The Medical Device Single Audit Program (MDSAP) was initiated to satisfy a wish of many medical device manufacturers: To replace the various audits and inspections by authorities with one standardized audit.
Participating in the MDSAP shall suffice for verifying effectiveness and conformity of QM systems (e.g. with ISO 13485 or 21 CFR part 820).
In this article, you will learn if this wish has really come true and at what price.
The International Medical Device Regulators Forum IMDRF, a group of international authorities and legislators, has realized that the multitude of audits and inspections of QM systems required in different target markets are suboptimal in many ways.
Standardization is expected to
Subject to standardization are audits and their documentation, whereas the MDSAP requires no standardization of manufacturers’ documentation.
The following countries participated in the pilot of the Medical Device Single Audit Program:
Country | Authority | QM Requirements |
Australia | Therapeutic Goods Administration TGA | Australian Therapeutic Goods (Medical Devices) Regulations (TG(MD)R Sch3) |
Brazil | Agência Nacional de Vigilância Sanitária (ANVISA) | Brazilian Good Manufacturing Practices (RDC ANVISA 16/2013) |
Canada | Health Canada | ISO 13485:2016 |
Japan | Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA) | Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No. 169) |
Food and Drug Administration FDA | QSR – 21 CFR Part 820 |
The EU and WHO merely participate as observers.
The FDA considers the first phase (pilot) ending in 2017 a success:
“Based on its evaluation of the MDSAP Final Pilot Report, the MDSAP Regulatory Authority Council determined that the MDSAP Pilot had satisfactorily demonstrated the viability of the Medical Device Single Audit Program. [..]FDA will continue to accept MDSAP audit reports as a substitute for routine Agency inspections.”
So far, the five countries mentioned above participate in the Medical Device Single Audit Program.
Even though those countries undertake to accept MDSAP audit results, there are minor differences, limitations and exceptions:
Country | Recognition |
Australia | Yes, except for medical devices incorporating a medicinal substance or a material of human or animal origin. |
Brazil | Yes, even as initial audit. No recognition if, for example, a prior ANVISA audit has found significant deviations. |
Canada | Yes. As of 2019, Health Canada will only accept MDSAP audits. |
Japan | Yes, except for e.g. medical devices incorporating a material of human or animal origin. |
USA | Yes, however only substitution for routine audits, not for initial or occasion-related inspections. |
Bottom line: Canada is the only country consequently operating the procedure model. As of 2019, Canada will only accept QM systems audited under MDSAP.
Audits are conducted by so-called “Auditing Organizations“ (AO). Among them are some notified bodies such as TÜV Süd, TÜV Rheinland and DQS-med. Notified bodies are, however, not automatically authorized to perform audits as AO.
The FDA maintains a list of Auditing Organizations and a list of AOs recognized by ANVISA online.
The requirements catalog is strongly based on ISO 13485:2016. In addition, requirements of participating countries not covered by ISO 13485:2016 are incorporated. Like ISO 13485:2016, the MDSAP’s requirements catalog is process-oriented and audits are conducted in process groups.
There are four primary processes or process groups and three supporting processes:
If an organization does not perform certain processes, e.g. development, the respective processes do not have to be audited. A manufacturer outsourcing processes does not benefit from this simplification.
Manufacturers may exclude requirements of a certain target market if he does not sell any medical devices on that target market.
An audit under MDSAP considers interrelationships of processes. The output of a development process, for instance, is the production process’s input. Audits must follow this sequence, must be based on risk and must consider the complete device life-cycle (until the time the product is decommissioned).
For each of the aforementioned process groups, the MDSAP audit model describes the following:
Element | Example (Excerpts) |
Process name | Management process |
Purpose of auditing this process | To verify that appropriate resources for development, production […] are provided and that […] |
Expected outcomes (= requirements) | Commitment to provide appropriate personnel and resources for infrastructure to the quality management […] |
Links to other processes dependent upon this process | Measurement, Analysis and Improvement; Development; Purchasing; Device Marketing Authorization; […] |
Audit tasks | Review the manufacturer’s organizational structure and related documents to verify that they include provisions for responsibilities, personnel, resources [….] |
References to respective subchapters, articles and paragraphs of ISO 13485:2016 and other requirements such as 21 CFR part 820 and RDC ANVISA 16/2016 for each task | SO 13485:2016: 5.1, 5.5.1, 5.5.2, 6.1, 6.2; TG(MD)R Sch3 P1 1.4(5)(b); […] |
References to country-specific requirements for each task | none |
Additional information for auditors (to be found in the Companion Document) | One method for confirming that adequate resources are made available is to ask the management representative to provide several examples of recent requests for different types of resources and describe the outcomes of these requests. |
MDSAP audits follow the same triannual frequency as audits under 93/42-EWG or ISO 13485.
As for this sequence, MDSAP heavily draws on ISO 17021:2015, which in turn is basis for ISO 13485. The MDSAP’s proximity to ISO 13485 is also illustrated in the audit model’s description :
“The purpose of a Stage 2 audit is to determine if all applicable requirements of ISO 13485:2016 and the relevant regulatory requirements from participating regulatory authorities have been implemented.”
The duration of audits under MDSAP is calculated based on the number of tasks. This number, in turn, depends on the exclusions. For instance, it may be that a manufacturer must meet no requirements for sterile products.
In the worst case, auditors must perform 90 tasks which may take them between 12 and 35 minutes to conduct. E.g., 28.8 minutes each are scheduled for the tasks of process group “Management”.
Efforts increase for auditing under country-specific requirements.
Templates for documenting the planning, conduction and assessment of audits are at your disposal. Thereby, audit and non-conformance reports are standardized and can be evaluated automatically.
MDSAP sets deadlines by which Auditing Organizations must produce and distribute the reports. Those deadlines are more ambitions than the ones set by many notified bodies and that we have accustomed to.
A reduction of the number of audits and inspections by authorities caused by MDSAP may be a great benefit for manufacturers. Nevertheless, manufacturers participating in the MDSAP’s pilot were reluctant. This may relate to the following disadvantages and challenges:
Anyone who wants to bring medical devices into the Canadian market will have no choice: Medical Device Single Audit Program will be the only possibility. For every other manufacturer, participating means weighing up the pros and cons; at least until Europe bids farewell to its role as observer and accepts the MDSAP.
Transitioning to MDSAP is time-consuming. Hence, you should start in due time.
Relatively transparent and standardized regulations regarding activities, documentation and assessment are likely to contribute to audits being processed in a more uniform way across the world.
The promised adaption of efforts to the risk of a manufacturer’s medical devices and the manufacturer’s size still leaves much to be desired. Compared to audits under ISO 13485, MDSAP represents a more serious obstacle for small manufacturers with less critical devices.