Medical device RA/QA professionals look forward to the day when MDSAP audits are routine and well understood. That day will come, but today everyone is still trying to figure out the Medical Device Single Audit Program. Canada has taken a leadership role in requiring MDSAP certification for companies wanting to sell in Canada after January 1, 2019, and the other MDSAP participants—the United States, Japan, Australia and Brazil—are likely to follow suit.
The challenges of preparing for an MDSAP audit are substantial, but so are the long-term benefits. One audit will allow you to meet the quality requirements of five major regulators.
Many people ask whether an MDSAP audit is more like an FDA inspection or a Notified Body audit. The answer is yes. Confused? Think of it this way: If an FDA inspection represents vanilla soft-serve ice cream and an ISO 13485 audit represents chocolate soft-serve ice cream, an MDSAP audit is a swirl cone with regulatory sprinkles on top. And if you don’t act quickly and approach it the right way, you’ll end up with a real mess on your hands.
What to Expect
A quick primer: The MDSAP certification cycle is actually a series of three audits conducted over a three-year period. Your first certification audit will be a comprehensive look at your quality management system conducted in accordance with ISO/IEC 17021-1:2015. There are two initial stages: stage 1 and stage 2.
The Auditing Organization (AO; note that many AOs are also European Notified Bodies) will first conduct a stage 1 audit focused on evaluating your QMS documentation. Basically, they want to see if you are prepared for the stage 2 audit, during which they will assess your actual compliance with ISO 13485 plus the specific nuances of the United States, Japanese, Canadian, Australian and Brazilian QMS requirements. Your stage 2 audit may occur the day after your stage 1 audit, or weeks later.
In years 1 and 2 following your initial certification audit, the AO will conduct surveillance audits focusing on any changes to your products or QMS processes during the previous year. After three years, the AO will return to conduct a recertification audit. The surveillance audits differ from your initial certification audit because they will focus on evaluating your ability to continue meeting QMS requirements under the MDSAP. After that, the cycle continues—two annual surveillance audits followed by a recertification audit.
To their credit, the regulators are not hiding anything about what you can expect during an MDSAP audit. Everything is spelled out in the 82-page MDSAP Audit Model. This comprehensive guide contains seven chapters and all 90 questions you will be asked during the audit. Perhaps the most helpful feature of this document is that each question contains cross-references to specific relevant sections of ISO 13485:2016, 21 CFR Part 820, and so on. Another useful guide is the MDSAP Companion Document, which contains the entire contents of the Audit Model and adds some guidance for the auditors.
More good news: You don’t necessarily need to worry about total compliance for all five participating countries. For example, if you do not sell devices in Japan, you will not be held accountable for meeting Japanese requirements during the audits.
MDSAP Audit Preparation Tips
If you have already scheduled your MDSAP audit with your AO, the following are some tips on how to prepare.
Managing the Initial Certification Audit
An MDSAP certification audit can be surprisingly rigorous, so don’t be complacent. Remember, this is not a typical FDA inspection with a few additional questions about Canada, Brazil, etc. Many companies have endured initial certification MDSAP audits ranging between 1 and 2 weeks long. And you’ll be delighted to know that if your AO is also your European Notified Body, you may be able to schedule your EN ISO 13485:2016 audit the following week. Oh, the fun….
During your MDSAP certification audit, you’ll likely have two auditors at your door. They will probably split up, which means you may need to have two escorts, two sets of subject matter experts (SMEs), and maybe even two conference rooms available. We recommend having only one “back room” where you store documents for easy access and so you can compare notes on where each auditor is going. Don’t be surprised if an observer from the FDA, Health Canada or Brazil ANVISA also shows up. As part of the recognition process for AOs, regulators will observe three audits plus one each following year to maintain the AO’s recognition. It’s important to understand that the observer is there to assess the AO, not audit you. During the audit, make sure you address the auditors and not the observer. Also, put yourself in the shoes of the AO auditor—having an FDA representative looking over your shoulder is pretty stressful.
Make sure you use the published MDSAP Audit Model to figure out where the auditor will go next. Remember that this is their guide (it’s not a secret!), and by studying it you can anticipate which links might be followed and what questions may come next.
The audit is timed, with very specific durations for each process. This means you have to produce documentation very quickly. Consider pre-printing documents or using a dedicated folder with electronic versions that can be quickly accessed. Don’t “wing it” and hunt for documents on your company intranet while displaying your search attempts for all to see on the conference room screen.
Also, if you have some physical documents that are available only in, for example, your Australia office, make sure you have RA/QA colleagues on call to retrieve them. Plan ahead.
Maintaining MDSAP Compliance and Being Mindful of the “Process Approach”
After you (hopefully) pass your initial certification audit and have taken that well-earned celebratory vacation to Tahiti, you’ll need to adjust your ongoing internal audits to align with MDSAP. Remember that ice cream analogy we used earlier? Your internal audits will need to adjust from plain vanilla to a swirl.
MDSAP audits follow a process approach. This means an AO auditor may follow linkages and threads, whereas an internal auditor will usually look at one functional area at a time. For example, if an AO auditor is examining Receiving and Inspection, he/she may ask about process inputs such as where the testing methods and specifications originate. The answer is likely Design, so the auditor may decide to visit R&D next. If you did that during an internal audit, the R&D manager would say, “Hey, our audit isn’t supposed to happen until September. Why are you here now?”
Unlike an AO certification audit, where cooperation is not a choice, following the process approach during internal audits can be disruptive and annoying to co-workers. With that reality in mind, you can still have an annual program with a schedule, but keep really good notes so you can pick up threads left dangling from the last audit.
Typically, in internal audits we see nonconformities that might be related to multiple areas or processes. You might choose to write up two nonconformities or, rather than “double-dipping” and writing a nonconformity for each area, you might write one and link them. Each organization will have to determine their process, keeping in mind that the number of nonconformities from an internal audit might trigger an escalation to management. So, if your process changes and you decide to write more nonconformities, make sure management and the rest of the organization understand and recalibrate for the new escalation triggers.
Short-Term Pain, Long-Term Gain
Some large medical device companies have an auditing department at the enterprise level. These auditors travel around and audit many sites over a year. They can mimic the MDSAP schedule and be at one site for a week, and then not return for a year. Smaller companies really have to organize and plan so they can cover all the processes that will be addressed during the actual MDSAP audit. The key is to plan and document the rationale for your approach.
Passing the initial certification audit may stress many quality managers, but maintaining compliance is the primary concern of Auditing Organizations. This is becoming a bigger issue, because many Auditing Organizations are asking companies to demonstrate that their internal auditors are qualified to maintain MDSAP compliance. Even if you have done dozens of internal ISO 13485 or FDA QSR audits, proving proficiency in MDSAP can be difficult. You cannot simply say you read the MDSAP Audit Model or each participating country’s regulations. In anticipation of this question, you may want to plan ahead. Several companies offer MDSAP training but, if you are an internal auditor, you may want to look for MDSAP internal auditor training classes that will give you some sort of certification or proof that you are properly qualified to maintain MDSAP compliance. This can be very useful for showing AOs who may ask about this. Armed with training and a plan, you’ll be ready for any audit!