Seven Steps to Take if you Receive Significant Medical Device Audit Non-conformities

If you have received significant non-conformities from a regulatory body e.g., a Notified Body, the FDA or an MDSAP Auditing Organisation, what should you do?

By John Lafferty

The following seven steps form a blueprint for any organisation that has had a less-than-satisfactory performance in a regulatory body audit.

  1. Reflect and Plan.
  2. Communicate and Get Buy-in.
  3. Determine the Impact and Root Cause.
  4. Develop Corrective Actions.
  5. Respond to the Regulatory Body.
  6. Implement the Actions.
  7. Check the Effectiveness of the Corrective Actions.

1. Reflect on the Audit Non-conformities and Plan

Reflect: Don’t jump into solutions. Once the audit is over and the non-conformity has been received, the time for justifying our position and offering evidence of compliance has passed. The first step is for all concerned to accept that there has indeed been a deficiency in our systems and to adopt an open and frank approach to determining how the situation arose. All involved will be tired and in need of a break after the audit, so the first thing to do is nothing. Let your team have a break for one or two days following the audit. They will need time to recharge, reflect personally and catch up on day-to-day items and all those emails that have been building up while they were busy with the audit.

Plan: However, don’t leave it too long. Begin the process of addressing the non-conformities within no more than two working days. Call the team together and get everyone’s view on the situation as it now stands. This serves two purposes: firstly, it allows the team members to vent following their time of personal reflection, and secondly, it can provide valuable insights into the causes of, and solutions to, the situation that the organisation now finds itself in. Conclude the meeting by forming a plan with assigned responsibilities for the next six steps in addressing the audit non-conformities. Corrective Actions (“CAPAs”) should be initiated for each of the non-conformities at this point.

2. Communicate and Get Buy-in for the Corrective Actions

The team involved in the audit will not be the only ones involved in addressing the audit non-conformities. It is therefore important to communicate the plan that has been prepared to everyone who may need to be involved in the corrective action process, and to get their buy-in so that the plan is successfully implemented. Immediately after the audit, of course, you must inform all in the organisation how the audit went. Do this on the day of the audit or the morning of the next working day, depending on when the audit concludes. In this initial communication, let everyone know that a communication containing a plan for addressing the non-conformities will follow.

3. Determine the Impact and Root Cause of the Audit Non-Conformities

Assess the impact of the deficiency on the company’s Quality System and, more importantly, any potential impact on product. Determine the impact, if any, on current production and product already shipped. Determine whether containment actions or corrections are necessary and document the rationale behind any decisions. Remember you may need to share this output and any rationale with the regulatory authorities.

Perform true Root Cause Analysis (RCA) into the causes of the non-conformities. In the RCA, it is important to identify the systemic causes of the failures, not just the immediate causes of the non-conformities. Use the standard root cause analysis techniques such as Is/Is-Not, Brainstorming, Fishbone, review of records and, most importantly, talking to the people who operate the process involved.

In addition, the 5-Why tool is a very powerful way to define the root cause. A completed 5-Why is also a very useful way to communicate the causes in your response to the Regulatory Body. When completing a 5-Why, be careful to ensure that the answers are based on verifiable data and not just on the views of those involved in completing it. Every 5-Why analysis should have fields for recording or referencing the supporting data. Systemic root causes are by their nature time-consuming and expensive to address, but if you do not address the true root cause, the issue will return at some point in the future.

It is important to recognise that the deficiencies may be, in part, due to behaviours rather than procedures. This may be due to unusually high demands on the employees’ time especially considering the upheaval of the last few years. To identify and address this may require some ‘soul searching’ by the organisation but, once again, if this is not addressed, ineffective solutions may be the result.

4. Develop Corrective Actions to address the Audit Non-Conformities

Corrective Action vs Correction

When identifying corrective actions, it is important to distinguish between corrective action and mere correction. A corrective action must prevent recurrence, whereas a correction simply fixes the deficiency without addressing the underlying cause. Once you have identified the true root cause of a failure, the corrective action required is often obvious. One notable exception is when the root cause is related to human error. If human error has been identified as the root cause, this may indicate a failure to identify the systemic root cause behind the failure and may require a return to the Root Cause Analysis phase of the CAPA process.

Ensure the Corrective Action Plan is Realistic

When identifying corrective actions, be careful not to be overly ambitious – the corrective actions must be achievable and it must be possible to implement them in a reasonable timeframe. Even though you must address the systemic root causes and you must consider similar processes where the deficiency may also exist, be careful to avoid trying to fix all of the weaknesses in the company’s systems at once. When identifying corrective actions try to ensure that these corrective actions rely on prevention, not detection. Human beings are genetically programmed to consider detection before prevention, so it is important to guard against this. Too often the reaction to audit non-conformities is to implement a series of additional checks that can be a further drain on company resources, increase the already overburdensome compliance effort and may be counter-productive in the longer term.

5. Respond to the Regulatory Body

Be sure to respond to the regulatory body well within the allotted response timeframe. Be mindful of Parkinson’s Law – work expands to fill the time available – so set a goal of sending in the response one week ahead of the deadline. Communicate to the regulatory body the following information:

  1. A re-statement of the non-conformity.
  2. The impact of the non-conformity.
  3. Any containment actions or corrections taken.
  4. The root cause of the deficiency.
  5. The corrective actions with proposed timelines.
  6. The methods for assessing the effectiveness of the corrective actions.
  7. The duration and acceptance criteria for effectiveness checks.

It is important that the responses are as succinct as possible; the information is best presented in tabular format when there are a number of non-conformities involved. When responding, be clear that the non-conformity has been accepted and avoid any sense of trying to defend the current situation.

Timelines: In determining timelines for corrective actions, be realistic: review past experience and consider the current demands on company resources before committing to timelines. A balance must be struck between taking timely corrective actions, which is a regulatory requirement, and being able to meet the commitments that you make to the regulatory body. Be prepared for the regulatory body to respond with questions and clarifications; acknowledge these immediately and give a prompt response.

6. Implement the Actions

It goes without saying that it is really important to deliver on your promises to the regulatory authority, but doing so can be challenging.

Always keep the regulatory body updated with progress against the corrective actions, whether they are being completed on time or not. If the actions are behind schedule, send an updated schedule with reasons for the delay. Do not quote lack of resources as the reason for the delay; if you need more resources, then obtain those resources. If you need additional resources, please contact Northridge Quality & Validation to discuss your requirements by email at

7. Check the Effectiveness of the Corrective Actions

As mentioned above, the definition of a Corrective Action is an action that is designed to prevent recurrence, so it is important that you conduct effectiveness checks that establish that the implemented Corrective Action achieved the desired results. Your effectiveness checks should be SMART:

  • Specific in detail,
  • have easily Measurable, statistically valid, acceptance criteria,
  • be Achievable – think it through and word the acceptance criteria carefully,
  • they must be Relevant to the original non-conformity – beware of scope creep, and
  • they must be in place for sufficient Time to allow for the original issue to recur if indeed the cause has not been eliminated.

Your effectiveness checks should:

  1. check that the cause has been eliminated,
  2. check that the solution has remained in place and
  3. check that the effect has not returned.

Any effectiveness check that does not check all three of these items may be deficient and may allow for the original issue to manifest itself at some time in the future.

About the Author

John Lafferty is the managing director of Northridge Quality & Validation Ltd.

Specialties: His specialties include Software Validation, MDSAP, ISO 13485, ISO 14971, and MDR. John is the holder of a Degree in Manufacturing Technology, a Certificate in Training & Continuing Education and a Certificate in Quality Management.

Experience: He has over 25 years of experience in the medical device and pharmaceutical industry. He was a Senior Manager of a multinational Medical Devices plant where he managed the Quality, Regulatory, Environmental, and Health & Safety Management Systems. He has successfully completed numerous consultancy projects with medical device manufacturers in Ireland and throughout Europe.

SQT Training Tutor: John is also a Life Sciences Tutor with SQT Training.
