Author: Suzanne Broussard
Take the advice of industry experts and AOs—the key to acing the MDSAP audit is to prepare, prepare, prepare.
The MDSAP audit process is intense in that it is designed to provide thorough coverage of QMS and multiple jurisdictions regulations. Remember, your organization already maintains a level of compliance in all countries they sell devices. MDSAP simply rolls all these regulatory requirements into an efficient process. Here are a few tips to keep in mind when preparing for the MDSAP audit.
1. Look closely at the MDSAP Audit Model to determine exactly what the Auditing Organization (AO) will need. The MDSAP Audit Model is the AOs guide. Everything needed for the audit is clearly laid out in this comprehensive guide. Each of the 90 questions the AO will ask is contained in this guide. And, each question is cross-referenced to relevant sections of ISO 13485:2016 and other specific requirements of medical device regulatory authorities participating in the MDSAP program.
2. Use the MDSAP Companion Document to create a gap analysis and perform an internal audit. It is universally agreed by AOs and manufacturers that have been through the MDSAP audit process that the best way to get ready for an MDSAP audit is to use the MDSAP Companion Document as a guideline. The Companion Document further clarifies the Audit Model and provides guidance to the auditors, making this a very handy supplement for manufacturers. MDSAP is very structured, and understanding the specific information that auditors will be focusing on and in which order eliminates any guesswork by the manufacturer.
3. All documents need to be organized and available. The audit is timed. Therefore, the vast volume of documents required need to be organized and quickly accessible—this is critical for a successful audit. The AO will not be able to come back and revisit areas in which documents are not readily available.
4. Organizations must prove control over their suppliers. The way in which you demonstrate control over your suppliers needs to justified, and these details need to be incorporated into procedures and programs. A manufacture cannot simply say their supplier is ISO or MDSAP certified. The AO wants to know how your organization ensures that the supplier is compliant. Here’s why a global medical device manufacturer should consider the MDSAP.
6. Be clear on what is done where. This aspect is especially important for multi-site manufactures. Clearly list the scope of activity at each site and which products are covered by operations. Make sure to define multi-site manufacturing in Stage 1 so the AO can calculate the appropriate time-frame for Stage 2.
7. Employees must be proven competent. Providing objective evidence that employees are competent, not just trained, in regulatory requirements of all pertinent jurisdictions is mandatory. Objective evidence could include testing after training and job function checks to assure competency is practiced—not just learned.
8. Consider the Auditors Perspective. Brian Ludovico, Executive Director at NSF International, suggest organizations keep in mind the AOs perspectives when preparing for the MDSAP Audit. He provided a number of additional tips in recent interviews: auditors cannot read your mind, please justify your work, and regulatory and quality need to be friends in your organization.
9. Learn From Past Mistakes. Marcelo Trevino, Senior VP of Regulatory Affairs and Quality Systems at Applied Medical, provides insights on how to avoid some of the most common mistakes with European regulatory compliance.
If you are ready to bypass the hassle of multiple regulatory inspections and undergo a single, rigorous audit which satisfies the quality regulation of each jurisdiction, consider transitioning to MDSAP.
Author: Suzanne Broussard
When preparing for the MDSAP audit, it is important to understand that the audit focuses heavily on risk-based processes, outsourced processes, and validation activities. MDSAP is based on the international quality systems standard ISO 13485:2016, which requires organizations to consider risk from device conception through its lifetime of use. This Risk Management includes the device manufacturer and the supply chain.
Check out our Resources page for our whitepaper on MedDev 2.7/1 Equivalence and Risk/Benefit Profile.
There are seven “Processes” in the MDSAP audit. FDA’s vision of how all these processes link together is depicted in Figure 2.
The first four “Primary” processes, depicted in the dark blue boxes, and the “Supporting” Purchasing process were all built on a foundation of Risk Management. The other two Supporting processes (note that Device Marketing Authorization and Facility Registration links to two processes), depicted in the light blue boxes, fulfill the requirements of the participating regulatory authorities. There are 90 total tasks.
The MDSAP Audit is designed with the interrelatedness of each process in mind. For example, the manufacturer must identify the linked processes and perform Risk Management in accordance with clause 4.1.2 (c) of ISO 13485:2016. One process naturally links to the next process and the audit is conducted in a logical sequence.
Device manufacturers currently selling in these markets should already be in compliance with each country’s quality regulations, but allocating time and resources for each country’s audit can be challenging. Thankfully, MDSAP’s fruition offers the opportunity to simplify this challenge. Keep in mind that companies only need to be compliant in markets they are currently selling, and organizations are not allowed to opt out of participating nations in which they sell once they adopt MDSAP (no “cherry-picking”).
Read more about how device manufacturers can benefit from the MDSAP.
The audit is very scripted and starts with the Management Process working through each subsequent task straight through to the Purchasing Process. There is no deviation in flow and every “task” is timed. Tasks sections are broken down into Clause and Regulations, Additional Country-specific Requirements, and Links to Other Processes.
The Initial Certification Audit is conducted in two separate stages, typically several weeks apart.
Stage 1 is designed to determine if the Quality Management System (QMS) and other MDSAP documentation requirements are adequate, evaluate the readiness of the manufacturer, and facilitate the planning of the Stage 2 audit. Stage 1, sometimes referred to as a desk-audit, occurs in real-time, typically via virtual communications between the organization and auditor.
Here is an example of what MDSAP is looking for in Stage 1. “Whenever a MDSAP Audit Task requires an auditor to verify the identification and documentation of a requirement in QMS documentation, this verification should be performed as part of the pre-audit preparation and documentation review, as practical, to minimize on-site audit time and to increase the auditor’s familiarity with the manufacturer’s QMS.“
A deficiency letter is sent out after the Stage 1 audit informing manufacturers of deficiencies. Corrective action can then be taken to avoid getting findings during the physical audit.
The Stage 2 audit activities determine the manufacturer’s actual compliance with ISO 13485:2016 and all the regulatory requirements of the participating jurisdiction in which they market. There are two onsite auditors that split up assignments, typically in individual conference rooms.
The flow and timing of the Stage 2 audit are based on the specific tasks that need to be performed as assessed from the information supplied in Stage 1. The duration is calculated using the MDSAP P0008 algorithm based on the number of tasks and the time allotted for each. Variables like the number of employees and the specific process activities performed by the organization are used in this calculation. MDSAP provides two tools to help determine audit time, both of which are available on the FDA website.
Author: Dr. Suzanne Broussard
The Medical Device Single Audit Program (MDSAP) is now in year three of voluntarily allowing medical device manufacturers to satisfy requirements of multiple regulatory jurisdictions with a single audit. Understanding the basics of MDSAP is the first step to determining if this is right for your organization.
Device manufacturers are starting to accept this more harmonized auditing program, with over 2,700 manufacturers having undergone an MDSAP audit as of December 2018 (Figure 1). The significant increase in audits in 2018 reflects Health Canada’s hard deadline of January 1, 2019 for device manufacturers to comply with MDSAP in order to sell medical devices in Canada. While there were plenty of concerns about the transition, Health Canada received over 3,000 MDSAP certifications or transition submissions accounting for 90% of medical manufacturers operating in Canada. The remaining 10% are companies with very low or no sales, meaning they may likely pull out of the market.
Several early adaptors are lauding the MDSAP program for saving time and limiting company resources needed for auditing agencies. These outcomes are in line with IMDRF’s primary goals for creating MDSAP, which are to “…jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturers.”
If you are one of the many medical devices manufacturers that have not yet embraced MDSAP, industry experts suggest it is time to get started! This single audit via MDSAP provides an opportunity for companies to reap the benefits of reduced audits from agencies in multiple jurisdictions if they sell products in participating countries.
Keep in mind that MDSAP does not place a single new requirement on device manufacturers. What MDSAP does is place requirements on the Auditing Organizations (AOs) dictating how to consistently perform an audit. Essentially, AOs are approved by regulatory agencies to perform audits after a rigorous process to prove competency. These AOs are charged with performing the audit in a manner that is consistent and predictable while giving a high degree of confidence that the manufacturer is in complete compliance.
Even regulatory authorities like the FDA are promoting the many benefits of MDSAP.
Some companies that have gone through the process claim that they found the process easier than going through an FDA audit once they embraced MDSAP. Why? Because, the MDSAP audit is performed in a specific order that is predictable and clearly outlined. This approach is very different than an FDA or ISO audit, which are much less predictable. Company testimonials on the FDA MDSAP site claim transition to MDSAP save costs internally with less disruption. This sentiment is shared by other industry leaders who applaud the prescriptive nature of the MDSAP audits.
IMDRF provides device manufacturers with everything required to understand and prepare for MDSAP. A plethora of resources that explain the program in more detail and help prepare for an MDSAP audit are available on FDA’s website. Best of all—they are free!
The most helpful resources are the MDSAP Companion Document and the MDSAP Audit Model.
If your organization sells medical devices in multiple participating countries and already maintains a high level of compliance, transitioning to MDSAP is worth considering. Are you ready to ace the MDSAP?