The Medical Device Single Audit Program: How to Prepare for (and Maintain) MDSAP Certification
As of January 1, 2019, medical device companies selling in Canada had to be certified as compliant with the Medical Device Single Audit Program (MDSAP). Of course, MDSAP is not just about Canada, but it so happens that Health Canada was the first to make it mandatory. The other four MDSAP participants— Japan, Australia, Brazil, and the US —may follow suit.
The challenges of preparing for your first MDSAP audit are substantial, but so are the long-term benefits.
One audit will allow you to meet the quality requirements of five major regulators. Unfortunately, Europe is not among them.
Many people ask whether an MDSAP audit is more similar to an FDA inspection or a Notified Body audit. The answer is both. Think of it this way: If an FDA inspection represents vanilla ice cream and an ISO 13485 audit represents chocolate ice cream, an MDSAP audit is a large scoop of each in a bowl with regulatory sprinkles on top. It soon all melts together.
Medical Device Single Audit Program Certification Is a Rolling Three-Year Process
The MDSAP certification cycle is a series of three audits conducted over a three-year period.
Your first certification audit will be a comprehensive look at your QMS conducted in accordance with ISO/IEC 17021-1:2015. There are two initial stages: Stage 1 and Stage 2.
The Auditing Organization (AO) will first conduct a Stage 1 audit focused on evaluating your QMS documentation. Basically, the auditors want to see if you are prepared for the rigorous Stage 2 audit, during which they will assess your actual compliance with ISO 13485 plus the specific nuances of the US, Japanese, Canadian, Australian, and Brazilian QMS requirements. Your Stage 2 audit may occur the next day after your Stage 1 audit, or weeks later. Be prepared for it to happen immediately.
In Years 1 and 2 following your initial certification audit, the AO will conduct surveillance audits focusing on any changes to your products or QMS processes during the previous year. After three years, the AO will return to conduct a recertification audit. The surveillance audits differ from your initial certification audit because they will focus on evaluating your ability to continue meeting QMS requirements under the MDSAP. After that, the cycle continues – two annual surveillance audits followed by a recertification audit.
The MDSAP Audit Model Document Tells You Exactly How to Prepare
To their credit, the regulators are not being mysterious about what you can expect during an MDSAP audit. It’s pretty much spelled out in the 82-page MDSAP Audit Model. This comprehensive guide contains seven chapters and all 90 questions you will be asked during the audit. Perhaps the most helpful feature of this document is that each question contains cross-references to specific relevant sections of ISO 13485:2016, 21 CFR Part 820, and so on. Another useful guide is the MDSAP Companion Document, which contains the entire contents of the Audit Model and adds some guidance for the auditors.
You don’t need to worry about compliance for all five participating countries if you don’t sell in all five. For example, if you do not sell devices in Japan, you will not be held accountable for meeting Japanese Ordinance 169 requirements during the audits.
Preparing for a Medical Device Single Audit Program Audit
If you have already scheduled your MDSAP audit with your Auditing Organization, here are some tips on how to prepare.
1 – Create your own report card.
Examine your past nonconformities from your Notified Body and internal audits, and grade them using the MDSAP nonconformities grading system. This will give you an internal report card that can be useful in elevating the importance of the initiative to management if resources are scarce.
2 – Open a CAPA for gaps and be sure to make progress.
Even if an AO finds a nonconformance during the audit, having a CAPA in progress minimizes the sting as long as the appropriate containment is effective.
3 – Be prepared to address regulatory issues.
MDSAP audits have a broader scope that pulls regulatory into the fray. You will be asked questions related to your registration processes, adverse event notification system, how regulatory strategy impacts product design, and more. Expect a heavy emphasis on risk! Make sure you have someone from Regulatory on your audit team.
An MDSAP Certification Audit Is Rigorous
Remember, this is not a typical FDA inspection or ISO 13485 audit with a few extra RA/QA questions related to Canada, Brazil, etc. Many companies have endured initial MDSAP certification audits ranging between one and two weeks long. And you’ll be delighted to know that if your AO is also your European Notified Body, you may be able to schedule your EN ISO 13485:2016 audit the following week. You’ll be ready for a vacation….
You’ll likely have two auditors attend your MDSAP certification audit. They will probably split up, which means you may need to have two escorts, two sets of Subject Matter Experts (SMEs), and maybe even two conference rooms available. If you work for a small company and you don’t have duplicates of anything, just make sure you have everything quickly accessible.
Don’t be surprised if an observer from FDA, Health Canada, or Brazil ANVISA also shows up. As part of the recognition process for AOs, regulators will observe three audits plus one each following year to maintain the AO’s recognition. It’s important to understand that the observer is there to assess the AO, not audit you! During the audit, make sure you address the auditors and not the observer.
MDSAP Audits Are on a Strict Time Schedule So You Need to Be Organized!
The audit is timed, with very specific durations for each process. This means you have to produce documentation very quickly. Consider preprinting documents or create a dedicated MDSAP folder with electronic versions that can be quickly accessed. Don’t hunt for documents on your company intranet while displaying your search attempts and other “interesting documents” for all to see on the conference room screen – a task made infinitely harder when someone is looking over your shoulder. We recommend having only one “back room” where you store documents for easy access and so you can compare notes on where each auditor is going.
Make sure you study the published MDSAP Audit Model to figure out where the auditor will go next. Remember this is their guide (it’s not a secret!) and by studying it you can anticipate which links might be followed and what questions may come next.
Be Mindful of the “Process Approach” and Shiny Object Syndrome
MDSAP audits follow a process approach. This means an AO auditor may follow linkages and threads, whereas an internal auditor will usually look at one functional area at a time. For example, if an AO auditor is examining Receiving and Inspection, he/she may ask about process inputs such as where the testing methods and specifications originate. The answer is likely Design, so the auditor may chase the “shiny object” and visit the R&D department next. If you took that approach during an internal audit, the R&D manager would say, “Hey, our audit isn’t supposed to happen until September. I’m busy. Why are you here now?”
Following the process approach during internal audits can be disruptive and annoying to coworkers, but cooperation is not a choice during an AO certification audit and your coworkers need to understand this. With that reality in mind, you can still have an annual audit program with a schedule, but keep really good notes so you can pick up threads left dangling from the last audit.
Typically, in internal audits we see nonconformities that might be related to multiple areas or processes. You might choose to write up two nonconformities or, rather than “double-dipping” and writing a nonconformity for each area, you might write one nonconformity and link the two issues. Each organization will have to determine their process, keeping in mind that the number of nonconformities from an internal audit might trigger an escalation to management. So, if your process changes and you decide to write more nonconformities, make sure management and the rest of the organization understand and recalibrate for the new escalation triggers.
Maintaining Your Medical Device Single Audit Program Certification
After you pass your initial certification audit and your boss gives you a well-earned two-week vacation to Bora Bora, you’ll need to adjust your ongoing internal audits to align with MDSAP. Remember that ice cream analogy we used earlier? Your internal audits will forevermore be a swirl of vanilla and chocolate ice cream…with regulatory sprinkles. Adjust accordingly.
Some large medical device companies have an auditing department at the enterprise level. These auditors travel around and audit many sites over a year. They can mimic the MDSAP schedule and be at one site for a week, and then not return for a year. Smaller companies really have to organize and plan so they can cover all the processes that will to be addressed during the actual MDSAP audit. The key is to plan and document the rationale for your approach.
Proving Your Competency
Preparing for the initial certification audit may stress many RA/QA managers, but maintaining compliance is the primary concern of Auditing Organizations. This is becoming a bigger issue, because many Auditing Organizations are asking companies to demonstrate that their internal auditors are qualified to maintain MDSAP compliance. Even if you have done dozens of internal ISO 13485 or FDA QSR audits, proving proficiency in MDSAP can be difficult. You cannot simply say you read the MDSAP Audit Model or each participating country’s regulations.
In anticipation of this question, you may want to plan ahead. Oriel STAT A MATRIX offers a rigorous MDSAP internal auditor training class that will give you a certification proving you are properly qualified to maintain MDSAP compliance. This can be very useful for showing AOs who may ask about this. Armed with training and a plan, you’ll be ready for any audit!