The Medical Device Single Audit Program (MDSAP), initiated by the International Medical Device Regulators Forum (IMDRF), provides a unified audit program for medical device companies. It’s a consolidated alternative to multiple regulatory audits, aligning with ISO 13485 and other regulatory standards.
Under MDSAP, accredited Auditing Organizations (AOs) conduct a comprehensive audit of a manufacturer's quality management system, with the results being recognized by all participating regulatory authorities. This streamlined process eliminates the need for multiple, separate audits by different authorities.
While MDSAP entails a more detailed review than the standard ISO 13485, it significantly reduces the total number of audits a company undergoes, consolidating evaluations from up to six regulatory bodies. The cost and duration of the MDSAP audit are influenced by the company’s size and the risk categories of the products manufactured.
The Basics of MDSAP Audit Preparation
The basic sequence of proper MDSAP preparation entails four broad steps:
- Manufacturers must implement and ensure that they comply with all relevant requirements that apply to their specific activities.
- Manufacturers can use MDSAP audit documents to perform a preparatory internal MDSAP audit. (Audit Model and Companion document are available on the FDA website.)
- After conducting a thorough internal audit and addressing any identified gaps, manufacturers collaborate with an Accredited Organization to plan and schedule the audit.
- Take advantage of the opportunity to schedule MDSAP audits in conjunction with your annual ISO 13485 audit. Make sure to communicate early with your registrar to secure a convenient time for both audits.
The Importance of a Preparatory Internal MDSAP Audit
Given the costs and commitments that come with the MDSAP, it’s critically important to prepare for success before AO auditors arrive. One of the most effective ways to ensure readiness for the initial audit is by performing a preliminary preparatory audit.
Ideally, this would be led by an experienced third party consultant with intimate knowledge of program requirements and regulator expectations, along with firsthand experience in the field helping other companies prepare.
With experience in planning and conducting these audits, we’ve summarized the anatomy of a MDSAP preparatory audit to offer a peek inside the process and what to expect if your organization intends to pursue a preparedness plan.
- A MDSAP prep audit begins with a review all SOPs currently in place — essentially mirroring a real initial MDSAP audit. Problematic or missing elements would be redlined for revision, which could be handled either internally or by the third party expert.
- Following a comprehensive review, an on-site gap assessment is performed to the MDSAP as well as any other standards (ISO, FDA, etc.) the manufacturer would like to evaluate. Training and instruction from an experienced third party consultant offers valuable insights for both inexperienced and experienced Quality professionals in the leadup to MDSAP certification.
- During the preparatory audit, third party consultants would become valuable training resources by offering fresh perspectives into new approaches and successes from prior engagements, especially for those who find themselves stuck in myopic mindsets or blind to new opportunities.
There’s rarely only one path toward compliance. Consultants not only help companies be more efficient, but also lead the effort in training staff to bring those new approaches to life within their organizations.
In the simplest terms, MDSAP preparatory audits enable companies to lean on the experience of a third party expert to review current procedures and determine an overall state of compliance. When gaps are identified, these experts lay out exactly what must be done to bring the organization into compliance — applying this assessment throughout the quality system.
Following this comprehensive review, a report is generated which details, line-by-line or section-by-section, what is out of compliance and what must be changed to resolve the issues — documenting all gaps along the way. In addition to a clear, actionable report, consultants can also develop a risk-based plan to compile the actions companies must take and prioritize them according to risk level.
If complaint handling deficiencies exist, for example, these problems will likely rise directly to the top of the task ist as these issues often prompt warning letters and other enforcement actions when observed.
A 3-Step Strategy for MDSAP Preparation
For manufacturers that have determined MDSAP certification is a valuable pursuit, there are three general steps companies should take to ready their organizations for the initial audit.
1. Conduct a gap assessment of all SOPs and processes
“The very first step toward preparing for the initial audit should be a thorough and complete gap assessment of all SOPs and processes with an eye toward risk.”
– Corrine Bonfiglio, The FDA Group Consultant
Just as many manufacturers struggled to understand and adapt their processes when design control requirements were formally introduced during the switch from GMPs to QSRs, the MDSAP presents a similar learning curve with the introduction of risk requirements.
The MDSAP follows in line with a greater movement toward a more risk-based approach around the world. This program expands the definition of “risk” beyond risk assessments for products alone to encompass the entire quality system.
2. Develop and implement a comprehensive risk assessment program
Regulators now expect manufacturers to conduct risk assessments on processes throughout the quality system. In particular, your Notified Body will be looking for a robust risk assessment program in order to gauge and measure your investment in assessing risk beyond product quality and safety alone.
In many cases, developing such a program will require companies either augment their current Quality staff or use a third party consultant. In this case, an experienced consultant can bring firsthand knowledge gained through working with other manufacturers to build a program proven to be effective and aligned with regulatory expectations. It’s important to note that the concept of risk still remains a tripping point for many regulated manufacturers.
Given its recently-expanded scope, even veteran Quality professionals at the helm of smaller risk assessment programs struggle to know where to start when widening these efforts to the entire quality system. Experienced third party experts are especially valuable not only for developing effective programs, but prioritizing their implementation and ensuring sufficient documentation while training staff to successfully use the expanded program.
Despite such a complex challenge, the bottom line for MDSAP preparation is simple: Device manufacturers must have at least a minimal risk assessment program in place with accompanying risk-related documentation for both products and processes to satisfy MDSAP auditors during their initial assessment.
3. Ensure employees aren’t just trained in ISO 13485:2016, but fully “competent” in it
In addition to conducting a thorough gap assessment and developing a comprehensive risk assessment program, device companies that haven’t yet trained their employees to the ISO 13485:2016 standard should ensure they do so in preparation for the MDSAP. This updated standard aligns incredibly closely with FDA’s regulations, and an effective training program will prepare staff for the expectations that are quickly approaching.
Companies with robust FDA quality systems shouldn’t find the new ISO standard a considerable challenge beyond the new areas of risk-related requirements. Many industry experts predict the next version of FDA’s QSR will make risk its primary focus, in keeping with the broader trend seen throughout the world. As such, device manufacturers should make risk their primary focus as well.
Perhaps even more importantly, device companies must expand their concept of training beyond what was accepted in the past. One term in particular sets the bar for training much higher in the updated standard—competence.
13485:2016 carries over the same dimensions for competency as the earlier version (education, training, skills, and experience), and still requires manufacturers determine the necessary competence for those who perform work that affects product quality.
How The FDA Group Can Help
If your company is participating or considering participating in the MDSAP, our experienced auditing professionals can assess your current processes against the MDSAP requirements and help you identify and remediate key areas while training staff to maintain compliance under MDSAP. As an auditing and remediation resourcing organization independent of certification or regulatory bodies, this preparatory audit enables you to assess and remediate your system confidentially.
Our experienced MDSAP auditors use the same MDSAP process-based audit model that the AO will use in order to calculate your MDSAP audit score and identify your areas of biggest risk. Many clients choose to include an assessment of their quality system against ISO 13485:2016 in addition to the MDSAP requirements to allow for a more comprehensive evaluation.
We recognize the challenges of developing and managing an effective quality system under the watchful eye of regulators. Our quality system resourcing professionals draw on years of experience and highly specialized skills to ensure objective, accurate, and actionable recommendations are made each step of the way.
Our proprietary talent selection process brings together a diverse array of skill sets, experience, and expertise to offer a truly unique opportunity for companies interested in receiving personal and professional attention.
Contact us today to learn more about our MDSAP auditing and support services.
FREE CASE STUDY
Deviation Backlog Reduction, CAPA Management, and Long-Term Staff Augmentation
See how we successfully partnered with a multinational pharmaceutical company to address deviation and CAPA backlogs, implement corrective actions, provide staff training, and achieve the goal of eliminating all backlogs within the allocated time and budget.