BALTIMORE — A senior U.S. Food and Drug Administration (FDA) official has emphasized that risk management remains the most common reason medical device manufacturers are cited for non-compliance with quality system requirements, and stressed that companies should treat risk management as an ongoing and continuously evolving process.
Keisha Thomas, associate director for compliance and quality at the FDA’s Center for Devices and Radiological Health (CDRH), addressed industry attendees at the RAPS Quality Conference, outlining updates to the agency’s inspection and compliance approach following the implementation of the Quality Management System Regulation (QMSR), which has been in effect for four months.
Thomas discussed the FDA’s updated compliance framework under CPM 7382.850, which replaced the previous Quality System Inspection Technique (QSIT). The new system uses a risk-based inspection model designed to evaluate medical device manufacturers across six quality management system (QMS) areas, alongside other applicable regulatory requirements.
She explained that inspections are now guided by firm-specific risk factors, with investigators reviewing pre-inspection data such as medical device reports (MDRs), product recalls, and complaint histories. Unlike previous approaches, standardized sampling tables are no longer used.
According to Thomas, the inspection model is fully risk-based, affecting both how firms are selected for inspection and how inspections are conducted. She noted that the FDA now evaluates all six QMS areas during inspections rather than focusing on select components.
While the FDA has aligned its approach more closely with ISO 13485, the international standard for medical device quality management systems, Thomas clarified that FDA inspections are not equivalent to audits. Instead, they are intended to assess compliance with U.S. regulatory requirements.
Based on recent inspection findings and Form 483 observations, Thomas said the most frequently cited issues under QMSR include risk management, corrective actions, risk-based approaches, complaint handling, and purchasing controls. She noted that although it is still early to identify long-term trends, the types of citations remain similar to those issued prior to the updated regulation, though in a different order of frequency.
She highlighted ongoing concerns related to risk management practices, noting that some companies have established systems and documentation but do not consistently apply risk management across all areas of their quality systems. In such cases, risk management may exist in documentation but is not fully integrated into decision-making processes.
Thomas also explained changes in how corrective and preventive actions are treated under the updated framework. She said the concepts are now considered separately, with preventive actions no longer strictly linked to corrective actions, marking a shift in how quality issues are addressed within the system.
Under the updated interpretation, FDA investigators are focusing on whether companies proactively incorporate preventive actions within their quality systems, rather than treating them as a step that follows corrective measures.
When asked about medical device manufacturers participating in the Medical Device Single Audit Program (MDSAP), Thomas noted that while these companies are typically subject to third-party audits, they may still be selected for FDA inspection based on risk signals. These signals can include increases in complaints, MDRs, or product recalls.
She added that the FDA incorporates MDSAP audit data into its risk-based model and that manufacturers under the program may still receive inspections if risk indicators suggest additional regulatory review is needed.
Responding to questions about defining risk across different QMSR areas, Thomas acknowledged that while there has not historically been an explicit requirement to apply risk considerations to every category, the expectation has been that manufacturers incorporate risk-based thinking throughout their quality systems.
She emphasized that risk management should not be treated as a one-time or isolated function, but rather as an integrated and continuously developing component of a company’s operations.
“The system should be fluid, living, and continuously improving,” Thomas said, adding that risks can arise from multiple sources including system processes, products, and clinical factors, requiring ongoing evaluation and adjustment.
#FDA #MedicalDevices #QualityManagement #RegulatoryCompliance #HealthcareIndustry
