Does MDSAP replace ISO 13485, or do both have to be maintained?

Mark Meer

Trusted Information Resource
With just over 17 months until MDSAP is mandatory for Canadian sales, our current ISO 13485 certification body is pressuring us to get on the program.

(and I don't blame them...I suspect a flood of requests come 2018, and not enough CB resources to accommodate. :nope: )

Can anyone on the MDSAP (or in the process) help me with the following: How does MDSAP affect your ISO 13485 certification? Did you:

a) Continue to maintain ISO 13485 certification? If so, does this involve the (odious) number of MDSAP audit hours PLUS audit hours for 13485? ...or is there some way to combine the two efficiently to avoid additional audit burden/expense? or,

b) Drop your ISO 13485 certification? I'm not sure what the implications would be. Assuming global sales (Europe, Asia, South America...) in addition to the 5 MDSAP countries, is there a reason ISO 13485 would have to be maintained if you have MDSAP? Certain distributors have asked for our ISO 13485 in the past, but maybe now they will also accept MDSAP?


Mandatory MDSAP is going to be an industry gong show it seems... :nope:

Any experience or input much appreciated!
MM
 

DannyK

Trusted Information Resource
MDSAP does not replace ISO 13485.
It replaces the CMDCAS program for Canada and adds the regulatory requirements for USA, Australia, Japan, and Brazil.
You will still need to be registered to either ISO 13485:2003 and ISO 13485:2016 before March 1, 2019.
The shock will come for small businesses that were used to 1 or 1.5 days surveillance audits. These audits can be 4 or 5 days easily. And with the new standard comes an increase in day rates.
Some companies are considering abandoning the Canadian market because of the huge increase in fees. Canada is the only country that makes MDSAP mandatory.
There will be a crisis situation toward the end of 2018.
 

Mark Meer

Trusted Information Resource
You will still need to be registered to either ISO 13485:2003 and ISO 13485:2016 before March 1, 2019.

Why? What is the significance of March 1, 2019?

As far as global markets go, if you were wanting to keep access as flexible as possible, am I correct in assuming that companies will have to maintain BOTH MDSAP (just for Canada) and ISO13485?

The shock will come for small businesses that were used to 1 or 1.5 days surveillance audits. These audits can be 4 or 5 days easily. And with the new standard comes an increase in day rates.
Some companies are considering abandoning the Canadian market because of the huge increase in fees. Canada is the only country that makes MDSAP mandatory.
There will be a crisis situation toward the end of 2018.

Yup. We are in this category. It's difficult to imagine what on earth auditors would do with a 7-day audit, given the limited products (and corresponding limited records) we maintain.
Abandoning the Canadian market altogether seems an option worth considering at this point... :(
 

Mark Meer

Trusted Information Resource
Some other considerations that might help our decision:

Does anyone know if there's any talk of other countries adopting MDSAP as mandatory in the future? Any anticipation that, for example, the US FDA or Australian TGA may also mandate MDSAP?

Does anyone know if other countries/regions may also recognise MDSAP in the future? Is it a program other countries are lining up to join? ...or is it likely limited to the current 5 countries for the foreseeable future?
 

yodon

Leader
Super Moderator
Let's back up a second. My understanding is that MDSAP is intended to be a vehicle to allow results of a single audit to be accepted by multiple countries (regulatory bodies) - you don't "maintain" MDSAP, you only comply with all the applicable regulatory requirements for your target markets. These audits would cover the country-specific requirements. As far as I know, only Canada has mandated an MDSAP audit.

Per the FDA (https://www.fda.gov/MedicalDevices/InternationalPrograms/MDSAPPilot/), they will accept an MDSAP as a substitute for a routine inspection.

The EU, as far as I know, has not embraced MDSAP so if you want to continue to market there, you'll still be subject to the same audits. I expect, if you wanted to market in the US, Canada, and EU, you could have the MDSAP audit and they could also cover the 13485 audit (no doubt with extra cost).

I think DannyK is spot on with his assertion that this is heading towards a crisis. To do an MDSAP audit, the audit agency needs to be accredited to do so. I think, to date, only a very few agencies have been accredited.

Couple that with the already reduced number of registrars / notified bodies plus all the additional work they're going to have to do under the MDR and the situation starts looking pretty grim!

Further, as the FDA statement is worded, they can accept the MDSAP audit as a substitute for a *routine* inspection. They are still authorized to do any for-cause inspections. If they don't like something in the MDSAP report, they are free to do an inspection.

So while the concept sounds good (one audit to rule them all -- sorry, had to), application is going to be, well, interesting.
 

mihzago

Trusted Information Resource
MDSAP is not a separate certification or a quality management system, it's an auditing approach.
ISO13485 is still defining your QMS requirements, and MDSAP is an audit process that verifies your compliance with ISO 13485 and applicable country regulations.

Take a look at the audit model
https://www.fda.gov/downloads/MedicalDevices/InternationalPrograms/MDSAPPilot/UCM390383.pdf

(note, there is a version specific to 2003 and 2016 version of ISO 13485).
All questions and evidence collected during the audit are based on ISO 13485.

The audit time is longer because it's no longer based on the size of the company (effective number of employees), but on the number of activities that a manufacturer is performing.

There are no additional requirements beyond ISO 13485, at least none that I am aware of, except for the regulatory requirements; though, the 2016 version requires you to comply with applicable regulatory requirements anyway.
 

somashekar

Leader
Admin
If you choose your ISO 13485 CB who is also accredited to MDSAP, you may perhaps get your ISO 13485 for free ...
 

Mark Meer

Trusted Information Resource
MDSAP is not a separate certification or a quality management system, it's an auditing approach.
ISO13485 is still defining your QMS requirements, and MDSAP is an audit process that verifies your compliance with ISO 13485 and applicable country regulations.

So, am I correct to assume that by being on the MDSAP program you necessarily maintain ISO 13485 certificate as well?

In other words, MDSAP is not separate from ISO 13485, but rather just an extension of ISO 13485 to cover other countries' specific QMS requirements (in addition to the base ISO 13485 requirements)?
 

Marcelo

Inactive Registered Visitor
So, am I correct to assume that by being on the MDSAP program you necessarily maintain ISO 13485 certificate as well?

In other words, MDSAP is not separate from ISO 13485, but rather just an extension of ISO 13485 to cover other countries' specific QMS requirements (in addition to the base ISO 13485 requirements)?

This is not right.

First, there's no "ISO 13485 certification". What exists are certification schemes - a certification program with its own rules, which includes, for example, a specific audit methodology and usually includes a recognition agreement such as an MLA - that uses ISO 13485 as a basis. For example, the IAF has a certification scheme for ISO 13485. The end result of these schemes is a certificate that shows compliance with something, in particular, with the requirements defined in the certification scheme rules. In the case of the mentioned IAF, the certificate shows compliance with ISO 13485 following IAF rules.

MDSAP is another certification scheme, with its own rules. The end result is MDSAP Certificates - they represent the application of an audit methodology to determine compliance with the requirements of ISO13485:2016 and relevant regulatory requirements for QMS through a single audit for multiple regulators.

Can you use your MDSAP certificate to show compliance to ISO 13485? Or even the IAF, or any certification scheme based on ISO 13485?
The answer depends on what you are using it for.

For example, to get the benefits of the MDSAP program, you have to use an MDSAP certificate, they don't accept an ISO 13485 certificate from other schemes (this is generally true for most schemes, unless there's a recognition agreement between schemes).
 