Risk management deficiencies have emerged as the most common compliance issue under the US Food and Drug Administration’s (FDA) new Quality Management System Regulation, according to early agency data that shows how medical device companies are adjusting to a more risk-focused oversight framework during the first two months of QMSR-related inspections.
The FDA’s observational findings, based on facility inspections conducted between Feb. 2 and March 31, were released by agency official Karen Cruz-Arenas on May 6 at FMMC’s Florida Medical Device Symposium, where QualityHub Corporate VP Sean Boyd led an “FDA Super Session” discussion.
Cruz-Arenas – a Senior Operations Officer in the Office of Medical Device and Radiological Health Inspectorate (OMDRHI), within the FDA’s Office of Inspections and Investigations (OII) – said investigators have identified recurring weaknesses across multiple quality system areas.
“This is just two months of data, so we’re not going to make any sweeping conclusions about what we’re seeing,” Cruz-Arenas cautioned. Nevertheless, she noted that the inspection data is beginning to reveal how companies are adapting – or not – to the FDA’s more integrated and risk-based approach to quality systems management.
The inspectional observations highlighted below show troubles with risk management, supplier oversight, complaint investigations, Unique Device Identification (UDI) compliance, and corrective action systems, all areas that FDA views as interconnected under the QMSR.
1. Risk Management
Found under Clause 7.1, risk management was the most frequently cited issue during the FDA’s first wave of QMSR inspections, something Cruz-Arenas said the agency largely anticipated because the regulation is fundamentally built around risk-based decision-making.
She said a sizeable portion of device makers treat risk management as a static exercise completed during product design and development rather than a living system that evolves alongside real-world product performance. (Related Story: “Risk Management & QMSR: 7 Questions Answered By FDA,” QualityHub, Jan. 15, 2026.)
FDA investigators found that while companies often generate extensive risk documentation during design development, many procedures fail to explain how those files should be maintained, reviewed, or updated after products go to market.
“If you’re telling me that you are going to control risk by doing X, Y, and Z, I’m going to verify that X, Y, and Z is in place.” – Karen Cruz-Arenas
“A lot of companies are creating this risk documentation during the design and development of the product, but then there’s no information and no instructions on how they’re going to maintain the risk management file,” Cruz-Arenas said.
Investigators also found that companies are not consistently feeding post-market data back into their risk analyses. Complaints, field failures, and performance signals were often not reflected in updated hazard assessments, severity rankings, or occurrence calculations.
“What we’re seeing is that [companies aren’t using post-market] data from the field to actually look at their risk management documentation and change the hazards, the harms, the severity of those harms, and the likelihood of occurrence,” Cruz-Arenas said.
Further, FDA investigators identified gaps involving risk-control measures. In several inspections, firms documented mitigation strategies in risk files but could not demonstrate that those controls had actually been implemented or verified.
“If you’re telling me that you are going to control risk by doing X, Y, and Z, I’m going to verify that X, Y, and Z is in place,” Cruz-Arenas said.
2. Outsourcing and Purchasing
Supplier controls and purchasing oversight ranked as the second most common inspectional concern, reflecting the FDA’s growing focus on supply chain risk and outsourced manufacturing activities. (Related Story: “Beyond Compliance: The New Playbook for Risk, Supplier Control, and Expertise in MedTech,” QualityHub, April 3, 2026.)
FDA investigators found that manufacturers frequently failed to apply controls proportionate to supplier risk, particularly for critical suppliers, critical components, and outsourced processes that directly affect device safety or performance.
“If you have a critical supplier, a critical component that’s coming in from a particular supplier, or perhaps a critical outsource process, [those vendors are] an extension of you,” Cruz-Arenas warned manufacturers.
She said one recurring problem is that some companies aren’t adequately communicating specifications, acceptance criteria, or quality expectations to suppliers. As a result, they may provide materials or components that don’t meet requirements, creating quality issues that cascade throughout production.
Manufacturers “aren’t telling the suppliers, ‘Hey, this is what we need,’” Cruz-Arenas said.
Investigators further found weaknesses in incoming inspection and verification processes. In some cases, firms failed to adequately assess purchased products before introducing them into manufacturing operations, increasing the risk that defective or nonconforming components could reach finished devices.
“It’s a ripple effect,” Cruz-Arenas said, emphasizing that companies need stronger supplier oversight systems capable of identifying problems before they affect manufacturing or patients. “You don’t want this product to fail in the field. You want to be able to stop [problems] at the door.”
The agency’s observations suggest investigators are paying close attention not only to supplier qualification activities, but also to how companies monitor supplier performance over time and adjust controls based on risk.
3. Complaint Handling and Feedback
Complaint handling and feedback systems emerged as another major area of concern, with FDA investigators identifying repeated deficiencies involving complaint intake processes and investigations, as well as Medical Device Reporting (MDR) decisions. (Related Story: “Don’t Play with Fire When Handling Complaints, FDA Investigators Tell MedTechs,” QualityHub, June 13, 2025.)
“The top observation for complaint handling was Clause 8.2.2,” Cruz-Arenas said, noting that companies aren’t collecting sufficient information when complaints or feedback are initially received, resulting in incomplete records and weak investigations later in the process. “If you don’t gather enough information about an issue, you’re going to have inadequate records.”
Investigators found that inadequate intake procedures often prevented companies from properly determining whether a complaint required investigation or if an event should be reported to the FDA as an MDR.
The agency also observed manufacturer confusion around the distinction between customer feedback and formal complaints. Cruz-Arenas said some companies leave feedback at lower organizational levels without escalating or analyzing it appropriately, even when the information could indicate a device malfunction or adverse event.
“What I find often in the inspections is that feedback is kind of staying behind,” she said.
Investigators also identified training gaps among frontline personnel responsible for receiving or relaying product information. Sales reps, field service personnel, and even healthcare workers observing devices in operating rooms often failed to provide enough detail back to manufacturers for effective investigations.
Cruz-Arenas made clear that the complaint intake process is “critical”: “If a company can control the intake process, that will strengthen its investigation.”
She noted that complaint handling deficiencies often tie back to broader weaknesses in risk management systems, particularly when field data is not incorporated into ongoing hazard analyses.
4. Unique Device Identification
FDA investigators also identified various recurring compliance issues involving UDI requirements, with one of the most common findings involving manufacturers completing only part of the UDI process. According to Cruz-Arenas, companies frequently obtain a UDI number but fail to register the identifier in the required global database.
“When you obtain a UDI number, you get that primary ID,” she said. “The second step is that you have to register that ID” with the Global Unique Device Identification Database, or GUDID. “A lot of companies are missing that second step.”
“What we’re seeing with corrective actions is that investigations are often inadequate and don’t drill down to the root cause.” – Karen Cruz-Arena
Investigators are also encountering products that don’t have UDI barcodes or QR codes, particularly after companies introduce new product models or make changes to a device’s packaging.
Another recurring issue involves barcode validation failures. During inspections, investigators sometimes ask companies to scan their own barcodes to verify the encoded information. In some cases, the data retrieved from the scan does not match the information stored in company systems.
“Oftentimes, when we scan it, the information is not the same,” Cruz-Arenas said, attributing many of those discrepancies to inadequate validation processes and poor controls over data entry and labeling system updates.
5. Corrective Action
Corrective action deficiencies rounded out the FDA’s list of Top 5 inspectional observations, with investigators finding problems involving root-cause analysis and the effectiveness of corrective action plans. (Related Story: “5 Pro Tips for a Strong, Vibrant CAPA System,” QualityHub, Dec. 18, 2025.)
“What we’re seeing with corrective actions is that investigations are often inadequate and don’t drill down to the root cause,” Cruz-Arenas said, but she added that this is not a new problem.
According to the FDA, companies frequently implement corrective actions aimed at controlling manufacturing symptoms without addressing deeper design-related issues that may be driving recurring failures.
“What we’re seeing is that [companies] will try to control the issue at the manufacturing level, when more than likely the issue is design,” Cruz-Arenas said.
She acknowledged that design changes can be expensive and time-consuming, but said manufacturers must still ensure corrective actions are proportional to the severity and risk associated with the problem.
The FDA also found that some firms closed corrective actions without adequately verifying effectiveness, leading investigators to encounter the same quality issues during subsequent inspections.
“I’ll go back [to a company] and reassess the data,” Cruz-Arenas said. “And I’ll say, ‘Why are you still having the same issues? I thought you fixed that.’”
She said the agency continues to stress that corrective actions should focus on long-term improvement rather than short-term containment.
“The fundamental issue of corrective action is still the same,” Cruz-Arenas said. Manufacturers are failing to “deep dive into the root cause and actually create corrective actions that are commensurate with the risk.”
