Ok, I inform you that to be able to sell our medical devices we will have to be Audited.
You’ve said audit. Oh my god. What should I do? Where should I start? Who should I call? Why am I under panic????
Ok, let’s calm down. Breath In, Breath out.
Yes, if you want to be CE marked following the Medical Device Regulation EU MDR 2017/745 or any other certification, there is no choice. You need to pass an audit.
Let’s summarize the situation for the medical device manufacturers.
Audit situation at your company
If you are selling your medical devices to Europe, then for sure you have a Notified Body. And as required this one will be coming every year knocking to your door for your annual audit.
And most likely, you know very well the auditor as he is assigned to your company for many years now. This can be an advantage but can also be a problem.
The notified body will certify you for CE marking (MDR 2017/745 or IVDR 2017/746)
And also for your Quality Management System (ISO 13485:2016).
If you are selling in Europe, you understand that this audit is critical for you.
If you are transitioning to MDR 2017/745, check this article on the transition period.
How to find a Notified Body?
To help you find a Notified Body for CE Certification, I created this video that explains how the NANDO Database is working.
This is critical for you to find the right entity to certify you.
Subscribe to my Youtube Channel to get notified of my next videos
Or you are selling your products to China, USA or Brazil and then respectively, CFDA, FDA or ANVISA, which are the National Authorities are requiring to audit you.
Here are 2 cases:
- Or you know the regulation of that country and you are already ready.
- Or it’s the first time they audit you and you start to panic as you don’t know what are their requirements.
Here are the links to the different regulations.
Video on MDSAP
Subscribe to my Youtube Channel to get notified of my next videos
Or maybe you are a supplier to a Medical Device Company and I think, this is one is the worst situation ever.
Because you are audited by your customers, then by the notified body of your customers and if you are selling products as a Medical Device manufacturer, you are also audited by your own Notified Body and the different countries where your product is sold.
I audited some suppliers and find issues that I raised as an observation.
But the problem is that I also discovered that this issue is happening within my own company.
No choice, I had to open a CAPA to my company to correct it.
Because I don’t want an external auditor to raise this as an observation during any of my audits.
So I already open the issue as discovered by myself on my quality management system (CAPA for example) and I put in place an action plan to correct it.
And I am not done. There are also the unannounced audits. You know the ones from your notified body.
He is just knocking on the door in the morning around 9 am and say to you “Surprise, I am here to audit you”. This happened to me the end of December when half of the team is already on holiday. But the auditor said to me “Anyway a company should be able to run at any time so you should be able to provide me the documents I am requesting by any mean”.
I propose you also to listen to this anecdote that Florent Guyon, Medical Device Expert told us on my Podcast. See the video below.
I know life is difficult. For me, it was even more.
My company has also an internal Corporate Compliance Group that is doing announced and unannounced audit.
And this is not an internal audit.
And last we have the internal audit. It’s maybe the most important one to be sure to receive no observation from an external auditor.
This audit is the one that is requested by many Quality Management System as 21 CFR part 820 or ISO 13485:2016
So for those that read those line, I can tell you that I understand you. And I am sorry for all this.
For those that never went through an audit, I want you to understand what will happen. For that, I will walk you through this like if you were the host of an audit. So you’ll feel like you are in the Audit Room.
For those that already know how an audit is going on, you can compare it with your experience. I will also provide you with advice on how to pass the different steps.
I will use the example of an announced audit so this is less stressful.
I have a question for you, and please it would be great if you answer the comments below this article:
Process for an announced audit
Any audit I participated to had nearly the same framework. So I suppose yours will look the same. But don’t hesitate to comment if you have seen something else. Always curious to learn from feedback.
First of all, you get in contact with the Notified Body to agree on the date of the Audit. They make some proposal and you agree or provide another choice.
I advise you to do that several months earlier.
- First to be sure that the auditors are reserved and can come early enough before the due date of your certificate.
- Second, you need also to have your team available. So if you can know the date earlier, you can tell your team to be present and to not plan holidays during that time.
When everything is agreed, the auditor should send you an agenda.
I had several experiences where the auditor sends that agenda few weeks or even previous week to the audit. This is not helpful but this should not disturb you.
When you’ll receive it, you’ll see exactly when each topic will be discussed. You’ll have to agree to this agenda or propose some changes.
Don’t forget to communicate the final Agenda to all the team as soon as you receive it. They should know on which day they must be ready to support the auditor.
Before the auditor arrives
Let’s say that your audit starts at 8.30am. You need to gather your team 1 hour earlier to explain them the agenda, the different topics that will happen.
Why so early?
Because your team needs to be ready to support. Even if the topic of one department is at the end of the day, you’ll not have time to explain them the process. So better to explain everything in advance.
Front Room / Back Room
We usually use the concept of Front Room / Back Room to support an audit. But this is not a rule. You can choose your own method.
On my first audits, we were not so well organized. When an auditor asked a document, what do you think we were doing?
We get the binder and opened it in front of the auditor. We were flipping page by page to find the right document. It can take time and we can see some issues while flipping pages.
The result was a lot of Minor Non-Conformities.
For those that don’t know how a Front Room/Back Room concept looks like, here is an overview.
The Front Room is the room where the Auditor and Host are located. Usually, in this room, we have also some people that support the audit.
- Scribe: Writes all that the auditor is saying
- Requestor: Is writing the requests of the auditor
But those 2 roles can be held by only 1 person.
On the other side, we have the Back Room. It’s a room where a team dedicated to the audit is present. They are in charge to receive the requests and prepare the document for the Front Room.
Scribe notes are very important. The team in the Back Room can read what is happening in the Front Room and be ready to provide the right request knowing the context. Without this, mistakes can happen and delay some requests. Or even worse, provide documents that are not suitable.
How to communicate between each room?
To communicate between Front-Room and Back-Room you can have a dedicated system or use what is on the market. For example:
- a Chat messenger to talk between each room
- A Web Conference tool to see the Scribe notes (Screen share)
- An excel file on a shared drive to place requests and someone dedicated to managing them.
- Or at least you can only use a paper-based system
Think “Out of the Box” on the way to do that.
The Back Room is also a buffer. This means that this space is dedicated also to find issues and to discuss the solutions. You’ll see later while we go through the audit problems.
To be clear, this room can be your secret weapon to succeed in any audit.
Let’s now dig more on the audit process.
When the auditor will start the opening meeting, he will review with you again the agenda. And he can ask you to change something or you can also ask for changes.
So you see you can discuss with him. Don’t worry.
During the opening meeting, you have to make a presentation about your company
- Quality Policy
- Organization (Org charts…)
- Activities performed inside and outside
- Products that you are manufacturing
- Classification, certification…
- Security information
The outline of the presentation is really up to you. You can decide to present more information or even less.
To help you I created an opening presentation template.
You can get it below.
This part is really strategic as you can already provide some information that the auditor will look for later. So this will help him to understand some processes and decrease the number of questions.
For example, if you are a company where some of your activities are externalized, then it’s important to mention it. This can avoid some misunderstanding.
Your Motto during an audit is:
“No question, No Problem”
Less question you receive, higher will be the chance to get “Zero Observation”.
Please, share with your network
Then at this stage, there can be 2 choices for an auditor:
- Decide to have a plant tour first to have a better vision of the company
- Or, decide to make some document request now and go for the plant tour while you are gathering all the information.
I like the second choice as during the plant tour usually, we are doing nothing. But if we already have some requests, we can use the time to prepare documents and most importantly to review them.
This is where the concept of Front Room/Back Room can be useful.
It is a critical part of the audit. You will show to the auditor all your processes. And he can see a lot of things.
Once I read an article that was really helpful to understand how to prepare a plant tour. It’s called “Read a Plant Fast” (Harvard Business Review May 2002 – R. Eugene Goodson)
This plant tour should be well prepared by knowing where you want the auditor to go. You should prepare the way before the audit. But some auditors can ask you to go somewhere else.
Maybe you ask yourself, “Yes but what can he see?”
- Your Red KPIs that are hanging on the walls
- The post-its that are hanging on the machines and which are not compatible with “Data Integrity”
- He can find gages that are past due to the calibration date
- He can see people not wearing the right clothes in an ISO controlled room (White room)
- He can see that a machine is under maintenance but the maintenance agent is not following the company rules
He can see so many things. And don’t forget that we are talking about a professional auditor who is doing this exercise all days. So he already has the experience.
Then what should you do?
Plant tour review
You should put yourself on his shoes and prepare the audit like if you were the auditor. Create a Plant Tour Review program.
This means that you plan to go on the workshop and perform a plant tour and review all potential compliance issue. I am not asking you to do that the week before the audit, but minimum 3-4 months before.
You then train the teams and explain them the issues. And if possible you keep this process even after the audits. It will then cost you less effort and will be on the objective to be always “Audit ready”.
As mentioned previously, “Unannounced Audits” are also a possibility so you need to always be ready.
Return to Audit room or Front Room
You just finished your plant tour. Now the auditor will start to follow its agenda. He will then start to provide his requests.
What is important for you is to play ahead of him.
You already have the agenda so you should know what the auditor would like to see. Let’s say that on the agenda the next topic is “Management Review”, what would you do?
If you ask me I would prepare this topic:
- I would print the Management Review Procedure and read it again to see that all is correct
- I would print the 2 last Management Reviews and check that everything is ok
- I would prepare the SME (Subject Matter Expert) that will speak about this topic to the auditor
- I would check if some of the metrics were Red and what was the reason
- I would confirm that all the actions that were to be done are complete and also go to the workshop and check that this was implemented.
And this list is not exhaustive because as soon as you dig on a topic you can find something else.
The most important for you is to know when there is a problem on your system before the auditors mention that to you.
The worst that happened to me was when the auditor looked at a document and mentioned a big issue that we haven’t seen.
Why is it a problem?
Because we haven’t reviewed that document. We just thought that our system was ok and no issue can happen.
But human is human so even if it was not on purpose, this happened because we didn’t prepare well for that audit.
I really ask you to prepare your SME (Subject Matter Expert) to enter the audit room.
The auditor asked you (the host) a question about maintenance of an equipment and you do not really know, so you call your joker. The Maintenance Manager comes and sits in front of the auditor.
The auditor greats him, ask him his name and his function. Then he opens a document and asks:
- Auditor: Why this maintenance was not done on-time.
And what follows can be a nightmare.
- SME: I know, I told my management that I need a replacement of an employee that is on long-term sick leave. And they refused. So I had no resource to execute the maintenance on time. I still have on my planning 10 machines that are late for 3 months now.
And you see that the auditor is a professional one because he didn’t move an eyebrow when he heard about this. What he made was smart. He just said:
- Auditor: Ok, 10 other machines are late which I understand with your situation, but are they working ok?
- SME: Oh yes, they are working well. All the products that are manufactured are still ok. I can show them to you. There are 2 cleaning machines, 3 CNC…
I am here in the Front Room looking at this SME disclosing all potential issues without providing any information related to the procedure. And also putting the fault on management.
Worst moment of my life. All this because this SME was not well prepared.
And to be clear, I am not saying that the SME should lie
Rule Number 1: Never lie to an Auditor
But only to answer the question of the auditor and nothing else. Without talking about the thing that he never asked or basing his answer to a feeling.
If I am an auditor and I see that this person is talking a lot, I will continue to ask open questions so he tells me everything. Even things that I never asked.
So, first create a list of SMEs and confirm each one as the right SME.
What does it mean? How should I do?
How to prepare an SME?
- Audit the SME.
- Train the SME.
- Tell the SME how they should behave in front of an auditor.
Before they enter the front room, tell them what is the problem the auditor is concerned about or simply what is the question. The SME should know why he is entering the Audit Room. He should not discover that inside.
And if a problem is discovered, it should be known before him entering the Audit Room. He can then already have a scenario on how to answer this problem.
Let’s redo the dialogue with the right scenario:
- Auditor: I see that a Maintenance is late. Can you explain to me that?
- SME: Yes for sure. This maintenance is late but we have a tolerance of 3 months for this equipment. See here in procedure PR3
- Auditor: Ok. And can I see the document mentioned here to justify the fact that it’s late?
- SME: If you read well the procedure. This equipment is still on the tolerance period so technically not late. The document you request is when the maintenance is paste due to the tolerance period.
- Auditor: Ok, so there is no problem?
- SME: No, we are compliant to our procedure
I know it’s too perfect. But it’s an audit that is well prepared.
But imagine now that your SME is so ready that he knows the procedure and the exceptions to it. Plus he knows the situation of the machines and can justify them. This is possible, but only if you implement the preparation for this audit.
Houston! We have a problem.
(If someone asks me what means this sentence, or I am too old or people didn’t watch the movie Apollo 13)
Do you think that Houston, when received this message, said: “ok, we cannot solve it, so you are dead”.
No, they’ve made all that was possible to solve the issue.
This is exactly the attitude you should have when the auditor did find a problem. You should not say to yourself that you will have an observation. You should ask yourself how can I solve this problem to not receive any observation.
First ask again the auditor what is the exact problem and also what he thinks would have been a good answer to this problem. Write it down. Ask as many questions as possible to the auditor and don’t be shy. You should be on survival mode.
So when you completely understand the problem, you need to create a team outside of the audit room (Back Room for example). Find the SMEs and tell them exactly what is the issue and how they can find a solution.
Be creative. Review the regulation to check the requirement. Contact some other SMEs if needed. Do whatever possible to find an alternative.
Don’t give up until the auditor calls for the closing meeting.
First day over
The auditor is here for a few days. And the first day is finished.
But stop, don’t go home.
I see you already backpacking your stuff and leading to the door with a big smile. You already think about what you’ll do this evening.
Sorry to destroy your dream but you still have some tasks to do.
Before the auditor goes back to its hotel, ask him a few questions:
- Is there any confirmed observation for the moment?
- Did you had all the requests for today or do you still wait for some (You know the request list, but the auditor should confirm that to you. Don’t volunteer information)
- Are there any new requests to prepare for the next day?
Then, gather your team and discuss what exactly happened in the Audit Room. Tell them what the auditor reviewed, what were the problems. Define a team of people to initiate the strategy on how to find an answer to the problems.
Prepare also the next days. You know what is on the agenda so confirm that all is ready.
You maybe have some requests that were not presented but still requested by the auditor. So check the status. Check if there is a problem with them.
As I told you. Before to enter again the Audit room, you need to know the situation and prepare to answer the auditor.
Next and last day
Before the auditor arrives, you gather again your team to have a briefing. Try to understand if all is ready. Try to check if there is a strategy for the issues discovered.
The auditor is arriving. You have some small talk with him about his evening and the restaurant.
And he asks now to receive the next requests. He already has its list ready. He is asking of the status of requests that were asked the previous day. You know the answers and provide that to him.
Most important for you is to be quick to answer. If you are not answering quickly, the auditor will think there is a problem. If he thinks there is a problem he will dig more on the process and for sure find something.
No question means no issue. So try to provide information to the auditor that are not raising more questions. If you are prepared, you then know where one question can lead. And then you can anticipate the next one.
I am a chess player, so sometimes I compare an audit to a chess game. I was already “chess mate” but I learned from it. And I try to not make the same mistakes for my next game.
Try to prepare yourself so you can anticipate questions and already have the answer to it. This can sometimes impress the auditor.
Many times you already know the result as the auditor did already disclose the problems. But I like the times when I don’t know.
Usually, this is when we had a problem and when the auditor didn’t disclose if our answers were closing this topic or leading to an observation.
The only goal I have when arriving at that meeting is to hear the words “I don’t have any observation to raise”.
This doesn’t mean that the company has no problem as an audit is just a sampling of the Quality Management System. But this means that we had a good preparation and that we worked as a team to reach that objective.
One other thing. During this audit, you will maybe find some issues to your Quality Management System. If the auditor didn’t find them this time, it doesn’t mean they will not find them next time.
So my advice is to solve those issues so they cannot be caught again. Don’t just put them under the carpet.
What is the consequence receiving some observations?
When the audit is finished, the auditor has to provide you with an Audit report. This audit report can be formatted with this guidance from IMDRF.
So, is it a problem to receive an observation? I would say that it depends.
There are 2 classes of observations:
- Minor Observations
- Major/Critical Observations
For a Minor Observation, this can be a low-risk issue. You need to put an action plan in place maybe through a CAPA (Corrective Action Preventive Action) and then send that to the auditor.
For a Major/Critical Observation, this can be more a problem. It should be the same process as a Minor Observation, but this can impact your products.
So maybe you’ll need also to put in place a plan volunteered by you or requested by your Auditor:
- Stop Shipment
As said this depends on a case by case situation.
But anyway, Minor or Major, an observation is more work for your team. You’ll maybe have to delay some of your projects to be able to answer on time.
I hope this Case Study was helpful to you to anticipate any audit organization issues. You can see that an audit is like an exam.
This can make a company authorized to sell products.
As mentioned, what I presented to you is one method to prepare an audit, so you can choose yours.
But I know that this method is the one that helped me to reach “Zero Observation” most of the time.
I would be really interested to hear from you on the comments.
Question to you: “How are you preparing your company for an Audit?”
Medical Device expert. Monir founded Easy Medical Device to help Medical Device companies to place compliant products on the market. He proposes his consulting services so don’t hesitate to contact him at firstname.lastname@example.org or +41799036836
My objective is to share my knowledge and experience with the community of people working in the Medical Device field.