by ALAN SCHWARTZ
The Medical Device Single Audit Program (MDSAP) is a new medical device auditing plan with potential for several advantages. This discussion addresses an actual MDSAP audit experience and demonstrates how the organization dealt with its complexities. The MDSAP program is described including country involvements. Audit personnel and experiences are discussed. Example documents are described. An example hourly schedule is presented. The observation rating system is described and example audit finding are presented. Differences compared to and FDA audit are considered. The MDSAP is the biggest change in medical device regulations since the introduction of the European MDD in the 1990’s. Time will tell whether MDSAP will ultimately lead to a better quality in design, manufacturing, and regulatory control.
The Medical Device Single Audit Program (MDSAP) is a new plan in the final year of a three-year pilot program. This plan will likely become permanent beginning in 2017.
The MDSAP is a manufacturing compliance single auditing program spanning five countries: MDSAP enables one audit covering the quality system requirements for the five different countries to achieve one accepted certification.
We recently assisted one of our clients in preparation for an upcoming MDSAP certification audit. This discussion provides insight into the MDSAP certification audit and demonstrate how one of our clients dealt with this complex audit program.
The MDSAP pilot is designed to allow accredited auditing organizations to conduct a single audit of a medical device manufacturer. The regulatory authorities currently participating include United States (still in pilot); Canada; Brazil; and Australia. Japan is acting as official observers and active participants in the Pilot Program Regulatory Authority Council and subject matter expert groups. It appears that the EU will also join this group in 2017. If the EU joins these five countries under this single audit project, this single audit alone will cover 3/4s of the world medical device market.
The MDSAP is still in the trial stage this year. It is therefore also the first MDSAP audit for all participants, auditors, witnesses, and for the particular manufacturer in this scenario. The preparations took a lot of effort for the lead auditor and auditing team to cover all aspects of the checklists. The manufacturer joined the program voluntarily this year to get acquainted with the audit in its early stage — the process will become mandatory from January 2018. This will expectedly begin with the Canadian CMDCAS, followed by the other regulators.
FDA is planning to accept this third party audit only if the audit is a surveillance audit and not a compliance audit, i.e., if there were any outstanding or pending regulatory actions such as a warning letter in place.
Once this program is finalized, the MDSAP audit will be the accepted third party audit in lieu of the ISO13485 with the various country additions. Eventually it is intended that this one audit will cover all aspects of each participating country requirements.
The following describes audit activities for the client we assisted in China. The site manufactured a physical measuring device with a Class II medical device classification for the U.S. FDA and Type IIa for the CE mark. The company has over 500 employees at the China site. The certified body the client selected for this audit was from Germany, the same auditing organization the company used for their ISO13485 certification. The company had been previously certified for the Canadian CAMCAS, and audited by Brazilian and Japanese government agencies permitting exportation to all three countries. They thus had experience with the various government agency requirements.
The auditing team was aware of the complexity of the audits including logistics. Because of the pilot program status, there were three auditors and three observers, including two from the Health Ministry of Japan and one from the Australian TGA. FDA did not send an observer for this audit. The auditors also brought two interpreters. In all, there were eight guests for the visit.
Because of the amount of auditors, guest observers, and interpreters, the company was asked to have three rooms set apart for use by each auditing group to prevent interference with each other while reviewing and discussing various points of their inspections. Visits to the product floor included an auditor, possibly an interpreter and/or observer, and the company QA staff representative. The QA Manager and a company observer were present as they became available. It was a crowded area especially when there were two groups in the same area simultaneously, as well as inhibiting for the production staff.
The company logistics were also complicated. The company had a Manager of Quality Assurance and several QA staff. The strength of the company system was the QA Manager. Their strategy was to have the Quality Assurance Manager be available to each of the three auditor teams to assist and respond toquestions and to address areas of concern; this approach proved to be the best system for such a complex audit.
There was also a “war room” where all device documents were so that they could be available and reviewed as requested. This expedited the review process and also assisted in checking for document control.
To allow for a smooth transition, the auditing team supplied an auditing schedule, outlining which auditor would be doing what section of the operations, as well as which regulations would be audited. The audit checklist was 36 pages long, and color coded. The auditing team also asked for three pre-audit conference calls (stage 1 audit) to cover certain parts of the checklist by remote document review.
This was sent by the notified body:
As you can see, the “Audit Objectives: covered a long list of government compliance.”
EXAMPLE AUDIT SCHEDULE
The audit schedule was intricate as well and required a list of acronyms:
This was part of what the audit schedule looked like:
The document lists all the additional criteria required to be covered for each specific government regulations that is supposed be audited when covering that area.
The audit was like a road race for the QA Manager. During that time, the war room was working overtime in trying to collect the multiple documents being requested by the three auditors.
Maintaining the time schedule was difficult for the auditors. The time needed to get from the general offices to the manufacturing plant had not been considered. However, the auditors continued to follow the audit plan, which included dealing with each of the individual country requirements.
You can expect a very large conference for the “close out” meetings each day. Once this program is accepted by all the countries, observers should not be required.
Even with the large scope of the audit, it is important to note that the findings of an
MDSAP audit will be accumulated, which will further compound the auditing criteria. This means an observation in any of the ISO standard clauses has a grading from 1- 5, 1 being lowest and 4 or 5 as a critical grade. Critical means 2 x grade 4 or 1 x grade 5 – in that case the respective regulator(s) will be notified immediately, for them to decide further actions, corrective actions or even a follow up audit. Even if, in one of the standard clauses a lower grading was found (1 – 3) and stated in the audit report, if in the same standard clause another finding will be discovered in a subsequent surveillance audit, it will be automatically graded one level up. Only when in two of the following audits there is no more finding in the particular standard clause, the finding will be erased from the report. On a positive note, this makes the MDSAP very effective over time, more so than any similar auditing program.
EXAMPLE AUDIT FINDINGS
Here are some examples of the audit findings
Audit Findings – Summary
§ Total number of Non-conformities:
– Grade 01: 02
– Grade 02: 00
– Grade 03: 00
– Grade 04: 00
– Grade 05: 00
Audit Findings (01 / 02)
§ Clause and Regulation:
4.2.1 Documentation Requirements General (f) any other documentation specified by national or regional regulations. For each type or model of medical device, the organization shall establish and maintain a file either containing or identifying documents defining product specifications and quality management system requirements (see 4.2.3)
§ Non-Conformity Statement:
The organization missed to include all the documents necessary for the effective control of the processes especially those required by national and regulatory requirements
§ Objective Evidences:
– DMR – No revision control only approval date
– The current application procedure for products (ex: XXXX) to be sold to other jurisdictions does not sufficiently address the specific aspects of that country (ex:
Labeling / Essential Principles for Australia), the comparison table is insufficient/incomplete.
– TF for (XXX) – Manufacturer is “ABC Corporation”; IFU /
Labeling mentioned “CDE”; Certificate number in the DoC for TGA is outdated
§ Final NC Grading: 01
§ Rationale for the final NC Grading: In-Direct Impact of the QM System and this is a first time Non-conformity
Audit Findings (02 / 02)
§ Clause and Regulation:
[ISO 13485:2003: 4.2.1, 6.3; RDC ANVISA 16/2013: 5.1.2, 5.1.5; CMDR 14; MHLW MO169: 6, 24; 21 CFR 820.70(g), 820.70(f)]
§ Non-Conformity Statement:
Rubber mats on the work benches are not always grounded for ESD protection.
§ Objective Evidences:
In the production line E for production of XXXX, rubber mats between stating station no. 3 and repair station are not connected to the earthing circuit for ESD protection since those mats were replaced in 06-07.2016.
§ Final NC Grading: 01
§ Rationale for the final NC Grading: In-Direct Impact of the QM System
and this is a first time Non-conformity
Remarks (02 / 03)
§ Data Analysis: Non-conformity trends of the IR products exceeding the target of 5.0% are recurred, implemented the CAPA but the proposed implementation time was too long (need to ensure timely implementation)
§ Root cause analysis need to be completed first prior to proposing the Corrective action and Preventive action, (Ex: CAPA # CAR160823P001 of 04.08.2016: Correction and CA/PA done 05.08.2016; RCA done 23.08.2016)
§ Design plan update as appropriate when the design progresses and§
List of service providers need to be listed completely in the service providers list (xxxx) Rev 04 – last updated on 2016.03.26 (contained only MDI, XXXX (XXX), missed YYYY, AAAA, SSSS), however the qualification documents for YYYY was provided.
§ MDR determination form (ZZZZZ) used for determining reportable or not reportable for Australia, Brazil, Japan and FDA (Initially the form mentioned only FDA notification and does not mention about other jurisdiction) – form was however updated during the audit to reflect the other jurisdiction also. On the other hand, as for the US FDA acceptance of this third party audit, with all the additional company’s requirements, the time given to do the FDA QSR/cGMP concerns is minimal compared to an FDA inspection conducted by an FDA trained field investigator. Being a former US FDA investigator myself, and being involved with 100s of FDA inspections, my last being a company in Taiwan this past August, the FDA’s inspection approach to the audit with a completely different level of concern as to the safety of the device(s) manufactured by the company being audited. The FDA always agreed that the FDA audits were much more intense than ISO13485 audits and I can only imagine with the MDSAP audit concept the FDA should be very concerned as to the compliance to the FDA QSR/cGMPs especially the CAPA and design control requirements. The only time I can see the FDA agreeing to this type of audit would be on the low risk devices and with clients who have maintained their level of compliance through several years of FDA inspections. This would be limited.
The FDA foreign audit has each audit scheduled for 4 days to cover all aspects of the QSR. Since the main part of the MDSAP is the ISO13485 with additional FDA QSR issues (like MDR/Design Transfer and the CAPA procedures), it would be impossible for the MDSAP audit to give the same level of intensity as an FDA audit. FDA investigators are trained to audit differently than an ISO auditor – just as the term “FDA investigator” should signal the difference from the “ISO auditor.” The FDAs does not audit; they inspect and investigate.
The manufacturer in this case considers MDSAP as the biggest change in medical device regulations since the introduction of the European MDD in 1993 (CE-marking) followed by the new MDR next year. The future will show its effectiveness and acceptance in the industry and show as well if it will ultimately lead to a better quality in times of increasing cost pressure on all levels including design, manufacturing, and regulatory control.
The article was published on IVT Network website.