Medical Device Single Audit Program (MDSAP) -- What Manufacturers Need To Know

International regulators have long recognized the value of developing a standardized, global approach to auditing and monitoring medical device manufacturing, and for the last five years, the International Medical Device Regulators Forum (IMDRF) has spearheaded an effort to create such a framework (building upon the work of its predecessor, the Global Harmonization Task Force). Progress toward this goal has been slowed by many factors, including changes in medical device legislation, an inability to address the needs of each IMDRF member country, confidentiality agreements, etc.

However, IMDRF  launched the Medical Device Single Audit Program (MDSAP) pilot in 2014.

The international coalition of countries participating in the pilot includes the Therapeutics Goods Administration (TGA) of Australia, Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA), Health Canada, the U.S. Food and Drug Administration (FDA), and the Ministry of Health and Labour and Welfare (MHLW) of Japan. The pilot will conclude by the end of 2016, with the expectation that the “official” MDSAP will be fully operational in 2017.

The Medical Device Single Audit Program (MDSAP) Mid-Pilot Status Report, released in August 2015, revealed that only 45 manufacturers had signed up to participate as of July 2015. In my opinion, this tepid response was due in part to hesitation from the manufacturers, born of the limited number of auditing organizations authorized to perform MDSAP audits. Under the MDSAP pilot, only organizations recognized by the Canadian Medical Devices Conformity Assessment System (CMDCAS) were authorized to carry out regulatory audits.

If an organization had a notified body that was not approved to do MDSAP audits, they would need to have another assessment - in addition to their regular ISO 13485 audit - which would require a lot of extra work. This could be a problem for the pilot, which had a proof of concept criteria goal of a 10 percent participation level (around 330 manufacturing companies). Still, FDA has issued no further statements regarding manufacturer participation, or a lack thereof.

The program’s goals include:

• Development of an international coalition to improve medical device safety and oversight on an international scale
• Creation of a single audit program that provides confidence to international regulators
• A minimized regulatory burden on the medical device industry
• Enabling government regulatory authorities to focus on critical/problematic manufacturers, allowing notified bodies to conduct inspections on their behalf
• More efficient and less burdensome regulatory oversight of medical device manufacturers’ quality management systems
• More effective use of regulatory resources through work-sharing and mutual acceptance among regulators
• Better global alignment of regulatory approaches, and technical requirements based on consensus standards and best practices

MDSAP Structure

The program basically uses ISO 13485:2003 as a framework, in addition to good manufacturing practice (GMP) requirements of the various regulatory authorities. Auditors follow a structured and logical process approach, with links to other processes; this is all clearly explained in the medical device application profile (MDAP) audit model and the MDSAP Companion Document. With the introduction of ISO 13485:2016, MDSAP will likely align to the new ISO 13485 standard. The model includes seven processes:

• Primary processes 1) Management, 2) Measurement, Analysis, and Improvement, 3) Design and Development, and 4) Production and Service Controls
• Supporting processes 5) Purchasing, 6) Device Marketing Authorization and Facility Registration, and 7) Medical Device Events and Advisory Notices Reporting

Audits are conducted annually, according to a three-year certification cycle, by approved auditing organizations (notified bodies). Audit time is based on tasks, not employee count, with an average of 15 minutes per task. All MDSAP audit reports must be submitted to all regulators. As part of the program, regardless of the outcome, all regulators will be reviewing the reports. Additionally, a database will be set up for these reports, so any of the participating countries can review reports associated with a particular organization or medical device, as well as trending nonconformities.

Each participant nation’s regulatory agency has mapped out its own plan for adoption:

• FDA will accept MDSAP in lieu of routine inspection, but not for initial visits or “for cause inspections.”
• Health Canada will use MDSAP to satisfy CMDCAS, and is planning to replace CMDCAS with MDSAP in January 2019. Therefore, medical device manufacturers currently selling in Canada will have to obtain MDSAP certification.
• ANVISA will accept MDSAP for initial audits. This will help with the country’s current backlog of inspections, but the agency will still require its auditors to conduct ANVISA audits for higher-risk devices.
• TGA will use MDSAP to satisfy TGA requirements, considering MDSAP certificates as equivalent CE certificates.
• MHLW will accept MDSAP in lieu of an on-site Japanese Quality Management System (J-QMS) audit.
• Europe (EU) has only been participating in the MDSAP pilot as an observer, as there are concerns it would be difficult to obtain agreement among all member states. However, the participation of European notified bodies in the program shows a strong link between EU and MDSAP. There is optimism the EU will join the program, though, as MDSAP’s aim to harmonize quality system compliance (ultimately increasing the safety and efficacy of medical devices) should serve as a way for EU to increase quality consistency across its member states.

Manufacturers cannot opt out of any particular market’s regulation if they currently sell in that market. At the same time, manufacturers will not be audited to a regulation that is not applicable to their organization.

Learn how to benchmark your existing quality system process against the MDSAP and understand the changes that will need to be implemented in your organization to participate. Register for Marcelo Trevino’s upcoming online seminar:

The New Medical Device Single Audit Program (MDSAP) for Manufacturers – Analyzing Rewards and Challenges

December 8, 2016 | 1:00-2:30PM EDT

Grading Nonconformities

The purpose of GHTF document SG3/N19 is both to grade nonconformities and to standardize how nonconformities are graded. ISO 13485:2003 clauses 4.1 through 6.3 consider “enablers” that make it possible or feasible for QMS processes to operate; those clauses are therefore considered as indirectly influencing medical device safety and performance. ISO 13485:2003 clauses 6.4 through 8.5 are seen as having a direct influence on design and manufacturing controls, and thus are considered to directly influence medical device safety and performance.

Nonconformities are graded on a scale of one to five, with a grade of 1, 2, or 3 considered a minor nonconformity, and grades of 4 or 5 considered more serious. If an audit identifies one or more grade-5 nonconformities, more than two grade-4 nonconformities, a public health threat, or any fraudulent activity, the auditing organization must inform regulatory authorities within five days. An unannounced follow-up visit six to nine months later will verify that appropriate corrective actions have been effectively implemented, and subsequent follow-up visits are then scheduled.

In most cases, the manufacturer must provide a remediation plan for each nonconformance within 15 calendar days of the date the nonconformity report was issued. In cases involving grade 4 or grade 5 nonconformities, final response — with evidence of effective corrective action — must be provided within 30 days of the last day of the audit.

Auditing organizations are expected to provide an audit package, which includes nonconformance grading, to regulatory authorities within 45 days of the end of the audit.  

Combating Industry Fears

There is skepticism in the medical device industry about disclosing all quality system information to all international regulators. Under MDSAP, FDA will have visibility into areas that it (typically) did not previously cover in depth, including internal audits, management reviews, and supplier quality audits. However, medical device manufacturers concerned that regulators could use this type of information against their organization should keep in mind that reports issued by auditing organizations will only contain a summary of what was observed, in the narrative section of the report.

Regarding the grading of nonconformities, some medical device manufacturers participating in the program reported concerns that regulators could misinterpret the severity of observations, and that grading could be subjective. To mitigate this concern, auditing organizations should be challenged to clearly substantiate grading based on the GHTF guidance. In addition, manufacturers should keep in mind that an appeals procedure is in place as part of the program.

While the regulatory requirements are not new, a structured and integrated audit approach requires organizations to look comprehensively at all of the participating countries’ requirements to ensure those standards are fully embedded within their own quality systems. This due diligence requires a good amount of effort and support from senior leadership to be successful. For example: The standard for evidence of compliance with postmarket surveillance/ medical device reporting requirements in the U.S. market differs from other countries. Internal auditors, conducting internal or supplier audits, need additional training to become qualified to audit to international requirements (outside of ISO 13485). Also, document retention procedures should address the requirements of all participating countries.

The MDSAP Pilot Program is nearing its end, and the 2017 MDSAP implementation is looming. While still viewed with a certain degree of suspicion, the program likely will become the new model to follow for most medical device manufacturers selling internationally. Assuming good compliance, there are significant benefits to having one audit per year on a predictable schedule, lowering costs from auditors and regulatory agencies, improving resource allocation, and creating an opportunity to make the quality system more robust and efficient. Certainly, there are many considerations for medical device manufacturers to factor into their MDSAP implementation planning.

For More Information

The FDA has available several online resources that explain the program in more detail:

• Pilot Program Announcement (brief description)
• Program Announcement (including benefits)
• MDSAP FAQs
• Eligible Auditing Organizations
• MDSAP Audit Procedures & Forms

About The Author

Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical, a life sciences group focused on global medical device regulatory, quality, and compliance. Marcelo can be reached at: marcelotrevino@outlook.com

Marcelo has 23+ years’ experience in quality and regulatory affairs, serving in multiple senior leadership roles with different organizations while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical instruments, orthopedics, medical imaging/surgical navigation, among others. He has an extensive knowledge of medical device management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDD/MDR, MDSAP). Mr. Trevino holds a B.S. degree in Industrial and Systems Engineering and an MBA in Supply Chain Management from the W.P. Carey School of Business at Arizona State University. He is also a certified Quality Management Systems Lead Auditor by Exemplar Global.

He has experience working on Lean Six Sigma Projects and many Quality/Regulatory Affairs initiatives in the US and around the world including Third Party Auditing through Notified Bodies, Supplier Audits, Risk Management, Process Validation and remediation activities.

Additionally, he is a Certified Six Sigma Black Belt and Biomedical Auditor through the American Society for Quality (ASQ) and holds Certificates in Environmental & Sustainability Management Regulatory Affairs Management from University of California, Irvine.

He regularly publishes articles to assist corporations in their quest for exceptional quality and regulatory compliance.