FDA's QSIT Framework: What Inspectors Actually Evaluate in Your Quality System
FDA's QSIT framework governs how inspectors evaluate your quality system. Learn what changed under the 2026 QMSR transition and how to prepare.
FDA published the Quality System Inspection Technique guide in 1999. Twenty-seven years later, it remains the primary operational playbook every CDRH investigator carries into your facility. Yet the majority of device manufacturers I’ve worked with still prepare for inspections by pulling their SOP binders and hoping for the best — rather than mapping their quality system against the four QSIT subsystems the investigator will methodically walk through.
That gap between how companies prepare and how FDA actually inspects is exactly where 483 observations get generated.
How QSIT Works — And Why It’s Not a Checklist
QSIT is a subsystem-based inspection methodology. FDA developed it at CDRH in 1999 and revised the guide in 2003 (still publicly available on FDA.gov and still operationally current). The design is deliberately process-oriented: instead of auditing documents top-to-bottom, the investigator selects a quality subsystem, follows the process thread — inputs, outputs, records, and linkages — and looks for systemic failure patterns rather than isolated clerical errors.
There are four primary QSIT subsystems:
- Management Controls — management review, quality policy, resource allocation, complaint trending, and the organizational authority structure for quality
- Design Controls — design input, verification, validation, transfer, and the completeness of the Design History File (DHF)
- Corrective and Preventive Action (CAPA) — the feedback loop fed by complaints, nonconformances, internal audit findings, and trending data
- Production and Process Controls (P&PC) — process validation, Device Master Record (DMR), and inspection and test activities
In a Level 2 inspection — the most common type for routine surveillance — FDA mandates coverage of Management Controls and CAPA. Full stop, every time. The investigator then selects 2 of the remaining subsystems based on prior inspection history, complaint signals from MAUDE, and the facility’s product risk profile. A Level 1 inspection covers all four subsystems.
That Level 2 structure is something many regulatory compliance consultants overlook when coaching manufacturers. The investigator isn’t wandering randomly. They’ve done pre-inspection research, they’ve reviewed prior 483 data for your site, and they arrive with a subsystem list already in mind. Treating an FDA inspection like a surprise visit is a preparation strategy that consistently produces 483s.
The 2026 QMSR Transition — What Changed for QSIT Inspections
On February 2, 2026, FDA’s Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation that had been codified at 21 CFR Part 820 since 1996 — a 30-year run. The QMSR aligns FDA’s device quality expectations directly with ISO 13485:2016, meaning investigators can now cite ISO 13485 clause requirements directly in their observations rather than translating between FDA and ISO language.
This matters for QSIT in several concrete ways.
Risk management is now explicitly embedded throughout. ISO 14971:2019 (medical device risk management) is cross-referenced across ISO 13485, and the QMSR inherits this relationship. Where the old Part 820 had relatively sparse risk management language, the QMSR effectively requires a risk-based approach to the entire quality management system — not just device design. Expect investigators to probe whether your risk management process feeds back into CAPA prioritization, Management Controls decision-making, and P&PC process validation rationale.
The Management Controls subsystem gets deeper scrutiny. ISO 13485 clause 5 (management responsibility) and clause 9 (performance evaluation) go further than the old §820.20 on management review. An investigator operating with ISO 13485 language will probe for measurable quality objectives, trend analysis tied to quality system inputs, and documented evidence that top management responds substantively to quality data — not just holds a quarterly meeting that rubber-stamps the previous quarter’s metrics.
The ISO 13485 alignment doesn’t mean automatic compliance. Companies that had an active ISO 13485:2016 certification under an accredited registrar before February 2026 will find the QMSR transition smoother than manufacturers who built their QMS exclusively against old Part 820 language. But FDA has been explicit that it will not simply defer to third-party ISO certification as evidence of QMSR compliance. The QMSR is FDA’s regulation. QSIT inspections are FDA’s process. Those are two separate things from your ISO audit.
Where QSIT Inspections Go Wrong — The Three Patterns That Repeat
After conducting dozens of mock QSIT audits across device manufacturers, contract sterilizers, distributors, and CROs, the failure patterns concentrate in predictable places.
CAPA effectiveness verification. FDA doesn’t want to see a CAPA log — they want evidence the system is actually working. Under QSIT, the investigator will pull 3 to 5 open and closed CAPAs and trace them end-to-end: Was the root cause analysis documented? Was effectiveness verification actually performed after the corrective action was implemented? In my experience across these assessments, roughly 60% of manufacturers can demonstrate a root cause analysis but cannot show a documented effectiveness check with a completion date. That gap consistently generates 483 observations citing CAPA requirements under the QMSR (the successor to old §820.100). It’s the most predictable finding in device inspections — and one of the most avoidable.
Management review data traceability. Investigators will ask to see the last 2 management review records and trace the data inputs: complaint trends, CAPA status aging, internal audit results, supplier performance metrics. The common failure isn’t that management reviews don’t happen — it’s that review records contain summaries without traceable source data. If your management review minutes state “CAPA system performing satisfactorily” without an attached metric or a reference to the underlying CAPA aging report, that’s a finding. The investigator needs to see the data chain, not the conclusion.
Design History File completeness in post-market inspections. For manufacturers operating in a post-market phase, FDA investigators still pull DHFs — particularly when a complaint trend or MDR signal suggests a potential design origin. Incomplete DHFs (missing design verification protocols, approval dates that don’t align with timeline records, or absent design transfer documentation) are among the most common Level 2 findings. Under the QMSR, design control requirements align with ISO 13485 clause 7.3, which is more prescriptive in several respects than the old §820.30. If your DHF was built to the 1996 standard and hasn’t been reviewed since, there are likely gaps that a clause 7.3 lens will expose.
Running a QSIT Self-Assessment Before Your Next Inspection
A structured QSIT self-assessment doesn’t require an elaborate framework. Here’s the practical approach I walk through with clients who engage regulatory compliance consulting services for inspection readiness.
Start with Management Controls. Pull your last 3 management review records. For each one, trace the data inputs back to their source: can you locate the complaint trending report, the CAPA aging report, the internal audit schedule, and the supplier scorecard that fed that review? If any input is missing or paraphrased rather than cited by reference, close that gap before an investigator finds it.
Then move to CAPA. Select 10 closed CAPAs from the past 18 months — choose a random cross-section, not your cleanest records. For each one, verify: (1) there’s a documented root cause analysis, not just a problem description; (2) the corrective action is linked to the specific root cause, not a symptomatic workaround; (3) effectiveness verification is documented with a completed date; and (4) the CAPA was escalated to management review if it was systemic in nature. A pass rate below 80% on these four criteria is a structural signal worth addressing before any surveillance inspection.
For Design Controls, confirm that for every commercial device, you can locate the DHF index, the design input document, at least one verification protocol with results, validation protocols with results, and design transfer records. That’s a five-document minimum. Investigators regularly find at least one absent or undated.
For P&PC: review your validated process list and confirm each process validation has a current revalidation status. Processes that have never been revalidated after a documented change can trigger observations even when the original validation record is solid.
If your quality management system is electronic — LIMS, eQMS, or a document control platform — this kind of self-assessment increasingly benefits from AI-assisted gap analysis. Running a QSIT subsystem check manually across hundreds of records takes several days of staff time. With decision-grade AI querying your quality records directly and mapping them against QSIT subsystem criteria, that same analysis surfaces in hours and produces a prioritized gap report rather than a raw document dump. It’s one of the more concrete areas where AI earns its place in a GxP quality operation.
Fix This One Thing Before the Next Inspection Cycle
If I had to identify the single highest-leverage gap to close ahead of a QSIT inspection, it’s your CAPA effectiveness verification rate — specifically, the percentage of closed CAPAs that have documented effectiveness verification with a completion date. Not the root cause methodology format, not the closure cycle times, not the form design.
Get that rate above 95% and make sure the verification records are traceable from the CAPA record itself. Everything else in your quality system preparation is secondary to this. The CAPA subsystem is always covered in Level 2 inspections, effectiveness verification is the most common failure point within it, and it’s entirely within your control to fix before the investigator walks in the door.
Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group.