About a year ago, one of our blogs highlighted some of the MDSAP program intents and benefits.
Having gained visibility on its implementation, we would like to provide an update on the program’s current status and possible implications on Medical Device Manufacturer’s regulatory activities.
Initially subject to a three-year pilot program, the MDSAP has been fully operational since January 2017. It is now therefore an option offered by Notified Bodies and certain Medical Device manufacturers may benefit from selecting this program as a way to meet their regulatory obligations. So let’s review some of the key points that may help you decide if MDSAP is for you.
What’s in it for me?
In a nutshell, some of the advantage of MDSAP include:
- No additional requirements
- Less audits and regulatory inspections resulting in a reduction of costs, time and resources (depending on your state of compliance and your organizational structure, for example number of sites to be audited)
- Audit evidence (MDSAP certificate) can be used in addition to or as substitute to other documents (e.g. in Canada, MDSAP certificates will replace CMDCAS certificates by 2019)
- Ability to plan your audits with your Notified Body (Auditing Organization)
- Better predictability of audit time and format
The MDSAP is the result of an international effort driven by one of the IMDRF working group. The program currently counts five actively engaged regulatory jurisdictions: Australia, Brazil, Canada, Japan and the USA, and two official “observers”, the World Health Organization (WHO) and the European Union. We also expect additional regulatory authorities to join at a later stage.
Each active member has defined their level of adoption in the program and the audit output (i.e. report, non-conformances and MDSAP certificates) is used to satisfy elements of their individual regulatory framework.
The audit output may be used to satisfy:
- Pre-market inspections requirements of selected jurisdictions (Canada, Japan, Brazil) – note that MDSAP certificates cannot substantiate FDA PMAs inspections
- Product submission requirements, as substitute to other Manufacturer’s evidence (Canada, Japan, Brazil)
- Routine inspections and post-market surveillance requirements (All active members)
Unlike regulatory inspections, MDSAP audit are conducted by Auditing Organizations – AOs (i.e. members of a regulatory agency may attend a MDSAP audit to observe the AO performing the audit but not as auditors).
AOs are essentially “Notified Bodies” that have been officially assessed and recognized competent by the regulators to conduct audits using the MDSAP procedures.
At the time of writing this blog, only a few AOs have been fully recognized (e.g. BSI, TUV SUD, Intertek and LNE) but a number of AOs are in the process of recognition. A list is maintained by the MDSAP working group to reflect the state of recognition: here.
MDSAP audits are carried out over a three-year audit cycle and are very prescriptive in nature (hence quite predictable). They are conducted in accordance with a range of procedures and forms, vastly inspired by the GHTF model. The framework includes prescriptive elements at all major audit phases, these include:
- Audit Planning – Planning of the audit is conducted by the AO, on the basis of questionnaires populated by the applying Manufacturer. The questionnaires, highlight the type of products manufactured, the jurisdictions where the product is marketed and the processes carried out at each significant site. Manufacturers must declare as part of this process their critical suppliers/sub-contractors for consideration in the overall auditing activity. Upon receipt of the questionnaires, the AO will identify the relevant (product) expertise required, resources needed and the jurisdictions to be covered as part of the audits. Note that the jurisdictions covered by the MDSAP audit are not optional and that manufacturers must declare all markets where the product is intended to be sold. Where a manufacturer does not intend to market their product in one of the MDSAP jurisdictions however, then the associated requirements may not apply to the manufacturer. The audit times will be calculated for each process using a prescribed calculation method and an audit plan delivered to each site receiving an audit. (refer Audit time calculation procedure – P0008.001)
- Conduct of the audit – MDSAP requirements are essentially ISO13485 requirements plus the relevant regulatory requirements from the regulatory authorities (e.g. they include registration and listing, device tracking). Audits will be conducted at each site as per the pre-defined schedule. All audit elements must be covered at each site (i.e. there is no sampling across sites possible as part of MDSA) and following the requirements stipulated in the MDSAP Companion Document (AU G0002.1.002).
The document is an essential resource for manufacturer’s wishing to prepare for MDSAP audits as it describes the audit sequence, the type of questions asked and the audit criteria/requirements.
- Audit findings – Findings are also issued by the AO (i.e. the regulator has no say in the findings) and as per a nonconformity grading system that is based on the GHTF guidance (GHTF/SG3/N19:2012). The grading is quantitative (i.e. on a scale of 1 to 5) and is calculated based on the impact to systems and products as well as the occurrence of the issue. Significant issues may result in additional audits to be conducted outside of the normal cycle.
- Audit reports – Audit reports will be generated by the AO, along with a MDSAP certificate upon successful completion of the audit. Reports will be submitted to ALL regulators involved in the program (i.e. whether or not identified as an applicable jurisdiction by the manufacturer). Other regulators (outside of the program) may also access a summary version of the report. Information contained in the report will in most cases be utilized to substantiate regulatory evidence (e.g. regulatory inspections) but may in case of major findings be utilized to trigger regulatory actions (e.g. warning letters, Regulatory inspections).
Timing is everything
In a constantly evolving regulatory environment, appropriate planning for your audit and certification program will be key. In order to decide whether MDSAP is appropriate for your organization, give considerations to
- which markets your company intends to supply its products (i.e. if the jurisdictions covered by MDSAP are relevant to your business, particularly if you sale or intend to sale in Canada)
- your current audit cycle, whether you are re-due for ISO13485 certification or whether you are in the process of transitioning to ISO13485:2016. If you require ISO13485 certification (e.g. you are selling to Europe), your notified body may offer to combine ISO and MDSAP audits during the same visit.
Over the years, our team of consultants has developed expertise in the field of Regulatory and Quality Systems compliance, we have established strong relationships with highly reputable notified bodies and regulatory agencies.
Whether you require support through training, consulting, or even establishment of your regulatory strategy and systems, we are here to help! Contact us by email firstname.lastname@example.org or call +61 0 9906 2984. We would be pleased to discuss how we can help supporting your projects.