Inside MDSAP: Navigating Multi-Regulatory Harmonization
While Avoiding Common Compliance Pitfalls that Cost Companies Market Access
With speakers Sean Gibbons, Matteo D’Angelo, and Lawrence Yeh
[Download Slides]
Webinar Summary
MDSAP Overview and Strategic Purpose (03:02 – 11:45)
-
MDSAP enables regulatory compliance across 5 jurisdictions (US, Canada, Brazil, Japan, Australia)
-
Notified bodies conduct single audits recognized across regions
-
Reduces audit fatigue for manufacturers with global reach
-
Emphasis on proactive readiness, not reactive compliance
MDSAP Audit Process Structure (11:46 – 21:12)
-
Audit follows a defined process across QMS elements (e.g., management, design, production)
-
Process-based approach reflects ISO 13485 but adds jurisdiction-specific clauses
-
Each jurisdiction has country-specific requirements mapped to tasks
-
Scheduling and scope are defined during planning phase
Documentation and Nonconformity Grading (21:13 – 30:54)
-
Observations are classified by severity: Grades 1–5
-
Grade 5: systemic issues; Grade 4: major breakdowns
-
Detailed grading matrix ensures transparency and uniformity
-
Justifications and CAPA expectations are well defined
-
Report structure includes task references and country flags
Implementation Tips and Best Practices (30:55 – 42:37)
-
Prepare with internal audits that mirror MDSAP structure
-
Use mock audits and documentation mapping
-
Be ready to justify procedural choices
-
Maintain traceability between SOPs, processes, and jurisdictional clauses
Challenges and Regulatory Expectations (42:38 – 51:18)
-
Complexities include maintaining alignment across jurisdictions
-
Language and documentation formats must meet local expectations
-
Transitioning from ISO 13485-only systems requires planning
-
Cultural readiness: being prepared for auditors to follow cross-functional paths
Audience Q&A (51:20 - End)
Full Webinar Transcript
00:04 - Lawrence Yeh
My name is Lawrence Yeh. I'm a senior consultant with AKRA TEAM, and I primarily focus on quality and regulatory issues for many of our customers. And you know, I really enjoy helping people clarify quality requirements because I don't think they should be that scary.
00:27 - Sean Gibbons
My name is Sean Gibbons. I work at Philips. I'm a regulatory affairs manager. Specifically, I focus on software as a medical device, cloud-based AI machine learning algorithms, and I was asked to give a quick statement that any comments made today are based on my own opinions and experience and do not reflect the position or views of Philips and its entities.
00:53 - Matteo D'Angelo
Hello everybody. My name is Matteo d'Angelo. I am a project handler, lead auditor, and technical documentation assessor at TÜV SÜD. I'm authorized for the main relevant schemes regarding medical devices, clearly including MDSAP. My primary area of work at TÜV SÜD is related to non-active medical devices, particularly in the field of orthopedics. I started to work at TÜV SÜD in 2022, but before that, I worked for several years at a large Italian company that relies on implantable devices and surgical instruments for orthopedics. I'm very excited to participate in this webinar. Thank you for the opportunity.
01:43 - Lawrence Yeh
Welcome again to the webinar on MDSAP, the Medical Device Single Audit Program, navigating multi-regulatory harmonization while avoiding the most common compliance pitfalls that can cost companies market access. What you will see and hear today includes information from published documents as well as the opinions and interpretations of myself and the two guest speakers.
So please take note of this disclaimer. And we've already introduced our guest speakers today, Matteo and Sean. For today's agenda, we will discuss the background and history of MDSAP, give you a sense of the structure and scope of the program. We will talk about the key defining features like the structure and grading scheme and how it differs from other audits. And then we will have a panel discussion with our two guest speakers.
02:46 - Lawrence Yeh
We'll talk about common pitfalls, get some insight from the industry from both the perspective of a manufacturer and auditor. And after that, we will have time for some questions from the audience. Let's start with a little background to provide some context. If you are not familiar with MDSAP, what is the Medical Device Single Audit program?
The original intention was to create a single audit that, if conducted, could satisfy the needs of more than one regulatory jurisdiction in Other words, instead of having separate audits for every single region, what if there was a way to somehow combine them? So the clue is in the title. MBSAT Mandel could devise a single audit program, one audit, to rule them all. And they were not trying to make the regulations the same. That would be incredibly challenging.
03:44 - Lawrence Yeh
Instead, they focused on creating a unified auditing method that would at least reduce the number of different audits needed, thereby saving time for both those performing the audits and those being audited. So it was very much driven by a desire to create an efficient and effective program. Now, who is this they I keep referring to?
It began with the GHTF, the Global Harmonization Task Force, which eventually dissolved. But the work was continued in 2011 or 2012 by a working group under the IMDRF, International Medical Device Regulatory Forum, which I believe involved at the time, the five countries that eventually joined MDSAP, as well as China, Europe, Japan, and Russia. And so they formed a sort of international consortium, MDSAP.
04:45 - Lawrence Yeh
And they have a regulatory authority council, RAC, in the diagram on screen, which consists of the regulatory authorities from the five countries that signed on. Australia, Brazil, Canada, Japan, and the U.S. are the five countries in which the regulatory authorities accept this single audit approach. The MDSAP consortium also has official observers from the EU, Singapore, the United Kingdom, and the World Health Organization, and they also have affiliate members from seven other countries across several continents.
Now, these observers and affiliate members participate to varying degrees. They're on the periphery. They cannot make decisions about the program, but they can participate in working groups, they can witness assessments, and participate in forums. In fact, they just recently had a forum in Amsterdam where many stakeholders gathered, and they talked about how the program is working, potential changes in the future, and so on.
05:54 - Lawrence Yeh
My interpretation is that, you know, they are at least curious about the success of the program and may one day consider it. Now, when they launched the program in 2014, the EU said they would make a decision about, you know, full participation in a couple of years. And I remember when I was getting trained on MDSAP in 2017, my trainer said that they wouldn't join any sooner than 2020 at the earliest.
But soon after, as you all know, the EU regulations were being introduced, MDR and IVDR, and they clearly went in a completely different direction. But at the recent forum, there was some discussion about the potential benefits of them joining in the future. Now, just as a side note, there is a tiny way in which an MDSAP audit report could be of use in the EU regulatory context.
06:47 - Lawrence Yeh
But it is certainly not as significant as the worth of an MDSAP audit report in the five jurisdictions. So what are the requirements in scope? Well, we have the international standard for QMS for the medical device industry, ISO 13485, and for the participating countries, we have these main sources of requirements. The regulatory requirements in each jurisdiction during the implementation of MDSAP ISO 13485:2016 had just come out, replacing the 2003 version. And I think this happened sometime during the MDSAP pilot.
Now it's 2025. So the 2016 version has been in place for a long time, and manufacturers are well acquainted with it. But you know, this will need to be revisited whenever the next version of ISO 13485 comes out. Just a couple of weeks ago, the planned five-year review was closed.
07:53 - Lawrence Yeh
In a few months, they may announce the outcome of the review. At the bottom of the slide, it also says specific requirements for the authorities participating in the program. So basically, you know, there are some other requirements. For example, 21 CFR part 807, which is about established registration, device listing, or 21 CFR part 803, which is about medical device reporting. These are additional requirements that are not in 21 CFR part 820, but nevertheless, they are still applicable. Let's talk about the stakeholders. So we have the regulatory authorities from each participating jurisdiction, and they are responsible for assessing, and if the criteria are satisfied, they will recognize auditing organizations, and they will continue to monitor their performance through witness audits and documentation reviews.
Then, from the device manufacturer's perspective, they would apply to an auditing organization to participate in MDSAP.
09:10 - Lawrence Yeh
This is how they would get an audit performed. And based on this, the auditing organizations may communicate with regulatory authorities. You know, they'll let them know that hey, this manufacturer is going to undergo an MDSUB audit. And this is how the regulatory authority knows that they do not need to proceed with their usual audits. This is one of the ways that MDSAP allows device manufacturers to save time after conducting audits and working with manufacturers to resolve any nonconformities. The auditing organizations will share results with the regulatory authorities, along with a recommendation for certification or not.
And then based on this, the regulatory authorities can use this information as part of their own process to grant a marketing authorization in their jurisdiction.
10:11 - Lawrence Yeh
This last point is particularly important because the audit performed as part of MDSAP does not replace any applicable market authorization activities in each of the five jurisdictions. The current product approval pathways are still relevant. MDSAP only replaces the routine auditing Aspect.
I should also mention that MDSAP does not allow manufacturers to avoid addressing open issues.
If you have nonconformities from a previous regulatory audit in one of those five jurisdictions and they've not been resolved, they must still be closed out with that jurisdiction. Applying for MDSAP is not a sort of 'get-out-of-jail-free' card, where you can forget the results of previous audits and then move on to a new audit program.
There is this MDSAP audit cycle, which goes over a three-year-long period. So, at the start would be the initial certification audit.
This would be followed by a surveillance audit in each of the following two years and a recertification audit in the year after that. The result of each audit can be initial certification, continuing certification, or recertification, depending on where you are in this cycle. In the initial certification audit, there are two stages. Stage one is a documentation review. It's to determine if the necessary QMS documentation has been prepared and if the organization is generally prepared to proceed with the process. It also lets the auditors get ready for the on-site audit that will happen in stage two, and lets them know what to focus on so they can save a lot of time during the site visit.
12:19 - Lawrence Yeh
So the stage two audit is the thorough evaluation of all applicable requirements, from what I said before, ISO 13485, and the relevant regulatory requirements, and takes place at all sites that will be recorded on the certificate. For surveillance audits, they check for the continuing compliance and effectiveness of the QMS.
And each surveillance audit does not necessarily need to cover all the requirements that you covered in the initial certification audit.
They will typically focus on changes to the organization, like newer updated products, technical documentation related to their products, or changes to your QMS processes. Surveillance audits also focus a lot on issues related to safety and effectiveness that have emerged since the previous audit. So we're talking about things like complaints, vigilance reports, any sort of field corrections, or recalls.
Keep in mind that terminologies and reporting timelines do vary between jurisdictions.
13:34 - Lawrence Yeh
For surveillance audits, there's typically no stage one, although there could be if there were huge changes, such as, I don't know, major changes to regulatory requirements, for example. And finally, we have the recertification audit, which goes through all the areas of the QMS.
There are more details about this, but this is a general overview of the audit cycle.
And outside of the cycle, there are also audits, like special audits, so these could be conducted to fill in gaps between surveillance audits. Maybe there was some product safety issue that emerged, and the regulatory authority wanted the auditing organization to investigate. For example, or maybe there were major nonconformities that needed to be followed up on-site.
14:32 - Lawrence Yeh
Or perhaps there was an issue with one of the audits, and they needed to redo a portion of the audit because they couldn't complete all the tasks within the available time. Perhaps an auditor fell ill or encountered another obstacle on site. Additionally, there are unannounced audits, which occur when regulatory authorities require auditing organizations to follow up on previous significant non-conformities.
Alternatively, regulatory authorities can conduct these audits themselves. They could conduct their own audits for cause they have a specific reason. Perhaps they want to follow up on something or simply confirm that everything has been implemented. Let's talk about the audit process itself. Perhaps the most important document that manufacturers would need to reference is the MDSAP Audit Approach document. I have the document ID there on your screen, and we'll provide links after this.
15:38 - Lawrence Yeh
This document provides specific instructions on how auditing organizations conduct audits within this program. When MDSAP was launched, there were two separate documents: the NDSAP Audit Model and the MDSAP companion document.
If you encounter these documents or names, please note that they have been combined into Figure 1, which is what you see on the screen.
The MDSAP Audit approach follows a process-based approach, grouping audit tasks into four primary areas: Management, Measurement, Analysis and Improvement, Design and Development, and Production and Service Provision. Then there is the supporting process of purchasing, as well as two additional supporting processes, Device Marketing Authorization and Facility Registration, and Medical Device Adverse Events and Advisory Notices Reporting, and the arrows in this diagram represent links between all of these sections.
16:52 - Lawrence Yeh
This is because there are numerous links between these areas in a QMS. It's a fundamental aspect that many requirements are intertwined and related. When you consider one area, you may end up interacting with another part of the QMS. Purchasing, for example, is a supporting process that has important links to measurement, design, development, production, and service. You may want to confirm that a purchasing requirement has been implemented when auditing another section.
The MDSAP Audit Approach document explicitly mentions these links to help you navigate them.
At the top of the diagram, you see 'Risk Management,' which surrounds the other main processes. This is to emphasize the fundamental nature of risk management and its consideration throughout the audit.
17:53 - Lawrence Yeh
If you have excluded design development from your scope or deemed certain requirements not applicable due to the nature of the device or the organization's operations, that is carried over. The auditing organization would not audit those requirements, as they remain outside your scope. Although it is presented as a sequence, they may not always be able to strictly follow this order, especially if multiple auditors are auditing in parallel.
However, this is the general sequence of activities, and it's a helpful way to view the processes and their relationships.
We don't have time to review the audit tasks in detail today, but I encourage you to review the MDSAP Audit Approach document if you haven't already. It clearly outlines each requirement from ISO 13485, along with the associated regulatory requirements from each jurisdiction.
18:49 - Lawrence Yeh
Another defining feature of MDSAP is its grading scheme. This is an excerpt from another MDSAP document, AUP 0037.002. There are four criteria, and for each one, the auditor applies a score based on the outcome.
For example, number one, is there an indirect or direct impact on medical device safety and performance?
Here, we're saying that if the issue is with something like manager responsibility or commitment, the quality policy, responsibilities, or management review, these have an indirect impact on the device. Conversely, if the issue is with something like product realization, encompassing everything from design to post-market, that would have a direct impact. So if it were a direct impact, for example, you would give it a score of 3. Then, is the second one a repeat issue? Has it occurred in audits from the last three years?
19:47 - Lawrence Yeh
Yes, at a score of one. Was there no document procedure, or was a required activity? Was there a required activity that was not performed? If yes, give it a score of one. And finally, that actually led to the release of any non-conforming device.
Now, if you do the math quickly, you realize that you can end up with a maximum score of six. But as a rule, they've kept the score at five.
Additionally, more details about this grading scheme can be found in the document ID listed on the screen. In summary, some of the benefits of MDSAP include eliminating additional requirements for manufacturers. You still only need to consider the current requirements for the countries, as well as ISO 13485.
20:39 - Lawrence Yeh
It is a single audit, which theoretically lets you use less time and resources to prepare for and undergo audits.
There's a routine audit cycle, so everything's scheduled in advance. And there's that predictability of the structure, the sequence of activities, and how long you spend on each activity. And finally, there is a chance that more regions will join the program.
Initially, there was considerable excitement about the launch, particularly the increase in the number of participating regulatory authorities. I think that's something many manufacturers would also look forward to. That is a quick overview of MDSAP within the time we have. We will include some links here for some resources that might be helpful. You can access them after the webinar.
21:49 - Lawrence Yeh
You can now proceed with completing the poll. And while we wait for the audience, let's bring in our guest speakers. Once again, we have Matteo D'Angelo, project handler and lead auditor from TÜV SÜD, and Sean Gibbons, Regulatory Affairs Manager from Philips.
So why don't we start with you, Matteo?
In your experience with an auditing organization, do you have a preferred MDSAP chapter that you like to audit the most?
22:22 - Matteo D'Angelo
Definitely the manufacturing process, as I enjoy seeing and getting hands-on experience with how devices are actually made, observing the production steps, different applications, and how companies structure their control roles, including process validations. Of course, this is just my personal opinion and not specifically related to MDSAP.
For me, it applies to any scheme clearly.
But it is anyway clear that with MDSAP very structured approach the production session becomes even more exciting because you enter the production area already aware of what most relevant to look at because you have performed before a lot of you have already inspect the management process, the measurement analysis process and therefore you have collected a lot of information to know what you have to see in production.
23:30 - Lawrence Yeh
Yes, absolutely. Yeah. It is always one of the most exciting parts of the audit when you get to check out the manufacturing space, and I'm not sure, but you often see people like. Do you ever wonder if they've like cleaned up the area a lot more just because you're arriving? Yeah, yeah, it is definitely one of the most exciting parts.
How about Sean, from your perspective, do you have a least favorite MDSAP chapter? Perhaps something you don't enjoy preparing?
24:03 - Sean Gibbons
Fair question. I would say it's a bit of a cop-out answer for regulatory, but definitely adverse event reporting falls into that least favorite bucket. No company wants to be in that position. So when you actually have to use those procedures, it's never a fun day. Additionally, for auditing purposes, I find that many companies have numerous questions regarding the different requirements for each jurisdiction. What do you consider your awareness date? What do we do with new information?
Ensuring that we report everything accurately and that information flows correctly to all the relevant regulators in a timely manner is a significant challenge that many companies face.
And because it's not a favorite part of any organization, sometimes they just don't always put the best resources towards there. Not the most favorite part of that audit.
25:00 - Lawrence Yeh
Yeah, no, that's totally fair. That is definitely understandable. All right, well, let's turn to our panel, and why don't we start with the theme that we had in our subtitle there, about compliance pitfalls and audit findings. So this question is for both panelists. What are the three most frequent MDSAP audit nonconformities that result in market access delays?
And what root causes typically drive these failures? Why don't we start with you, Matteo?
26:02 - Matteo D'Angelo
First of all, it is. It is essential to reiterate that MD Sub does not introduce any new requirements, and it is based on ISO 13485 requirements, as well as the applicable regulatory requirements of the MDSAP jurisdictions. This means that it is not entirely accurate to directly associate findings with the MDSAP program; rather, we can discuss findings that emerge as a result of the MDSAP approach. The approach encourages auditors to establish numerous connections between the various audited processes and to base sampling on risk complaints, incidents, non-conformities, or CAPA.
There is therefore a strong emphasis on the procedures that guide these processes, and it is not uncommon to issue findings on nonconformity and CAPA Management as well as Risk Management processes.
27:09 - Matteo D'Angelo
Additionally, linking to your first question, all processes verified at the beginning of the audit sequence allow for very direct and specific sampling in production, often revealing findings related to inadequate quality controls or ineffective process validations. Typical root causes include insufficient training, a lack of resources, or non-robust procedures.
27:48 - Lawrence Yeh
That's right. Yeah. That's really unfortunate. They don't have any procedures in place at all. Certainly seems very unprepared. Right? Yeah. What about you, Sean? What sort of frequent nonconformities do you see from your perspective?
28:03 - Sean Gibbons
Yes, I think my perspective aligns somewhat with Mateo's. Kappa management is definitely one of the top choices. Any manufacturer that goes through CAPAs, or anyone who has ever worked on CAPAs, knows that there are a lot of questions when conducting root cause analysis: how deep do you go? Also, make sure to do a left-right review of all your procedures. So, it's really encouraging manufacturers to ensure that when they conduct CAPAs, they're looking deeply and asking all the right questions. They're not just coming up with the simplest answer and implementing the first thought that comes to their mind.
So CAPA is definitely a big one. Design control deficiencies. So, when they do their NB planning, do they ensure that it is linked to their risk management procedures and the risk management file?
28:54 - Sean Gibbons
Do they again double-check that what they're implementing and what they test in their VMV actually covers what their risk mitigation is calling for? Following up on all of that testing, as I stated before, is the importance of adverse event reporting. This involves ensuring that you understand each jurisdiction's timelines and expectations for reporting post-market events.
These are three that I think any manufacturer can struggle with a little bit.
29:26 - Lawrence Yeh
Yeah, absolutely. Yeah, those definitely sound very familiar to me as well. This next question is for Matteo. How do companies most commonly misunderstand MDSAP requirements? Do they have a misconception about the program? Is there some documentation that they could have easily prepared to avoid noncomformity?
29:53 - Matteo D’Angelo
A frequent mistake is assuming that meeting the ISO 13485 standard is enough to ensure compliance across all jurisdictions. While ISO 13485 is a good starting point, it does not encompass the entire picture. Each country has its own set of specific requirements that must be addressed, and these requirements are essential for successfully navigating the MDSAP audit.
There are several examples we can make. For example, different countries impose strict timelines for reporting product incidents or adverse events. Clearly, missing these deadlines can lead to regulatory issues and potentially result in a delay in market access. Different jurisdictions introduce specific requirements for labeling IPU content, often including language requirements. Many jurisdictions require companies to partner with a local agent, such as the FDA, which acts as the official interface between the company, the manufacturer, and the regulatory requirements.
31:10 - Matteo D’Angelo
And this agent performs activity that varies significantly from one country to another. Another example is that the risk classification of products may differ across jurisdictions, such as between countries, and each classification may result in a different conformity assessment or regulatory pathway. If these aspects are not properly addressed, they can lead to findings by the auditing organization and significant delays in the specific regulatory pathways managed directly by the authorizer themselves. So to ensure smooth market entry and avoid costly, complex issues, it is, in my opinion, crucial to understand the specific regulatory requirements of each market and tailor the strategy accordingly.
Getting these details right from the start will help the organization to navigate global regulations with confidence and avoid unnecessary delays.
32:28 - Lawrence Yeh
That's perfect. Thank you. This next question is for both of you. If you could change one thing about NDSAP to decrease the compliance gaps, what would it be? Would you change the sequence of auditing, how long you spend on a certain task, or the grading scheme?
Let's start with you, Sean.
32:52 - Sean Gibbons
I think that anyone working in the software as a medical device space, especially those with cloud-based solutions, finds that because we're on the cutting edge, many of these auditing schemes were designed for more traditional medical devices.
One thing I would love to see MDSAP incorporate is a bit of tailoring of its auditing practices. So depending on the device type, especially when I'm talking about software as medical device, really making sure that they're creating some flexibility and tailoring of that audit specific to that device, versus just going through chapter by chapter, kind of having that rigid scheme that may not always apply to your device, and then you have to discuss with your auditor what applies, what doesn't apply, which can create a little bit of delay in the audit. As you have those discussions.
I think for me, that would be the biggest thing that makes sense.
33:52 - Lawrence Yeh
How about you, Matteo? If you could change one thing, in.
33:59 - Matteo D'Angelo
In my view, any gaps that may be identified are not a result of the MDSAP itself. So MDSAP is an audit program; it is not a standard regulation. So the applicable requirements remain those defined in ISO, along with the requirements. In my opinion, what is truly needed is a greater harmonization of these regulatory requirements. That would make things easier not only for manufacturers, but also for auditing organizations. While MDSAP doesn't change the audit framework, one of its foundational objectives has always been harmonization, and focusing on that goal could help reduce compliance gaps moving forward.
It is in my opinion something that it was in the previous, in the target, the initial targets of the program and then we have lost along the way because now then this problem is focused on the audits, on the audit structure, on the audit approach, on the fact that you can skip or you can merge five audits in one, but one of the targets was the harmonization.
35:30 - Lawrence Yeh
Yeah, no, that's a very good point. I was always pleased with how well they aligned all the requirements across jurisdictions in the document. But you're absolutely right that there's definitely a lot of work that goes into making that happen.
Let's talk about strategic benefits. Let's go with Sean.
How much do companies save in terms of time and stress? With this model, where you have one audit instead of separate audits, the requirements are the same, but is there a lot less headache because you have fewer audits to go through?
36:10 - Sean Gibbons
Right. I know that no matter how many times you conduct an audit, there's always plenty of stress, extensive planning, and a lot of preparation involved. So for me in regulatory, and I know my quality team really appreciates that one complete audit versus trying to schedule the entire year out, trying to figure out budgets for travel, trying to figure out what rooms we're going to be booking, where the auditors are going to be, who our auditors are is also a big thing since you build a personal relationship with your auditor over time.
In terms of stress, there are definitely huge benefits to your regulatory quality and other departments within the entire company. And then, for planning purposes, it's best to get everything out of the way at once, allowing you to build your procedures around this audit.
You can centralize your procedures to ensure you have fewer SOPs floating around, making it easier to keep them updated. That way, there is great centralization of those. Another benefit to the overall organization is your response times after the audit. If I have an FDA inspection coming in, a response to a significant finding is very short, very stressful, and compared to MDSAP, which buys you a little bit more time to work with your auditors to get the correct responses out and ensure that things can continue operating as normally. Final point, time. Also, whenever an audit comes around, in my opinion, the company has to shut down. Basically, you're preparing for this audit. You're getting everyone in the right room, setting up your front and back room.
That's a lot of time lost that could be spent on more productive activities, such as gaining market access and ensuring all your procedures are effective. So, there are definitely significant stress and time savings.
38:07 - Lawrence Yeh
Absolutely. And. And you have, you know, theoretically fewer different findings, right?
So you can essentially collect your time instead of having to track five different findings for possibly the same issue. You just have the one.
38:22 - Lawrence Yeh
Clean your. For your systems. Yeah. Let's talk about the implementation and transformation. If someone were to adopt MDSAP. Matteo from. Sorry. Actually, let's take a different perspective first. Matteo, from the perspective of an auditing organization, when MDSAP was introduced, what was the response? From your perspective, were there any challenges with training or recruiting auditors to perform audits, that sort of thing?
38:59 - Matteo D'Angelo
Honestly speaking, I don't know because I wasn't working for an auditing organization at the time the MD sub was introduced. However, I can imagine that the existing auditors were accustomed to providing them with a solid training plan, so an integration of the auditor schemes would be beneficial. But what I can say is that when I was authorized for this scheme, I had a very intense training. But the real value came from hands-on experience in the field because the structure of the MDSAP approach is very particular and it's very stressful for the auditor as well.
And I suppose that back in 2016, when Health Canada made the MD sub certificate mandatory for assessing the Canadian market, with a two-year transition period, many companies, I imagine, rushed to get certified all at once, which likely prompted the auditing organization to quickly ramp up training and authorizations.
40:14 - Lawrence Yeh
What about now? Do you encounter other challenges, such as finding the right auditors with the right skill sets to perform audits, or is it a fairly stable environment?
40:26 - Matteo d’Angelo
It's a typical audit where you need to be well prepared when you arrive at the company. You need to study the company, its processes, and the documentation received in advance to understand what you can sample during the inspection and the sequence of tasks you would like to follow. Therefore, it is very important that auditors have a well-organized approach and a clear plan.
So, precision organization is a typical skill of the auditor, but they are in this case, right?
41:16 - Lawrence Yeh
Absolutely. Sean, from your perspective, how do companies manage resource allocation for MDSAP? If they save time and resources, is it a challenge to justify their quality and regulatory personnel?
41:35 - Sean Gibbons
So yeah, I think that's going to be the first thought of any company is now we're coming down to a single audit. Great. Do we need all of these resources? Which, to me, is really a short-sighted plan. You do free up your resources to do the jobs for which they're hired. Quality can now focus on cost savings, whether it's reducing scrap or ensuring the plans for V and D are thorough, so you don't have recalls in the future. And then now regulators can focus more of their time on market access even outside of MDSAP countries. This allows me to now look forward and plan for additional market access instead of thinking When is my next audit coming up? What do I have to prepare for? Are the procedures ready for the different reviewers who will be coming in?
For justification of those resources, I think companies really have to be forward-looking and looking to grow, rather than just cutting the bottom line.
42:32 - Lawrence Yeh
Yes, I think that often, people don't seem to realize all the other duties that quality and regulatory personnel have. It's not just defending audits. What about, for instance, organizational changes or cultural shifts? Do you think there's anything that's necessary to navigate MDSAP implementation?
42:56 - Sean Gibbons
From a cultural perspective? I think that companies across the board, every department, need to sign up to own their own procedures and participate in these audits.
A common downfall for many companies is that they simply say, 'Okay, regulatory, quality, your audit people, you handle this whole thing.' We'll see you in a few days.
So definitely a cultural shift there. Additionally, they ensure the company is adhering to its quality system, reviewing procedures, reports, and conducting management reviews to assess its effectiveness in relation to current operations. This is something that even if you're outside of MDSAP, you should be doing. However, you now have a clearer focal point.
You have your planned one-year review, where everyone needs to come together and ensure they're ready. So I think that helps with that cultural shift as well. Since pre-planning, everyone is prepared for what we need to do to be successful? Successful, absolutely.
44:01 - Lawrence Yeh
Let's shift our focus to future-proofing and emerging technologies. This question is for both of you. What is one question you would like to have answered by the Regulatory Authority Council that is in charge of MDSAP? Is there anything you'd like to know about future expansion plans, changes to the program, or other related matters? Why don't we start with you, Matteo?
44:26 - Matteo D'Angelo
For me, the big question is definitely whether there will be an expansion to other countries. If MDSAP were to expand into Europe, for example, TÜV SÜD, being both an MDR notified body and an MDSAP organization, could greatly benefit from this and offer a comprehensive service solution. That said, it all depends on how much value the European Commission would actually place on the MDSAP certificate within its own conformity assessment process. This rationale is also valid for other countries.
45:11- Lawrence Yeh
What about you, Sean (Gibbons)?
45:14 - Sean Gibbons
Definitely. Also with the MDSAP expansion, anytime that we can harmonize and, for myself as a regulatory, make my submissions more streamlined and easier, any company is going to be looking for that help. As I mentioned before, any auditing practices specific to software's medical device changes, cloud-based practices, and adopting AI practices that each regulator is starting to move towards and plans for in the future are definitely valuable information for manufacturers.
45:48 - Lawrence Yeh
Sean, how should companies prepare their MDSAP compliance frameworks for upcoming requirements related to artificial intelligence or machine learning, device oversight, and algorithm validation expectations?
46:03 - Sean Gibbons
Yeah, so this is always a fun one, especially when you get introduced to the AI machine learning world. Definitely, algorithm versioning is something that companies need to make sure they take seriously. When we're talking about software as a medical device, it's relatively straightforward for engineers to make changes. Go in. It's not like your typical hardware, so things can move fast. So, making sure you have that versioning in place so you have an audit trail to know how your device has changed over time. Strong validation plans. There's a lot of black box mentality around AI. So, making sure that your validation is very robust, so you can cover all the use cases that maybe you possibly didn't even think of because of the nature of AI, and then real-world performance monitoring.
We always know that we try to be as robust as possible with the validation, but when it's put into real world use, there could be changes to how the device is performing. Therefore, it is essential to closely monitor this and follow the typical 62304 framework, which sets a clear boundary for software development. This framework should be taken to heart by any manufacturer, as I believe it is crucial to building a successful QMS around software development. Another aspect that I think is always overlooked is data management practices. You're seeing a lot of regulators coming out with requirements for how you collect, store, and clean your data.
All of those should be well-defined and simple to access for any auditor if you want to have a successful implementation.
47:41 - Lawrence Yeh
Sean Smith. How are we doing on time?
47:45 - Sean Smith
We have 10 minutes left. Nine, really. And so we have a number of questions in The Q&A. 13 to be exact. And that's more than we can possibly answer in the next nine minutes.
48:02 - Lawrence Yeh
Well, why don't we jump into the Q and A now?
48:06 - Sean Smith
Gladly. So let me just jump in with this question. Does MDSAP auditing organization communicate certificate suspension and withdrawal directly to regulatory authorities? Are we clear what that means?
48:31 - Sean Smith
Okay. Does MDSAP auditing organization communicate certificate suspension and withdrawal directly to regulatory authorities? I'm not sure that the auditor spent the certificate.
48:46 - Matteo D'Angelo
I think I can answer this question. What the auditing organization do is to recommend or not the issue or the continuation of the MDSAP certificate. Then it's up to the regulatory authorities to define what happened for this manufacturer on the market. So the auditing organization closes the activity when forwarding information to the jurisdictions.
49:24 - Sean Smith
Okay, thank you. So, sort of is nonconformity. Is it a nonconformity if the company wants to participate in the MDSAP program but does not have specialists for each jurisdiction?.
49:48 - Sean Gibbons
I believe you'll encounter issues with the establishment registration certification in specific regions. Top of mind. Japan. You may have to have a local authorized representative to cover your licensing. Therefore, if you're not specifically targeting that jurisdiction, it may not be an issue for MDSAP. You would simply exclude that from the scope of your certification. However, I would definitely look at the local market and understand the regulations before entering MDSAP, so you can decide whether this is necessary for your company.
50:26 - Sean Smith
Fantastic. And this is a related question. Is it possible to take part in the MDSAP program if the company only covers Canada and the US FDA?
50:41 - Lawrence Yeh
Yeah, absolutely. They just need to decide which jurisdictions they want. And those would be the ones that are in scope.
50:49 - Sean Smith
Exactly. Once audited for all MDSAP regions, can a manufacturer sell into those regions? Assuming no licenses are required, i.e., Class 1 devices and the required registration listing or notifications have been completed.
51:09 - Sean Gibbons
I think the key there would be the required registrations, listings, notifications, and also ensuring that your sales procedures and post-marketing requirements all follow local regulations. You should be able to start sales. However, I would ensure that you work with the local representative and understand the local requirements before initiating shipments. Because there are local requirements that are not covered under MDSAP for each market.
51:40 - Sean Smith
Good, I understand. Next question. If our company is based in the USA, is already FDA registered and ISO 1345 certified, would that reduce the audit required to achieve MDSAP certification for Canada? So, 13485 certified in the US FDA registered, would it make it easier to enter Canada with MDSAP?
52:15 - Matteo D'Angelo
Ultimately, you require the MD certificate to access the Canadian market. In any case, for sure if they. If they have ISO and FDA registration, it's probably easier for them. But in any case, you need to have the MDSAP certificate for Canada. Another important piece of information is that if you apply for a country like Canada for MDSAP and sell your devices in other countries, you must apply to all of them. You cannot select just one if you also sell in the other.
53:07 - Sean Gibbons
And Matteo, I think what they might be looking for is that there is an. Is there an abbreviated audit process available if I am not working with a Notified Body? I don't believe there would be an abbreviated process. It would simply be that you're already more confident in having the evidence for the MDSAP certification, given that you already have your ISO 13485 certificate. But as a manufacturing person, I'm not aware of an abbreviated audit process.
53:40 - Sean Smith
Nor am I. To both of you. What advice would you give to a manufacturing organization or what tools would you recommend without naming any proprietary tools as an effective means to maintain compliance with regulatory requirements in the different jurisdictions?
54:03 - Sean Gibbons
A regulatory intelligence platform is going to be one of your best friends. You're working across multiple markets that put out multiple requirements all the time, and you have to find a way to meet these requirements, and then also, how do they bridge to the other jurisdictions you're in? So, you definitely need to ensure that your regulatory intelligence is up to date, and then your filing structure as well. I know many companies are moving towards the EQMs, so I just want to ensure that your files are organized, readily accessible, and that there are clear connections between your SOPs, reports, and all product-related documentation.
You don't want to be caught digging through everything and finding out that you're missing a document because you didn't create a good traceability organizational structure for your QMS.
54:58 - Lawrence Yeh
To add to that, both of Sean's points are extremely valid. It's not just the change of, you know, regulations, but there are guidance documents all the time. White papers are available to help you navigate the changes and their impact on your business as a menu manufacturer. I recommend that people explore different regulatory intelligence platforms or set up their own crawlers to collect information and automatically feed it into their inboxes whenever new information becomes available. And for the EQMS side, absolutely. It's how often do people struggle to find the right record during an audit? And it's such a struggle, it slows things down. You know, the auditor starts getting anxious because they can't obtain the necessary information and move forward.
Yeah, definitely looking into the right QMS platform to store all your documents, records, and there's a whole industry out there that works on that kind of thing. So definitely that's something they should look into.
56:01 - Sean Smith
And I'm sure Lawrence would be happy to follow up with any of you who would like more specific information on how AKRA TEAM can help you establish that. We have about a minute left. Last question. Countries that accept the MDSAP certificate, such as Singapore and South Korea, do they need a specific MDSAP country in scope, or would any country be acceptable? I think I understand the question.
56:32 - Sean Gibbons
From my knowledge, I do not believe they specifically look for any country to be included. They simply look for your certificate because they will then incorporate it into their own QMS audits.
- End
Subscribe to EU MDR & IVDR Insider
Ā
