The Medical Device Single Audit Program (MDSAP) enables a single regulatory audit of a medical device manufacturer’s quality management system, meeting the standards of numerous regulatory jurisdictions. Here are some MDSAP FAQ that may help you with your questions.
Some Important MDSAP FAQs:
We Sell in Canada Is MDSAP Required?
To sell any Class II, III, or IV devices in Canada, you will require an MDSAP. If you exclusively sell Class I devices, you do not require MDSAP certification.
We Only Sell in the US and Europe. Do We Need MDSAP?
No. Europe does not participate in the MDSAP program, and the US FDA does not mandate participation at this time, so becoming MDSAP certified makes little sense unless you are
Looking For a Medical Device Regulatory Consultant?
Let’s have a word about your next project
confident that you want to expand sales into Canada, Brazil, Japan, or Australia. Even then, you must assess the costs of MDSAP compliance against your prospective sales in those markets. Canada is the sole market that requires MDSAP accreditation.
If a Finished Device Is Made by a Manufacturer Holding European Ce Marking on the Device but an Exclusive Distributor Sells the Device in Canada, Who Is Obligated to Get MDSAP Certified?
Normally, a lawful medical device maker applies for a Medical Device License (MDL) from Canada. It should be noted that CE Marking has no bearing on the answer to this inquiry because it is unrelated to MDSAP or Health Canada. Also, if a distributor applies for the MDL, they must identify the actual manufacturer. This type of private labeling is still legal in Canada, and they have guidelines for filing for MDLs as a private labeler. If the device is a Class I device obtained from a distributor, this is immaterial because a Class I requires simply an MDEL and not a quality system certification.
Regarding the Risk-Based Approach to MDSAP Audits, What Is Required in Terms of Documentation and Training?
Clause 4.1.2 of ISO 13485:2016 does not need any documentation or training in the risk-based approach. However, reading from 4.1.1 to 4.1.2 reveals a definite sequence of activities. First, the organization must document roles (4.1.1). The organization must next establish and implement the appropriate QMS processes based on its functions (maker, distributor, etc.). The company must govern these processes using a method that prioritizes them based on their potential to produce an unsafe or ineffective product. The inclusion of the term “risk-based approach” in paragraph 4.1.2 suggests that to apply this approach, we need to apply the risk-based thinking from ISO 9001:2015, which is already part of the process approach and makes preventative action part of the process. Risk-based thinking resolves potential issues. Good problem-solving techniques should be used not only in a reactive (CAPA) process but also to identify and prevent problems from occurring. Although there is no requirement to document the risk-based approach, businesses do document the actions they carried out to define QMS processes and their interrelationships, as well as potential issues that could develop if the processes were ineffective. Furthermore, companies plan for and take action to limit the likelihood of negative outcomes from these processes, as well as periodically evaluate their performance. The specific methods and approaches that can be utilized to document these actions should be decided by the organization.
Can Internal Auditors Approve Non-Conformance/Corrective/Preventive Action Records?
The last sentence of Chapter 3, Task 10 on Internal Audits reads: “Confirm that the internal audits include provisions for auditor training and independence over the areas being audited, corrections, corrective actions, follow-up activities, and the verification of corrective actions.” Does this indicate that internal auditors cannot approve nonconformance/corrective/preventive action records? First, here’s some general guidance for analyzing MDSAP audit tasks: MDSAP does not contain any additional requirements. When clarifying an audit task, refer to the applicable ISO clause as well as any identified regulatory references. An important criterion is that auditors stay impartial of the work they are reviewing. This is addressed in the US 21 CFR Part 820.22, which is highlighted in ISO 13485:2016 Clause 8.2.4. The MDSAP audit task aims to stress and direct the auditor to confirm this independence. In this situation, the internal auditor can participate in the record approval process as an internal auditor, but not as the process owner/worker doing the actions. For example, many internal audit systems require the original auditor to “approve” the correction and corrective action plans to guarantee that the issue identified in the audit is rectified. This clearance is equivalent to a third-party auditor (e.g., ISO) examining and accepting your CAPA plan following a certification or surveillance audit. The crucial aspect is the internal auditor’s independence from the work being done to resolve the issue.
How Is an MDSAP Gap Assessment Different From an ISO 13485:2016 Gap Assessment?
An MDSAP gap evaluation is based on ISO 13485, with a focus on legislation and process connections. A gap analysis for ISO 13485:2016 will concentrate on the “shells” in the clauses and documentation requirements. Begin with the ISO 13485 methodology. Once those holes have been resolved, focus on the MDSAP audit model. During the MDSAP gap assessment, there are two approaches – Examine the results of each MDSAP process, evaluate how the organization is meeting them (be sure to record these responses down to serve as answers in practice audits), and identify gaps.2 – Examine the tasks that have linkages, as well as the procedures/processes that support these linkages. Evaluate how the organization finds and manages the linkages when needed.3 – Once the gaps have been filled, perform an audit rehearsal. Typical auditee training focuses on how to answer direct inquiries. MDSAP audit training should cover how to describe interrelationships.
What Should the Auditee and Audit Back-Room Staff Be Expecting?
The MDSAP audit focuses on process and performance rather than compliance. Prepare your organization to respond quickly and efficiently to information requests. The AO auditors have limited time. Conduct audit drills in which front- and back-of-house workers coordinate information requests and time themselves on how soon they can answer a process-related issue. The capacity to articulate processes and linkages is vital. Using process maps to demonstrate risk-based connections and control points. The organization must decide whether to utilize a paper-based system (adds time!) or an electronic system (risk of auditors scrolling through or obtaining information unrelated to the request). The traditional role of scribe or runner between the front and back rooms is crucial in MDSAP. This individual must comprehend and interpret what the auditor is looking for. In addition to the typical “on call” personnel in each functional area, process specialists are physically present in the back room rather than “on call” at their respective offices. (It also provides excellent hands-on training for those individuals.) Remember to have regulatory specialists in the back room or on call in addition to process experts. The MDSAP process connections allow AO auditors to swiftly navigate regulatory affairs questions. Ensure that your organization can access information from other time zones (for example, registrations, training records, and regulatory files). Saving time and increasing efficiency are critical MDSAP audit success elements!
What Language Will Be Used for the MDSAP Audit Reports?
According to MDSAP AU P0019.004, Section 2.2 Report Language: “The language of the report is subject to the operating language of the auditing organization and should be understandable by the manufacturer; however, all audit reports must also be available in English.” The manufacturer should confirm this with their AO, along with any other report requirements.
Is the MDSAP Stage 1 Documentation Review Part of the Audit Time Calculation?
The Stage 1 Documentation Review is not included in the audit time calculation. According to MDSAP P0008.006 Audit Time Determination Procedure, during initial certification audits, the auditor will determine the duration of Stage 2 using the given minutes per job in MDSAP P0008, and then “add 25%.” The outcome will reflect the duration of the audit (i.e., the time required to complete Stages 1 and 2). The AO may combine components of Stages 1 and 2 to enable a single on-site visit to the manufacturer.
Can All MDSAP Regulatory Authorities See Our MDSAP Audit Report?
The report is submitted to the central repository REP. In theory, any RA could review the report, although this is unlikely unless something prompts them to do so, such as your organization’s regulatory action with that RA. Also, MDSAP audit results can be included in medical device approval petitions sent to foreign countries whose authorities participate in the IMDRF.
Will Non-MDSAP Countries Accept Our MDSAP Report instead of an EIR?
Some countries have long accepted FDA Establishment Inspection Report (EIR) copies as proof of QMS compliance. According to this FDA memo, the MDSAP audit report will replace the EIR. The MDSAP report is deemed to be sufficient for the same purpose.
The Purpose of MDSAP is that it allows the conduct of a single regulatory audit of a medical device manufacturer QMS, it is in a way that medical device manufacturers can be audited once for compliance. We tried compiling the most important MDSAP FAQ in this blog which would clear all the doubts and queries.
MDSAP Certification Journey with Operon Strategist:
We begin by discussing your organization and the benefits of MDSAP certification before presenting a bespoke offer. A pre-audit reveals potential QMS improvement opportunities for audit planning. We train clients on QMS implementation and document creation. You will obtain your MDSAP certificate once all conditions have been met and the assessor has approved your application.
Planning for the Medical Device Single Audit Program (MDSAP) audit? We specialize in MDSAP consultation and audit services, along with consultancy for ISO 13485 Certification, ISO 15378 Certification, and US FDA 21 CFR Part 820 QSR for manufacturers. Contact us for personalized support.
