MDSAP: Medical Device Single Audit Program

The Medical Device Single Audit Program (MDSAP) was initiated to satisfy a wish of many medical device manufacturers: To replace the various audits and inspections by authorities with one standardized audit. 

Fig. 1: The countries participating in MDSAP are Australia, Brazil, Canada, Japan and the USA

Participating in the MDSAP shall suffice for verifying effectiveness and conformity of QM systems (e.g. with ISO 13485 or 21 CFR part 820).

In this article, you will learn if this wish has really come true and at what price.

1. MDSAP: An Introduction

a) Purposes of the MDSAP Program

The International Medical Device Regulators Forum IMDRF, a group of international authorities and legislators, has realized that the multitude of audits and inspections of QM systems required in different target markets are suboptimal in many ways.

Standardization is expected to

  • Avoid QM overhead at the level of manufacturers and to accelerate market access:
    Manufacturers must endure many, often redundant audits and inspections. This results in QM overhead and means efforts, costs, and time delay of marketing. MDSAP aims at minimizing these efforts.
  • Minimize redundant efforts for advancement of QM requirements and to standardize interpretation of requirements:
    Even international regulators' efforts referred to: they must specify largely similar requirements for QM systems and continually advance them, just as it was recently the case with the MDR. Likewise, regulators aim at accelerating the standardized interpretation of QM requirements (just as, for instance, the interpretation of ISO 13485).
  • Standardize evaluation:
    Auditors will be given evaluation standards which shall ensure that different auditors preferably come to the same conclusion when assessing facts of the case, for instance nonconformity.
  • Minimize redundant efforts of auditing QM systems:
    Highly redundant audits do not only require a great deal of effort from manufacturers or authorities themselves, such as the FDA. These auditing efforts are to be minimized. Moreover, regulators aim at more uniform auditing procedures.
  • Reduce audit time:
    According to Health Canada, MDSAP is expected to reduce audit time by 10% for firms with up to 45 employees and by even 20% for small firms with up to 15 employees.
  • Make black sheep easily identifiable and to increase product safety:
    As authorities were (and still are) often acting in isolation from one another, it is easier for black sheep among manufacturers to hide weaknesses detected by one authority from another. Hence, another of MDSAP’s purposes is information exchange, especially of audit results, between participating authorities. It is hoped for that in doing so, black sheep and unsafe products will be identified faster, thus increasing patient safety.

Subject to standardization are audits and their documentation, whereas the MDSAP requires no standardization of manufacturers’ documentation.

b) Participants

The following countries participated in the pilot of the Medical Device Single Audit Program:

Country

Authority

QM Requirements

Australia

Therapeutic Goods Administration TGA

Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3)

Brazil

Agência Nacional de Vigilância Sanitária (ANVISA)

Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013)

Canada

Health Canada

ISO 13485:2016

Japan

Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA)

Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No. 169)

USA

Food and Drug Administration FDA

QSR – 21 CFR Part 820

The EU and WHO merely participate as observers.

The FDA considers the first phase (pilot) ending in 2017 a success:

 “Based on its evaluation of the MDSAP Final Pilot Report, the MDSAP Regulatory Authority Council determined that the MDSAP Pilot had satisfactorily demonstrated the viability of the Medical Device Single Audit Program. [..]FDA will continue to accept MDSAP audit reports as a substitute for routine Agency inspections.”

c) Recognition

So far, the five countries mentioned above participate in the Medical Device Single Audit Program.

Even though those countries undertake to accept MDSAP audit results, there are minor differences, limitations and exceptions:

Country

Recognition

Australia

Yes, except for medical devices incorporating a medicinal substance or a material of human or animal origin.

Brazil

Yes, even as initial audit. No recognition if, for example, a prior ANVISA audit has found significant deviations.

Canada

Yes. As of 2019, Health Canada will only accept MDSAP audits.

Japan

Yes, except for e.g. medical devices incorporating a material of human or animal origin.

USA

Yes, however only substitution for routine audits, not for initial or occasion-related inspections.

Bottom line: Canada is the only country consequently operating the procedure model. As of 2019, Canada will only accept QM systems audited under MDSAP.

d) Auditing Organizations

Audits are conducted by so-called “Auditing Organizations“ (AO). Among them are some notified bodies such as TÜV Süd, TÜV Rheinland and DQS-med. Notified bodies are, however, not automatically authorized to perform audits as AO.

The FDA maintains a list of Auditing Organizations and a list of AOs recognized by ANVISA  online.

2. MDSAP Audits

a) Requirements and Exclusions

The requirements catalog is strongly based on ISO 13485:2016. In addition, requirements of participating countries not covered by ISO 13485:2016 are incorporated. Like ISO 13485:2016, the MDSAP’s requirements catalog is process-oriented and audits are conducted in process groups.

There are four primary processes or process groups and three supporting processes:

  • Primary processes
    • Management
    • Measurement, Analysis and Improvement
    • Design and Development
    • Production and Service Controls;
  • Support Processes
    • Purchasing
    • Device Marketing Authorization and Facility Registration
    • Medical Device Adverse Events and Advisory Notices Reporting.

     

If an organization does not perform certain processes, e.g. development, the respective processes do not have to be audited. A manufacturer outsourcing processes does not benefit from this simplification.

Manufacturers may exclude requirements of a certain target market if he does not sell any medical devices on that target market.

b) Audit Tasks

An audit under MDSAP considers interrelationships of processes. The output of a development process, for instance, is the production process’s input. Audits must follow this sequence, must be based on risk and must consider the complete device life-cycle (until the time the product is decommissioned).

For each of the aforementioned process groups, the MDSAP audit model describes the following:

Element

Example (Excerpts)

Process name

Management process

Purpose of auditing this process

To verify that appropriate resources for development, production […] are provided and that […]

Expected outcomes (= requirements)

Commitment to provide appropriate personnel and resources for infrastructure to the quality management […]

Links to other processes dependent upon this process

Measurement, Analysis and Improvement; Development; Purchasing; Device Marketing Authorization; […]

Audit tasks

Review the manufacturer’s organizational structure and related documents to verify that they include provisions for responsibilities, personnel, resources [….]

References to respective subchapters, articles and paragraphs of ISO 13485:2016 and other requirements such as 21 CFR part 820 and RDC ANVISA 16/2016 for each task

SO 13485:2016: 5.1, 5.5.1, 5.5.2, 6.1, 6.2; TG(MD)R Sch3 P1 1.4(5)(b); […]

References to country-specific requirements for each task

none

Additional information for auditors (to be found in the Companion Document)

One method for confirming that adequate resources are made available is to ask the management representative to provide several examples of recent requests for different types of resources and describe the outcomes of these requests.

c) Frequency of Audits

MDSAP audits follow the same triannual frequency as audits under 93/42-EWG or ISO 13485.

Fig. 2: The audit cycle according to MDSAP resembles the one of ISO 13485 or ISO 17021

 As for this sequence, MDSAP heavily draws on ISO 17021:2015, which in turn is basis for ISO 13485. The MDSAP’s proximity to ISO 13485 is also illustrated in the audit model’s description :

“The purpose of a Stage 2 audit is to determine if all applicable requirements of ISO 13485:2016 and the relevant regulatory requirements from participating regulatory authorities have been implemented.”

d) Audit Duration

The duration of audits under MDSAP is calculated based on the number of tasks. This number, in turn, depends on the exclusions. For instance, it may be that a manufacturer must meet no requirements for sterile products.

In the worst case, auditors must perform 90 tasks which may take them between 12 and 35 minutes to conduct. E.g., 28.8 minutes each are scheduled for the tasks of process group “Management”.

Fig. 3: The duration of audits under MDSAP is calculated based on the number of tasks and countries to be included. Depending on the manufacturer, individual tasks can be excluded (click to enlarge).

Efforts increase for auditing under country-specific requirements.

e) Audit Outcomes

Templates for documenting the planning, conduction and assessment of audits are at your disposal. Thereby, audit and non-conformance reports are standardized and can be evaluated automatically.

MDSAP sets deadlines by which Auditing Organizations must produce and distribute the reports. Those deadlines are more ambitions than the ones set by many notified bodies and that we have accustomed to.

3. Conclusion

A reduction of the number of audits and inspections by authorities caused by MDSAP may be a great benefit for manufacturers. Nevertheless, manufacturers participating in the MDSAP’s pilot were reluctant. This may relate to the following disadvantages and challenges:

  • Transparency through exchange of information between all participating countries may result in other countries’ reacting to negative audits with additional inspections. The FDA, for instance, explicitly reserves the right to impose additional inspections.
  • The list of requirements tends to increase as it combines requirements of various countries.
  • The internal quality management team must increasingly deal with international requirements.
  • One of the most important target markets got left out: Europe

Anyone who wants to bring medical devices into the Canadian market will have no choice: Medical Device Single Audit Program will be the only possibility. For every other manufacturer, participating means weighing up the pros and cons; at least until Europe bids farewell to its role as observer and accepts the MDSAP.

Transitioning to MDSAP is time-consuming. Hence, you should start in due time.

Relatively transparent and standardized regulations regarding activities, documentation and assessment are likely to contribute to audits being processed in a more uniform way across the world.

The promised adaption of efforts to the risk of a manufacturer’s medical devices and the manufacturer’s size still leaves much to be desired. Compared to audits under ISO 13485, MDSAP represents a more serious obstacle for small manufacturers with less critical devices.