Medical device manufacturers face increasing regulatory expectations to ensure product safety and effectiveness. A key tool in meeting these expectations is a robust Quality Management System (QMS). This article explores how manufacturers can use FDA 483 inspection observations as a strategic resource to strengthen their QMS, address systemic issues, and prepare for the upcoming transition to the FDA’s new Quality Management System Regulation (QMSR). By adopting a risk-based approach and learning from common industry pitfalls, manufacturers can enhance compliance, improve product outcomes, and drive business efficiency.
CONTENT
- The Role of Quality Systems in Medical Device Safety
- QMS Frameworks: ISO 13485 and the New QMSR
- Differences Between QSR and QMSR
- Inspections and Audits in a QMS Environment
- Limitations of ISO 13485:2016 Accreditation – and Its Strategic Advantages
- Audit Preparation and Expectations
- Using FDA 483 Observations as a Learning Tool
- Common Systemic Failures Identified
- Applying ISO 13485:2016 Clause 4.1.2(b)
- Benefits of a Risk-Based Quality System
- Final Thoughts
The Role of Quality Systems in Medical Device Safety
Medical devices users trust that the product they rely on are both safe and effective for its intended purpose. However, even after risk controls have been introduced, the use of a medical device involves an inherent degree of risk that the device manufacturer defines and controls.
Part of the risk controls adopted by the manufacturer is implementation of a quality management system (QMS) to ensure their activities remain consistent and effective in producing medical devices to the required specification.
In this article, we explore how medical device manufacturers can leverage FDA 483 observations, commonly issued after inspections, to improve their QMS, and enhance medical device safety, among other valuable insights to improve their business efficiency.
QMS Frameworks: ISO 13485 and the New QMSR
The most common QMS used by medical device manufacturers is ISO 13485:2016 as it is internationally accepted. US manufacturers historically followed the Quality System Regulation 21 CFR 820 (QSR), which shares some structure with ISO 13485:2016.
However, a major shift is coming.
Starting from February 6th, 2026, the Quality Management System Regulation (QMSR) will come into effect in the US, officially replacing the QSR. The QMSR formalizes its alignment with ISO 13485:2016 by incorporating the standard by reference.
This change represents a substantial step towards global harmonisation and requires manufacturer’s placing product on the US market to adapt.
Differences Between QSR and QMSR
The incorporation of ISO 13485:2016 by reference into the QMSR strengthens the QMS requirements for medical device manufacturers, including requiring a more comprehensive risk management approach, stricter supplier control requirements, and an enhanced focus on post-market surveillance. Additionally, it is important to remember that while many familiar QSR clauses (e.g., 21 CFR 820.30 on Design Control) have been replaced by ISO 13485:2016 clauses, some clauses unique to the QSR have been retained in the QMSR and renumbered.
For example:
- 21 CFR 820.198 (Complaint Records) - now 21 CFR 820.35(a)
- 21 CFR 820.200 (Servicing) - now 21 CFR 820.35(b)
In carrying forward certain FDA expectations beyond ISO 13845, the QMSR goes beyond ISO 13485:2016 requirements.
Inspections and Audits in a QMS Environment
A QMS must maintain its effectiveness, and this is assessed in part through external independent audits or inspections conducted by:
- Notified Body (NB) for European Economic Area (EEA) markets
- Accredited Certification Body (ACB) for ISO certification
- FDA for US-destined products.
The FDA’s inspection authority remains unchanged by the introduction of QMSR, whilst their expectations have changed. Unlike NBs, the FDA is likely to continue publishing its inspection observation data (FDA 483s)1 for all the program areas it covers, including:
- 21 CFR 801 (Labelling)
- 803 (Medical Device Reporting)
- 806 (Reports of Corrections and Removals)
- 809 (IVD)
- 812 (IDE)
- 821 (Medical Device Tracking Requirements)
- 820 (QSR/QMSR)
Limitations of ISO 13485:2016 Accreditation – and Its Strategic Advantages
While ISO 13485:2016 certification alone does not ensure full compliance with the FDA’s new QMSR, it remains a strong foundation and a good starting point. It aligns with the core quality principles of QMSR and helps streamline the transition.
ISO 13485 certified organisations benefit from:
- Established systems audited by a 3rd party
- Risk-based thinking and processes
- Improved audit readiness
- A smoother path towards QMSR compliance.
Manufacturers using the Medical Device Single Audit Program (MDSAP) are especially well-positioned: MDSAP is based on ISO 13485:2016 and incorporates the additional QSR elements absent from ISO 13485:2016. The MDSAP audit guidance is, therefore, a useful tool for all manufacturers placing product on the US market. 2
Nonconformities – whether received as an FDA 483 or certification audit - can be costly involving internal labour costs, external fees, potentially new equipment, product recalls, or delayed projects. Proactive QMS strengthening is, therefore, a cost-effective investment.
Audit Preparation and Expectations
Audit and inspection scopes are generally known in advance:
- FDA inspections are guided by the Quality System Inspection Technique (QSIT) 3
- NB/ACB audits follow a scheduled surveillance plan through to the next recertification audit. These plans are regularly updated to take into account and changes and indicate the areas the auditor will be reviewing at their next visit.
- MDSAP agendas are available online.
Exceptions include “for cause” and unannounced audits:
- For Cause Audits: Triggered by a specific issue and focus on related documents, records, and processes. These audits may be delivered with short notice.
- Unannounced Audits: Required for the EU MDR and must occur at least once every three years, focusing on product and production processes. However, they are also used exceptionally in MDSAP and ISO 13485 certification schemes.
Preparation is key: understanding their own QMS through internal and external lenses allows manufacturers to improve their ability to prepare for these events and successfully navigate them when they occur.
Using FDA 483 Observations as a Learning Tool
FDA 483 inspection observation records (from 2006) offer valuable insights into systemic QMS for medical devices weaknesses across the industry. These observations are ranked by the most frequently cited observations and summarized (see Figure 1). Many stem from recuring QMS failures.
Citation Program Area | Cite ID | Reference Number | Short Description | Long Description | Frequency |
---|---|---|---|---|---|
Devices | 3130 | 21 CFR 820.100(a) | Lack of or inadequate procedures | Procedures for corrective and preventive action have not been [adequately] established. Specifically, *** | 254 |
Devices | 14713 | 21 CFR 820.198(a) | Lack of or inadequate complaint procedures | Procedures for receiving, reviewing, and evaluating complaints by a formally designated unit have not been [adequately] established. Specifically, *** | 191 |
Devices | 3282 | 21 CFR 820.90(a) | Nonconforming product, Lack of or inadequate procedures | Procedures have not been [adequately] established to control product that does not conform to specified requirements. Specifically, *** | 92 |
Figure 1: Extract from FY24 Inspection Observations, source: FDA
This list provides valuable information to allow manufacturers to prepare their QMSs to avoid unnecessary observations and nonconformances. In addition to analysing data by regulatory clause, we recommend reviewing either the short or long description datasets holistically across clauses to identify cross-functional process weaknesses.
Common Systemic Failures Identified
A cross-clause analysis of the FDQ 483 descriptions reveals recurring issues:
- Failure to establish processes
- Incomplete process content, documentation or records
- Undefined authorities and responsibilities
- Inadequate monitoring processes (e.g., management reviews, internal audits)
- Delays or omissions in regulatory reporting
Analysing the data as a learning opportunity, rather than examples of regulatory set-backs, helps to identify specific process areas that frequently lead to observations/ non-conformances. For example, Corrective Action and Preventive Action (CAPA), Complaints and Purchasing are repeatedly the top three clauses resulting in observations. CAPA is usually top as where a finding is raised against any process and is not fully addressed, a finding will be raised against the CAPA process. For complaints, often these are forewarnings of potential recalls. They need to be fully assessed to mitigate more costly actions. Purchasing often fails as changes are not correctly managed: changes in the compliance of the purchased product are not followed up with actions, leading to defective product.
Alongside external reviews, manufacturers should analyse internal audit findings, CAPA data, management review outcomes, and trend analyses. These should be compared to FDA observations for a full risk profile.
Applying ISO 13485:2016 Clause 4.1.2(b)
With this information available, it would be beneficial to consider a clause from ISO 13485:2016, namely 4.1.2(b)
“The organization shall apply a risk-based approach to the control of the appropriate processes needed for quality management system”.
This clause requires the manufacturer to consider the risk of those QMS processes producing undesired effects that would impact the medical device’s safety and effectiveness. Not all processes carry equal weight and by identifying the processes that pose the greatest risk to device safety and performance, the manufacturer can:
- Prioritise resources effectively
- Focus on areas and controls that matter most
- Strengthen surveillance across the product lifecycle to have the most impact.
A medical device lifecycle covers multiple phases, initial concept through design, manufacturing, post market activity to final disposal. Each of these lifecycle phases has associated processes, documentation and records and interact with other phases of the lifecycle.
A risk-based approach allows for the prioritisation of the processes, documentation and records which present the highest risk to the medical device’s safety and effectiveness. Allowing for more effective use of available resources to control those identified risks.
Benefits of a Risk-Based Quality System
Understanding the risk and impact of the QMS processes and their interactions on medical device safety and effectiveness provides several benefits to the organisation:
- Avoiding gaps in the QMS caused by missing processes
- Clearer organisational responsibilities and authorities
- Ensuring the content of processes, documents and records are complete and cover the information needed to demonstrate the medical device’s safety and performance.
- Defining KPIs that reflect the QMS ongoing adequacy and effectiveness
- Reducing delays in communication
- More effective change management, as the impact of change can be better assessed.
- Process improvements will be based on a solid foundation of understanding the QMS and how it impacts medical device safety and effectiveness.
- Timely provision of information during audit/inspection.
Clearer strategy as process and product improvement will be driven by data.
Final Thoughts
Most external audits are time limited. Audit outcomes depend on the documents and processes sampled in the audit and the questions asked and responses given. Accordingly, issues may go unnoticed in one audit; but arise in the next audit. Unnoticed issues can also lead to inefficiency and product failures. Manufacturers should consider the external inspections/audits as verification that their internal audit system is working effectively rather than a regulatory hurdle.
The FDA 483 inspection observation can be a strategic tool to help:
- Guide a holistic view of systemic issues (e.g., missing processes).
- Improve QMS and potentially avoid unnecessary expensive non-conformances.
- Adopt a risk-based approach and risk-based thinking.
- Embrace a proactive mindset.
- Deepen understanding of QMS.
- Mitigate risks to product safety and performance
As regulatory expectations evolve, the most successful companies will be those that go beyond the baseline compliance and build resilient, risk-based quality systems that drive product safety and effectiveness, as well as business efficiencies.
1 FDA Inspectional Observations Inspection Observations | FDA
Ready to strengthen your QMS and ensure compliance?
Partner with DQS for ISO 13485 certification and gain a competitive edge in medical device quality and safety.
DQS Newsletter
Rowland Lewis
Rowland is an experienced professional in the medical device and pharmaceutical industries, with a background spanning both manufacturing and consultancy. He is currently serving as a Technical Assessor at DQS MED, specialising in design assurance, regulatory compliance, and conformity assessment. His responsibilities include conducting audits and reviewing technical documentation in accordance with international medical device regulatory requirements.
Rowland is a Chartered Engineer with a strong academic background, including a Master’s degree in Quality Assurance and Regulatory Affairs.
