Risk Management is the #1 FDA Finding under QMSR

Risk management is the FDA's most frequently cited finding under the new QMSR. At the same time, the IMDRF has published guidance on supplier control.

WQS can help you achieve compliance.

The FDA’s Quality Management System Regulation (QMSR) replaced the former QS Regulation on February 2, 2026, incorporating ISO 13485:2016 by reference. For the first time, FDA inspectors now review internal audit records, management review documents, and supplier audit reports. Risk management is no longer a design-controls topic: it must permeate every QMS process.

QMSR Inspections 2026

Between February 2 and March 31, 2026, the FDA conducted over 100 inspections under the new QMSR compliance program. The top Form 483 observations show where companies are falling short.

1. Risk Management

“Risk is central to all QMS activities.” FDA inspectors cite vague, incomplete, or siloed risk controls. Companies confuse hazards and harms, and their documentation lacks specificity.

2. Outsourcing & Purchasing

Supplier audits are now directly accessible to FDA inspectors for the first time. Inadequate supplier qualification and a lack of risk-based controls are frequently cited as issues.

3. Complaint Handling & Feedback

Post-market surveillance integration with risk management is insufficient. Complaints are logged but not systematically fed back into risk files.

4. Unique Device Identifier (UDI)

UDI traceability gaps in QMS documentation continue to generate citations, particularly for combination products and IVDs.

5. Corrective Action (CAPA)

CAPA processes lack risk-based prioritization. Under QMSR, CAPA processes must demonstrably integrate risk management criteria.

The FDA’s findings under the QMSR reflect the areas that Notified Bodies and national authorities also review under the EU MDR/IVDR. Key audit topics in the European context include risk management in accordance with ISO 14971, supplier management in accordance with ISO 13485 Section 7.4, and post-market surveillance.

New IMDRF Guidance: Supplier Control under ISO 13485

The IMDRF’s draft guidance “Control of Products and Services Obtained from Suppliers” directly addresses the #2 FDA finding and aligns with ISO 13485, ISO 9001, and ISO 14971. The guidance defines six phases of supplier control and emphasizes a key principle: manufacturers retain full regulatory responsibility, even when outsourcing.

Which regulations apply, and how are they connected?

The IMDRF guidance refers to three key standards. A robust supplier and risk management system must consistently address all three.

ISO 13485:2016 QMS Medical Devices

Section 7.4 governs purchasing and supplier management. This section forms the basis for both the QMSR and the EU MDR proof of conformity. Documented procedures for supplier evaluation and monitoring are required.

ISO 14971:2019 Risk Management

Defines the risk management process across the entire product lifecycle. Under QMSR, risk management must permeate all QMS processes. Supplier risks must be explicitly assessed.

ISO 9001:2015 General QMS

Section 8.4 addresses the control of externally provided processes. This is relevant for manufacturers with a broader quality management system. The IMDRF guidance explicitly builds upon these requirements.

Manufacturer Responsibility

Even when production or testing is outsourced, the manufacturer retains full QMS accountability. This principle is explicitly aligned with FDA, EU MDR, and Health Canada expectations.

Risk-Proportional Control

Supplier oversight must be proportional to the risks of the supplied product or service. ISO certification alone is insufficient; substantive evaluation is required.

Scope

Applies to all medical devices including IVDs and combination products. It is relevant for manufacturers, contract manufacturers, importers, distributors, and auditing bodies.

Feedback Welcome

The IMDRF is accepting stakeholder feedback on this draft. WQS can help you formulate and submit comments to shape the final guidance.

Harmonization Purpose

This guidance is designed for educational and harmonization purposes rather than direct regulatory auditing, but it signals exactly what the FDA, the EU MDR, and other authorities expect in practice.

The Six Phases of IMDRF Supplier Control

Phase 1: Planning

Define supplier categories, risk classifications, and control requirements before procurement begins. Establish documented procedures for all subsequent phases.

Phase 2: Selection of Potential Suppliers

Assess business capability, technological competence, and quality maturity. Substantive evaluation is required by the guidance.

Phase 3: Supplier Evaluation & Acceptance

Conduct questionnaires, desktop reviews, on-site or remote audits, product testing, first article inspections, and quality management system (QMS) effectiveness reviews. Document all findings and approval decisions.

Phase 4: Establishment of Controls & Change Management

Define contractual requirements, incoming inspection criteria, and change notification obligations. Change management must be active from day one and revisited at every phase.

Phase 5: Delivery, Monitoring & Measurement

Monitor supplier performance using KPIs, nonconformance data, and periodic re-evaluation. Maintain evidence proportional to the risk level of supplied items.

Phase 6: Feedback, Communication & CAPA

Feed market data and complaint information back to suppliers. Initiate and track corrective actions. Close the loop between post-market and supplier quality.

Our QMS & Supplier Control Services

WQS combines deep regulatory expertise with hands-on QMS implementation. We work alongside your team, building what you need to pass inspection.

Risk Management Gap Analysis

Systematic evaluation of your existing risk documentation against ISO 14971 and QMSR requirements, with a prioritized remediation roadmap and inspection readiness scoring.

Risk Management Uplift

Review and strengthen your risk files, risk controls, and risk-benefit documentation. Align ISO 14971 implementation with QMSR’s risk-first inspection approach.

Supplier Control Program

Build or overhaul your supplier qualification, evaluation, and monitoring system to be fully aligned with the new IMDRF draft guidance and FDA QMSR expectations.

Inspection Readiness

Conduct mock FDA inspections focused on the top five QMSR findings. Prepare your internal audit records and management review documentation for direct FDA review.

CAPA & Complaint Integration

Link your post-market surveillance data with risk files and the CAPA system. Close the feedback loop between market surveillance and supplier quality.

Dual-Market Compliance

Simultaneously align your QMS with EU MDR / IVDR and US QMSR. Efficient, consistent, and tailored to both markets.

Get your QMSR ready.

Our team of regulatory affairs and quality management specialists is ready to support you on your QMSR compliance journey, from gap assessment to inspection day.

This page provides regulatory information and does not constitute legal advice. Regulatory requirements vary by jurisdiction.