While device manufacturers were slow to adopt the Medical Device Single Audit Program (MDSAP) in its pilot days, the initiative has gained traction since FDA’s Center for Devices and Radiological Health (CDRH) named it an official program earlier this year. Like manufacturers, I too had reservations about whether this was the right strategy moving forward. But I’m warming up to the concept.
Within this article, I’ll share my qualms about MDSAP and the possible benefits of the initiative that had a rocky start because industry was convinced that FDA was not launching this program for all the right reasons.
The Stage is Set
I’ve lost track of the times I’ve heard regulators say, “Just because you’re ISO Certified doesn’t mean you’re compliant with U.S. regulations.” There is nothing “voluntary” about complying with U.S. regulations. Keep in mind that the ultimate goal is always to assure that medical devices are safe and effective for human use. To help guarantee that edict, the world market must have an inspection (audit) process in place that allows regulators the opportunity to challenge a device company’s controls using a robust Quality Management System (QMS) as a platform. Auditing (inspection) is not a perfect discipline.
In the 1990s, FDA and the ISO regulators sold everyone on the idea that regulations and ISO standards used to control the design and manufacturing of medical devices were not identical, but harmonized. Industry helped sell the concept. It was and still is a great idea. We agreed to move forward using Technical Committees, the Global Harmonization Task Force (now International Medical Device Regulators Forum (IMDRF)), input from the Competent Authorities and, of course, industry’s opinion(s).
The pressures associated with getting ISO Certified seemed to escalate, as did the use of CE Marking to enable medical device companies to conduct business in the European Union. The entire medical device industry prepared to earn the coveted ISO Merit Badge.
I have been through MDSAP pilot audits, ISO audits and FDA inspections for a varied profile of medical device companies. As with previous BONEZONE articles I’ve written, my commentary and insight comes from job/life experiences, and my opinions are based upon this reality.
MDSAP audits remind me of ISO audits and not FDA inspections. I can hear your responses to this: “Get over it, John; this is a sign of these financially-demanding times.” “We need to stretch and flex in this fast-paced world.” “We have to do something like this to make good on these regulated assurances that change way too often.”
It’s true that historically, FDA has discussed using third parties because the agency, frankly, hasn’t been able to keep up with its inspectional demands. More specifically, they were (and are) notorious for not being able to sustain the resource requirements with the self-imposed difficulties for inspecting medical device companies in the U.S. and now internationally. I get it; the MDSAP initiative is progress. And I agree that it could be. But I question, is it a Band-Aid? We’ll see. Change is inevitable.
Audits are unlike inspections from a standpoint of intent, logistics, the requirements for objective evidence, the use of the “deep dive approach” and, of course, the auditor versus the inspector’s demeanor. MDSAP is supposed to transform the approach used to conduct pre- and postmarket QMS audits and significantly reduce the audit compliance challenges facing device manufacturers. My work—and the travel it has demanded—has taught me that this is now a world market. From my years of experience with ISO audits and FDA inspections, it is my belief that we need a reality check. The check and balance system that the industry deals with every day will work its way through the issues, or maybe it won’t.
Historically, various regulatory authorities like FDA have clearly identified shortcomings in the Standards being utilized for the recognition of organizations that conduct medical device audits for regulatory purposes.
These standards were considered to be too generic and focused on commercial entities for commercial purposes, and not necessarily the systems that reassure consumers of the safety and efficacy of the medical device. Yet, here we are. But many organizations that work in the regulated environment of medical devices must comply with these Standards every day, e.g. ISO Certification and CE Marking.
The ultimate goal has always been to manufacture safe and effective medical devices. FDA Districts target coverage of manufacturers of Class II and Class III devices utilizing a risk-based methodology. Government resources are directed toward accomplishing performance goals as well. Selection of firms to accomplish the performance goals and then the remaining work plan obligations should be focused using the risk-based model. Inspecting the controls that are in place and necessary to design and manufacture medical devices is a far cry from the approach that ISO audits presently take.
Therapeutic Goods Administration of Australia
Brazil’s Agência Nacional de Vigilância Sanitária
Japan’s Ministry of Health, Labour and Welfare, and the Japanese Pharmaceuticals and Medical Devices Agency
The World Health Organization (WHO) and the European Union (EU) are Official Observers
What is MDSAP’s Perceived Impact for Your Company?
- FDA will accept MDSAP audits as a substitute for routine FDA inspections, typically planned (but not necessarily executed) every two years for all classes of medical devices. Pre-approval inspections for devices requiring premarket approval applications (PMAs) and “for cause” compliance inspections are not part of MDSAP to date. Now, companies will pay for MDSAP audits at least every year, i.e. a Stage One, Stage Two (year one), surveillance (year two) and recertification (year three). The frequency of FDA inspections was never on schedule and/or predictable.
- MDSAP does not increase regulatory requirements for medical device manufacturers. The audits cover only the existing requirements of the regulatory authorities participating. In many cases, these requirements are already harmonized or very similar to one another.
- The MDSAP model is a way that your company can be audited once for compliance with the standard and regulatory requirements of up to five different medical device markets: Australia, Brazil, Canada, Japan and the U.S.
- The program’s main mission is to jointly influence regulatory resources to manage an efficient, effective and maintainable single-audit program focused on the oversight of medical device manufacturers.
- MDSAP was implemented-based on requirements that are defined in the IMDRF model, which is to:
- Enable appropriate regulatory oversight of medical device manufacturers’ QMS while minimizing regulatory burden on industry
- Promote more efficient and flexible use of regulatory resources
- Promote greater global alignment of regulatory approaches and technical requirements based on international standards and best practices
- Promote consistency, predictability and transparency of regulatory programs
- All regulatory authorities participating in MDSAP are equal partners in the program.
FDA Quality System Inspection Technique (QSIT)
In comparison, QSIT is still viable in at least the U.S. and is somewhat harmonized with MDSAP. The process for performing subsystem inspections is based on a top-down approach to inspecting. The subsystem approach is designed to provide you with the key objectives that can help determine a firm’s state of compliance. Rather than check every aspect of the medical device company’s QMS, the subsystem approach focuses on those elements that are most important in meeting the requirements of the QMS regulation and which are key quality indicators. This includes both a broad review of whether the firm has procedures in place, and appears to meet the requirements, and a more detailed review of some records to verify the requirements have been implemented in actual production, design and daily quality assurance situations. By directing your attention to the major areas in a firm’s quality system, you should be better able to determine if the firm’s quality system is in control.
The QSIT process encompasses three approaches that are different from the traditional quality system inspection. The first is the concept of a top-down process. With QSIT, the inspection begins with review of top system-wide procedures and policies. As more information is needed, the investigator bores down farther into the records, taking a top-down approach. The second approach is the concept of record sampling. This allows the investigator to look at a selection of records by using statistical tables as a guide for determining how many documents to examine. This helps to keep the process moving and to cover more ground during the inspection. The last approach is the concept of pre-inspection record review. With QSIT, investigators are encouraged to ask for records before the inspection actually begins. While firms are not required to send any records to FDA prior to the actual start of the inspection, data from the QSIT study indicates that this practice saved time and enhanced the efficiency of the inspection.
The MDSAP Audit Model
MDSAP is derived from ISO 13485:2016 and was designed for the audit of the primary QMS processes in the following sequence: (1) Management; (2) Measurement, Analysis and Improvement; (3) Design and Development and (4) Production and Service Controls processes. The Purchasing process (5) will be reviewed in conjunction with the Measurement, Analysis and Improvement process; the Design and Development process; and the Production and Service Controls process. Purchasing Controls has a far-reaching link to suppliers worldwide. Its impact on a medical device company links to many of the processes involved directly with the safety and effectiveness of the device. The MDSAP audit process has two additional supporting processes: (1) Device Marketing Authorization and Facility Registration; and (2) Medical Device Adverse Events and Advisory Notices Reporting. These processes are necessary to fulfill specific requirements of the participating MDSAP regulatory authorities.
The Profile of Audit Sequence and Logistics
As I mentioned, the MDSAP audit is designed to meet the requirements of ISO 13485:2016. The process for postmarket surveillance will be challenged and risk management will play a large part in how this is approached from a scope and outcome standpoint. The MDSAP audit program is based on a three-year audit cycle that includes these activities:
- Initial certification audit: The initial certification audit is a complete audit of a manufacturer’s QMS and consists of two separate stages: Stage One is chiefly intended to evaluate available QMS documentation and the extent of a manufacturer’s preparedness to undergo Stage Two audit activities. (This can be a desktop audit.) Stage Two audit activities evaluate the actual compliance of the QMS with the requirements of ISO 13485, as well as other requirements of MDSAP-participating regulatory authorities.
- Surveillance audits: In each of the two years following the initial MDSAP certification audit, a surveillance audit is conducted to assess on-going compliance with MDSAP QMS requirements. Annual surveillance audits do not include the Stage One review activities that are part of an initial certification audit, and do not need to address all MDSAP requirements that are part of Stage Two activities. Surveillance audits are designed to assess any changes in the manufacturer’s products or QMS processes since the initial certification audit.
- Recertification audit: Conducted in the third year following the initial certification audit, the recertification audit is intended to evaluate a manufacturer’s QMS for its continued suitability and effectiveness in meeting QMS requirements under MDSAP. Through more selective and focused sampling, recertification audits typically take less time than initial certification audits.
The Audit Focus
During the audit of the medical device manufacturer’s QMS, the auditor must be mindful of the ISO-driven concept of “linkages.” In order for an organization’s QMS to function effectively, it has to identify and manage numerous interrelated (linked) processes in accordance with clause 4.1.2 (c) of ISO 13485:2016.
Furthermore, the auditor will commonly assess risk management activities during the audit of the QMS processes. Risk management is an essential aspect of the QMS and usually starts in conjunction with the design and development process. It then continues through product realization and supplier selection and carries on until the product is taken off the market. Risk-based decisions occur throughout the various QMS processes; each organization must decide how much risk is acceptable to ensure medical devices are safe and effective. Each medical device company needs to demonstrate its ability to provide medical devices that consistently meet customer and regulatory requirements.
IMDRF Auditing Decisions
The assumption of the IMDRF work group’s analysis was to allow ISO/IEC 17021-1:2015 to act as the generic base requirements and then utilize this IMDRF MDSAP document (IMDRF/MDSAP WG/N3 FINAL: 2016) to add prescriptive requirements for the medical device Auditing Organization (AO) and to negate or eliminate certain of these generic base requirements (meant for commercial entities, i.e. when the AO is also the regulatory authority). AOs that are also regulatory authorities have other laws and requirements that cover these deleted generic requirements in different ways.
Moving forward, FDA will continue to accept MDSAP audit reports as a substitute for routine agency inspections. FDA noted that 486 manufacturing sites had participated in MDSAP from 1Q14 to 2Q17. If properly enabled, specific benefits of MDSAP could include:
- Harmonization of auditing requirements
- Broader acceptance of audit reports
- Reduced overall auditing time and expense Reduced time responding to findings
- Wider choice of third-party audit organizations More transparent and consistent oversight by regulators
- Finally, a single, harmonized set of pre- and postmarket QMS audit requirements to ensure more regular and consistent oversight by regulatory authorities.
- From an FDA perspective, MDSAP is being actively used by the agency: MDSAP audit reports are processed and reviewed by the CDRH to determine if enforcement actions must be considered.
MidWest Process Innovation, LLC