Everything You Need to Know About the Medical Device Single Audit Program (MDSAP)

Maintaining regulatory and quality compliance across multiple markets is challenging. In addition to meeting stringent regulatory requirements, manufacturers must also submit to regular quality system audits. When operating in multiple markets, this often means a busy audit schedule that can distract from daily operations.

Auditors must also duplicate efforts when evaluating systems that have already been approved by another regulatory body with similar requirements. The Medical Device Single Audit Program (MDSAP) aims to make it easier for manufacturers to comply with harmonized global quality management system (QMS) standards and to reduce the resource burden on the industry as a whole. 

What is MDSAP?

MDSAP is a relatively new program that was started by the International Medical Device Regulators Forum. The program came out of the Global Harmonization Task Force, which is a group of international medical regulators who wanted to get better at coordinating requirements for getting QMS certifications for international companies.

The goals of the single audit program are twofold: to avoid spending duplicate regulatory resources across multiple countries, and to minimize disruptions of medical device manufacturers from multiple regulatory audits.

MDSAP was launched as a pilot program in 2013 and fully implemented in 2016 after a successful trial. The standard is built around ISO 13485 and is now current with the 2016 version. The audit structure is loosely similar to FDA’s Quality System Inspection Technique, using risk management data to help determine audit focus areas. 

Which countries participate in MDSAP?

There are currently five countries that actively participate in MDSAP. Although it’s a single audit program, each participating country adds requirements that are specific to its market:

• United States: FDA 21 CFR 820
• Australia: TGA
• Brazil: ANVISA RDC 16
• Canada: CMDR
• Japan: MHLW Ministerial Ordinance No. 169

Canada is the only participant that requires MDSAP certification to sell in that country. This is a significant driver for most multinational manufacturers to get certified. In the U.S., MDSAP certification allows manufacturers to forgo other routine FDA inspections unless there is cause. 

However, MDSAP certification doesn’t apply to any necessary inspections for premarket approval applications. In Australia, the Therapeutics Goods Administration (TGA) will use MDSAP to satisfy TGA requirements, considering MDSAP certificates as equivalent to a CE certificate. Brazil will accept MDSAP for initial audits, but the agency will still require its auditors to conduct ANVISA audits for higher-risk devices. In Japan, the Ministry of Health, Labour and Welfare and Pharmaceutical and Medical Devices Agency uses audit reports in both premarket and post-market audits under regulations. They will also accept MDSAP in lieu of an on-site Japanese Quality Management System audit.

Although they aren’t yet full participants, Argentina and South Korea can view audit results, but their requirements haven’t been added. In the EU, results of MDSAP surveillance audits may be used to streamline the MDR/IVDR audits of the QMS and allow the notified body to focus on other regulatory requirements of the MDR/IVDR, including clinical evaluation, post-market surveillance, and post-market clinical follow-up. 

How does MDSAP work?

MDSAP audits are performed by auditing organizations (AOs), which are private companies that meet MDSAP requirements for auditors. Manufacturers contract with an AO to perform MDSAP audits, and many AOs can also conduct ISO 13485 audits at the same time.

The MDSAP audit process encompasses seven key process elements:

1. Management
2. Device marketing authorization and facility registration
3. Measurement, analysis, and improvement
4. Medical device adverse events and advisory notices reporting
5. Design and development
6. Production and service controls
7. Purchasing

The impacts of risk management on all of these processes are also taken into consideration. Each section has specific questions that must be answered during the audit. This helps manufacturers prepare in advance because they know exactly what auditors expect to see. The actual audit involves going process by process with some interconnections, which guides the auditor and client through the entire MDSAP audit process.

Manufacturers can choose which countries they want to audit to, but if they have sales in a participating country, that country must be included. A predetermined amount of time, ranging from 15-44 minutes, is allocated to each task depending on its complexity. The duration of the audit is reduced if there is no sterilization, service, installation, or implants (each of which takes about 45 minutes), or design (which accounts for five hours). The duration is increased for critical supplier visits, which take four hours each, and outstanding NCRs, which are covered in 15 minutes each.

The renewal timeline for an MDSAP audit is similar to ISO 13485. Certification is valid for three years with an initial audit, and two surveillance audits and a recertification audit are required in that period. 

What are the benefits of MDSAP?

There are many benefits for manufacturers that choose to participate in the medical device single audit program. One of the primary reasons is to save time on audits. Every audit requires preparation, responses to questions, and remediation. When this process can be consolidated into a single audit, it reduces the burden on resources and frees up time for other priorities. There are also associated cost savings with a single audit versus multiple audits. 

With MDSAP, manufacturers can plan around a predictable audit schedule. The audit calculator tells you how long the process will take depending on your device, and the future audit schedule is known so you can allocate resources accordingly. The program also allows you to follow a prescriptive process that is very clear. There is no mystery about what is required, which reduces the number of questions when the process is followed closely. An added benefit is that you can build your QMS around the specific MDSAP questions to further increase your chances of success. 

Since Canada requires MDSAP certification, many manufacturers just take the extra steps to meet the requirements of the other participating countries and eliminate four additional audits. Most companies certify to all five participating countries to further save time and resources. When remediation is necessary, nonconformity findings are graded for severity, which allows manufacturers to easily prioritize efforts and allocate resources. 

For larger companies, one of the benefits is that audits are scaled solely on the QMS and not the number of employees or products. This often results in comparatively shorter audit periods because the audit duration is calculated based on the scope of the audit, not the size of the company. Audit duration is based on the elements to be covered in the audit (there are up to 90) and not on the number of employees (as in ISO 13485).

Of course, the industry also benefits by lowering the burden on regulators and getting products to patients into multiple markets faster.

How can RQM+ help?

RQM+ offers audit preparation, training, and mock audits for both MDSAP and ISO 13485. Our dedicated global audit team knows the MDSAP requirements inside and out. We also have former notified body leadership on staff, and some team members have been involved with MDSAP from the beginning, so we are familiar with what auditors expect to see. Contact us today to learn more.