If you sell software to medical device manufacturers, QMS/EQMS vendors, IVD platforms, or connected device operators, you operate inside one of the most heavily regulated tech verticals in the world — and the fastest compliance clock runs at 15 days for EU incidents and 30 days for FDA reports.
FDA 21 CFR Part 820 QSR §820.70(i) is the sharpest procurement argument in the entire MedTech stack: cloud iPaaS is unvalidated COTS software in the device lifecycle. Every automation tool that touches your QMS, device records, or patient data must be validated. Zapier and Make are not. Self-hosted n8n is — because you control and validate it.
This post covers the 5 n8n automations every MedTech and Medical Device SaaS vendor needs to manage FDA 21 CFR Part 820, EU MDR 2017/745, ISO 13485, HIPAA, and FDA 510(k)/PMA compliance.
The MedTech SaaS Compliance Stack
| Tier | Example Customer | Primary Regulations |
|---|---|---|
| ENTERPRISE_MDR_PLATFORM | Large QMS/EQMS SaaS vendor | FDA 21 CFR Part 820 QSR, EU MDR Art.86/87, ISO 13485, 21 CFR Part 11 |
| MIDMARKET_QMS_SAAS | Mid-size device QMS for Class II manufacturers | FDA §820.70(i) software validation, ISO 13485 §7.5.3, HIPAA if health data |
| REGULATORY_AFFAIRS_SAAS | RA submission management tools | FDA 510(k)/PMA, EU MDR/IVDR Technical File, EUDAMED Art.27 |
| CLINICAL_EVIDENCE_SAAS | Clinical data management for device trials | 21 CFR Part 11, EU MDR Annex XIV CER, ICH E6(R3) GCP |
| DEVICE_CONNECTIVITY_SAAS | IoT/connected device platform (Class II/III) | FDA SaMD §880.3860, EU MDR Art.117 UDI, HIPAA PHI/PII |
| IVD_ANALYTICS_SAAS | In Vitro Diagnostics analytics platforms | EU IVDR 2017/746, FDA 21 CFR Part 809, ISO 15189 |
| MEDTECH_STARTUP | Pre-submission Class I/II startup | FDA §820.30 design controls, EU MDR Class I self-declaration |
Compliance Flags
Your n8n workflows segment customers by these flags:
- FDA_QSR_21_CFR_PART_820_SUBJECT — subject to FDA Quality System Regulation (Class II/III manufacturers)
- EU_MDR_2017_745_APPLICABLE — places devices on EU market under MDR 2017/745
- ISO_13485_CERTIFIED — certified to ISO 13485:2016 QMS standard
- HIPAA_COVERED_ENTITY_OR_BA — handles Protected Health Information (PHI)
- FDA_510K_PMA_FILER — filed or holds FDA 510(k) clearance or PMA approval
- IVD_IVDR_2017_746_SUBJECT — subject to EU IVDR 2017/746 (IVDs)
- SOC2_TYPE2_REQUIRED — enterprise customers require SOC 2 Type II attestation
The Fastest Clocks in MedTech: MDR Reporting
EU_MDR_SERIOUS_INCIDENT = 15 calendar days — EU MDR Article 87(2)
This is the fastest recurring clock in European MedTech: once a manufacturer becomes aware of a serious incident involving their device, they have 15 calendar days to file the initial report to the national competent authority via EUDAMED. For incidents involving an immediate public health threat, Article 87(3) requires reporting within 2 days.
FDA_MDR_MALFUNCTION_REPORT = 30 calendar days — 21 CFR §803.50(b)
FDA_MDR_DEATH_SERIOUS_INJURY = 30 calendar days — 21 CFR §803.50(a)
Both FDA MDR clocks start the moment the manufacturer 'becomes aware' of information — including a complaint from a healthcare facility, field rep report, or customer support ticket. If you process device complaints through cloud iPaaS, the clock starts but your RA team may not know it did.
FDA_RECALL_INITIATED = 10 working days — 21 CFR §806.10(b)
Written report to FDA district office within 10 working days of initiating any correction or removal of a device from the market.
Why Cloud iPaaS Violates FDA QSR §820.70(i)
FDA 21 CFR §820.70(i) states:
'Each manufacturer shall establish and maintain procedures for the use of automated data processing systems. This includes verifying or validating computer software that is part of or used in production of a device.'
If your QMS workflows — onboarding sequences, CAPA trackers, MDR filing pipelines, audit trails — run through Zapier or Make, those are COTS software tools inside your device production support process and they are unvalidated. During an FDA Quality System Inspection Technique (QSIT) audit, a CDRH investigator can and does issue Form 483 observations for unvalidated software in the QMS. The observation reads: 'Automated data processing equipment used to produce records is not validated per §820.70(i).'
Self-hosted n8n eliminates this:
- You install it in your QMS-controlled environment
- You write the IQ/OQ/PQ validation protocols
- You generate the validation evidence records
- It becomes part of your validated software inventory
- It appears in your Software Validation Master Plan
Cloud iPaaS cannot be validated this way — you have no access to the infrastructure, no ability to control the environment, and no guarantee the platform won't change between your validation and your FDA inspection.
EU MDR parallel: Article 10(9) requires manufacturers to maintain a post-market surveillance system. Data flowing through cloud iPaaS potentially routes PMS/MDR data through US servers — triggering GDPR Article 44-46 cross-border transfer restrictions for EU patient data.
ISO 13485 parallel: §7.5.3 requires documented validation of software used in production. Same argument as QSR §820.70(i) — cloud iPaaS is undocumented, unvalidated COTS software in your QMS process.
5 n8n Automations for MedTech Compliance
1. Tier-Segmented MedTech Customer Onboarding Drip
Routes each new customer to the right compliance context on Day 0 — QSR validation guide for Class II manufacturers, EU MDR PSUR template for EU MDR-applicable customers, IQ/OQ/PQ checklist for ISO 13485-certified accounts.
{
"name": "MedTech Customer Onboarding Drip",
"nodes": [
{
"id": "1",
"name": "Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 1,
"position": [
250,
300
],
"parameters": {
"httpMethod": "POST",
"path": "medtech-onboarding",
"responseMode": "onReceived"
}
},
{
"id": "2",
"name": "Set Tier & Flags",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
450,
300
],
"parameters": {
"jsCode": "const d=items[0].json.body||items[0].json;const tierMap={ENTERPRISE_MDR_PLATFORM:{day0:'Your FDA 21 CFR Part 820 QSR validation guide and EU MDR Article 86 PSUR template are attached. As a QMS/EQMS platform, your software must be validated under \u00a7820.70(i) before any customer can use it to support device production.',qsrNote:true,euMdrNote:true},MIDMARKET_QMS_SAAS:{day0:'Your QSR \u00a7820.70(i) software validation checklist and ISO 13485:2016 \u00a77.5.3 requirements matrix are enclosed. Cloud iPaaS in your QMS workflow = unvalidated external software in the device lifecycle = FDA Form 483 finding.',qsrNote:true,euMdrNote:false},REGULATORY_AFFAIRS_SAAS:{day0:'Your FDA 510(k) submission timeline automation guide and EU MDR Article 87 incident reporting pipeline are attached. RA submission data in cloud iPaaS = potential audit chain break.',qsrNote:false,euMdrNote:true},CLINICAL_EVIDENCE_SAAS:{day0:'Your 21 CFR Part 11 electronic records validation guide and EU MDR Annex XIV clinical evaluation plan template are enclosed. Clinical evidence data must stay within your validated system boundary.',qsrNote:true,euMdrNote:true},DEVICE_CONNECTIVITY_SAAS:{day0:'Your FDA SaMD software classification guide and EU MDR Article 117 UDI integration checklist are attached. Connected device data routed through cloud iPaaS = potential unauthorized disclosure of patient-identifying device data.',qsrNote:true,euMdrNote:true},IVD_ANALYTICS_SAAS:{day0:'Your EU IVDR 2017/746 compliance timeline and FDA 21 CFR Part 809 IVD labeling guide are enclosed. Analytical data for Class C/D IVDs carries the strictest data residency obligations.',qsrNote:false,euMdrNote:true},MEDTECH_STARTUP:{day0:'Welcome! Your FDA 510(k) vs PMA decision tree, QSR \u00a7820.30 design controls checklist, and EU MDR timeline overview are attached. Getting QMS software validation right from day 1 is far cheaper than a Form 483 remediation.',qsrNote:true,euMdrNote:false}};const t=tierMap[d.tier]||tierMap.MEDTECH_STARTUP;return [{json:{...d,tierNote:t.day0,qsrNote:t.qsrNote,euMdrNote:t.euMdrNote,enrolledAt:new Date().toISOString()}}];"
}
},
{
"id": "3",
"name": "Gmail Day 0 Welcome",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
650,
300
],
"parameters": {
"operation": "send",
"toList": "={{$json.email}}",
"subject": "Welcome to FlowKit \u2014 your MedTech compliance automation is live",
"message": "=Hi {{$json.name}},\n\nYour FlowKit account is active. {{$json.tierNote}}\n\nCRITICAL: FDA 21 CFR \u00a7820.70(i) requires that software used in or to support device production be validated. Any cloud iPaaS (Zapier, Make) in your QMS workflow is unvalidated COTS software in the device lifecycle \u2014 immediate Form 483 observation risk during a quality system inspection.\n\nStore: https://stripeai.gumroad.com\n\nBest,\nAlex Kane / FlowKit"
}
},
{
"id": "4",
"name": "Log to Sheets",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4,
"position": [
850,
300
],
"parameters": {
"operation": "append",
"documentId": "YOUR_SHEET_ID",
"sheetName": "medtech_onboarding",
"columns": {
"mappingMode": "defineBelow",
"value": {
"email": "={{$json.email}}",
"name": "={{$json.name}}",
"tier": "={{$json.tier}}",
"enrolled": "={{$json.enrolledAt}}",
"qsr_flag": "={{$json.qsrNote}}",
"eu_mdr_flag": "={{$json.euMdrNote}}",
"day3_sent": "False",
"day7_sent": "False"
}
}
}
},
{
"id": "5",
"name": "Wait 3 Days",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
1050,
300
],
"parameters": {
"amount": 3,
"unit": "days"
}
},
{
"id": "6",
"name": "Gmail Day 3",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
1250,
300
],
"parameters": {
"operation": "send",
"toList": "={{$json.email}}",
"subject": "Day 3 check-in \u2014 have you configured your QSR \u00a7820.70(i) software validation records?",
"message": "=Hi {{$json.name}},\n\nChecking in: have you validated your n8n instance per FDA \u00a7820.70(i) and documented it in your QMS?\n\nKey reminder: ISO 13485 \u00a77.5.3 requires that software used in production have documented validation evidence before first use. The validation IQ/OQ/PQ records must be part of your Device History File.\n\nReply with any questions.\n\nAlex / FlowKit"
}
},
{
"id": "7",
"name": "Wait 4 Days",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
1450,
300
],
"parameters": {
"amount": 4,
"unit": "days"
}
},
{
"id": "8",
"name": "Gmail Day 7 Features",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
1650,
300
],
"parameters": {
"operation": "send",
"toList": "={{$json.email}}",
"subject": "5 FlowKit automations your MedTech compliance team needs this week",
"message": "=Hi {{$json.name}},\n\nHere are the 5 workflows your team should deploy this week:\n\n1. FDA MDR/EU MDR Incident Filing Pipeline (30d/15d clocks)\n2. QSR CAPA Deadline Tracker (\u00a7820.100)\n3. Device Platform API Health Monitor (FDA/EU MDR APIs)\n4. ISO 13485 NCR & Audit Trail Pipeline\n5. Weekly MedTech SaaS KPI Dashboard\n\nFull JSON at https://stripeai.gumroad.com\n\nAlex / FlowKit"
}
}
],
"connections": {
"Webhook": {
"main": [
[
{
"node": "Set Tier & Flags",
"type": "main",
"index": 0
}
]
]
},
"Set Tier & Flags": {
"main": [
[
{
"node": "Gmail Day 0 Welcome",
"type": "main",
"index": 0
}
]
]
},
"Gmail Day 0 Welcome": {
"main": [
[
{
"node": "Log to Sheets",
"type": "main",
"index": 0
}
]
]
},
"Log to Sheets": {
"main": [
[
{
"node": "Wait 3 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 3 Days": {
"main": [
[
{
"node": "Gmail Day 3",
"type": "main",
"index": 0
}
]
]
},
"Gmail Day 3": {
"main": [
[
{
"node": "Wait 4 Days",
"type": "main",
"index": 0
}
]
]
},
"Wait 4 Days": {
"main": [
[
{
"node": "Gmail Day 7 Features",
"type": "main",
"index": 0
}
]
]
}
}
}
What this does: Day 0 email injects FDA §820.70(i) software validation context for QSR_SUBJECT customers and EU MDR Art.87 reporting requirements for EU_MDR_APPLICABLE accounts. Day 3 follow-up verifies QMS integration setup. Day 7 delivers the full workflow deployment guide for your team.
2. MedTech Platform API Health Monitor
Polls FDA MDR gateway, GUDID UDI API, EUDAMED, FDA inspection API, and your HIPAA PHI endpoint every 15 minutes. Uses $getWorkflowStaticData to suppress duplicate alerts — one alert per outage, not one per poll cycle.
{
"name": "MedTech Platform API Health Monitor",
"nodes": [
{
"id": "1",
"name": "Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "*/15 * * * *"
}
]
}
}
},
{
"id": "2",
"name": "Load Endpoints",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
450,
300
],
"parameters": {
"jsCode": "return [{json:{api_name:'fda_mdr_gateway',health_url:'https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfres/res.cfm',compliance_note:'FDA MDR \u00a7803.50 \u2014 30-day reporting clock. Downtime = blind to pending MDR submissions.'}},{json:{api_name:'fda_gudid_udi_api',health_url:'https://accessgudid.nlm.nih.gov/api/2/devices/healthcheck',compliance_note:'21 CFR Part 830 UDI \u2014 GUDID sync. Downtime = stale UDI data in your device records.'}},{json:{api_name:'eu_eudamed_api',health_url:'https://ec.europa.eu/tools/eudamed/api/healthcheck',compliance_note:'EU MDR Art.27/87 \u2014 EUDAMED registration and incident reporting. Downtime = MDR submission gap.'}},{json:{api_name:'fda_inspection_api',health_url:'https://www.accessdata.fda.gov/scripts/inspection_reports/healthcheck',compliance_note:'FDA QSR \u00a7820.198 \u2014 complaint file reconciliation. Outage = audit readiness gap.'}},{json:{api_name:'hipaa_phi_api',health_url:'https://internal-phi-api.yourcompany.com/health',compliance_note:'HIPAA \u00a7164.312 \u2014 PHI access and audit controls. Outage = potential unauthorized access window.'}}];"
}
},
{
"id": "3",
"name": "Split Endpoints",
"type": "n8n-nodes-base.splitInBatches",
"typeVersion": 3,
"position": [
650,
300
],
"parameters": {
"batchSize": 1
}
},
{
"id": "4",
"name": "HTTP Health Check",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
850,
300
],
"parameters": {
"method": "GET",
"url": "={{$json.health_url}}",
"timeout": 5000,
"continueOnFail": true
}
},
{
"id": "5",
"name": "Classify Status",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
1050,
300
],
"parameters": {
"jsCode": "const e=items[0].json;const statusCode=e.$response?.statusCode||0;const latency=parseInt(e.$response?.headers?.['x-response-time']||'0');let status='OK';let detail='';if(statusCode===0||statusCode>=500){status='DOWN';detail='No response or server error';}else if(statusCode>=400){status='DEGRADED';detail='HTTP '+statusCode;}else if(latency>3000){status='DEGRADED';detail='High latency: '+latency+'ms';}const lastState=$getWorkflowStaticData('global');const key='state_'+e.api_name;const alreadyAlerting=lastState[key]==='alerting';if(status!=='OK'){if(!alreadyAlerting){lastState[key]='alerting';return [{json:{...e,apiStatus:status,statusCode,detail,shouldAlert:true}}];}return [{json:{...e,apiStatus:status,shouldAlert:false}}];}lastState[key]='ok';return [{json:{...e,apiStatus:'OK',shouldAlert:false}}];"
}
},
{
"id": "6",
"name": "Alert If Down",
"type": "n8n-nodes-base.if",
"typeVersion": 2,
"position": [
1250,
300
],
"parameters": {
"conditions": {
"options": {
"caseSensitive": false
},
"conditions": [
{
"leftValue": "={{$json.shouldAlert}}",
"operator": {
"type": "boolean",
"operation": "true"
}
}
]
}
}
},
{
"id": "7",
"name": "Slack Alert",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
1450,
250
],
"parameters": {
"channel": "#platform-ops",
"text": "=:red_circle: MEDTECH API {{$json.apiStatus}}: *{{$json.api_name}}* \u2014 {{$json.compliance_note}} Detail: {{$json.detail}}. Review immediately \u2014 FDA/EU MDR compliance clock may be running blind."
}
},
{
"id": "8",
"name": "Log Incident",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4,
"position": [
1450,
380
],
"parameters": {
"operation": "append",
"documentId": "YOUR_SHEET_ID",
"sheetName": "medtech_api_incidents",
"columns": {
"mappingMode": "defineBelow",
"value": {
"ts": "={{new Date().toISOString()}}",
"api": "={{$json.api_name}}",
"status": "={{$json.apiStatus}}",
"detail": "={{$json.detail}}",
"compliance": "={{$json.compliance_note}}"
}
}
}
}
],
"connections": {
"Every 15 Minutes": {
"main": [
[
{
"node": "Load Endpoints",
"type": "main",
"index": 0
}
]
]
},
"Load Endpoints": {
"main": [
[
{
"node": "Split Endpoints",
"type": "main",
"index": 0
}
]
]
},
"Split Endpoints": {
"main": [
[
{
"node": "HTTP Health Check",
"type": "main",
"index": 0
}
]
]
},
"HTTP Health Check": {
"main": [
[
{
"node": "Classify Status",
"type": "main",
"index": 0
}
]
]
},
"Classify Status": {
"main": [
[
{
"node": "Alert If Down",
"type": "main",
"index": 0
}
]
]
},
"Alert If Down": {
"main": [
[
{
"node": "Slack Alert",
"type": "main",
"index": 0
},
{
"node": "Log Incident",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
What this does: Each alert includes the specific compliance obligation at risk during API downtime (e.g., 'FDA MDR §803.50 — 30-day reporting clock. Downtime = blind to pending MDR submissions'). Deduplication via $getWorkflowStaticData prevents alert floods for sustained outages.
3. FDA/EU MDR/ISO 13485 Compliance Deadline Tracker
Runs daily at 7AM. Reads a Google Sheet of compliance deadlines, classifies urgency by days remaining, and routes OVERDUE/CRITICAL to immediate Slack + email on #regulatory-affairs, WARNING to #regulatory-ops, NOTICE to calendar.
{
"name": "MedTech Compliance Deadline Tracker",
"nodes": [
{
"id": "1",
"name": "Daily 7AM",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 7 * * *"
}
]
}
}
},
{
"id": "2",
"name": "Read Deadlines Sheet",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4,
"position": [
450,
300
],
"parameters": {
"operation": "read",
"documentId": "YOUR_SHEET_ID",
"sheetName": "medtech_compliance_deadlines"
}
},
{
"id": "3",
"name": "Classify Urgency",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
650,
300
],
"parameters": {
"jsCode": "const today=new Date();return items.map(i=>{const d=i.json;const due=new Date(d.due_date);const days=Math.round((due-today)/(1000*60*60*24));let urgency='UPCOMING';if(days<0)urgency='OVERDUE';else if(days<=3)urgency='CRITICAL';else if(days<=7)urgency='URGENT';else if(days<=30)urgency='WARNING';else if(days<=60)urgency='NOTICE';const deadlineMap={FDA_MDR_MALFUNCTION_REPORT:'21 CFR \u00a7803.50(b) \u2014 30 calendar days from awareness of malfunction that could cause/contribute to serious injury if it recurs.',FDA_MDR_DEATH_SERIOUS_INJURY:'21 CFR \u00a7803.50(a) \u2014 30 calendar days from awareness of death or serious injury attributed to device.',EU_MDR_SERIOUS_INCIDENT_REPORT:'EU MDR Art.87(2) \u2014 15 calendar days from awareness of serious incident. Fastest EU reporting clock.',EU_MDR_PSUR_PERIODIC_UPDATE:'EU MDR Art.86 \u2014 annual PSUR for Class IIa/IIb, post-market surveillance updating for Class III.',FDA_QSR_CAPA_CLOSURE:'21 CFR \u00a7820.100 \u2014 CAPA must be completed within the timeframe defined in your CAPA procedure (typically 30-90d).',FDA_ESTABLISHMENT_REGISTRATION_RENEWAL:'21 CFR \u00a7807.21 \u2014 annual renewal between October 1\u2013December 31 each year.',FDA_MDR_SUPPLEMENTAL_REPORT:'21 CFR \u00a7803.56 \u2014 supplemental MDR due 30 days after new information on previously filed report.',ISO_13485_SURVEILLANCE_AUDIT:'ISO 13485:2016 \u2014 annual surveillance audit post-certification. Lapse = certificate suspension.',EU_MDR_TECHNICAL_DOCUMENTATION_REVIEW:'EU MDR Art.83(4) \u2014 technical documentation review cycle (1\u20135 years depending on device class).',FDA_510K_ANNUAL_REPORT:'21 CFR \u00a7814.84 \u2014 PMA post-approval annual report. 90 days before anniversary of approval date.',FDA_UDI_GLOBAL_RENEWAL:'21 CFR Part 830 / EU MDR Art.27 \u2014 UDI-DI renewal in GUDID/EUDAMED when device labeling changes.',SOC2_TYPE2_RENEWAL:'AICPA SOC 2 \u2014 annual audit window. Lapse = enterprise sales blocker and QMS vendor audit finding.'};return {json:{...d,daysUntil:days,urgency,deadlineNote:deadlineMap[d.deadline_type]||d.deadline_type}};}).filter(i=>i.json.urgency!=='UPCOMING'||i.json.daysUntil<=60);"
}
},
{
"id": "4",
"name": "Switch Urgency",
"type": "n8n-nodes-base.switch",
"typeVersion": 1,
"position": [
850,
300
],
"parameters": {
"dataType": "string",
"value1": "={{$json.urgency}}",
"rules": {
"rules": [
{
"value2": "OVERDUE",
"output": 0
},
{
"value2": "CRITICAL",
"output": 0
},
{
"value2": "URGENT",
"output": 1
},
{
"value2": "WARNING",
"output": 2
},
{
"value2": "NOTICE",
"output": 3
}
]
}
}
},
{
"id": "5",
"name": "Slack CRITICAL",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
1050,
200
],
"parameters": {
"channel": "#regulatory-affairs",
"text": "=:rotating_light: MEDTECH COMPLIANCE {{$json.urgency}}: *{{$json.deadline_type}}* for {{$json.device_name}} \u2014 due {{$json.due_date}} ({{$json.daysUntil}}d). {{$json.deadlineNote}}"
}
},
{
"id": "6",
"name": "Gmail CRITICAL",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
1050,
320
],
"parameters": {
"operation": "send",
"toList": "={{$json.owner_email}}",
"subject": "=MEDTECH {{$json.urgency}}: {{$json.deadline_type}} due {{$json.due_date}}",
"message": "={{$json.urgency}} \u2014 {{$json.daysUntil}} days remaining.\n\nDeadline: {{$json.deadline_type}}\nRegulation: {{$json.deadlineNote}}\nDevice: {{$json.device_name}}\nDue: {{$json.due_date}}\nOwner: {{$json.owner_email}}\n\nAction required immediately."
}
},
{
"id": "7",
"name": "Slack WARNING",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
1050,
440
],
"parameters": {
"channel": "#regulatory-ops",
"text": "=:warning: MEDTECH {{$json.urgency}}: {{$json.deadline_type}} for {{$json.device_name}} in {{$json.daysUntil}} days ({{$json.due_date}}). {{$json.deadlineNote}}"
}
},
{
"id": "8",
"name": "Slack NOTICE",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
1050,
560
],
"parameters": {
"channel": "#regulatory-ops",
"text": "=:calendar: MEDTECH NOTICE: {{$json.deadline_type}} for {{$json.device_name}} in {{$json.daysUntil}} days."
}
}
],
"connections": {
"Daily 7AM": {
"main": [
[
{
"node": "Read Deadlines Sheet",
"type": "main",
"index": 0
}
]
]
},
"Read Deadlines Sheet": {
"main": [
[
{
"node": "Classify Urgency",
"type": "main",
"index": 0
}
]
]
},
"Classify Urgency": {
"main": [
[
{
"node": "Switch Urgency",
"type": "main",
"index": 0
}
]
]
},
"Switch Urgency": {
"main": [
[
{
"node": "Slack CRITICAL",
"type": "main",
"index": 0
},
{
"node": "Gmail CRITICAL",
"type": "main",
"index": 0
}
],
[
{
"node": "Slack WARNING",
"type": "main",
"index": 0
}
],
[
{
"node": "Slack WARNING",
"type": "main",
"index": 0
}
],
[
{
"node": "Slack NOTICE",
"type": "main",
"index": 0
}
]
]
}
}
}
12 deadline types tracked:
| Deadline Type | Regulation | Key Risk |
|---|---|---|
| FDA_MDR_MALFUNCTION_REPORT | 21 CFR §803.50(b) | 30 calendar days from awareness — missing = Warning Letter |
| FDA_MDR_DEATH_SERIOUS_INJURY | 21 CFR §803.50(a) | 30 calendar days — most severe MDR, FDA criminal investigation risk |
| EU_MDR_SERIOUS_INCIDENT_REPORT | EU MDR Art.87(2) | 15 calendar days — fastest EU clock |
| EU_MDR_PSUR_PERIODIC_UPDATE | EU MDR Art.86 | Annual for Class IIa/IIb — lapse = certificate suspension risk |
| FDA_QSR_CAPA_CLOSURE | 21 CFR §820.100 | Top FDA Form 483 observation category |
| FDA_ESTABLISHMENT_REGISTRATION_RENEWAL | 21 CFR §807.21 | Annual October-December window — lapse = unlisted manufacturer |
| FDA_MDR_SUPPLEMENTAL_REPORT | 21 CFR §803.56 | 30 days from new information on prior MDR |
| ISO_13485_SURVEILLANCE_AUDIT | ISO 13485:2016 | Annual — lapse = certificate suspension |
| EU_MDR_TECHNICAL_DOCUMENTATION_REVIEW | EU MDR Art.83(4) | 1-5 year cycle by device class |
| FDA_510K_ANNUAL_REPORT | 21 CFR §814.84 | PMA annual report — 90 days before approval anniversary |
| FDA_UDI_GLOBAL_RENEWAL | 21 CFR Part 830 / EU MDR Art.27 | Required on labeling change |
| SOC2_TYPE2_RENEWAL | AICPA SOC 2 | Enterprise sales blocker and QMS vendor audit finding if lapsed |
4. MDR/Incident Report Filing Pipeline
Webhook-triggered. Receives incident events (FDA MDR malfunction, death/serious injury, EU MDR serious incident, FDA recall, QSR CAPA nonconformance, HIPAA PHI breach, ISO NCR, device data breach) and immediately routes to the right Slack channel, emails RA Director and VP QA, and logs to Google Sheets.
{
"name": "MedTech Incident & Regulatory Breach Pipeline",
"nodes": [
{
"id": "1",
"name": "Incident Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 1,
"position": [
250,
300
],
"parameters": {
"httpMethod": "POST",
"path": "medtech-incident",
"responseMode": "onReceived"
}
},
{
"id": "2",
"name": "Classify Incident",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
450,
300
],
"parameters": {
"jsCode": "const d=items[0].json.body||items[0].json;const incidentMap={FDA_MDR_MALFUNCTION_REPORT:{sla:'30 calendar days \u2014 21 CFR \u00a7803.50(b). Clock starts when you become aware of malfunction that could cause/contribute to serious injury if it recurs.',slack:'#regulatory-affairs',regulation:'21 CFR \u00a7803 MDR \u2014 manufacturer MDR filing. Failure = Warning Letter + injunction risk.',action:'Initiate MDR file in your QMS. Complete FDA Form 3500A within 30 calendar days. Assign designated MDR contact per \u00a7803.30.'},FDA_MDR_DEATH_SERIOUS_INJURY:{sla:'30 calendar days \u2014 21 CFR \u00a7803.50(a). Clock starts when you become aware of death or serious injury.',slack:'#regulatory-affairs',regulation:'21 CFR \u00a7803 MDR \u2014 most severe manufacturer MDR. Failure = FDA Criminal Investigation risk.',action:'Immediately convene complaint review per \u00a7820.198. File FDA Form 3500A within 30 days. Notify QSR complaint handling team. If 5-day MDR trigger applies (\u00a7803.53), escalate.'},EU_MDR_SERIOUS_INCIDENT:{sla:'15 calendar days \u2014 EU MDR Art.87(2). Fastest EU reporting clock. Immediate notification for public health threats (Art.87(3)).',slack:'#regulatory-affairs',regulation:'EU MDR 2017/745 Art.87 \u2014 serious incident reporting to national competent authority.',action:'Notify national competent authority (e.g., BfArM, MHRA, ANSM) within 15 days. File via EUDAMED. Initiate Field Safety Corrective Action assessment per Art.89 if required.'},FDA_RECALL_INITIATED:{sla:'10 working days \u2014 21 CFR \u00a7806.10(b). Submit written report to FDA within 10 working days of initiating correction or removal.',slack:'#regulatory-affairs',regulation:'21 CFR Part 806 \u2014 corrections and removals. Failure = Warning Letter + recall classification escalation.',action:'Submit written report to FDA district office within 10 working days. Include: reason, risk assessment, devices affected, consignees. Maintain records per \u00a7806.20.'},FDA_QSR_NONCONFORMANCE_CRITICAL:{sla:'CAPA initiation within SOP timeframe (typically 30 days) \u2014 21 CFR \u00a7820.100.',slack:'#quality-ops',regulation:'21 CFR \u00a7820.100 QSR CAPA \u2014 systematic investigation required. Unclosed CAPAs are the top FDA Form 483 observation.',action:'Open CAPA record per your QMS procedure. Assign root cause investigation owner. Document in DHF per \u00a7820.30(j). Target closure per SOP timeline.'},HIPAA_PHI_BREACH:{sla:'60 calendar days \u2014 HIPAA Breach Notification Rule \u00a7164.412. Notify affected individuals within 60 days of discovery.',slack:'#compliance-critical',regulation:'HIPAA \u00a7164.400-414 Breach Notification Rule \u2014 HHS OCR notification required for breaches >500 individuals.',action:'Notify affected individuals and HHS OCR within 60 days of discovery. For breaches >500 in a state: notify prominent media. Document breach assessment per \u00a7164.414.'},ISO_13485_NCR_CRITICAL:{sla:'CAPA within procedure timeframe \u2014 ISO 13485:2016 \u00a78.5.2/\u00a78.5.3.',slack:'#quality-ops',regulation:'ISO 13485:2016 \u00a78.3/\u00a78.5 \u2014 nonconformance and CAPA. Unresolved NCRs = certification audit major finding.',action:'Raise NCR per QMS procedure. Initiate CAPA per \u00a78.5.2 if systemic. Update Design History File per \u00a77.3.10 if design-related. Close within certification SOP timeline.'},DATA_BREACH_DEVICE_PATIENT_DATA:{sla:'72 hours \u2014 GDPR Art.33 / 60 days HIPAA \u00a7164.412.',slack:'#compliance-critical',regulation:'GDPR Art.33 / HIPAA \u00a7164.400 / EU MDR Art.87 if patient-device data',action:'Notify DPA within 72h (GDPR). Notify HHS OCR within 60d (HIPAA). Assess EU MDR Article 87 serious incident applicability if patient safety risk. Preserve all access logs per \u00a7820.198.'}};const cfg=incidentMap[d.incident_type]||{sla:'Review required',slack:'#compliance-ops',regulation:'Unknown',action:'Escalate to VP Regulatory Affairs'};return [{json:{...d,sla:cfg.sla,slackChannel:cfg.slack,regulation:cfg.regulation,action:cfg.action,ts:new Date().toISOString()}}];"
}
},
{
"id": "3",
"name": "Slack Alert",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
650,
200
],
"parameters": {
"channel": "={{$json.slackChannel}}",
"text": "=:rotating_light: MEDTECH COMPLIANCE INCIDENT: *{{$json.incident_type}}*\nSLA: {{$json.sla}}\nRegulation: {{$json.regulation}}\nAction: {{$json.action}}\nDevice: {{$json.device_name}} | Customer: {{$json.customer_id}}\nDetected: {{$json.ts}}"
}
},
{
"id": "4",
"name": "Gmail RA Director & QA VP",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
650,
340
],
"parameters": {
"operation": "send",
"toList": "ra-director@yourcompany.com,vp-qa@yourcompany.com",
"subject": "=MEDTECH COMPLIANCE INCIDENT: {{$json.incident_type}} \u2014 {{$json.sla}}",
"message": "=Incident: {{$json.incident_type}}\nSLA clock: {{$json.sla}}\nRegulation: {{$json.regulation}}\nRequired action: {{$json.action}}\n\nDevice: {{$json.device_name}}\nCustomer: {{$json.customer_id}}\nDetected: {{$json.ts}}\n\nThis notification is auto-generated by FlowKit. Engage qualified regulatory counsel for all MDR, QSR, and EU MDR matters."
}
},
{
"id": "5",
"name": "Log Incident",
"type": "n8n-nodes-base.googleSheets",
"typeVersion": 4,
"position": [
650,
480
],
"parameters": {
"operation": "append",
"documentId": "YOUR_SHEET_ID",
"sheetName": "medtech_incident_log",
"columns": {
"mappingMode": "defineBelow",
"value": {
"ts": "={{$json.ts}}",
"incident_type": "={{$json.incident_type}}",
"device_name": "={{$json.device_name}}",
"customer_id": "={{$json.customer_id}}",
"sla": "={{$json.sla}}",
"regulation": "={{$json.regulation}}",
"action_taken": "pending",
"ra_notified": "True",
"qa_notified": "True"
}
}
}
}
],
"connections": {
"Incident Webhook": {
"main": [
[
{
"node": "Classify Incident",
"type": "main",
"index": 0
}
]
]
},
"Classify Incident": {
"main": [
[
{
"node": "Slack Alert",
"type": "main",
"index": 0
},
{
"node": "Gmail RA Director & QA VP",
"type": "main",
"index": 0
},
{
"node": "Log Incident",
"type": "main",
"index": 0
}
]
]
}
}
}
8 incident types with pre-configured SLA clocks:
| Incident Type | SLA | Regulation | Key Action |
|---|---|---|---|
| FDA_MDR_MALFUNCTION_REPORT | 30 calendar days | 21 CFR §803.50(b) | File Form 3500A — assign MDR contact per §803.30 |
| FDA_MDR_DEATH_SERIOUS_INJURY | 30 calendar days | 21 CFR §803.50(a) — criminal risk | File Form 3500A — convene complaint review per §820.198 |
| EU_MDR_SERIOUS_INCIDENT | 15 calendar days | EU MDR Art.87(2) — fastest EU clock | Notify national CA via EUDAMED — assess FSCA per Art.89 |
| FDA_RECALL_INITIATED | 10 working days | 21 CFR §806.10(b) | Submit written report to FDA district office |
| FDA_QSR_NONCONFORMANCE_CRITICAL | CAPA per SOP (30-90d) | 21 CFR §820.100 — top 483 category | Open CAPA — document in DHF per §820.30(j) |
| HIPAA_PHI_BREACH | 60 calendar days | HIPAA §164.412 | Notify individuals + HHS OCR within 60 days |
| ISO_13485_NCR_CRITICAL | Per SOP | ISO 13485 §8.5.2/§8.5.3 | Initiate CAPA — major finding at certification audit if open |
| DATA_BREACH_DEVICE_PATIENT_DATA | 72h GDPR / 60d HIPAA | GDPR Art.33 / HIPAA §164.412 | Notify DPA 72h + HHS 60d + assess EU MDR Art.87 |
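The table gives each clock as a duration, not a date. As an added example (not part of the FlowKit workflow), the JavaScript below turns those durations into due-by timestamps in the language n8n Code nodes use. It assumes `ts` is an ISO 8601 string marking when the clock starts, counts in UTC, and ignores public holidays; `SLA_CLOCKS`, `addWorkingDays` and `computeDeadlines` are hypothetical names.

```javascript
// Added example: clocks transcribed from the incident table above.
// "Per SOP" types have no fixed regulatory clock, so their list is empty.
const SLA_CLOCKS = {
  FDA_MDR_MALFUNCTION_REPORT: [{ regulation: '21 CFR §803.50(b)', n: 30, unit: 'calendar_days' }],
  FDA_MDR_DEATH_SERIOUS_INJURY: [{ regulation: '21 CFR §803.50(a)', n: 30, unit: 'calendar_days' }],
  EU_MDR_SERIOUS_INCIDENT: [{ regulation: 'EU MDR Art.87(2)', n: 15, unit: 'calendar_days' }],
  FDA_RECALL_INITIATED: [{ regulation: '21 CFR §806.10(b)', n: 10, unit: 'working_days' }],
  FDA_QSR_NONCONFORMANCE_CRITICAL: [],
  HIPAA_PHI_BREACH: [{ regulation: 'HIPAA §164.412', n: 60, unit: 'calendar_days' }],
  ISO_13485_NCR_CRITICAL: [],
  DATA_BREACH_DEVICE_PATIENT_DATA: [
    { regulation: 'GDPR Art.33', n: 72, unit: 'hours' },
    { regulation: 'HIPAA §164.412', n: 60, unit: 'calendar_days' },
  ],
};
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Add n working days in UTC, skipping Saturday and Sunday.
// Assumption: public holidays are not modelled.
function addWorkingDays(start, n) {
  const d = new Date(start.getTime());
  let remaining = n;
  while (remaining > 0) {
    d.setTime(d.getTime() + DAY_MS);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// Returns every applicable deadline, earliest first. Unknown types and
// unparseable timestamps throw, so a bad payload is never read as "no deadline".
function computeDeadlines(incidentType, ts) {
  if (!Object.prototype.hasOwnProperty.call(SLA_CLOCKS, incidentType)) {
    throw new Error(`unknown incident_type: ${incidentType}`);
  }
  const start = new Date(typeof ts === 'string' ? ts : NaN);
  if (Number.isNaN(start.getTime())) throw new Error(`invalid ts: ${ts}`);
  return SLA_CLOCKS[incidentType]
    .map(({ regulation, n, unit }) => {
      const due = unit === 'working_days' ? addWorkingDays(start, n)
        : new Date(start.getTime() + n * (unit === 'hours' ? HOUR_MS : DAY_MS));
      return { regulation, due_by: due.toISOString() };
    })
    .sort((a, b) => (a.due_by < b.due_by ? -1 : 1));
}
```

An empty result means the table defers to the SOP, so the due date has to come from the QMS procedure, not from this function.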
5. Weekly MedTech SaaS KPI Dashboard
Runs every Monday at 8AM. It queries KPIs from Postgres, builds an HTML report, emails the CEO with the VP Regulatory and VP QA on BCC, and posts a Slack summary to #executive-summary.
{
"name": "Weekly MedTech SaaS KPI Dashboard",
"nodes": [
{
"id": "1",
"name": "Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
250,
300
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
}
},
{
"id": "2",
"name": "Query KPIs",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
450,
300
],
"parameters": {
"operation": "executeQuery",
"query": "SELECT COUNT(DISTINCT customer_id) AS active_customers, SUM(mrr_usd) AS mrr_usd, SUM(CASE WHEN tier='ENTERPRISE_MDR_PLATFORM' THEN mrr_usd ELSE 0 END) AS enterprise_mrr, COUNT(DISTINCT CASE WHEN qsr_validated=true THEN customer_id END) AS qsr_validated_customers, COUNT(DISTINCT CASE WHEN eu_mdr_applicable=true THEN customer_id END) AS eu_mdr_customers, SUM(fda_mdr_open_7d) AS fda_mdr_open, SUM(eu_mdr_open_7d) AS eu_mdr_open, SUM(iso_ncrs_open) AS iso_ncrs_open, SUM(hipaa_incidents_7d) AS hipaa_incidents FROM medtech_metrics WHERE period_end >= NOW() - INTERVAL '7 days'"
}
},
{
"id": "3",
"name": "Build KPI Report",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
650,
300
],
"parameters": {
"jsCode": "const d=items[0].json;const prev=$getWorkflowStaticData('global');const mrrWoW=prev.mrr?(((d.mrr_usd-prev.mrr)/prev.mrr)*100).toFixed(1)+'%':'N/A';const custWoW=prev.customers?(((d.active_customers-prev.customers)/prev.customers)*100).toFixed(1)+'%':'N/A';const mdrAlert=d.fda_mdr_open>0||d.eu_mdr_open>0?'ALERT: '+d.fda_mdr_open+' FDA MDR + '+d.eu_mdr_open+' EU MDR open':'OK';const html='<h2>MedTech SaaS Weekly KPIs</h2><table border=\"1\" cellpadding=\"6\"><tr><th>Metric</th><th>Value</th><th>WoW</th></tr><tr><td>Active Customers</td><td>'+d.active_customers+'</td><td>'+custWoW+'</td></tr><tr><td>MRR</td><td>$'+Number(d.mrr_usd).toLocaleString()+'</td><td>'+mrrWoW+'</td></tr><tr><td>Enterprise MDR MRR</td><td>$'+Number(d.enterprise_mrr).toLocaleString()+'</td><td>-</td></tr><tr><td>QSR-Validated Customers</td><td>'+d.qsr_validated_customers+'</td><td>-</td></tr><tr><td>EU MDR Customers</td><td>'+d.eu_mdr_customers+'</td><td>-</td></tr><tr><td>Open FDA MDRs</td><td>'+d.fda_mdr_open+'</td><td>-</td></tr><tr><td>Open EU MDR Incidents</td><td>'+d.eu_mdr_open+'</td><td>-</td></tr><tr><td>Open ISO 13485 NCRs</td><td>'+d.iso_ncrs_open+'</td><td>-</td></tr><tr><td>HIPAA Incidents 7d</td><td>'+d.hipaa_incidents+'</td><td>-</td></tr></table><p>MDR Status: '+mdrAlert+'</p>';$getWorkflowStaticData('global').mrr=d.mrr_usd;$getWorkflowStaticData('global').customers=d.active_customers;return [{json:{...d,html,mrrWoW,custWoW,mdrAlert}}];"
}
},
{
"id": "4",
"name": "Gmail CEO + BCC VP Regulatory",
"type": "n8n-nodes-base.gmail",
"typeVersion": 2,
"position": [
850,
300
],
"parameters": {
"operation": "send",
"toList": "ceo@yourcompany.com",
"bccList": "vp-regulatory@yourcompany.com,vp-qa@yourcompany.com",
"subject": "=MedTech Weekly KPIs \u2014 MRR {{$json.mrrWoW}} WoW | MDR open: {{$json.fda_mdr_open}} FDA + {{$json.eu_mdr_open}} EU",
"message": "={{$json.html}}"
}
},
{
"id": "5",
"name": "Slack Summary",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
850,
420
],
"parameters": {
"channel": "#executive-summary",
"text": "=:pill: MedTech Weekly: {{$json.active_customers}} customers | MRR ${{$json.mrr_usd?.toLocaleString()}} ({{$json.mrrWoW}} WoW) | QSR validated: {{$json.qsr_validated_customers}} | Open MDRs: {{$json.fda_mdr_open}} FDA + {{$json.eu_mdr_open}} EU | ISO NCRs: {{$json.iso_ncrs_open}} | MDR Status: {{$json.mdrAlert}}"
}
}
],
"connections": {
"Monday 8AM": {
"main": [
[
{
"node": "Query KPIs",
"type": "main",
"index": 0
}
]
]
},
"Query KPIs": {
"main": [
[
{
"node": "Build KPI Report",
"type": "main",
"index": 0
}
]
]
},
"Build KPI Report": {
"main": [
[
{
"node": "Gmail CEO + BCC VP Regulatory",
"type": "main",
"index": 0
},
{
"node": "Slack Summary",
"type": "main",
"index": 0
}
]
]
}
}
}
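What this does: Tracks MRR (with the enterprise MDR platform tier reported separately), QSR-validated and EU MDR customer counts, open FDA MDR and EU MDR incident counts, open ISO 13485 NCRs, and HIPAA incidents. The Code node keeps the previous run's MRR and customer count in $getWorkflowStaticData('global') and reports the week-over-week (WoW) percentage change, so MRR inflections and customer-count changes surface automatically. n8n saves static data only when the workflow is active and started by its trigger, not during manual test runs.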
Self-Hosting vs. Cloud iPaaS: The MedTech Compliance Argument
| Requirement | Cloud iPaaS | Self-Hosted n8n |
|---|---|---|
| FDA §820.70(i) software validation | COTS tool — unvalidated in device lifecycle = Form 483 observation | Validated by you: IQ/OQ/PQ, Software Validation Master Plan, DHF entry |
| ISO 13485 §7.5.3 software validation | Same as QSR — no validation evidence possible | Validated per your QMS procedure — audit-ready documentation |
| EU MDR Art.87 incident reporting | PHI/PMS data routes through US cloud servers = GDPR Art.44-46 transfer restriction | Data stays in your validated EU/GDPR-compliant environment |
| HIPAA §164.312 technical safeguards | Cloud iPaaS = third-party with PHI access = BAA required + breach liability | Self-hosted = PHI stays inside your controlled environment |
| 21 CFR Part 11 electronic records | Cloud platform may not qualify as Part 11-validated system | Validated n8n instance: audit trail, access controls, electronic signature support |
For MedTech SaaS vendors selling to Class II/III device manufacturers, self-hosted n8n is not a preference — it is a §820.70(i) requirement the moment automation touches your QMS or device records.
Get the Full Workflow Bundle
All 5 workflows with full JSON, Google Sheets templates, and configuration guides are in the FlowKit n8n Automation Bundle:
FlowKit n8n Bundle — stripeai.gumroad.com
Individual templates: $12-$29. Bundle: $97.
FlowKit builds n8n automation templates for compliance-heavy SaaS verticals. Templates are starting points — always validate with qualified regulatory counsel for your specific FDA, EU MDR, and ISO obligations.