ISO13485:2016, MDSAP and Internal Audits

MarkC

Registered
When it was just CMDCAS and ISO13485:2016, we had an internal audit checklist. That checklist went through the ISO standard section by section, point by point and determined if our quality system addressed those requirements. After moving to the MDSAP audit style, we passed our initial audit. On our surveillance audit, the new auditor disagreed with that approach. He said that our internal audit now must follow the MDSAP audit approach, and our previous 'ISO point by point' audit wasn't valid.

I couldn't find anywhere online that agreed or disagreed with this finding. I'm limited in my ISO knowledge, but I thought that if internally we adhered to the standard, we adhered to the standard. I take it I'm wrong?

Cheers,
Mark
 

contigo123

Involved In Discussions
Did they give you a finding, and if so what did they reference? Perhaps they are looking to ensure a process approach has been implemented/audited and there are some gaps when you just do a checklist?
 

MarkC

Registered
Thanks for your response. The official finding was:

Scope of the internal audit: did not include MDSAP Audit Approach
No evidence that it covered the additional MDSAP process (e.g. CH 2 and CH4...)

Cheers!
 

LUFAN

Quite Involved in Discussions
Thanks for your response. The official finding was:

Scope of the internal audit: did not include MDSAP Audit Approach
No evidence that it covered the additional MDSAP process (e.g. CH 2 and CH4...)

Cheers!

Did your internal audit/auditor not review Marketing Authorization (Chapter 2) and Adverse Event reporting (Chapter 4)? In which case, I would say that NC is justifiable seeing as that is covered under MDSAP for each country you're selling into (and 13485 by itself to be honest).

A checklist is a totally fine approach, but seeing as MDSAP is not just ISO 13485, your checklist needs to account for every single requirement for each country that's applicable on top of ISO 13485. THAT is the MDSAP audit approach. If interested, shoot me a PM and I'll give you the checklist I got from my Auditing Organization.
 

MarkC

Registered
Thanks for your response. I'm starting to understand it better now. It makes me think my approach (my old checklist) was fine - except it needed expanding beyond simply the standard, which is what I had. The way I addressed the NC was I said myself and the other internal guy will take a formal NDSAP internal auditor training course and then update the document then.

It sounds like the NC was 'well deserved' ...
 

LUFAN

Quite Involved in Discussions
Thanks for your response. I'm starting to understand it better now. It makes me think my approach (my old checklist) was fine - except it needed expanding beyond simply the standard, which is what I had. The way I addressed the NC was I said myself and the other internal guy will take a formal NDSAP internal auditor training course and then update the document then.

It sounds like the NC was 'well deserved' ...

Bingo, you got it. Make sure your checklist is essentially a checklist of the MDSAP Companion Document for each requirement.

I just finishing building a QMS from scratch for my current employer to 13485 only, but I actually find the MDSAP approach better for internal audits because it really does mean (when performed correctly) you're looking at the right requirements in totality. I would advise you that your rewrite your internal audit procedure to be structured around the MDSAP model and grading. Major/Minor has lots of room for ambiguity where as MDSAP is going to give you a number with a methodology to get there. More easily defendable in my opinion and the congruency with MDSAP is just useful.

Let me know if you need any other help.
 

primavesvera

Involved In Discussions
I know I am a bit late, but I had a similar situation with our CE audit - we have our internal audit checklist based on ISO 13485, but we didn't add the specific requirements from the Medical Device Directive Annex.
So, re-adjusting the internal audit checklist with a couple of requirements was deemed as sufficient.
 

LUFAN

Quite Involved in Discussions
I know I am a bit late, but I had a similar situation with our CE audit - we have our internal audit checklist based on ISO 13485, but we didn't add the specific requirements from the Medical Device Directive Annex.
So, re-adjusting the internal audit checklist with a couple of requirements was deemed as sufficient.

Yep, if you're claiming you are auditing to a scope that includes ABC (13485) and 123 (21CFR820/MDD/MDSAP, etc.), you better make sure ABC and 123 are looked at.
 

levatorsuperioris

Involved In Discussions
the MDSAP is the best (IMO) internal audit structure since the consortium declared that each specific question gave a sufficient evaluation of the linked required tasks...there can be no questioning if you follow the process that you meet ISO 13485, 21 CFR, ANVISA, CMDR, TGA MHLW etc... add the MDD on top of that and you have most countries covered, add the MDR annexes and you are good to go further past 2021 May 26th, you don't need to conform to the MDD after 26th May but instead the MDR annex that deals with the transition period.
 

gabe2jadyn

Involved In Discussions
We need to revise our Supplier Facility Audit Checklist against ISO 13485:2016 and CMDR. Is there any kind of template that is available? Thank you -
 
Top Bottom