Recent recall analysis shows that device failures are now a leading driver of medical device recalls, and Class I recalls have reached a 15-year high, with 101 medical device recalls recorded in October 2024 alone, according to Risk & Insurance’s 2024 recall review.
Financially, the impact is brutal. Industry research from Honeywell (Sparta Systems) and wider life-sciences quality analyses suggests that medical device recalls cost the sector up to $5 billion per year, with individual recall events often running between $1 million and $15 million, depending on product type and market footprint.
Behind many of these events sits the same pattern: QMS failures that were visible in hindsight, but not taken seriously enough in time.
This article walks through the top five quality management system failures, shows how they appear in real regulatory actions, and sets out practical ISO 13485-aligned strategies to prevent them.
Why Quality Management System failures still happen
Under ISO 13485 (and ISO 9001), a QMS is supposed to do three basic things:
- Keep processes controlled and repeatable
- Ensure traceability and product safety
- Provide evidence that regulatory requirements are consistently met
On paper, it is all very sensible. In practice, QMS failures still happen because organisations are human. Typical root causes include:
- Poor document control and uncontrolled change
- Leadership disengagement from quality and regulatory priorities
- CAPA systems that exist only on paper
- Untrained or overstretched staff
- Fragmented data across departments and sites
And the pressure is increasing. A 2024 global quality survey from ETQ on manufacturing and life sciences found that 73% of respondents had experienced at least one product recall in the previous five years, with many reporting direct recall costs in the $10–49.9 million range (excluding reputational and opportunity costs).
Regulators are reacting accordingly. The MHRA publishes its enforcement approach for medical devices.
FDA warning letters, MHRA investigations, and Notified Body suspensions frequently point back to the same systemic issues you’re about to see.
Failure #1 – Poor document control and record keeping
If you want to see a QMS fall over in slow motion, start with document control.
When procedures are outdated, signatures are missing, templates are duplicated, or records are stored across six different spreadsheets and someone’s inbox, risk multiplies quietly in the background.
Regulators know this. In a recent FDA warning letter case discussed by GMP Insiders, a medical device manufacturer was cited for continuing to use obsolete production procedures after process changes. The FDA noted failures in document control and inadequate investigation of nonconformities – a textbook QMS failure leading directly to enforcement.
Typical symptoms:
- Multiple versions of SOPs in circulation
- Forms edited locally without approval
- Incomplete batch records or DHRs
- No clear ownership for key procedures
Impact:
- Inconsistent manufacturing outcomes
- Nonconforming products slipping through
- Inability to reconstruct history during investigations
- High risk of ISO 13485 nonconformities and surveillance-audit pain
Prevention strategies:
- Implement a centralised digital document control system with role-based access and audit trails.
- Define clear ownership for each procedure and record type.
- Link document changes to risk assessments and, where appropriate, to CAPA.
- Conduct quarterly document and record reviews, focusing on high-risk processes.
This is one of the most preventable quality management system failures – but only if document control is treated as a live process, not admin.
Failure #2 – Inadequate CAPA system
If document control is the nervous system of your QMS, CAPA is the immune system. When it’s weak, everything else is at risk.
Regulators repeatedly highlight CAPA as a chronic failure area. Recent analyses of FDA warning-letter trends show that Corrective and Preventive Action deficiencies remain the most frequently cited QMS problem, appearing in over 60% of device warning letters and inspection findings, alongside design-control and complaint-handling failures. Complizen’s 2024–2025 review summarises exactly this pattern.
FDA’s own Quality System Regulation explainer reinforces that CAPA is one of the core elements inspectors evaluate.
How CAPA failures show up:
- The same issue appears in three audit cycles
- Complaints trend upwards with no clear action
- CAPAs closed without root-cause evidence
- No verification of effectiveness, just “action completed”
Notified Bodies are increasingly prepared to suspend certificates where CAPA is clearly ineffective. In 2023–2024, several manufacturers faced escalating findings because:
- The root-cause analysis consisted of guesswork instead of structured methods
- CAPAs focused on symptoms (“retrain staff”) rather than system causes
- There were no effectiveness checks, or they were purely superficial
Prevention strategies:
- Run formal CAPA review meetings with metrics like CAPA ageing, recurrence rate, and impact by process.
- Embed CAPA in management review under ISO 13485 Clause 5.6 – not as an afterthought, but as a core decision input.
- Train teams in structured problem-solving tools such as 5-Why, Ishikawa (Fishbone), and fault-tree analysis.
- Create a clear link between CAPA, complaints, nonconformities, internal audits, and risk management.
Strong CAPA is one of the most effective defences against QMS failures – and one of the first areas inspectors will test.
Failure #3 – Weak management commitment and oversight
You can have the best procedures and software in the world, but if leadership treats the QMS as “the quality team’s job”, failure is only a matter of time.
In MHRA and Notified Body inspections, weak management commitment often shows up as:
- Management review minutes that simply restate KPIs with no decisions
- No follow-up on previous review actions
- No linkage to strategic planning or resource allocation
- Quality objectives that are vague, unmeasured, or ignored
When leadership isn’t visibly steering the QMS, the culture follows. Quality becomes something to “get through for the audit”, not a real business priority.
Consequences:
- Chronic under-resourcing of QA/RA
- Firefighting mentality around audits and inspections
- Slow or incomplete responses to CAPA and complaints
- Low staff engagement with quality initiatives
Prevention strategies:
- Tie QMS KPIs to executive and board reporting – including complaint trends, CAPA effectiveness, audit findings, and PMS outputs.
- Conduct regular management reviews aligned with ISO 13485 Clause 5.6, with documented decisions and follow-up responsibilities.
- Nominate Quality Champions in key functions (R&D, operations, supply chain, customer support) to keep quality visible in day-to-day decisions.
In short: a QMS without genuine management backing will eventually turn into one of your biggest ISO 13485 failures.
Failure #4 – Insufficient supplier and outsourced process control
In a globalised supply chain, many critical risks now sit outside your building – in sterilisation providers, contract manufacturers, software partners, and testing labs.
FDA warning-letter statistics for 2023, summarised by ECA Academy, highlight failures to control suppliers and purchasing processes as a persistent theme, including missing supplier evaluations, poor quality agreements, and limited monitoring of supplier performance.
The FDA Warning Letters database provides a steady stream of concrete examples.
Typical supplier-control failures:
- Suppliers added based solely on price or lead time
- No documented qualification or risk ranking
- No formal quality agreements or vague ones that cannot be enforced
- Little or no monitoring of supplier nonconformities or complaint trends
Why it matters:
- A single defective batch of components can trigger global recalls
- Sterilisation or test-lab failures can undermine entire product families
- Regulators increasingly expect end-to-end traceability, not just internal control
Prevention strategies:
- Maintain an Approved Supplier List (ASL) with risk-based qualification and periodic re-evaluation.
- Use quality agreements that clearly define responsibilities, documentation, change-notification expectations, and escalation paths.
- Audit high-risk suppliers and critical outsourced processes at planned intervals, with follow-up CAPAs where needed.
- Integrate supplier issues into your internal CAPA system – supplier failures are not “external problems”, they are part of your QMS.
Failure #5 – Ineffective internal audits and training
If CAPA is the immune system, internal audits are the early-warning radar. When done well, they catch problems before regulators and customers do. When done badly, they create a dangerous illusion of safety.
A classic pattern:
- Internal audits repeatedly report “no findings”
- A Notified Body or FDA inspection then uncovers major issues in design files, risk management, PMS, and training
- Regulators quickly conclude that your internal audit programme is superficial or incompetent
Common issues:
- Auditors lack regulatory and process understanding
- Audits simply tick compliance with procedures, not the effectiveness of the process
- Audit scopes are narrow, focusing on paperwork rather than practice
- Audit findings are not linked to CAPA or management review
Training is often the quiet co-conspirator here. Staff are expected to “follow the SOPs” but:
- Have not been properly trained on them
- Don’t understand the regulatory context
- Are not evaluated for competency, only attendance
Prevention strategies:
- Implement a risk-based internal audit programme covering all QMS processes and interfaces, including design and development, production, PMS, and supplier management.
- Train internal auditors on both ISO 13485 and relevant regulations (UK MDR, EU MDR, 21 CFR 820 / QMSR), and periodically calibrate audit techniques.
- Require CAPA for significant audit findings and track recurrence metrics.
- Use external independent audits occasionally to challenge internal blind spots.
Case studies – lessons from recent regulatory actions
While specific company names are often confidential, the patterns in 2023–2025 regulatory actions are highly consistent. Three anonymised scenarios help illustrate how QMS failures play out in practice.
1. FDA Warning Letter – Software Device (2024)
A manufacturer of a software-driven diagnostic device received an FDA warning letter after:
- Multiple software failures in the field
- Inadequate design validation and verification evidence
- Incomplete CAPA responses with poor root-cause analysis
As highlighted in analyses such as Complizen’s review of top warning-letter violations, design-control and CAPA failures frequently appear together in software-based device enforcement.
2. EU / MHRA Inspection – Risk Management & PMS Gap (2023/2024)
A Class IIa manufacturer was flagged in an inspection because:
- Their risk management file had not been updated after field complaints
- PMS reports were formal but did not change risk evaluations
- There were no CAPAs linked to recurring complaint themes
The regulator required a comprehensive corrective-action plan and increased surveillance.
3. Notified Body Surveillance Audit – Certificate Suspension (2024)
During a routine surveillance audit, a Notified Body suspended a company’s ISO 13485 certificate after observing:
- Incomplete CAPA records
- Missing training documentation for key operators
- Management review minutes with no decisions or follow-ups
The company had to undertake an extensive remediation plan just to get the certificate reinstated.
How to build a failure-proof QMS
No QMS is truly “failure-proof”, but you can get uncomfortably close with a structured, modern approach.
Here is a practical framework:
1. Establish accountability
- Assign process owners for each major QMS element
- Clearly define who owns risk management, CAPA, PMS, document control, and supplier management
- Ensure leadership is visibly accountable for quality performance
2. Digitise documentation
- Move away from fragmented spreadsheets and shared drives
- Implement a centralised eQMS or document-control system with proper versioning and audit trails
- Standardise forms and records across sites and teams
3. Adopt risk-based thinking
- Align your QMS with ISO 14971 where applicable
- Use risk levels to prioritise audits, CAPAs, and supplier monitoring
- Ensure risk controls are traceable into design, production, and PMS activities
4. Embed CAPA and PMS feedback
- Ensure complaints, nonconformities, audits, and PMS outputs all feed into a single CAPA system
- Review CAPA and PMS trends in the management review
- Treat early warning signs seriously – don’t wait for a major incident
5. Conduct mock audits
- Run internal and external mock audits ahead of Notified Body/FDA/MHRA inspections
- Use them to test your QMS in real conditions and stress-test high-risk processes
- Treat findings as opportunities, not embarrassments
The regulatory and financial impact of QMS failures
QMS failures are not just procedural problems – they are direct business risks.
Under UK MDR, EU MDR, and FDA frameworks, serious failures can trigger:
- MHRA warning notices or enhanced surveillance
- Notified Body suspension or withdrawal of ISO 13485 certification
- FDA warning letters, import alerts, or consent decrees
- Mandatory recalls, import holds, or product withdrawals
Financially, the numbers speak for themselves:
- Device recalls cost the industry up to $5 billion annually, according to combined analyses referenced by Honeywell and quality-assurance studies
- Recall frequency in life sciences has more than doubled since 2018, driven by complex supply chains and increased regulatory scrutiny
- ETQ’s 2024 survey reported that 73% of manufacturers experienced at least one recall in the previous five years, with many events costing $10–49.9 million in direct costs alone
Conclusion
Most quality management system failures are not surprises – they are the predictable result of weak document control, superficial CAPA, disengaged leadership, poorly managed suppliers, and ineffective internal audits.
The good news is that each of these areas can be strengthened with clear accountability, digital tools, risk-based thinking, and a culture that treats quality as a strategic asset, not a compliance chore.
A robust, modern ISO 13485 QMS will not just keep regulators happy. It will reduce risk, protect patients, stabilise operations, and ultimately make your business more resilient. Schedule your QMS Health Check with Patient Guard and identify hidden compliance gaps before your next audit. Speak to an expert today.
FAQ
Typically: poor document control, weak CAPA, low management engagement, insufficient supplier oversight, and superficial internal audits.
Start with a structured gap assessment, implement targeted CAPAs, link changes to risk management, and verify effectiveness through internal audits and management review.
Lack of true root-cause analysis, no effectiveness checks, closing CAPAs too quickly, and failing to link CAPA to complaints, nonconformities, and risk files.
At least annually across all processes, using a risk-based plan. High-risk or problematic processes may require more frequent audits.
Through warning letters, enforcement notices, enhanced surveillance, certificate suspension, import holds, or, in serious cases, recalls and legal actions.
Yes. Patient Guard supports full ISO 13485 gap assessments, internal audit programmes, CAPA system design, and remediation planning for MDR, UK MDR, and FDA expectations.