The Medical Device Single Audit Program (MDSAP) is a cooperative effort between the medical device regulators in the US, Canada, Japan, Australia and Brazil. Argentina, South Korea, and Singapore participate as affiliate members.
The challenges of preparing for your first MDSAP audit are substantial, but so are the long-term benefits.
One audit allows you to meet the quality requirements of five major regulators. Unfortunately, Europe is not among them.
Many people ask whether an MDSAP audit is more similar to an FDA inspection or a Notified Body audit. The answer is both. Think of it this way: If an FDA inspection represents vanilla ice cream and an ISO 13485 audit represents chocolate ice cream, an MDSAP audit is a large scoop of each in a bowl with regulatory sprinkles on top. It soon all melts together.
The MDSAP certification cycle is a series of three audits conducted over a three-year period.
Your first certification audit will be a comprehensive look at your QMS conducted in accordance with ISO/IEC 17021-1:2015. There are two initial stages: Stage 1 and Stage 2.
The Auditing Organization (AO) will first conduct a Stage 1 audit focused on evaluating your QMS documentation. Basically, the auditors want to see if you are prepared for the rigorous Stage 2 audit, during which they will assess your actual compliance with ISO 13485 plus the specific nuances of the US, Japanese, Canadian, Australian, and Brazilian QMS requirements. Your Stage 2 audit may occur the next day after your Stage 1 audit, or weeks later. Be prepared for it to happen immediately.
In Years 1 and 2 following your initial certification audit, the AO will conduct surveillance audits focusing on any changes to your products or QMS processes during the previous year. After three years, the AO will return to conduct a recertification audit. The surveillance audits differ from your initial certification audit because they will focus on evaluating your ability to continue meeting QMS requirements under the MDSAP. After that, the cycle continues: two annual surveillance audits followed by a recertification audit.
To their credit, the regulators are not being mysterious about what you can expect during an MDSAP audit. It’s pretty much spelled out in this 231-page MDSAP Audit Approach document. This well-organized guide cross-references specific sections of ISO 13485:2016 and relevant regulations issued by the Australian TGA, Brazil’s ANVISA, Health Canada, Japan’s MHLW/PMDA and the US FDA.
You don’t need to worry about compliance for all five participating countries if you don’t sell in all five. For example, if you do not sell devices in Japan, you will not be held accountable for meeting Japanese requirements during the audits.
If you have already scheduled your MDSAP audit with your Auditing Organization, here are some tips on how to prepare.
1 – Create your own report card.
Examine your past nonconformities from your Notified Body and internal audits, and grade them using the MDSAP nonconformities grading system. This will give you an internal report card that can be useful in elevating the importance of the initiative to management if resources are scarce.
2 – Open a CAPA for gaps and be sure to make progress.
Even if an AO finds a nonconformance during the audit, having a CAPA in progress minimizes the sting as long as the appropriate containment is effective.
3 – Be prepared to address regulatory issues.
MDSAP audits have a broader scope that pulls regulatory into the fray. You will be asked questions related to your registration processes, adverse event notification system, how regulatory strategy impacts product design, and more. Expect a heavy emphasis on risk! Make sure you have someone from Regulatory on your audit team.
Remember, this is not a typical FDA inspection or ISO 13485 audit with a few extra RA/QA questions related to Canada, Brazil, etc. Many companies have endured initial MDSAP certification audits ranging between one and two weeks long. And you’ll be delighted to know that if your AO is also your European Notified Body, you may be able to schedule your EN ISO 13485:2016 audit the following week. You’ll be ready for a vacation….
You’ll likely have two auditors attend your MDSAP certification audit. They will probably split up, which means you may need to have two escorts, two sets of Subject Matter Experts (SMEs), and maybe even two conference rooms available. If you work for a small company and you don’t have duplicates of anything, just make sure you have everything quickly accessible.
Don’t be surprised if an observer from FDA, Health Canada, or Brazil ANVISA also shows up. As part of the recognition process for AOs, regulators will observe three audits plus one each following year to maintain the AO’s recognition. It’s important to understand that the observer is there to assess the AO, not audit you! During the audit, make sure you address the auditors and not the observer.
The audit is timed, with very specific durations for each process. This means you have to produce documentation very quickly. Consider preprinting documents or creating a dedicated MDSAP folder with electronic versions that can be quickly accessed. Don’t hunt for documents on your company intranet while displaying your search attempts and other interesting documents for all to see on the conference room screen, a task made infinitely harder when someone is looking over your shoulder. We recommend having only one back room where you store documents for easy access and so you can compare notes on where each auditor is going.
Make sure you study the published MDSAP Audit Model to figure out where the auditor will go next. Remember this is their guide (it’s not a secret!) and by studying it you can anticipate which links might be followed and what questions may come next.
MDSAP audits follow a process approach. This means an AO auditor may follow linkages and threads, whereas an internal auditor will usually look at one functional area at a time. For example, if an AO auditor is examining Receiving and Inspection, he/she may ask about process inputs such as where the testing methods and specifications originate. The answer is likely Design, so the auditor may chase the shiny object and visit the R&D department next. If you took that approach during an internal audit, the R&D manager would say, “Hey, our audit isn’t supposed to happen until September. I’m busy. Why are you here now?”
Following the process approach during internal audits can be disruptive and annoying to coworkers, but cooperation is not a choice during an AO certification audit and your coworkers need to understand this. With that reality in mind, you can still have an annual audit program with a schedule, but keep really good notes so you can pick up threads left dangling from the last audit.
Typically, in internal audits we see nonconformities that might be related to multiple areas or processes. You might choose to write up two nonconformities or, rather than double-dipping and writing a nonconformity for each area, you might write one nonconformity and link the two issues. Each organization will have to determine their process, keeping in mind that the number of nonconformities from an internal audit might trigger an escalation to management. So, if your process changes and you decide to write more nonconformities, make sure management and the rest of the organization understand and recalibrate for the new escalation triggers.
After you pass your initial certification audit and your boss gives you a well-deserved all-expenses-paid two-week vacation to Bora Bora, you’ll need to adjust your ongoing internal audits to align with MDSAP. Remember that ice cream analogy we used earlier? Your internal audits will forevermore be a swirl of vanilla and chocolate ice cream with regulatory sprinkles. Adjust accordingly.
Some large medical device companies have an auditing department at the enterprise level. These auditors travel around and audit many sites over a year. They can mimic the MDSAP schedule and be at one site for a week, and then not return for a year. Smaller companies really have to organize and plan so they can cover all the processes that will be addressed during the actual MDSAP audit. The key is to plan and document the rationale for your approach.
Preparing for the initial certification audit may stress many RA/QA managers, but maintaining compliance is the primary concern of Auditing Organizations. This is becoming a bigger issue, because many Auditing Organizations are asking companies to demonstrate that their internal auditors are qualified to maintain MDSAP compliance. Even if you have done dozens of internal ISO 13485 or FDA QSR audits, proving proficiency in MDSAP can be difficult. You cannot simply say you read the MDSAP Audit Model or each participating country’s regulations.
In anticipation of this question, you may want to plan ahead. Oriel STAT A MATRIX offers a rigorous MDSAP internal auditor training class that will give you a certification proving you are properly qualified to maintain MDSAP compliance. This can be very useful for showing AOs who may ask about this. Armed with training and a plan, you’ll be ready for any audit!