In an industry where people's health and wellness are on the line, manufacturers can't afford to let risk go unaddressed. As the International Organization for Standardization (ISO) says, “safety and quality are nonnegotiable in the medical device industry.”

Regulatory bodies have recognized the importance of risk management in this industry. ISO 13485 is the standard for development, implementation, and maintenance of a quality management system (QMS) for medical device manufacturers and their suppliers. It features risk-based thinking and explicitly states multiple requirements for risk management within certain processes. ISO 9001, the general quality management standard, emphasizes risk-based thinking and risk management as overarching themes rather than a siloed aspect of quality management.

The shift in priorities within the latest revisions of the ISO 13485 and 9001 standards shows the importance of risk management within quality management, but especially in medical device manufacturing. This article addresses five areas where automated software improves risk management in medical device manufacturing: corrective action, supply chain management, cybersecurity, recall management, and regulatory compliance.


Corrective Action

Under 21 CFR 820 (the FDA Quality System Regulation) and the ISO standards mentioned above, medical device manufacturers must have processes for the following:

  • Correction: actions intended to eliminate a nonconformity.

  • Corrective action: actions intended to eliminate the root cause of a nonconformity or undesirable situation.

  • Preventive action: actions that are intended to eliminate the cause of potential nonconformity or undesirable situation.

How Does Software Help? The most important function of corrective and preventive action is making sure the issue doesn't happen again. Automated QMS software makes it possible to achieve this quickly and efficiently.

Running a root cause analysis helps identify the likely sources of the risk, using different problem-solving tools and techniques to work through the possibilities. The manufacturer can determine whether it was a supplier issue, a training gap, a machine in need of maintenance, or any number of other causes.

From there, the team can collaborate to solve the issue. Standards require that information about the issues and all activities required in response be disseminated, with the objective to prevent the occurrence in other processes.

Once alerted, responsible parties can begin working on their tasks within the action plan, which uses notifications and reminders to keep everyone on track. Finally, automated corrective and preventive action systems check the effectiveness of the action plan. Risk tools compare the risk level after the corrective action with the level recorded before it to confirm that the action worked, and they continue to track incident data to confirm that the corrective action keeps mitigating the risk. Automating this process supports effective corrective and preventive action and gives the manufacturer evidence, rather than just assurance, that the issue is unlikely to recur.

Supply Chain Management

Medical device manufacturing is a supply chain-driven industry. The global contract manufacturing market is set to hit nearly $102.9 billion by 2021, according to market research firm Visiongain.1 With that said, an increasingly complex supply chain can bring just as many challenges to an organization as it can bring benefits.


Including external parties in a company's manufacturing operations increases risk, and the amount of risk varies with each supplier's process maturity and culture. Because of that variance, these risks are harder to measure through traditional communication methods.

How Does Software Help? An automated QMS is an excellent tool for mitigating and managing supply chain risk. Each supplier can have a file containing a scorecard and various ratings identifying the strengths and weaknesses of each supplier. That way, those risks can be factored into the company's processes and plans, and decisions can be made based on the lowest risk options.

If there is a weakness or an issue with a supplier, the company can issue a supplier corrective action request (SCAR). It syncs with the internal quality system so the supplier's activity can be tracked, but the supplier sees only what it has been granted access to, which protects sensitive documents.

Automated supplier management systems provide a central location for checklists, requirements, and standards, which also works to lower supplier risk.

Cybersecurity
With the rise of artificial intelligence and data capture in medical devices, organizations are increasingly exposed to cyberattacks targeting information such as patient profiles and hospital records. The article's source puts the average cost of a cybersecurity attack over an 18-day span at $415,748. But for medical device manufacturers, the cost can be more than just money: if patients' personal information is compromised, they can lose trust in a brand for good. FDA recommends taking a proactive approach to the risks surrounding interoperable medical devices, starting as early as the design phase.

How Does Software Help? With an automated QMS, a company can use a number of risk tools to proactively mitigate cybersecurity threats:

  • Failure modes and effects analysis (FMEA): This tool systematically works through the ways a product could fail by analyzing each element of the product design, including its network interfaces, update mechanisms, and data handling. That way, the company can take measures to prevent failures before the product is even made.

  • Risk matrix: This versatile tool can be used in a number of quality processes, and it applies well to cybersecurity. This color-coded chart plots degrees of probability against degrees of impact, so the manufacturer can rank the risk of a given event. Red represents unacceptable risk, while green represents generally acceptable risk levels. Because it is a general tool, it can be used in a wide variety of cybersecurity tasks.

  • Decision tree: A decision tree is like a flow chart, using decision points or yes/no questions to map out potential outcomes. Each possibility branches out to further possibilities until an endpoint is reached. This is a good tool for weighing the risks and possible outcomes of introducing a new type of technology and seeing its effect on cybersecurity.

  • Bowtie matrix: In the life sciences, a cybersecurity breach is treated as a potentially catastrophic event. A bowtie matrix visually represents the causes and effects of rare but potentially disastrous events. In the middle of the model is the loss-of-control event, in this case the data breach. On the left side, list controls that prevent the breach, and on the right, define recovery measures that limit its consequences.
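The FMEA and risk matrix above, and the "compare risk before and after the corrective action" effectiveness check from the Corrective Action section, can be combined in a few dozen lines. The following is an added example, not code from the article or from any QMS product: it scores constructed failure modes for a hypothetical Wi-Fi-connected infusion pump with the usual FMEA risk priority number (severity x occurrence x detection), places each one on a probability/severity matrix, and then re-evaluates it with the residual ratings assigned after controls. The 1..5 scales, the matrix zones, the RPN threshold, and the sample rows are all assumptions made for the illustration; a real program takes them from its own risk management plan.

```python
"""Cyber-FMEA with a risk-matrix acceptability check and a residual-risk
(effectiveness) re-evaluation for a connected medical device.

Added example, not code from the article or from any QMS product. The 1..5
rating scales, the matrix zones, the RPN threshold and the sample failure
modes are all assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed matrix: rows = probability 1 (improbable)..5 (frequent),
# columns = severity 1 (negligible)..5 (catastrophic).
# "R" = unacceptable, "Y" = reduce as far as practicable, "G" = acceptable.
RISK_MATRIX = [
    ["G", "G", "G", "Y", "Y"],
    ["G", "G", "Y", "Y", "R"],
    ["G", "Y", "Y", "R", "R"],
    ["Y", "Y", "R", "R", "R"],
    ["Y", "R", "R", "R", "R"],
]


def zone(probability: int, severity: int) -> str:
    """Colour zone for a (probability, severity) pair on the assumed matrix."""
    if not (1 <= probability <= 5 and 1 <= severity <= 5):
        raise ValueError("ratings must be integers in 1..5")
    return RISK_MATRIX[probability - 1][severity - 1]


@dataclass
class FailureMode:
    item: str                       # design element under analysis
    mode: str                       # how it fails
    effect: str                     # consequence for patient or data
    severity: int                   # 1..5
    occurrence: int                 # 1..5, likelihood of the failure
    detection: int                  # 1..5, 5 = hardest to detect before harm
    controls: list = field(default_factory=list)
    # (severity, occurrence, detection) after the controls; None = unassessed
    residual: Optional[tuple] = None

    def ratings(self, residual: bool = False) -> tuple:
        if residual and self.residual is not None:
            return self.residual
        return (self.severity, self.occurrence, self.detection)

    def rpn(self, residual: bool = False) -> int:
        """Risk priority number S x O x D, the usual FMEA ranking score."""
        s, o, d = self.ratings(residual)
        return s * o * d

    def zone(self, residual: bool = False) -> str:
        """Matrix zone, using occurrence as probability and severity as impact."""
        s, o, _ = self.ratings(residual)
        return zone(o, s)


def evaluate(modes, rpn_threshold: int = 40) -> list:
    """Rank failure modes by initial RPN and judge whether the listed controls
    are effective: residual risk must leave the red zone, fall under the RPN
    threshold and be strictly lower than before. A mode with no post-control
    ratings yet is reported as not effective rather than silently passed."""
    report = []
    for fm in sorted(modes, key=lambda m: m.rpn(), reverse=True):
        before_rpn, before_zone = fm.rpn(), fm.zone()
        after_rpn, after_zone = fm.rpn(residual=True), fm.zone(residual=True)
        effective = (fm.residual is not None and after_zone != "R"
                     and after_rpn < rpn_threshold and after_rpn < before_rpn)
        report.append({
            "item": fm.item, "mode": fm.mode,
            "before": (before_zone, before_rpn),
            "after": (after_zone, after_rpn),
            "effective": effective,
        })
    return report


# Constructed sample FMEA rows for a hypothetical Wi-Fi-connected infusion pump.
SAMPLE_MODES = [
    FailureMode("Wi-Fi telemetry interface", "accepts unauthenticated remote commands",
                "infusion rate altered", severity=5, occurrence=3, detection=4,
                controls=["mutual TLS", "signed command messages"],
                residual=(5, 1, 2)),
    FailureMode("Firmware update path", "update image not signature-checked",
                "malicious firmware installed", severity=5, occurrence=2, detection=5,
                controls=["planned: signed images"], residual=None),
    FailureMode("Patient record export", "records written unencrypted to USB media",
                "PHI disclosure", severity=4, occurrence=4, detection=3,
                controls=["encrypt exports at rest"], residual=(4, 2, 2)),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_MODES):
        print(row)
```

Two design points carry over from the text: severity is deliberately left unchanged after controls (a compromised infusion rate is just as harmful whether or not it is likely), so controls earn credit only by lowering occurrence or improving detection; and a row whose residual ratings have not been entered is flagged as not effective, which is the automated equivalent of the QMS refusing to close a corrective action before its effectiveness check is recorded.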

FDA recommends utilizing risk tools in the design phase, starting with the FMEA.

Additionally, automated software builds in role-based access control, so that specific people are granted access only to the tasks and information they need. Combining risk management with such access controls reduces both the likelihood and the impact of an adverse cybersecurity event.

Recall Management

One of the goals of a QMS in a medical device manufacturing company is to prevent a recall. Software helps a manufacturer take a proactive approach to preventing recalls with risk management, starting in the design phase.


Applications like complaint handling linked with risk tools and corrective action can help filter out events that don't necessarily need a recall and that can be handled internally. Unfortunately, no matter how many preventive measures are put in place, recalls sometimes happen anyway. If a recall does happen despite best efforts, automated software can help streamline the process in the following ways:

  • Recall submission. Automated software helps a manufacturer launch and submit recalls to FDA quickly. Documents needed for a recall can be stored in a central location so that they are always on hand. Document control helps locate recall submission materials and launch a workflow to involve all necessary parties. Other applications allow forms to be submitted to FDA directly from the QMS, making the process even quicker.

  • Notifying the public. FDA requires that affected parties be notified of a recall within a specified time frame. Keeping procedures, recall plans, and notification letter templates in an automated document control system helps OEMs meet those deadlines and avoid penalties.

  • Evaluating the recall. Once a recall is launched, it should be evaluated to figure out the root cause and prevent a similar issue from happening again. Linking recalls to a corrective and preventive action lets the manufacturer track all activity surrounding the recall and its subsequent action plan.