7 Steps To Survive Your Next Device Compliance Audit

By Marcelo Trevino, independent expert

Practical tips for successfully meeting global regulations and notified body expectations

In today’s global medical device industry, manufacturers must endure a wide range of compliance audits, leveled at them by organizations both domestic and abroad. We face CE mark certification, surveillance, and recertification audits performed by notified bodies. Regulatory audits are brought by the likes of the U.S. FDA, Brazil’s ANVISA, Australia’s TGA, and Japan’s MHLW, to name a few. We experience internal audits, product audits… and the list goes on.

While each type of audit carries its own unique set of specific guidelines and requirements, there are overarching audit management best practices you can follow to make your next experience more effective and less stressful. Follow these seven tips to ace your next audit, whether it’s with a regulator, a notified body, or any organization conducting a compliance assessment or investigation.

1. Maintain a constant state of preparedness
This really goes without saying, but you should always have the necessary information ready for an audit, whether it is a scheduled or unscheduled audit. Many people feel confident that they either know or will be able to easily locate the information they need. That may be true when you know the audit is coming and you have enough time to prepare, but it is a lot more difficult when you have an unannounced inspection.

The FDA has been conducting unannounced inspections of medical device manufacturers for several years, but now notified bodies are starting to show up on site unannounced. The new European Commission Recommendation 2013/473/EU requires notified bodies to conduct unannounced audits, not only of device manufacturers of CE marked products, but of their critical suppliers and subcontractors as well. You need to stay on top of the standards and make sure you are familiar with current regulations — not only for planned audits, but for surprise audits that may be lurking around the next corner.

2. Establish a framework
It is critical that you have a structure in place to manage an audit. For example, you can create an audit checklist by reviewing ISO 13485 or the FDA’s QSIT (Quality System Inspection Technique). Generate a flow chart that shows all the questions that you could be potentially asked by the auditor, and then determine what objective evidence you will need to provide to prove that you are compliant with each question, each requirement. It also helps to come up with some specific examples that demonstrate your compliance.

I recommend you go through this exercise for each country in which your product is marketed. It is very helpful to identify the specific requirements and subtle differences for each regulatory body.

3. Prepare a “front room” and “back room”
Establish both a “front room,” where your quality or regulatory affairs staff will interact directly with the auditor, and a “back room” of support staff and subject matter experts who will help answering the auditor’s questions and providing additional information.

One of the critical pieces of documentation the back-room team should have on-hand is an organizational chart — almost every inspector wants to know what functions are being performed at the site and by whom. Another is the facility layout, to help explain the site’s workflow to the auditor. Your quality manual, quality policy and objectives, and top-level procedures are other pieces of documentation that will be requested at the beginning of most assessments.

The front-room team will be able to answer many of the auditor’s questions on their own, but they almost certainly won’t be able to answer all of them. Often, the discussions will become technical, and the auditor will want to talk to the subject matter experts who are doing the actual work, not the quality or regulatory person. Which brings us to our next point…

4. Coach your subject matter experts
While quality and regulatory employees usually have experience dealing with auditors, their colleagues in design, manufacturing, or other departments may not. If there is any chance a subject matter expert may be called into the front room, you must prepare them to appropriately handle the situation — coach them on dos and don'ts.

One piece of advice I give subject matter experts is this: If you don't have a good answer to an auditor’s question, it’s better to say, “Let me find out the details, and I'll come back and give you the answer,” rather than providing an insufficient answer. Sometimes auditees feel forced to say something, just because the auditor is there, even when it isn’t the best answer — or worse yet, an inaccurate answer. This can just complicates things throughout the audit.

Another recommendation is to stay calm and only answer the questions you are asked. In some cases, subject matter experts start talking about topics unrelated to the auditor’s questions, often because they are nervous. Unfortunately, it can frustrate the auditor or take the audit down a path you would rather not see it go. If they don't understand the question, advise them to ask the auditor to repeat it, reformulate it, or provide an example of what they want to see, instead of guessing or talking about matters that might be off topic.

5. Rehearse
On a related note, it often helps to conduct mock audits with the staff members who will — or might — be involved with an audit. This will help them get acquainted with the types of questions they will face, and practice how they will respond, especially on topics they may not have considered or may feel uncomfortable discussing. Mock assessments can help you really work out those details ahead of time.

Additionally, ask members of the team to review related information on their own. Have them complete your audit checklist (see #2 above) independently and share the results with you. At the end of the day, it’s not that complicated — they just have to tell the auditor what they do on a daily basis, and be able to explain how their work meets compliance to the standard or regulation requirements in question. It’s more a matter of them feeling comfortable with the material, and then feeling comfortable explaining themselves to someone who might look to challenge some of the work that they did.

6. Factor in cultural differences
If inspectors from outside the country come to visit your facility, I strongly recommend that you tailor your audit to meet their particular preferences. Familiarize yourself with their customs, expectations, and protocols in advance, to avoid any possible frustrations during the audit process.

For example, auditors from certain countries may come from pharmaceutical backgrounds, in some cases because their country’s device regulations are relatively new. While pharmaceutical regulations are similar to medical device regulations, they are not exactly the same. As a result, your auditor’s questions may not make a lot of sense to you, at least initially. Keep this in mind, and be patient with them.

Speaking of being patient, auditors from outside the country will typically bring a translator with them, which tends to significantly slow down the audit process. The auditor asks a question, and then you have to wait for the translator to explain it — and sometimes the translation is not exact. The flow will be very different than what you are accustomed to with an FDA inspection or notified body audit. It might take a little bit longer, so just be very patient and understand where they are coming from.

Respect and courtesy are very important in certain cultures, so you must take that into account with your audit prep. Auditors from some countries will expect to speak with the most senior person in the organization; if that person is not available, they might view this as a sign of disrespect. If an auditor expects to see suits and ties, and your team shows up in casual attire, you run the risk of having the auditor feel like you are not taking them — or the audit — seriously enough.

7. Do some auditor reconnaissance
How can you determine the specific cultural expectations and requirements of an auditor before an inspection? One way is by asking a coworker who is located in that country, and who has experience dealing with the agency and its protocols. They might be able to tell you if everyone should be wearing a suit, or if the auditor likes to take breaks at a particular time or have the rooms laid out in a particular manner.

If you don’t have this luxury, you can always try posing advance questions to the auditors themselves. Ask them what their background is. Ask them if there will be an agenda for the audit. Ask them what specifics they expect to see. The more you can ask, the better.

Sometimes the auditor will be willing to work with you, because they know it will help things run more smoothly during the audit. Other times — and this is often the case with regulators — they are unwilling to provide much information in advance. You just have to anticipate how the audit is going to go, and prepare the best you can.

However, it never hurts to ask. The worst they can say is “no.” And if they say “yes,” you may just obtain the information you need to not only survive your next audit, but to make it a resounding success.

Editor’s Note: If you're interested in learning more about this topic, Mr. Trevino is teaching an online course called Device Compliance Audit Management — Best Practices to Meet Global Regulations and Notified Body Expectations on April 21, 2014, at 1:00 pm EDT.