Important Guidelines for MDSAP

The MDSAP (Medical Device Single Audit Program) is a three-year-long audit cycle. These cycles can be listed down as follows:

1. The Initial Audit Cycle
2. Partial Surveillance Audit
3. Complete Re-audit

The Initial Audit Cycle

The initial audit cycle is the first year audit cycle and is also known as “Initial Certification Audit.” In this cycle, a complete audit of the organization’s QMS is performed. This cycle comprises two stages:

• Stage 1 Audit (17021-1:2015 – Cl 9.3.1.2)
• Stage 2 Audit (17021-:2015 – Cl 9.3.1.3).

Why is Stage 1 Audit Conducted?

The MDSAP lists four reasons for conducting the stage 1 audit. These are:

• Checking the compliance for QMS documentation requirements of Clause 4.2.1 of ISO 4.2.1 and other conditions of MDSAP
• Assessing the preparation of the medical device organization for stage 2 audit
• Providing a focus for planning for stage 2 audit
• Collecting information about the scope of QMS and other aspects of the medical device organization.

Necessary Considerations Before Conducting Stage 1 Audit

Before running the Stage 1 Audit, the medical device organization should consider:

• Clause 9.3.1.2 of ISO/IEC 17021-1:2005
• Other MDSAP regulatory requirements and audit process tasks.

Result of the Stage 1 Audit Review

By combining Stage 1 and Stage 2, the auditing organizations can allow a single on-site visit for the initial audit and then re-audit the medical device organization. With the results of these audits, one can determine

• The capability of the medical device organization to begin the Stage 2 audit
• The achievement of medical device organization in Stage 1 and Stage 2 audits about on-site verifications and off-site documentations.

Partial Surveillance Audit

The initial audit is followed by the partial surveillance audit (17021-1:2015 – Cl 9.6.2.2) in two years. In this cycle, QMS implementation and effectiveness are assessed. Partial surveillance audit is the 2nd year audit cycle, and it should be according to the requirements of

• Clause 9.3.1.3 of ISO/IEC 17021-1:2015
• All of the applicable MDSAP Audit process tasks.

What are the Reasons to Conduct Partial Surveillance Audit?

The primary reasons for conducting the partial surveillance audit are

• ISO 13485:2016
• The participating regulatory authorities put forward other regulatory requirements.

Which Objectives are evaluated in the Partial Surveillance Audit?

The 2nd year audit cycle assesses the four specific objectives. These are:

• How effective is the medical device organization’s QMS?
• Products/processes related technologies (sterilization, injection molding, etc.)
• Technical documentation of the product concerning the relevant applicable regulatory requirements
• The ability of the medical device organization to demonstrate continued compliance to these requirements.

The partial surveillance audit also helps the auditor in determining the ability of the medical device organization regarding maintenance of adequate and reliable objective evidence regarding the device’s ability of

• Performance
• Effectiveness
• Safety
• Other regulatory requirements are present in the audit tasks.

The auditing and verification also determine that the records and documentation required by the Regulatory Authorities are latest, complete, and available.

Complete Re-audit

Also known as Recertification Audit, the Complete Audit (17021-1:2015 – Cl 9.6.3.2) is performed in the third year of the cycle.

Conducting the Surveillance Audits

Conducting the 1st and 2nd surveillance audits will be done under

• Applicable MDSAP audit process tasks
• Clause 9.6.2.2 of ISO/IEC 17021-1:2015
• Clause 9.6.2 of IMDRF/MDSAP WG/N3:2016.

What is the Purpose of Conducting Surveillance Audits?

Surveillance audits ensure that the audit of ISO 13485:2016 and other relevant regulatory requirements have been performed during the three-year cycle.

What does Surveillance Audit Evaluate?

In this audit, the following points are evaluated:

• Effectiveness of medical device organization regarding the incorporation of the relevant regulatory requirements in its QMS
• Medical device organization’s ability regarding compliance with these requirements
• Any latest or changed technical documentation associated with the applicable regulatory requirements
• Technical documentation of the product with regards to applicable regulatory requirements

If significant changes are made to the organization’s QMS, the auditing organizations will review the documentation as per Clause 9.6.3.1.3 of ISO/IEC 17021-1:2015.

How can the Re-auditing Objectives be Achieved?

Alongside ISO.IEC 17021-1:2015, the auditor can verify the following for achieving the re-auditing objectives:

• Reviewing the MDSAP audit reports that have been prepared since the initial audit or the last re-audit
• Reviewing the suitability and effectiveness of the present QMS compared to the previous one
• Following up with the corrective actions and/or corrections of any previous MDSAP audit
• Reviewing the changes made in the medical device organization, its QMS, or its products from the last surveillance audit.
• Other relevant MDSAP audit process tasks.

Sampling and Process Audits

These audits should emphasize upon

• Designs, processes, and products that are new or modified
• Areas that were not addressed effectively in the last surveillance period
• Any existing and potential nonconformities identified previously.

During the recertification audit, any sites concerning the medical device organization’s QMS that have been audited off-site should not be recorded on the certificate.

Other Audits that Occur in the MDSAP Cycle

Other than the audits conducted in the MDSAP cycle, three audits can occur at any time. These three audits are:

• Special audits
• Audits done by the Regulatory Authorities
• Unannounced audits

Special Audits (17021-1:2015 – Cl 9.6.4.2)

As a part of the planned audit cycle, the special audits should only be conducted if required. The emphasis of the special audits should be on the particular elements of QMS of the medical device organization.

Reasons for Conducting Special Audits

Special audits are held in response to

• Application for the extension of an already existing certification scope
• Determining that whether it would be feasible to give an extension or not
• Specific information that provides the basis for suspecting any serious non-conformities of the devices
• Other miscellaneous reasons.

These special audits can also be conducted as short notice audits to investigate potential significant complaints.

How Should these Special Audits be Conducted?

These special audits should be conducted as per

• The applicable requirements of Clause 9.6.4 of ISO/IEC 17021-1:2015
• Additional MDSAP requirements which the auditing organization of Regulatory Authorities participating in MDSAP recognize.

What Objectives does Special Audits Address?

Special audits address the following objectives:

• Need for extending the audit or certification scope of medical device organization so that new or modified products can be added
• Following up on particular post-market issues
• Following up on any essential information obtained from the last MDSAP audit
• Any shortfall recognized by MDSAP-recognized Auditing Organization’s (e.g. insufficient audit time)
• Conductance of supplier audits according to the Auditing Organization’s policy or the directions of regulatory authority.

The auditing organization performing the special audit must submit its auditing report to the recognizing Regulatory Authority/Regulatory Authorities within 15 days of the audit’s last day.

Audits Done by the Regulatory Authorities

The regulatory authorities participating in MDSAP can conduct audits at any particular time. The reason to conduct these audits can be:

• For confirmation of the effective implementation of MDSAP requirements
• To keep up with the previous audit’s results
• “For Cause.” This implies the information obtained by the regulatory authority.

Unannounced Audits

These audits are conducted in response to significant high-grade non-conformities. These audits are always performed by the MDSAP organizations that are recognized by the regulatory authorities.

Want to Conduct an MDSAP Audit?

As a Regulatory-Authority recognized auditing organization, TSQ Asia is known for its agile, efficient, and cost-effective methods of conducting MDSAP audits. As a medical device manufacturing organization, you can consult TSQ Asia to complete your MDSAP cycle today. To contact us, visit our website tsqasia.com.