What is MDSAP meaning? this means Medical Device Single Audit Program. I will explain to you all about it from Top to Bottom.
You are a Medical Device Company. All is going well for you.
- The doctors are happy to have your products as this is a good solution.
- Your patients are happy as their problem is solved.
- You are expanding in many countries and it’s marvelous.
But one day, you receive a notification for an audit from FDA as you are selling your product to the US.
What should I do? You should prepare for it. Some Audit Readiness should start.
And 2 weeks after, you receive another notification from ANVISA who wants also to audit you.
ANVISA is the Healthcare Authority for Brazil.
And at the same time, you know that you have your renewal audit for your CE and ISO 13485:2016 Certificate with your Notified Body.
And I forgot you need also to perform your internal audit as its required by the standard
Ok, now it starts to be a bit extreme but this was to put in context the MDSAP certification.
One of the solutions that were found was to create a single audit program called MDSAP.
This is to avoid a medical device company being audited by all the authorities regarding the same topics, regulation, requirements.
Below is a quick video to introduce you to the MDSAP Certification. And then we can dig in more details to understand MDSAP.
Learn MDSAP with this Video
Subscribe to my Youtube Channel to get notified of my next videos
Table of content
What is MDSAP?
MDSAP stands for Medical Device Single Audit Program. This is a certification.
It is coming from the collaboration of some countries in the world who decided to work together to implement a unique audit program.
The result of this audit can be used by all the countries that are part of this partnership.
With this solution, a medical device manufacturer can be audited only once. This will help to focus resources.
This program was implemented on the basis of the IMDRF MDSAP model. This was started as a pilot and now it goes to an Operation phase.
Some countries approved to be part of this program and the objective is to grow the list of countries that are accepting MDSAP Certification.
One interesting aspect of MDSAP is to harmonize some requirements. When before there could be some conflict between the regulation of one country or the other, now it’s more transparent for auditors and for manufacturers.
Imagine you receive 2 audits from 2 different Health Authorities.
The first one is raising a non-conformance and ask you to correct the issue immediately. You define an action plan that is accepted and you correct the problem as quick as possible to close your audit report.
And some months later after you corrected the issue, the second Health Authority raises the same observation as they don’t like your solution and want you to return to your initial state.
What to do?
This is why having a unique audit program will align the requirements for the manufacturer and avoid mistakes for his customers.
Share this article
Which countries are part of MDSAP?
There are 5 countries that accepted to participate in the development of this program:
- Australia: TGA
- Brazil: ANVISA
- Canada: HEALTH CANADA
- Japan: MHLW
- The United States of America: FDA
Why more countries are not involved?
As said previously, this was started as a pilot program so only a few countries accepted to be part of it at the beginning.
But many other countries are considered as observers. They are reviewing how this program goes so they can decide to be part of it later.
For example, the European Union decided to be an observer.
The main reason is that the European Regulation for Medical Devices in under a transition. The EU MDR 2017/745 and the IVDR 2017/746 will become effective respectively on May 26th, 2020 and May 26th, 2022.
As this regulation is completely new, it was a decision to not be part of MDSAP to not confuse all the different actors.
MDSAP Participating countries (Website Links)
As you will see the MDSAP program is a combination of many regulations.
This means that at some point they need to be aligned to be able to work together.
There are some differences between regulations and we accept that.
But if the program is a success, new countries that would like to participate will need first to align their regulation with the MDSAP program.
Which regulations are included on MDSAP?
MDSAP is a program that looks during one audit at all 5 countries regulations including the ISO 13485:2016 Standard.
- ISO 13485:2016
- Australia TG(MD)R Sch3)
- Brazilian FMP (RDC ANVISA 16/2013)
- Japan (MHLW Ministerial Ordinance No. 169)
- USA (FDA QSR 21 CFR Part 820)
- Canada (Medical Device Regulation – SOR/98/282)
And additionally, there are some specific requirements from the MDSAP program.
It’s interesting to see a standard being part of MDSAP because all the other requirements are country specific.
MDSAP is including latest changes so I suppose if a new version will be released there will be some adaptation for the Auditing Organizations.
What is important is that any change should still be compatible with the orther regulations.
Important countries are missing
As discussed previously, if the program integrate more countries then it will integrate also more requirements for medical device manufacturers.
Big players that are missing for example are China, Saudi Arabia, India and let’s not forget the European Union.
Finally, the countries that were already part of MDSAP are the winners as there regulations is taken into account on a worldwide program.
For new comers, they apparently will need to adapt their regulation to be able to be part of this community.
Let me know if you have a comment to that.
Who can certify you for MDSAP?
The MDSAP program is qualifying some Audit Organizations or AO. This is similar to Notified Bodies in Europe.
Those Audit Organizations will follow a certain requirement to certify Medical Device companies. I will show you after the topics that are reviewed.
The list of Audit Organization is available here. This is list can change so take this only as an information.
Auditing Organization from this list will perform an initial audit to certify your company and after that, they can also come unannounced to check that you are still following the requirements.
So I imagine that unannounced audits will be the standard for manufacturers. I imagine that they should be always “audit ready“.
MDSAP Stage 1 vs Stage 2 audit
When you are applying to get MDSAP certified, you should not be surprised that the initial audit is divided into 2 stages:
- Stage 1: This step is kind of a pre-audit. The initial assessment is to define if your QMS is ready to be fully audited and complies to ISO 13485:2016 Clause 4.2.1 and also some other MDSAP documentation requirements. End of Stage 1 will define if you can go to stage 2.
- Stage 2: This step is to define if the ISO 13485:2015 and the regulatory requirements are fulfilled.
After that, you will be certified. But it’s not over. You will receive a yearly surveillance audit on a 3-year cycle.
This is the exact same model as for the notified body certification for CE mark products.
Can I start selling my products after certification?
This depends on what means selling your product.
When you receive your MDSAP certificate with compliance to Brazil requirements for example, you cannot start shipping products to Brazil without going through the Registration process.
The MDSAP certificate is only confirming that you are following the requirements for this country. But for each product you want to deliver, you will need to initiate the registration process.
The countries will ask you to provide the MDSAP certificate as a proof of compliance and review your technical documentation.
So if you have a business plan, don’t assume that the milestone for shipping your product is the date of reception of the certificate.
Note: MDSAP will not accelerate the registration of your product in the countries. It will only avoid to receive auditors from many different Competent Authorities. So don’t use that as an argument for your product development.
What is the MDSAP Audit Model?
The MDSAP audit is looking specifically at 5 processes.
The sequence of audit is:
- Measurements, Analysis, and Improvement
- Design and Development
- Production and Service Controls
And additionally there are 2 more sections:
- Device Marketing Authorization and Facility Registration
- Medical Device Adverse Events and Advisory Notice Reporting
There is some specific information that the auditors are looking for while reviewing your system.
Those questions are available on the MDSAP Companion Documents. This provides you an example of how you should be prepared.
Get a case study on how is executed an audit. This is not specific to MDSAP but the model is the same.
I will also give you a link to a Podcast Episode where I talk about the 6 different types of Medical Device Audits. Really instructive.
MDSAP Companion Document
The companion document is a support for MDSAP requirements. It is helping the different Audit Organization to follow a similar process when auditing.
An auditor that is going to a company should follow the same process as an auditor going to another company.
This helps to be fair. But this also created a more robotic audit.
It’s true that from one auditor to other things can be easier or harder. So it can be a problem when an auditor accepts something from one company but refuse it for the other.
Therefore, this method which is used to keep things similar for any manufacturer is not opening the door to some interpretation.
But manufacturers can use this companion document to build their MDSAP gap assessment.
MDSAP Gap Assessment Template
Easy Medical Device created a Gap Assessment template to help you perform the check of your organization.
This consist of a checklist of all the requirements for each countries. So you can also hide countries that you don’t need.
This document is divided to match the 7 chapters that were mentioned on the Audit Model.
If you need also some support from Easy Medical Device to help you be compliant with MDSAP requirements, don’t hesitate to contact us at firstname.lastname@example.org
Which route to follow to become an Auditing Organization for MDSAP?
MDSAP auditor certification is done through FDA platform. Each AO will register its auditors and each of them will receive an email with its login details within 10 business days.
From that, the student auditor will need to perform the full training and get a score of 70% or more on each quiz to be successful.
You’ll be trained on each of the modules that are on the audit model as described below:
(1) Introduction to MDSAP
(2) MDSAP Management
(3) MDSAP Device Marketing Authorization and Facility Registration
(4) MDSAP Measurement, Analysis, and Improvement
(5) MDSAP Medical Device Adverse Events and Advisory Notices Reporting
(6) MDSAP Design and Development
(7) MDSAP Production and Service Controls, part 1
(8) MDSAP Production and Service Controls, part 2
(9) MDSAP Production and Service Controls, part 3
(10) MDSAP Purchasing
Should you be part of MDSAP?
This depends on your company. This program can be a good solution if you are selling to all 5 countries that are mentioned.
Instead of being audited by all of them, you’ll need to only be audited once and the report can be sent to everyone.
If you are selling or plan to sell to Canada, then it’s mandatory for you to be MDSAP certified. Let’s review that on next paragraph.
Health Canada decision to stop CMDCAS
By January 1st, 2019, CANADA is requesting all companies selling products to Canada to be certified or to have a plan to be certified.
But if you are for example only distributing your product to another, this is not necessary for you.
For manufacturers specifically focused on selling their products to Canada, I got the information that its now the end of the transition period for MDSAP.
This means that Health Canada will look only for MDSAP certificates now. The CMDCAS (Canadian Medical Devices Conformity Assessment System) is now officially replaced by MDSAP.
This decision to transition to MDSAP was an accelerator for companies to apply to this new program.
BSI Compliance Navigator issues an article with more information.
Note: Here is an FAQ from Health Canada
Should you comply to the regulations of all countries?
Another important question to answer: Can the manufacturer exclude a jurisdiction from the scope of an MDSAP audit?
The answer is YES. You should only comply with the requirements of countries where you distribute your products.
So if Japan has a specific requirement, it’s not mandatory to comply with it. But if you plan to sell to Japan in the future, maybe then it would be great to think about these exotic wishes.
MDSAP audit report with example
When you will pass the MDSAP audit you will receive a report.
If your audit was completely perfect you can have the possibility to get no non-conformities. But if during the audit some issues were raised this can lead to some observations.
Can this be a problem to get certified?
Yes, it can. But this depends on the grading of the observation. Let’s review together the different MDSAP grades.
MDSAP audit does have 5 levels of non-conformities or NCs or Grades, from Grade 1 until Grade 5.
The form you’ll be using to record these NCs is called “Non-conformity Grading and Exchange” or NGE.
This is a dynamic form that will react to the information you’ll provide. For example, he will alert you if you need to contact the Regulatory Authorities. In fact, there is a requirement to report with a 5-days notice in case of major issues.
How auditors are deciding MDSAP grading?
I was asking myself how they decide between grade 1 and grade 5 but was not able to find a clear answer.
So I decided to pull-out the NGE and fill it as if I am the auditor.
I discovered that the answers you will provide will automatically help to define the grading.
First, you decide on which topic the Non-Conformity was raised. It will help to identify if this has a direct impact or not on your QMS (Quality Management System).
Then you’ll need to answer a few questions:
- Is this a repeat NC?
- Is a required procedure lacking?
- Is a non-conforming product released?
And automatically, the grade appears.
Read more about the NGE form.
Example of Audit Report
I created a form with the company ACMED Ltd. (Fictive company).
I raised an observation on chapter Management 4.1.3. This automatically defined that this has an indirect impact on the QMS.
Then I defined that:
- this is not a repeat NC
- a required procedure is lacking
- and no nonconforming products are released
The MDSAP NC grade for this is Grade 2.
Check it below
On the next picture, you can see the table that summaries the number of NCs identified.
In that case I raised only 1 NC. And the current status is “Not responded” as I just raised it. The auditor is waiting our action plan to then change the status.
NC already identified
Ok, but if the company already identified the non-conformity that was raised. What is happening?
I tested this case. The form gives you the option to provide this information. You can see that below the table there is a tick box with the sentence:
- The Organization detected and properly addressed the nonconformity prior the audit
I ticked the box as I suppose that I already raised a CAPA for this point and defined a clear and solid action. (See below picture)
Magically the grading change from Grade 2 to Grade (2). I know, it’s still grade 2 even with the brackets but now this NC is not reported as an NC on the final table.
But you see also that the status is “Monitoring”. So this means that this topic can be reviewed during another audit. So don’t think that this topic is then forgotten. Everything is recorded.
Knowing that information, I would do one thing to be sure to pass the MDSAP audit. I would find myself the issues and open a CAPA or NC or internal audit observation on my QMS.
I know it’s easy to say it than to do it.
As you’ve seen, the MDSAP audit is not taking into account issues already identified and addressed.
Don’t identify issues and try to solve them outside of your system.
- First, you will not be recognized for the work you’ll accomplish to solve it
- Second, if an auditor find the issue before you solve it, he will raise an NC that can compromise your certification.
Test the NGE form
If you also want to test the NGE form, you can download it here.
In the case the form opens on your browser, there is a chance that this is not working. Below is the message that can appear.
You should then download it on your computer and open it with Adobe reader.
Share this article
MDSAP questions answered by Angelina Hakim
What is the difference between MDSAP and the other audits?
(Podcast extract: 20.01)
Angelina Hakim (A.H.): Due to the fact that MDSAP combines the requirements of the five countries, plus the ISO 13485, you can expect a long audit and a high time pressure.
The auditor is under an extreme time pressure, so you as an auditee will feel it too.
Imagine that you have an FDA inspection and an ISO 13485 audit at the same time. It’s like that.
But the good thing though is that it is very structured you know what the auditor expects to see and this is thanks to the MDSAP companion document.
So you need to prepare yourself.
Is the Companion Document the script for the auditor? or the auditor can decide which question he want to ask?
(Podcast Extract: 21.29)
A.H.: It depends on the auditor sometime.
They didn’t repeat exactly word by word the question but what they are not doing is to jump from one process to another (Audit Model).
There is a flow and if you know it, then it’s fine. You known that in this chapter it is expected to show this document and this evidence and so on.
When you are audited by the Audit Organization, what is the worst grading that you can have?
(Podcast Extract: 22.43)
A.H.: Theoretically you can achieve 6, but they decided that it’s already enough to have 5.
So we have a grading One to Five and Five is very critical.
And if you have more than 2 grading Four, this means that the auditing organization needs to report it to the five authorities.
To do that they will upload the report on the MDSAP database and then they can know what is happening on your company.
How you can avoid to have this grading Four and Five?
(Podcast Extract: 23.42)
First of all, understand the ISO 13485. Ensure that you have documented procedures in place. If you don’t have it, then it’s an escalation. Grading +1
As well make sure that your risk management files, product releases are justifiable and defendable so to avoid having non-conforming products released to market.
Another tip is to open a CAPA to address systematic issues that you are aware of and make sure that you have the risk out of these issues under control. Just opening a CAPA is not enough, you need to show to the auditor that you worked on it.
If you have findings from your previous audit (MDSAP, ISO 13485, FDA…), make sure that you address them appropriately. Because if they find again the same issue, this is also an escalation of +1.
This is why you can easily achieve the grading Four and Five.
If we are not selling in some of the 5 countries listed previously, should we still follow the requirement of this country?
(Podcast Extract: 26.33)
A.H.: No, because during the stage 1 you are clarifying which countries are on scope.
Then in stage 2, when they are in the company, then they will just check the requirements of the countries where you are selling.
On this infographic I summarise for your the 3 questions:
- Which countries are included on MDSAP?
- What are the topics that are reviewed on the MDSAP Audit Model?
- What are the different MDSAP Gradings?
Check below to download this infographic.
Listen to the Medical Device made Easy Podcast
I created this Mindmap so you can have easily all the links and documents we just talked about within one place.
If you’ve never used Mindmaps this is a great tool to gather information and learn quickly.
Don’t hesitate to download the Mindmap Package that include an Interactive HTML 5 mindmap.
I propose you to answer few questions about what you just read on MDSAP.
Read the question and put your mouse on the card to see the answer. Easy no!
Imagine now a world where all countries do have the same regulation for medical devices.
This would make life easier for manufacturers and countries. MDSAP is the first step to that. But still some work is needed to reach this objective.
Share this article
Medical Device expert. Monir founded Easy Medical Device to help Medical Device companies to place compliant products on the market. He proposes his consulting services so don’t hesitate to contact him at email@example.com or +41799036836
My objective is to share my knowledge and experience with the community of people working in the Medical Device field.