FDA’s Shift to Risk-Based Inspections: What MedTech Companies Need to Know

  • Writer: luminawebsitedesig
  • Apr 23

By Shannon Campbell, PhD, Principal Consultant, Frank Healthcare Advisors


FDA inspections are about to feel very different for medical device manufacturers whose quality systems are not truly risk-driven. Under the updated Inspection of Medical Device Manufacturers Compliance Program (CP 7382.850) and the forthcoming Quality Management System Regulation (QMSR), FDA is moving toward a more focused, risk-based inspection model that aligns more closely with ISO 13485:2016 and concentrates on what matters most to patient safety and product performance.


In practical terms, this means FDA will spend less time asking whether procedures exist and more time assessing whether manufacturers can demonstrate effective control of their highest-risk products, processes, and suppliers.


HOW FDA WILL SCOPE INSPECTIONS NOW


FDA inspections are moving away from a uniform, checklist-driven approach toward targeted, risk-informed inspections. Inspection scope and depth will increasingly be shaped by product and process risk, as well as by signals such as complaints, adverse events, recalls, and prior inspection history. Rather than evaluating all elements of the quality system equally, investigators will focus on the manufacturer’s ability to control critical-to-quality processes and manage areas of highest risk.


In a typical future inspection, an investigator may start with a recent complaint trend or field action and trace it back through risk management files, design controls, process validation, and postmarket surveillance to see whether the underlying risks were anticipated, monitored, and addressed in a timely way. This approach rewards companies that can quickly tell a coherent,


WHY FDA EXPECTS RISK-DRIVEN QUALITY


This shift reflects a broader expectation that manufacturers operate mature, risk-driven quality systems, not just compliant documentation libraries. Under QMSR, risk management is expected to be fully integrated across the product lifecycle, linking design, development, manufacturing, and postmarket activities in a traceable way. FDA is placing less emphasis on the mere presence of procedures and more on whether companies can demonstrate that risks are identified, prioritized, and controlled in practice.


Alignment with ISO 13485 is therefore not simply a structural exercise or a matter of matching clause to clause. FDA expects quality systems to actively guide decision-making and resource allocation, particularly where risk is highest; for example, in design changes, process changes, supplier selection, and responses to postmarket signals.


WHAT INSPECTORS WILL ASK YOU TO SHOW


For manufacturers, this transition redefines what “inspection ready” means. Companies must be able to clearly explain how risks were identified, how they informed design and process controls, and how those controls are verified and maintained over time. Documentation must present a coherent and traceable narrative that connects risk assessments to testing, validation, and postmarket monitoring.


FDA will also place greater weight on postmarket signals when assessing whether a company is effectively managing emerging risks. Complaint trends, adverse events, recalls, and real-world performance data will increasingly be used as entry points to evaluate the adequacy of risk controls and CAPA. This is particularly important for software-driven and AI-enabled devices, where performance can evolve over time and where data drift, software updates, or new clinical use patterns can change the risk profile after launch.


In addition, supplier controls and data integrity are moving closer to the center of inspection focus. Manufacturers are expected to demonstrate risk-based oversight of critical suppliers and service providers, as well as robust governance of training and validation data used in algorithm development where AI/ML is involved.


TACTICAL VS. STRATEGIC RESPONSES


These inspection changes have implications well beyond quality and compliance. A company’s quality system maturity is now tightly linked to its regulatory and commercialization strategy, and inspection outcomes can influence timelines, investor confidence, and payer engagement, especially in categories where real-world performance and recalls are highly visible.


A purely tactical response to FDA’s shift might focus on updating SOPs, refreshing FMEA templates, and tightening complaint handling workflows. A more strategic response uses the same risk information to guide portfolio decisions, design and labeling updates, and evidence-generation plans, ensuring that quality, regulatory, and clinical functions operate from a shared, risk-based playbook.


HOW TO PREPARE NOW


To position your organization for risk-based inspections under QMSR, consider the following actions:

  • Map your existing QMS to ISO 13485 and QMSR, highlighting where risk management is not fully integrated into design, manufacturing, software lifecycle, and postmarket surveillance processes.

  • Build an inspection-ready “risk story” that connects hazard analysis, design controls, process validation, complaint handling, CAPA, and postmarket surveillance for your highest-risk products and processes.

  • Identify a small number of critical-to-quality processes and demonstrate how they are controlled, monitored, and trended using meaningful metrics, not just pass/fail checks.

  • Strengthen documentation and oversight of critical suppliers and AI/ML data pipelines, with a clear rationale for the depth of control and frequency of review based on risk.

  • Conduct a mock risk-based inspection or focused internal audit using recent complaints, adverse events, or field actions as starting points to test how well your systems work under real-world pressure.


BOTTOM LINE: TURN RISK INTO A COHERENT STORY


FDA’s move to risk-based inspections reflects a clear expectation: manufacturers must demonstrate that they are in control of the risks that matter most, across the full product lifecycle. Success will depend on the ability to align quality systems, regulatory strategy, and clinical evidence within a cohesive, risk-driven framework that stands up under inspection.


If your team is unsure how to turn existing procedures and data into a coherent, inspection-ready risk story, targeted support in mapping QMSR to ISO 13485, strengthening lifecycle risk integration, and rehearsing risk-based inspection scenarios can significantly reduce uncertainty ahead of your next FDA interaction.
