The Medical Device Single Audit Program is one of the key cogs in the drive for medical device regulatory harmonization, and it represents a fairly significant lift for device makers accustomed to single-nation regulatory regimes.
The Medical Device Single Audit Program is one of the key cogs in the drive for medical device regulatory harmonization, and it represents a fairly significant lift for device makers accustomed to single-nation regulatory regimes. While a number of nations are not yet taking part, the MDSAP program offers tremendous benefits, principally by virtue of its reliance on ISO 13485 as a quality management system (QMS) standard.
Previously, we discussed the emergence of the MDSAP program at the International Medical Device Regulators Forum, which in conceptual terms was preceded by a cooperative inspection regime of the U.S. FDA and Health Canada. Participants in the MDSAP are undoubtedly hopeful that the European Union will soon come on board, but that hope must be tempered by the European Medicines Agency’s (EMA) ongoing implementation of a regulatory overhaul for both medical devices and diagnostics.
Despite that the EMA is not fully on board with the MDSAP, the agency recognizes ISO 13485 as a QMS standard. There are other incentives to take part in MDSAP, given that the FDA is also working toward adoption of the ISO standard as a substitute for Title 21, Part 820 of the Code of Federal Regulations. The five nations that are actively taking part in the MDSAP are Australia, Brazil, Canada, Japan and the U.S., which together represent a market of substantially more than 700 million potential and current patients. Indeed, the MDSAP is a very useful lever for sustaining and even expanding a device maker’s market reach, but one which requires an up-front investment of time and staffing.
MDSAP Process a Multi-Year Commitment
The standard MDSAP process for a device site that is new to the program requires some commitment from the manufacturer, as the first year of participation is followed by at least two more years before the cycle is complete. The cycle begins with an initial assessment by the auditing organization (AO), a stage at which the AO evaluates the manufacturer’s documentation at company headquarters and at any locations deemed critical to the manufacture of devices.
This is followed by the actual site audit(s), which will entail a thorough combing-through of the manufacturer’s QMS. As a first-time event, this audit may be fairly burdensome, more so than the surveillance assessments that follow. The second and third audits will evaluate only portions of the manufacturer’s QMS. In most instances, these post-initial audits will focus largely or entirely on any changes the manufacturer has made to its QMS since the initial audit.
Following the second and third audits, the AO will conduct a recertification or re-recognition audit, which again will be less intensive than the initial audit under most circumstances. There are exceptions, however, including instances in which:
- The manufacturer has made a large number of substantive changes to the QMS;
- The site of device manufacture has changed, or manufacturing sites have been added; and
- The audited organization was previously only a specification developer, but has added manufacturing to its activities.
The FDA’s MDSAP companion document spells out some of the country-specific aspects of an audit, although there are some aspects of ISO 13485 that are universal. Among the universal requirements are those for management representatives and for assignment of responsibility for various aspects of the QMS.
Several of the standards vary significantly from one nation to another, however, such as the requirement that a manufacturer determine the extent to which outsourcing might affect conformity to performance standards. More conspicuously, procedures for document control vary significantly by nation on a number of points, a list that includes:
- Australia, for retention of such records for five years;
- Brazil, for verification of electronic document backup;
- Japan, for retention of records for as many as 15 years in some cases; and
- U.S., for backup of electronic records without stipulating electronic backup.
Manufacturers that want to make use of the MDSAP program should of course conduct a gap analysis for compliance to 13485 generally, but should also examine the aforementioned nation-specific requirements as well. While the FDA has claimed on a number of occasions that the overlap between 13485 and Part 820 covers about 95% of each standard, the exceptions may require more attention to detail as these areas might prove more likely to trigger inspectional findings.
In addition to a consideration of MDSAP in current markets, manufacturers may also want to attempt to anticipate which currently untapped markets are of interest in the near term. A four-year projection might be appropriate as a means of heading off avoidably redundant compliance activities.
Regulators Vary in Their Use of MDSAP
While the MDSAP can be invoked for a wide range of manufacturing sites, its utility is somewhat limited in the U.S. For example, the FDA will not accept an MDSAP inspection in lieu of a pre-approval or post-approval inspection for PMA devices. For-cause and compliance follow-up inspections are also not covered in the FDA’s list of accepted MDSAP audits. Where routine audits are concerned, the agency will not reject an MDSAP audit over non-conformities that are related to portions of ISO 13485 that do not overlap with Part 820.
However, if the non-conformities are sufficiently serious based on a 2012 grading system by the Global Harmonization Task Force, the AO will advise the affected regulatory agencies, including the FDA. At that point, the FDA presumably retains the right to conduct a follow-up inspection if it deems the non-conformities sufficiently serious.
Other nations will consider the results of a successful MDSAP audit as part of a premarket assessment procedure, including Australia’s Therapeutic Goods Administration (TGA). In a July 2019 update, TGA said the requirements specific to Australia’s regulations have to be included in any MDSAP audit, and the acceptance of that audit is contingent on a demonstration of compliance with TGA requirements. TGA will accept other sources of ISO 13485 inspections and audits, but the two conditions listed both expire in May 2022, the compliance date for the EU’s regulatory overhaul. In contrast to the FDA approach, Health Canada requires MDSAP inspections for all uses, while the competent authorities in Japan and Brazil have indicated they will take MDSAP inspection reports into consideration for both premarket review and postmarket surveillance purposes.
The MDSAP program obviously comes with some costs, and it is not yet a mechanism that will allow a device maker to consolidate all its global inspectional liabilities into a single, tidy package. Nonetheless, industry has quite a bit to gain by taking part, particularly given that ISO 13485 seems to be clearing a path forward in several regions. Earlier this year, authorities in India advised that ISO 13485 certification will be required for device registration, while China’s National Medical Products Administration accepts MDSAP certifications in some instances. Another consideration is that the COVID-19 pandemic is making it difficult for regulators to conduct inspections, giving device makers yet another incentive to take part in the MDSAP.