Handrails
Medical device manufacturers

Prove your QMS. Before the auditor does.

Simulate FSCA, CAPA and post-market response scenarios under realistic operational pressure.

What if the entire exercise, from scenario to audit-ready report, took less than 60 minutes? You could run it this week.

Get startedSee how it works

Mapped to FDA QMSR · EU MDR · ISO 13485 · TGA · and more

Report · audit-ready
Live
Report · Recall & FSCA · Part 803/806 · MDR Art. 87–92Ready
Part 806 decisionReportable correction logged
PRAC notificationSponsor letter inside SLA
UDI tracebackLot scope took 4h; expected ≤90 min
Clinician commsNo pre-approved holding line
CAPA openedEffectiveness plan dated and named
What's changed

Why now

01

Auditors increasingly test how the system performs under pressure

Regulators and notified bodies want evidence that CAPA, vigilance and FSCA processes work operationally, not just that procedures exist on paper.

02

Post-market response timelines continue to tighten

Medical device manufacturers face growing pressure to coordinate faster across quality, regulatory and engineering teams during recalls, field actions and safety events.

03

Modern device risk extends beyond your own walls

Connected devices, third-party software and outsourced manufacturing have expanded the operational perimeter of every medical device company.

Says who

The frameworks behind every notified body audit, FDA inspection and market action

Every exercise maps to a real clause your regulators, auditors and notified bodies are asking about.
Recall & FSCA
Recall ExerciseUS FDA + TGA + EU MDR
On detection; inspection-observable
QMSR + 21 CFR Part 803 + Part 806 + EU MDR Art. 87-92 + TGA PRAC

Complaints and CAPA anchor in QMSR / ISO 13485 (cl. 8.5.1, 8.5.2). Corrections and removals fall under 21 CFR Part 806; medical device reporting under 21 CFR Part 803; EU vigilance under MDR Articles 87-92. In Australia the Procedure for Recalls, Product Alerts and Product Corrections (PRAC) replaced URPTG on 5 March 2025 and now governs all market actions. UDI traceability is the operational backbone everywhere.

If skipped: Form 483; warning letter; consent decree; notified body certificate suspension; TGA mandatory recall under Therapeutic Goods Act 1989 s41KA-41KD.
CAPA & Risk
CAPA ExerciseUS FDA + TGA + EU + ISO
Periodic effectiveness verification
QMSR + TGA Essential Principles

CAPA is the single most-cited Form 483 deficiency. TGA conformity assessment relies on ISO 13485 evidence and the Essential Principles in Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002. A risk file update under ISO 14971 must accompany every CAPA.

If skipped: Form 483; warning letter for systemic failure; ISO 13485 non-conformance; notified body action; TGA conformity assessment certificate suspension or cancellation.
Cybersecurity
Cyber ExerciseUS FDA + TGA + EU + NIS2
Premarket required; post-market obligation
FDA Section 524B + EU MDR Annex I + TGA Cyber Security Guidance

Section 524B mandates vulnerability management, secure development, SBOM and patch capability for cyber-device premarket submissions. EU MDR Annex I embeds software and cybersecurity expectations in essential requirements. The TGA's Medical Device Cyber Security Guidance for Industry expects manufacturers to maintain an SBOM, monitor for emerging vulnerabilities and demonstrate cyber risk management across the total product lifecycle.

If skipped: RTA of premarket submission; 21 CFR Part 806 reportable correction; notified body action; NIS2 enforcement; TGA finding of non-compliance with Essential Principles 2 and 12.
Post-market Surveillance
Surveillance ExerciseUS FDA + TGA + EU MDR
30-day US; 2 / 10 / 15-day EU; 48 hours / 10 / 30-day AU
21 CFR Part 803 + EU MDR Art. 86, 87-92 + TGA IRIS Scheme

US medical device reporting under Part 803 (30-day clock). EU vigilance under MDR Articles 87-92 on a 2 / 10 / 15-day three-tier. PSURs sit at MDR Article 86; trend reporting at Article 88. In Australia, sponsors report adverse events through the TGA's Incident Reporting and Investigation Scheme (IRIS) on a 48-hour death or serious public health threat / 10-day serious deterioration / 30-day other timeline. Mandatory reporting by healthcare facilities is now also in force.

If skipped: Form 483; competent authority enforcement; civil and criminal liability; TGA cancellation from the ARTG.
How it works

From scenario to audit-ready report, in under 60 minutes.

Weeks of planning. Hours of facilitation. Days more for the report. Handrails compresses the whole thing into under 60 minutes.
1Context in
Context
SectorClass II medical device
RegulatorsFDA · EU NB · TGA
QMSFDA QMSR · ISO 13485
ManufacturingCDMO · in-house
RiskISO 14971 · UDI traceability
PMSMDR · IRIS · vigilance
SectorClass II medical device
RegulatorsFDA · EU NB · TGA
QMSFDA QMSR · ISO 13485
ManufacturingCDMO · in-house
RiskISO 14971 · UDI traceability
PMSMDR · IRIS · vigilance
ScenarioClass 2 market action
Clocks30-day US · 2/10/15-day EU
RoomQA · RA · Mfg · PV · Product Sec
ReportingMDR · MIR · IRIS
CAPAEffectiveness verification
OutputNotified-body packet
ScenarioClass 2 market action
Clocks30-day US · 2/10/15-day EU
RoomQA · RA · Mfg · PV · Product Sec
ReportingMDR · MIR · IRIS
CAPAEffectiveness verification
OutputNotified-body packet

Built around your context

Answer a few questions about your setup, including your device class, regulatory regimes, manufacturing footprint and cyber exposure. The scenario is tuned to the obligations actually in scope, not a generic template. Hours of consultant prep, designed in minutes.

2Virtual session
Live · virtual47:32
Holly, the Handrails AI agent, facilitating a session
Speaking
Holly · Handrails AI
Mei · QA
Hanan · RA
Transcript
Holly

Run it live, virtually

Your team joins a video call. QA, RA, Manufacturing, Vigilance Coordinator, Product Security / CISO, Clinical Affairs and senior management observers in the same call; each function makes the decisions they'd actually make. The recording is the evidence stream. Scheduling is the only setup.

3Report out
Report · Recall & FSCA · Part 803/806 · MDR Art. 87–92Ready
Part 806 decisionReportable correction logged
PRAC notificationSponsor letter inside SLA
UDI tracebackLot scope took 4h; expected ≤90 min
Clinician commsNo pre-approved holding line
CAPA openedEffectiveness plan dated and named

The report is ready before you close the call

Results generated in minutes, logged against your internal QMS and what regulators demand. See areas for improvement and re-run quarterly to show the improvement curve auditors and senior management now want to see.

Example scenarios

Tailored, not templated

Every scenario is generated from your context, not chosen from a library. Based on your device class, regulatory regimes, manufacturing footprint, even the plans and policies you upload. Three lightweight examples below.
01Scenario

Recall execution under PRAC and Part 806

Customer-reported failure mode triggers a Class 2 market action across AU and US markets. Sponsor notification to TGA, FDA Part 806 reportable correction decision, distributor and end-user comms, retrieval logistics, end-of-quarantine clearance.

02Scenario

Cyber vulnerability disclosure

SBOM-component vulnerability disclosed by upstream supplier. Coordinated disclosure timeline, post-market cyber finding, FDA Section 524B response, TGA cyber-guidance expectations.

03Scenario

Supplier non-conformance triggers batch hold

CDMO process deviation discovered during routine review of supplier records. Quarantine decision, root cause across the supplier boundary, CAPA effectiveness verification, MDR / IRIS reportability assessment.

Partner with Handrails

Be the partner that makes notified body audits feel lighter for your clients.

For most device QA / RA consultancies, notified-body-prep firms and eQMS platforms, tabletop exercises are the most time-consuming deliverable in any audit-prep engagement. Days of scenario prep, hours of facilitation, more hours producing an audit-ready report. Handrails can now carry that load for you. Stay in the advisory role your clients need you in, run more engagements, and earn on every session.
Revenue share, every cycle
Get paid on every session your clients run.
Audit-ready evidence
Reports pre-map to FDA QMSR, ISO 13485, EU MDR (Articles 86-92), 21 CFR Part 803, 21 CFR Part 806, ISO 14971, FDA Section 524B and TGA medical device requirements. One scenario set, regulator-specific evidence packs.
Reports written for you
Don't spend hours writing up audit-ready evidence. Handrails delivers it in minutes, straight from the session.
Already working withDevice QA / RA consultanciesNotified-body-prep firmseQMS platforms
Partner with Handrails

Run your first medical devices exercise this week.

Sign up, pick a scenario, invite the team. The report is ready before the session ends.

Get startedSee how it works