The Medical Device Single Audit Program (MDSAP): Your Questions Answered
Regulators from five countries (US, Canada, Australia, Brazil, and Japan) joined forces in 2012 with the goal of coordinating data gathering and reducing redundant audits for medical device manufacturers. The program has grown quickly. Health Canada led the way and required MDSAP certification starting in January 2019, and as of late 2019, nearly half of US manufacturers qualified for an MDSAP audit while the rest received traditional FDA inspections.
At Oriel STAT A MATRIX we get many questions about MDSAP, so we have compiled a list of the most common ones.
Questions and responses are grouped into the following categories.
- Who Needs to Comply with MDSAP and How Much It Costs
- How to Prepare for MDSAP and What to Expect
- Audit report content, privacy and how long it takes
Who Needs to Comply with MDSAP and How Much It Costs
We sell in Canada. Is MDSAP required?
- Yes, if you sell any Class II, III, or IV devices in Canada. If you sell only Class I devices, you do not need MDSAP certification.
We only sell in the US and Europe. Do we need MDSAP?
- No. Europe is not a participant in the MDSAP program and the US FDA does not require participation at this time, so it would not make any sense to get MDSAP certified unless you knew for certain that you plan to expand sales into Canada, Brazil, Japan, or Australia. Even then, you will need to weigh the costs of compliance with MDSAP against your sales potential in those markets. Canada is the only market that requires MDSAP certification.
Can I choose which countries to include in the scope of our audit?
- You cannot choose which countries are included in the scope of your MDSAP audit. As an example, if your company is distributing and selling in the US, Canada, and Australia, then all three would be in the scope of the audit; Brazil and Japan would not because you are not selling there. Companies selling into all five countries have quite a large scope to cover during the audit. Also, remember that MDSAP is required in Canada.
If a finished device is made by a manufacturer holding European CE Marking on the device but an exclusive distributor sells the device in Canada, who is obligated to get MDSAP certified?
- Normally, the legal medical device manufacturer applies for the Medical Device License (MDL) in Canada. Note that CE Marking is not related to either MDSAP or Health Canada and, therefore, does not influence the answer to this question. Also note that if a distributor applies for the MDL then they need to identify the actual manufacturer. This form of private labeling is still a valid process in Canada and they have guidance documents for applying for MDLs as a private labeler. If the device is a Class I device through a distributor, then this is a moot point as a Class I requires only an MDEL and not a quality system certification.
What defines a manufacturer versus a private labeler in Canada?
- The term manufacturer is defined in the Canadian Medical Devices Regulations as follows: “ ‘Manufacturer’ means a person who sells a medical device under their own name, or under a trademark, design, trade name or other name or mark owned or controlled by the person, and who is responsible for designing, manufacturing, assembling, processing, labelling, packaging, refurbishing or modifying the device, or for assigning to it a purpose, whether those tasks are performed by that person or on their behalf.”
- Original manufacturer has the same meaning as manufacturer in the regulations.
- Private-label manufacturer means a company that sells a private label medical device under its own name or trademark.
- Private-label medical device means a medical device that is identical in every respect to a medical device manufactured by an original manufacturer and licensed by Health Canada, except that the device is labeled with the private-label manufacturer’s name, address, and product name and identifier.
How much does it cost?
- This is a difficult question to answer because the cost varies based on the number of facilities audited, product mix, and scope of the MDSAP audit. What we can say is the cost is significantly greater than a normal ISO 13485:2016 audit. We have seen the price vary from US$18,000 to US$30,000+, depending on the company size and scope. MDSAP has a formula for establishing the audit time according to procedure MDSAP AU P0008, but then each AO establishes their own cost or price per resource to complete the audits.
How to Prepare for MDSAP and What to Expect
What can I do to prepare for my MDSAP audit?
- Read this short primer on preparing for an MDSAP audit and what to expect.
Regarding the risk-based approach to MDSAP audits, what is required in terms of documentation and training?
- Clause 4.1.2 of ISO 13485:2016 does not include a requirement to document anything or provide training in the risk-based approach. However, if we read from 4.1.1 through 4.1.2, there is a clear progression of activities. First, the organization needs to document roles (4.1.1). Then, depending on the roles (manufacturer, distributor, etc.), the organization must determine and apply the necessary QMS processes. The organization needs to control these processes using an approach that prioritizes the processes by their impact on producing an unsafe or ineffective product. The use of the words “risk-based approach” in clause 4.1.2 indicates that to apply this approach we need to apply the risk-based thinking from ISO 9001:2015 – which is already part of the process approach and makes preventive action part of the process. Risk-based thinking solves potential problems. Just as we should use good problem-solving tools in a reactive (CAPA) process, we should also use them to identify and stop problems before they happen.
- Although there is no requirement for documenting the risk-based approach, Oriel STAT A MATRIX recommends that organizations document the activities they executed to determine QMS processes and their interrelationships, as well as potential problems that could arise if the processes were ineffective. Further, Oriel STAT A MATRIX advises that organizations plan for and take action to reduce the probability of undesirable outcomes from these processes and also review their effectiveness periodically. The exact nature of the tools and techniques that can be used to document these activities should be an organizational decision.
Can internal auditors approve nonconformance/corrective/preventive action records?
- In Chapter 3, Task 10 on Internal Audits, the last sentence states: “Confirm that the internal audits include provisions for auditor training and independence over the areas being audited, corrections, corrective actions, follow-up activities, and the verification of corrective actions.” Does this sentence mean that internal auditors cannot be part of nonconformance/corrective/preventive action records as approvers?
- First, some general advice on interpreting MDSAP audit tasks: MDSAP does not include any new requirements. Refer to the relevant ISO clause and any identified regulatory references when you need to clarify an audit task. A key requirement is that auditors remain independent of the work they are auditing. This is addressed in US 21 CFR Part 820.22 and emphasized in Clause 8.2.4 of ISO 13485:2016. This independence is what the MDSAP audit task is trying to emphasize/direct the auditor to confirm.
- In this case, the internal auditor can be part of approving the records in the role of an internal auditor – but not as the process owner/worker where the actions are being taken. For example, many internal audit systems have the original auditor “approve” the correction and corrective action plans to ensure that the issue noted in the audit is being addressed. This approval is analogous to a third-party auditor (e.g., ISO) reviewing and accepting your CAPA plan from a certification or surveillance audit. The key point is the independence of the internal auditor from the work being done to address the issue.
How is an MDSAP gap assessment different from an ISO 13485:2016 gap assessment?
- An MDSAP gap assessment is based on ISO 13485, with greater emphasis on the regulations and the linkages between the processes. A gap assessment for ISO 13485:2016 will focus on the “shalls” in the clauses and the documentation requirements. Oriel STAT A MATRIX recommends starting with the ISO 13485 approach. Once those gaps are closed, look specifically at the MDSAP audit model.
- During the MDSAP gap assessment, Oriel STAT A MATRIX suggests two approaches:
  1 – Look at the outcomes in each MDSAP process, determine how the organization is fulfilling them (be sure to write these responses down to use as answers in practice audits), and identify the gaps.
  2 – Look at the tasks that have linkages and the procedures/processes associated with these linkages. Assess how the organization identifies and controls the linkages, as appropriate.
  3 – Once the gaps are filled, conduct an audit rehearsal. Typical auditee training focuses on how you answer direct questions. MDSAP auditee training must address how to describe interrelationships.
What should the auditee and audit back-room staff be expecting?
- The MDSAP audit is more of a process/performance audit than a compliance audit. Prepare your organization to be very fast and efficient in providing information. The AO auditors have a limited amount of time. Oriel STAT A MATRIX recommends conducting audit drills in which the front- and back-room staff coordinate information requests and time themselves on how quickly they can respond to a process-type question. The ability to articulate processes and linkages is critically important. Oriel STAT A MATRIX suggests using process maps to show relationships and control points based on risk. The organization needs to determine whether it wants to use a paper-based system (adds time!) or an electronic system (danger of auditor scrolling through or receiving information not related to the request). The traditional role of scribe or runner between the front and back rooms is important in MDSAP. This person needs to understand and interpret what the auditor is looking for. In addition to having the traditional “on call” representatives in each functional area, Oriel STAT A MATRIX recommends that the back room have process experts physically in the room versus “on call” in their own offices. (It’s also excellent hands-on training for those people.) Don’t forget to have regulatory experts in the back room or on call in addition to those process experts. The MDSAP process links can direct the AO auditors to regulatory affairs questions quickly. Ensure that your organization can access information from other time zones (e.g., registrations, training records, regulatory files). Saving time and maximizing efficiency are key MDSAP audit success factors!
How do we handle audit observers? What credentials are they required to present?
- As of this writing, we could not locate an official guidance or an MDSAP procedure on this specific topic. MDSAP AS P0012 section 5 Witnessed Audit Procedure states only that “The assessors must not influence the conduct of the audit by the AO auditors” in reference to the scenario of having RA representatives witnessing an AO MDSAP audit as part of the AO’s ongoing assessment for recognition in the MDSAP. Also, the MDSAP AS P0005 Assessment Program Procedure does not address RA credentials or completion of NDAs.
- You may consider including a request to review the RA representative’s credentials and/or asking for a signed NDA prior to the site visit as part of your procedures for third-party audits, standard visitor policies, or where appropriate for your organization.
Audit report content, privacy and how long it takes
What language will be used for the MDSAP audit reports?
- Per MDSAP AU P0019.004, section 2.2 Report Language: “The language of the report is subject to the operating language of the auditing organization and should be understandable by the manufacturer; however, all audit reports must also be available in English.” The manufacturer should clarify this with their AO along with any other report needs (e.g., the report for ANVISA may need to be in Portuguese).
How do the AOs calculate audit time?
- Per MDSAP P0008.006 Audit Time Determination Procedure, “When multiple site audits are conducted, the duration of audit for each individual site should be calculated. The total duration of audit is the cumulative duration of audit necessary to audit each individual site. Multiple site audits may require the duplication of audit tasks at multiple sites. Conversely, multiple sites may not have the same responsibilities and processes. Individual site duration of audit should be calculated based on the specific responsibilities and processes of that site. While a particular site may not be responsible for certain activities, consideration should be given to including audit time to verify the interfaces between various sites where responsibilities are distributed. Sampling of design and manufacturing sites is not permitted.”
Is the MDSAP Stage 1 Documentation Review part of the audit time calculation?
- The Stage 1 Documentation Review is not part of the audit time calculation. Per MDSAP P0008.006 Audit Time Determination Procedure, for initial certification audits the auditor will calculate the duration of Stage 2 using the assigned minutes per task in MDSAP P0008 and then “add 25%. The result will reflect the duration of audit (i.e., time necessary to perform Stage 1 and Stage 2.” The AO may combine elements of Stage 1 and Stage 2 to allow for a single on-site visit to the manufacturer.
For all of the postaudit timeline dates, when is Day 0?
- Day 0 is the last day of the audit. Nonconformity reports are issued on Day 0 and organizations can begin their remediation plan. See this FDA document for more information.
How does the US Freedom of Information Act (FOIA) work with MDSAP audit reports?
- See FDA MDSAP FAQ question #55 regarding collection of evidence of nonconformities or other evidence usually collected by regulatory authorities: “Under the MDSAP, Auditing Organizations are not required to collect any evidence, but the audit report must substantiate any audit finding by reference to audit evidence.” Also see FDA MDSAP FAQ question #66 regarding non-MDSAP RA access to MDSAP audit reports – an MDSAP RA may share with a non-MDSAP RA if the two RAs have an existing confidentiality agreement. The records posted are protected under international confidentiality standards used by MDSAP and are not expected to be accessible through the US FOIA. Also see this article.
Can all MDSAP regulatory authorities see our MDSAP audit report?
- The report is posted to the central repository REP. Theoretically, any RA could look at the report, but that would be unlikely unless something prompted them to do so, such as some type of regulatory activity by your organization with that RA. Also, note that MDSAP audit reports can be included as part of medical device approval requests submitted to other countries whose regulators participate in the IMDRF.
How are AOs reporting country-specific requirements in the audit report?
- Auditors are applying grades using the applicable ISO 13485 clause associated with the task. If it is not possible to assign a clause, the auditor is directed to make a note of the regulatory requirement on the nonconformity grading form.
- Per MDSAP AU P0019.004 MDSAP Medical Device Regulatory Audit Reports: “Any nonconformity regarding a requirement of a participating regulatory authority, including but not limited to, nonconformities regarding device marketing authorization and adverse event and advisory notice reporting, must be recorded as a nonconformity in the audit report.” The Audit Model says, “Audit tasks that have one or more unique requirements pertaining to participating MDSAP regulatory authorities have a reference to ISO 13485:2016 clause 4.2.1 to include the requirements of 4.2.1(e), as well as the corresponding regulation of the regulatory authority.”
How does the grading system work?
- We explain the MDSAP grading system here.
Will non-MDSAP countries accept our MDSAP report in lieu of an EIR?
- Some countries have traditionally accepted FDA Establishment Inspection Report (EIR) copies as evidence of QMS compliance. This FDA memo states that the MDSAP audit report replaces the EIR. The MDSAP report is assumed to be sufficient to serve in the same capacity.
Where Can I Find Country Specific Information?
Participating Auditing Organizations (AO) such as US FDA and Australian TGA publish useful MDSAP documents and we will link to those as well. A “must have” document is the 215-page MDSAP Audit Approach Guide, so be sure to download and study it.
See MDSAP content published by…
Need Assistance with MDSAP?
Oriel STAT A MATRIX is ready to help advance your knowledge of MDSAP or assist you with compliance. Our MDSAP auditor training is exclusively designed for experienced QMS lead auditors. For medical device companies that need help formulating an MDSAP transition plan and determining readiness for an actual audit, we can also assist with MDSAP audit consulting and gap analysis.