The FDA QMSR went into effect on February 2, 2026. Most quality teams have updated procedure references, mapped 21 CFR sections to ISO 13485 clauses, and considered themselves QMSR-ready.
There is one change almost no one has internalized: the records that used to be off-limits to FDA inspectors are no longer protected.
If your last few internal audits were candid because the reports were confidential, if your management review minutes named uncomfortable truths because they would never leave the room, if your supplier audit findings sat open because no one outside Quality would ever see them, that calculus just changed. And it changed quietly, in a way most QMSR transition projects have not yet addressed.
Here is what the change actually means, and what to do about it.
What 820.180(c) Used to Protect
Under the legacy Quality System Regulation, 21 CFR 820.180(c) carved out a specific protection. It read, in part:
Reports of management reviews, and quality audits, and supplier audits performed in accordance with sections 820.20, 820.22, and 820.50, respectively, and investigation reports performed in accordance with section 820.198(e), are not subject to inspection by employees of FDA.
Three categories of records were exempt from FDA review during routine inspection:
- Management review reports
- Internal quality audit reports
- Supplier audit reports
The exemption was deliberate. FDA recognized that internal audit and management review programs only worked if quality teams could be honest about what they found. If every weakness in an audit report would eventually be quoted back at the company in a Form 483, the audits would stop finding anything. The protection was the engine that made self-assessment possible.
That protection is gone.
What QMSR Actually Changed
The FDA QMSR FAQ states it directly:
The QMSR gives the FDA the authority to inspect management review, quality audits, and supplier audit reports. The exceptions that existed in the QS regulation at section 820.180(c) are not maintained in the QMSR.
Source: FDA, Quality Management System Regulation - Frequently Asked Questions
There is no ambiguity. The carve-out is gone. FDA has explicitly stated the agency now has authority to request and review the three record categories that were previously exempt.
The agency has also made the operational case clear in the preamble to the final rule. Because manufacturers are already required to provide these records to other regulators (EU Notified Bodies, Health Canada, MDSAP auditors, ANVISA, MHLW/PMDA), they are not additionally burdened by making them available to FDA. They are records maintained in the regular course of business and should be readily available upon inspection.
Two related changes round out the picture:
- QSIT is withdrawn. Effective February 2, 2026, the Quality System Inspection Technique that has guided FDA inspections since 1999 has been retired. The new compliance program is CP 7382.850, Inspection of Medical Device Manufacturers. It replaces both 7382.845 and 7383.001.
- Pre-February 2 records remain in scope. FDA has clarified that records generated before the QMSR effective date are still subject to inspection under the new authority. The change does not exempt historical records.
If your QMSR transition project did not address these three points, your transition project is incomplete.
What This Means for Your Records
Under QMSR, FDA can now request the following during a routine surveillance inspection:
- Internal audit reports: full reports, not just summaries. Findings, nonconformities, opportunities for improvement, audit checklists, audit plans, and evidence cited by the auditor.
- Management review minutes and outputs: agenda topics, attendance, decisions made, action items assigned, and the QMS performance data that informed the review.
- Supplier audit reports: initial qualification audits and ongoing surveillance audits, including findings and the evidence underlying them.
- CAPAs that trace to any of the above: the linkage between audit findings and corrective action.
- Trend data: internal audit trend analysis, supplier performance trends, quality metrics presented at management review.
There is no longer a protected category. If the record exists in your QMS and it relates to product quality or QMS effectiveness, it can be requested.
Three Common Gaps to Address
In the first quarter of QMSR enforcement, three patterns are emerging in inspection observations and Form 483s:
Gap 1: Audit Reports Written Candidly Because They Were Confidential
Internal audit reports written under old QSR assumptions often contain language that auditors now wish were not there. Phrases like "this has been a recurring issue for three years," "training records show the operator was not qualified," or "the procedure has not been followed since 2023," written candidly because the report would not leave the company, now sit in records that FDA can request.
If those issues were closed properly, the candor is fine. If they were closed without real CAPA, the audit report itself becomes a documented record of a known and unresolved issue.
Gap 2: Management Review Minutes That Named Issues Without Action Plans
Management review minutes often record problems that were "discussed" without recording the resolution decision. Under old QSR, this was tolerable because the minutes were confidential. Under QMSR, an inspector reading those minutes will ask the obvious follow-up: what did you do about it?
If the answer is "we addressed it next quarter" without records to support that, the management review record becomes a finding.
Gap 3: Supplier Audit Findings Parked Indefinitely
Supplier audit reports frequently contain findings that were communicated to the supplier without formal closure. Under old QSR, those open items lived in a confidential file and aged quietly. Under QMSR, an open supplier audit finding from 2023, sitting in a record FDA can now access, is a current nonconformity.
What to Address to Be Compliant
This is a concrete checklist. Each item is something an experienced auditor would look at in a compliance review.
- Review your last 24 months of internal audit reports for findings without corresponding CAPA records. Every finding should have either a documented CAPA or a documented justification for not opening one.
- Review your last 24 months of management review minutes for action items still listed as open or in progress with no further entry. Close them or document why they remain open.
- Review your supplier audit history for findings without documented closure. If a finding was communicated to the supplier, ensure the supplier response and the closure decision are in your records.
- Update your internal audit SOP to remove any language asserting that audit reports are confidential or exempt from regulatory review. Those statements were defensible under old QSR. They are not under QMSR.
- Update your management review SOP to align with ISO 13485 Clause 5.6 and to reflect that records are inspectable. If your SOP references 820.20, update the reference.
- Train your internal auditors on the change. Auditors who write reports the way they wrote them in 2024 may be creating compliance gaps without realizing it. Calibrate the language without compromising the substance.
- Verify CAPA traceability. Every audit finding (internal, supplier, or management review action item) should have a clear traceable record of either closure or active CAPA. Untraced findings are the most common QMSR-era observation.
- Confirm record retention. Per 21 CFR 820.35, records must be readily available upon inspection. Internal audit, management review, and supplier audit records must be retrievable in the same way as device history records.
- Review your inspection readiness procedure. If your front-room/back-room inspection process assumes management review and audit records are not requested, that assumption is no longer correct. Update the SOP and brief the front-room team.
- Conduct a mock inspection focused on these three record categories. Ask: if FDA requested every internal audit report from the last two years right now, what would they find?
The Strategic Angle
The right way to read the QMSR change is not as a compliance burden. It is as an inflection point.
Internal audit programs that find real issues and drive real corrective action have always been an asset. Under old QSR, that asset was hidden from FDA. Under QMSR, it is visible. A strong audit program is now part of the case you make during inspection: evidence that your QMS is self-correcting and effective.
The flip side is also true. A weak audit program, one that documents the same recurring issues year after year, or one that finds nothing because no one is looking hard, is now visible too.
The QMSR change does not reward better procedures. It rewards better practice. The work to do over the next twelve months is not rewriting SOPs. It is making sure your audit, supplier oversight, and management review programs are doing the job that the records claim they are doing.
Need help working through this?
The QMSR Transition Readiness Assessment from SA Quality Solutions is built for exactly this situation. In 5 business days, we conduct a structured review of your internal audit program, management review records, and supplier oversight against QMSR requirements. You receive a gap report with prioritized findings, an updated audit checklist, a document change list, and a 60-minute debrief, for a fixed $2,500.
If you have questions about your specific situation, a 30-minute discovery call is available at no cost.
Schedule a Call →