Medical Device Single Audit Program

History:

The Medical Audit Single Audit Program (MDSAP) was developed by the International Medical Device Regulators Forum (IMDRF) to allow third party auditors to conduct a single audit of a medical manufacturer that covers ISO 13485:2016 and the respective regulatory requirements.

A working group was established for MDSAP in 2012. Then, IMDRF initiated a three year pilot program between 2014 and 2016.

The main goal of the MDASAP program is to establish a union internationally that can work together to provide oversight and safety on a global scale to the medical device manufacturers.

Participating partners:

International partners that are participating in the MDSAP include:

MDSAP Members:

a) Therapeutic Goods Administration of Australia (TGA)

b) Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)

c) Health Canada (HC)

d) Japan’s Ministry of Health, Labour and Welfare, and the Japanese Pharmaceuticals and Medical Devices Agency

e) U.S. Food and Drug Administration (USFDA)

MDSAP Official Observers:

a) European Union (EU)

b) United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)

c) The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Programme

MDSAP Affiliate Members:

a) Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)

b) Ministry of Health of Israel (NEW)

c) Republic of Korea’s Ministry of Food and Drug Safety

d) Singapore’s Health Sciences Authority (HSA)

Status of MDSAP adoption in participating countries:

a) US: FDA will accept the results of MDSAP audits rather than conducting inspection. However, the agency still conducts its own initial visits to manufacturers and ‘for cause’ inspections.

b) Canada: after January 1st 2019, HC fully transitioned to accept only MDSAP compliance audits from the manufacturers.

c) Brazil: the authority will accept MDSAP for initial audits. However, it will continue to conduct its own inspections and audits for high risk devices.

d) Japan: the authority has fully adopted MDSAP and will accept MDSAP audit results in place of J-QMS audit.

e) Australia: another adopter of MDSAP. The authority recognizes manufacturers who pass the audit and satisfied their QMS requirements. The TGA recognizes MDSAP certificates as equivalent to CE certificates.

Eligibility:

a) Any manufacturer may participate in the audit program if their product falls under the scope of at least one participating country and subject to QMS requirements

b) Located anywhere in the world are eligible to participate

c) Only the MDSAP participating countries will have access to audit report

d) Manufacturers cannot select which of the 5 regulatory schemes to be included in the audit scope. All country specific requirements of the manufacturer’s target sale countries must be included

MDSAP actors:

Regulatory Authorities (RA): They are responsible for designating the Auditing Organizations (AO).  There are certain criteria to be fulfilled to designate AO. The RA’s will continue to monitor the program and they have the final decision.

Auditing Organization (AO): They plan, conduct and report the audit to RA’s.

Manufacturer: they engage with the AO for QMS audits. If there is any non conformity, they need to provide corrective action plan.

Benefits of MDSAP certification:

-Reduces the burden for a manufacturer in case of audits and inspections

-Minimizes business obstacles, reduces cost and saves time due to the single audit process

-Helps the manufacturer to enter new markets with ease

-Consistent multiple regulatory programs by participating regulators

-Positive image for the company

MDSAP audit cycle:

The MDSAP audit program is based on three year audit cycle. The initial audit, also referred to as ‘Initial Certification Audit’ consists of stage 1 and stage 2 audit. The initial audit is followed by partial surveillance audit and a complete Re audit, also referred to as ‘Recertification audit’ in the third year. A recertification audit may include stage 1 audit, if there are any significant changes to the already audited QMS.

Special audits are extraordinary audits that are not part of the planned audit cycle. These audits mainly focus on specific elements of QMS. These include audits conducted in response to an application for the extension to the scope of an existing certification, to determine whether or not the extension can be granted or as short-notice audits conducted to investigate potentially significant complaints, or if specific information provides reasons to suspect serious non-conformities of the devices, or for other reasons.

Unannounced audits: The MDSAP participating regulatory authorities require AO to conduct unannounced audits in circumstances where high grade non-conformities have been detected.

MDSAP audit process:

The MDSAP audit process involves seven chapters or processes. They are, four primary processes, one enabling process and two supporting processes which are mentioned below.

-Management

-Measurement, Analysis and Improvement

-Design and Development

-Production and Service Controls

-Purchasing

-Device Marketing Authorization and Facility Registration, and

-Medical Device Adverse Events and Advisory Notices Reporting

Each chapter contains multiple audit tasks that are verified during the audit. Each audit task references the applicable clauses of ISO 13485:2016. Below table gives an overview of number of tasks mentioned in each chapter.

MDSAP PROCESSNUMBER OF TASKS
Management11
Device Marketing Authorization and Facility  Registration03
Measurement, Analysis and Improvement16
Medical Device Adverse Events and  Advisory Notices Reporting02
Design and Development17
Production and Service Controls29
Purchasing12

MDSAP audit sequence:

The MDSAP audit sequence follows a process approach and has four primary processes – Management process, Measurement, Analysis and Improvement process, Design and Development process and a Production and Service Controls process with links to the supporting process for Purchasing. Also, it has two additional supporting processes: Device Marketing Authorization and Facility Registration and Medical Device Adverse Events and Advisory Notices Reporting. These are necessary to fulfill specific requirements of the participating MDSAP regulatory authorities.

The audit sequence should be followed as designed. However, under certain circumstances, judicious exceptions to the audit sequence are allowed considering there is sufficient justification and the core elements of the MDSAP Audit Approach, are respected.

The flowchart shown in Figure 1 illustrates the MDSAP audit sequence and interrelationships.

Figure 1.  Audit sequence

MDSAP grading system:

The MDSAP grading system was created to clarify and address inconsistencies within traditional audit grading approaches that make use of ‘Major findings’ or ‘Opportunity for Improvement’.

Non Conformities (NC) are assigned a grade between 1 and 5, which is calculated using a two step scoring system.

To determine the initial score, four point NC matrix is used. There are two categories based on clauses of ISO 13485:2016.

Indirect – Clauses 4.1 through 6.3, which have indirect impact on safety and performance of a medical device, it includes general documentation, and quality manual(s).

Direct – Clauses 6.4 through 8.5.3, which has direct impact on medical device safety and performance. The documents are mainly related to design, production, CAPAs etc.

Below table gives an insight in to the NC grading system.

Credits: MDR guide

Why choose KN consulting

KN consulting and services takes a proactive approach in informing our customers about the regulatory changes concerning the industry.

-Saves time and money

-Faster market access

-Expert guidance

QMS – ISO 13485

A medical device quality system is a structured system of procedures and processes covering all aspects of design, manufacturing, supplier management, risk management, complaint handling, clinical data, storage, distribution, product labeling, and more. Most medical devices will require some form of a Quality Management System (QMS); the complexity of the QMS will vary based on the classification of the device.

For example, companies making medium-risk (Class II) or high-risk devices (Class III) devices will require a different QMS implementation than companies making low-risk, non-sterile, non-measuring, non-reusable surgical instrument devices (Class I).

Importance of ISO 13485

The standard is important to various parties including manufacturers and distributors of medical devices. In addition, suppliers and providers can enhance their marketability with this certification as manufacturers require ISO 13485 certification in order to do the business. 

The FDA has proposed a rule to harmonize USFDA 21CFR 820 with ISO 13485:2016 making ISO 13485 the FDA’s mandatory QMS for Medical Devices.

ISO 13485 Medical Device Quality Management Systems

ISO 13485: 2016

The International Standard ISO 13485:2016 can be used by internal and external parties, including certification bodies, to assess the organization’s ability to meet customer and regulatory requirements applicable to the QMS and the organization’s own requirements.

The International Standard ISO 13485:2016 is based on a process approach to quality management. Any activity that receives input and converts it to output can be considered as a process. Often the output from one process directly forms the input to the next process.

Reasons to update ISO 13385:2003 to ISO 13485:2016 

Evolution of Medical Device regulation since 2003

a) Shift in focus to risk management and risk based decision making processes

b) ISO 13485:2016 no longer aligns with the current version of ISO 9001, but rather aligns with the previous revision, ISO 9001:2008

c) Basically, ISO 13485:2016 = ISO 9001:2008 + additional requirements specific to medical devices arranged in 8 clause format. Additionally, ISO 13485:2016 has common requirements to address FDA 21 CFR 820. 

Overview of ISO 13485:2016

The standard contains requirements arranged in 8 clauses which are briefly explained below:

Clause 1: Scope

Talks about the standard and how it applies to organizations and 

a) The importance of process approach

b) Inclusion of regulatory requirements of company’s products and services

c) Processes in place for continual improvement

Clause 2: Normative reference

It outlines the QMS’s fundamentals and vocabulary.

Clause 3: Terms and Definitions

Gives definition used in the standard, from ISO 9001:2008 and other definitions specific to medical devices.

Clauses 4-8 are the ISO 13485:2016 requirements that need to be met within the organization to become certified under ISO 13485.

Clause 4: General requirements 

– Outlines the overall QMS documentation requirements, including:

-Quality Manual with Scope of the QMS

-Required Procedures

-Required Forms & Records

-Control of Documents

-Control of Forms

Clause 5: Management Responsibility 

Outlines the management’s role in the QMS

-Management Responsibility

-Quality Policy & Objectives

-Customer Focus & Customer Satisfaction

-Management Review

Clause 6: Resource Management 

Outlines the requirements for resources including:

-Personnel and training

-Resource management

Clause 7: Product Realization

-The clause outlines following requirements:

-The production of the product or service

-Planning

-Customer related processes and Customer Feedback

-Design

-Purchasing

-Process control

-Identification and Traceability

-Customer Property

Note: Majority of section 7 is modified from ISO 9001:2008

Clause 8: Measurement, Analysis and Improvement

The clause outlines the requirements on monitoring processes and improving the below processes which includes:

-Customer Satisfaction

-Internal Audits

-Control of Non-Conforming Product

-Corrective and Preventive Action

Note: Majority of section 8 is modified from ISO 9001:2008

ISO 13485:2016 certification

“ISO 13485 Certified” means an organization has implemented an ISO 13485 QMS and successfully met all of the applicable requirements in the standard. ISO 13485 evaluates whether the company’s QMS is appropriate and effective while emphasizing on the safety and effectiveness of medical devices.

To become ISO 13485 certified, an organization must –

a) Follow steps to implement ISO 13485 QMS 

b) Next, a certification body audits the performance of the organization against the latest version of standard requirements. Once the audit is successfully completed, the auditing body issues ISO 13485 certificate demonstrating that the organization is registered to ISO 13485 for a period of three years

c) Recertification has to be completed every three years to maintain the ISO 13485 status

Benefits of being ISO 13485: 2016 certified

-The beneficial outputs of an effective audit include:

-Meaningful feedback on the effectiveness of the QMS

-Confidence in compliance with regulations

-Identification of areas requiring attention

-Detection of areas of non-compliance and risk

-Reporting and certification that is valuable and recognized

Conclusion

ISO 13485 is the best internationally accepted model for a medical device organization to help demonstrate compliance to laws and regulations of the medical device industry.

Certified organizations are able to demonstrate the effective interconnectivity of their processes. It is essential to be able to demonstrate how outputs from complaints can feed into processes such as management review, improvement processes, Technical Documentation and risk management updates, etc.

KN CONSULTING AND SERVICES is a well-oiled marvel in the field of Medical devices regulatory consulting. We can provide you with flexible and detailed planning and consulting services suiting to your needs.