Quality & Compliance

icon

We build, operate, and enhance quality management systems for pharma and medtech companies. From QMS setup and GxP compliance through to licence applications, inspection preparation, and post-inspection remediation, we handle the documentation and the authority interactions. For companies entering the EU, UK, or Swiss market without local infrastructure, we provide ready-to-operate MAH (for pharma) and/or legal manufacturer (for devices) setups so you can launch without building your own compliance organisation from scratch.

Examples of How We Support

These are just a few examples to show what our quality and compliance support can look like in practice.

EU market entry infrastructure

You're entering the EU market and need a Marketing Authorisation Holder (MAH) setup, a wholesale distribution authorisation, or a Manufacturing Importation Authorisation (MIA), but you don't have a local entity, a Responsible Person, a Qualified Person, or a GDP/GMP-compliant quality system. You need someone who already has the infrastructure and the experts in place.

Post-inspection remediation

You've been through an authority inspection and it didn't go well. You have critical or major findings, a CAPA plan to deliver, and a deadline to demonstrate corrective action before your licence is suspended or revoked. You need experienced hands to remediate the problems, not just document them.

QMS gap closure

Your QMS exists on paper but wouldn't survive a real inspection. SOPs are outdated, training records are incomplete, deviation handling is inconsistent, and your Responsible Person or Qualified Person function is stretched. You need a gap analysis and someone to close the gaps operationally.

GDP certification

You're a wholesaler or distributor handling medicinal products and need to obtain or maintain a GDP certificate. Regulatory expectations have tightened since the COVID-era flexibility extensions expired at the end of 2024, and your next inspection is approaching.

MIA and QP batch release

You need a Manufacturing and Import Authorisation (MIA) and a Qualified Person for batch release of commercial products or IMPs, but you don't have the licence or the QP function in-house.

ISO 13485 QMS

You're launching a medical device under MDR or IVDR and need an ISO 13485 quality management system built from the ground up, or your existing QMS needs to be upgraded to meet current Notified Body expectations for certification.

Understanding Quality & Compliance

Quality and compliance work spans multiple regulatory frameworks depending on what you make, where you operate, and what role you play in the supply chain. This page covers the organisational quality infrastructure: QMS design and implementation, GxP compliance (GMP, GDP, GLP, GCP, GVP), licensing and authorisations, inspection management, and auditing services.

For data protection and GDPR compliance, see Data Privacy & Security. For pharmacovigilance system compliance and QPPV services, see Pharmacovigilance & Device Vigilance. For regulatory submission and dossier work, see Regulatory Strategy & Operations.

What We Do

Quality and compliance is where regulatory theory meets operational reality. We don't produce policy documents and leave. We build working systems, prepare the licence applications, manage the authority interactions, and stay to help operate what we've built.

  • Design and implement quality management systems for pharmaceutical companies (GMP/GDP-compliant) and medical device manufacturers (ISO 13485-compliant), either from scratch or by upgrading existing systems to meet current regulatory expectations. For device manufacturers, this includes establishing design and development controls, integrating risk management per ISO 14971 into the QMS, defining supplier qualification and purchasing controls aligned with MDR/IVDR requirements, building complaint handling and CAPA processes that feed into post-market surveillance, and preparing the QMS documentation package for Notified Body certification audits.
  • Compile and submit licence applications for Manufacturing and Import Authorisations (MIA), Wholesale Distribution Authorisations (WDA), and MAH registrations across EU member states, the UK (MHRA), and Switzerland (Swissmedic). We manage the authority correspondence through to licence grant, as well as providing the QP and/or RPs to be named on the licence.
  • Prepare for and support authority inspections (GMP, GDP, GLP, GVP): mock inspections, documentation review, back-room support during the inspection itself, and CAPA management after findings are issued.
  • Remediate after failed inspections: when an authority has issued critical findings, threatened licence suspension, or required urgent corrective action, we step in to design and execute the remediation plan, rebuild the non-compliant elements, and manage the authority follow-up until the situation is resolved.
  • Conduct GxP audits across the supply chain: vendor qualification, supplier audits, GMP/GDP/GLP/GCP/GVP audits, and mock inspections. We audit manufacturing sites, warehouses, CROs, bioanalytical labs, PV vendors, and distribution partners.
  • Draft, review, and negotiate quality agreements and technical agreements for outsourced GxP activities. Ensure agreements clearly define roles, responsibilities, escalation pathways, change control, deviation handling, complaint investigation ownership, and documentation requirements. Agreements are aligned with current regulatory expectations and structured to withstand audit and inspection scrutiny.
  • Validate computerised systems used in GxP-regulated environments using GAMP 5 risk-based methodology. Assessments cover EU GMP Annex 11 (computerised systems), 21 CFR Part 11 (electronic records and electronic signatures), and MHRA data integrity expectations. We support the full system lifecycle: user requirements specification, risk assessment, validation planning, installation and operational qualification, performance qualification, periodic review, and system retirement.
  • Prepare device manufacturers for the Medical Device Single Audit Program (MDSAP). MDSAP allows a single audit of a manufacturer's QMS to satisfy the regulatory requirements of multiple jurisdictions: currently Australia (TGA), Brazil (ANVISA), Canada (Health Canada), Japan (MHLW/PMDA), and the United States (FDA). We conduct gap analyses against MDSAP requirements, perform mock audits using the MDSAP audit model, support remediation of findings, and coordinate with recognised MDSAP Auditing Organisations.
  • Provide outsourced Responsible Person (RP) and Qualified Person (QP) functions for companies that need named individuals on their licences but do not have them in-house.

Our Workstreams

Most engagements combine QMS work with licensing, auditing, or inspection support. These are the core workstreams.

QMS Design & Implementation

GMP/GDP-compliant quality systems for pharma (MAH, manufacturer, wholesaler, distributor). ISO 13485 QMS for medical device manufacturers. SOP development, document control, training programmes, deviation and CAPA systems, management review frameworks. Data integrity controls aligned with ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) are integrated across all quality system elements, covering paper-based records, electronic systems, and hybrid environments. Computerised system validation. Risk-based validation planning. System lifecycle management including periodic review and retirement.

Licensing & Authorisations

MIA/WDA applications across EU member states. MAH setup and registration. Swissmedic establishment licence applications. MHRA wholesale dealer and manufacturer licences. Authority correspondence and follow-up through to licence grant.

MAH & Distribution Infrastructure

MAH infrastructure in EU, UK, and Switzerland for pharma and devices. Named RP/QP on existing licences. Ongoing operational quality management as a managed service.

Inspection Management & Remediation

Mock inspections (GMP, GDP, GLP, GVP) and mock Notified Body certification audits (ISO 13485 Stage 1 and Stage 2, surveillance audits, unannounced audits under MDR Article 44). Pre-inspection and pre-audit documentation review and readiness assessment. Back-room support during live inspections and NB audits. Post-inspection and post-audit CAPA development and execution. Remediation programmes for critical findings, including licence-threatening and certificate-threatening situations.

Training

Bespoke training programme design, delivery, and effectiveness assessment across GMP, GDP, GLP, GCP, and GVP. Training needs analysis and gap identification. Role-specific training for QPs, RPs, production staff, QA personnel, and management. Topic-specific modules: deviation and CAPA handling, data integrity, inspection readiness, documentation practices, supplier management. Training records management and compliance documentation.

Information Security

An ISO 27001-compliant IMS integrated into existing GxP or ISO 13485 systems addresses information security policies, access controls, asset management, incident response, risk management and legal compliance to ensure robust data protection alongside quality and regulatory requirements.

QMR Function

Take over of the QM Representative (QMR) function — at least for a transitional time, e.g. during set-up time and initial certification audit. In parallel hands-on training of client-own personnel enabling you to practice the QMR function internally.

Where This Fits in the Development Journey

Quality and compliance work runs across the full lifecycle, but the intensity and focus shift at each stage.

Discovery & Concept

Define early quality requirements and assess what QMS infrastructure will be needed as the programme progresses.

Product Type Considerations

Quality and compliance requirements differ by product type and by the role you play in the supply chain. The QMS architecture, the licences required, and the inspection expectations all depend on what you're handling.

Pharmaceuticals

GMP and GDP compliance across manufacturing, import, storage, and distribution. MIA, WDA, and MAH licence requirements vary by EU member state. RP and QP functions must be named on licences. Country-specific QMS requirements for MAH operations differ considerably across the EU.

Medical Devices

ISO 13485 QMS as the foundation for MDR/IVDR compliance and Notified Body certification. Design and development controls, risk management per ISO 14971, and post-market surveillance integration into the QMS. EU Authorised Representative requirements for non-EU manufacturers. MDSAP readiness for companies selling into the US, Canada, Australia, Japan, and Brazil. Notified Body audit preparation, including readiness for unannounced audits under MDR Article 44. For device manufacturers also subject to FDA QSR (21 CFR Part 820, transitioning to ISO 13485 alignment under the final rule), we design quality systems that satisfy both EU and US requirements.

Combination Products

Dual quality framework: GMP for the drug component, ISO 13485 (or equivalent) for the device component. Article 117 requirements create additional QMS interfaces between drug and device documentation.

Information Security

Growing digitalisation and AI application: for any field in life science, a solid framework on information security becomes a must-have.

Biologics & ATMPs

Additional GMP requirements for aseptic processing, cold chain, and (for ATMPs) traceability, chain-of-identity, and hospital exemption frameworks. Specialist audit requirements for cell/gene therapy facilities.

Digital Health & SaMD

Software lifecycle processes (IEC 62304) integrated into the ISO 13485 QMS. Cybersecurity and data integrity controls. For AI/ML-based devices, additional expectations around change management and algorithm validation.

Wholesalers & Distributors

GDP compliance as a standalone requirement. Temperature mapping, qualification of transport routes, supplier and customer due diligence, and falsified medicines directive (FMD) obligations including serialisation verification.

Sample Deliverables

The outputs depend on the engagement, but these are representative of what we produce.

icon Complete GMP- or GDP-compliant QMS package: SOPs, work instructions, forms, training records, deviation/CAPA system, document control framework, and management review schedule.
icon ISO 13485 QMS documentation set for a medical device manufacturer, including design and development procedures, risk management integration, and internal audit programme.
icon MIA or WDA application dossier with site master file, organisational charts, RP/QP CVs, and supporting documentation, submitted to the relevant national competent authority.
icon MAH launch readiness assessment: gap analysis of QMS, PV system, regulatory documentation, and supply chain against authority expectations for a pre-launch inspection.
icon Mock inspection report with findings classification (critical, major, minor), recommended CAPAs, and prioritised remediation plan.
icon Post-inspection remediation package: root cause analysis, corrective actions, evidence of implementation, and authority response documentation.
icon Audit reports (GMP, GDP, GLP, GCP, GVP) with findings, risk assessment, and follow-up recommendations.

Example Projects

icon
Illustrative Example
Non-EU Pharma Company: EU Market Entry with Full MAH Setup

A US-based pharmaceutical company with an approved product needed to enter the EU market but had no European entity, no local licences, and no GDP-compliant infrastructure. We provided a turnkey solution: MAH registration transfer, wholesale distribution authorisation, named Responsible Person, and an operational quality system.

icon
Illustrative Example
Wholesaler: Post-Inspection Remediation After Critical GDP Findings

A pharmaceutical wholesaler received critical findings during a routine GDP inspection, with the competent authority threatening licence suspension. We conducted an immediate root cause analysis, designed a remediation plan addressing all findings, rebuilt the deficient quality system elements (temperature monitoring, supplier qualification, deviation handling), and managed the authority correspondence. The licence was maintained and the follow-up inspection confirmed compliance.

icon
Illustrative Example
Medtech Start-Up: ISO 13485 QMS from Scratch for MDR Certification

A medical device start-up preparing for Notified Body certification under MDR had no quality management system in place. We designed and implemented a complete ISO 13485 QMS, including design and development procedures, risk management processes (ISO 14971 integration), supplier controls, and an internal audit programme. The company passed its Stage 2 certification audit on the first attempt. During the set-up phase including Stage 1 and 2 audits, one of our experts acted as QM representative to safeguard a smooth and efficient certification process.

Need to Set Up Quality Infrastructure, Prepare for an Inspection, or Fix a Compliance Problem?

Tell us about your situation and timeline, and we'll outline how we can help.

Speak with an Expert

These frameworks define the quality and compliance landscape we work in daily:

What licences do I need to sell medicinal products in the EU?

It depends on your role in the supply chain. An MAH may need registration with the relevant national competent authority. If you import products from outside the EU, you need a Manufacturing and Import Authorisation (MIA). If you hold title, procure, store, distribute or export a medicinal product, you need a Wholesale Distribution Authorisation (WDA). Each licence has its own QMS requirements, named person obligations (RP for wholesale, QP for manufacturing/import), and inspection expectations. Requirements vary by member state, which is where many companies get caught out.

Can I use your existing licences and infrastructure instead of setting up my own?

Yes. We operate licensed MAH and import infrastructure in the EU, UK, and Switzerland for both pharmaceuticals and medical devices. You can use our licences and our named Responsible Persons and Qualified Persons. This is how many non-EU companies enter the European market without the cost and delay of building their own local compliance organisation.

What happens if I fail a GDP or GMP inspection?

The competent authority will issue findings classified as critical, major, or minor. Critical findings can lead to immediate licence suspension. Major findings typically require a corrective action plan within a defined timeframe (often 30 to 90 days). If you don't respond adequately, the authority can refuse to issue or renew your GDP/GMP certificate, and a non-compliance statement is entered into the EudraGMDP database, which is publicly visible. We help clients respond to findings, design remediation plans, and manage the authority follow-up.

Do I need a separate QMS for medical devices and pharmaceuticals?

Not necessarily, but the regulatory frameworks are different. Pharma QMS requirements are rooted in EU GMP (EudraLex Volume 4). Device QMS requirements are based on ISO 13485 and the relevant MDR/IVDR provisions. For combination products, you need quality system elements that satisfy both frameworks. We design integrated or parallel systems depending on your product portfolio and organisational structure.

How long does it take to get a wholesale distribution authorisation?

Timelines vary by member state. In most EU countries, expect 3 to 6 months from application to licence grant, assuming the QMS and documentation are ready. The bottleneck is usually preparation, not the authority process: getting the site GDP-compliant, appointing a qualified Responsible Person, and compiling the application package. We handle the preparation, submission, and authority follow-up.

What does a mock inspection cover?

We simulate a real authority inspection: document review, facility walkthrough (where applicable), staff interviews, and review of records (deviations, CAPAs, training, temperature monitoring, supplier qualification). We issue findings using the same classification system authorities use (critical, major, minor) and provide a remediation plan with timelines. Most clients schedule mock inspections 2 to 3 months before an expected authority visit.

Do you audit internationally?

Yes. We conduct GMP, GDP, GLP, GCP, and GVP audits across Europe, Asia, and other regions, with particular experience auditing manufacturing sites and supply chains in Asia. For locations where sending our own auditors is not practical or cost-effective, we coordinate audits through regulanet®, our global network. This gives you local auditors who know the regional regulatory landscape, managed under one contract and one quality standard. Audits can be conducted as vendor qualifications, for-cause investigations, or routine periodic re-audits.

What is MDSAP and do I need it?

The Medical Device Single Audit Program allows a single audit of your quality management system to cover the requirements of five regulatory jurisdictions: the US (FDA), Canada (Health Canada), Brazil (ANVISA), Japan (MHLW/PMDA), and Australia (TGA). MDSAP is mandatory for medical device manufacturers selling in Canada. For other participating countries, it is voluntary but increasingly recognised as a route to streamlined regulatory oversight. If you sell devices in multiple MDSAP countries, the programme can reduce the total audit burden significantly. We conduct gap analyses, perform mock audits, and support you through the certification process.

How do you prepare for a Notified Body audit under MDR?

We simulate the audit experience: documentation review against MDR and ISO 13485 requirements, technical file sampling, design history file review, management interviews, and assessment of your QMS processes (CAPA, complaint handling, supplier controls, post-market surveillance). We classify findings using the same severity grading Notified Bodies use and provide a remediation plan with timelines. For unannounced audits under MDR Article 44, we help you establish an 'always ready' compliance posture rather than preparing for a specific date.

Page Contents