Informational MDSAP Audit Findings - Document change orders

[XRAY_3121]

I could really use some help from everyone on some audit findings. The first one is on document change orders. We were unable to produce all of the records requested (because the person responsible didn't complete them). They requested 3 DCO's and we only had 1. Yet this was marked as a major. We do have a process in place which was reflected in both written procedure, form, and the record produced. It's an initial audit and not a repeated finding. It doesn't to me directly impact quality of the product, can I argue this or do I not have a valid point?

 

[yodon]

Are you wanting to argue that it's not a major? Clearly you had nonconformities. Based on the auditor's sampling (3 records), 2 were nonconforming. Would probably be reasonable for an auditor to conclude it's systemic. Maybe some of the auditing experts can weigh in on whether they agree it's major or not.

 

[XRAY_3121]

Oh yes systemic and we had problems no doubt. But it's still not repeat offense and indirect on QMS which is why MDSAP grade of 1. I'm wondering why a major on ISO. I have friend in notified body that thinks it is a minor. But I'm also looking for insight from other experts.

 

[shimonv]

I don't have the current version of ISO 17021, but from what I see in section 9.1.15(b) a major means:

1) failure to fulfil one or more requirements of the management system standard, or

2) a situation that raises significant doubt about the ability of the client's management system to achieve its intended outputs;

If I may speculate... the reason you got a major and not a minor is the auditor's lack of confidence in the QMS. It's difficult to argue against that and saying that it doesn't directly effect the quality of the product won't help you, and you can't prove it.
If you should appeal, aim to regain his confidence in your process.

I hope it makes sense.

Shimon

 

[XRAY_3121]

Thanks Shimon.

 

[Watchcat]

It seems to me that you do not have a process in place, or the person responsible for the process would have in fact completed all the records.

Uncontrolled changes to documents can definitely affect the quality of the product in the narrow sense (whether it continues to meet lot release criteria) and in the broader sense (whether it remains safe and effective for its intended use).

I do not think major vs minor should have anything to do with whether it is a first, second, or third offense, but should reflect the risk it represents, not to the manufacturer, but to patients. What MDSAP auditors think, I cannot say.

 

[myusoffice]

First of all, MDSAP grading is calculated automatically. Grade 1-3 considered as minor non-conformity in general sense. However, this can easily turn into grade 4-5 if repeated. You should really be worried if your NC grade is above 3. Although it is present on the MDSAP NC grading exchange form, the grade per ISO/IEC 17021-1 is not used by Regulatory Authorities participating in MDSAP. The auditing organization may be required to grade the nonconformity as major or minor per ISO/IEC 17021-1 to satisfy the needs of certification schemes other than MDSAP. If you are only getting audited per MDSAP scope, you can politely ask the auditor for an explanation behind grading that as a Major. If the auditor is not asking any additional rigor or corrective action other than what would require for MDSAP grade 1, I wouldn't challenge the auditor other than just asking for an explanation. Hope this helps.

 

[Watchcat]

What does "automatically" mean? AI?

 

[Jean_B]

Showing it from a training slide to help others out. There are similar slides available from multiple sources. This is the general information.

Depending on the clause the auditor must/chooses to write it up against it will be either considered indirect or direct (though the simplistic choice on this construction has been disputed, this is still the current state).
They must then verify whether in the past there were findings against the same clause (at the specific clause number level, though not at the itemized list level). To note: for us the recurrence was drawn from the two most recent (though non-MDSAP) ISO audits by the same certifying body. I think this one can get confusing depending on schemes, bodies etc, but simply count back 2 years.
You can get an additional increase to the grade for the absence of mandatory procedures and for the release of non-conforming product to the field (note that release under concessions, if done well, do not count as such).

Three or more grade 4's, or one or more grade 5's will result in expedited notification of relevant authorities. Any number of grade 4's already cuts down on the time you have to respond.

ISO is a different scheme, so to obtain ISO certification, relevant non-conformities will be graded minor or major as well (when they are written out against an ISO 13485 clause). We did not experience a write-up solely against an MDSAP step with only a regional requirement, but most auditors will default to a (distantly) related ISO 13485 clause anyway.

MDSAP has tighter timelines than ISO, counted in days (not work or weekdays). So tight that you should plan to:

1. initiate CAPA's the day after the audit,
2. and ensure you have the key personnel available for 3 months after the audit to implement.
3. for grade 4's or higher to complete root cause analysis and action planning within 15 days (again days, not work or weekdays).
4. complete implementation of grade 4's or higher within 30 days (to be doubly certain days, not work or weekdays).
5. complete minors in the time that you used to prioritize only to majors.
6. Luckily verification can extend beyond the period.

We went through it and this approach gave peace of mind, but might take a toll on your workforce (MDSAP don't care about school vacation or holidays).

I still believe that as truly critical NC's require real effort that cannot be compressed within a month, MDSAP will (for a period of time) result in some fake solutions within 30 days, and hopefully real solutions outside of it out of fear for the next time. But it is still odd to play it like that from the regulator's standpoint.

 

[Watchcat]

"initiate CAPA's the day after the audit"

Nice to know that actions taken to address deficiencies critical to patient safety will be carefully thought through and not just slapped together.