Brian Ludovico wants device-makers to know that if they already follow international quality systems standard ISO 13485, then undergoing an MDSAP audit is a snap.
That's because the Medical Device Single Audit Program – which allows firms to undergo one audit by an accredited third party to satisfy quality regulations for the US, Canada, Brazil, Japan and Australia – maps to ISO 13485.
Some manufacturers "become nervous about an MDSAP audit – 'Oh my gosh, my gosh, my gosh, MDSAP, oh my gosh … I've got to get ready for this, I've got to get ready for this.' But be confident in yourself that you're already ready for it. You've been doing this all along," said Ludovico, executive director of MDSAP regulatory certification for consulting firm NSF International.
Firms use ISO 13485 to ensure quality systems compliance with regulators in a variety of countries, including Canada, Japan and Australia. (US FDA is in the beginning stages of harmonizing its Quality System Regulation with the standard, and companies can use an ISO 13485 certificate to temporarily meet Brazilian Good Manufacturing Practice [GMP] requirements as they await an ANVISA inspection.)
Ludovico pointed out that while ISO 13485 is a base for MDSAP, the audit program still tacks on specific regulatory requirements from each of the five participating countries.
Nevertheless, "Sec. 4 of ISO 13485 [titled 'Quality Management System'] specifically states that the standard is used for regulatory purposes," he said. "That means if you're claiming to follow ISO 13485, then you're claiming that you're following every regulation where you're selling your product.
"How is that any different than MDSAP? It's not," Ludovico added. "When you really break it down and you look at the psychology that's involved in MDSAP, you're probably already doing what you have to do to pass an MDSAP audit."
"I got into [MDSAP] to cut the red tape. I'm still trying to find the scissors, to be honest," NSF International's Brian Ludovico says.
The current 2003 version of the standard will be officially replaced by ISO 13485:2016on March 1. (Check out Medtech Insight's Interactive Timeline to stay abreast of global regulatory deadlines.)
Ludovico said the "meteoric" rise in the number of MDSAP audits performed over the past four years is evidence that more firms are moving past any jitters they may have about the audit program – although Health Canada's come-and-gone Jan. 1 deadline for device-makers to be certified to MDSAP didn't hurt the program's participation numbers last year, to be sure.
As of the end of 2018, more than 2,700 manufacturers underwent an MDSAP audit. (See chart below.)
"Such positive numbers goes to show how far we've come with this program," Ludovico said. "A lot of people are putting a lot of effort into MDSAP."
MDSAP Participating Manufacturer Sites, By Calendar YearSource: NSF International
Trust Us, We're AOs
Ludovico, whose NSF International is an MDSAP auditing organization (AO), says device firms should feel at ease knowing that AOs undergo a rigorous process to become recognized by the MDSAP Regulatory Authority Council (RAC), which oversees the program.
"We auditing organizations go through two phases. The first phase is authorization, which means you've completed all your paperwork, you've gotten into the program and you've complied with all that you need to. And then there's recognition," he said.
Recognition comes after an AO performs three MDSAP audits witnessed by participating regulators. Until then, an AO is only authorized to conduct audits.
"So, what's the difference between 'authorization' and 'recognition'? Just those three witnessed audits," Ludovico said.
"People ask me all the time, 'Can I use an auditing organization that's only authorized to audit?' And the answer is yes," he said. "The reason why is, heaven forbid something goes awry with one of those witnessed audits, and the AO goes off the rails and gets kicked out of the program – in that case, the MDSAP RAC wanted to make sure that the manufacturer is protected."
Therefore, firms planning an MDSAP audit and considering which AO to choose should know that "as long as they pass the authorization stage, they're ready to perform full MDSAP certification audits," Ludovico said.
And AOs must undergo a witnessed audit each year after becoming recognized.
"So, you can see it's a rigorous process that AOs must go through. There is oversight to us, so we must maintain our glowing reputation in our processes," Ludovico said.
As of last month, there were 14 AOs either recognized or authorized to perform audits, according to a listing on FDA's website.
"All of them but two are also notified bodies, so when we talk about this idea of a one-stop shop and getting everybody into your organization at the same time so they can perform one audit, really the idea is harmonization across the globe," Ludovico said.
"I got into [MDSAP] to cut the red tape. I'm still trying to find the scissors, to be honest, but as we move on, we'd like to get in such a way so that all of this is driving toward the same thing: harmonization," he added.
Ludovico noted that AOs follow international standard ISO 17021-1:2015, "which is our ISO 13485, if you will. It's what we follow to make sure we as an AO have a quality management system that is accredited properly."
ISO 17021 "contains principles and requirements for the competence, consistency and impartiality of bodies providing audit and certification of all types of management systems," the International Organization for Standardization (ISO) says on its website.
And, Ludovico said, AOs must follow the provisions of a 2013 document from the International Medical Device Regulators Forum. The so-called N4 document from IMDRF – the organization that runs MDSAP – lays bare requirements for auditing organizations.
"All of that oversight should make you feel confident that they're not just sending in somebody to audit because they're a warm body," he said.
Ludovico's comments came at FDAnews' 12th Annual FDA Inspections Summit in Bethesda, Md.
From the editors of The Gray Sheet