Contact us now to get a quotation on our services

Easy Medical Device Merger and acquisition

Being bigger and bigger, this is the motto of any multinational company which leads to some big Merger & Acquisition (M&A). From Internet companies as Facebook, Google to healthcare companies as Valeant Pharmaceutical or Pfizer, all want to gain more market share. But being bigger is not always easy if the complete integration is not strategically planned.

Merger and Acquisition

When a company is looking to acquire another one, the first aspect that is taken into account is if there will be a quick return on investment. This count for the majority of the decision and its normal as the objective is to make a profit. For the other aspects, usually, the idea is that this would be solved after the acquisition.

Which other aspect are we talking about?

For any healthcare companies, product compliance is this other aspect. If after the acquisition we discover that this company was delivering known non-compliant products, this can lead to court, to recall or destroy the image of the brand.

The other important aspect to consider is the Data Integration. If both companies are using different software, is there a possibility to merge both databases? Can the company maintain both software? Or we can also talk about the way the Due Diligence was executed.


On this article, we will specifically focus on regulatory and quality aspects for a healthcare organization and what company boards need to focus on to avoid some critical situation.

Company Strategy

The assumption of all Executive Directors is that if a company is CE certified or if they have been audited by FDA this means that there is no risk with compliance. Wrong, we still need to be careful, as the risk still exists. A deep investigation of those topics during the due diligence process is key to minimize the possibility of a bad deal.

Imagine now that anybody acquired PIP (French company scandal) and they discover after the acquisition that they were manufacturing products with a non-compliant gel. The mother company will then be associated with the scandal even if they have nothing to do with that.

Notified Body Situation

For information, a CE mark is provided by a Notified Body (TÜV, SGS, GMED…). Those companies are auditing you and make a snapshot of the company by sampling information and now also sampling products. It’s important to consider that they are mainly private entities paid by the industry to get the CE mark certificate. The industry can choose the Notified Body they want if this one doesn’t satisfy them. For example, in the US this is not possible. Only FDA which is a governmental organization can give you the authorization to sell or can stop it.

But because of the change in the EU regulation (Medical Device Regulation MDR 2017/745), more and more we can see a decrease in the number of Notified Bodies. Some of them are not able to comply with the new EU requirements.

This is good news for compliance but a bad news for companies as this means also a long time to get certified because there are not enough bodies to manage all companies. A proposal was also made to create Super Notified Bodies for specific products of high risk.

DICT Methodology

We propose you to put in place the DICT methodology which is composed of 3 phases

  • Phase 1: Due Diligence
  • Phase 2: Integration
  • Phase 3: Crash Test

This methodology as you can see is not so sophisticated. But I am sure not so much companies are following it. As mentioned, we usually have a plan until the signature of the agreement. What happens after seems to be an adventure that should normally be prepared. For those familiar with lean manufacturing, we should take some lessons from the Pit Stop or SMED methodology. Workers are preparing before the end of a cycle all that they need for the next cycle so they don’t lose time.

Due Diligence

This phase is done prior to the acquisition. This is something that should be performed for each company the organization wants to acquire. On this section, we will focus on Quality and Regulatory affairs but for sure the Due Diligence should be global for all the aspects of the company.

For experts of Quality and Regulatory affairs within Medical Devices, the following information will not be so informative as these are basics.


We will first have a look at the certification of the company. As mentioned this should be performed by a Notified Body in Europe and by Health Authorities in other regions (FDA, ANVISA, SFDA, Health Canada, JPAL…)

The first tip is that you should challenge this certification. You should look at the dossier like if you were the auditor and looking for the mistake that nobody had seen. This is why experts in the area of the company should be appointed to review this. A company manufacturing knee implants is really different from a company with X-ray machines. Even if the ISO Quality System can have similarities, the regulatory part will be really different.

Some tricks that happen also is the fact that some companies don’t renew their certificates, so they mention that they are certified but the date on the certificate already expired. This should be looked at carefully as this can lead to important issues in the case of re-registration of the products.
If the acquisition of the company is because of a specific product, you should then have a deep look on the technical files or 510K or PMA, the clinical evaluation, the type of complaints received, the CAPA opened, issue that has been escalated…

Don’t hesitate to ask questions to the employees to understand the context. Maybe there is a good reason why we have 400 complaints received for a problem on power issue for this product. Probably a CAPA was already opened to address this issue. Potentially, this is not stopping the customer to use the product; maybe this is only because of a misuse… But maybe this is the tree hiding the forest.

Act as an auditor who wants to check if the Quality System is working and to define what are the strengths and the weaknesses of it. The history of this company is also on people, so asking key employees while they are still available is instrumental to the success of this M&A. They can decide that they will not follow you after the M&A.

The packaging material

This can speak to you. So listen carefully. Look at the label, the IFU (Instruction for use), the information mentioned on the product itself.

Imagine you look at a medical device product where you found that there is a CE mark but no Notified Body ID (This is a number written near to the CE mark (4 digits) which indicate who is the notified body). As you are an expert so you know that this product is a class I and that it’s not sterile or do not have a measuring function. But you also know that class I products are not certified by Notified Bodies because considered as low-risk products. This means that the company made a self-certification. You should then assess during the Due Diligence if this product is really a class I product. And check where it’s already registered.

You should also know that some products considered as Medical Devices by the manufacturer should be in reality classified as Medicinal products (Pharmaceutical) products if one of their ingredients is considered an active ingredient (rule 13 of the EU MDD 93/42/EC).

For example, looking at the IFU, you can see what is the intended use for this product. So if it’s sold as a product intended to protect the skin through a physical action but one of the ingredients is known as having other properties that are more pharmaceutical, you should then investigate more deeply. This product can be classified as Class III (Rule MDD) or as Pharmaceutical depending on what is claimed.

Read a plant fast

There is some efficient tool to have a good understanding of the company and the manufacturing plant. In case during the Due Diligence, they offer you a tour of the plant, there are some key points to look at. The methodology “Read a plant fast” can be a good friend to collect information that will permit to see if what you are acquiring is really worth. Look if you see procedures on the workplace, if the defects are high on the boards, if people are well trained on what is a Quality Manual and if there is any Quality Policy spread on the area.

For those that want to know more on this methodology, an article on Harvard Business Review makes an extensive description of it (HBR article)

Quality Data Investigation

“Data integration is often forgotten in the process of a merger or an acquisition, as a result of the ever-present disconnect between business and IT.” mentioned Gary Allemann, MD at Master Data Management on its article “Mergers and acquisitions – don’t forget about the data“.”SIX HUNDRED BILLION DOLLARS ANNUALLY – Got your attention? That is what poor data quality costs American businesses, according to the Data Warehousing Institute.”

The IT platforms we are using are really important. Some companies think that a big company can integrate easily the small one. If the small company does not have the same kind of activities then they can be using some specific software.

For example, the mother company does have a complaint management system which mentions the use of specific software. The small company who is delivering a product that needs specific requirements developed customized software to receive complaints that can trigger specific actions following the type of data. This is new for the big company. Should we then continue to use both software knowing that the complaint department of the small company will be divested? Can we merge both software or customize the big company software to be able to integrate those data. All this should be defined prior to the acquisition to see how much this will cost.

This part of the Due Diligence should be conducted as a real certification audit by experts of the products. By doing this, the mother company can avoid some surprises as receiving a Warning Letter from FDA or withdraw of the CE mark certificate.

After the consolidation of all the data, the company decides to move forward and approve the acquisition. Then as all the information is available, we can start Phase 2 in a confident way.


For this phase, there should be a creation of a specific project with a dedicated team and a dedicated Project leader. For the integration, an experienced manager – not only in Quality and Regulatory – should be hired.

The success of this project will be on the human. Many activities will be linked to basic actions as transferring some folders from area A to area B, but the majority will be on defining the right strategy to reach the objective.

The Project leader will then create his team and a specific person should be dedicated to each area. For Quality and Regulatory, we can have 1 leader or 2 leaders (One for Quality and one for Regulatory affairs.) and a budget should be allowed because on the Quality and Regulatory area there are many topics that can cost money:

– Data transfer

– Product re-registration

– Transfer from Notified Body A to Notified Body B

– Update labeling

For the structure of the future Quality System, if the mother company has a data governance this should then be easy. This notion can be discovered on the article of Rob Karel talking about “Measure the success of a merger by the quality of your data”.

For some companies that dream to be multinational, they should define a rule to integrate new entities. Should the quality system be “One” with one Quality Manual for all the regions, with one certificate covering all this? The risk is that if there is an issue, this can impact the worldwide system.

Or should we have a Core Quality System with all the main tools as CAPA, Audit, Non-conformities, Training… and a Local Quality System with a specific procedure for the region that is not impacting the other entities and also with its own certificate.

On the human side, training of new people is critical. The acquired company will have to deal with a lot of difficulties as many changes are happening. If the processes they were used to use are also changing, then a high support from the mother company will be needed. A training program should be defined and implemented. Training matrix should be reviewed as there could be new roles or new regions with a different type of training needed.

On some small companies, the Quality System is not sophisticated. So this could be a shock to new employees if by now for each new documents, they need 1 month before its implementation. Knowing that before by the same day, an assistant was going on each office to collect the signatures and the day after it’s released on the system.

Crash Test

Imagine now an automotive company who manufacture their last Sports Utility Vehicle (SUV) and want to put it on the market. Before that, this vehicle should pass the crash test and on a similar view, our Merger & Acquisition should also pass this test with specific expectations. For our crash test we will evaluate:

The individual

We will need to check if the individual is ready and has all needed to provide the right expectations. We will need to answer questions as:

  • Is the individual enough knowledgeable on the Quality and Regulatory information (Basic information)?
  • Are they able to talk to an auditor?
  • Do they know where to find the information?
  • Is there enough Subject Matter Experts (SMEs)?

The group

As a company, we need to see if there is a potential risk. The company should be able to analyze the risks and to put in place an action plan to solve them:

  • Do we have a regular review of the performance of Quality and Regulatory through Management Reviews?
  • Are enough resources in place to sustain compliance?
  • Are all the potential issues addressed or included in an action plan?

The environment

An evaluation of all the activities should be performed. Mainly external audits or customer communication.

    • Can we get certification without Major or Critical observations?
    • Are we ready to manage an external audit?
    • Are we ready to manage a recall or a stop shipment?
    • Is there an audit readiness plan in place?

A mock audit or internal audit should serve as the Crash Test. An outside auditor should come and act as a real auditor and challenge the team. Employees should participate actively in this audit and act as this is a real one.

Some company is using a mock audit with a similar methodology as the FDA. An auditor is just knocking on the door and saying that he comes to audit the company. This will test the reactivity of the company, the organization of an unexpected audit, the availability of SMEs.


A Merger & Acquisition within the medical device or even pharmaceutical companies is a big project to be managed seriously to avoid extra cost because of non-compliance or to fail on sustainability. This DICT methodology can help to investigate all the areas of your company.

To be more interactive, I expect some comments regarding the methodology and see if people experience issues not addressed in this article.

3 Steps Medical Device Merger & Acquisition Compliance Review (M&A)
Article Name
3 Steps Medical Device Merger & Acquisition Compliance Review (M&A)
Learn the DICT methodology to perform a Medical Device Merger & Acquisition (M&A) compliance review. 3 Steps: Due Diligence, Integration & Crash Test audit
Publisher Name
Easy Medical Device
Publisher Logo
Categories: Compliance

Monir El Azzouzi

Medical Device expert. Monir founded Easy Medical Device to help Medical Device companies to place compliant products on the market. He proposes his consulting services so don't hesitate to contact him at or +41799036836 My objective is to share my knowledge and experience with the community of people working in the Medical Device field.

UK Representative from January 1st, 2021

Contact us