MDSAP Success and Failures Guide

MDSAP: Success and Failures
By Danny Kroo,
Docusys Corporation
August 31, 2022
Copyright Docusys Corporation 2022

Agenda
• Introduction to MDSAP
• MDSAP process with Auditing Organization
• Common Failures with MDSAP audits
• How to be Successful with MDSAP audits

Introduction- About Danny Kroo
• President of Docusys Corporation- Assisting organizations to comply
with quality management and regulatory affairs.
• Documentation , implementation and training services
• Internal audit services (ISO 13485:2016, MDSAP, EU MDR, ISO 9001,
AS9100, AS9120)
• Medical device lead assessor for notified body
• Created a course at McGill University Biomedical Engineering
department “Medical Devices: Regulatory affairs and Quality
Management

What is MDSAP?
Medical Device Single Audit Program ( MDSAP) is a regulatory audit
program that was jointly developed by several jurisdictions.
It allows a medical device manufacturer to have a single quality
management system audit to satisfy the requirements of all
participating regulatory authorities.

Participating Members

• MDSAP Official Observers:
• European Union (EU)
• United Kingdom's Medicines and Healthcare products Regulatory Agency
(MHRA)
• The World Health Organization (WHO) Prequalification of In Vitro Diagnostics
(IVDs) Programme
MDSAP Affiliate members are:
• Argentina's National Administration of Drugs, Foods and Medical Devices
(ANMAT)
• Ministry of Health of Israel (NEW)
• Republic of Korea's Ministry of Food and Drug Safety
• Singapore's Health Sciences Authority (HSA)

MDSAP Program Objectives
• Develop, manage, and oversee a single audit program that
will allow a single regulatory audit to satisfy the needs of
multiple regulatory jurisdictions
• To promote greater alignment of regulatory approaches and
technical requirements
• To promote consistency, predictability, and transparency of
regulatory programs

MDSAP Benefits
Single Audit used instead of multiple separate audits/ inspections by
participating regulatory authorities:
Reduction of Number of audits/ inspections
▪ Optimization of time and resources spent/used in audits activities.
▪ Reduction of audit costs
Flexibility : Medical device manufacturers are free to choose among all
authorized auditing organizations to perform the audits.
▪ Routine audits are announced and planned with the manufacturer.
▪ Audits performed by auditors who know the company already
(certification bodies)

MDSAP Benefits
Improved predictability of audits’ outcomes :
▪ Auditing organizations monitored by the participating Regulatory
Authorities,
▪ Usage of a standard MDSAP audit approach
▪ Usage of same grading process of nonconformities
▪ Usage of standard report template to report audits’ outcomes
Commitment to quality and compliance : enrolling in the MDSAP is
considered as an evidence of a medical device manufacturers’ commitment
to product quality and regulatory compliance.

MSDAP Program Distinctions
• No additional requirements for manufacturers
• Single audit optimizes time and resources
• Routine audits are scheduled/planned with AO
• Expected to improve predictability
• Expected to add additional Regulatory Authorities
Criteria ISO 13485 MDSAP
Program Customer Manufacturer Regulator
Output of success Certificate Report & Certificate
Auditing Organizations Qualification Competent Body Regulators
Nonconformance grading Major/Minor 1, 2, 3, 4, 5

MDSAP Overview
Use of outputs of MDSAP audits
Australia Brazil Canada Japan USA
Use as part of evidence
to assess compliance
with MD market
authorization
requirements
Input for ANVISA’s
premarket and post-
market assessment
procedures
Concurrent with
CMDCAS until ends in
late Dec 2018
Report might be utilized
for a desk review for
class 2,3,4 in lieu of a
premarket inspection
performed by PMDA or
registered certification
bodies in Japan
Substitute for Routine
Inspections only.
Not for PMA, “For
Cause” or “Compliance
Follow-up”
Audits in lieu of ANVISA
inspection to grant
GMP certs for class 3,4
Use of certificate for
obtaining/maintaining a
Class 2,3,4 device
license
Report might also be
utilized for periodic
post market inspections
Report review with
scrutiny on significance
of findings
For renewal of ANVISA’s
GMP certs bi-annually
From January 2019,
Health Canada will only
accept MDSAP
certificates
Reports will be used in
review of on-site
inspection for eligible
sites so as to obtain a
QMS certificate
May use Warning Letters
if conclusion of
imminent/unreasonable
risk to public health

MDSAP Structure
Manufacturers
NCs/CAPs
Auditing Organizations
Audits NCs/CAPs
Regulatory Authorities
Assessments Reports

MDSAP Audit Cycle
• Three Year Audit Cycle
• Initial Audit (Stage One & Stage Two)
• Surveillance Audits (Years 1 and 2)
• Re-audit (Recertification Audit)
• Note that not all Regulatory Authorities require “certificate”
• Other Possible Audits
• Special Audits
• changes, nonconformances, suppliers, post-market issue follow-up
• Audits by Regulatory Authorities
• Unannounced Audits (to close major nonconformances)

MDSAP Requirements
• ISO 13485 plus applicable Country-specific requirements
• A separate report is required per site.
• To recommend certification to MDSAP all applicable processes
and jurisdictions must be audited.
• There is no sampling of design and manufacturing sites
permitted in the MDSAP program.
• All RA’s in the program get copies of submitted reports

MDSAP Process Based Approach
Different from the traditional checklist-style audit.
Similar to FDA’s QSIT (Quality Systems Inspection Technique)
Auditors assess the conformance of a process to regulatory
requirements and effectiveness of the process in producing the
desired results.
This approach reviews individual processes and the
interrelationships and connections between them, which allows
organizations to understand both their level of conformance and
the effectiveness of their quality management system (QMS).

MDSAP Process Based Approach
Auditing organization (AO) will:
▪ review procedures,
▪ map the process, and then
▪ ask auditees about the process to determine if their responses align
with the procedure and if the process is effective in achieving desired
results.
▪ analyze process performance against targets (e.g., nonconforming
parts, product defects, product quality, and reliability targets) and
planned results.
▪ evaluate the handling of process/product nonconformities and
effectiveness of the resulting corrective and preventive actions.

MDSAP Audit Sequence
Purpose of the sequence- to provide a logical, efficient roadmap for AO
and ensure consistency across auditors.
The audit sequence contains :
Four primary processes (Management; Measurement, Analysis, and
Improvement; Design and Development; and Production and Service
Controls),
An enabling process(Purchasing), and
Two supporting processes (Device Marketing Authorization and Facility
Registration, appearing in two spots below, and Medical Device Adverse
Events and Advisory Notice Reporting).

Each MDSAP process area includes:
• Audit objectives and
• A series of tasks that auditors use to determine compliance with ISO
13485 and
• Applicable regulatory requirements of the countries participating in the
program (Australia, Brazil, Canada, Japan, and the US).

Audit sequence:
Start and end each audit with the management process.
Perform the audit tasks within each process area to determine if the process
outcomes and purpose are achieved.
Focus on linkages between processes (interrelationships).
Assess risk control activities throughout the audit.
Document nonconformities, paying special attention to the potential
interrelationship of nonconformities.

MDSAP
• Uses GHTF Document
SG3/N19:2012 - Nonconformity
Grading System for Regulatory
Purposes and Information Exchange
• Definition of nonconformity
unchanged – non-fulfillment of
requirement
• Creates a quantitative grading
system
Nonconformity Grading

MDSAP Nonconformity Grading - Final
Maximum grade is a 5.
QMS Impact
Direct
3 4
Absence of Process
or Procedure +1
Indirect
1 2
Led to
Nonconforming
devices on market
+1
First Repeat
Occurrence Escalation Criteria

Failures
1. MDSAP is a regulatory audit not just for ISO 13485:2016
Some organizations just believe that MDSAP is ISO 13485:2016 + regulatory
requirements
Organizations need to adjust their own internal audit process to better align
with the MDSAP audit.
2. Clarify scope and role of organization depending on jurisdiction
3. Change Control (4.1.4) is an area where new organizations to MDSAP have
issues. Changes are reviewed when auditing each of the processes.

Failures
4. Outsourcing and purchasing controls. Example outsourced production-
auditor expectation is to review production records. Same with design.
5. Meeting regulatory requirements and addressing new regulatory
requirements.
- example: Biocompatibility testing on material but should be done on
sterilized product
-Incomplete standards referenced. Electrical device without IEC 60601.

Success factors- Preparation
1. Train key staff and process owners on MDSAP requirements
2. Document basic Regulatory Requirements from Each of the Five
MDSAP Jurisdictions that are applicable to your QMS. Could cover the
presence of technical documentation, and compliance with vigilance
and incident reporting regulations.
3. Perform a thorough audit covering all the design and production tasks
for the product selected. If there are 2 products that are candidates
for selection, audit both of them.
4. Spend time auditing the previous CAPA issued at MDSAP audits and
previous internal audits.

Success factors- Preparation- Internal audit
1. Perform an internal audit simulating the sequence and task questions.
Allows auditees the chance to practice to answer questions and
understand the thought process for audit trails.
2. When selecting the product in design or production, select the ones that
had changes since the last audit or are considered the highest risk. If all
are same risk class, select the product that is sterile or was not audited in
the previous audit.
3. Perform a thorough audit covering all the design and production tasks for
the product selected. If there are 2 products that are candidates for
selection, audit both of them.
4. Spend time auditing the previous CAPA issued at MDSAP audits and
previous internal audits.

MDSAP Audit Preparation Tips
• Create your own report card. Examine your past nonconformities from
your AO and internal audits, and grade them using the MDSAP
nonconformities grading system. This will give you an internal report card
that can be useful in elevating the importance of the initiative to
management if resources are scarce.
• Open a CAPA for gaps and be sure to make progress. Even if an AO finds a
nonconformance during the audit, having a CAPA in progress minimizes the
sting as long as the appropriate containment is effective.
• Be prepared to address regulatory issues. MDSAP audits have a broader
scope that pulls regulatory into the fray. You will be asked questions related
to your registration processes, adverse event notification system, how
regulatory strategy impacts product design, and more. Expect a heavy
emphasis on risk! Make sure you have someone from Regulatory on your
audit team.

Success factors- Preparation- MDSAP audit
1. Train several persons to work on retrieving documents- back room.
2. Stage the documents and records that will be asked for fast retrieval.
3. Review the MDSAP audit schedule and ensure that you have someone assigned
to answer questions on each topic. Translate the audit tasks.
4. Ask everyone assigned to respond to auditor questions to read through the tasks
in the Audit Approach document.
5. When an issue comes up , ask the auditor to clarify and indicate what task is
being audited.
6. Do not argue with the auditors, ask questions to better understand the issue,
the requirement and the origin of the requirements.

What to Expect
• Stage 1 audit focused on evaluating your QMS documentation.
• Will want to see if you are prepared for the stage 2 audit, during which
they will assess your actual compliance with ISO 13485 plus the specific
nuances of the United States, Japanese, Canadian, Australian and Brazilian
QMS requirements.
• In years 1 and 2 following your initial certification audit, the AO will
conduct surveillance audits focusing on any changes to your products or
QMS processes during the previous year.
• After three years, the AO will return to conduct a recertification audit. The
surveillance audits differ from your initial certification audit because they
will focus on evaluating your ability to continue meeting QMS
requirements under the MDSAP.
• After that, the cycle continues—two annual surveillance audits followed by
a recertification audit.

Managing the Initial Certification Audit
• Likely have two auditors at your door who will probably split up,
which means you may need to have two escorts, two sets of subject
matter experts (SMEs), and maybe even two conference rooms
available.
• Recommend having only one “back room” where you store
documents for easy access and so you can compare notes on where
each auditor is going.

Managing the Initial Certification
• Use the published MDSAP Audit Approach to figure out where the
auditor will go next. Remember that this is their guide and by
studying it you can anticipate which links might be followed and what
questions may come next.
• The audit is timed, with very specific durations for each process. This
means you have to produce documentation very quickly. Consider
pre-printing documents or using a dedicated folder with electronic
versions that can be quickly accessed.
• Also, if you have some physical documents that are available only in,
for example, your supplier, call ahead for the documents.

Maintaining MDSAP Compliance and Being Mindful
of the “Process Approach”
• After you (hopefully) pass your initial certification audit, you’ll need
to adjust your ongoing internal audits to align with MDSAP.
• MDSAP audits follow a process approach. This means an AO auditor
may follow linkages and threads, whereas an internal auditor will
usually look at one functional area at a time.
• For example, if an AO auditor is examining Receiving and Inspection,
he/she may ask about process inputs such as where the testing
methods and specifications originate. The answer is likely Design, so
the auditor may decide to visit R&D next.

Internal Auditing Issues- Qualification of auditors
• Some medical device companies have an auditing department at the
enterprise level that audit many sites within the organization.
• They can simulate the MDSAP schedule and be at one site for a week, and
then not return for a year.
• Smaller companies really have to organize and plan so they can cover all
the processes that will to be addressed during the actual MDSAP audit. The
key is to plan and document the rationale for your approach. Smaller
companies sometimes outsource the audit due to resource issues.
• Qualification of MDSAP internal auditors for various jurisdictions is
sometimes difficult to prove. Training and/or outsourcing are potential
solutions.

Audit Approach- Take Note
1. Does not contain the actual requirements from the various
regulations. Auditors must have access to the applicable regulations
from each of the five MDSAP countries in order to make compliance
determinations.
2. Does not necessarily refer to all of the requirements that apply from
the individual participating countries e.g. need to validate spreadsheets
that contain Quality Records.
3. There are no references (within the body of the text) to additional
regulations, from individual countries, that may apply e.g. 21 CFR Part
11 for Electronic Records and Electronic Signatures

Audit Approach

When receive schedule

Look at MDSAP Audit Approach document to verify the tasks

Tasks in Audit Approach Example

Summary- Keys to Success
• Planning
• Organizing documents and records to be easily retrievable for the
audit
• Reviewing the tasks in Audit Approach
• Conducting a Gap Analysis
• Ensure that any previous MDSAP nonconformities have been
resolved.
• Ensure that regulatory requirements are documented.

Contact Information
• LinkedIn Danny Kroo
• Website: www.docusys.ca
Do not hesitate to contact me to ask questions.
There is no charge or obligation

Thank you
for your
attention

MDSAP Success and Failures Guide

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to MDSAP Success and Failures Guide

Similar to MDSAP Success and Failures Guide (20)

More from Greenlight Guru

More from Greenlight Guru (20)

Recently uploaded

Recently uploaded (20)

MDSAP Success and Failures Guide