MDSAP (Medical Device Single Audit Program) Pilot: Please share your feedback

[Highground]

Question: How "hard" was the audit? In otherwords, in comparison to regular 13485 audits, was the level of scrutiny noticeably higher?
Yes, I would say it was.

I presume, that with 6 managers the company is mid-sized?
We are small to mid-size.

My concern - as we are also signed up for MDSAP - is that the mandated (lengthy) audit timeframes will necessarily disadvantage small businesses with a limited product-line, simple processes, and small number of records. Given an initial MDSAP audit can be up to 7 days, I worry that either:

1. To fill mandated audit time, auditor will be motivated to dig much deeper into records years old (and essentially obsolete), and/or scrutinise minor details.
AND/OR
2. They'll be "wasting" much of the allotted time (as there is limited stuff to actually inspect) at our expense.

We have software, so that added one extra day equaling 4days. They will take into account how many medical devices you have on the market, employees, software, manufacturing sites etc. Also, if you sell into the countries that are associated with MDSAP this will increase the scrutiny of the regulatory side of the audit.

It was interesting how the nonconformity grading matrix worked. It's not a good thing if you get a 4 or 5. Which we did not. This will put your recertification on hold until the issue is resolved. I'm not sure if this is with a response on how to resolve or you need to resolve ASAP. I should have asked that question. The QA Manager headed the audit up.

If you receive a direct impact ncr in clauses ISO 13485:2016 7.0 to 8.5 this will put you at a score of 3 and if you have repeat nonconformities against the same QMS sub-clause the score increases by 1. It is high stakes!

Sorry if this is a little confusing...

 

[LUFAN]

Hello,

We are gearing up for our Stage 1 onsite audit next week. We were supposed to have our Stage 1 offsite about a month ago but it has become apparent our auditor has not done the work. We sent our auditor roughly 80 documents when they requested them in mid September. Our auditor is now requesting (3 weeks later) we essentially complete the audit checklist for them including referencing document numbers, specific sections of those documents, and which pages they are to be found for every MDSAP requirement, and they would verify the information. We are getting rather annoyed as they have had our documentation for nearly a month and they are only asking us to provide the document numbers, sections, and page numbers 7 days ahead of our onsite. We are a small to midsized company and the entire process has put a burden on resources.

Anyone else have this experience?

 

[Mark Meer]

We are gearing up for our Stage 1 onsite audit next week. We were supposed to have our Stage 1 offsite about a month ago but it has become apparent our auditor has not done the work. We sent our auditor roughly 80 documents when they requested them in mid September. Our auditor is now requesting (3 weeks later) we essentially complete the audit checklist for them including referencing document numbers, specific sections of those documents, and which pages they are to be found for every MDSAP requirement, and they would verify the information....

Hi LUFAN, and welcome to the Cove!

We haven't started MDSAP yet, but this seems weird to me.

I was under the impression that onsite audits were mandated by the program, and that the number of audit-days was strictly specified. Perhaps there is a clause somewhere allowing for offsite, but even in this case, how are they recording the audit-days to comply with the MDSAP program? (you say it's been over 3 weeks?!).

And, after suggesting to you they would do it offsite, they are now booking an onsite visit AFTER much of the work is already done (much, it sounds, by you)?!

I'm pretty certain this is not the way it's intended to work...

I would suggest:

1. Review the MDSAP program documents, and see if what they are proposing actually aligns with the program

2. Ask why they can't do the checklists themselves onsite. MDSAP scheduling should give them oodles of time for a small-mid sized organisation. Unless they are giving you some (financial) incentive to complete the checklists yourself, I don't see why you should be burdened with doing the work you're paying them to do...

Good Luck!
MM.

 

[LUFAN]

Hi LUFAN, and welcome to the Cove!

I was under the impression that onsite audits were mandated by the program, and that the number of audit-days was strictly specified. Perhaps there is a clause somewhere allowing for offsite, but even in this case, how are they recording the audit-days to comply with the MDSAP program? (you say it's been over 3 weeks?!).

Hello Mark,

We're definitely a little annoyed by the process thus far. If you read MDSAP AU P0002.004 P.10 it says the following:

The Auditing Organization shall determine how best to accomplish tasks of Stage 1 and Stage 2 with regards to off-site record review and on-site verifications. Hence portions of a Stage 1 audit (e.g. documentation review) may be performed at a site other than the site(s) of the manufacturer seeking initial certification. In practice it is intended that the Auditing Organization may combine elements of Stage 1 and Stage 2 to allow for a single on-site visit to the manufacturer.

Our AO (don't want to name names) scheduled our Stage 1 as two days, one off-site documentation review audit day and one on-site audit day to look at processes. The scheduler said we should book the offsite roughly one month from the onsite as we would get feedback and have time to implement those changes if required. All of this was communicated to us months ago and we were fine with it.

On the date of our Stage 1 off-site, our auditor requested the documentation that showed adherence to requirements which we did in a matter of hours. There was no specific list of documents requested. We sent everything we felt would be required. We didn't hear anything for 3 weeks despite a few emails asking for updates. Then out of the blue the auditor sent us the auditor checklist and asked us to fill it out. That brings me to today. Our on-site portion of stage 1 is next week, but the documentation review appears to have not been started and it looks like we're not getting feedback either.

I believe every AO has their own audit checklist, but ours' instructions were very vague and contain nothing indicating client specific instructions. I've read the MDSAP audit model and companion documents and there's not specific information about what the client needs to do. This sounds like our AO or our auditor putting additional requirements on us.

1. Review the MDSAP program documents, and see if what they are proposing actually aligns with the program

2. Ask why they can't do the checklists themselves onsite. MDSAP scheduling should give them oodles of time for a small-mid sized organisation. Unless they are giving you some (financial) incentive to complete the checklists yourself, I don't see why you should be burdened with doing the work you're paying them to do...

We are definitely not getting any financial incentives and definitely feel burned by the extra work giving the short time-frame it is expected. Had this been communicated months ago, we probably could have made it work. I should say we are going for initial certification to MDSAP and ISO 13485 so all of this is a little new to us, but I've spent much of the last year getting ready. This just feels way out in left field to me.

 

[Mark Meer]

Our AO (don't want to name names) scheduled our Stage 1 as two days, one off-site documentation review audit day and one on-site audit day to look at processes. The scheduler said we should book the offsite roughly one month from the onsite as we would get feedback and have time to implement those changes if required. All of this was communicated to us months ago and we were fine with it.

Wow! Your initial MDSAP certification audit was scheduled as only two days (one offsite, and one on)?! Assuming the AO is calculating correctly, count yourself lucky!

I was quoted by a variety of potential AO's and I don't recall there being any for which the initial audit was less than five days onsite.
(and we are a small company, with limited products, and only market in two of the MDSAP countries).

We are definitely not getting any financial incentives and definitely feel burned by the extra work giving the short time-frame it is expected. Had this been communicated months ago, we probably could have made it work. I should say we are going for initial certification to MDSAP and ISO 13485 so all of this is a little new to us, but I've spent much of the last year getting ready. This just feels way out in left field to me.

Unfortunately many of the AO's are new to MDSAP aswell, so presumably they've all developed their own paperwork - some more burdensome than others - without having gone through the process with many clients yet. If they are unresponsive to attempts to get status updates, that may be a red-flag. Communication is important. When they dump a bunch of paperwork/forms/checklists on you, be sure and clarify what it's for, how it impacts the process, and how detailed it has to be.

I'd wager that a lot of it is just internal paperwork developed by some overzealous documentation manager, and hence you can complete them sparingly, and hopefully not spend too much time on them.


Wish I could say I had some advice to give, but you are the trail-blazer here!
I'd love to hear more of your experiences with the MDSAP as they unfold!

MM.

 

[LUFAN]

Stage 1 was two days. Our Stage 2 will be in December and should be five, per the scheduling document. I'll update as we keep going. Just wanted to make sure this wasn't some super common thing.

 

[Highground]

Interesting...we were quoted 1 day for stage 1 and sent all requested documents. Had a report back within three weeks giving the ok to proceed to stage 2...4 days onsite.

The NB had their act together for sure. Excellent expertise. They did mention it has been pretty overwhelming to get up to speed for MDSAP. It really increases the work for the NB.

 

[smartinez]

MDSAP newbie here; How many AO's did you get quotes from? We're a small medical device company and we are worried that the cost of MDSAP will be too much for us. We are waiting for one quote but should we get more or is everyone in the similiar price ranage? what is the price range?

 

[LUFAN]

Interesting...we were quoted 1 day for stage 1 and sent all requested documents. Had a report back within three weeks giving the ok to proceed to stage 2...4 days onsite.

The NB had their act together for sure. Excellent expertise. They did mention it has been pretty overwhelming to get up to speed for MDSAP. It really increases the work for the NB.

I'm thinking this is more of an auditor thing than an AO thing. We're make several high risk devices and I get the feeling our AO has limited MDSAP auditors available, if any beyond our currently assigned one. Puts us in a difficult spot.

 

[LUFAN]

MDSAP newbie here; How many AO's did you get quotes from? We're a small medical device company and we are worried that the cost of MDSAP will be too much for us. We are waiting for one quote but should we get more or is everyone in the similiar price ranage? what is the price range?

I think I originally sent in about 7. A few turned us down immediately saying they were certified to sell MDSAP yet, a few more strung us along before they finally admitted they wouldn't be able to sell MDSAP for a while. If I were you and knowing what I know now. Send in 4 RFQs to BSI, TUV, Intertek and now UL. They are all recognized MDSAP AO's and won't string you along. That said depending on the type of device you sell, they may or may not want to take the business if they don't have the technical expertise. I ran into this problem a few times too. I would suggest you get a pre-audit done to help you with this process. We found it incredibly valuable.

Cost isn't bad. It's dependent on employees affecting your QS (which excludes sales), but even has a small to mid-sized company we thought it was pretty reasonable on a yearly basis.