Risk Is the Spine: What The First 100 QMSR Inspections Reveal
By Marcelo Trevino, independent expert

FDA has now completed just over 100 inspections under its new Quality Management System Regulation, and the agency has begun sharing preliminary observations from those inspections. Early FDA findings under the new inspection model confirm the structural shift and show where manufacturers are most exposed. According to the FDA at the 2026 MedCon Conference, the most cited topics on Form 483 observations issued between February and the middle of April fall into a tight cluster that tells the industry, in data, what the agency has been signaling in messaging for the past year.
The top five, in order:
- Risk management
- Outsourcing and purchasing
- Complaint handling and feedback
- Unique device identifiers (UDI)
- Corrective action
The headline, risk management at number one, is no surprise. FDA has been telegraphing this shift since the QMSR final rule was issued. What is striking is how cleanly the rest of the list confirms the story. QMSR is not a documentation refresh. It is a structural change in how FDA inspects medical device manufacturers, and these rankings are the first quantitative evidence of where the new model is biting.
The Structural Shift
Under the legacy Quality System Inspection Technique, or QSIT, the model FDA used from 1999 until February, inspections orbited four subsystems: management controls, design controls, CAPA, and production and process controls. Risk was largely confined to design validation, mostly because that is where the regulation explicitly required it. When risk concerns appeared on a Form 483, they tended to be filed under design validation even when the underlying issue had little to do with design.
QSIT is retired. The replacement is an inspection model built around seven areas: management oversight; design and development; production and service provision; change control; outsourcing and purchasing; measurement, analysis and improvement; and other applicable FDA requirements. Sitting at the center of all seven, explicitly named as the spine of the model, is risk management, and at the center of risk management sit patients and users.
The practical consequence is that risk is now examined in every inspection, in every process area. Outsourcing and purchasing, historically not covered in every QSIT inspection, will be covered every time. So will UDI. So will change control. The common question across all of them is whether your risk activities actually connect what you decide, what you build, what you ship, and what you learn after the product is in use, or whether they live in independent silos that happen to share a binder.
That conceptual shift is why the first 100 data points matter. The top five list is not a roster of new requirements. Almost none of these obligations is new. It is a map of where the silos break first when an inspector starts pulling on the connecting threads.
1. Risk Management: Why It Tops The List
The number one spot is exactly what FDA’s inspection messaging has been signaling for the past year. Risk management is not new. ISO 13485 has long embedded it. But QMSR makes risk the lens through which every other process is read, and that lens exposes patterns that a process-by-process audit would never catch.
What does a risk management 483 actually look like under the new model? Three patterns recur in the early findings. First, procedures recite ISO 14971 in the abstract but never operationalize it: no defined triggers for reevaluating risk, no input pathway from complaints or CAPAs into the risk file, no rule for when an out-of-specification severity assumption forces an update. Second, risk vocabularies diverge across departments. Supplier quality, design, and production each assess severity and probability on different scales, producing risk numbers that cannot be compared and a risk file that cannot be reconciled. Third, risk control measures exist on paper but cannot be executed in the operating reality of the line. A 100 percent inspection step that, at actual throughput, takes 2 seconds per unit, with no second pair of eyes anywhere in the loop, is a control in name only.
These are not abstract documentation failures. They are the kinds of disconnects an inspector will reliably surface by walking from the risk management file to the floor and back. Under QSIT, this kind of gap would often be invisible because risk was not the lens. Under QMSR, the question is asked everywhere, and the gap shows up on every 483 it touches.
2. Outsourcing And Purchasing: Risk Has To Travel With The Product
The number two item is, in many ways, the most consequential change in inspection scope. Outsourcing and purchasing were never guaranteed inspection topics under QSIT. Under QMSR, every inspection asks how the risk you have assessed for your finished device flows into the way you select, qualify, and oversee your suppliers, and back again from the supplier into your own files.
Two failure patterns illustrate the gap the inspection model is designed to find. In the first, a specification developer engages a contract manufacturer whose prior history is in consumer products. The contract manufacturer accepts a generic sampling plan with an acceptable quality limit (AQL) appropriate for consumer goods and dangerous for medical devices. No one has translated the device’s risk profile into quality requirements for the supplier. In the second, a contract manufacturer makes a manufacturing change that produces a surge of nonconforming lots, but the quality agreement does not require the supplier to report nonconformances or process changes. The product owner sees the good lots arriving and the complaints arriving, and never connects the two. Outcomes like these, when they reach FDA, typically end in significant recalls and serious regulatory exposure.
Preventing them requires more than a vendor checklist. It requires executed quality agreements that define roles and responsibilities in practice, not on paper. It requires risk information flowing in both directions, including post-market data that firms are sometimes reluctant to share because it feels embarrassing. And it requires the specification developer to remember that legal responsibility for the device does not transfer with the work order. The label still says your name.
3. Complaint Handling And Feedback: The Resource Question
Complaints and feedback are not a new inspection topic, but the third-place finish reflects how often the process breaks in ways the new inspection model is designed to find. FDA has opened for-cause inspections solely on the basis that a firm reported zero MDRs while its direct competitors reported many. The bar for filing is, by design, low. The agency repeatedly emphasizes that filing an MDR is not the problem. Failing to file one is.
Underneath the recurring findings is almost always a resourcing question. When a complaint-handling unit is staffed for steady state volume and the firm grows rapidly or experiences a quality event, complaints get triaged in seconds and miscoded. Software defects in particular are often coded once and routed into an engineering ticketing queue that the quality system never sees again. Patterns that should have triggered a risk file update, such as a user saying “this is the second time,” are buried.
A robust system feeds complaints back into the risk file. When the actual severity or occurrence of a failure mode differs from what the risk analysis predicted, the document must move, not stay static for a year because the procedure says annual review. The new inspection model is built specifically to surface the gap between what the risk file says and what the complaint data is showing.
4. UDI At Number Four: A Surprise That Shouldn’t Be
UDI at number four caught most observers off guard. The requirement for unique device identifiers under 21 CFR 830 has been in effect for years. The labeling and direct marking requirements are well established. Many quality leaders had stopped treating UDI as an active enforcement risk.
That complacency now looks misplaced. UDI lives under “other applicable FDA requirements” in the new inspection model, and the categories of failure that UDI inspections typically examine span a familiar but unforgiving range. They include the integrity of the FDA’s Global UDI Database (GUDID) entries, the synchronization between direct mark identifiers and labeled identifiers across packaging revisions, the discipline of updating UDIs when a device model is revised or a kit configuration changes, and the encoding of dates and expirations through routines simple enough to be validated by an automated check that few firms have built.
What the ranking suggests is not that firms have suddenly become careless. It is that UDI sits at the intersection of labeling, regulatory affairs, manufacturing, and IT, and the new inspection model now reliably looks at all four interfaces every time. Under QSIT, UDI gaps could go undetected for years between inspections that happened to focus on other subsystems. Under QMSR, the question is asked in every inspection. Firms that have not run a structured reconciliation between GUDID, the labeling system, and the actual product in the field should expect to be the next data point.
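The structured reconciliation and automated date and identifier checks described above, as an added example that is not from the article, the author, or FDA: a Python script that parses the human-readable GS1 element string printed under a label barcode, validates the GTIN-14 check digit and the GS1 YYMMDD date encoding (including the DD=00 "last day of month" convention and the GS1 century rule), and compares label, direct mark, and a simplified GUDID-like record. The GUDID field names used here (primary_di, dm_di_differs, lot_on_label, expiration_on_label), the device identifiers, and the lot number are constructed assumptions, and the application identifier table covers only the AIs commonly found on device labels.

```python
"""Added example: parse a GS1-style UDI element string, validate the
GTIN-14 check digit and GS1 YYMMDD dates, and reconcile label, direct
mark and a GUDID-like record.  All sample data below is constructed."""
import calendar
import re
from datetime import date

# Subset of GS1 application identifiers seen on device labels:
# AI -> (name, min length, max length).  Assumption: the bracketed
# human-readable form "(01)...(17)...(10)..." printed under the barcode.
AI_SPEC = {
    "01": ("gtin", 14, 14),
    "11": ("production_date", 6, 6),
    "17": ("expiration_date", 6, 6),
    "10": ("lot", 1, 20),
    "21": ("serial", 1, 20),
}
_ELEMENT = re.compile(r"\((\d{2})\)([^()]*)")


def parse_element_string(s):
    """Return {ai: value}; reject unknown/duplicate AIs, bad lengths, junk."""
    out, pos = {}, 0
    for m in _ELEMENT.finditer(s):
        if m.start() != pos:
            raise ValueError(f"unparsed text at offset {pos}")
        ai, val = m.group(1), m.group(2)
        if ai not in AI_SPEC:
            raise ValueError(f"unsupported AI ({ai})")
        _, lo, hi = AI_SPEC[ai]
        if ai in out or not lo <= len(val) <= hi:
            raise ValueError(f"AI ({ai}) duplicated or length {len(val)} not in {lo}..{hi}")
        out[ai] = val
        pos = m.end()
    if pos != len(s) or not out:
        raise ValueError("trailing text or empty element string")
    return out


def gtin_check_digit(body):
    """GS1 mod-10 check digit: weights 3,1,3,1,... from the rightmost digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10


def gtin14_is_valid(gtin):
    return len(gtin) == 14 and gtin.isdigit() and gtin_check_digit(gtin[:-1]) == int(gtin[-1])


def decode_gs1_date(yymmdd, reference_year):
    """GS1 YYMMDD: DD=00 means last day of the month; the century is chosen
    so the year falls within -49..+50 of reference_year (GS1 century rule)."""
    if len(yymmdd) != 6 or not yymmdd.isdigit():
        raise ValueError(f"bad date field {yymmdd!r}")
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    century, diff = reference_year - reference_year % 100, yy - reference_year % 100
    if 51 <= diff <= 99:
        century -= 100
    elif -99 <= diff <= -50:
        century += 100
    year = century + yy
    if not 1 <= mm <= 12:
        raise ValueError(f"bad month in {yymmdd!r}")
    last = calendar.monthrange(year, mm)[1]
    dd = last if dd == 0 else dd
    if not 1 <= dd <= last:
        raise ValueError(f"bad day in {yymmdd!r}")
    return date(year, mm, dd)


def reconcile(label, direct_mark, gudid, reference_year=2026):
    """Return a list of findings; empty means label, mark and record agree.
    gudid is a dict using assumed, simplified GUDID field names."""
    findings = []
    try:
        lab = parse_element_string(label)
    except ValueError as e:
        return [f"label: {e}"]
    gtin = lab.get("01")
    if gtin is None:
        findings.append("label: no (01) GTIN")
    elif not gtin14_is_valid(gtin):
        findings.append(f"label: GTIN {gtin} fails check digit")
    elif gtin != gudid["primary_di"]:
        findings.append(f"label DI {gtin} != GUDID primary DI {gudid['primary_di']}")
    dates = {}
    for ai in ("11", "17"):
        if ai in lab:
            try:
                dates[ai] = decode_gs1_date(lab[ai], reference_year)
            except ValueError as e:
                findings.append(f"label: {e}")
    if "11" in dates and "17" in dates and dates["17"] < dates["11"]:
        findings.append("label: expiration precedes production date")
    for flag, ai in (("lot_on_label", "10"), ("expiration_on_label", "17")):
        if gudid.get(flag) and ai not in lab:
            findings.append(f"GUDID says ({ai}) is on the label but it is absent")
    if direct_mark is not None:
        try:
            dm = parse_element_string(direct_mark)
        except ValueError as e:
            return findings + [f"direct mark: {e}"]
        if not gudid.get("dm_di_differs") and dm.get("01") != gtin:
            findings.append(f"direct mark DI {dm.get('01')} != label DI {gtin}")
        for ai in ("10", "17", "21"):
            if ai in dm and ai in lab and dm[ai] != lab[ai]:
                findings.append(f"({ai}) differs between label and direct mark")
    return findings


# Constructed sample data: not real GUDID records or device identifiers.
GUDID_RECORD = {"primary_di": "00843120000006", "dm_di_differs": False,
                "lot_on_label": True, "expiration_on_label": True}
GOOD_LABEL = "(01)00843120000006(17)261231(10)LOT7A"
GOOD_MARK = "(01)00843120000006(10)LOT7A"
# Drifted label: a packaging revision changed the last GTIN digit and the
# expiration was encoded as 30 February.
BAD_LABEL = "(01)00843120000005(17)260230(10)LOT7A"


def demo():
    return (reconcile(GOOD_LABEL, GOOD_MARK, GUDID_RECORD),
            reconcile(BAD_LABEL, GOOD_MARK, GUDID_RECORD))


if __name__ == "__main__":
    for findings in demo():
        print(findings or "consistent")
```

Run against a real export, the label system's element strings and the scanned direct marks would replace the constructed constants; the point of the script is that the check digit, the date encoding, and the label-to-mark-to-record agreement are all mechanical and can run on every lot before an investigator pulls a sample.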
5. Corrective Action At Number Five: Reading Between The Numbers
At first glance, corrective action at number five looks like a striking improvement. Under QSIT, CAPA was famously the most cited inspection area year after year. Has the industry suddenly figured it out?
Almost certainly not. The more likely explanation is structural. What used to be a single CAPA requirement under 21 CFR 820.100 is, under QMSR’s alignment with ISO 13485, separated into three distinct processes: analysis of data, corrective action, and preventive action. Findings that historically would all have rolled up under CAPA are now distributed across three different topic categories. When the inspection model partitions a category, the citation count for any single piece of it falls, even when underlying performance is unchanged.
The substantive lesson is that data analysis is now its own discipline in the eyes of the regulation. It is no longer adequate to bury trending of complaints, nonconformances, process data, supplier performance, and post-market signals inside a CAPA procedure. Each needs to be defined, executed, and reviewed on its own. Preventive action, long the most neglected leg of the old CAPA triad, is similarly exposed when it is required to stand alone.
Manufacturers reading the rankings should not conclude that corrective action has become a low-risk area. They should expect that the same root issues now get cited across data analysis, corrective action, and preventive action, and prepare each accordingly.
What The List Doesn’t Say
The absences in this list are also informative. Design controls, the historical champion of FDA citations, does not appear in the top five, but that almost certainly reflects the same accounting effect as CAPA. Design findings now disperse across design and development, change control, and risk management, where the underlying issue often actually lives. Management oversight is also absent from the top five, though the inspection model places significant expectations there. It may simply be that the most visible 483 observations remain the operational ones an investigator can document with physical evidence on the floor.
What the list captures, more than anything, is where risk fails to connect across functions. That is exactly what the new inspection model is designed to find, and the first 100 inspections suggest it is finding it consistently.
Building The Connections
For executives, directors, and quality leaders planning the next 12 months, the practical implications are concrete.
Make procedures specific and operational. Define when risk analyses are updated, by what trigger, with what input from complaints, CAPAs, and post-market data. Build a trace matrix that connects design inputs to design outputs to verification, validation, risk controls, and post-market signals, and use it as the spine of internal audits.
Standardize risk vocabulary across departments. If supplier quality, design, and production assess severity and probability differently, there is no risk management system. There are three of them held together by hope.
Treat supplier risk transfer as a mutual obligation. Communicate the device’s risk profile down to contract manufacturers in language they can use to build their own process risk analysis. Require nonconformance reporting up. Audit critical suppliers for substance, not for completed checklists.
Resource complaint handling and post-market surveillance proportionally to volume and risk, and watch for processing delays as the leading indicator that you lack adequate capacity. Code complaints consistently so the data is usable. Connect today’s complaint to yesterday’s when the user says “this is the second time.”
Reconcile UDI data structurally, working through the relationships between GUDID, label, device, and record, and own the result. Build a routine validation that catches drift in expiration data and direct mark identifiers before an investigator does.
Treat the CAPA split as an organizational reality, not a clerical one. Stand up data analysis as its own process with its own owner, inputs, outputs, and review cadence. Do the same for preventive action.
Conclusion
The first 100 QMSR inspections have done the industry a real service. They have replaced speculation with a data point. Risk is the spine. Supplier, complaint, and UDI failures are where the spine breaks first. And corrective action’s apparent decline is an accounting effect that disguises continuing exposure across data analysis and preventive action.
Manufacturers that treat QMSR as a documentation update are setting themselves up for 483 observations, warning letters, and, in some cases, significantly worse outcomes. Those that treat it as the inspection model it actually is, one in which risk genuinely connects design, supply, production, change, and the post-market signal, will find the new system not just survivable but, quietly, the kind of operation it was built to recognize.
About The Author:
Marcelo Trevino has more than 25 years of experience in global regulatory affairs, quality, and compliance, serving in senior leadership roles while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical instruments, orthopedics, medical imaging/surgical navigation, in vitro diagnostic devices, and medical device sterilization and disinfection products. He has an extensive knowledge of medical device management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDR/IVDR, MDSAP). He holds a BS in industrial and systems engineering and an MBA in supply chain management from the W.P. Carey School of Business at Arizona State University. Trevino is also a certified Medical Device Master Auditor and Master Auditor in Quality Management Systems by Exemplar Global. He has experience working on Lean Six Sigma Projects and many quality/regulatory affairs initiatives in the U.S. and around the world, including third-party auditing through Notified Bodies, supplier audits, risk management, process validation, and remediation. He can be reached at marcelotrevino@outlook.com or on LinkedIn.