Author: Suzanne Broussard
Risk Assessment is the Cornerstone of the MDSAP
Audit
When preparing for the MDSAP audit, it is important to understand that the audit focuses heavily on risk-based processes, outsourced processes, and validation activities. MDSAP is based on the international quality systems standard ISO 13485:2016, which requires organizations to consider risk from device conception through its lifetime of use. This Risk Management includes the device manufacturer and the supply chain.
Check out our Resources page for our whitepaper on MedDev 2.7/1 Equivalence and Risk/Benefit Profile.
There are seven “Processes” in the MDSAP audit. FDA’s vision of how all these processes link together is depicted in Figure 2.
The first four “Primary” processes, depicted in
the dark blue boxes, and the “Supporting” Purchasing process were all built on
a foundation of Risk Management. The other two Supporting processes (note that Device
Marketing Authorization and Facility Registration links to two processes),
depicted in the light blue boxes, fulfill the requirements of the participating
regulatory authorities. There are 90 total tasks.
The MDSAP Audit is designed with the
interrelatedness of each process in mind. For example, the manufacturer must
identify the linked processes and perform Risk Management in accordance with
clause 4.1.2 (c) of ISO 13485:2016. One process naturally links to the next
process and the audit is conducted in a logical sequence.
Device manufacturers currently selling in these
markets should already be in compliance with each country’s quality regulations,
but allocating time and resources for each country’s audit can be challenging.
Thankfully, MDSAP’s fruition offers the opportunity to simplify this challenge.
Keep in mind that companies only need to be compliant in markets they are
currently selling, and organizations are not allowed to opt out of
participating nations in which they sell once they adopt MDSAP (no
“cherry-picking”).
Read more about how device manufacturers can benefit from the MDSAP.
Stages of the MDSAP Audit
The audit is very scripted
and starts with the Management Process working through each subsequent task
straight through to the Purchasing Process. There is no deviation in flow and
every “task” is timed. Tasks sections are broken down into Clause and
Regulations, Additional Country-specific Requirements, and Links to Other
Processes.
The Initial Certification Audit is conducted in
two separate stages, typically several weeks apart.
Stage 1
Stage 1 is designed to determine if the Quality
Management System (QMS) and other MDSAP documentation requirements are
adequate, evaluate the readiness of the manufacturer, and facilitate the
planning of the Stage 2 audit. Stage 1, sometimes referred to as a desk-audit,
occurs in real-time, typically via virtual communications between the
organization and auditor.
Here is an example of what MDSAP is looking for in Stage 1. “Whenever a MDSAP Audit Task requires an auditor to verify the
identification and documentation of a requirement in QMS documentation, this
verification should be performed as part of the pre-audit preparation and
documentation review, as practical, to minimize on-site audit time and to
increase the auditor’s familiarity with the manufacturer’s QMS.“
A deficiency letter is sent out after the Stage
1 audit informing manufacturers of deficiencies. Corrective action can then be
taken to avoid getting findings during the physical audit.
Stage 2
The Stage 2 audit activities determine the
manufacturer’s actual compliance with ISO 13485:2016 and all the regulatory
requirements of the participating jurisdiction in which they market. There are
two onsite auditors that split up assignments, typically in individual
conference rooms.
The flow and timing of the Stage 2 audit are based on the specific tasks that need to be performed as assessed from the information supplied in Stage 1. The duration is calculated using the MDSAP P0008 algorithm based on the number of tasks and the time allotted for each. Variables like the number of employees and the specific process activities performed by the organization are used in this calculation. MDSAP provides two tools to help determine audit time, both of which are available on the FDA website.
Are you ready to read about our 9 tips to ace the MDSAP the first time?