QHub Insights: Successful MedTechs Use Management Controls to Oversee Quality Systems, Avoid FDA Risk. Here’s How Yours Can, Too

Executive Summary

Effective management controls is essential for medical device companies, as FDA views executive leadership as ultimately responsible for quality system performance and many deficiencies stem from weak oversight. Experts emphasize the need for strong internal audits, clear quality goals, adequate resources, and cross-functional collaboration to keep executives informed and prevent costly compliance failures. Companies that invest in robust management control practices reduce recalls, limit FDA issues, and strengthen both brand reputation and long-term financial performance.

A critical task for any medical device company’s C-suite is to establish and maintain an adequate and effective quality system, but achieving that can be near impossible if they don’t have strong management control activities in place, MedTech industry experts say.

According to QualityHub President and former US Food and Drug Administration (FDA) official Tim Wells, management controls is sometimes misunderstood or poorly implemented by device makers. “Management controls is all-encompassing,” he said in an interview with QHub Insights. “Addressing management controls should be one of the first things a company should evaluate, especially if they are facing an FDA-483 [inspectional observation form] and/or a warning letter.”

Wells founded QualityHub in 2004 after a long career at the US FDA where he co-developed the Quality System Inspection Technique, among other notable regulatory and quality contributions. QSIT is an approach that’s been used by agency investigators during medical device inspections for more than 26 years. (Editor’s Note: The FDA plans to retire QSIT in early 2026 when its new Quality Management System Regulation (QMSR) comes into force; see related QHub story.)

The FDA positioned management controls as the first and last sections of QSIT to emphasize to investigators that a company’s executive management needs to follow management control requirements found in the agency’s Quality System Regulation (QSR) under 21 CFR, Part 820.20, and to remind investigators to “spend some time looking at what the organization is doing in management controls,” Wells said.

“If the investigator finds significant violations of the 820 quality system requirements – not necessarily violations of 820.20 – the blame will likely be placed on executive management,” he said. “That’s because FDA believes gaps in the quality system are the result of deficient management controls.”

What FDA’s QS Regs Say About Management Control, Responsibility

Part 820.20 says “management with executive responsibility” must, among other things, establish a quality policy and ensure quality planning, create quality system procedures, develop an organizational structure, and conduct management reviews of the quality system. Further, performing quality audits is required under Part 820.22 and having “sufficient personnel” is a requirement of Part 820.25.

Meanwhile, the FDA’s new QMSR will replace the QSR on Feb. 2, 2026. The term “management with executive responsibility” doesn’t appear in the QMSR; it was replaced by “top management,” a term used in ISO 13485:2016, which is the international quality systems standard that was incorporated into, or blended with, the QSR to create the new rule.

The QMSR preamble – the FDA’s elaboration on the regulation published along with the final rule in 2024 – makes clear that use of “the term ‘top management’ does not change that FDA expects medical device manufacturers, led by individuals with executive responsibilities, to embrace a culture of quality as a key component in ensuring the manufacture of safe and effective medical devices.”

How Often Does FDA Cite Management Controls?

According to QualityHub’s Wells, the FDA doesn’t place a lot of emphasis on management controls during facility inspections for a variety of reasons. While he believes most agency warning letters could cite a lack of adequate management controls, that citation appears in only a nominal percentage of the missives.

A QHub Insights analysis of FDA warning letters using Global Key Solutions’ KeyPedia database shows that citations of 820.20, 820.22, and 820.25 in warning letters from 2020 through 2024 didn’t rise to the level of citations of other QSR subsections during the same time frame. The management control-related citations are nevertheless nothing to sneeze at.

Twenty-two of the 215 device-related warning letters sent to firms from 2020 to 2024, or roughly 10%, included citations of 820.20, while 8% and 5% of the missives included citations of 820.22 and 820.25, respectively. (See “FDA Warning Letters With Management Control Citations, 2020-2024,” below.)

When it comes to citations of 820.20, 2022 represented a recent high-water mark; that QSR subsection was noted in nearly a quarter of the agency’s warning letters to manufacturers that year. Also notable are citations of 820.22 in 2022 and 2023, when they were found in 20% and 19% of device-related letters, respectively, and citations of 820.25, which were included in 8% of letters in both of those years.

FDA Warning Letters With Management Control Citations, 2020-2024

  Year     Device-Related     Letters w/        Letters w/        Letters w/
           Warning Letters    820.20 Citation   820.22 Citation   820.25 Citation
  2020     47                 2 (4%)            1 (2%)            1 (2%)
  2021     63                 4 (6%)            1 (2%)            1 (2%)
  2022     25                 6 (24%)           5 (20%)           2 (8%)
  2023     36                 1 (3%)            7 (19%)           3 (8%)
  2024     44                 9 (20%)           4 (9%)            4 (9%)
  Total:   215                22 (10%)          18 (8%)           11 (5%)

Source: KeyPedia database by Global Key Solutions


Wells says that regardless of whether management control-related citations are written into warning letters, medical device executives still need to live and die by management controls.

“FDA believes that if a company is found with deficiencies in any of the key areas such as product design, risk management, post-market controls such as corrective and preventive actions [CAPA], and other key areas, one of the key root causes could be traced back to inadequate management controls,” Wells said. “I believe that too.”

He noted that “in the minds of FDA officials, they may be thinking: ‘Who is in charge? How and why did they let this happen? Who can we hold accountable?’”

Strong Internal Audits: Essential Component of Management Controls

Internal audits are the first and most obvious tool to keep upper management informed. However, after 40 years of experience in the MedTech industry, QualityHub’s Wells says internal audits are often the first place a breakdown in communication manifests. He believes many companies lack auditing personnel with the skills to perform deep dives into their own quality systems.

“A review of internal audit reports often shows that auditors may not find many of the problems or they may gloss over the real issues,” Wells said. “A strong internal audit requires skilled auditors who find and raise up the deficiencies in the quality systems as well as in product areas, such as risk and design files.”

Further, he said, “analyzing complaint trends as well as CAPAs can help the auditor gain a more complete picture of emerging product issues and help evaluate how product complaints are being handled. These are methods used by the FDA and third-party auditors, but often not by internal auditors.”

“You should think of your deep-dive audit as your company’s annual physical exam.” – Tim Wells

Wells has seen cases where deficiencies were found in internal audits but the companies did not have the needed mechanism to insist on corrective actions, and to follow up on audit-related corrective actions. That’s why there needs to be a pipeline to inform upper management of audit findings.

“Weak audits and breakdowns in communication are serious concerns,” Wells said. “One solution is to build up an audit team and associated processes to give upper management the confidence they need to know systems are being evaluated and corrective actions are being done.”

Another solution is to use reputable third-party auditors to dig deep into the quality system and give upper management the thorough report they need.

“You should think of your deep-dive audit as your company’s annual physical exam,” Wells said. “In your personal life you want to get ahead of any physical problems found during your physical exam. It’s the same way with your quality system. You can only get ahead of the problem if you are aware of the problem.”

With a strong and effective internal audit program, any deficiencies should be out in the open and executive management will have an opportunity to fix noted problems.

“If you let the FDA find the problems, they will present your firm with an FDA-483 or warning letter with those same problems. In that case, it’s too late,” Wells said. “Once cited, companies are immediately behind the eight ball and they lose their ability to play offense with the FDA. The FDA-483 and warning letter result in the company playing defense instead.”

Management Review and Quality Goals, Objectives: Key Components of Effective Management Controls

Companies sometimes believe management controls is the same as management review, but management controls is much more than that.

“The FDA regulations require many specific elements in management controls,” QualityHub’s Wells said. “The key requirements are internal audits, quality policy, quality objectives, management review, quality planning, and trained personnel, as well as the catch-all requirements of having adequate personnel and adequate resources, which are often overlooked.”

“Internal staff needs to inform upper management of all gaps and deficiencies. Being blindsided by the FDA is always an awful way for upper management to learn about problems.” – Tim Wells

Wells noted that effective management review requires quality goals and objectives, pointing out that the FDA “did not use the words ‘quality goals’ when they revised 21 CFR, Part 820 back in 1996.” But he believes quality goals are essential for effective management controls.

“When you think about it, we often don’t accomplish what we want without first establishing goals. This also holds for quality,” he said. “We need goals and objectives that are measurable and being tracked. The goals are the perfect tool to use in management review.”

The first factor to consider is data. Regular compilation and comparison of data against goals is an essential part of strong management review. Below is a sampling of data that can be tracked; each manufacturer should customize their own goals and data elements for management review:

  • Post-market data such as complaint trending;
  • CAPA data;
  • Recall data and information on Health Hazard Evaluations and related activities;
  • Results from FDA inspections and progress on corrective actions;
  • Training metrics;
  • Status of audits against annual auditing goals;
  • Results from internal and third-party audits (and progress on corrective actions);
  • Supplier problems and related corrective actions; and
  • Progress on FDA updates.

Another key factor to consider is how management review meetings are conducted. “Management reviews should not be briefings for top management,” Wells said. “Instead, they should be interactive discussions.”

For example, executive management could ask:

  • Did we meet our goals for each of the areas where we are collecting data, and if not, what are we doing to meet those goals?
  • When will the needed improvement be implemented?
  • What will it take to meet our goals?

“Note that ISO 13485 is clear on management review,” Wells said. “It states that management review must result in decisions and actions related to system effectiveness, product improvement, and resource needs.”

Management review should also include discussions on why goals are not being met, with assignments being given to middle management to determine why that is happening.

“And in situations where the goals are already being met, companies should discuss whether they set the bar too low and if they want to make the goal tougher. Think of this as continuous improvement. Don’t firms want to keep getting better in the areas of quality and compliance?”

An important discussion topic during management review should be the two “catch-all requirements” written into FDA regulations for management controls:

  • Does the company have an adequate number of trained personnel?
  • Does the company have adequate resources so it can meet all FDA requirements?

ISO 13485 is clear when it comes to resources, with Clause 6.1 noting that “the organization must provide resources to implement and maintain the Quality Management System [QMS] and meet regulatory and customer requirements.”

During his many years in industry, Wells has seen a lack of personnel and resources morph into big problems. “Firms with recent FDA-483s and warning letters are often lacking in resources in the areas of quality and compliance,” he said. “While both FDA requirements may require a boost in dollars to address, companies should keep in mind that the cost to prevent quality system and product problems is almost always less than the cost of correcting the problems after receipt of an FDA-483 or warning letter.”

Wells has seen several companies spend a boatload of money to rectify an FDA-483 or warning letter when they could’ve used a preventive and proactive approach instead that, while costly, would’ve saved cash in the end, long after the FDA inspection ended.

Quality System Buck Stops with CEOs – But Many May Not Know

QualityHub Principal Consultant Mahshid Zahed says an antidote to top management not understanding their legal obligations when it comes to management controls is to have empowered Regulatory Affairs and Quality Assurance teams that speak truth to power.

“If you have a strong quality and regulatory organization, the likelihood is that they are going to push the executive leadership team to think strategically about quality and compliance objectives,” said Zahed, a longtime industry expert who has worked in the MedTech, pharmaceutical, biologics, and combination products spaces. “Given how [the QSR and upcoming QMSR are] written, it’s very unusual, even for a small company, not to have some form of quality objectives.”

But too often, she says, quality and regulatory leaders fail to challenge the C-suite to ensure they fulfill their quality and regulatory responsibilities.

“Education on management control responsibilities is something that the quality and regulatory organizations must provide to enlighten the CEO and top executives that don’t work in an RA/QA space on a daily basis,” Zahed said in an interview with QHub Insights. “There needs to be conversations at the C-level so quality and regulatory leaders can say, ‘Listen, this is important.’”

“Quality must start at the very top, and quality can’t be all about words and slogans. Rather, you must live quality. You must walk the walk.” – Harry Aznoian

Meanwhile, another QualityHub Principal Consultant, Harry Aznoian, says the research and development (R&D) team should also be part of the mix to capture the attention of top leaders.

“One of the most important ingredients for management control success is collaboration between quality, regulatory, and R&D – there must be a mutual respect there and all three shouldn’t operate in silos,” he said.

In most companies, RA, QA, and R&D teams shoulder the responsibility for making sure top leaders are aware of and address quality system and product issues. But if top leaders are too busy or have other priorities, that can be a recipe for problems down the line. Leaders need to be receptive to learning about the health of their quality system and products.

“Do I believe in the function of the three legs of the RA/QA/R&D stool? Yes,” Aznoian said. “But you also need the commitment of upper management to make management control activities work smoothly. RA, QA, and R&D simply can’t say the words and suddenly executives will understand. And a lot of that is the company’s culture. Many companies even have their upper and lower management in separate silos, so it’s a difficult problem to tackle.”

He added: “In the end, quality must start at the very top, and quality can’t be all about words and slogans. It’s about people working together and it’s about the organization being committed to quality – not just putting a sign on the wall that says, ‘This is our quality policy.’ Rather, you must live quality. You must walk the walk.”

Consultant Zahed noted that she has at times met health industry executives who don’t understand the risks related to making products that are used by people.

“They must be cognizant of that and ensure that quality and product safety are a priority,” she said. “Their role as top company executives is to ensure compliance and safeguard the integrity of products they bring to market. Manufacturers of medical products rise or fall based on the quality decisions of a top executive.”

Zahed is concerned that some CEOs and other top executives sometimes aren’t fully aware of the consequences when their quality system and/or products go off the rails. This is where management controls can help everyone get on the same page.

“CEOs and top executives must create an environment where issues are escalated up to them so they are fully aware of what’s going on. It’s one of the core purposes of management reviews. Additionally, FDA places significant emphasis on the need for top executives to establish the quality objectives and policies and to actively review them during the management reviews. CEOs must maintain full visibility into the effectiveness of the company’s Quality Management System,” Zahed said.

“Unfortunately, sometimes executive management does not understand the true intent of management controls and how they need to master them,” she added. “They need to ask the right questions, challenge the organization, and embed quality and compliance objectives into every leader’s job description and performance objectives.”

The Bottom Line

MedTech manufacturers that conduct stellar management control activities and meet FDA requirements save money and have a trusted name in industry – which is something cash can’t buy.

“Having adequate management controls often means having fewer recalls and fewer complaints, as well as fewer FDA problems,” QualityHub’s Wells said. “When a company has a better brand reputation, it drives more revenue, fewer lawsuits, fewer personal injury cases, fewer FDA findings, and less time spent responding to FDA-483s and warning letters. Oh, and fewer headaches, for sure.”

His bottom line? “Management control saves money and quality is an investment,” Wells said. “Yes, quality is going to cost a company money, but in the long run they’ll save more money than they invested.”
