FDA's Risk-Based Inspection Model: How Your Facility Gets Selected — And How to Stay Ready

FDA’s Office of Regulatory Affairs (ORA) fields roughly 1,700 investigators tasked with covering more than 190,000 FDA-regulated domestic facilities. The coverage problem is obvious: there is no world in which every facility gets a thorough inspection every year. The agency’s answer — the Site Selection Model (SSM) — is a risk-scoring framework that determines which facilities get inspected, how soon, and how often. If you manage compliance for a regulated site and don’t have a clear picture of your own risk profile under this model, you have a meaningful blind spot.

How FDA’s Site Selection Model Actually Prioritizes Facilities

The SSM assigns each domestic facility a risk tier based on a combination of weighted factors. FDA has outlined the model’s general logic through budget justification documents, Congressional testimony, and its Compliance Program Guidance Manuals (CPGMs) — the same CPGMs that investigators carry into inspections. The model isn’t a black box, even if the exact weighting of each variable remains internal to ORA.

At a high level, the SSM considers: time elapsed since the last inspection, prior inspection outcomes, product category risk, compliance history (including warning letters and consent decrees), and post-market surveillance signals. The output is a tier assignment — high, medium, or low risk — that drives how aggressively a facility gets scheduled for routine surveillance.

High-risk facilities, including those manufacturing sterile injectables, Class III devices, blood and tissue products, or any site with a warning letter in the past 36 months, are targeted for inspection every 1–2 years. Medium-risk sites typically land in a 2–4 year cycle. Low-risk facilities, with clean recent histories and lower-risk product categories, may go 5 years or longer between routine surveillance visits.

One thing that’s easy to misread: a successful inspection doesn’t lock in a long inspection-free window indefinitely. Post-market surveillance data — adverse event reports, MedWatch filings, consumer complaints — feeds into the model continuously. A cluster of Medical Device Reports (MDRs) tied to a specific device family can elevate a facility’s priority regardless of when it was last inspected. The model is dynamic, not a snapshot.

Five Risk Factors That Can Move Your Facility Up the Priority List

Most of the factors in the SSM are knowable in advance. Here’s what actually deserves your attention.

Prior inspection outcomes. FDA’s FACTS (Field Accomplishments and Compliance Tracking System) database holds every Form 483 observation going back years. Repeat observations — the same deficiency cited across two or more consecutive inspections — are among the most powerful signals of a systemic quality failure. They tell FDA’s risk model that the first observation didn’t produce a genuine correction. One repeat finding does more damage to your risk profile than three novel ones.

Time since last inspection. Facilities that haven’t been inspected in more than five years are automatically elevated in the SSM, regardless of how clean their history looks. The counterintuitive implication: a consistently compliant site that’s been deprioritized for years can suddenly find itself near the top of the queue simply due to elapsed time. A long quiet stretch isn’t evidence you’re off the radar. It may be the opposite.

Warning letters and consent decrees. A warning letter received within the past 36 months places a facility into a high-priority tier for follow-up inspection. Consent decrees impose mandatory inspection schedules that override the SSM entirely. These are the most visible escalations — but they come after a sequence of earlier signals that a well-run quality system would have caught first.

Post-market surveillance flags. For device manufacturers, MDR submissions that cluster by lot number or device family can trigger a directed inspection under CPMG 7382.845. For drug manufacturers, fielded complaints suggesting a manufacturing root cause will prompt ORA to pull batch records and process controls. These signals move faster through FDA’s systems than most compliance teams expect.

Product category. Sterile drugs, Class III devices, blood components, and certain biologics sit in FDA’s highest-risk product tiers. If your products fall here, a 12–24 month inspection cycle is a planning assumption, not a worst case. No amount of clean inspection history gets a sterile injectable manufacturer onto a five-year surveillance schedule.

Building an Inspection-Ready Quality System: A Step-by-Step Approach

Inspection readiness isn’t a sprint that starts when you get a call from a district office. It’s an operating condition. The facilities that consistently navigate FDA inspections with few or no observations share a common trait: their quality systems generate real-time compliance evidence rather than after-the-fact documentation assembled under pressure.

Step 1: Score your own SSM risk profile. Pull your last inspection date and outcome. List any 483 observations and check whether corrective actions were fully implemented and verified as effective. Review your adverse event volume over the past 24 months. Map your product category against FDA’s risk tier framework. If you can’t answer these questions quickly and honestly, that’s your first gap.

Step 2: Map your quality system against applicable regulations. For drug manufacturers, that’s 21 CFR Parts 210 and 211. For device manufacturers, 21 CFR Part 820 — which FDA has been formally harmonizing with ISO 13485:2016. For food facilities subject to FSMA, 21 CFR Part 117. The exercise isn’t to confirm SOPs exist. It’s to confirm that each regulatory requirement has a named procedure, an owner, training records, and execution evidence. One-to-one traceability, from regulation to record.

Step 3: Stress-test your CAPA system. CAPA deficiencies under 21 CFR 820.100 are the single most frequently cited observation in FDA device inspections year over year. For drug manufacturers, related citations under 21 CFR 211.192 are consistently in the top five. When investigators pull your CAPA log, they’re evaluating whether root causes are actually identified (not just symptoms), whether actions are time-bound and completed, and whether effectiveness checks were actually executed. A log full of months-overdue items tells a story you don’t want written into a 483.

Step 4: Audit training records before an investigator does. Untrained personnel performing regulated activities is one of the most common and most preventable 483 categories. Every SOP revision should trigger documented retraining for affected personnel. Every new hire should have training completion on file before touching a regulated process. This isn’t a sophisticated systems problem — it requires consistent administrative discipline, not sophisticated technology.

Step 5: Run a mock inspection with genuine external challenge. Internal audits are valuable but tend to be too familiar with the environment to catch everything. A pre-inspection readiness assessment conducted by qualified regulatory compliance consulting professionals — using the actual CPGMs and Compliance Inspection Guides that FDA investigators use — reliably surfaces gaps that internal programs miss. The point isn’t to rehearse answers to investigator questions. It’s to find the real findings before the investigator does, when you can still fix them.

Step 6: Organize your document retrieval process. When an investigator arrives, they’ll ask for specific records within the first hour — master batch records, validation summaries, change control files, supplier qualification packages, complaint logs. How quickly and cleanly your team produces those records signals something about your quality culture. Disorganized retrieval, even for complete and accurate records, creates an impression of a disorganized system. That impression follows the inspection.

What Experienced FDA Investigators Are Actually Looking For

The CPGMs describe what investigators should cover. But the experienced ones follow a different thread underneath the checklist: does this quality system actually run the facility, or does it sit on a shelf?

The tells are surprisingly consistent. Deviation reports authored by people who clearly understand the process, versus templated paragraphs that could apply to any event. Management review records that contain real trend data and genuine decisions, versus meeting minutes that could have been written before the meeting. Change controls that led process changes, versus ones that documented changes after the fact. These distinctions don’t live in any regulation — they live in daily practice, and they’re visible to anyone who’s spent time auditing regulated facilities.

For drug manufacturers, FDA’s published ORA performance data consistently shows that laboratory controls, process validation, and CAPA systems generate the majority of Form 483 observations. Device manufacturers see CAPA, design controls, and corrective action verification as the perennial top citations. The pattern isn’t random. These are the quality system elements where the gap between what a procedure says and what actually happens is most visible — and most damaging.

The practical implication: no amount of last-minute document organization changes what a quality system fundamentally is. What it is becomes apparent within the first few hours of an inspection. And it was built — or not built — over the months and years before the investigator arrived.

When an FDA investigator appears at your facility, the first 15 minutes set the tone for everything that follows. Whether that tone is collaborative or adversarial depends almost entirely on the quality system they find when they start asking questions. Run an honest SSM risk assessment now, close the gaps your last internal audit deferred, and treat your next inspection as a scheduled event on the calendar — because for most regulated facilities operating in high-risk product categories, it already is.

Written by Sam Sammane, Founder & CEO, Aurora TIC. Learn more about our team

Talk to our compliance consultants Contact us

Related from our network

• Pharmaceutical and supplement testing for FDA compliance — ISO 17025-accredited analytical testing for drug and supplement manufacturers navigating FDA oversight
• GMP-aligned laboratory testing for regulated manufacturers — Canadian regulatory testing services for facilities maintaining compliance across North American markets