FDA's #1 QMSR Form 483 Audit Findings, In Its Own Words: "Risk, Risk, Risk, Risk"
- Sharmila Bhatt
- 10 hours ago
- 3 min read
Five months into FDA's new Quality Management System Regulation, the agency has said out loud what's actually showing up in its inspections — and it's not a paperwork problem.
Speaking at the Food and Drug Law Institute's Annual Conference on May 6, 2026, Keisha Thomas, CDRH Associate Director in the Office of Product Evaluation and Quality, told attendees that FDA has now completed just north of 100 inspections under QMSR, which took effect February 2, 2026. For Form 483 observations issued between February and mid-April, she ranked the top areas as: risk management first, by a wide margin, followed by outsourcing and purchasing problems, inadequate complaint handling, unique device identification (UDI) issues, and corrective action violations.
Thomas didn't soften the point: "Risk, risk, risk, risk. That is the fundamental change to QMSR." Risk, she said, is meant to run through every process in the quality system — not sit in a standalone file produced for a submission and revisited only when something goes wrong.
Why risk management is topping the list. This isn't really a surprise in theory — ISO 13485 has embedded risk management for years, and QMSR incorporates that standard by reference. What's new is that inspection data is now showing, concretely, where the gap actually lives: risk files that exist as a document rather than as a live input feeding from complaints, CAPAs, supplier issues, and design changes. QMSR's risk-based inspection model is built to surface exactly that disconnect, and five months in, it's doing so at a higher rate than any other single area.
The other structural change worth your attention. QMSR does something QSR never did: it gives FDA investigators the authority to review internal audit reports, supplier audits, and management review records directly. Under the old regulation, these were confidential internal documents, off-limits to inspectors. Thomas confirmed FDA generally needs a reason to go looking at them — but a risk management finding, for instance, is exactly the kind of reason that opens that door.
That change is already shaping how companies write internal documentation. At the same conference, an attorney representing Johnson & Johnson said the company has started training staff and is being more deliberate about the language used in internal audits, on the expectation that FDA could read those records directly going forward. That's a reasonable, practical response — not a call to hide findings, but a reminder that internal audit language should be accurate without being sloppy about how gaps and remediation status are described.
What this means for your next audit prep. Three concrete takeaways:
Treat risk management as connective tissue, not a deliverable. If your risk file isn't actively pulling in complaint trends, CAPA outcomes, and supplier issues, that's the gap FDA is most likely to find first.
Revisit how internal audit and management review records are written. They're no longer purely internal — write them assuming they could be read directly, with clear, accurate remediation status attached to any open finding.
Outsourcing/purchasing and complaint handling are the next two places worth a fresh look — they're second and third on FDA's own list, not far behind risk management.
A note on tooling. The gap FDA is describing — a risk file that's disconnected from the complaints, CAPAs, and supplier data that should feed it — is exactly the kind of thing that's hard to catch manually, because those inputs usually live in different systems. Lexim Sphere is built to connect those threads into one view rather than four separate spreadsheets, so the disconnect shows up before an inspector finds it.
Sources - QMSR Form 483 Audit Findings
RAPS (Regulatory Focus), "FDA official details top observations from QMSR inspections," 14 May 2026, by Joanne S. Eglovitch: https://www.raps.org/resource/fda-official-details-top-observations-from-qmsr-inspections.html
FDA, Quality Management System Regulation (QMSR) — Frequently Asked Questions: https://www.fda.gov/medical-devices/quality-management-system-regulation-qmsr/quality-management-system-regulation-frequently-asked-questions
FDA, Quality Management System Regulation (QMSR) overview page: https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr
