The Basics: Understanding the Medical Device Single Audit Program

FDA and regulatory counterparts in several countries introduced the Medical Device Single Audit Program (MDSAP) Pilot, an international effort to harmonize the inspection and auditing of medical device manufacturers in a single annual audit to be conducted by third-party certification body auditors. MDSAP procedures refer to these certification bodies as “auditing organizations.” The program is the result of efforts by the International Medical Device Regulators Forum (IMDRF), and satisfies the requirements of four regulatory bodies:

  • U.S. Food & Drug Administration (FDA)
  • Brazilian National Health Surveillance Agency, Agência Nacional de Vigilância Sanitária (ANVISA)
  • Health Canada (HC)
  • Australian Therapeutic Goods Administration (TGA)

Japan will become the fifth, full member of the pilot program this summer. Several of the European Notified Bodies are actually conducting the MDSAP audits, and it is expected that Europe will also join the MDSAP when the program is fully implemented in 2017.

FDA
FDA will accept the MDSAP audit reports in lieu of routine Level 1 and Level 2 inspections. However, MDSAP audit reports will not replace “For Cause” FDA inspections or Level 3 follow-up inspections by FDA. MDSAP audits will not replace pre-clearance/pre-approval inspections for 510(k) or PMA submissions, either.

ANVISA
ANVISA will use MDSAP audit reports as part of the pre- and postmarket assessment processes. ANVISA will also accept MDSAP audits in lieu of the initial ANVISA audit. This is critical, because there is an average backlog of three years for initial inspections.

Health Canada
HC intends to replace the existing CMDCAS certification program with MDSAP as the method of verifying that Health Canada’s quality management system requirements is met. This is another reason why only registrars recognized by Health Canada were invited to apply for participation in the MDSAP Pilot.

Australian TGA
Australia’s TGA will use MDSAP audit reports as an input to decisions for issuing market authorization, unless the device is excluded or exempted, or current policy prohibits the use of MDSAP audit reports. In addition, the Australian TGA recently became HC’s 15th recognized registrar.

Japan’s Ministry of Health, Labor & Welfare (MHLW)
Japan’s MHLW and Material Authorization Holders (MAHs) perform onsite inspections of manufacturers for compliance with the Japanese Pharmaceutical Affairs Law (JPAL). Changes to JPAL were approved in November 2013 and launched in November 2014. As part of the changes, the MHLW is allowing Certification Bodies to audit additional device classifications. Also, MHLW is now an official observer and active participant in the MDSAP Pilot. MHLW becomes a full member in the summer of 2015. 

Don't miss Robert Packard's presentations at OMTEC 2015.
Presentations include:

2016 European Medical Device Regulations: Significant Changes for Importers and Distributors and
2016 European Medical Device Regulations: Preparing for the Spinal Implant Reclassification 

Omtec-2015-Badge

MDSAP Mission
The primary mission of MDSAP is to leverage resources of the collective regulatory bodies to more efficiently monitor device manufacturers. Sharing regulatory reports will decrease the total number of audits required by regulators, and manufacturers that participate in the pilot will help shape the MDSAP policies. FDA posted four new documents on the MDSAP Pilot, describing how the five countries participating in the pilot will use MDSAP reports:

  1. Participation in MDSAP Pilot
  2. MDSAP Frequently Asked Questions
  3. List of Eligible Auditing Organizations for MDSAP
  4. FDA Voice Blog 

In January 2015, FDA released an update regarding the Medical Device Single Audit Program (MDSAP) Pilot. If you signed up for the CDRH mailing list, you should have received this update. Here are some additional resources:

MDSAP Audit Process
Only companies that already have CMDCAS certification are eligible to participate in the MDSAP Pilot. Typically, CMDCAS does not add any significant time to a regular ISO 13485 surveillance audit, but the MDSAP audits are expected to be much longer than a typical surveillance audit—possibly twice as long. The extra duration is due to the time that is required to complete a regulatory checklist for each of the countries where the company distributes product. MDSAP audits will also cost more, but participation in the pilot can help companies avoid the burden of FDA inspections and audits by other regulators.

Similar to the internal policies and procedures of registrars and the QSIT manual used by FDA inspectors, the MDSAP also has procedures and forms used by the auditors. The following procedures and forms are available for download:

  • MDSAP Audit Model
  • MDSAP Companion Document
  • MDSAP Time Calculation
  • MDSAP Audit Time Calculation Spreadsheet
  • MDSAP Medical Device Regulatory Audit Reports
  • MDSAP Medical Device Regulatory Audit Report
  • MDSAP NC Grading and Exchange Form
  • MDSAP Medical Device Regulatory Audit Report Form Guidelines
  • MDSAP NC Grading and Exchange Form Guidelines
  • MDSAP Certificate Document Requirements
  • MDSAP Surveillance Audit Confirmation Notification Process
  • MDSAP Post Audit Activities and Timeline Policy
  • MDSAP Threat to Impartiality
  • MDSAP Initial Manufacturer Audit Mfg Withdrawal Notification
  • MDSAP Initial Manufacturer Audit Mfg Withdrawal Notification Form
  • MDSAP Auditor Training

The two documents that help explain the MDSAP auditing process best are the “MDSAP Audit Model” and the “MDSAP Companion Document.” The “MDSAP Audit Model” instructs auditors on how to perform audits under the MDSAP program, and includes an audit sequence with instructions for auditing each of the seven processes identified below:

  1. Management
  2. Device Marketing Authorization and Facility Registration
  3. Measurement, Analysis and Improvement
  4. Medical Device Adverse Events and Advisory Notices Reporting
  5. Design and Development
  6. Production and Service Controls
  7. Purchasing

The “MDSAP Audit Model” also highlights process interactions. Many companies struggle with ways to identify process interactions, but it is a requirement of ISO 13485 in Clause 4.2.2(c). The description of process interactions in this document are the best I have ever read. This document additionally emphasizes the interrelationships to relevant risk management activities, which is a major emphasis of ISO 14971 and the 2015 version of ISO 9001.

The second document, “MDSAP Companion Document,” is a reference and includes additional detail regarding each audited process. In fact, the “MDSAP Companion Document” is almost twice as long as the “MDSAP Audit Model” (i.e., 95 pages vs. 56 pages). The “MDSAP Companion Document” also provides guidance for assessing the conformity of each of the seven processes.

The breakdown of a quality system into seven different processes is reminiscent of the four major systems that the QSIT manual is divided into: 1) CAPA, 2) Design Controls, 3) Management and 4) Production & Process Controls. There is also the MDSAP Time Calculation document, which provides time estimates for auditing each of the seven processes.

The grading process for nonconformities is also different in the MDSAP process. First, the impact of each nonconformity is evaluated to determine whether it has a direct impact upon design or manufacturing controls (e.g., sterilization validation). If there is a direct impact, then the finding is scored “3.” Otherwise, the finding is scored “1” for an indirect impact upon design or manufacturing controls. Next, the auditor reviews previous audit reports to determine if the nonconformity is a repeat finding. For each repeat finding, the score is increased by one point to a maximum score of “5.” The findings are categorized according to a five-point scale, and findings with a score of “5” require verification of corrective actions via an unannounced audit.

If you have specific questions about any process that is part of the MDSAP, you can review the procedures for governing the MDSAP on FDA’s website. I thought it was fascinating to see how an international regulatory consortium created their own quality system documentation in the same format that we use for ISO 13485 quality systems—with some obvious modifications to ensure that the format applies to the purpose of the MDSAP. Throughout their procedures, they have even included references to harmonized standards they are applying to processes like risk management. (Good luck keeping all those references to versions of standards current.) They even created a procedure for “MDSAP QMS Management Responsibility and Management Review.”


Unannounced Audits
In 2014, there was a much interest and concern over how Notified Bodies would implement the new requirement by the EU Commission to conduct unannounced audits. In the “Audit Model” document for the MDSAP Pilot, there is a section dedicated to the topic of unannounced audits. This section does not include any details about the methods or process for an unannounced audit, but it does state that the manufacturer shall be given a 48-hour notice of the audit and the manufacturer shall provide a “letter of introduction” in order to facilitate VISA applications. This is important for auditors who reside in Europe and must perform unannounced audits of U.S. companies. Elsewhere in the audit model document, it states that unannounced audits may occur at any time during the three-year audit cycle.

How to Apply for MDSAP Pilot
If you are interested in applying for participation in the MDSAP Pilot, you might consider contacting one of the three largest auditing organizations that are participating:

Tony Rizzo at BSI, This email address is being protected from spambots. You need JavaScript enabled to view it.
Gary Minks at TÜV SÜD, This email address is being protected from spambots. You need JavaScript enabled to view it.
Bruno Samuel at SGS, This email address is being protected from spambots. You need JavaScript enabled to view it.

The investment in training and resources to support the MDSAP pilot is significant. Therefore, it is unclear how many of the other 11 recognized registrars in the CMDCAS program will be able to participate in the MDSAP pilot.

Rob Packard is a regulatory consultant with 20 years of experience in the medical device, pharmaceutical and biotechnology industries. Mr. Packard served in senior management at several medical device companies, including President and CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing and maintaining ISO 13485 and ISO 14971 certification. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. His specialty is regulatory submissions for high-risk medical devices for CE Marking applications, Canadian medical device applications and 510(k) submissions. The most favorite part of his job is training others. He can be reached by This email address is being protected from spambots. You need JavaScript enabled to view it.

Medical Device Academy
www.medicaldeviceacademy.com