Four Months Under QMSR: Risk Management Is FDA's Top Citation
CDRH's first QMSR inspection data shows NAI falling to 48.8% in the framework's first four months. The top finding is risk management integration. Firms document their risk controls but cannot show they built them. The pattern pharma teams have watched in CAPA citations for years has arrived in the device sector under a new regulatory name.
DSRV Intelligence
AI Pharmaceutical Quality Intelligence
CDRH's first four months of QMSR inspections produced a finding that quality professionals across the industry should recognize immediately. Risk management integration is the top citation under the new Compliance Program Manual 7382.850. Not because firms lack risk management files. Because they have the files and cannot show the controls were actually implemented.
CDRH Associate Director Keisha Thomas delivered the data at the RAPS Quality Conference in Baltimore on June 10, 2026. The numbers reflect the agency's experience since QMSR took effect February 2, 2026. In those first four months, the NAI rate dropped to 48.8% while VAI classifications rose to 51.2%. More facilities are leaving inspections with action items than before QMSR. The framework change tightened the standard, and the outcomes confirm it.
The top five citation categories Thomas presented are worth examining in order: risk management integration, CAPA procedures, risk-based approach application, complaint handling, and purchasing controls. Anyone who has followed FDA enforcement trends for the past three years will recognize that list. CAPA, complaint handling, and supplier control have been the persistent top three in both drug and device inspections since 2023. QMSR did not change the pattern. It formalized the new framework around a problem that already existed.
The risk management integration finding carries a specific meaning that deserves attention. Thomas was direct at RAPS about what inspectors are encountering: firms document their risk controls in risk management files, but when inspectors look for evidence those controls were actually implemented on the manufacturing floor, it is not there. The file exists. The implementation does not. Under QMSR's ISO 13485-informed framework, that gap is a compliance violation, not an administrative shortcoming.
The practical difference between documented and implemented risk management becomes visible during inspection when FDA asks specific questions. If a firm identified contamination risk as a priority control in its risk management file, inspectors will look for how that control is expressed in the facility's environmental monitoring program, cleaning validation records, and operator training history. If the risk file names supplier variability as a key risk, inspectors will look at supplier qualification records, incoming material testing data, and audit frequency. The existence of the risk analysis does not satisfy the regulatory requirement. The presence of records showing the control was operational does.
The third citation on Thomas's list, risk-based approach application, is related to risk management integration but distinct enough to warrant separate attention. Risk management integration is about the gap between documenting controls and implementing them. Risk-based approach application is about whether the decision logic throughout the quality system is actually grounded in risk. When inspection findings, complaints, and deviations are handled with uniform urgency regardless of patient impact or failure mode severity, that is a risk-based approach failure. QMSR expects quality decisions to be proportional to risk, with an evidence trail showing how risk was assessed when each decision was made.
This is a version of the same problem that drives inadequate CAPA findings in pharmaceutical inspections. The procedure describes what should happen when a deviation occurs. The CAPA system records the event. But the investigation does not trace the deviation back to its root cause with enough specificity to drive a control that changes what actually happens on the line. The quality system documents the activity. The activity does not achieve what the regulation requires.
Thomas also made a clarification at the RAPS conference that every quality professional operating under QMSR needs to internalize: QMSR inspections are not ISO 13485 audits. FDA inspectors are checking compliance with FDA regulatory requirements. They are not certifying ISO conformity and they are not evaluating quality management systems against ISO criteria. A firm that completed an ISO 13485 recertification before the QMSR transition and assumed that translates into inspection readiness has made a category error. The two frameworks are related in structure. They are not equivalent in scope or regulatory authority.
This distinction has direct consequences for how quality teams prepare. An ISO 13485 audit assesses whether a quality management system meets a defined set of standard criteria as evaluated by a certifying body. An FDA QMSR inspection assesses whether quality practices, records, and outcomes demonstrate compliance with 21 CFR requirements. Those requirements are shaped by ISO 13485 under QMSR, but the authority is the FDA regulation, not the ISO standard. A firm can hold current ISO 13485 certification and still leave a QMSR inspection with a VAI classification. Certification and compliance are related. They are not the same.
The enforcement environment entering 2026 reflects a broader tightening of FDA's inspection expectations across both drug and device sectors. New frameworks like QMSR and updated compliance programs signal that the agency is actively resetting inspection standards, not simply enforcing existing ones. The underlying citation categories stay constant not because FDA is being repetitive, but because the execution problems those citations describe have not been resolved. New framework, same gap.
For quality teams outside the device sector, the RAPS data offers a calibration point. The QMSR citation list is not a device-specific anomaly. CAPA procedures sit at number two on QMSR's first-round list, exactly where they appear in drug CGMP inspection outcomes. Complaint handling is fourth. Purchasing controls are fifth. The structure of quality system failure is consistent across regulatory frameworks. The framework changes. The pattern persists.
What the QMSR data tells quality teams is this: the agency is not looking for a better-organized risk file. It is looking for evidence that risk controls changed what happens in your facility. Documentation is the record of implementation, not a substitute for it. Under both QMSR and drug CGMP regulations, the question an FDA inspector is answering is whether the quality system demonstrably protects product quality, not whether the quality system is properly described.
The firms in the 48.8% that left QMSR inspections with NAI outcomes showed inspectors evidence of implementation. The firms producing the top citation handed inspectors a risk file.
For quality teams preparing for QMSR inspections before the end of 2026, the CDRH data points to one specific readiness question worth asking now: if an inspector asked to see evidence that your risk controls were implemented, not documented, what would you show them?
If the answer is the risk file, that is the gap.
Thedson is a pharmaceutical stability and quality professional with deep expertise in regulatory science, ICH guidelines, and pharmaceutical quality systems. He founded DSRV to make high-quality regulatory intelligence accessible to professionals at every career stage.