What is the medical device single audit program (MDSAP)?

The International Medical Device Regulators Forum (IMDRF) recognized that a global approach to auditing and monitoring the manufacturing of medical devices could improve their safety and oversight on an international scale.  This created the Medical Device Single Audit Program (MDSAP) and allows a recognized Auditing Organization to conduct a single regulatory audit of a medical device manufacturer that satisfies the relevant requirements of the regulatory authorities participating in the program.

To date, the MDSAP participating countries include:

• Australia (Therapeutic Goods Administration – TGA)
• Bazil (Agência Nacional de Vigilância Sanitária)
• Canada (Health Canada)
• Japan (Japanese Pharmaceuticals and Medical Devices Agency)
• United States (FDA)

The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Programme and the European Union (EU) are Official Observers, which means they are waiting for the results of the pilot MDSAP program to determine if it’s worth their while to sign on as an official partner.

When does MDSAP come into effect?

Starting January 1, 2019, if you’re selling medical devices into Canada, it’s not optional and you must be certified to MDSAP, or at the very least, show evidence that you are in the process of complying.

As part of the MDSAP auditing program, there are seven chapters an auditor must cover.  One of those chapters is specific to marketing authorization and facility registration, which also touches on two other chapters, management and design development.  An auditor will be specifically looking for the following:

1. Have you complied with requirements to register and/or license your device facility;
2. Did you submit device listing information;
3. Did you obtain device marketing authorization;
4. Have you arranged for assessment of changes and obtained marketing authorization for changes to devices or the quality management system which require an amendment to existing marketing authorization

You must have that information organized in a meaningful way that you can get to it quickly and show, objectively, that you fulfilled the requirements of MDSAP and all of the country regulatory requirements that fall under MDSAP.  That also goes hand-in-hand with ISO 13485:2016 where you need a controlled release of products into the appropriate jurisdiction.  If you’re trying to be a global leader or a global company, for that matter, in this day and age, you need to have a solid system in place to manage those marketing authorizations worldwide.

Controlled release of product

If you are selling out of the United States, you must comply with the laws of each importing country.  That simply means, no matter where you sell outside of the United States, you must meet the importing country’s requirements for marketing authorization. Your regulatory team and business need to be on point by having a robust regulatory system in place that upon product release, you’re meeting those specific requirements.  You must have a mechanism in place to ensure that you don’t release product prior to it being properly registered.

That mechanism starts during product realization.  Sales, marketing, customer service, engineering, operations, and regulatory teams must all be on the same page.  Often times, regulatory is perceived as the bottleneck to product release.  However, this is a misconception and is primarily driven by poor planning during the design and development process.

Auditing to MDSAP

Auditors are looking for the standardized process for controlling the release of the product and ensuring that the process has been adequately established and implemented within your facility.  MDSAP has a very rigid auditing process to ensure the proper market authorizations have been obtained and facility registrations have occurred.

When your company is audited, an auditor will request records from product outside of the MDSAP participating countries due to the broad jurisdiction of US and international regulations.  If the auditor finds issues with those products, they can draw that parallel to determine that your company doesn’t have a controlled product release process and you need to investigate to ensure there isn’t a systemic issue.  That means an audit observation and a corrective and preventive action (CAPA) plan need to be established to rectify the issue(s).

What does this mean for medical device manufacturers?

A regulatory professional’s job is worldwide nowadays, which means it is a lot of responsibility, burden and business risk that are on their shoulders.  Do you really want all of that being managed by excel files, outlook reminders, and disjointed processes?  It must be a fundamental, standardized process, ingrained into your quality management system, that you need in place in order to NOT run into any compliance issues.  Your organization must have a standardized process to ensure that your company is releasing good (and approved) product into the market while maintaining any changes to that product (and registration) while it’s in that market.

The requirement is not only that you get the marketing authorization, but you stay compliant when you’re already in that market. That means you must constantly be monitoring for expiring registrations, any type of design changes with your product, and how they affect your marketing authorizations within those countries.

From a quality management system standpoint, you need a good change control process in place that ties directly to your regulatory team. If you don’t have a good regulatory process now, you’re not going to have one later. It’s going to be too late, and the amount of information that your regulatory team must handle today is only going to increase. That’s why you must develop those systems now.

To learn more about the MDSAP, markets where it’s applicable, pros and cons of using MDSAP vs Regulatory Authority inspections, and audit sequence and grading, download our Ultimate Guide to MDSAP.