The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices and healthcare products, has published detailed guidance dedicated to audits in the context of the Medical Device Single Audit Program (MDSAP).
Regulatory Background
The Medical Device Single Audit Program describes the approach to be used by the competent auditors when conducting an audit of a quality management system employed by a medical device organization with regard to compliance with the applicable regulatory requirements. The present guidance provides detailed information and instructions on carrying out the aforementioned audits. In particular, the document addresses process-specific aspects and connections between the procedures and risk management activities.
The MDSAP audit covers the following key spheres:
- Management process,
- Measurement, Analysis and Improvement process,
- Design and Development process, and
- Production and Service Controls process.
It is important to mention that the MDSAP concept in general covers the processes related to the medical device marketing authorization and facility registration, as well as to medical device adverse events and advisory notices reporting.
The document emphasizes the importance of the quality management system to be implemented by a medical device organization. When being properly implemented, such a system covers all processes and procedures performed by a medical device organization. It is also important to mention that in the case that a medical device organization decides to outsource certain processes to third-party organizations, it still remains responsible for such processes. In such a case, the appropriate controls should be implemented in order to monitor the quality of products or processes supplied by third parties.
The main idea of the MDSAP project is to develop a single approach to audits that would cover all the requirements applicable in jurisdictions participating in the project. However, in the case that a medical device organization is not going to supply its products to the particular jurisdiction, it may waive the requirements applicable in that jurisdiction. Moreover, certain additional exclusions could be applied.
According to the document, the scope of a general audit under the MDSAP framework does not cover the cases when medical devices are being supplied in accordance with the special access pathways (e.g. humanitarian use exemption, investigational device program). All such situations should be discussed on a case-by-case basis.
MDSAP Audit Cycle
As it is stated in the guidance, the Medical Device Single Audit Program is based on a 3-year cycle and consists of the following steps:
- Initial Audit (“Initial Certification Audit”) – a very first complete audit of the quality management system implemented by a medical device organization,
- Surveillance Audit – an additional partial audit to be carried out every two years, and
- Recertification Audit – a new complete audit to be carried out on the 3-rd year.
Apart from the types of audits listed hereabove, in certain cases the Special Audits, Audits Conducted by Regulatory Authorities, and Unannounced Audits may take place at any time within the audit cycle.
In the case of sterile medical devices, the scope of the audit activities shall also cover the aspects related to the device sterility. Some of such activities could be carried out either remotely or during an on-site inspection, while others should take place during the actual on-site inspection. According to the document, on-site inspections have higher priority since they are deemed to be more efficient.
The document also describes in detail each particular type of audits. For instance, the Initial Audit (“Initial Certification Audit”) includes the following consequent steps:
- Stage 1 – Documentation review, evaluation of preparedness for Stage 2,
- Stage 2 – Evaluation of QMS Implementation and Effectiveness.
The main purpose of Stage 1 is to identify the documentation required for further assessment and determine whether all processes subject to review are duly documented. At this step, the audit team evaluates the general preparedness of a medical device organization, collects the necessary information, and prepares a plan for s Stage 2 audit. A Stage 2 audit is intended to evaluate the actual compliance of the processes implemented by the medical device organization with the applicable regulatory requirements. Actually, the scope of a Stage 2 audit includes an evaluation of:
- The effectiveness of the medical device organization`s quality management system incorporating the applicable regulatory requirements,
- Product/process-related technologies (e.g. injection molding, sterilization),
- Adequate product technical documentation in relation to relevant regulatory requirements, and
- The medical device organization`s ability to comply with these requirements.
In the course of the aforementioned auditing activities, an audit team shall verify whether the medical device organization complies with the applicable requirements with regard to the safety, performance, and effectiveness of medical devices covered by the scope of the audit. Moreover, the audit team also has to ensure that all important processes are duly documented, and the organization keeps the appropriate records within the terms set forth by the applicable regulations. It is also important to mention that on-site inspections carried out during Stage 2 should take place on all sites to be indicated in the appropriate certificate.
MDSAP Surveillance Audits
The Surveillance Audits are intended to verify continuous compliance of the medical device organization with the applicable requirements. In particular, during the Surveillance Audits, a medical device organization shall demonstrate its ability to sustain compliance with the regulatory requirements and effectiveness of its quality management system. The scope of Surveillance Audits also covers any and all changes to the products manufactured by a medical device organization or to the processes and technologies it employs and includes the evaluation of the impact caused by such changes to the safety and performance aspects. Additionally, such audits also cover the following spheres:
- Changes to the product technical documentation,
- Complaints, problem/vigilance reports,
- Recalls, field corrective and preventive actions,
- Advisory notices.
As it was already mentioned before, Surveillance Audit constitutes a partial assessment, while the Initial Audit and Recertification Audit provide a complete assessment covering all the spheres and important matters. At the same time, in case of any non-conformities identified, the additional audits would be focused on these aspects.
MDSAP Re-audit (Recertification Audits)
Recertifications Audits are intended to verify the continuous compliance of a medical device organization with the requirements set forth by the international standard ISO 13485:2016, as well as other applicable requirements set forth by the participating regulatory authorities. According to the document, the objectives of Recertification Audits under the MDSAP framework covers the evaluation of:
- The effectiveness of the medical device organization`s quality management system incorporating the applicable regulatory requirements,
- Product/process-related technologies,
- Adequate product technical documentation in relation to relevant regulatory requirements,
- The medical device organization`s continued fulfillment of these requirements.
It is also important to mention that in case of significant changes occurred since the Initial Audit, a new Initial Audit would be required.
Summarizing the information provided here above, the guidance on the MDSAP audit approach published by the FDA covers the most important aspects related to the audits intended to evaluate compliance with the applicable safety and performance matters. The document describes in detail the types of audits and outlines their specific features.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.
Sources:
