The MDSAP Audit Model: What to Expect and How to Prepare
Unless you’ve spent several years adrift on a raft in the South Pacific, you’ve probably heard about the Medical Device Single Audit Program, known as MDSAP. At Oriel STAT A MATRIX, many of our medical device clients ask us about the program, how to prepare for it, and how an MDSAP audit differs from a typical ISO audit or FDA inspection. Before we get into that, let’s take a step back.
What is MDSAP?
The Medical Device Single Audit Program – or MDSAP – allows a single audit of a medical device manufacturer’s quality management system (QMS) to satisfy the regulatory requirements of Australia, Brazil, Canada, Japan, and the United States. Regulatory authorities participating in the program:
- Australian Therapeutic Goods Administration (TGA)
- Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)
- Health Canada
- MHLW/PMDA (Japan)
- US Food and Drug Administration (FDA)
South Korea, Argentina, and Singapore are affiliate members. This means they are allowed access to manufacturer’s information, sites, audit dates and the auditing organization, but cannot access the actual audit reports.
How MDSAP works
The MDSAP program uses recognized third-party auditors – Auditing Organizations (AOs) – to conduct these audits. The MDSAP audit model covers the requirements of ISO 13485 plus Good Manufacturing Practice requirements for each applicable regulatory authority. For example, it covers 21 CFR Part 820 for the US and ANVISA RDC 16/2013 for Brazil. During an MDSAP audit, the AO will audit only the country-specific regulatory requirements for the MDSAP participant countries in which you sell your devices. Ironically, many AOs are also Notified Bodies, even though the MDSAP program does not yet extend to cover the quality and safety requirements of Europe. Thus, you will still need to undergo a separate Notified Body audit to maintain compliance with EU requirements.
Sequence and timing of MDSAP audits
An MDSAP audit is actually a series of three audits conducted over a revolving three-year period.
Initial certification audit: This is a complete audit of your QMS conducted in accordance with the requirements of ISO/IEC 17021 in two separate stages:
- Stage 1 audit activities are intended to evaluate QMS documentation and your preparedness to undergo a Stage 2 audit.
- Stage 2 audits assess actual compliance of the QMS with the requirements of ISO 13485 and other stipulations of the MDSAP-participating regulatory authorities.
Surveillance audit: In the two years following an initial MDSAP certification audit, a surveillance audit is conducted to determine compliance with MDSAP QMS requirements. This audit does not include the review activities that are part of an initial certification audit and does not need to address all MDSAP requirements that are part of Stage 2 activities. A surveillance audit should assess any changes in the manufacturer’s products or QMS processes since the initial certification audit was conducted.
Recertification audit: A recertification audit is conducted in the third year following the initial certification audit. This audit is intended to evaluate a manufacturer’s QMS for continued suitability and ability to meet QMS requirements under the MDSAP. A recertification audit employs more precise sampling and typically takes less time than the initial certification audit.
What to expect from an MDSAP audit
The MDSAP audit follows the process approach: It moves in a top-down direction and is conducted in a structured and logical manner. The audit begins with a review of all SOPs and continues through a series of step-by-step questions. Download this comprehensive MDSAP audit approach guide. The questions are taken from an audit checklist and do not vary. Once you have decided on an AO and scheduled your audit, ask your auditor if they will share the audit checklist with you.
The audit sequence cover four primary processes:
2) Measurement, Analysis, and Improvement
3) Design and Development
4) Production and Service Controls
There are also three supporting processes:
6) Device Marketing Authorization and Facility Registration
7) Medical Device Events and Advisory Notices Reporting
You can expect a heavy focus on:
- Risk activities as they relate to all processes
- Your outsourced processes
- Design and process validations
- Change management and associated risks
One big difference you need to prepare for is that unlike an ISO audit that remains focused on one specific set of procedures, an MDSAP audit follows links to related processes. As such, you need to keep on your toes, and it is important to have regulatory people in the room with you or readily available. The FDA companion document shows examples of these links, and we will talk about that in a moment.
The MDSAP grading system: Say goodbye to “majors” and “minors”
The ISO auditing system resulted in the issuance of major and minor nonconformities. MDSAP has eschewed that language and adopted the widely understood 5-point rating scale: 1 (least critical) to 5 (most critical). We won’t go into much depth on the new rating system here, but you can read more about it in our blog post on the MDSAP grading system. Also, to see how grading works in practice, download GHTF/SG3/N19:2012 and look at the last two pages.
Do your homework!
The best preparation you can do in the months before an MDSAP audit is to download, read, highlight, and reread the MDSAP audit model guide. It’s 231 pages of jam-packed fun. Seriously, this document is a must-read as it contains a gold mine of information on how an MDSAP audit will be conducted. It is separated into seven chapters:
- Chapter 1 – Management
- Chapter 2 – Device marketing authorization and facility registration
- Chapter 3 – Measurement, analysis and improvement
- Chapter 4 – Medical device adverse events and advisory notices reporting
- Chapter 5 – Design and development
- Chapter 6 – Production and service controls
- Chapter 7 – Purchasing
Conduct an MDSAP gap analysis
After you have studied the FDA MDSAP companion document, you should conduct a thorough gap analysis. Oriel STAT A MATRIX can certain assist you in conducting an independent MDSAP gap assessment and helping you fill the holes as needed. Make sure you leave yourself enough time to schedule and prepare for the pre-assessment, conduct it, and then fix the issues that pop up. Believe us when we say that your hair will be on fire in weeks before the audit, so don’t add to your stress by fixing problems during those last few weeks. Also, once you know the AO audit dates, block off your calendar as needed and make sure key staff will not be on vacation the week before or during the audit.
In the week preceding the audit
With your gap analysis completed and findings addressed, you and your team will be busy assembling all the reference documentation that may be needed or requested during the audit. Depending on the number of procedures, devices, and markets in which you sell, you may want to commandeer a conference room or another room for a few weeks where you can assemble all documents that may be required during the audit. People often refer to this as a “war room,” but that’s not the mindset you want to establish for your team going into an audit. Call it “mission control” or your “command center.”
Here are some tips on what you should have ready. Basically, you want to have on hand all documentation you would normally have ready for an ISO or FDA audit.
- Prepare all procedures and have them printed out or ready electronically. Find out well ahead of time what format your auditor prefers.
- Create a simple Excel table with countries on the left side on each row, individual products along the top in each column, and registration numbers in the cells. Link those to online information when possible.
- Have copies of your establishment registrations for each MDSAP country in which you sell (the US, Canada, Brazil, Japan, and/or Australia – NOT for Europe, as no European countries are currently participating in MDSAP).
- Copies of all distributor, subsidiary, regulatory representation, and supplier agreements, including quality agreements.
- Manuals, labeling, IFU, and GUI, with translated versions of each.
Length of an MDSAP audit
ISO audit duration is based on the number of employees in the facility, but that’s not the case for MDSAP audits – these are based on the number of elements to be covered in the audit. There can be up to 94 such elements. On average, 15 minutes is spent on most procedures, with up to 45 minutes spent on critical areas such as sterilization, servicing, or installation. Design can be considerably longer. It’s not unusual for an MDSAP audit to last 4-5 days. You can expect to get the audit schedule about 3-5 weeks before the audit.
Keep things in perspective: One audit = five countries
At first, getting ready for an MDSAP may seem overwhelming. Never fear. Spend some time studying the bounty of materials published by FDA and they will start to make sense. Also, keep in mind that your short-term pain will pay off with long-term gains. Make sure your management team understands this as well. Upon successfully passing an MDSAP audit, you will no longer have to undergo multiple separate audits covering the same material. And remember – you don’t have to do it alone. Oriel STAT A MATRIX consultants can help you ensure a smooth transition to the MDSAP. Learn how we can help.