MDSAP: The Medical Device Single Audit Program

The Medical Device Single Audit Program (MDSAP) allows medical device companies to sell products in multiple countries with one audit. This article summarizes the MDSAP and helps your company prepare for it.
If you’re confident in your knowledge of MDSAP, consider taking a quiz to see if you’re prepared for MDSAP.
After you understand MDSAP, if you’d like to have fun learning how to improve your Quality System, consider reading “Van Halen, brown M&M’s, & the quality system audits”
Medical devices are regulated by governments in order to protect patient safety. For example, when the United States discovered that 44% of medical device recalls could be attributed to design flaws, the FDA began enforcing design controls.
Companies must comply with the regulatory requirements of each country in which they sell medical devices. Participating countries will accept MDSAP in lieu of individual audits. These countries, and their regulatory agencies, are:
MDSAP is a standardized way of auditing, ensuring repeatable audits regardless of the auditor. It doesn’t add any new regulations; it standardizes the audit process to emphasize risk-driven processes, which were already required by ISO 13485.
Currently, MDSAP is voluntary. Beginning in January 2019, Canada will require MDSAP. There are only a few circumstances in which this deadline can be extended.
Before continuing, it’s important to emphasize that MDSAP was driven by industry input, and is considered both practical and beneficial by the International Medical Device Regulators Forum, which archives the respected work of the Global Harmonization Task Force.
Most participants believe that MDSAP audits represent an improvement over previous audits. More importantly, MDSAP can increase patient safety while improving company efficiency.
Does MDSAP add requirements to existing quality systems? Why or why not?
Previously, each country required an audit.
MDSAP allows one audit to be used for all participating countries. A company only needs to comply with countries in which they intend to sell products.
Previously, auditors were encouraged to review a company’s quality system as a process but were allowed to audit components independently.
MDSAP audits are conducted as a “process,” ensuring each part of a quality system links to other parts for a seamless flow of information. This must be a closed-loop process; the outputs of each process become the inputs of another process, with information cycling through a review by senior management to ensure continuous improvement of the entire system.
The most common links are Risk Management and Purchasing procedures; all decisions must be based on reducing Risk to a patient, and documented to provide evidence for auditors and metrics for management review.
Image thanks to Australia’s TGA
Previously, noncompliances were graded as “minor” or “major.”
MDSAP noncompliances are graded from 1 to 5 based on the potential impact to a patient, frequency of occurrences, and whether or not products were shipped with the noncompliance.
What is a “closed-loop process,” and how does it apply to a quality system for continuous improvement?
How do you make, and document, risk-driven decisions about suppliers?
MDSAP auditors grade companies using a list of approximately 92 “tasks,” provided in seven chapters of the MDSAP audit model. The tasks capture all clauses of ISO 13485:2016, plus country-specific requirements.
Audits are conducted through Auditing Organizations (AO) that are approved by Regulatory Authorities (RA) of participating countries. I list some AOs at the end of this article.
An AO will conduct an initial audit, perform surveillance audits, then re-certify a company every three years. An initial audit begins with a review of documents before an on-site visit; subsequent audits are document reviews unless there’s a reason to conduct a special audit.
What are MDSAP “tasks?”
Noncompliance for each MDSAP task is graded from 1 to 5, with 5 being the most adverse. Grading has two steps.
STEP 1: start with a score based on two factors:
Potential impact to a patient, either indirect or direct, which corresponds with clauses in ISO 13485
Clauses 4.1 through 6.3 are indirect, = 1 point
Clauses 6.4 through 8.5.3 are direct, = 3 points
Frequency of occurrence, increasing a score +1 if the noncompliance was reported in any two previous MDSAP audits. (A “repeat” is defined between different audits, not within the same audit.)

Scoring matrix via Australia’s TGA
STEP 2: apply an escalation score, if applicable.
+1 if a process isn’t documented (vs. being inaccurate or incomplete)
+1 if the company shipped a non-conforming product
The final MDSAP score for each task is the combination of Step 1 and Step 2 scores, but with a maximum score of “5.” Audit results will include the following information:
Step 1 score
Final score
The ISO clause, or country-specific addition, out of compliance
Examples of company documents out of compliance
Audit reporting formats, plus a standard grading system, allow regulatory agencies to know exactly what happened during the audit. This also allows companies a clear, unambiguous path to correct non-compliances.
Auditing Organizations report a score of “5” or three scores of “4” to Regulatory Authorities within five business days. Otherwise, AOs have 90 days to submit their report to all participating countries.
Look at Step 1 scoring. If you were preparing for an audit, which ISO 13485 clauses would you focus on, initially, if you did not have a lot of time? In other words, which clauses are “bang for your buck?”
Determine if MDSAP matches your company’s business needs

Do you sell, or plan to sell, in participating countries?
Canada will require MDSAP in January 2019; how does this affect your business?
Does your company still use ISO 13485:2003? If so, this may be a good time to transition to the 2016 version and incorporate MDSAP.
Determine your MDSAP readiness

Understand MDSAP audit “tasks” and “grading.”

Follow the MDSAP audit model tasks; begin by looking for obvious grades of “5” or “4” by focusing on ISO 13485:2016 clauses 6.4 – 8.5.3, which have “direct” impact and higher grade penalties.

Complete an assessment of all tasks, ensuring your procedures for risk management and purchasing are linked between parts of your quality system.

Consider if consultants could help you train your company or assist in preparing for MDSAP.
Schedule an audit with an Auditing Organization soon; there are only a few AOs, so their schedules may be busy.

An overview of the MDSAP won’t answer every question. Examples include how companies respond to noncompliances, how internal audits are utilized, etc.
But there are no surprises with the MDSAP. To paraphrase The Buddha, there are no secrets “hidden in the closed fist of a regulatory agency.” All documents used by Auditing Organizations are available, for free, online.
If you have the MDSAP audit model, are you fully prepared for what an auditor will ask? Why or why not?
Five countries are participating: USA, Japan, Australia, Brazil, Canada
Canada will require MDSAP by January 2019

Uses existing requirements. Differences from previous audits include:

One audit recognized by participating countries rather than individual audits
Requires links between parts of a quality system, emphasizing risk and purchasing procedures, rather than focusing on specific parts
Noncompliances are graded 1-5 rather than “major” or “minor”
Test your understanding by taking this MDSAP quiz.