How to prepare for the Medical Device Single Audit Program: 6-minute read

This article will prepare you for the Medical Device Single Audit Program (#MDSAP), which allows medical device companies to sell in multiple countries with one audit, saving time and increasing your market access.

If you're already confident with MDSAP requirements, consider taking a Quiz to see if you're prepared for an audit, or reading How to pass an #FDA audit using lessons from Van Halen and brown M&M's.

BACKGROUND : MEDICAL DEVICE REGULATORY REQUIREMENTS

Medical devices are regulated by governments in order to protect patient safety. For example, when the United States discovered that 44% of medical device recalls could be attributed to design flaws, the FDA began enforcing design controls.

Companies must comply with the regulatory requirements of each country in which they sell medical devices. Participating countries will accept MDSAP in lieu of individual audits. These countries, and their regulatory authorities, are:

• The United States of America, FDA
• Australia,  TGA
• Japan,  MHLW and PMDA
• Brazil,  ANVISA
• Canada,  Health Canada

Currently, MDSAP is voluntary. Beginning in January 2019, Canada will require MDSAP.

MDSAP VS. TRADITIONAL AUDITS

Traditionally, each country required an audit.

MDSAP allows one audit to be used for all participating countries. A company only needs to comply with countries in which they intend to sell products.

Traditionally, auditors were encouraged to review a company's quality system as process but were allowed to audit components independently.

MDSAP audits are conducted as a "process," ensuring each part of a quality system links to other parts for a seamless flow of information. The most common links are Risk Management and Purchasing procedures.

Traditionally, noncompliances were graded as "minor" or "major."

MDSAP noncompliances are graded from 1 to 5  based on the potential impact to a patient, frequency of occurrences, and whether or not products were shipped with the noncompliance.

AUDIT SEQUENCE

MDSAP uses ISO 13485:2016, plus each country's additional requirements. All auditors follow a list of MDSAP "tasks." There are approximately 80 tasks, each of which is graded for compliance.

Audits are conducted by Auditing Organizations (AO) that are approved by Regulatory Authorities (RA) of participating countries. I list some AO's at the end of this article.

An AO will conduct an initial audit, perform surveillance audits, then re-certify a company every three years. An initial audit begins with a review of documents before an on-site visit; subsequent audits are document reviews unless there's a reason to conduct a special audit

GRADING

Noncompliance for each MDSAP task is graded from 1 to 5, with 5 being the most adverse. Grading has two steps.

STEP 1: start with a score based on two factors:

• Potential impact to a patient, either indirect or direct, which corresponds with clauses in ISO 13485. Clauses 4.1 through 6.3 are indirect, clauses 6.4 through 8.5.3 are direct. An indirect noncompliance starts with a score of "1," a direct impact starts with "3."
• Frequency of occurrence, increasing a score +1 if the noncompliance was reported in a previous audit.

 STEP 2: apply an escalation score, if applicable.

• +1 if a process isn't documented (vs. being inaccurate or incomplete)
• +1 if the company shipped a non-conforming product

The final MDSAP score for each task is the combination of Step 1 and Step 2 scores, but with a maximum score of "5." Auditing Organizations report a score of "5" or three scores of "4" to Regulatory Authorities within five business days. Otherwise, AO's have 90 days to submit their report to all participating countries.

THERE'S MORE...

An overview of the MDSAP won't answer every question. Examples include how companies respond to noncompliances, how internal audits are utilized, etc.

But, there are no surprises with the MDSAP. To paraphrase The Buddha, there are no secrets "hidden in the closed fist of a regulatory authority." All documents used by Auditing Organizations are available, for free, online.

RESOURCES

Official documents:

• MDSAP audit model is the the primary document you'll need; it's updated to include country-specific requirements.
• The United States FDA MDSAP
• Australia's TGA MDSAP
• Search "MDSAP" in the International Medical Device Regulators Forum (IMDRF)

Consulting or training:

• Oriel STAT-A-MATRIX (the cover image is via Oriel, and I consult with them)
• Maetrics
• LNE G-Med
• MDI Consultants
• JipBit.com (that's me, Jason Ian Partin)

Auditing Organizations (AO):

• Intertek
• BSI Group
• TUV SUD
• UL

MDSAP SUMMARY

1. Five countries are participating: USA, Japan, Australia, Brazil, Canada
2. Canada will require MDSAP by January 2019
3. Uses existing requirements. Differences from previous audits include:

• One audit recognized by participating countries rather than individual audits
• Requires links between parts of a quality system, emphasizing risk management and purchasing procedures
• Noncompliances are graded 1-5 rather than "major" or "minor"

Test your understanding by taking a  MDSAP quiz.

CONCLUSION

I've learned that obstacles to applying MDSAP are rarely the concepts of MDSAP; rather, obstacles stem from resistance to change within a company. My advice to people trying to improve their company is to focus, relentlessly, on increasing patient safety by reducing risk.

Patient safety includes having a simplified quality system, and ensuring employees pay attention to details because they understand the importance of their work; that's the core concept of How to pass an #FDA audit using lessons from Van Halen and brown M&M's.