For decades, medical device manufacturers have largely focused their quality systems on procedures, documentation, and meeting regulatory requirements. Now, with the US Food and Drug Administration’s (FDA) Quality Management System Regulation (QMSR) in effect, the focus has expanded beyond mere compliance.
Nowadays companies are expected to demonstrate that the decisions underpinning their quality systems are based on risk, supported by objective evidence, and applied consistently across the organization, say QualityHub Medical Device Compliance VP Christina Arnt and FDA Policy Analyst Daniel Walter.
The experts further stressed during a recent MedTech industry conference discussion that risk-based decision-making has become a central focus of FDA inspections and regulatory expectations.
Walter said the agency views risk management as “the core of the backbone of the Quality Management System,” noting that the concept now sits at the center of the FDA’s updated medical device inspection framework under Compliance Program Manual (CPM) 7382.850.
Released on Feb. 2 – the same day the QMSR went into force – CPM 7382.850 instructs FDA investigators on what they should look and ask for during a facility inspection, among other activities. The CPM effectively replaced the agency’s longtime Quality System Inspection Technique (QSIT). (Related Story: “Takeaways From FDA’s Retooled Compliance Manual for MedTech Inspections,” QualityHub, March 27, 2026.)
Post-QMSR implementation, investigators are increasingly evaluating not only what decisions manufacturers make, but also how those decisions are justified and documented, Walter said. He predicted that a large portion of future inspection observations could stem from situations where a company’s documented risk assessment does not align with what investigators discover on site.
“The start of [FDA-483] observations is going to be, ‘According to your risk you said this was [acceptable, but] when we looked at it, we found that in practice it was something else,’” Walter said, encouraging manufacturers to conduct gap assessments to ensure quality system procedures, terminology, and risk management processes remain aligned.
“I’ve heard some companies say, ‘We have a 13485 cert, we’re good,’ but they’re missing the risk-based decision-making.” – Christina Arnt
One area drawing particular attention is documentation. Walter noted that the FDA expects companies to be explicit in how risk-based decisions are made throughout the quality system and to clearly connect those decisions to documented procedures.
“The word ‘explicit’ is used a bunch,” Walter said, referring to language in the QMSR’s preamble, the FDA’s elaboration on the regulation that was published along with the final rule in 2024. “You have to be deliberate about [the words] you’re using” in procedures and other documents, he added.
Arnt noted that many manufacturers mistakenly assume that being certified to ISO 13485:2016 automatically means they’re fully prepared for the FDA’s expectations under the QMSR, which is mostly aligned with the international quality systems standard.
“I’ve heard some companies say, ‘We have a 13485 cert, we’re good,’ but they’re missing the risk-based decision-making,” she said. “Those companies have a lot of work to do, and it’s well beyond updating some figures.”
Arnt said device makers must be able to demonstrate exactly where risk-based decisions are defined within their quality systems, particularly when investigators ask how complaints, corrective and preventive actions (CAPAs), and other quality events are prioritized.
During an inspection, an investigator will likely ask, “How do you prioritize your CAPA investigation? What does that look like, and where is it written down?” Arnt said. But “having that conversation with the investigator, from what I’ve seen, is not enough.”
Rather, organizations should be prepared to point directly to procedures and documented escalation pathways that govern risk-based decisions. Arnt cited traceability matrices and clearly defined complaint escalation criteria as examples of effective practices.
Technology, Integration, and Strategic Value in QMSR Compliance
Arnt also highlighted the role of technology in supporting compliance, pointing out that companies that continue to rely heavily on paper-based systems often struggle to maintain the connections between risk management activities, quality records, and documentation that the QMSR now demands.
“You need those technology connections between your documents, between your quality subsystems, to really be agile,” she said.
While some manufacturers mistakenly view the QMSR primarily as a compliance exercise, Arnt argued that the regulation presents a broader opportunity to simplify quality systems and strengthen business performance.
“If quality is done right, it can be a competitive advantage,” she said. “The QMSR really helped lean into that premise and helps educate … business partners that if [they] do this right, it does become a competitive advantage for your company.”
Arnt further challenged manufacturers to use the transition as an opportunity to eliminate unnecessary complexity and reconnect quality activities to their underlying purpose.
“The answer should not be, ‘My procedure says I have to,’” she said when discussing quality activities. “If it’s not a benefit to the patients you’re serving, and if it’s not keeping your employees safe, and if it’s not a benefit to your business, then why are you doing it?”
Arnt and Walter’s comments came during a May 12 session at the Veeva MedTech Summit titled “FDA: Evaluating the Impact of QMSR on Medtech Innovation.”
