The FDA has added another document to the repository of documents for the Medical Device Single Audit Program (MDSAP), one which is based on a document from the Global Harmonization Task Force (GHTF). The new MDSAP guidance spells out a revised framework for scoring of nonconformities, but the section on written descriptions of nonconformities may represent the more important difference between the MDSAP and GHTF versions.
The latest MDSAP guideline, which is found in a webpage for all MDSAP documents at the FDA website, states that most harmonized inspection classification schemes rely on a binary descriptor of nonconformities. However, the guideline notes that the terms “major” and “minor,” when applied to nonconformities, do little to convey the nuances uncovered in these inspections. The two terms are defined in ISO 17021-1:2015, but this MDSAP update seeks to go beyond the major/minor binary, and gives regulatory authorities a more detailed look at the results of the inspection.
The new MDSAP guidance is based on the 2012 GHTF guidance for nonconformity grading systems, which highlighted the variations in how different regulatory entities dealt with deviations from a manufacturer’s quality management system (QMS). The GHTF’s version of a nonconformity grading system was based on the 2003 version of ISO 13485, the most recent version of which was published five years ago. ISO standards are eligible for revision every five years.
Written Description Requirements Elevated Under MDSAP
Section 5.1 of the MDSAP guidance, which describes written description of nonconformities, has a parallel in the GHTF guidance, but there are a number of meaningful differences. Some of the differences revolve around the available version of ISO 13485, but the MDSAP version is more detailed. There are several overarching recommendations regarding the description of nonconformities, such as that these descriptions should:
- Be clearly worded, and use precise language that allows the reader to comprehend the nature of the deviation;
- Be written so as to assist the manufacturer in identifying the cause of the nonconformity; and
- Document the records, samples and procedures examined during the inspection or audit, and provide details regarding any associated interviews.
The MDSAP guidance states that an identified nonconformity should be described with the language found in the 2016 edition of ISO 13485, or an alternative and applicable regulatory requirement. There is the possibility that more than one requirement applies to a given nonconformity, in which case the inspecting entity is instructed to choose the requirement that will result in the highest score. This last recommendation is not found in the parallel section from the GHTF document.
The MDSAP guidance also recommends that inspecting entities give preference to any QMS implementation requirements over documentation requirements. Intended or not, the net effect of these instructions is to amplify the characterization of noncompliance, and thus cast a more negative light on the manufacturing establishment.
There are some requirements that appear in both guidances, such as the handling of multiple examples or instances of a nonconformity. These can be combined into a single description of nonconformity, although combining is not recommended when the different instances originate from or relate to different aspects of a clause in the referenced regulatory standard.
The MDSAP guidance recommends that the description of observed or potential problems be directed to several inspectional subjects, such as the facility, the equipment, and manufacturing processes. Anything deemed a potential problem is based on a reasonable likelihood of occurrence, which is in turn based on observed conditions or events. Beyond this characterization, the meaning of the term “potential problem” seems to be a judgment call for the inspecting entity.
Scoring Hinges on Direct Versus Indirect Effect on QMS
The first step in the system for grading nonconformities in the MDSAP guidance is to determine whether the nonconformity exerts a direct effect on the QMS. Clauses 4.1 through 6.3 of ISO 13485 are the reference point for nonconformities with an indirect impact, with the exception of clause 4.2.3. Deviations from these requirements are generally analogous to the minor nonconformities as described in the 2015 version of ISO 17021. Clause 4.2.3 is the exception because device files include information on matters such as device design and production processes, and thus have a potential to directly affect the QMS.
In contrast, deviations from ISO 13485 clauses 6.4 through 8.5 are seen as having a direct effect on design, manufacturing and controls, and thus may implicate device safety. The exception to this range of clauses is 8.2.4, which is for internal audits. With the exception of 8.2.4, these would be analogous to major nonconformities per ISO 17021, because there is significant doubt as to whether affected products will meet pre-specified safety and performance requirements.
Deviations with an indirect QMS impact are assigned a starting grade of 1 while deviations with a direct impact are assigned a grade of 3, but there are several associated considerations. Among these are:
- The auditing organization would have to review, accept and verify any corrections made for nonconformities that would qualify as major nonconformities (or nonconformities with a direct impact on the QMS);
- A nonconformity can be elevated to a direct QMS impact when, for example, the QMS lacks adverse event reporting requirements for all regulatory jurisdictions where the product is distributed, despite that such an omission might ordinarily qualify as having an indirect QMS impact; and
- An indirect impact on the QMS may be inferred from a failure to follow internal requirements for revalidation of production processes, so long as that internal requirement is more stringent than seen in ISO 13485.
Nonconformities identified in audits or inspections conducted in the previous three years can add another score of 1 to the baseline score for direct or indirect effect on the QMS. This is the case also for nonconformities that led to the distribution of nonconforming devices. The limitation of three years for consideration of prior audits was selected because a longer term might capture conditions that do not reflect the current state of affairs at the audited site.
Another consideration in limiting the look-back to three years is whether a longer term might prove inefficient for audit purposes, but a repeat observation within that three-year window need not be additive to the facility’s score. If the manufacturer is still implementing the corrective actions from a prior audit and those corrective actions are on schedule, the auditor is instructed to refrain from tallying a new nonconformity. However, the auditor may issue a new nonconformity for a repeat finding it there is evidence that a completed corrective action has been ineffective in dealing with the deviation.
The guidance states that the maximum final score for a given nonconformity cannot be greater than 5 even when the scoring system yields a higher number. The final score also cannot be amended due to intra-inspectional corrections absent an appeal per clause 9.7 of ISO 17025. While the auditing entity must deliver a copy of the inspectional report to a requesting regulatory agency within 10 days of the request, the report need not be closed by that date. The reporting form typically used for MDSAP inspections, MDSAP AU F0019.2, does not provide a cumulative grade for the overall audit, however, apparently in an attempt to avoid tying a regulatory authority’s hands with regard to the results of the audit.