
A few years ago, Scott Shankle’s team was hosting its notified body for a routine audit when another group from the same notified body showed up to conduct an unannounced audit.
“It’s a bit chaotic,” Shankle said about audits, “especially when you consider the number of countries outside of the U.S. and EU — China, Ukraine, Kazakhstan.”
Shankle spent 20-plus years in operations at OEMs before joining Orchid Orthopedic Solutions in 2023 as Chief Quality, Regulatory and EH&S Officer. “The challenges that I see can be bucketed into two categories: the number of audits and the consistency of those audits,” he said.
These examples highlight the complexity of today’s global audit landscape in orthopedic manufacturing.
The increase in the frequency of audits is leading device companies and contract manufacturers to spend more money and resources on regulatory compliance, said Monica Burt, CEO of consulting firm MB&A. Further, new changes, like the EU’s Medical Device Regulation (MDR), require stricter supplier audits.
“The implications for OEMs and contract manufacturers grow by the day with increased costs associated with audits and oversight,” Burt said.
At OMTEC 2024, Burt and Shankle took part in a panel discussion that offered advice for navigating global audits. The conversation was organized by the Orthopaedic Surgical Manufacturers Association (OSMA) and pulled together regulatory experts and industry perspectives to provide best practices to prepare for, conduct and respond to audits.
Integrate Quality and Risk Management
Most orthopedic companies are contending with audits from the U.S., EU, Medical Device Single Audit Program (MDSAP) and ISO. Earlier this year, FDA announced it would harmonize quality management requirements with ISO 13485:2016 in the form of a new Quality Management System Regulation that will take effect in February 2026. The EU is undergoing an overhaul of its regulatory framework with MDR and placing significant emphasis on postmarket surveillance requirements.
The biggest change across those landscapes is the integration of quality management systems (QMS) and risk management systems (RMS), said Kim Trautman, a medical device regulatory consultant. Regulators expect companies to embrace a more mature model of quality management that involves all relevant functions within the manufacturer to develop and use risk information.
“QMS and RMS can no longer be separate departments,” Trautman said. “How is manufacturing going to integrate QMS and RMS through the whole lifecycle? Most companies have these systems well integrated into design and development, and then risk management stops there. It can’t anymore.”
Risk management must extend to design and development, change controls, supply chain management and post-processes, she said. Additionally, new EU requirements make it vital that manufacturers integrate risk management into postmarket surveillance.
Trautman, who authored and harmonized the 1996 FDA Quality System Regulation, conceived and developed MDSAP and serves on the international authoring group of ISO 13485, said medtech lags behind other industries in fully integrating risk management into the QMS. But she emphasized that global regulators expect it.
“You will not see fundamental changes in the requirements in ISO 13485:2016 or ISO 14971:2019,” she said. “You will see this in how those standards are audited and enforced. That’s where companies are going to get shocked.”
Place All Hands on Deck
Orthopedic companies that demonstrate proactive compliance and organizational readiness, including a comprehensive risk management program and regulatory intelligence, will be well-positioned for any audit, Shankle said. Embracing a collaborative culture also presents opportunities during audits.
As regulations become more burdensome, so does the expectation around documentation, Shankle said. Audits no longer fall to the quality team; they require cross-functional cooperation, including product development and manufacturing engineering.
“These individuals need to not only understand the requirements but be able to explain them,” Shankle said.
The person managing the audit should be someone who knows what they know and what they don’t know, Trautman said. “Don’t try to answer every question,” she added. “Pull in the people that you need.”
Those involved in the audit shouldn’t be nervous or let the silence in the room rattle them, Burt added. Auditors want to know that a company is prepared and transparent, and understand when someone else must be brought into the meeting to answer a question.
However, Burt said, the team that is answering questions, pulling data and documenting the audit must be adequately trained as it grows. Companies that invest time in educating employees about the auditing process will have an advantage.
The panel noted that audit preparedness and success stretch beyond your day-to-day internal team.
Rod Parker, Ph.D., a scientific consultant who spent much of his career at Stryker, spoke about the importance of auditing critical processes. Dr. Parker defined a critical process as one that is measured by steps through validation and not by physical inspection, and provided sterility and cleaning as examples.
Critical processes can be pain points during audits if they’re not correctly documented in every product number process, Dr. Parker said. The owner of the finished product, typically an OEM, must set the validation protocol and clearly communicate it to their supplier.
He stressed the importance of clear supplier agreements that detail what is checked to the product’s processes and not just the process itself; who is responsible for the checked items; and auditing of the secondary processing supplier.
“Contract manufacturers can protect themselves during the audit by confirming the validated process is in the supplier agreement,” Dr. Parker said. “OEMs can protect themselves by saying the process is in the agreement and the contract manufacturer handles it.”
Audit success doesn’t only extend through supply chain directives. Companies need to embrace quality and risk management from a business strategy perspective, which is a conversation to be held with leadership.
“Quality and regulatory decisions are being escalated with visibility and input from executive leaders,” Shankle said, adding that this is new for the industry. “The decisions that the quality and regulatory teams make every day influence the direction of the business.”
As regulations become more burdensome, leaders need to weigh the risk and return on investment to get products on the market and keep them there, Shankle said. This includes investments and human resources for regulatory compliance measures like audits.
Bolster Your Resources
Auditors are taught to ask horizontal and vertical questions about processes. Today’s auditors carry a heavy workload and often don’t dig as deep as they sometimes should during the audit.
Orthopedic manufacturers usually know if they escaped a nonconformity because the auditor failed to ask a probing question. The panelists emphasized that the audit team shouldn’t ignore those issues and must bring them to management’s attention.
“Is it really a nonconformity or did you just not get caught?” Dr. Parker said is a question worth asking. He referenced a previous manager of his who kept a list of nonconformities and a list of items that should have been caught as nonconformities to fix before the next audit.
Burt agreed and said it must be somebody’s job to document the “gifts.” Then the gifts must make it into your internal audit process checklists for the next round.
It’s imperative that the leaders in the functional parts of the business, such as vice presidents of operations, quality, clinical and regulatory, have insight into what issues need to be addressed, Shankle said. “It’s a requirement of the job now,” he said. “These are learning opportunities that will get corrected one way or another.”
Companies can’t gauge the health of their QMS just from regulatory audits, Trautman said. Internal and external audits can bolster a company’s audit preparedness and response, especially if the team isn’t hindered by time.
“You need a good internal audit team to expose issues,” she said. “Having someone perform tough audits and GAP assessments allows you to benchmark yourself before the regulators visit.”
Carolyn LaWell is ORTHOWORLD's Chief Content Officer. She joined ORTHOWORLD in 2012 to oversee its editorial and industry education. She previously served in editor roles at B2B magazines and newspapers.