The Medical Device Single Audit Program (MDSAP) is a program that allows the conduct of a single regulatory audit of a medical device manufacturer\’s quality management system that satisfies the requirements of multiple regulatory jurisdictions. These are some MDSAP FAQ that might help you with your doubts.
Following we have mentioned some of the important MDSAP FAQ.
We sell in Canada. Is MDSAP required?
Yes, you\’ll need a MDSAP if you want to sell any Class II, class III, or class IV devices in Canada. If you sell only Class I devices, you do not need MDSAP certification.
We only sell in the US and Europe. Do we need MDSAP
No. Europe is not a participant in the MDSAP program and the US FDA does not require participation at this time, so it would not make any sense to get MDSAP certified unless you knew for certain that you plan to expand sales into Canada, Brazil, Japan, or Australia. Even then, you will need to weigh the costs of compliance with MDSAP against your sales potential in those markets. Canada is the only market that requires MDSAP certification.
Also Read
MDSAP audit process for Medical Device
We can help you with the MDSAP consultation and audit process.
If a finished device is made by a manufacturer holding European CE Marking on the device but an exclusive distributor sells the device in Canada, who is obligated to get MDSAP certified?
Normally, the legal medical device manufacturer applies for the Medical Device License (MDL) in Canada. Note that CE Marking is not related to either MDSAP or Health Canada and, therefore, does not influence the answer to this question. Also note that if a distributor applies for the MDL then they need to identify the actual manufacturer. This form of private labeling is still a valid process in Canada and they have guidance documents for applying for MDLs as a private labeler. If the device is a Class I device through a distributor, then this is a moot point as a Class I requires only an MDEL and not a quality system certification.
Regarding the risk-based approach to MDSAP audits, what is required in terms of documentation and training?
Clause 4.1.2 of ISO 13485:2016 does not include a requirement to document anything or provide training in the risk-based approach. However, if we read from 4.1.1 through 4.1.2, there is a clear progression of activities. First, the organization needs to document roles (4.1.1).Then, depending on the roles (manufacturer, distributor, etc.), the organization must determine and apply the necessary QMS processes. The organization needs to control these processes using an approach that prioritizes the processes by their impact on producing an unsafe or ineffective product. The use of the words “risk-based approach” in clause 4.1.2 indicates that to apply this approach we need to apply the risk-based thinking from ISO 9001:2015 – which is already part of the process approach and makes preventive action part of the process. Risk-based thinking solves potential problems. Just as we should use good problem-solving tools in a reactive (CAPA) process, we should also use them to identify and stop problems before they happen. Although there is no requirement for documenting the risk-based approach, the organizations document the activities they executed to determine QMS processes and their interrelationships, as well as potential problems that could arise if the processes were ineffective. Further, the organizations plan for and take action to reduce the probability of undesirable outcomes from these processes and also review their effectiveness periodically. The exact nature of the tools and techniques that can be used to document these activities should be an organizational decision.
We also provide the following consultation certification for manufacturers. ISO 13485 Certification, ISO 15378 Certification And US FDA 21 CFR Part 820 QSR
Can internal auditors approve nonconformance/corrective/preventive action records?
In Chapter 3, Task 10 on Internal Audits, the last sentence states: “Confirm that the internal audits include provisions for auditor training and independence over the areas being audited, corrections, corrective actions, follow-up activities, and the verification of corrective actions.” Does this sentence mean that internal auditors cannot be part of nonconformance/corrective/preventive action records as approvers? First, some general advice on interpreting MDSAP audit tasks: MDSAP does not include any new requirements. Refer to the relevant ISO clause and any identified regulatory references when you need to clarify an audit task. A key requirement is that auditors remain independent of the work they are auditing. This is addressed in US 21 CFR Part 820.22 and emphasized in Clause 8.2.4 of ISO 13485:2016. This independence is what the MDSAP audit task is trying to emphasize/direct the auditor to confirmIn this case, the internal auditor can be part of approving the records in the role of an internal auditor – but not as the process owner/worker where the actions are being taken. For example, many internal audit systems have the original auditor “approve” the correction and corrective action plans to ensure that the issue noted in the audit is being addressed. This approval is analogous to a third-party auditor (e.g., ISO) reviewing and accepting your CAPA plan from a certification or surveillance audit. The key point is the independence of the internal auditor from the work being done to address the issue.
How is an MDSAP gap assessment different from an ISO 13485:2016 gap assessment?
An MDSAP gap assessment is based on ISO 13485, with greater emphasis on the regulations and the linkages between the processes. A gap assessment for ISO 13485:2016 will focus on the “shalls” in the clauses and the documentation requirements. Starting with the ISO 13485 approach. Once those gaps are closed, look specifically at the MDSAP audit model.During the MDSAP gap assessment, two approaches:1 – Look at the outcomes in each MDSAP process, determine how the organization is fulfilling them (be sure to write these responses down to use as answers in practice audits), and identify the gaps.2 – Look at the tasks that have linkages and the procedures/processes associated with these linkages. Assess how the organization identifies and controls the linkages, as appropriate.3 – Once the gaps are filled, conduct an audit rehearsal. Typical auditee training focuses on how you answer direct questions. MDSAP auditee training must address how to describe interrelationships.
What should the auditee and audit back-room staff be expecting?
The MDSAP audit is more of a process/performance audit than a compliance audit. Prepare your organization to be very fast and efficient in providing information. The AO auditors have a limited amount of time. Conducting audit drills in which the front- and back-room staff coordinate information requests and time themselves on how quickly they can respond to a process-type question. The ability to articulate processes and linkages is critically important. Using process maps to show relationships and control points based on risk. The organization needs to determine whether it wants to use a paper-based system (adds time!) or an electronic system (danger of auditor scrolling through or receiving information not related to the request). The traditional role of scribe or runner between the front and back rooms is important in MDSAP. This person needs to understand and interpret what the auditor is looking for. In addition to having the traditional “on call” representatives in each functional area, the back room have process experts physically in the room versus “on call” in their own offices. (It’s also excellent hands-on training for those people.) Don’t forget to have regulatory experts in the back room or on call in addition to those process experts. The MDSAP process links can direct the AO auditors to regulatory affairs questions quickly. Ensure that your organization can access information from other time zones (e.g., registrations, training records, regulatory files). Saving time and maximizing efficiency are key MDSAP audit success factors!
- What language will be used for the MDSAP audit reports?
Per MDSAP AU P0019.004, section 2.2 Report Language: “The language of the report is subject to the operating language of the auditing organization and should be understandable by the manufacturer; however, all audit reports must also be available in English.” The manufacturer should clarify this with their AO along with any other report needs
Is the MDSAP Stage 1 Documentation Review part of the audit time calculation?
The Stage 1 Documentation Review is not part of the audit time calculation. Per MDSAP P0008.006 Audit Time Determination Procedure, for initial certification audits the auditor will calculate the duration of Stage 2 using the assigned minutes per task in MDSAP P0008 and then “add 25%. The result will reflect the duration of audit (i.e., time necessary to perform Stage 1 and Stage 2.” The AO may combine elements of Stage 1 and Stage 2 to allow for a single on-site visit to the manufacturer.
Can all MDSAP regulatory authorities see our MDSAP audit report?
The report is posted to the central repository REP. Theoretically, any RA could look at the report, but that would be unlikely unless something prompted them to do so, such as some type of regulatory activity by your organization with that RA. Also, note that MDSAP audit reports can be included as part of medical device approval requests submitted to other countries whose regulators participate in the IMDRF.
Will non-MDSAP countries accept our MDSAP report in lieu of an EIR?
Some countries have traditionally accepted FDA Establishment Inspection Report (EIR) copies as evidence of QMS compliance. This FDA memo states that the MDSAP audit report replaces the EIR. The MDSAP report is assumed to be sufficient to serve in the same capacity.
The Purpose of MDSAP is that it allows the conduct of a single regulatory audit of a medical device manufacture QMS, it is in a way that medical device manufacturers can be audited once for compliance and We tried compiling the most important MDSAP FAQ in this blog which would clear all the doubts and queries.
