What the First QMSR Inspections Reveal: Familiar Problems, a Sharper Lens
The FDA says it's now run more than 100 inspections under the new rule. The top findings are not a huge surprise. Where they're surfacing is the real signal.
Today’s piece is for the device and medtech teams among us. As you know by now, the FDA’s Quality Management System Regulation took effect earlier this year, folding ISO 13485:2016 into 21 CFR Part 820.
The agency also retired the Quality System Inspection Technique that investigators had used for decades and switched to a new inspection process under Compliance Program 7382.850.
A few months in, the early data is starting to arrive. FDA officials have now described findings from the first wave of QMSR inspections at several industry conferences, and the picture lines up closely with what our own auditors and quality consultants are seeing in readiness work.
If you still need to get compliant with the QMSR, talk to us ASAP. We’ll pair you with the ISO/FDA expertise that can be hard to find for projects like this.
The early numbers, with a caveat
At the FDA Law Institute’s annual conference in May, Keisha Thomas, associate director in CDRH’s Office of Product Evaluation and Quality, said the agency had completed just over 100 inspections under QMSR.
For Form 483 observations issued between February and mid-April, she ranked the top areas as follows:
1. Risk management
2. Outsourcing and purchasing
3. Complaint handling and feedback
4. UDI
5. Corrective action
Her framing of the central change was pretty blunt:
“Risk, risk, risk, risk. That is the fundamental change to QMSR.”
The ordering of these areas is not fixed yet. At MedCon in late April, officials put risk management first, followed by outsourcing and purchasing, for the February-through-March window.
Speaking at the RAPS Quality Conference about four months in, Thomas listed risk management, then corrective action, then risk-based approach, complaint handling, and purchasing. She added the caveat worth keeping in mind: it’s early, and the agency is largely seeing the same citations it saw before QMSR, only in a different order.
That last point is the one to sit with. The categories are old. What changed is how an inspection arrives at them.
Risk is now the roadmap (and the audit trail is open)
Under the old QSIT, investigators worked through a handful of subsystems, each more or less on its own. Under the new CP 7382.850, the inspection is organized around six QMS areas and built to follow product risk across the lifecycle. Investigators identify the risks a device could pose, then use the company’s own risk documentation to navigate the rest of the system. Risk management is no longer one file among many. It’s the route the inspection takes.
One change deserves more attention than it has gotten. QMSR removed the long-standing protection that kept internal audit reports, supplier audit results, and management review records out of the FDA’s reach during an inspection. Those records are now fair game.
There’s a related and easy-to-miss trap here: some companies read a clean internal audit history as proof of strong compliance, when an absence of findings can just as easily mean the audits are not looking hard enough. The agency is encouraging firms to run internal audits more like an FDA inspection, aimed at finding real problems before an investigator does.
With that context, here is where the early problems are clustering, and what our auditors tend to find underneath each one.
Risk management
The clearest signal is that risk management is being treated as a living system rather than a design deliverable. Thomas said firms are being cited for a lack of process and evidence showing that risk is actually rooted in their decisions, and she pressed the point that risk management has to keep evolving after launch.
Many companies still manage the risk file as something built during design and revisited only when a formal change or audit forces it.
On paper, the file looks complete. What it often can’t show is the connective work: how complaints, nonconformances, service data, field failures, and supplier issues feed back into the analysis, who owns those updates, when they trigger a change, and how control effectiveness gets verified over time. Producing an FMEA is no longer the test. You have to show that the FMEA reflects the current product performance.
Supplier and outsourcing controls
Supplier control has always drawn inspection attention, but QMSR sharpens the question from “was this supplier approved” to “is the level of control proportionate to the risk this supplier carries.”
The weakness our auditors find is rarely an empty supplier file. It’s much more often a generic one. We’ve seen quite a few low-risk packaging vendors and critical contract sterilizers governed by the same template, the same review cadence, and the same thin quality-agreement language.
Supplier performance gets reviewed, but the review doesn’t account for product risk.
Change notifications get captured, but the downstream impact assessment is light.
Incoming acceptance happens, but the sampling and release rationale is not actually tied to anything risk-based.
Under an inspection that starts from risk, that flatness stands out pretty quickly.
Complaints and feedback
Complaint handling is surfacing as an early observation area, and it usually fails at the handoffs rather than the procedure.



