
April 28, 2026
by Jeff Craven

MedCon: FDA officials say risk management is biggest hurdle for inspections under QMSR

FDA officials (L-R) Laureen Geniusz, Christina Bigham, Katelyn Staub-Zamperini, and Jeffrey Wooley discussed inspections under QMSR at the MedCon conference in Columbus, OH (credit: Jeff Craven).

COLUMBUS, OH – US Food and Drug Administration (FDA) investigators have performed about 100 inspections under the new Quality Management System Regulation (QMSR), representatives from the agency told attendees at the 2026 MedCon conference, sponsored by the AFDO/RAPS Healthcare Products Collaborative.

Key changes with the QMSR include a greater focus on risk management, a culture of quality, and lifecycle integration. One of the biggest changes, officials said, is that risk is at the center of quality processes (RELATED: MedCon: FDA officials review QMSR as deadline approaches, Regulatory Focus 24 April 2025).

Between 2 February, when the QMSR went into effect, and 31 March, FDA officials said the agency issued the most 483s in risk management, followed by outsourcing and purchasing.

The increase in citations for risk management was not surprising, said Jeffrey Wooley, a compliance officer in the Office of Regulatory Programs, Office of Product Evaluation and Quality at the Center for Devices and Radiological Health (CDRH). He noted that the data was always there because risk was previously cited in design validation under the Quality System Regulation; risk is now front and center with QMSR.

“I expect that to continue, and probably next year when we present this data, I'll be shocked if that is not at the top of the list on the 483,” he said.

Risk procedures and documentation

“Some companies are providing procedures during inspections that are not relevant or specific to the process,” said Laureen Geniusz, a consumer safety officer in the Office of Medical Device and Radiological Health Inspectorate (OMDRHI).

“I see a lot of companies trying to regurgitate the regulation or the standard and make that their procedure, sign off on it and use it, but it doesn't really tell you how you're going to do things,” she explained.

Geniusz said she uses the procedure the company gives her to guide her through the inspection. “I'll take your risk analysis and have you maybe select a risk and go through all the columns to understand what you’re doing and how you’re doing it,” she said.

One issue she sees with procedures is that they can become so complex that they arguably become too difficult to implement. For instance, she said she has seen a company include in its procedures the history of risk, why it is important, and risk analysis tools; such a company may be able to use that procedure as a training tool for employees.

However, that can blur the line between procedure and a training document, she noted. What is more important is a procedure that clearly defines what should be done and when, Geniusz said.

Another concern is when different departments across a company use different risk scores and scales, said Katelyn Staub-Zamperini, medical device senior operations officer at OMDRHI.

“Something that throws a red flag up for me is that when you’ve established your risk management documentation, you’ve assigned scores and then a problem happens—and when you're investigating it, the risk score can be calculated differently than what it was originally determined to be,” Staub-Zamperini said. “If you are originally establishing this is a high-risk issue, and then you’re seeing that problem in the field, it should be treated the way that it was originally treated.”

Geniusz also said companies know when they are updating their risk analysis. While there is no requirement for when a company must update its risk analysis, “you should have a method,” she said.

She said companies are often unable to tell her during inspections when their risk analysis is updated, and their answers differ from what is documented in the change control.

“Be aware, we are going to be looking at how you update your risk analysis,” she said.

Risk controls

As part of using a company’s risk documentation throughout the inspection, an FDA inspector will also examine risk controls. Geniusz said this is an area where companies commonly run into problems post-QMSR because they are not adequately documenting their risk control measures.

“They’re not specific. They’re vague, they’re missing. It’s hard to interpret, and it’s not clear, concise, or accurate,” she said.

Being vague in documenting risk control measures will likely result in an FDA inspector spending more time determining which risk controls were employed, if any, Geniusz said.

“As a tip, best practice, try to look at your risk controls and beef them up in your comments,” she noted.

Hazard and harm descriptions

Many companies get hazards and harms confused in their risk analysis, Geniusz said. She told attendees that it’s worth reviewing their risk analysis to determine whether it is adequate and includes categories for both hazard and harm.

“If you don't have those correct in the first place, the rest of the risk analysis gets really messy and may not be appropriate to your firm,” she explained.

For companies unsure how to assign appropriate risk controls for harms that are not well defined, ISO 14971 could be a starting point. However, Geniusz noted that even though FDA does not require ISO 14971, inspectors will still hold you to the standard if it is in your procedure.

Human capital

Another issue FDA inspectors see is “unrealistic requirements” in risk assessments, said Christina Bigham, consumer safety officer at OMDRHI, such as when requirements for an in-process inspection or 100% verification don’t match up with the workload of production staff or quality staff.

“It looks good on paper. It looks good in your risk assessment to say, ‘We’re going to have 100% verification of this,’” Bigham said. “Then I go out on the quality floor, and I find out that you have one inspector that has to do every single 100% inspection, and that’s all they do for a 12-hour shift. It's just not realistic that you had a quality inspection at that point.”

There should also be some degree of training for inspectors who perform more complex inspections, Bigham said, such as an inspector who checks soldering in printed circuit board manufacturing receiving training on how to recognize good solder connections.

OEMs and contract manufacturers

Wooley acknowledged that it can be challenging for companies to control their suppliers, but they should know that any components or processes contracted out align with their overall risk assessment.

“You want to make sure that when you’re selecting and evaluating your suppliers, that you are aligning that with the risk that you’ve evaluated for your products and whatever services you’re having them to provide,” he said.

FDA wants to see the process of “open communication” between original equipment manufacturers (OEMs) and contract manufacturers, Geniusz said. Factors such as the product, device risks, and device design should be accounted for with the contract manufacturer, she noted.

“The shared communication and actually sharing the responsibility is super important,” she said.
