MDSAP, what was that again?
The Medical Device Single Audit Programme of the International Medical Device Regulators Forum (IMDRF) – MDSAP for short – regulates joint audits according to the QM requirements of (currently) the USA, Canada, Brazil, Japan and Australia. These audits are not carried out by the authorities of the respective countries, but by selected recognised Notified Bodies.

Europe’s position
Europe has so far only participated in MDSAP as an observer, and the MDR has not yet indicated that Europe will join in the long term.
Now, in August 2020, the MDCG published MDCG 2020-14, which addresses the use of MDSAP reports for surveillance audits. We have summarised the most important points.

When may MDSAP audit reports be included in audit planning?

For initial MDR/IVDR audits and recertification audits, a full system audit must always be performed. MDSAP audit reports may not be used here. Likewise, they cannot be used for unannounced MDR/IVDR audits.

The application is intended exclusively for planning surveillance audits. Only MDSAP audit reports from regular audits can be used in planning; MDCG excludes the use of unannounced or special audits.

If there are concerns about the proper functioning of the quality management system, for example due to information gathered through the assessment of vigilance or post-market activities, previous surveillance audits or assessments of the technical documentation, the Notified Body shall continue to perform a full surveillance audit.

When may MDSAP audit reports be adduced for planning surveillance audits?

During surveillance audits, areas already audited within the MDSAP audit can be left out of the scope of the MDR audit. However, MDR/IVDR-specific items must still be audited.

This should give the Notified Bodies the opportunity to focus on points that are not or not sufficiently covered by the MDSAP. For example:

  • Clinical evaluation/performance evaluation process (including post-marketing clinical follow-up/performance monitoring),
  • Contractual provisions for EU contract representatives,
  • EU UDI orders under the quality management system, financial cover of the manufacturer with regard to possible liability,
  • Person responsible for the compliance qualification and role,
  • Control of records,
  • system for risk management,
  • Post-market vigilance and monitoring activities, including associated corrective and preventive actions.

However, the opposite can also be the case: If weaknesses of the QMS were uncovered during the MDSAP audit, it may lead to the Notified Body taking a closer look at this area during the surveillance audit. The MDCG emphasises that the entire MDSAP audit reports must be included in the planning of the surveillance audit – with all positive and negative aspects.

The Notified Body decides independently and on its own responsibility whether and to what extent an MDSAP audit report can be taken into account.

Furthermore, it retains sovereignty in all parts. It makes the judgement on the conformity of the MP manufacturer’s QMS and on the safety and performance of medical devices and IVDs to be placed on the EU market.

How should this approach be implemented?

The MDCG encourages Notified Bodies to establish additional guidance to support their procedures for assessing MDSAP audit reports. Examples are assessment criteria for MDSAP audit reports, when they can be used in planning surveillance audits and a determination of which items in the audit programme can and cannot be substituted to ensure that all MDR/IVDR specific subject areas are covered.

Who is this interesting for?

MP and IVD manufacturers who are located in Europe and already participate in MDSAP, for example to obtain FDA approval or to demonstrate conformity of other requirements to be inspected from the MDSAP participating countries, will be particularly pleased. If you have a Notified Body that also performs the MDSAP audit, possibly even the same auditor for both audits, then there is a high probability that the auditors will use their own MDSAP audit report to shorten the MDR surveillance audit. Here, the auditor knows the contents and does not need to specifically analyse the report. The situation is different if another organisation carries out the MDSAP audit. Then it remains to be seen whether MDSAP audit reports are used to determine the scope.

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.