Using the Medical Device Single Audit Program (MDSAP) to support EU regulatory requirements

Medical Device Coordination Group (MDCG) endorses guidance for notified bodies

MDSAP was developed by the International Medical Device Regulators Forum (IMDRF) to conduct regulatory audits of quality management systems (QMS).  The MDSAP audit is based on approved Auditing Organizations undertaking an audit of ISO 13485:2016 - Medical devices. Quality management systems. Requirements for regulatory purposes. The applicable regulatory requirements of the participating jurisdictions – Australia, Canada, Japan, Brazil, USA – are also included as areas of focus.  Although the audit model used for MDSAP does not incorporate the requirements from the European regulations, the MDSAP audit report form was developed so that it can be used for multipurpose audits. Where an Auditing Organization is also a notified body for the European Regulations, there is obvious interest in incorporating European requirements into the MDSAP audit criteria to combine the audit activities and eliminate duplicate reporting.

The Medical Device Coordination Group (MDCG) is composed of representatives of Member States and chaired by the EU Commission. In August 2020, the MDCG, endorsed a new guidance document giving guidance for notified bodies on the use of audit reports from the Medical Devices Single Audit Program (MDSAP) in surveillance audits carried out under the Medical Devices Regulation (MDR) and In Vitro Diagnostic medical devices Regulation (IVDR). The guidance was initially developed by a group of interested Member State representatives, notified body associations and stakeholders. As with all the MDCG guidance, it cannot be regarded as reflecting the official position of the European Commission, or as being legally binding.

The guidance indicates that:

• MDR and IVDR remain applicable in their entirety;
• use of MDSAP audit reports within the EU legislative framework is possible only where the MDSAP audit covers similar or equivalent MDR/IVDR requirements;
• taking account of MDSAP audit reports is not applicable to;
• initial QMS audits required for the issue of EU QMS certificates. Notified bodies always need to conduct these audits in their entirety;
• MDR or IVDR unannounced audits;
• reports of MDSAP unannounced audits or special audits should not be taken into account in narrowing of focus in MDR/IVDR surveillance audits;
• regular surveillance audits need to take place on a yearly basis but positive appraisal of conformity of the QMS through an MDSAP audit can limit the surveillance focus to those aspects not covered by the MDSAP audit reports;
• MDSAP audit reports should be taken into account in their complete form, including all associated attachments. Both positive and negative statements about the conformity of the manufacturer’s QMS should be incorporated in the planning of the MDR or IVDR surveillance audit.

The notified body remains fully responsible for its decision whether or not, and to what extent, an MDSAP audit report can be taken into account. The guidance indicates that notified bodies may wish to establish additional guidance in order to support their procedures for evaluating MDSAP audit reports.

The Annex to the MDCG guidance identifies and analyses aspects within MDSAP audit reports that are relevant in relation to the EU requirements. The Annex is separated into two parts:

• Part I focuses on explaining where relevant information that could be used as supporting evidence for QMS requirements in the MDR and IVDR is located in MDSAP audit reports;
• Part II provides examples on how correlations between MDR requirements to sections of MDSAP audit reports may be established in the notified bodies’ additional guidance or procedures. Although the examples in Part II focus on MDR requirements, it is indicated that the same methodology could be applied for the IVDR.

This guidance outlines the limitations and opportunities to use MDSAP audit reports to support conformity with the EU regulatory requirements of the MDR and IVDR. It will be of interest not only to notified bodies and manufacturer’s participating in MDSAP, but also to manufacturer’s considering using MDSAP and evaluating the potential benefits for their operations.

Author: Eamonn Hoxey, of E V Hoxey Ltd, UK, is a writer, trainer and consultant on a range of life science areas including regulatory compliance, quality management, sterility assurance and standards development