In an industry where people's health and wellness are on the line, manufacturers can't afford to let risk go unaddressed. As the International Organization for Standardization (ISO) says, “safety and quality are nonnegotiable in the medical device industry.”

Regulatory bodies have recognized the importance of risk management in this industry. ISO 13485 is the standard for development, implementation, and maintenance of a quality management system (QMS) for medical device manufacturers and their suppliers. It features risk-based thinking and explicitly states multiple requirements for risk management within certain processes. ISO 9001, the general quality management standard, emphasizes risk-based thinking and risk management as overarching themes rather than a siloed aspect of quality management.

The shift in priorities within the latest revisions of the ISO 13485 and 9001 standards shows the importance of risk management within quality management, and especially in medical device manufacturing. This article addresses five areas where automated software improves risk management in medical device manufacturing: corrective action, supply chain management, cybersecurity, recall management, and regulatory compliance.


Corrective Action

Medical device manufacturers must have processes for the following areas as per 21 CFR 820 and other previously mentioned regulations:

  • Correction: actions intended to eliminate a nonconformity.

  • Corrective action: actions intended to eliminate the root cause of a nonconformity or undesirable situation.

  • Preventive action: actions intended to eliminate the cause of a potential nonconformity or undesirable situation.

How Does Software Help? The most important function of corrective and preventive action is making sure the issue doesn't happen again. Automated QMS software makes it possible to achieve this quickly and efficiently.

Running a root cause analysis helps determine all possible sources of risk, using different problem-solving tools and techniques to explore all possibilities. The manufacturer can determine if it was a supplier issue, if there are training gaps, if machines need maintenance, or any number of other possible causes.

From there, the team can collaborate to solve the issue. Standards require that information about the issues and all activities required in response be disseminated, with the objective to prevent the occurrence in other processes.

Once alerted, responsible parties can begin working on their tasks within the action plan, which features notifications and reminders to keep everyone on track. Finally, automated corrective and preventive action systems check the effectiveness of the action plan. Risk tools compare the current risk level with the level before the corrective action to confirm that the action was effective. These tools also continuously track incident data to confirm that the corrective action is continuing to mitigate the risk. Automating this process ensures effective corrective and preventive action, which gives the manufacturer confidence that issues will not recur and new ones will not arise.

Supply Chain Management

Medical device manufacturing is a supply chain-driven industry. The global contract manufacturing market is set to hit nearly $102.9 billion by 2021, according to market research firm Visiongain. With that said, an increasingly complex supply chain can bring just as many challenges to an organization as it can bring benefits.


Including external parties in a company's manufacturing operations increases risk, and that risk varies with the maturity of each supplier's processes and culture. Because of this variance, these risks are harder to measure via traditional communication methods.

How Does Software Help? An automated QMS is an excellent tool for mitigating and managing supply chain risk. Each supplier can have a file containing a scorecard and various ratings identifying the strengths and weaknesses of each supplier. That way, those risks can be factored into the company's processes and plans, and decisions can be made based on the lowest risk options.

If there is a weakness or an issue with a supplier, the company can issue a supplier corrective action request (SCAR). The SCAR syncs with the internal quality system so the supplier's activity can be tracked, but the supplier sees only what it has been granted access to, protecting sensitive documents.

Automated supplier management systems provide a central location for checklists, requirements, and standards, which also works to lower supplier risk.


Cybersecurity

With the rise of artificial intelligence and data capturing in medical devices, organizations are increasingly vulnerable to cyberattacks targeting information like patient profiles and hospital records. The average cost of a cybersecurity attack over an 18-day span is $415,748. But for medical device manufacturers, the cost can be more than just money. If patients’ personal information is compromised, they can lose trust in a brand for good. FDA recommends taking a proactive approach to risk surrounding interoperable medical devices, starting as early as the design phase.

How Does Software Help? With an automated QMS, a company can use a number of risk tools to proactively mitigate cybersecurity threats:

  • Failure modes and effects analysis (FMEA): This tool identifies all the possible ways a product could fail by analyzing each aspect of the product design. That way, the company can take measures to prevent failures before the product is even made.

  • Risk matrix: This versatile tool can be used in a number of quality processes, and it applies well to cybersecurity. This color-coded chart plots varying degrees of probability and impact, so the manufacturer can quantify the risk of a given event. Red represents unacceptable risk, while green represents generally acceptable risk levels. This is a general tool, so it can be used in a wide variety of cybersecurity tasks.

  • Decision tree: A decision tree is like a flow chart, using either decision points or yes/no questions to map out potential outcomes. Each possibility branches out to further possibilities until an endpoint is reached. This is a good tool for measuring the risk and possible outcomes of introducing new types of technology and seeing its effect on cybersecurity.

  • Bowtie matrix: In the life sciences, a cybersecurity breach is considered a catastrophic event. A bowtie matrix visually represents the causes and effects of rare but potentially disastrous events. In the middle of the model would be the loss of control event, in this case the data breach. On the left side, list controls to prevent the breach, and on the right, define recovery measures.

FDA recommends utilizing risk tools in the design phase, starting with the FMEA.

Additionally, automated software builds in the capability to grant access to specific people for defined tasks and information. Combining risk management with advanced security tools drastically reduces the risk of an adverse cybersecurity event.

Recall Management

One of the goals of a QMS in a medical device manufacturing company is to prevent a recall. Software helps a manufacturer take a proactive approach to preventing recalls with risk management, starting in the design phase.


Applications like complaint handling linked with risk tools and corrective action can help filter out events that don't necessarily need a recall and that can be handled internally. Unfortunately, no matter how many preventive measures are put in place, recalls sometimes happen anyway. If a recall does happen despite best efforts, automated software can help streamline the process in the following ways:

  • Recall submission. Automated software helps a manufacturer launch and submit recalls to FDA quickly. Documents needed for a recall can be stored in a central location so that they are always on hand. Document control helps locate recall submission materials and launch a workflow to involve all necessary parties. Other applications allow forms to be submitted to FDA directly from the QMS, making the process even quicker.

  • Notifying the public. FDA requires all affected members of the public to be notified of a recall within a certain time frame. To avoid penalties, OEMs must keep procedures, recall plans, and templates for notification letters within an automated document control system.

  • Evaluating the recall. Once a recall is launched, it should be evaluated to figure out the root cause and prevent a similar issue from happening again. Linking recalls to a corrective and preventive action lets the manufacturer track all activity surrounding the recall and its subsequent action plan.

A manufacturer can then use a change management application to implement changes, internally and throughout the supply chain if necessary. This enables a systematic approach to evaluating the recall and correcting the underlying issue. With an automated QMS, the process of conducting a recall is no longer punitive, but rather an opportunity to mitigate risk by improving operations and products.


Regulatory Compliance

Medical device manufacturers and their suppliers must comply with many constantly changing standards. Compliance not only helps avoid penalties and fines; adhering to the required processes also inherently reduces risk. Some of those standards and regulations include:

  • ISO 9001: General quality management standards.

  • ISO 13485: Requirements for a quality management system for medical device manufacturers and their suppliers.

  • 21 CFR Part 11: Requirements for FDA-regulated industries for audits, validations, electronic signatures, documentation for software systems, and more.

  • EU Annex 11: Additional requirements to the EC-GMP Guide, specific to computerized systems.

  • ISO 14971: Requirements for the application of risk management to medical devices.

  • MDR EU: Regulatory framework for medical devices for countries in the European Union.

  • MDSAP: Medical device single audit program that recognizes a “global approach to auditing and monitoring the manufacturing of medical devices.”

How Does Software Help? Automated software gives a manufacturer a centralized location for managing everything needed for compliance. Two tools that can help the most are eMDR and audit management.

eMDR. Electronic Medical Device Reporting (eMDR) centralizes how FDA and medical device manufacturers communicate with each other, to address issues of data quality and integrity that came about while reporting serious issues.

With an eMDR tool, manufacturers can submit reports, develop written procedures, maintain files, and designate responsibility for receiving, reviewing, and evaluating complaints to see whether they need further attention. Having an eMDR application within a QMS lets a manufacturer incorporate complaint handling, corrective action, and risk management into all issues. Direct, automated communication with FDA ensures that data is accurate and unaltered, reducing the risk of important issues falling through the cracks.

Audit Management. Audits are often feared, but can actually be opportunities for learning and improvement. More importantly, audits are an important part of achieving and maintaining compliance with ISO standards, FDA regulations, and more. Automated software helps a manufacturer stay compliant and reduce organizational risks. It provides a central location to keep audit templates and other documents.

Closing Thoughts

The most recent revisions of ISO standards such as ISO 9001 and ISO 13485 have highlighted a common trend in quality management: developing procedures and operations with risk management in mind. Utilizing automated quality management software provides manufacturers with the tools to reduce risk in many key operational areas of medical device manufacturing.

This article was written by Alexa Sussman, Content Marketing Writer for EtQ, Farmingdale, NY.