Common Failures in CE/ISO 13485 Compliance – A Quality Consultant’s Perspective

Introduction

For any medical device manufacturer interested to sell in Europe and other bigger markets, the CE marking and ISO 13485 certificate are not just papers. In my opinion, these are your ticket, your credibility to capture that market. In my work across Pakistan, especially Sialkot, for more than 15 years – inspecting factories, checking technical files, auditing for companies like Vygon and SAP France – I see the same problems appearing repeatedly. 

The issue is not that the factories lack skill. In fact, the craftsmen are among the best. The problem is somewhere else. There is often a gap between what the European regulator wants and what the factories interpret it. Sometimes old ways of working or trying to manage quality only for the auditor’s visit, also creates these failures. 

This article is about those common failures I observe in Sialkot. I am trying to explain not just what goes wrong, but why it happens from manufacturer’s perspective, and how they can fix it with a practical mindset.

Risk Management Gaps in ISO 14971

The ISO 14971 standard for risk management is the heart of the matter. But in many factories, it is treated like a formality for the quality file, not a living tool. 

The risk file is prepared after the product has already been made, just to complete the documentation. 

Hazards are copied from another file or standard list, not seriously considered for the specific device. 

A risk control is written down, but there is no test report that proves it works. This link is missing. 

For reusable instruments, the risk of cleaning or sterilisation failure is usually not evaluated. 

Once the file is made, it is forgotten. Data from the market or complaints does not actually update the risks. 

The auditor from the Notified Body is looking for a clear story. They want to follow a thread, from the design idea to the potential danger, to the controls you place, to the test that proves it, and finally to the instructions you give to the user. If this story is broken, the certification can be at risk. Manufacturers must start seeing risk management as a map for making a safe device, not as a report to be filed away. 

Technical Documentation Weaknesses Under MDR

In my experience, technical documentation file is one of the biggest weaknesses. This file is not a one-time task. 

The Design History File is not updated. The design on paper is different from what is on the production floor today. 

Evidence for design validation is weak or missing. How do you prove that device meets the user’s needs? 

A supplier changes a raw material grade, or a machining parameter is adjusted for efficiency, but no design change record is made. 

Material certificates are collected, but you cannot trace this certificate to the specific batch of instruments made on a specific date. 

For a simple stainless-steel instrument, the factory assumes biocompatibility is “obvious”, but there is no justification report. 

Packaging validation for sterile devices is overlooked. 

Under the EU MDR, the technical file must always be ready and updated. It is a “living document”. The authority can ask for it anytime, even years after you get the certificate. Manufacturers must move from making a file for the audit to maintaining a file for the product’s entire life. 

Process Validation Failures in Manufacturing

This is a critical gap. The product looks perfect, but the proof that the process makes it perfect every time is not there. 

Heat treatment process: Is the hardness the same for every instrument in the furnace batch? There is nothing to validate it. 

Passivation process for corrosion resistance: It is done, but there are no test reports (like salt spray tests) as evidence. 

Cleaning process for reusable devices: Either it was copied from somewhere else or was performed three years ago and never checked later. 

A CNC machine program is changed by the operator for faster production, but there is no record to show it, and quality department has not been informed about it. Change control is missing. 

Sterilisation validation is given to an outside company. Their report is accepted, but no one inside has reviewed if it covers all their product families properly. 

A beautiful product from a non-validated process is a compliance failure. Validation (Installation, Operational, Performance Qualification – IQ/OQ/PQ) is the proof you give to the regulator that your process is your guarantee.

Supplier Control Risks in ISO 13485

Factories are very good at collecting certificates from their vendors, but true control is more active. 

Where the system becomes weak: 

All suppliers are treated the same way. The man who supplies packaging cartoons and the one who supplies surgical-grade steel bar are in the same category. This is not risk-based. 

The forging unit, which is the first step in making a surgical instrument, is never audited. “We have been buying from them for 20 years” is not an audit. 

Material comes with a simple test certificate, not a proper material certification traceable to an international standard. 

When a vendor has a problem, the manufacturer asks for a “corrective action”. They send a letter, they file it and close the issue and that’s it. 

A vendor delivers bad material multiple times, but there is no system to score their performance and take action. 

In the eyes of the ISO standard and the Notified Body, your supplier’s mistake becomes your mistake. You are responsible. Active management means auditing, reviewing, and partnering with your critical suppliers. 

CAPA System Issues Affecting Compliance

The Corrective and Preventive Action system is meant to improve the factory but usually it is just a department to close complaints. 

Root Cause Analysis very quickly ends at “Operator Error” or “Lack of Attention”. The investigation stops there. Why was the operator error possible? Was the training poor? Was the procedure unclear? This is not explored. 

An action is taken, but who checks six months later if it truly worked and the problem did not come back? This check for “effectiveness” is many times a box to tick. 

To keep production moving, CAPAs are closed quickly, sometimes without strong evidence. 

The same type of non-conformity appears in different departments repeatedly, but no one connects the dots for a bigger, preventive solution. 

CAPA is your tool for becoming better. Use proper methods like “5 Whys” to dig to the real root cause – a system cause, not a person to blame. The goal is to close the loop permanently. 

Document Control Failures in QMS

It seems simple, but failures here are very common. The strength of a quality system rests on controlled documents. 

In the production section, you find an old version of a Standard Operating Procedure (SOP) being used. The new version is with the Quality Manager. 

Records on the floor are missing signatures, dates, or batch numbers. If you cannot trace it, in the auditor’s eyes it did not happen. 

If documents are on a computer, there are no controls. Anyone can save, delete, or overwrite. 

Old revisions of drawings or specifications are not removed from the points of use. 

An SOP is updated, but the people who must follow it are not trained on the change. 

A document is only useful if it is the correct version, where it is needed, and the people are trained to use it. This control is fundamental. 

PMS and Complaint Handling Gaps Under MDR

For many smaller manufacturers, the product is considered “finished” when it ships. The MDR has changed this completely. 

Complaints from distributors are logged in a register, but no one sits at the end of the month to look for patterns. 

A complaint is handled, but it does not trigger a CAPA or a review of the Risk Management File. 

The Post-Market Surveillance (PMS) report is written once a year because the standard says so. It does not feel like a useful tool for the business. 

Feedback is not taken seriously but it is used to reply back a satisfactory answer to the buyers. 

The concept of “vigilance” – reporting serious incidents to the authorities – is not clearly understood or implemented. 

Under MDR, PMS is not a report. It is a system. It is your ears and eyes in the market. The data you collect must feed back into your risk management, your design improvements, and your CAPA system. It is how you show you are responsible for your device for its whole life. 

Competency and Training Compliance Issues

Factories maintain nice training records. But the standard asks for proof of competency that the person can actually do the job well. 

A worker is given verbal instructions by a supervisor. This is “training”, but where is the record and where is the proof that operator understands it. 

There is no list that defines what skills are critical for a polisher, a packer, or a quality inspector. 

The same generic training sheet is used for everyone, from the storekeeper to the machine operator. 

Once trained, a person’s skill is never checked again unless they make a mistake. 

You must show that people are not just trained, but are able to do their work correctly and consistently. This means defining the needed skills, testing understanding (through question or practice), and checking skills regularly. 

Change Control Risks in CE Marking

Many failures happen slowly, not suddenly. A small change here, a small adjustment there, and over the time the product or process has drifted. 

Here are some examples from audits: 

The purchasing manager finds a cheaper grade of stainless steel. It is bought and used without informing the Quality department. 

A new, faster machine is installed on the production line. Production is happy, but no one re-validated the process on this new machine. 

The label printer is changed, and the new labels have a slightly different font size. The master document for labelling is not updated. 

Over five years, the design of an instrument handle has slowly been modified by the craftsmen for better feel. But the drawing in the technical file is ten years old. 

Any change that can affect quality must be formally requested, reviewed (by all concerned departments: production, quality, engineering), approved, and documented before it is done. This discipline prevents the dangerous “drift”. 

Internal Audit Weaknesses in ISO 13485

The internal audit program is another sign of a weak quality system. Its purpose is to find your own problems before the external auditor does. But often, it is performed to show that there are no problems. 

The audit schedule always avoids the most problematic departments or high-risk processes. 

Findings are written in soft language. “A suggestion was made to possibly improve the document storage…” instead of stating a clear non-conformity. 

The same person, often from the quality team, audits the entire factory every year. They become friendly, they overlook things. 

Corrective actions from last year’s audit are not verified during this year’s audit. 

The audit report is typed the day before the Notified Body auditor arrives. 

A strong factory is not afraid of its own internal audits. It uses them as a doctor uses a check-up, to find small issues before they become big diseases. A clean internal audit report is not the goal, but an honest one is needed. 

A Final Word: Building a Sustainable Quality Culture

Working with the standards of European companies like Vygon, I have learned one main thing. True compliance is not about making files. It is about building a habit of quality into every person and every process. 

When the factory owner sees quality as the key to his reputation, not just a cost… when the production manager stops the line himself for a small doubt… when the quality officer has the authority and respect to say “no” – that is when these common failures start to disappear. 

The world market does not remember who sold the cheapest device. It remembers who sold the most reliable one. The factories in Sialkot and across Pakistan have the talent and the potential. By moving their mindset from passing an audit to building a quality culture, they can close these gaps. If they stop working for a certificate and start working for a reputation and no doubt this is the most valuable certification of all. 

Disclaimer. The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of Test Labs Limited. The content provided is for informational purposes only and is not intended to constitute legal or professional advice. Test Labs assumes no responsibility for any errors or omissions in the content of this article, nor for any actions taken in reliance thereon.