We Attended FDA’s QMSR Town Hall — Here’s What Device Firms Need to Know
We attended FDA’s QMSR town hall to hear directly how risk and design controls will be evaluated.
This is a follow-up to the QMSR compliance guide we published yesterday. The FDA’s CDRH hosted a public town hall focused on two areas that continue to generate the most questions as the Quality Management System Regulation (QMSR) effective date approaches: risk management and design and development.
The discussion was surprisingly practical compared to some of the other recent QMSR webinars.
FDA officials were not introducing new interpretations or policy shifts. Instead, they used the session to clarify how FDA expects manufacturers to actually apply ISO 13485 concepts under QMSR — and how those expectations will show up during inspections after February 2, 2026.
For companies still translating QMSR into day-to-day quality system decisions, several messages came through clearly.
We attended. Here’s what device firms need to know.
The QMSR is not about adding risk documents — it’s about using risk to actually run your QMS
One of the strongest themes in the town hall was the FDA’s insistence that risk management is not a discrete activity. Under the QMSR, risk is meant to function as the organizing logic of the quality system.
The FDA panelists repeatedly emphasized that risk management:
Identifies and prioritizes what matters most for device safety and effectiveness.
Scales the level of control applied to processes, suppliers, software, and investigations.
Provides the framework for quality system decision-making across the device lifecycle.
This matters because the FDA is not looking for a single “risk file” or a perfect risk matrix. Instead, inspectors will evaluate whether risk actually drives decision-making — and whether those decisions are documented clearly.
A few action items here and in the other sections below:
Identify where “risk-based” language appears in your QMS procedures and verify that your actual decisions vary based on risk (and that you can demonstrate this).
Make sure your risk rationales are documented for complaint triage and investigation depth, supplier qualification and monitoring, software validation scope, and process controls and verification activities.
Train your functional leaders (QA, RA, Engineering, Operations) on how risk should influence decisions, not just documentation. Would you feel comfortable having them asked about risk by investigators? If not, there’s work to do.
The FDA’s risk definitions are ISO-based, and they apply everywhere!
The FDA confirmed that QMSR adopts ISO 13485’s definition of risk: the combination of the probability of occurrence of harm and the severity of that harm.
This definition applies broadly — not just in design and development, but across purchasing, production, complaint handling, postmarket surveillance, and improvement activities.
Importantly, FDA reiterated that while ISO 14971 is referenced within ISO 13485, QMSR does not require conformity to ISO 14971. Manufacturers may use any risk management process that is appropriate for their devices and operations, as long as it is systematic, documented, and defensible.
At the same time, the FDA made clear that flexibility does not mean informality. A firm that cannot explain how it identifies, evaluates, controls, and monitors risk — or how that information feeds decisions — will struggle to defend its system during inspection.
Review your DHFs, CAPAs, complaint procedures, PMS, and supplier controls for inconsistent or legacy “risk analysis” terminology.
Update your definitions and training materials so teams are using one consistent risk concept.
Verify that risk discussions explicitly address both severity and likelihood, even if the assessment is qualitative.
“Risk-based” must be visible in real decisions
We’ve touched on this, but the FDA spent considerable time clarifying what it means to make risk-based decisions under QMSR. Examples discussed during the panel included:
Applying different levels of complaint investigation based on potential patient harm.
Scaling supplier controls based on whether design and manufacturing are outsourced.
Adjusting software validation and revalidation activities based on intended use risk.
Determining when nonconformances warrant deeper investigation or corrective action.
The key point was not the specific examples, but the expectation behind them:
Manufacturers must document why they made the decisions they made.
The FDA does not require quantitative risk scoring, nor does it mandate specific tools. However, when data exists (complaints, adverse events, trend information), the FDA expects firms to use it. Qualitative judgments are acceptable, but ignoring available data is not.
Document your chosen risk management methodology and why it is appropriate for your device and organization.
Make sure your process is systematic, documented, and repeatable.
Prepare to explain your risk process clearly during inspection — tool choice matters less than logic and execution.
Quality culture starts at the top (and the FDA will evaluate it)
The panelists explicitly linked risk management to quality culture, citing language in the QMSR preamble stating that quality culture must be driven by executive leadership. In practice, this means the FDA will look beyond procedures and ask whether:
Leadership decisions align with stated risk priorities.
Risk considerations are consistently applied across departments.
Accountability for quality outcomes is evident throughout the organization.
In the FDA’s view, compliance is not just what is written; it is how quality is embedded in operations, decision-making, and behavior.
Make sure your future management review agendas include risk-based discussions, not just metrics!
Confirm executive decisions (resource allocation, remediation timing, supplier actions) align with documented risk priorities.
Be prepared to show inspectors how leadership actively engages with risk information.
Design and development clarifications that matter for inspections
The FDA provided several clarifications around design and development that are especially relevant for firms managing legacy devices alongside new or modified designs.
When design and development applies:
Design controls do not apply to feasibility or proof-of-concept work.
They must begin prior to any IDE.
They apply to design changes, not just initial development.
They are not retroactive, but designs marketed after February 2, 2026 must meet QMSR expectations.
The FDA encouraged manufacturers to clearly document where research ends and formal design and development begin.




