Understanding the Medical Device Single Audit Program (MDSAP) audit process

Eamonn Hoxey, BSI Group

The Medical Device Single Audit Program–MDSAP–was developed by the International Medical Device Regulators Forum (IMDRF) to conduct regulatory audits of quality management systems (QMS). Health Canada’s decision to require an MDSAP audit to maintain Canadian Device Licenses is leading to a rapid increase in use of the program.

There is a set formula to calculate the time allotted for an audit, based on the number of processes that are carried out. The MDSAP Consortium have recently updated the procedures for calculating the duration of an MDSAP audit. As a result, there could be reductions in audit duration for smaller manufacturers.

The MDSAP audit is based on 13485:2016 with the applicable regulatory requirements of the participating jurisdictions–Australia, Canada, Japan, Brazil, USA–included as areas of focus. The MDSAP Companion Document identifies the audit tasks that have to be covered and the links to the applicable regulatory requirements for participating jurisdictions. The training material for MDSAP audits is available on the US FDA website under CDRH Learn (go to Quality Systems – Inspections – Global Harmonisation). MDSAP documents are also publicly available.

An MDSAP audit uses a process approach, based on a foundation of risk management, to select samples of procedures and records to examine. The audit process is described in the MDSAP Audit Model. The audit focus is on how risks are identified and addressed. This is investigated using four primary processes and three supporting processes, in the following sequence:

• Management is the first primary process to be examined to assess the commitment of the organization’s Top Management to planning and implementing the quality management system. The supporting process of Market authorization and registration examines the maintenance of the necessary approvals, clearances and registrations. The relationship between the organization and the entity acting on its behalf in each jurisdiction is reviewed.
• Measurement, analysis and improvement is next. The processes for preventing and correcting nonconformities are assessed. Processes associated with nonconformance events will be highlighted for further evaluation. The supporting process of Adverse events and advisory notices is considered.
• The process for design and development is examined, focusing on recently introduced or changed devices and devices associated with nonconformance events. The application of risk management and the transfer of the output of design and development into production are areas of focus.
• Production and service controls are then reviewed, looking at how controls on production are planned and implemented.
• The Purchasing process supports all the primary processes and focuses on examples of the purchase of both goods and services identified as associated with highest risk activities, new product introductions or design changes. This also includes review of the adequacy of controls on processes outsourced to external parties.

Nonconformities are classified with a numerical classification from 1 to 5 using the grading system developed by the Global harmonization Task Force (GHTF).

Audits conducted to MDSAP follow this closely prescribed process of defined tasks that the auditors have to perform. Understanding this process and sequence that will be followed is important in being able to prepare for your audit effectively. There is additional material on the BSI website that can help you implement your transition to MDSAP.

Eamonn Hoxey, of E V Hoxey Ltd, UK, is a writer, trainer and consultant on a range of life science areas including regulatory compliance, quality management, sterility assurance and standards development.

The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of MassDevice.com or its employees.