How is your understanding of the Medical Device Single Audit Program (MDSAP)?
We’ve heard a lot of folks expressing confusion and frustration over it.
I sat down to chat with consultant Kyle Rose , President of Rook Quality Systems and an expert on the new MDSAP. Our aim was to demystify the program and ensure that companies feel better prepared to take it on.
Let’s check it out:
What is MDSAP?
The Medical Device Single Audit Program is a program that allows the consolidation of global regulatory assessments across different international locations. This means that a single audit of a medical device manufacturer can be completed that satisfies the requirements of multiple regulatory jurisdictions.
At the moment, those regulatory jurisdictions participating in MDSAP are:
- USA - FDA
- Australia - TGA
- Japan - MHLW
- Canada - Health Canada
- Brazil - ANVISA
MDSAP allows you as a medical device company to contract with an MDSAP-recognized auditing organization to have a single regulatory quality management system audit that will meet the requirements of all of these regulators.
Each organization defines for itself how MDSAP outcomes are used within its jurisdiction.
Who conducts the audit?
MDSAP audits are administered very similar to how ISO audits are conducted. They are outsourced to approved auditing organizations. These audits are scheduled and contracted by the medical device company, so they won’t be unexpected.
MDSAP audits are broken down into stages as below:
- Stage 1 - This is done in year 1 and typically covers your procedures.
- Stage 2 - This is still done in year 1, typically a few weeks after the Stage 1 audit. This audit will cover more of your records.
- Surveillance audits - These are conducted in years 2 and 3 and typically cover parts of your QMS.
- Recertification audit - This will be in year 4 and covers everything over again.
You can check out a list of approved MDSAP auditors below:
How do you get the MDSAP process started?
We’ve broken this down into a few steps below:
- Reach out to one (or more) of the approved auditing organizations (AO).
- Get their questionnaire to see if you qualify, or what you need to do to get into the queue to schedule audits. (TIP: Get in early, they tend to book up quickly).
- Get a quote for services.
- Complete forms for the AO to review.
- List your products and current registrations or licenses for each market.
- List the types of products which are under the scope of your company.
- Schedule an audit.
- Be prepared for audits to take few days - anything from 5 to 9 days. It is especially at the long end for companies transitioning to 13485:2016.
Prepare for MDSAP audit
Once you’ve completed all of the paperwork and booked your audit (although preferably beforehand), it’s time to look internally at your company and determine how prepared you are for auditing.
There are regulatory concerns particular to each participating authority within MDSAP. You need to determine if you’re covering all of them, or if you’re focusing on particular markets. You can always add others later, which will be included in a future audit.
Once you’ve determined who you’re striving for approval by, you need to ensure that you’re meeting their regulations. There is a great tool for doing this - a GAP assessment process of your QMS processes, procedures and records.
Start by determining what is in scope. Do you have everything within the standards covered and listed correctly in your procedures? Follow up by ensuring you have the processes and records in place.
After this, conduct an internal audit to fall within the scope of MDSAP. You can always contract a qualified consultant to come in and do this for you. Note that changes to ISO 13485:2016 have already been incorporated into the MDSAP program. 2018 will be a big year because these changes are going into effect for most companies. Make sure you are familiar with these changes.
The audit process
Audits will generally follow a process outlined in the diagram below:
An important part for companies to account for is that it might take several days longer than you’ve been accustomed to for an audit. This means having team members available to provide documentation and answer questions for up to 9 days and the potential that there may be multiple auditors involved.
Cost is another thing to account for. As a comprehensive audit, these are expensive and it doesn’t matter what size your company is. Companies large or small will be charged the same.
If your company is across multiple sites, there needs to be an emphasis on efficient document updating and sharing. (This is where software such as greenlight.guru can really help). The focus will be on your primary site, which is where the majority of the audit will be conducted. This is regardless of which processes are off-site and includes virtual manufacturers.
Audits will begin with management review. This includes your management review procedures, quality manual and policy, document control, marketing clearances and licenses. Auditors are interested in similar things which are included in FDA inspections or ISO audits - are you documenting and following procedures? Are you following up on any complaints or CAPA-related issues?
As usual, the focus is safety, effectiveness and efficiency. Other sections of the audit will include; Process, Design and Development, Production and Service Controls and Purchasing. You can find detailed audit procedures here. As a general rule of preparedness for this and any other audit; document, document, document. It’s much easier to keep records as you go along rather than to go back and prepare them in hindsight.
As with any audit, there is the possibility that you may end up with “findings” or “observations,” meaning that there is something there that needs improvement. MDSAP audit findings are graded on a scale of 1 - 5, with 1 being a minor observation and 5 being a major finding.
You’ll see from the scale below that the table allows for a finding on a scale of 1-4 based on QMS impact and occurrence. Findings that are graded at a 4 but found to be a repeat occurrence may be upgraded to a 5. These are defined as repeat findings from within the last two audit reports.
Not documenting a management review would be considered a minor (1) if it was your first non-conformance. Suppliers not being adequately controlled and having multiple non-conformances would be a 4, perhaps a 5 if this was a repeat offense. See also the slide image below for more on the findings scale. You have one month to respond to any critical non-conformities.
Why use MDSAP?
The first and most obvious advantage is that you’re getting one audit that counts for 5 different regulatory authorities. This opens you up to other markets and streamlines that process.
Scheduling an audit rather than a surprise audit is also a plus.
A disadvantage tends to be the cost. Smaller companies in particular will notice a cost increase, although one of the things going on right now is that authorities are looking into how smaller companies might get a discount. Be aware that if you aren’t currently in the Canadian market and are looking to enter, they will require MDSAP.
MDSAP is here to make auditing to the standards of multiple regulatory bodies easier. Currently, there are five participants, meaning you would otherwise have needed five separate audits if you wanted to be certified for each country.
Companies can prepare by knowing which countries they are aiming for approval with and noting any requirements peculiar to those regulatory authorities. Use a good QMS (such as greenlight.guru) to ensure that your documentation is easily shared and kept up-to-date.
Do you have questions, concerns or general comments about MDSAP? Feel free to drop us a line, or contact Kyle at Rook Quality Systems at firstname.lastname@example.org.