Expert Advice on Using MDSAP for Internal Auditing

The International Medical Device Regulators Forum’s single-audit program remains on track for full implementation in 2019, and companies should be shoring up their internal auditing processes to prepare.

MDSAP was devised to leverage regulatory resources into a single audit program so that manufacturers didn’t have to contend with numerous inspections throughout the year, said Susan Reilly, president of consultancy Reilly Associates, during a recent FDAnews webinar.

Regulatory authorities participating in the program are: Australia’s Therapeutic Good Administration; Brazil’s ANVISA; Health Canada; Japan’s Ministry of Health, Labour and Welfare; and the U.S. FDA.

Audits performed in line with MDSAP will be process-based, using several defined processes, a defined method for linking those processes, as well as requirements for risk management.

An MDSAP audit will cover the following seven processes:

1. Management;
2. Device marketing authorization and facility registration;
3. Measurement, analysis and improvement;
4. Medical device adverse events and advisory notices reporting;
5. Design and development;
6. Production and service controls; and
7. Purchasing controls.

The MDSAP audit model provides an overview of the different audit sequences, cycles and management, spanning these seven processes. The document helps companies know what is going to happen with their registrar, and it can be a useful tool for auditors, Reilly said.

A companion document features similar information, but it focuses largely on audit tasks, providing specific details on the purposes and outcomes for each process. It also features country-specific regulations that are noted and defined at the end of each section. This makes it easier to reference these requirements when writing up an audit report.

“It’s a good idea for companies to implement these requirements within their own standard operating procedures,” Reilly said. She noted that the documents also provide companies with “an updated or current view of how the various regulatory authorities are interpreting these requirements.”

What is being looked at will depend on what stage or phase the company is in with respect to the external audit process. For an internal audit, companies need to hit each quality system element over the course of a given audit cycle. Auditors need to check that processes and procedures are, in fact, linked and that these linkages are auditable.

For example, adverse events and advisory notices should always be linked to each other, with an audit ensuring that corrective and preventive actions require reporting to regulatory authorities, and that there’s a defined process for that.

In addition, linkages among nonconformances need to be examined, with nonconformances graded according to severity.

Regardless of the quality system being audited, it should always have the potential to link to purchasing controls. This means that if a process is outsourced to a supplier, the manufacturer must control the third party’s process under its quality management system.

Any audit should include an audit of management to make sure the quality system is operating as it should from the top down and that risk is applied consistently across all processes.

For the MDSAP documents, visit: www.fdanews.com/08-31-16-MDSAPprogram.pdf. — Jason Scott