Team work

Medical Device Single Audit Program

What is MDSAP?

In March 2012, the International Medical Device Regulatory Form (IMDRF) initiated a pilot program called the Medical Device Single Audit Program (MDSAP).  Its goal is a uniform audit process of a medical device manufacturer’s quality system that satisfies the regulatory requirements of all participating countries.  Currently, the participating countries are Australia, Brazil, Canada, Japan, and the United States. 

MDSAP is based on the ISO 13485:2016 quality management system (QMS) and the participating country’s specific medical device regulatory requirements.  Each country authorizes third party organizations called “Authorized Auditing Organizations” to perform the MDSAP audits.  Authorized Auditing Organizations are monitored by participating country Regulatory Authorities (e.g., FDA in the United States).  

MDSAP = ISO 13485:2016 + Regulatory Requirements from Participating Countries

It is important to note that MDSAP does not add any new requirements to ISO 13485 or additional country-specific requirements of the participating Regulatory Authorities.  MDSAP only covers the existing requirements of the participating countries.

What are the benefits of MDSAP?

The MDSAP offers many benefits to medical device manufacturers:

  • A single audit covers the requirements of the participating countries.  Separate audits or inspections for each country are not required. Therefore, for many medical device manufacturers, the MDSAP reduces the overall number of audits or inspections and optimizes the time and resources expended on audit activities.
  • Some participating regulatory authorities will use MDSAP audit outcomes as an alternative to their own inspections to process applications for medical device marketing authorization.
  • The medical device manufacturer is free to choose among all authorized auditing organizations to perform the audits.  Routine audits are announced and planned with the manufacturer.

The MDSAP is expected to improve the predictability of audit outcomes through:

  • Enhanced auditing organization recognition criteria.
  • Monitoring of auditing organizations by the participating Regulatory Authorities.
  • The use of a standard MDSAP audit model.
  • The grading of any nonconformity using objective criteria to characterize the significance of the finding.
  • Enrolling in the MDSAP may be seen as evidence of a medical device manufacturer’s commitment to quality management systems for product quality and regulatory compliance.

What are the benefits of MSAP for U.S. manufacturers of medical devices?

U.S. Food and Drug Administration’s (FDA) Center for Devices and Radiological Health will accept the MDSAP audit reports as a substitute for FDA routine inspections (biennial by policy). 

Additional benefits include:

  • MDSAP routine audits are announced, scheduled by the Auditing Organization with the manufacturer, with a pre-established duration.  Without MDSAP, FDA will not schedule inspections (indeed, they may be unannounced) and the inspection duration is open ended.
  • The FDA will review MDSAP audit reports with a level of scrutiny commensurate to the significance of audit findings and will consider the review and follow-up performed by the Auditing Organization.  Without MDSAP, FDA may increase the level of scrutiny during an inspection depending on their findings.
  • Firms have one month to provide their full response to critical nonconformities (grade 4 and 5) to the Auditing Organization, as opposed to 15 working days following an FDA inspection.
  • Certification documents issued by the Auditing Organization state compliance with applicable US regulations, which may provide a marketing advantage. FDA does not certify a manufacturer as complaint to 21 CFR 820.

What are the elements of an MDSAP audit?

Medical Device Single Audit Program, Audit Model Version 4, MDSAP AU P20002.004 (January 2017) is the document that descries the MDSAP process.  Each chapter of Audit Model MDSAP AU P20002.004 examines the requirements of ISO 13485:2016 and the specific requirements of each participating country.  Expected outcomes for each chapter are that the manufacturer has adequately:


Chapter 1 – Management

  • A) Identified processes needed for the quality management system, their application throughout the organization, and their sequence and interaction are in place.
  • B) Defined, documented, and implemented procedures and instructions to ensure the development and maintenance of an effective quality management system.
  • C) Established quality objectives at relevant functions and levels within the organization consistent with the quality policy and ensured that these are periodically reviewed for continued suitability.
  • D) Determined the criteria and methods needed to ensure the operation and control of quality management system processes, including the identification and management of interrelated processes.
  • E) Committed the appropriate personnel and resources for infrastructure to the quality management system.
  • F) Assigned responsibility and authority to personnel and established the organizational structure to ensure processes assuring quality are not compromised.
  • G) Performed risk management planning and ongoing review of the effectiveness of risk management activities to ensure that policies, procedures and practices are established for analyzing, evaluating and controlling risk.
  • H) Ensured the continued effectiveness of the quality management system and its processes.
  • I.) Established a quality management system which can produce devices that are safe, effective, and suitable for their intended use. 

Chapter 2 - Device Marketing Authorization and Facility Registration

  • A) Complied with requirements to register and/or license device facilities.
  • B) Submitted device listing information to regulatory authorities when applicable.
  • C) Obtained device marketing authorization in the appropriate jurisdictions.
  • D) Arranged for assessment of changes (where applicable) and obtained marketing authorization for changes to devices or the quality management system which require amendment to existing marketing authorization.

Chapter 3 - Measurement, Analysis, and Improvement

  • A) Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the quality management system standard and participating MDSAP regulatory authorities.
  • B) Identified, analyzed, and monitored appropriate sources of quality data to identify nonconformities or potential nonconformities and determined the need for corrective or preventive action26.
  • C) Ensured investigations are conducted to identify the underlying cause(s) of nonconformities and potential nonconformities, where possible.
  • D) Implemented appropriate corrective action to eliminate the recurrence or preventive action to prevent the occurrence of product or quality system nonconformities, commensurate with the risks associated with the nonconformities or potential nonconformities encountered.
  • E) Reviewed the effectiveness of corrective action and preventive action.
  • F) Utilized information from the analysis of production and post-production quality data to amend the analysis of product risk, as appropriate.

Chapter 4 - Medical Device Adverse Events and Advisory Notices Reporting

  • A) Defined processes to ensure individual device-related adverse events are reported to regulatory authorities as required.
  • B) Ensured that advisory notices are reported to regulatory authorities and authorized representatives when necessary.
  • C) Maintained appropriate records of individual device-related adverse events and advisory notices.

Chapter 5 - Design and Development

  • A) Defined, documented, and implemented procedures to ensure medical devices are designed according to specified requirements.
  • B) Effectively planned the design and development of a device.
  • C) Established mechanisms, including systematic review, for addressing incomplete, ambiguous or conflicting requirements.
  • D) Determined the internally or externally imposed requirements for safety, function, and performance for the intended use, including regulatory requirements, risk management, and human factors requirements.
  • E) Verified that design outputs satisfy design input requirements.
  • F) Identified and mitigated, to the extent practical, the risks associated with the device, including the device software.
  • G) Ensured that changes to the device design are controlled, the risks associated with the design change are identified and mitigated, to the extent practical, and that the device will continue to perform as intended.
  • H) Performed design validation to ensure devices conform to user needs and intended use.
  • I) Confirmed that the design is correctly translated into production methods and procedures.

Chapter 6 - Production and Service Controls

  • A) Defined, documented and implemented procedures to ensure production and service processes are planned, developed, conducted, controlled, and monitored to ensure conformity to specified requirements 66.
  • B) Developed production and service process controls commensurate with the potential effect of the process on product risk.
  • C) Ensured that when the results of a process cannot be verified by subsequent monitoring or measurement, the process is validated with a high degree of assurance that the process will consistently achieve the planned result.
  • D) Implemented procedures for the validation of the application of computer software for production and service processes that affect the ability of the product to conform to specified requirements, including validation of computer software used in the quality management system.
  • E) Maintained records for each batch of medical devices that provides information for traceability and confirmation that the batch meets specified requirements.
  • F) Implemented controls to protect customer property, including intellectual property, confidential health information, and other forms of customer property that is used or incorporated into products.

Chapter 7 – Purchasing

  • A) Defined, documented, and implemented procedures to ensure purchased or otherwise supplied products conform to specified purchase requirements.
  • B) Established criteria for the selection, evaluation and re-evaluation of suppliers based on the type and significance of the product purchased and the impact of the supplied product on subsequent product realization or the quality of the finished device.
  • C) Performed the evaluation and selection of suppliers based on the capability of the supplier to meet specified requirements.
  • D) Ensured the continued capability of suppliers to provide quality products that meet specified purchase requirements through re-evaluation.
  • E) Determined and implemented an appropriate combination of controls applied to suppliers in conjunction with acceptance verification activities to ensure conformity to product and quality management system requirements, based on the impact of the supplied product on the finished device.

How is the MDSAP Audit performed?

Authorized Auditing Organizations will perform MDSAP audits according to documents approved by the participating Regulatory Authorities. 

  • The sequence of tasks specified in the Audit Model MDSAP AU P0002 will have to be followed.
  • The audit duration of the audit will be based on planned audit tasks defined in document MDSAP AU P0008.007 Audit Time Determination Procedure, (October 2018), ensuring consistency across Auditing Organizations. 
  • An audit report will be issued at the end of each audit, using a standard fillable template specifically designed for medical device regulatory audits.
  • Nonconformities identified during an audit will be graded on a scale from 1 (least critical) to 5 (most critical) and will be managed according to criteria defined in the document GHTF/SG3/N19:2012, Quality management system – Medical devices - Nonconformity Grading System for Regulatory Purposes and Information Exchange, (November 2012).
  • Audited manufacturer will be responsible for timely development and implementation of action plans to address non-conformities identified during audits MDSAP AU P0027.006 Post Audit Activities and Timeline Policy, (January 2022).
  • Auditing Organizations will share the audit outcomes with the participating Regulatory Authorities to support their pre-market or post-market programs. 
  • Upon successful certification or recertification audits, Auditing Organizations will issue MDSAP-specific certification documents stating compliance to ISO 13485:2016 and applicable regulatory requirements, per the document MDSAP AU P0026.003 Certification Document Requirements, (February 2021).

Summary

The MDSAP was implemented to enable regulatory oversight of medical device manufacturers’ quality management systems while minimizing regulatory burden on industry by fostering efficient use of regulatory resources among regulators.  Use of MDSAP will move industry toward regulatory practices based on international standards bringing consistency, predictability and transparency to audit performance and outcomes.