update it.
3. Reconcile your file with external signals. If you've received MDRs or complaints related to specific risks in your risk file, the risk management file should show you've evaluated those signals. An investigator who checked your MDR history before arrival will look for this.
4. Perform a gap analysis against QMSR (not just QSR). Records created under the old QSR may be reviewed for QMSR compliance. FDA has stated this explicitly. Your remediation actions from prior VAI or OAI inspections will also be evaluated against QMSR, even if those actions were taken while QSR was still in effect.
5. Run a mock audit using the new model. Internal audits structured around QSIT subsystems won't prepare your team for the new sequencing. Update your internal audit program to reflect the six QMS areas and the risk-file-first approach.

The Practical Takeaway

The shift from QSIT to the new risk-based model is not a revolution — FDA hasn't invented a new QMS philosophy. But the operational sequence has changed. The risk management file is no longer something investigators reach later in the audit. It's the lens through which everything else gets evaluated.

This means a well-maintained, device-specific, traceable risk management file is now an inspection readiness asset, not just a regulatory requirement. If your file would embarrass you if an investigator read it on the first morning of the inspection — fix it before they arrive.

For MDSAP-certified manufacturers, this change is less disruptive — the approach is consistent with how MDSAP audits already work. But FDA retains the right to inspect even MDSAP manufacturers for compliance follow-up or for-cause reasons, so the same preparation logic applies.

The new model puts device risk at the center of every inspection. Make sure your documentation reflects that.