MDSAP will replace the current Canadian Medical Device Conformity Assessment System (CMDCAS) as a way to demonstrate quality management system compliance to ISO 13485 and the Canadian Medical Devices Regulations (CMDR). Australia, Brazil, Japan, and the U.S. are also participating in the MDSAP. Each regulatory jurisdiction is utilizing MDSAP differently depending upon how regulators are allowed to legally employ the outputs of such an internationally harmonized audit. Brazil, Japan, and Australia use the MDSAP audit report as a substitute for their regulatory inspectorates’ reports for medical device applications or authorizations, while the U.S. Food & Drug Administration (FDA) uses them as an alternative to its inspectorates’ audit reports for routine medical device inspections.
While January 2019 may seem far off, preparing for the MDSAP takes time and there are a limited number of authorized third-party auditing organizations (AO) available to conduct MDSAP audits. About five AOs are currently handling nearly 90 percent of all CMDCAS certifications—not nearly enough to meet the demand created by the Canadian MDSAP mandate.
The Perfect Storm
The world’s larger medical device manufacturers are setting internal mandates for their businesses, including compliance with ISO 13485:2016. Additionally, new European Union (EU) Medical Device and In-Vitro Diagnostic Device Regulations, published in May, require all medical devices be recertified to the new regulations in the next few years. Moreover, the new EU regulations dictate that all EU notified bodies become re-designated. With many of the MDSAP auditing organizations also being EU notified bodies, there will undoubtedly be a strain on resources to meet demands. These factors, as well as marketing pressures in jurisdictions such as China, Singapore, and Malaysia, will increase the volume of regulatory audit work as well as a potential backlog that could impact device manufacturers.
In response to this increased demand for authorized AOs and other global market and regulatory drivers, NSF Health Sciences Certification LLC applied to become an MDSAP auditing organization last year. The MDSAP Regulatory Authority Council requires auditing organizations have expertise in a manufacturer’s quality systems and product type and design, which limits the pool of entities qualified to become MDSAP AOs. This small band of AOs allows for easier enforcement of program requirements and inspires more confidence from regulatory authorities but it also may complicate efforts to find an authorized AO able to conduct required audits as the 2019 deadline approaches. Thus, it’s important for manufacturers to immediately move forward with their MDSAP preparations. There is no time to procrastinate. At the current rate of MDSAP adoption, a number of manufacturers will likely be shut out of the Canadian medical device market—at least temporarily.
A Logistical Nightmare
For years, manufacturers have complained that multiple annual regulatory audits interrupted and distracted them from their primary jobs. When I was at the FDA developing MDSAP requirements, a manufacturer shared a story that underscores the need for a single audit program. This firm employed 50 people at its small Asian facility. The FDA announced it was sending an investigator to perform a routine medical device inspection; as per procedure, the agency notified the Ministry of Health (MOH) in the home country of the manufacturing plant and offered to allow the MOH representative to shadow the FDA inspector. The MOH accepted and sent an auditor.
On the day of the FDA inspection, however, an EU notified body agent arrived to perform an unannounced audit. To compound the burden on this small manufacturing facility, the next day, a regulatory audit team from Kazakhstan arrived to perform its own audit. Ergo, four different audit teams representing four different regulatory authorities converged on this small facility at once, creating a logistical nightmare for both the facility managers and regulatory audit teams.
The international MDSAP was developed in 2012 to create a single audit system for multiple regulatory jurisdictions. The program covers ISO 13485 certification and other regulatory requirements beyond quality management systems (QMS), and provides various benefits, not the least of which are time and cost savings. MDSAP audits are becoming increasingly more popular and widely used globally.
In addition, through work-sharing and mutual acceptance among regulators while respecting the sovereignty of each authority, MDSAP allows regulatory resources to be used more efficiently, according to the FDA and MDSAP Regulatory Authority Council (RAC). The program also maximizes the use of existing conformity assessment structures and promotes the concept of greater alignment of regulatory approaches and technical requirements based on international standards and best practices on an international scale, the two regulatory bodies note.
The program allows sufficient regulatory oversight of medical device manufacturers while having minimal burden on industry, and it helps promote consistency, predictability, and transparency of regulatory programs through standardization.
Over the past decade, there has been a sharp increase in the number of regulatory authorities requiring their own audits. The number of emerging regulators placing medical device regulations into law has also grown during this time, and the volume of regulatory audits has mushroomed. Ideally, the MDSAP certificate and MDSAP audit report will be used by emerging regulatory schemes to prevent additional country-specific regulatory audits.
Efficient Yet Thorough
The MDSAP audit process ensures a single audit provides efficient, thorough coverage of QMS requirements covering:
- ISO 13485
- Brazilian Good Manufacturing Practices (ANVISA RDC 16)
- Japanese requirements (MHLW MO 169)
- FDA’s Quality System Regulation (21 CFR Part 820)
- Country-specific registration and licensing requirements
- Country-specific adverse event reporting requirements
- Other country-specific requirements beyond QMS
MDSAP also increases speed to market, especially in Brazil. In many jurisdictions, regulators lack the resources to perform required entrance-to-market audits. The MDSAP certificate or audit report replaces these regulatory inspections and allows manufacturers to enter multiple markets quicker.
The MDSAP audit model is economically efficient as it maximizes the auditor’s time and spares the manufacturer from lengthy and expensive individual audits for each of the five regulatory jurisdictions. In some countries outside of the consortium with premarket QMS requirements, the MDSAP certification can be shown as evidence of compliance to regulatory mandates.
MDSAP allows for more flexibility, since manufacturers can choose the third-party AO. Also, routine audits are announced and planned by both parties to accommodate schedules and avoid potential conflicts.
Finally, MDSAP is expected to improve the predictability of audit outcomes through:
- Enhanced auditing organization recognition criteria
- Monitoring of auditing organizations by participating regulators
- Use of a standard audit model
- Grading of any nonconformity using objective criteria to characterize the significance of the finding
- Reporting audit outcomes using a standard template
There are plenty of good reasons for companies to use MDSAP—the most notable being Canada’s requirement in 2019. Manufacturers must start preparing and scheduling their MDSAP audits now. Depending on the situation, it may take months to get ready for an MDSAP audit, assuming an authorized and qualified AO can be found.
Companies that aren’t already prepared for MDSAP, can get started by following four steps.
1. Learn about MDSAP. Enter “MDSAP” into any search engine for general information. Each of the five jurisdictions’ regulatory authority websites provide helpful information—the FDA site as well as Australia’s Therapeutic Goods Administration, Brazil’s ANVISA, Canada’s Health Canada, and Japan’s Pharmaceutical and Medical Devices Agency. The FDA website, which is the Regulatory Consortium’s official site, offers a comprehensive overview of the program while NSF.org highlights essential components and important details, including the MDSAP audit structure.
2. Conduct a Gap Analysis. Also known as a needs assessment, a gap analysis is used to determine what an organization must do to move from its current state—in this case, meeting existing medical device certification requirements—to a future standard (i.e. compliance with ISO 13485:2016 and any specific country requirements). MDSAP tools such as the Audit Model provide a process map to verify the inclusion/implementation of regulatory requirements following ISO 13485:2016.
The Audit Model and the Audit Model Companion Guidance document should not be relied upon for exact regulatory requirements because slight discrepancies exist. Instead, the model and guidance document should be used as a reference and an audit preparation tool. It is essential to read the regulations of the five jurisdictions for specifics on each. The FDA website includes an MDSAP Frequently Asked Questions document which is also quite useful.
3. Take Action Based on the Gap Analysis. Prioritize actions to address areas of greatest urgency first.
- Understand the regulatory requirements thoroughly to avoid mistakenly placed resources and insufficient implementation.
- Perform a proper root cause analysis wherever discrepancies exist to understand what and/or why something happened.
- Fix any problems and implement corrective actions to ensure they don’t recur.
- Use the “verification of effectiveness” process to ensure successful implementation. This process is widely misunderstood and often incorrectly performed, but it’s an essential step in analyzing QMS health.
- Acquire, leverage, and approve needed resources while ensuring that management understands the costs (time and money) needed to implement the requirements.
- Acquire necessary training for responsible parties.
- Assume ownership (along with top management) of the QMS.
4. Choose an authorized Auditing Organization. The FDA website includes a list of all AOs authorized to conduct MDSAP audits. Be sure to consider factors such as expertise, cost, availability, and experience. Schedule the audit no later than September 2018 in order to ensure ample time to utilize that audit for Health Canada Licensing purposes.