Strategic Planning for Regulatory Compliance

Will you wait until your company has an unannounced audit by a Notified Body? Or will you develop a Quality Plan to prepare for these changes? The principles in this article apply to all medical device manufacturers, any device and every new and revised regulatory requirement. The purpose of this article is to illustrate best practices in strategic planning for companies.

This is a brief story about an orthopaedic device manufacturer somewhere near you.

March 21, 2010: The M5 version of the European Medical Device Directive (MDD) went into effect. Your company was relying upon a regulatory consultant to help stay current with the European requirements, but there were no new CE Marked products at that time.

December 4, 2010: Your company received a major nonconformity during an annual surveillance audit by the Notified Body. The nonconformity was specific to your company’s failure to be compliant with the changes in the M5 version of the MDD.

January 2, 2011: You joined the company as the new Regulatory Affairs Manager. You had 45 days to implement corrective actions so that the company could continue to sell implants in Europe.

February 15, 2011: The Notified Body “knocked-down” the major nonconformity to a minor nonconformity. You had until your recertification audit in December to complete the corrective action plan.

September 26, 2012: The European Commission released a proposal for a new Medical Device Regulation.[1] This is the most sweeping change in European medical device regulation since the CE Marking process was first implemented in 1993. The proposed regulations will be debated in the European Parliament and the Council of the European Union during 2013, and the final regulation is expected to come into force sometime in 2014. The top management at your company decided to wait until the regulations are finalized.

October 10, 2012: The third revision of the Code of Conduct for Notified Bodies is finalized. This third revision includes minimum requirements for the frequency of unannounced audits at medical device manufacturers. You were unaware of this change, because you have been focusing your time upon the completion of a 510(k) submission for the US FDA.

December 19, 2012: You completed a Notified Body annual surveillance audit, but the auditor identified a negative trend of complaints about damaged packaging that your company has not yet taken corrective actions to resolve. The auditor also issued a minor nonconformity related to supplier controls for a contract manufacturer that performs contract packaging for your company.

May 14, 2013: Your Notified Body shows up unannounced at your contract manufacturer to perform an audit. You are one of the first companies to be subject to an unannounced audit. This is part of the specific interim measures that Notified Bodies are required to implement in 2013.2 The Notified Body issued a major nonconformity against your company related to the lack of supplier controls. The supplier was not following your company’s documented procedures regarding final inspection of packaging prior to shipment to the contract sterilizer.

The above fictitious story illustrates how companies that do not take a proactive approach to preparing for changes in regulations can be caught unaware. Will you wait until your company has an unannounced audit by a Notified Body? Or will you develop a Quality Plan to prepare for these changes?

Although the most significant regulatory changes on the immediate horizon are specific to CE Marking, the principles in this article are applicable to all medical device manufacturers, any device and every new and revised regulatory requirement. The purpose of this article is to illustrate best practices in strategic planning for companies.

In order to ensure that you are prepared for regulatory changes, I recommend the following step-by-step approach:

  1. Develop systematic processes for gathering information about new and revised regulations.
  2. Perform a gap analysis of your existing policies and procedures against these new and revised regulations in a timely manner.
  3. When needed, initiate Quality Plans for implementing changes in your Quality Management System (QMS) when gaps are significant.
  4. Hire independent regulatory experts to perform internal audits of regulatory compliance (i.e., mock inspections) at least once per year.
  5. Develop qualified back-up personnel for the Management Representative so that someone is prepared to take action (when needed) in absence of the Management Representative.


Convincing the senior management of a small or mid-sized company to make investments in regulatory affairs is quite difficult—until you have a Warning Letter or your Notified Body threatens to suspend your CE Certificate. The cost of implementing corrective actions and supporting special audits to address nonconformities is significant, too. If you have to hire regulatory experts to implement corrective actions urgently, the cost can quickly equal an additional head count. Therefore, I offer this detailed advice for preparing for regulatory changes.

#1 – Identifying New & Revised Regulatory Updates

This is difficult primarily because many of the people responsible for regulatory affairs are not aware of where to look for knowledge. The most common recommendation is to subscribe to RSS feeds to learn of updates. These are provided by most of the FDA, Notified Bodies, authorized representatives, bloggers and organizations that issue standards (AAMI, ANSI, ASTM, etc.). If you subscribe to an RSS feed for this purpose, you actually need to read your emails. When there is something new that requires further investigation, I recommend creating an automated task reminder in your smartphone or your computer to do the work when you have the time.

In addition to the sources of new regulations and standards, you also need to be aware of trends in the industry. Professional networking organizations such as RAPS and ASQ are great for word of mouth. LinkedIn discussion groups and regulatory blogs are my personal favorites. Calling a regulatory affairs colleague who works for a different company is a great way to compare notes too—especially when you hear that someone just experienced an FDA inspection or an unannounced audit.

The third most common method for gathering information on regulatory changes is performing Post-Market Surveillance. This is not just analyzing complaint information. You must be proactive. FDA has a tool called the Total Product Life Cycle (TPLC) Report. I explained this tool briefly in a blog, with screen captures; refer to the endnotes to find the link.3 The European Database of Medical Devices (Eudamed) will be publically available in the future (2015-2017) with this type of vigilance data—starting with the high-risk implantable devices.

#2 – Performing a Gap Analysis

Gap analysis involves three critical pieces. First, you need to identify the appropriate subject matter expert(s) to perform the gap analysis. Second, the gap analysis needs to be cross-functional in most cases. A specific change may impact more than just QA/RA. Changes can affect purchasing departments that are responsible for negotiating with suppliers, engineering departments that communicate changes to suppliers and IT departments that may need to validate software modifications to increase traceability of raw materials and finished goods. Third, the gap analysis needs to be documented with an action plan for implementation. A gap analysis that identifies the gap is only the starting point for a new Quality Plan. That Quality Plan should be referenced in the gap analysis to document what actions were taken.

#3 – Initiating Quality Plans

The acronym CAPA stands for corrective and preventive action. Corrective actions are typically short-term. Preventive actions are typically long-term. If a gap is identified prior to the mandatory implementation date for a new or revised regulation, then the actions taken in response to the gap analysis are “true” preventive actions. These “true” preventive actions make your Notified Body auditors very happy. Many companies have trouble identifying these opportunities, but these same companies often receive nonconformities for their failure to implement new and revised regulations. Therefore, I recommend documenting the actions taken to address gaps as preventive actions if the steps can be implemented in a timely manner. If the actions require more than six months to implement, a long-term Quality Plan may be more appropriate to document these projects. These plans will have many of the same elements of a Design and Development Plan. Therefore, you may want to adapt your Design Controls procedure and forms to meet the needs of a Quality Plan.

#4 – Get Expert Independent Auditors

The key here is to hire someone who will elevate your Quality Systems for improved compliance—rather than simply maintaining the status quo. The person should be thorough, challenging and spend much more time interviewing people than reading documents in a conference room. Proper use of the process approach to auditing is absolutely critical.

#5 – Who is Your Back-up?

Almost every company identifies a Management Representative, but who does their job when they have a heart attack, go on vacation, go on maternity/paternity leave? What if he is attending the RAPS conference in Seattle and you have the need to implement an urgent recall? I know! You could call the regulatory consultant who did your audit. But, guess what? Your consultant is probably at the RAPS conference, too. If you delay until the Management Representative returns, you will be noncompliant if this is a Class I recall with serious injuries or death. For the most critical aspects of regulatory affairs, it is necessary to have a back-up. In addition, the proposed EU regulations for 2014 require that each company have a qualified regulatory expert. This person will be responsible for release of CE Marked product. If you only have one person in the company who is knowledgeable of regulatory affairs, then you may be in a tough situation if that person gets a lucrative job offer from another company.

1. European Commission, Revision of the medical device directives. Notes on ongoing and previous revisions. Accessed November 19, 2012.
2. Medical Devices Legal and Regulatory Blog. November 5, 2012.
3. QC is Dead Blog. Section 513(g) – How to request classification information from the FDA. September 11, 2012.

Robert Packard of Packard Consulting is a regulatory consultant with 20 years of experience developing products and managing projects in the medical device, biotechnology, pharmaceutical industries. His experience includes research, product development, operations management, manufacturing engineering, equipment design, regulatory affairs, quality assurance and fund-raising. Rob’s passion is training others. Rob may be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..