Audit Pressure and Applicability Defensibility

Auditors keep finding the same applicability problems

When auditors identify issues related to applicability, they are rarely isolated mistakes. Instead, the same types of observations surface repeatedly, even in organisations with mature quality systems and experienced RA teams. Requirements are marked as non-applicable without a clear legal anchor, rationales cannot be traced back to regulatory text, or applicability decisions differ between products and markets without a defensible explanation.

At first glance, these findings may look like documentation issues. In practice, they almost always point to something more fundamental: a way of handling applicability that no longer holds up under today’s regulatory scrutiny.

How Applicable Lists are typically used

In most organisations, the Applicable List is established during clearly defined, high-pressure moments. This often happens during initial classification, ahead of a regulatory submission, or as part of audit preparation. During these phases, requirements are analysed, decisions are made, and rationales are documented and approved. Once this work is completed, the Applicable List is treated as finished.

Between these moments, the Applicable List functions primarily as a reference. It represents decisions that are assumed to be settled and rarely revisited unless a specific issue arises. Applicability is considered “done”.

For a long time, this approach was sufficient. But it is built on an assumption that no longer reflects the regulatory reality.

Why this working model no longer matches regulatory reality

Modern regulatory frameworks do not treat compliance as something established once and then left unchanged. Under EU MDR and IVDR, manufacturers are required to maintain applicable regulatory obligations throughout the entire product lifecycle. ISO 13485 reinforces this by requiring organisations to continuously identify and keep regulatory requirements up to date as part of the quality management system.

This creates a structural tension. Applicability decisions are treated as static, while regulatory interpretation continues to evolve. New guidance documents are published, expectations are clarified, and interpretations mature over time. Even without formal amendments, the meaning and application of requirements can shift.

As a result, the Applicable List may appear stable, but its defensibility gradually erodes. Rationales that were once reasonable can no longer be justified with the same confidence when reviewed against current regulatory expectations.

What auditors are actually reviewing

When auditors review an Applicable List, they are rarely focused on whether all requirements are present. Instead, they are assessing whether the organisation can demonstrate that the documented applicability decisions are still valid and well founded. Auditors look for a clear connection between the decision, the regulatory source, and the logic behind the interpretation.

In practice, the review centres on three questions. Are applicability decisions grounded in regulatory text? Are the rationales still valid under current expectations? And are decisions applied consistently across time, products, and markets?

The real question is therefore not whether an organisation has an Applicable List, but whether what is written in it can still be defended.

Where audit pressure exposes the problem

As long as part of the applicability logic lives in institutional memory, this gap remains hidden. Audit pressure removes that buffer. What remains is the Applicable List itself: the recorded decisions, the written rationales, and the referenced sources.

If the list no longer tells a coherent and current story, auditors perceive a lack of control — even when the organisation is, in practice, meeting regulatory requirements. The issue is often not the decision itself, but that the reasoning behind it is no longer transparent or traceable.

Recurring audit findings related to applicability are therefore rarely coincidental. They signal that the underlying working model is no longer aligned with today’s regulatory expectations.

A shift in how applicability needs to be handled

To meet current requirements, the Applicable List must be treated as a living regulatory artefact, not as a one-time deliverable. This is not about producing more documentation. It is about changing how applicability work is understood and governed.

The shift means that applicability decisions are not considered final, but something that must remain defensible over time. Rationales need to be explicit, source-anchored, and possible to reassess as the regulatory context evolves. Applicability becomes part of ongoing regulatory governance rather than an isolated exercise ahead of the next review.

Without this shift, audit pressure will continue to surface the same weaknesses, regardless of how mature the organisation appears on paper.

Why this is a decisive moment

Many RA teams recognise the problem, but lack a structured way to address it without increasing workload or risk. At the same time, regulatory scrutiny continues to intensify.

It is precisely this tension — between growing regulatory expectations and an applicability model that is no longer fit for purpose — that is now driving the need for new ways of supporting applicability work going forward.

As part of this shift, we are preparing early access to Compliance Studio — a system designed to support how regulatory applicability decisions are structured, maintained, and reviewed over time — for teams already experiencing pressure around regulatory applicability.

Early access is intended for organisations that recognise this gap and want to follow how the product takes shape, contribute expert insight grounded in real RA/QA work, and be considered for early testing.