MDSAP – Medical Device Single Audit Program: an Audit for the FDA and Four other Authorities

In this blog post, we explain what MDSAP is all about. We will explain its structure, process, and important aspects of preparing for this audit.

Are you interested in our services in the area of the Medical Device Single Audit Program? Then click here.

Medical Device Single Audit Program

What is MDSAP?

The abbreviation stands for Medical Device Single Audit Program. This describes an initiative led by various regulatory authorities to audit a manufacturer’s quality management system and the country-specific requirements of the authorities during a single audit. It is therefore a single audit to verify the requirements of all participating authorities. This program can reduce the number of necessary audits and make it easier to demonstrate compliance with various requirements.

MDSAP is therefore suitable for reducing the burden on authorities, as they do not have to audit all manufacturers themselves. On the other hand, it also saves manufacturers from a multitude of different audits, as the requirements of the currently five participants are reviewed in one comprehensive audit.

At a regulatory level, MDSAP corresponds to ISO 13485:2016 as a basis, in conjunction with the respective country-specific requirements of the members.

Which countries are participating?

  • Australia: Therapeutic Goods Administration (TGA)
  • Brazil: Agência Nacional de Vigilância Sanitária (ANVISA)
  • Canada: Health Canada (HC)
  • USA: Food and Drug Administration (FDA)
  • Japan: Ministry of Health, Labour and Welfare (MHLW) and Pharmaceutical and Medical Devices Agency (PMDA)

What are the challenges?

Manufacturers often face difficulties with initial MDSAP audits. The program is still quite new, and often there are no employees in the company with MDSAP experience. Thus, it is not entirely clear how the audit proceeds, how some requirements are to be interpreted, or how best to prepare. However, these difficulties are mainly due to MDSAP being relatively new.

Depending on the manufacturer and the specific characteristics of the QM system, additional content-related difficulties regarding the new requirements may arise. A QM system that is already very well developed may already address many aspects. However, smaller manufacturers, in particular, often find that a multitude of processes are lacking or that existing ones need to be revised.

MDSAP focuses heavily on purchasing and risk management. This is understandable, as final medical devices must be composed of something. They consist of goods or other products that were purchased beforehand. Thus, purchasing is the basis for the final product and is accordingly important for quality. Risk management is reasonably considered the foundation of a safe product in MDSAP and is therefore essential throughout the entire audit.

In the area of reporting incidents under MDSAP, suitable processes that enable correct reporting to the respective authorities are often lacking. All authorities have different requirements for how a report must be made, and this must be reflected at the process level.

As an interface between the permission to sell a medical device in one of the participating states and the reporting of incidents, contractual agreements with the distribution network are very important. Incidents can only be reported if one learns of them. This is where the agreements with distributors come into play. Every distributor in one of the participating states must be able to forward incidents to the manufacturer in a timely manner, and in the event of a recall, manufacturers and distributors must cooperate.

How Does an MDSAP Audit Work?

The audit usually consists of two parts. A distinction is made between Stage 1 and Stage 2.

During Stage 1, the manufacturer submits their entire quality management system for review. Subsequently, there is an opportunity to close any deviations found before Stage 2.

Stage 2 is the actual on-site audit at the manufacturer’s facility. During this audit, the audit sequence shown in the graphic is followed. The sequence is strictly adhered to. The areas of risk management and purchasing, as illustrated in the graphic, can be audited at any time, regardless of the sequence. This underscores the high importance assigned to these topics in MDSAP.

Since January 2020, there has been an option for the “Device Marketing Authorization and Facility Registration (DMAFR)” area to be audited remotely. This does not replace either the Stage 1 or Stage 2 audit. The on-site Stage 2 audit can thus be reduced, and only interfaces to other topics may need to be reviewed on-site (in relation to DMAFR).

Voluntary or mandatory?

Currently, the MDSAP audit is still voluntary. In Canada, it is already the basis for legally selling medical devices in the country. It is not excluded that other authorities or states will follow this approach.

For many manufacturers, MDSAP is also an interesting way to enter the US market. The MDSAP audit is intended to prevent the Food and Drug Administration (FDA) from appearing personally for an audit. FDA audits are still probably the most feared by manufacturers, and therefore, efforts are often made to avoid them. The path via the Medical Device Single Audit Program is a viable option. Of course, this does not prevent the medical device from having to be approved afterward, e.g., as part of a Premarket Notification 510(k).

MDSAP and Europe

It has often been discussed why the EU does not participate in the Medical Device Single Audit Program. In this context, it was mentioned that all capacities were currently blocked within the framework of the Medical Device Regulation MDR (and also IVDR). But that’s not entirely true. Strictly speaking, the MDR and IVDR are the basis for the EU to be able to participate (meaningfully) in MDSAP. Previously, there were the MDD and IVDD in the EU, but all member states had to transpose the directives into national law. For MDSAP, this would have meant that all national requirements of the EU member states would have to be reviewed in the MDSAP audit. Due to the large number of EU member states (27 in January 2020), this would lead to an excessively large scope in the audit to review the European requirements. With the introduction of the MDR and IVDR, the requirements between EU member states are becoming more uniform, and participation in MDSAP can be achieved more easily and effectively via the requirements of the MDR and IVDR.

Audit Preparation

Very important: Ensure that the affected employees have a comprehensive understanding of the Medical Device Single Audit Program. We have repeatedly found that employees who were supposed to prepare for the MDSAP audit did not actually fully understand what it was about. In such situations, a lot of valuable time is lost because employees cannot work in a targeted manner due to a lack of fundamental understanding of the topic.

Ensure that employees know how to structure a gap analysis effectively. If you have ever created such an analysis for an MDSAP project, you will know how extensive it is. This work must be targeted and structured. Due to the scope of the requirements, you will not only lose time, but your employees will also lose motivation. However, an MDSAP audit is truly exciting and a great experience for those involved, provided you prepare thoroughly and in good time.

As part of your MDSAP preparations, you should definitely conduct the aforementioned gap analysis. In doing so, you list on one side what requirements MDSAP places on the quality management system. You then compare these with the processes existing in your company and assess whether and to what extent the individual requirements are met. Proceed step by step and very carefully. The audit is very extensive, and due to the multitude of different new requirements, something can quickly be overlooked otherwise. You have, of course, already laid the foundation for the MDSAP audit if you are certified according to ISO 13485:2016. However, the country-specific requirements are often completely new and need to be meaningfully integrated into the existing process landscape.

Which documents do you need to know?

  • ISO 13485:2016
  • Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations – TG(MD)R Sch3
  • Brazilian Good Manufacturing Practices – RDC ANVISA 16/2013
  • Japan Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents – MHLW Ministerial Ordinance No. 169
  • Quality System Regulation (QSR) – 21 CFR Part 820

A detailed overview of all regulatory references you must consider can be found in the MDSAP Audit Model at the FDA. Since it is possible to exclude individual countries where you do not market products, these requirements are naturally not applicable to you. These requirements are then not part of the audit – However, you must specify this during audit registration and genuinely not place any products on the market in these countries.