July, 2026  Silver Spring, MD USA.  Back in 2008, at the Republican National Convention, then Maryland Lieutenant Governor Michael Steele coined the phrase “Drill, Baby, Drill” to promote U.S. energy independence by encouraging increased domestic oil and gas production.  The phrase gained wider recognition when Sarah Palin used it during the 2008 Vice Presidential debate, and continued to be associated with GOP energy policy during Donald Trump’s 2024 presidential campaign.  In April 2026, at the MedCon Conference, after having completed just over 100 of them, FDA shared the most frequently cited deficiencies from its new QMSR (Quality Management System Regulation) Inspections for medical device manufacturers.  Between February and April 2026, the top five Form-483 deficiencies have been:

  1. Risk Management
  2. Outsourcing and Purchasing
  3. Complaint Handling and Feedback
  4. Unique Device Identifiers (UDIs)
  5. CAPA

In reviewing the recent and frequent QMSR inspection 483’s, it’s clear that inspectors have been ‘drilling home’ a new campaign slogan: “Risk, Baby, Risk.”  Under the previous QSIT inspections, risk hardly ever was cited – for a good reason – under the QSR, there was a single mention of risk – in 820.30(g) the need for risk analysis as part of Design Validation.  The QMSR, and its basis on ISO 13485 has given inspectors a whole new approach to risk based on a single statement in 7.1 Product Realization Planning.  The statement requires one or more processes for Risk Management to be documented in product realization.  This requirement has been on the books for ISO 13485 certified companies from 2016.  However, for medical device manufacturers who would just whip out their device hazard analyses during the Design Control portion of the Inspection, this is a whole new ballgame.

For companies not yet ISO 13485 certified, as well as those already certified which have a single Risk Management SOP often tied to Design Controls, the re-mapping of Quality Manual and SOPs to the QMSR and ISO 13485 may not cut it for “Risk, Baby, Risk” during your next inspection.  To be sure, Risk Management is not just limited to Design and Development.  In fact, Risk Management has associations with many Quality Systems including the other deficiency areas cited in the first 100 inspections: Outsourcing and Purchasing, Complaint Handling, and CAPA.

There is a similar situation with UDI deficiencies.  Under QSIT, inspectors might cover the UDI process, but also ‘went where the previous gaps led.’  For example, under QSIT, inspectors starting with Complaint Handling and CAPA, then pursued those ‘rabbit holes’ in related Quality Systems: generally Design, Production, Non-conforming Product, etc.  However, under QMSR inspections, inspectors always go through the UDI process starting with obtaining and maintaining GUDIDs, making UDI’s consistent between labeling SOPs, often, the IT systems used to print the UDI on the product labels, and traceability for which lot and serial numbers were distributed where. 

If you are not yet ISO 13485 certified, or even if you are, but your Risk Management process is “Design heavy” and “Overall QMS Light”, and if you haven’t experienced a QMSR inspection yet, now is THE time to go beyond QMS document re-mapping, and bring your system into compliance and reap the rewards.  For more information, please click here.