By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services
International regulators have long recognized the value of developing a standardized, global approach to auditing and monitoring medical device manufacturing, and for the last five years, the International Medical Device Regulators Forum (IMDRF) has spearheaded an effort to create such a framework (building upon the work of its predecessor, the Global Harmonization Task Force). Progress toward this goal has been slowed by many factors, including changes in medical device legislation, an inability to address the needs of each IMDRF member country, confidentiality agreements, etc.
However, IMDRF launched the Medical Device Single Audit Program (MDSAP) pilot in 2014.
The international coalition of countries participating in the pilot includes the Therapeutics Goods Administration (TGA) of Australia, Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA), Health Canada, the U.S. Food and Drug Administration (FDA), and the Ministry of Health and Labour and Welfare (MHLW) of Japan. The pilot will conclude by the end of 2016, with the expectation that the “official” MDSAP will be fully operational in 2017.
The Medical Device Single Audit Program (MDSAP) Mid-Pilot Status Report, released in August 2015, revealed that only 45 manufacturers had signed up to participate as of July 2015. In my opinion, this tepid response was due in part to hesitation from the manufacturers, born of the limited number of auditing organizations authorized to perform MDSAP audits. Under the MDSAP pilot, only organizations recognized by the Canadian Medical Devices Conformity Assessment System (CMDCAS) were authorized to carry out regulatory audits.
If an organization had a notified body that was not approved to do MDSAP audits, they would need to have another assessment - in addition to their regular ISO 13485 audit - which would require a lot of extra work. This could be a problem for the pilot, which had a proof of concept criteria goal of a 10 percent participation level (around 330 manufacturing companies). Still, FDA has issued no further statements regarding manufacturer participation, or a lack thereof.
The program’s goals include:
The program basically uses ISO 13485:2003 as a framework, in addition to good manufacturing practice (GMP) requirements of the various regulatory authorities. Auditors follow a structured and logical process approach, with links to other processes; this is all clearly explained in the medical device application profile (MDAP) audit model and the MDSAP Companion Document. With the introduction of ISO 13485:2016, MDSAP will likely align to the new ISO 13485 standard. The model includes seven processes:
Audits are conducted annually, according to a three-year certification cycle, by approved auditing organizations (notified bodies). Audit time is based on tasks, not employee count, with an average of 15 minutes per task. All MDSAP audit reports must be submitted to all regulators. As part of the program, regardless of the outcome, all regulators will be reviewing the reports. Additionally, a database will be set up for these reports, so any of the participating countries can review reports associated with a particular organization or medical device, as well as trending nonconformities.
Each participant nation’s regulatory agency has mapped out its own plan for adoption:
Manufacturers cannot opt out of any particular market’s regulation if they currently sell in that market. At the same time, manufacturers will not be audited to a regulation that is not applicable to their organization.
The purpose of GHTF document SG3/N19 is both to grade nonconformities and to standardize how nonconformities are graded. ISO 13485:2003 clauses 4.1 through 6.3 consider “enablers” that make it possible or feasible for QMS processes to operate; those clauses are therefore considered as indirectly influencing medical device safety and performance. ISO 13485:2003 clauses 6.4 through 8.5 are seen as having a direct influence on design and manufacturing controls, and thus are considered to directly influence medical device safety and performance.
Nonconformities are graded on a scale of one to five, with a grade of 1, 2, or 3 considered a minor nonconformity, and grades of 4 or 5 considered more serious. If an audit identifies one or more grade-5 nonconformities, more than two grade-4 nonconformities, a public health threat, or any fraudulent activity, the auditing organization must inform regulatory authorities within five days. An unannounced follow-up visit six to nine months later will verify that appropriate corrective actions have been effectively implemented, and subsequent follow-up visits are then scheduled.
In most cases, the manufacturer must provide a remediation plan for each nonconformance within 15 calendar days of the date the nonconformity report was issued. In cases involving grade 4 or grade 5 nonconformities, final response — with evidence of effective corrective action — must be provided within 30 days of the last day of the audit.
Auditing organizations are expected to provide an audit package, which includes nonconformance grading, to regulatory authorities within 45 days of the end of the audit.
Combating Industry Fears
There is skepticism in the medical device industry about disclosing all quality system information to all international regulators. Under MDSAP, FDA will have visibility into areas that it (typically) did not previously cover in depth, including internal audits, management reviews, and supplier quality audits. However, medical device manufacturers concerned that regulators could use this type of information against their organization should keep in mind that reports issued by auditing organizations will only contain a summary of what was observed, in the narrative section of the report.
Regarding the grading of nonconformities, some medical device manufacturers participating in the program reported concerns that regulators could misinterpret the severity of observations, and that grading could be subjective. To mitigate this concern, auditing organizations should be challenged to clearly substantiate grading based on the GHTF guidance. In addition, manufacturers should keep in mind that an appeals procedure is in place as part of the program.
While the regulatory requirements are not new, a structured and integrated audit approach requires organizations to look comprehensively at all of the participating countries’ requirements to ensure those standards are fully embedded within their own quality systems. This due diligence requires a good amount of effort and support from senior leadership to be successful. For example: The standard for evidence of compliance with postmarket surveillance/ medical device reporting requirements in the U.S. market differs from other countries. Internal auditors, conducting internal or supplier audits, need additional training to become qualified to audit to international requirements (outside of ISO 13485). Also, document retention procedures should address the requirements of all participating countries.
The MDSAP Pilot Program is nearing its end, and the 2017 MDSAP implementation is looming. While still viewed with a certain degree of suspicion, the program likely will become the new model to follow for most medical device manufacturers selling internationally. Assuming good compliance, there are significant benefits to having one audit per year on a predictable schedule, lowering costs from auditors and regulatory agencies, improving resource allocation, and creating an opportunity to make the quality system more robust and efficient. Certainly, there are many considerations for medical device manufacturers to factor into their MDSAP implementation planning.
For More Information
The FDA has available several online resources that explain the program in more detail: