MDSAP Audit Guide

In the last 20 years, the medical device industry has grown by leaps and bounds. Innovations are improving healthcare and diagnosis capabilities, effectively improving human life. What was once done laboriously, using simple instruments, has given way to more complex, sophisticated, and highly efficient devices. Manufacturers intend to take their products beyond their own countries and into global markets at a greater rate than ever. For this, they need to comply with demanding and varied regulatory requirements of the different jurisdictions and the audits. The regulations themselves are quickly evolving and becoming more stringent.

On the other hand, Regulatory Bodies have limited resources and are hard pressed for enough time. They need to keep pace with the rapid developments in the industry while having to ensure that the safety and performance of the devices is not compromised. Patient safety remains the ultimate aim. Therefore, the regulators looked for a single harmonized strategy for regulatory audits.

In this dynamic and vibrant scenario, the Medical Device Single Audit Program (MDSAP) was launched as a solution that allows a single audit of manufacturers against multiple regulatory requirements.

The foundational work done by the Global Harmonization Task Force (GHTF) was taken up by the International Medical Device Regulators Forum (IMDRF) in 2014, which set up a working group to create a harmonized single audit program. The pilot program, launched from 2014-2016, was found effective and therefore in Jan 2017, the MDSAP was officially implemented with five countries participating in it.

MDSAP’s mission is to jointly leverage regulatory resources to manage an efficient, effective, and sustainable single audit program focused on the oversight of medical device manufacturing.

• With a single audit, the manufacturer can now approach ISO 13485: 2016 requirements along with the regulatory compliance of the five participating jurisdictions which are built into the QMS requirements. There are no additional requirements and the need for multiple audits is eliminated.
• A single audit program optimizes resources, effort, and time. Multiple regulatory audits involve huge expenses and actually can cause audit fatigue for a manufacturer. Resources are pulled into audit related activities leaving less time for other work.
• The audit planning is exactly like the ISO 13485 audits. On-site time is also planned and there is guidance available for calculating it.
• For regulators too, it means a reduced burden. There is pooling of regulatory resources. The audits are conducted by Auditing Organizations designated by the regulatory bodies.
• The MDSAP program is expected to improve audit predictability because a standardized audit model has been introduced. Every audit follows the same set of steps. For the first time, a grading system is introduced for noncompliance. This approach helps reduce subjectivity, meaning there are no surprises.
• The audit and other documents are all available publicly on the US FDA site making the program a transparent one.
• Over the years, additional regulatory bodies may wish to participate in the program, making it a truly global regulatory program.

It is important to note that manufacturers need to follow the product approval and registration pathways. The MDSAP program is mandatory for medical device licence in Canada. In other countries, it is still a voluntary program.

There are five countries or regulatory authorities that are participating in the MDSAP program: Brazil, Japan, United States, Australia and Canada.

Table 1: Countries participating in the MDSAP program and their regulatory authorities and regulations.

Apart from these five countries, there are official observers and affiliated countries. These are the non-participating regulatory authorities that observe and/or contribute to the Regulatory Authority Council (RAC) activities.

1. European Union (EU)
2. United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)
3. The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Program

If a country is a non-participating MDSAP Observer or non-participating MDSAP RAC regulatory authority that wants to engage in MDSAP, they must demonstrate an understanding of MDSAP and utilize the MDSAP audit reports and/or MDSAP certificates for evaluating a medical device manufacturer’s quality management system

1. Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)
2. Republic of Korea’s Ministry of Food and Drug Safety
3. Singapore’s Health Sciences Authority (HSA)

1. Regulatory authorities (RAs): They are responsible for designating the Auditing Organizations (certification bodies like BSI, TUV etc). There are several criteria that these organizations must fulfil to be designated. The regulatory bodies continue to monitor the program and have the final say. The audit reports are sent to them.

2. Auditing Organization (AO): They are selected only if they satisfy the criteria involved. They plan, conduct, and report the audit to the regulatory authorities. The audits are conducted as a three year cycle: The initial audit comprises of Stage 1 (documentation and preparedness audit) and then a Stage 2 (implementation) audit in the first year is followed by 2 surveillance audits and a re-certification audit in the third year.

(Check the following link to obtain a list of designated auditing organizations: AO Availability To Conduct MDSAP Audits 10-08-2020)

3. Manufacturers: They engage with the auditing organizations just like the QMS audits, and they schedule the audits. If there are nonconformances, they need to provide the corrective action plan and evidence.

The MDSAP audit follows a specific sequence and approach so that the audits are conducted in  a logical, focused, and efficient manner by the auditors. There are four primary processes and two supporting processes. Purchasing is considered an enabling process.

• Primary processes: (1) Management; (2) Measurement, Analysis and Improvement; (3) Design and Development; (4) Production and Service Controls; (5) Purchasing
• Supporting Processes: (6) Device Marketing Authorization and Facility Registration, and (7) Medical Device Adverse Events and Advisory Notices Reporting. The last two processes fulfil the regulatory requirements of the jurisdictions.

The auditors are expected to follow this sequence. Therefore, they start with the Management process and the device marketing authorization, since there is usually more than one auditor. Then they move on to the second primary process, Measurement, Analysis, and Improvement and along with it, Adverse Event and Advisory Notices, and so on. The sequence is fixed and risk based. The primary processes have maximum risk and so they carry more weight.

The seven processes are further broken down into several “Tasks” which are specific instructions to auditors. These cover both the relevant ISO 13485:2016 clauses and also the specific regulatory requirements of the five participating countries. For example, the Production and Service controls have 29 tasks, and below each task, are the specific regulatory requirements. Thus, at the same time the conformance of a process to ISO and regulatory requirements is assessed, the effectiveness is verified. Further, the audit model has detailed linkages interconnecting the different processes. This makes the auditing process precise and clear.

A quantitative grading system has been introduced for the first time, and how the grading will be done has also been indicated. Details are available in GHTF document GHTF/SG3/N19:2012 – Nonconformity Grading System.

1. Firstly, nonconformities are graded using a grading matrix which is based on QMS impact. Therefore, auditors analyze whether there is a direct impact (Clauses 6.4 – 8.5) or an indirect impact (Clauses 4.1 to 6.3). The result of this analysis is a grade 1 or a grade 3 nonconformity. Here, the impact on safety is of prime importance.
2. Secondly, the frequency of occurrence is taken into consideration, and whether the nonconformance is a first time, or a repeat occurrence is questioned. For a repeat occurrence, a +1 takes the score to grade 2 or 4. A repeat nonconformity indicates ineffective corrective actions.
3. Thirdly, the escalation criteria are applied. Here, +1 is added to the grade 1 or 2 score if the nonconformity led to nonconforming devices on the market, or a +1 is added to grade 3 or 4 score if there is no documented process or procedure. This takes the scores up to a maximum of 5.

The MDSAP website provides the Audit report and nonconformity grading and exchange form, which is a common means of information exchange between the Regulatory Authorities (RAs). The reports and forms created by the auditing organization are sent to the RAs. A single Grade 5, or three or more Grade 4 NCs are considered serious, and the auditing organizations must report to the RAs within 5 working days. The manufacturers have to provide a corrective action plan within 15 days and evidence of its implementation within 30 days. For the lower grade nonconformances, the manufacturer follows the usual CAPA procedures and closing is done at the next visit.

Table 2: Applications of the MDSAP Reports by Regulatory Authorities

The resources for MDSAP are available on the US FDA site. The Audit Approach document carries all the information regarding the different processes, tasks and interlinkage in complete details.

• MDSAP AU P0002.006 Audit Approach
• MDSAP AU P0019.004 Medical Device Regulatory Audit Reports Policy
• MDSAP AU F0019.1.008 Medical Device Regulatory Audit Report
• MDSAP AU F0019.2.011 NC Grading and Exchange Form
• MDSAP AU G0019.3.007 Medical Device Regulatory Audit Report Form Guidelines
• MDSAP AU G0019.4.004 Guidelines NC Grading Exchange Form

The MDSAP program offers distinct benefits to manufacturers by facilitating market entry into five jurisdictions with the help of a single audit. It also benefits the Regulatory Authorities by reducing their burden. The audit program itself is well defined. The quantitative nonconformity grading system eliminates subjectivity and adds transparency to the whole system. The result is an efficient system, taking us one step towards safer medical devices.

Celegence can provide you with subject-matter experts, including both regulatory professionals and medical doctors with the relevant device expertise to complete this type of work for you or supplement your internal teams as needed. Our team of MDR experts would love to partner with you in delivering regulatory compliance end-to-end.