MDSAP - Medical Device Single Audit Program: One Audit for the FDA and four other authorities

Lukas Losigkeit - Expert for MDSAP Members FDA, Health Canada, ANVISA, TGA, MHLW and Quality Management

Lukas Losigkeit

CEO & Principal Consultant

In this blog post we explain what the MDSAP is all about. We explain the structure, the process and important aspects of the preparation for this audit.

Are you interested in our services in the area of the Medical Device Single Audit Program? Then click here.

MDSAP - Medical Device Single Audit Program for the authorities FDA, Health Canada, ANVISA, TGA and MHLW - Quality Management

What is MDSAP?

The abbreviation stands for Medical Device Single Audit Program. This describes an initiative led by various regulatory authorities to audit a manufacturer's quality management system and the country-specific requirements of the authorities in the course of a single audit. It is therefore a single audit to verify the requirements of all participating authorities. This program can reduce the number of necessary audits and makes it easier to prove compliance with different requirements.

MDSAP is therefore suitable for reducing the burden on the authorities, as they do not have to audit all manufacturers themselves. On the other hand, it also saves manufacturers from having to conduct a large number of different audits, since the requirements of the five participants currently taking part are checked in one large audit.

On a regulatory level, MDSAP complies with ISO 13485:2016 as a basis in conjunction with the respective country-specific requirements of the members.

Which countries or authorities participate?

  • Australia: Therapeutic Goods Administration (TGA)
  • Brazil: Agência Nacional de Vigilância Sanitária (ANVISA)
  • Canada: Health Canada (HC)
  • USA: Food and Drug Administration (FDA)
  • Japan: Ministry of Health, Labour and Welfare (MHLW) und Pharmaceutical and Medical Devices Agency (PMDA)

What difficulties are there?

Manufacturers often have difficulties with the initial MDSAP audits. The program is still fairly new and often there are no employees in the company who have experience with MDSAP. So it's not quite clear how the audit will proceed; how some requirements are to be interpreted; how best to prepare. These difficulties are mainly due to the fact that MDSAP is relatively new.

Depending on the manufacturer and version of the QM system, additional difficulties with regard to the content of the new requirements may arise. A QM system that is already very well developed may already address many aspects. However, smaller manufacturers in particular often find that a large number of processes are lacking or that the existing ones need to be revised.

MDSAP focuses strongly on purchasing and risk management. This is understandable insofar as the final medical devices must consist of something. They consist of goods or other devices that were previously purchased. Therefore, purchasing is the basis for the final devices and accordingly important for quality. Risk management is reasonably considered in the MDSAP as the basis for a safe device and is therefore essential in the overall audit.

In the area of reporting incidents according to MDSAP, suitable processes are often lacking to enable correct reporting to the relevant authorities. All authorities have different requirements as to how a notification is to be made and this must be reflected at the process level.

As an interface between the permission to sell a medical device in one of the participating states and the reporting of incidents, contractual arrangements with the distribution network are very important. Incidents can only be reported if one is aware of these incidents. This is where the arrangements with the distributors come into play. Every distributor in one of the participating states must be able to report incidents to the manufacturer in a timely manner, and in the event of a recall, the manufacturer and distributor must cooperate.

How does an MDSAP audit work?

The audit usually consists of two parts. A distinction is made between Stage 1 and Stage 2.

During Stage 1, the manufacturer submits its entire quality management system for review. It is then possible to close any deviations found before Stage 2.

Stage-2 is the actual audit at the manufacturer's premises. During this audit, the audit sequence is as shown in the diagram. The sequence is strictly adhered to. The areas of risk management and purchasing can be audited at any time, as shown in the diagram, regardless of the sequence. This underlines the high priority assigned to the topics in the MDSAP.

MDSAP Audit Sequence for the authorities FDA, Health Canada, ANVISA, TGA and MHLW - Quality Management

Since January 2020, there has been an option for remote auditing of the "Device Marketing Authorization and Facility Registration (DMAFR)" area. Neither the Stage-1 nor the Stage-2 audit is replaced. The on-site Stage-2 Audit can be less extensive and only the interfaces to other topics need to be checked on site (regarding DMAFR).

Voluntary or mandatory?

Currently the MDSAP audit is still voluntary. In Canada it is already the basis for being allowed to sell medical devices legally in the country. It is not excluded that other authorities or states will follow this approach.

For many manufacturers MDSAP is also an interesting way to enter the US market. The MDSAP audit is intended to prevent the Food and Drug Administration (FDA) from appearing in person for the audit. FDA audits are still probably the most feared by manufacturers and therefore it is often tried to avoid them. The Medical Device Single Audit Program is a viable option. Of course, this does not prevent the medical device from having to be approved afterwards, e.g. within the scope of a Premarket Notification 510(k).

MDSAP and Europe

There has been much debate about why the EU is not participating in the Medical Device Single Audit Program. In this context, the fact was mentioned that especially all capacities within the Medical Device Directive MDR (and also IVDR) are blocked. But this is not quite true. Strictly speaking, the MDR and IVDR are the basis for the EU to participate in MDSAP. Previously, the MDD and IVDD existed in the EU, but all member states had to transpose the directives into national law. For MDSAP this would have meant that all national requirements of the EU member states would have to be checked in the MDSAP audit. Due to the large number of EU Member States (27 in January 2020), this would lead to too much scope in the audit to check the European requirements. With the introduction of the MDR and IVDR, the requirements between the EU Member States will become more uniform and participation in the MDSAP can be made easier and more targeted through the requirements of the MDR and IVDR.

Audit preparation

Most importantly, make sure that the employees concerned have a comprehensive understanding of the Medical Device Single Audit Program. We've seen on several projects that employees should prepare for the MDSAP audit, but actually didn't really understand what it was about. In such situations, a lot of valuable time is lost because employees cannot work in a targeted manner because they still lack a basic understanding of the topic.

Make sure that employees know how to structure a gap analysis in a meaningful way. If you have ever done such an analysis for an MDSAP project, you will know how extensive it is. It is essential that this work is targeted and structured. Due to the scope of the requirements, you will not only lose time, but also your employees' motivation. An MDSAP audit is really exciting and a great experience for all involved, provided you prepare yourself in time and comprehensively.

As part of the MDSAP preparations you should definitely carry out the gap analysis mentioned above. On the one hand, you list the requirements that MDSAP places on the quality management system. You then compare these with your existing processes and assess whether and to what extent the individual requirements are fulfilled. Proceed step by step and very carefully. The audit is very extensive and because of the multitude of different new requirements, it is easy to forget something. You have of course already laid the foundation for the MDSAP audit, provided you are certified according to ISO 13485:2016. However, the country-specific requirements are often completely new and want to be integrated into the existing process landscape in a meaningful way.

Which documents do I need to know?

  • ISO 13485:2016
  • Quality Management System requirements of the Conformity Assessment Procedures of the Australian Therapeutic Goods (Medical Devices) Regulations - TG(MD)R Sch3
  • Brazilian Good Manufacturing Practices - RDC ANVISA 16/2013
  • Japan Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents - MHLW Ministerial Ordinance No. 169
  • Quality System Regulation (QSR) - 21 CFR Part 820

For a detailed overview of all regulatory references that you need to consider, please refer to the MDSAP Audit Model at the FDA. Since it is possible to exclude individual countries in which you do not market devices, these requirements are of course not applicable to you. These requirements are then not part of the audit - however, you must indicate this when you register for the audit and are really not allowed to market devices in these countries.