Title: Guidance for Regulatory Authority Assessors on the Method of Assessment for MDSAP Auditing Organizations

Document No.: MDSAP AS P0034.001
Version Date: 2019-05-24
Effective Date: 2019-05-24
Project Manager: Kimberly LewandowskiWalker, USFDA

Table of Contents
1. Introduction
2. Background
3. Authorities/Responsibilities
4. Definitions
5. Policy
6. Annex 1 - Sample Assessment Plan
7. Annex 2 - Threats to Impartiality Linked to Consultancy
8. Forms
9. Reference Documents
10. Document History
Approval Sign-Off Sheet

1. Introduction
This document provides updated guidance for assessments of Auditing Organizations that was originally presented in IMDRF/MDSAP WG/N5 "Regulatory Authority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations" and IMDRF/MDSAP WG/N8 "Guidance for Regulatory Authority Assessors on the Method of Assessment for MDSAP Auditing Organizations".
2. Background
IMDRF developed MDSAP to encourage and support global convergence of regulatory systems, where possible. It seeks to strike a balance between the responsibilities of Regulatory Authorities to safeguard the health of their citizens as well as their obligations to avoid placing unnecessary burdens upon Auditing Organizations or the regulated industry. IMDRF Regulatory Authorities may add additional requirements beyond this document when their legislation requires such additions.
3. Authorities/Responsibilities
Regulatory Authority Assessors: Responsible for utilizing this document as guidance when performing assessments of Auditing Organizations seeking authorization under the MDSAP, and when performing re-recognition and surveillance assessments of MDSAP-recognized Auditing Organizations.
Assessment Program Managers: Responsible for communicating the availability of this guidance to assessors prior to performing the assessment.
Uncontrolled when printed: For the most current copy, contact MDSAP@fda.hhs.gov

4. Definitions
Assessment: To prevent confusion between audits of manufacturers performed by auditors within an Auditing Organization and audits of Auditing Organizations performed by medical device Regulatory Authority assessors, in this document, the latter are designated as "assessments."

Audit: A systematic, independent, and documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which specified requirements are fulfilled. (ISO 17000:2004)

Auditing Organization: An organization that audits a medical device manufacturer for conformity with quality management system requirements and other medical device regulatory requirements. An Auditing Organization may be an independent organization or a Regulatory Authority that performs regulatory audits.

Regulatory Authority: A government body or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and that may take enforcement action to ensure that medical products marketed within its jurisdiction comply with legal requirements. (GHTF/SG1/N78:2012)

5. Policy

Assessment Cycle and Assessment Program
This document defines a consistent Assessment Cycle and Assessment Program for Regulatory Authorities to assess Auditing Organizations for recognition and for the maintenance of recognition through monitoring activities. A key element is to ensure consistency in the Assessment Program implementation, regardless of the designated assessment team and the Auditing Organization.
ISO 17011:2005 allows for an Assessment Program with the maximum of a 5-year cycle. For the regulated medical device sector an Auditing Organization Assessment Program should follow a 3 or 4-year cycle. Regardless of whether a 3 or 4-year cycle is chosen, the Assessment Program described in this document makes provision for additional Special Assessments, if required, to provide confidence in a recognition decision. The recognizing Regulatory Authority should assess the resources required for a 3- or 4-year cycle, considering assessor personnel, assessment management, travel budgets etc., before committing to a particular cycle length for their Assessment Program. A 4-year cycle is illustrated in Figure 1.

Figure 1: 4-year Assessment Cycle (Year 0: Initial Assessment; Year 1: Surveillance Assessment #1; Year 2: Surveillance Assessment #2; Year 3: Surveillance Assessment #3; Year 4: Re-Recognition Assessment)

The Assessment Cycle includes an Initial Assessment, annual Surveillance Assessments, and a Re-recognition Assessment. Figure 2 identifies the different assessment activities within each aspect of the Assessment Program.

Figure 2: Assessment Program with Assessment Activities through the Assessment Cycle
Assessment activities by assessment:
Initial Assessment: Application Review; Stage 1 Assessment Including Documentation Review; Stage 2 On-Site Assessment (Head Office); Witnessed Audits; On-Site Assessment of Critical Locations (as necessary)
Surveillance Assessment: Surveillance On-Site Assessment (Head Office); Witnessed Audits; On-Site Assessment of Critical Locations (as necessary)
Re-Recognition Assessment: Stage 1 Assessment including Documentation Review for Changes; Re-Recognition On-Site Assessment (Head Office); Witnessed Audits; On-Site Assessment of Critical Locations (as necessary)

The application of the Assessment Program may be modified as needed, for example with additional Special Assessments, to take into account information collected throughout the Assessment Cycle of a particular Auditing Organization.
Regulatory Authority assessment planning should consider:
• Past performance of the Auditing Organization including the previous assessment and identified nonconformities;
• A review of documentation for any significant changes at the Auditing Organization including those necessary to account for any changes in the recognizing regulatory program or requirements;
• The key procedures of the Auditing Organization; and,
• A selection of medical device manufacturer client files, where possible, that may be identified by the report of adverse events, compliance issues, and other regulatory signals.

Assessment Program Roles and Responsibilities
The key roles and responsibilities in the Assessment Program are as follows:
Assessment team including, as necessary, an assessment team leader and assessor(s):
• Performs the assessment activity, according to the Assessment Program;
• Provides a recommendation relative to the recognition status of the Auditing Organization;
• Makes recommendations for changes to or adjustments to the application of the Assessment Program for specific Auditing Organizations, as necessary;
• Makes recommendations for critical location assessments and witnessed audits; and,
• Reviews and approves the Auditing Organization's response to assessment findings.

Assessment Program Manager:
• Interfaces with the Auditing Organization to collect the application and associated information, communicate outcome of assessment activities;
• Drafts, maintains and updates an Assessment Program for each Auditing Organization;
• Ensures the assessment activities are planned and implemented according to the Assessment Program;
• Assigns the assessment team members, specifies their role, and provides them with necessary information for the assessment activity; and,
• Reviews assessment outcomes, performs quality checks of the assessment activities, and prepares a final assessment outcome recommendation.

Note: if the recognizing Regulatory Authority chooses to have more than one Assessment Program Manager, an Assessment Program Manager may not act as an assessor for an Auditing Organization for which he/she manages the Assessment Program, in order to remain independent from the outcome of the assessment activities.

Recognizing function within the Regulatory Authority:
• Approves application of the Assessment Program to an Auditing Organization; and,
• Makes recognition decisions.

Purpose of Assessments within the Assessment Program
The purpose of the Initial Assessment includes the following:
• Define an individual Assessment Program plan for the particular Auditing Organization; and,
• Assessment of the compliance of the particular Auditing Organization's management system to all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to recognize the Auditing Organization.

The purpose of the Surveillance Assessment includes maintaining confidence that the Auditing Organization continues to fulfill the regulatory requirements including IMDRF MDSAP WG N3 and N4 documents between re-recognition assessments.

The purpose of the Re-recognition Assessment includes the assessment of the continued compliance of the Auditing Organization's management system to satisfy all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents, in order to enable the recognizing Regulatory Authority to make a decision on whether to renew the recognition of the Auditing Organization.
Assessment Activities throughout the Assessment Cycle
Application Review
Before proceeding with the assessment of the Auditing Organization, the recognizing Regulatory Authority shall conduct a review of the application and related information to ensure that the information about the Auditing Organization and its management system is sufficient for the conduct of the assessment.

Stage 1 Assessment
The Stage 1 Assessment shall be performed to:
• Review the Auditing Organization's management system documentation to confirm that it covers all regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
• Evaluate the Auditing Organization's understanding of regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
• Collect information necessary to define the scope of recognition;
• Identify the Auditing Organization's locations and site-specific conditions;
• Evaluate if the Auditing Organization has planned and/or performed internal audits and management reviews;
• Gain sufficient understanding of the Auditing Organization's structure, operations, and management system to define the individual Assessment Program plan;
• Evaluate the preparedness of the Auditing Organization to submit to the Stage 2 On-Site Assessment; and,
• Review the need for specific resources during the Stage 2 On-Site Assessment.

A recognizing Regulatory Authority may carry out part of the Stage 1 Assessment at the Auditing Organization's head office.

Stage 1 Assessment findings shall be documented and communicated to the Auditing Organization, including the identification of any areas of concern that could be classified as a nonconformity during the Stage 2 On-Site Assessment.

Stage 2 On-Site Assessment
The Stage 2 On-Site Assessment is to evaluate the implementation, including effectiveness, of the Auditing Organization's management system.
The Stage 2 On-Site Assessment shall take place at the Auditing Organization's head office. It shall include at least the following:
• Evaluate the conformity of the Auditing Organization's management system documentation to meet all the regulatory requirements including IMDRF MDSAP WG N3 and N4 documents;
• Evaluate the evidence of implementation, monitoring, measuring, reporting and reviewing by the Auditing Organization of its activities against policies, procedures and objectives from its management system (consistent with the expectations for recognition);
• Review the operational controls of the Auditing Organization's processes, including when implemented by external resources;
• Confirm that the Auditing Organization conducted internal audits and management reviews; and,
• Confirm the competence of the Auditing Organization and the resources available necessary to fulfill the obligations for the scope of recognition.

Witnessed Audits
The recognizing Regulatory Authority shall observe the performance of the Auditing Organization during an audit of a medical device manufacturer during the Assessment Cycle.
The purpose of witnessed audits is to verify the performance of an Auditing Organization with regard to:
• Conformity of the practices to the requirements of section 9 of IMDRF MDSAP WG document N3;
• Ability of the Auditing Organization to determine the conformity of medical device manufacturers to regulatory requirements;
• Ability of the Auditing Organization to reliably report on the audit findings including the nonconformities; and,
• Ability of the Auditing Organization to select audit teams with the necessary competence.

The recognizing Regulatory Authority shall select the audits to observe and inform the Auditing Organization. The recognizing Regulatory Authority shall make an attempt to perform Witnessed Audits across a variety of different medical device manufacturers.

When selecting an Audit to observe, the following factors should be considered:
• The classification of the devices manufactured;
• The type of audit being conducted, either initial or re-certification audit;
• Geographical location of the audit;
• The identity of the auditors assigned;
• Manufacturing processes and technology being used; and,
• Known problems with the manufacturer being audited or their devices that have been identified from adverse events, post-market surveillance data, etc.

Prior to performing the Witnessed Audit, the Auditing Organization shall provide to the recognizing Regulatory Authority the following information:
• Medical device manufacturer contact information;
• Medical device manufacturer's quality manual and if requested, other documents;
• Scope for which the medical device manufacturer is being audited;
• Previous audit report(s) of the medical device manufacturer;
• Status of nonconformities identified during previous audits;
• Composition of the audit team, including the rationale for their selection;
• Copy of the information provided by the Auditing Organization to the audit team for planning the audit;
• Rationale for the audit's duration; and,
• Audit plan.

During the Witnessed Audit, the assessors shall refrain from interfering with or influencing the conduct and conclusion of the audit. There should be no direct communication between the assessor and the audited medical device manufacturers. Any communication between the assessor and the auditing team regarding the audit should occur after the conclusion of the audit.

Witnessed audit findings shall be documented and communicated to the Auditing Organization after the review of the audit report by the assessment team.

On-Site Assessment at Critical Locations of the Auditing Organization
When any of the critical functions listed below are undertaken at locations other than the head office, including by external organizations, the recognizing Regulatory Authority shall consider the performance of an assessment at such critical locations throughout the assessment cycle.
Critical functions include:
• The development and approval of the management system policies, processes, and procedures for the audit of medical device manufacturers under the recognition program;
• The review and acceptance of applications from medical device manufacturers and the issuance of contracts, including the determination of the scope and duration of the audit;
• The assignment of audit teams;
• The technical review of audit reports;
• Competence management activities that apply to auditors, technical experts, and final reviewers; and,
• The management, monitoring, and oversight by the Auditing Organization of the medical device audit program.

On-Site Assessment of Critical Locations is performed to:
• Review the relationship between the head office of the Auditing Organization and the Critical Location;
• Review, if applicable, the arrangements between the head office of the Auditing Organization and the Critical Location;
• Evaluate the management system operated at the Critical Location to satisfy the requirements of the Auditing Organization;
• Evaluate the conformity of the activities undertaken by the Critical Location on behalf of the Auditing Organization to the requirements of the Auditing Organization's management system or to the arrangements between the head office of the Auditing Organization and the Critical Location;
• Evaluate the conformity of activities undertaken by the Critical Location on behalf of the Auditing Organization to the corresponding regulatory requirements including IMDRF MDSAP WG N3 and N4 documents; and,
• Evaluate the controls in place at the Critical Location that would enable the Auditing Organization to monitor the activities at that location.

Surveillance On-Site Assessment
The Surveillance On-Site Assessment is to evaluate the implementation, including effectiveness, of the Auditing Organization's management system.
The Surveillance On-Site Assessment shall take place at the Auditing Organization's head office. It shall include at least the following:
• Review of internal audits and management review;
• Review of Competence Management activities;
• Review of actions taken on nonconformities identified during the previous audit;
• Treatment of complaints and appeals;
• Evaluation of the effectiveness of the management system with regard to achieving the Auditing Organization's objectives as it relates to the scope of recognition;
• Evaluate records of audit and decision on conformity of medical device manufacturer to regulatory requirements;
• Evaluate continuing operational control; and,
• Review any changes.
Surveillance On-Site Assessment shall be conducted annually at the anniversary date of the Stage 2 Assessment, with a tolerance of +/- 3 months.
It is recommended that the recognizing Regulatory Authority, as part of the assessment planning and preparation, reviews a sample of audit reports made available by the Auditing Organization.

Re-Recognition On-Site Assessment
The Re-Recognition On-Site Assessment shall consider the performance of the Auditing Organization's management system over the period of recognition and include the review of assessment reports from the last assessment cycle.
The Re-Recognition On-Site Assessment may need to have a Stage 1 Assessment in situations where there have been significant changes to the Auditing Organization, its management system, or of the requirements from the recognizing Regulatory Authority.

The Re-Recognition On-Site Assessment shall include the following:
• Evaluate the effectiveness of the Auditing Organization's management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of recognition;
• Confirm the continued conformity of the Auditing Organization's management system to regulatory requirements including IMDRF MDSAP WG N3 and N4 documents; and,
• Confirm the commitment of the Auditing Organization to maintain the effectiveness of the management system.

Special Assessments
A Special Assessment is in addition to other assessment activities defined in the typical assessment cycle. A Special Assessment may be triggered by:
• The Auditing Organization requesting a change of the scope of recognition or following a notice of change potentially affecting the result of prior assessments;
• The recognizing Regulatory Authority based on signals indicating concerns with regards to the Auditing Organization's activities; or,
• The results of previous regulatory assessment activities.

Navigating the Assessment
The goal of an assessment is to ensure Auditing Organizations make decisions that provide confidence in the conformity of medical devices to regulatory requirements when placed on the market.
Each process will require the assessment team to accomplish assessment tasks to determine if the process outcomes and the process purpose are achieved and the corresponding risks appropriately addressed. Within the description of the assessment tasks, there are references to the applicable clause(s) of the ISO/IEC 17021:2015 standard and to the clauses of the IMDRF/MDSAP WG/N3 and N4 documents. If the clause is listed without subclauses, then all subclauses apply to the task. For example, if the applicable clause for a task is listed as IMDRF/MDSAP WG/N3: 6.1, then all subclauses of 6.1 (6.1.1, 6.1.2, etc.) apply to the task. If specific subclauses are listed for a task (for example, IMDRF/MDSAP WG/N3: 10.1.1), then the entire clause 10.1 may not apply to a particular task, only specific subclauses. These references have been provided to assist the assessors in assuring all the requirements are addressed during the assessments. The referenced clauses are not intended to be an all-inclusive list of clauses that may apply to a given task but are intended to guide the assessor to specific clauses that are most directly applicable.

During the assessment, it is important that the assessors are mindful of any instances where the Auditing Organization demonstrates failure to fulfil any of the defined requirements listed in the assessment tasks, and that these nonconformities are recorded in appropriate detail.

Particular attention should be paid to the potential interrelationship of the nonconformities. For example, assessment nonconformities in both the Audit and Decisions process and the Competence Management process may in combination be significant since the planning of medical device manufacturer audits, the assignment of competent auditors and the systematic characterization of the decision making, are essential for determining a medical device manufacturer's conformity to regulatory requirements.

This document makes use of electronic cross-references. In instances where tasks are linked, an electronic cross-reference has been embedded. Simply use Ctrl-click to access the task cross-reference when needed.

Process: Management
Purpose
The purpose of assessing the Management process is to verify that top management ensures that an adequate and effective quality management system has been established and maintained by the Auditing Organization for the control of all activities related to the audit and the decisions on conformity of medical device manufacturers to regulatory requirements. The assessment should conclude with a reflection on the Management process in order to confirm the commitment of top management and the effective implementation of the Auditing Organization's management system.
Outcomes
As a result of the assessment of the Management process, objective evidence will show whether the Auditing Organization has:
A) Identified processes needed for their management system, their application throughout the organization, and their sequence and interaction.
B) Established a management system to support the effective auditing of medical device manufacturers and decisions with regard to the manufacturers': 1) conformity to regulatory requirements; and, 2) ability to ensure adherence with legal and contractual requirements and other requirements to which the organization is committed.
C) Established quality objectives at relevant functions and levels within the organization consistent with the quality policy and ensured that these are periodically reviewed for continued suitability.
D) Committed sufficient resources and competent personnel.
E) Assigned responsibility and authority to personnel and established the organizational structure to ensure quality is not compromised.
F) Defined, documented, and implemented procedures for the control of impartiality, the protection of confidential information, and the transparency with regards to auditing and decisions.
G) Ensured the continued effectiveness of the management system and its processes.

Risks relative to this process

The failure of the management process poses the following risks:
• Lack of consistency in the Auditing Organization's practices;
• Lack of impartiality of the auditors and staff involved in the auditing and decision activities;
• Lack of competency of the auditors and staff involved in the auditing and decision activities;
• Lack of reliability in the audits;
• Lack of credibility of the decision; and/or,
• Lack of proper communication with the recognizing Regulatory Authorities, preventing the implementation of targeted enforcement actions towards delinquent medical device manufacturers.

Assessment Tasks

Task 1
• Review the documentation on legal responsibility, liability, and financing.
• Verify the eligibility as a candidate Auditing Organization.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 5.1.1, 5.3
IMDRF/MDSAP WG/N3 clauses: 5.1.1, 5.1.2, 5.1.3, 5.3

• Legal entity
Guidance
It is important that the assessment team accurately understands the structure of the legal entity to which the Auditing Organization belongs. It is especially important in complex cases such as an Auditing Organization belonging to a larger group, where the delineation of the legal entities within the group may influence impartiality, ability to enter into contractual arrangements, and the use of external resources.

The types of legal entities and the meaning of registration of the legal entity may vary due to regional or country-specific laws and regulations.

The applicant must clearly delineate the perimeter of the legal entity, and establish a specific address, where the management responsible for the MDSAP recognition program is employed by that legal entity. (See IMDRF/MDSAP WG/N29)

Typical evidence
Information regarding the legal entity to which the Auditing Organization belongs, its organizational structure, ownership, and the legal or natural persons exercising control over the entity. The information would include documentation made publicly available by the Auditing Organization (for example website or promotional documentation), official documents (such as a record of business registration or certificate of insurance policy), or other internal documents.

• Financial stability
Guidance
The assessors should verify that the Auditing Organization has sufficient resources to support its operations and enable it to fulfill recognition criteria.
Analysis of income sources is also important to assess independence from other entities.
The Auditing Organization's business should be sufficiently diversified so that the loss of a single client does not seriously jeopardize its financial stability or compromise impartiality.

Typical evidence
Annual report, fee structure, etc.

• Liability insurance
Guidance
The Auditing Organization must provide evidence as to the method used to evaluate the risks from its activities and utilized to determine the insurance level.
Regulatory Authority assessors should ensure that the elements listed in the requirements are documented, including:
- Geographic regions included in the coverage;
- Profile of risk for the range of medical devices that are subject to audit; and
- Scope of activities undertaken for medical device regulatory audits.

Where an Auditing Organization claims that their liability is insured through arrangements with a related legal entity, the Auditing Organization should document how those arrangements fulfill the elements of the requirement identified above.

Typical evidence
Documentation of the risk assessment, records of information provided to the insurer, certificate of insurance.

• Eligibility
Guidance
Although an on-site assessment is unlikely to reveal legal judgments against the Auditing Organization, the assessment team should still inquire about the Auditing Organization's history with respect to these matters.

Typical evidence
Verbal confirmation.

Task 2
• Verify that a quality manual and the required management system documentation have been defined and documented.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.1, 10.2.1, 10.2.2
IMDRF/MDSAP WG/N3 clauses: 10.1.1

Guidance
Most Auditing Organizations offer a broad range of management system certification services, beyond the medical device regulatory audit scheme. The assessor should verify that the Auditing Organization's management system clearly identifies elements applicable to the medical device regulatory audit scheme.

The Auditing Organization's management system documentation should state the documents or requirements to which the Auditing Organization claims compliance, including regulations, standards, and directives. The Auditing Organization's management system must specify whether it satisfies option 1 or 2 of ISO/IEC 17021-1:2015 section 10.1.

The Auditing Organization's management system should be appropriate to the nature and scale of its auditing activities. The management system should be capable of supporting and ensuring consistent compliance with the requirements applicable to the audit and certification program for medical devices.

Typical evidence Quality manual and a list of related documentation on the implementation, maintenance and operation of a quality management system, which would fulfill the requirements of IMDRF MDSAP documents N3 and N4.

Task 3
- Verify that a quality policy and objectives have been set at relevant functions and levels within the organization.
- Ensure the quality objectives are measurable and consistent with the quality policy.
- Confirm appropriate measures are taken to achieve the quality objectives.

Applicable requirements ISO/IEC 17021-1:2015 clauses: 10.2.1 IMDRF/MDSAP WG/N3 clauses: 10.1.3

Guidance While the term "quality policy" is not explicitly used in ISO/IEC 17021-1:2015 or IMDRF/MDSAP WG/N3, the Auditing Organization's top management should express its overall intentions and direction related to the fulfilment of the requirements of the medical device regulatory audit scheme.
The assessor should verify that the Auditing Organization's top management ensures that the quality policy, like other management system policies, is communicated and understood at all levels of the organization.
The assessor should verify that the Auditing Organization bases quality objectives on parameters that are critical to the conformity to requirements of the medical device regulatory audit scheme. Quality objectives relate to indicators that are critical to the ability of the Auditing Organization to conduct planned medical device regulatory audits and make informed decisions (for example: maintaining access to sufficient numbers of competent auditors and technical experts to fulfill audit obligations; and to auditors qualified for a technical area/product related to the number of audits in this technical area, etc.).

A quality objective should be expressed as a measurable target or goal in order to feed back into the management system to ensure effective implementation.

Typical evidence Documented policy and objectives, which may include such things as: number of audit reports delivered on time, timely post audit decisions on the manufacturer's regulatory conformity that are made within a specified time after the audit, timely investigation and closure of complaints.

Task 4
- Review the Auditing Organization's organizational structure and related documents to verify that they include provisions for responsibilities and authorities. This must include the identification of functions responsible for:
  o the overall program;
  o the timely exchange of information with regulatory authorities;
  o ensuring that quality management system requirements are effectively established and maintained; and
  o reporting to top management on the performance of the quality management system and on any need for improvement.

Applicable requirements ISO/IEC 17021-1:2015 clauses: 6.1, 7.2.3, 10.2.1 IMDRF/MDSAP WG/N3 clauses: 6.1, 7.1.4, 8.6.1

 Organizational structure Guidance The assessor should verify that the Auditing Organization has documented its organizational structure to identify the different positions or roles, their responsibilities and authorities and the inter-relationships between them. It is important for the assessors to not only understand the internal organizational structure of the Auditing Organization, but also how the organization interacts with external resources.
 Top management Guidance As part of the organizational structure review, the assessor should identify the job functions among the Auditing Organization's top management that are responsible for:
- Implementation and reporting on the performance of the management system;
- Performance of audits;
- Decisions on conformity to regulatory requirements;
- Establishment of the contract with the medical device manufacturer and external resources;
- Responding to and investigating complaints;
- Timely exchange of information with regulatory authorities.

Top management has other responsibilities that will be assessed through other assessment tasks.

The Auditing Organization should ensure that the remuneration of top management does not depend on the result of audits. Otherwise this would affect the impartiality of the Auditing Organization.

Typical evidence Organizational chart, job description, management system procedures, etc.

 Responsibility and authority Guidance The Auditing Organization must make clear to each person concerned their duties, responsibilities and authorities. Assessors should review the Auditing Organization's organizational structure and related documents to verify that they include provisions for responsibilities and authorities. This must include the identification of functions responsible for: the overall program; the timely exchange of information with regulatory authorities; and, ensuring that quality management system requirements are effectively established and maintained.

The Auditing Organization may document responsibilities and authorities for each individual involved in the audit and decision process in different ways including job descriptions, process descriptions, procedures, or individual assignments, project plans, etc.

For purposes of MDSAP recognition in accordance with IMDRF/MDSAP WG/N11, the applicant for recognition as an Auditing Organization is deemed to be the legal entity and is where the management responsible for the MDSAP recognition program is employed.

The management for the MDSAP program is directly responsible for, manages, and retains authority for the following:

- Establishment of the contract with the medical device manufacturer (including the requirements of N3 - 5.1.4, 5.1.5);
- Identification of competence requirements for any internal or external auditor or technical expert to perform specific activities (N3 - 7.5.1); and,
- Final review and decision-making on conformity to regulatory requirements (N3 - 7.5.1).

These listed activities cannot be delegated outside of the applicant's legal entity, even to a related organization or a subsidiary. Under the MDSAP recognition program, these related organizations or subsidiaries are regarded as separate legal entities.

(See IMDRF/MDSAP WG/N4.)

Link with other assessment tasks The organizational structure may be influenced by the definition of the Auditing Organization's legal entity (see Management Task 1).

Task 5  Verify that the Auditing Organization has analyzed the adequacy of the set of auditors (including technical experts and team leaders) and personnel to cover all of its activities and to handle the volume of audit work.

Applicable requirements ISO/IEC 17021-1:2015 clauses: 7.2.1, 7.2.2 IMDRF/MDSAP WG/N3 clauses: 6.1.2

Guidance The assessor should verify that the Auditing Organization periodically analyses the needs of the audit program with regard to the number and scope of competence of personnel, taking into account the current number and profile of audited medical device manufacturers and expected changes, the evolution of auditing practices/requirements, identified issues necessitating additional resources/competence/expertise, the geographic location of their resources and clients, the time it takes to acquire new competence (in nature or volume), etc.

This analysis is important to ensure the continuity of the Auditing Organization's ability to provide auditing and certification services within the scope of recognition.

Indicators of inadequate number of auditors and personnel may include:
- Overdue audits
- Shortened audit time as compared to the planned arrangements
- Assignment of auditor with inadequate competence
- Delay in the delivery of final reports
- Delay in the issuance of certification documents

Typical evidence Analysis report

Task 6  Verify that the Auditing Organization has defined and implemented procedures for the management of impartiality.

Applicable requirements ISO/IEC 17021-1:2015 clauses: 5.2 IMDRF/MDSAP WG/N3 clauses: 5.2, 7.1.6 IMDRF/MDSAP WG/N4 clauses: 10.0

 Sources of threats to impartiality Guidance The Auditing Organization must ensure that their decisions are based on objective evidence of conformity obtained during the certification/audit activities and are not influenced by other interests or parties.
The assessor should verify that the impartiality and independence of the Auditing Organization is established at all levels via:
- Structure of the organization and its relationship with superior (parent), peer or subordinate (sister) organisations;
- The relationship of individuals involved in audit and decision related activities, including top management;
- Policies, processes and procedures on audit and decision related activities.
Threats to impartiality may come from a large number of sources, including:
- Additional services offered, or other activities and interests of the Auditing Organization;
- The activities or personal interests of the individuals involved in the audit and decision processes, including external auditors and external technical experts;
- The activities of other organizations with whom the Auditing Organization has a relationship;
- The Auditing Organization's own processes, if they don't properly enable the Auditing Organization to identify and mitigate actual conflict of interest or prevent potential conflict of interest;
- The influence that an audited manufacturer may have on the Auditing Organization;
- The influence that other external stakeholders (for example large tenders, epidemics, shortages) may have on the Auditing Organization.
- The remuneration of personnel involved in the audit activities shall not depend on the number or the results of assessments carried out.
- Ownership of the organisation (e.g. clients being owners or co-owners);
- Influence on the direction of the organisation (e.g. clients being represented on the board).

Typical evidence On remuneration: Income or performance targets, performance reviews, contracts

 Threats to impartiality from consultancy services Guidance In accordance with IMDRF/MDSAP WG/N3, an Auditing Organization shall not offer or provide any consultancy services to the manufacturer, his authorized representative, a supplier or a commercial competitor as regards to the design, manufacture or construction, marketing, installation, use or maintenance of the product or processes being audited.
A significant threat to the Auditing Organization's impartiality comes from the self-review threat arising from the incompatibility of the provision of management system auditing and consultancy services, even if the consultancy services are provided by a separate department or even a legally independent entity of the same group of enterprises. In the context of medical device regulatory audits, medical device regulatory consultancy cannot be offered by the same legal entity providing auditing services.
Consultancy includes:
- Quality management system (or good manufacturing practices);
- Device marketing authorization and facility registration;
- Medical device adverse events and advisory notices reporting; and
- Company or product specific training.
EXAMPLES:
a) Preparing the documentation, or part of it, to be submitted for a marketing authorization (such as device license application file, premarketing notification file, premarket approval submission file, technical documentation, design dossier, etc.), with the exception of the testing reports per recognized standard or a specific pre-established protocol.
b) Giving specific advice, instructions or solutions towards the resolution of quality management system deficiencies identified by a regulatory authority during an inspection.
c) Preparing or producing QMS manuals or procedures;
d) Giving specific advice, instructions or solutions towards the development and implementation of a management system; and
e) Acting as Clinical Research Organization for the preparation of a clinical research protocol.

COUNTER-EXAMPLES:
a) Testing or calibrating a device or calibrating equipment and issuing the corresponding report per a recognized standard or a specific pre-established protocol, as long as the organization does not provide any specific advice, instructions or solutions addressing the deficiencies detected by the testing or calibration.
b) Offering mock audits, pre-assessment audits or gap-audit, according to the requirements of an initial audit, including an audit report. The Auditing Organization cannot give advice or recommendations on how to address nonconformities, observations and gaps; and the manufacturer does not use the audit in lieu of an internal audit. In addition, any nonconformity resulting from such an audit must be included when grading nonconformities identified during the initial audit (see IMDRF/MDSAP WG/N3 item 9.2.5);
c) Acting as a clinical research organization implementing clinical research developed by the manufacturer.
d) Arranging training and participating as a trainer or exchanging technical or regulatory information is not considered consultancy, provided that, where the course or exchanged information relates to management systems; other medical device technical or regulatory requirements; or auditing, it is confined to the provision of generic information that does not provide company-specific solutions.

Any reference in ISO/IEC 17021-1:2015 and IMDRF/MDSAP WG/N3 to management system consultancy is to be interpreted as medical device regulatory consultancy.

(See Annex 2 for additional interpretation of the requirements of ISO/IEC 17021-1:2015 and IMDRF/MDSAP WG/N3.)

Typical evidence Organizational structure, website, advertisements, contractual agreements with external resources.

Link with other assessment tasks See also Measurement, Analysis and Improvement
Purpose

The purpose of the Measurement, Analysis and Improvement process is to verify that:
- Information relative to the audits, competence of the auditors, decisions on conformity to regulatory requirements, and the Auditing Organization's management system is collected;
- This information is analysed to identify actual and potential nonconformities;
- Actual and potential nonconformities are investigated; and,
- Effective corrections and corrective actions are taken, as appropriate.

If trends in the information collected above are unfavourable and nonconformities are observed during the assessment, then this information can be used to select:
- Auditor qualification files to review during the assessment of the Competence Management process;
- Medical device manufacturer files; and,
- Agreement and monitoring records during the assessment of the Use of External Resources process.

Outcomes

As a result of the assessment of the Measurement, Analysis and Improvement process, objective evidence will show whether the Auditing Organization has:
A) Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the ISO/IEC 17021-1:2015 standard and the IMDRF/MDSAP WG/N3 and N4 documents;
B) Identified, analysed, and monitored appropriate sources of quality data including internal audits, external assessments, and complaints, to identify actual and potential nonconformities;
C) Investigated actual and potential nonconformities;
D) Implemented corrections, corrective actions and preventive actions, as appropriate; and,
E) Reviewed the effectiveness of such actions.

Risks relative to this process

The failure of the Measurement, Analysis and Improvement process poses the following risks:
- Lack of assurance in the Auditing Organization's ability to identify and remediate nonconformities and potential nonconformities as necessary; and/or,
- Lack of assurance on the Auditing Organization's decisions relating to the medical device manufacturer's conformance to regulatory requirements.

Assessment Tasks

Task 1.

 Organizational level


Guidance As a legal entity, the Auditing Organization must analyze the services offered and ensure none of its activity introduces a bias in its audits and decisions.

The Auditing Organization needs independence (financially and organizationally) from all parties interested in the outcome of audit activities, including the audited manufacturer, its representatives, suppliers, importers, clients, and competitors.

The Auditing Organization must not commit to an accelerated timeline for a fee to complete the auditing process. This practice is perceived as an inducement and represents a risk to the Auditing Organization's ability to conduct the audit under appropriate conditions and to critically review audit outcomes.

The Auditing Organization may receive business by referral. Referrals may reveal the Auditing Organization's relationship with external individuals or organizations having an unacceptable interest in the medical device manufacturers using the Auditing Organization's audit and certification services.

Typical evidence Organizational structure, website, advertisements, fee structure.

 Individual level Guidance Policies, procedures, training and individual commitment to a Code of Conduct (see IMDRF/MDSAP WG/N3: 7.1.6) ensure awareness of unacceptable behaviors by individuals involved in the audit and certification decision processes. The Auditing Organization should be aware of potential conflicts of interest affecting all individuals involved in the audit and certification decision processes and have policies in place to mitigate these.

Any individual employed by a medical device manufacturer potentially being considered as an auditor would be viewed by the Regulatory Authorities as a conflict of interest or at least an appearance of conflict of interest, and hence a threat to impartiality that would prohibit that individual from taking part in a medical device regulatory audit.

Any individual involved in the testing of the medical device should not be involved in the quality management system audit that would review the testing of this device.

Typical evidence Policies, procedures, training material, personnel file and individual commitment to a Code of Conduct (see IMDRF/MDSAP WG/N3: 7.1.6).

 Policies, processes, procedures and practices

Guidance The assessor should verify that the Auditing Organization has a publicly accessible statement that it understands the importance of impartiality in carrying out its audit and certification decision activities, and that it monitors and addresses any potential or actual conflict of interest.

The Auditing Organization's processes and procedures must ensure that any threat to impartiality is identified, documented, analyzed and effectively managed. When an Auditing Organization subcontracts parts of the audit related activities, processes should be in place to assure the use of the external organization does not affect its impartiality.

An Auditing Organization that only relies on signed statements from personnel involved in conformity assessment for identifying and monitoring potential conflicts of interests, and does not keep updated records of past and present consultancy activities, would fail (a) to implement an effective system (as no verification would be possible) and (b) to document consultancy activities prior to personnel taking employment, both being requirements of clauses 5.2.2 and 5.2.4 of IMDRF/MDSAP WG/N3.

The Auditing Organization should have methods in place to prevent the offering of audit services to a medical device manufacturer that (within the previous three years - see N3: 5.2.3) benefited from medical device consultancy services, including internal audits from the Auditing Organization, an employee or external resource. If a mock audit, pre-assessment audit or gap-audit of a medical device manufacturer's quality management system was conducted, the Auditing Organization's management system should ensure that the subsequent initial audit is conducted by an independent audit team.

Policies, processes and procedures must ensure that an individual does not review his or her own work. In particular auditors must not decide on the compliance of the quality management system they have audited.

The composition of the audit team (and in particular the lead auditor) should change over time, at least every three years, to prevent an unreasonable risk of familiarity.

Typical evidence Documentation of a process for monitoring impartiality at planned intervals. Evidence of disclosure of any past or present relationship that would potentially represent a conflict of interest.

Link with other assessment tasks See also Competence Management Task 6.

 Mechanisms for the safeguard of impartiality Guidance The Auditing Organization must have mechanisms for safeguarding impartiality. ISO/IEC 17021-1:2015 provides detailed requirements for managing and safeguarding impartiality. The individuals involved in the process for managing threats on impartiality (see ISO/IEC 17021-1:2015 clause 5.2.2) shall have access to individual(s) who have experience and knowledge related to medical devices in order to obtain independent expert opinions. If the Auditing Organization chooses to utilize a committee to manage impartiality concerns, this committee should be aware of the specificities of the medical device regulatory scheme.

Typical evidence The assessors can verify the activity of the impartiality committee (if used by the Auditing Organization) by:
- Reviewing the agenda, the minutes or other documents from the meetings of the impartiality committee and activities;
- Checking the participation at the meetings (including the presence of technical or other specific expertise, where necessary); and/or
- Reviewing the files of the committee members and meeting records to determine that the members were provided with information about the Auditing Organization (structure, business, certification process) and the fundamentals of the MDSAP program.

If the Auditing Organization does not utilize a committee, assessors should review the mechanisms by which potential threats to impartiality were identified, assessed, and mitigated. Assessors should ask for examples of issues that were raised as potential threats to impartiality, how those threats were mitigated, and who made the ultimate decision on the impartiality decision.

Information on safeguarding impartiality is a required input to management review. Assessors can review the information presented on impartiality concerns that were included in management reviews.

Link with other assessment tasks Threats on impartiality shall be assessed taking into account the definition of the Auditing Organization's legal entity (see Management Task 1) and the Auditing Organization's organizational structure (see Management Task 4). Impartiality is also a required input to Management Review (see Management Task 7).

Task 7  Verify that management reviews are being conducted at planned intervals, that they include a review of the suitability and effectiveness of the quality policy, quality objectives, and management system to assure that the quality management system meets all applicable requirements from ISO/IEC 17021-1:2015 and IMDRF/MDSAP WG/N3 and N4.
Applicable requirements ISO/IEC 17021-1:2015 clauses: 10.2.5, 10.3.4 IMDRF/MDSAP WG/N3 clauses: Not Applicable
Guidance The assessor should verify that the Auditing Organization's management review procedure specifies participants, roles and responsibilities, frequency (at least once a year), agenda inputs and deliverables.
The procedure may also specify:
- A standard agenda of topics to be discussed (with flexibility for unique agenda items to be added);
- The necessary attendees who are to participate in the management review and the quorum for decisions;
- The management review objectives, including a review of the progress on meeting the stated objectives;
- How action items resulting from the management review are recorded (including responsibilities and due dates; specifying the tracking tool to use, if any) and followed up until completion (including their review during the following management review); and
- The relevant outputs of the Measurement, Analysis & Improvement process, such as corrective and preventive actions.
- Changes that could affect the quality management system may include any change to 1) recognition criteria, or 2) regulatory requirements applicable to the medical device manufacturers and impacting the Auditing Organization's auditing program or practices.
The assessor should verify that action items resulting from the management reviews are recorded (including responsibilities and due dates, specifying whether a tracking tool is used) and followed up until completion (including the review of effectiveness during the following management review).
The management review may cover activities outside the scope of the medical device regulatory audit scheme. A management review is expected to present, synthesize and analyze sufficient information for the management team to evaluate the implementation, performance, conformity and effectiveness of the activities applicable to the medical device regulatory audit scheme.

The outputs of the management review should include decisions and actions regarding the adequacy of the set of auditors and personnel to cover all of its activities and to handle the volume of audit work.

Typical evidence Management review records should document dates, attendees, and results of the management reviews, including a conclusion regarding the suitability, adequacy and effectiveness of the Auditing Organization's management system.

Link with other assessment tasks Inputs to the assessment of the management review should include (see Management Task 4), the analysis of the adequacy of the set of auditors (see Management Task 5), and outcomes from the management of impartiality (see Management Task 6).

Process: Use of External Resources

Purpose

The purpose of the Use of External Resources process is to ensure that all activities performed on behalf of the Auditing Organization by external auditors or technical experts, or external organizations remain under the control of the Auditing Organization.

Outcomes

As a result of the assessment of the Use of External Resources process, objective evidence will show whether the Auditing Organization has:

A) Defined, documented and implemented appropriate methods (i.e. procedures and criteria) for the control of external resources activities, including the control of competency, impartiality and confidentiality.
B) Documented and implemented appropriate arrangements with external resources ensuring that the competency requirements for the auditing activities, and the final review and decision making on conformity to regulatory requirements are retained by the Auditing Organization.
C) Established written arrangements with external resources including their commitment to apply the Auditing Organization's requirements and provisions ensuring the control of confidentiality and impartiality.
D) Adequate competency to review the outcome of activities performed by external resources.

Risks relative to this process

The failure of the Use of External Resources Process poses the following risks:
- Lack of control of activities directly affects the ability of the external resources to provide the expected service; and/or,
- Lack of control by the Auditing Organization on the conformity of the external resources activities to the requirements of the recognizing Regulatory Authority.

Assessment Tasks

Task 1
- Identify when and how the Auditing Organization utilizes external resources.
- Verify that the controls implemented for the utilization of external resources by the Auditing Organization address competence, impartiality, confidentiality and conflict of interest.

Applicable Requirement ISO/IEC 17021-1:2015 clauses: 7.5 IMDRF/MDSAP WG/N3 clauses: 7.3, 7.5

Guidance  General
The Auditing Organization may use external resources, provided it does not delegate any of the following responsibilities outside the Auditing Organization's management system:
- Establishment of the contract with the medical device manufacturer;
- Identification of competence requirements for the auditor or technical expert to perform specific activities; and,
- Final review and decision-making on conformity to regulatory requirements.

The Auditing Organization should ensure that the use of external resources does not compromise its ability to: (1) make an independent review and decision on the manufacturer's regulatory conformity; and, (2) demonstrate conformity to recognition criteria.

The extent of the use of external resources is an important characteristic of the Auditing Organization. The use of external resources poses increased challenges in terms of control of services to the medical device manufacturer, and control of the Auditing Organization impartiality and the adherence to the Code of Conduct.

Controls over the use of external resources should cover both the evaluation of the competency of the individual or organization as a resource, and the assignment of a specific auditing activity to this external resource.

• External persons
External resources may be individuals (e.g. contracted auditors or technical experts) or organizations (e.g. an Auditing Organization recognized under different medical device regulatory audit schemes).

The process by which an Auditing Organization assures the suitability of an external auditor or an external technical expert typically includes: (1) the evaluation and ongoing monitoring of the individual's competence; (2) training in the Auditing Organization's processes and procedures; and, (3) the evaluation of potential threats to impartiality.

• External organization
An external organization is an organization that does not operate under the Auditing Organization's management system.

The process by which an Auditing Organization assures the suitability of an external organization typically includes the evaluation of the following considerations:
- Nature and range of the service the external organization is to perform on behalf of the Auditing Organization;
- If applicable, the impact of the additional services offered to the client by the external organization (for example: joined audits);
- Potential conflicts of interests and other threats on the Auditing Organization's impartiality, due to, for example:
  o the range of services or products offered by the external organization;
  o the organizational structure, ownership of the external organization; and,
  o the personal interests of the external organization's top management;
- The internal and external human resources available to conduct the activities on behalf of the Auditing Organization;
- The infrastructure, including information systems;
- Competence and impartiality of the individuals that the external organization uses to conduct the service for the Auditing Organization;
- Processes implemented by the external organization, and their compatibility with the Auditing Organization's processes;
- Ability of the Auditing Organization to control and monitor activities undertaken on its behalf by the external organization;
- Access to the records relative to the performance of the service.

The evaluation of this information, including any concerns and their resolution, and the rationale for approving the external organization as a resource should be documented.

The relationship between the Auditing Organization and the external organization may be a partnership where both organizations may be responsible for separate auditing schemes under which the manufacturer is jointly audited. For example, one Auditing Organization may act as a European Notified Body and the other as a Japanese Registered Certification Body. When this is the case, each organization may make independent decisions on the conformity of the audited quality management system. The Auditing Organization must ensure that the decision made by the external organization does not compromise its ability to make an independent review and decision regarding the conformity of the audited quality management system with the relevant regulatory requirements.

On a periodic basis, the Auditing Organization should re-evaluate the external organization's ability to satisfy contractual agreements and expectations.

The assessors should verify that the Auditing Organization implements documented arrangements (such as a memorandum of understanding, or contractual agreement) with external resources.

Typical evidence
Organizational structure, contractual arrangements with external individuals and external organizations, and competence evaluation records.

Link with other assessment tasks
The evaluation of the competency of external resources includes the identification of potential threats to impartiality (see Management Task 5).

Task 2
• Verify that the Auditing Organization has contractual arrangements with external resources.
  o The arrangements shall allow the recognizing Regulatory Authority to assess or witness the activities of the external resources.
  o The arrangements shall include a commitment by the external resource to apply the Auditing Organization's requirements and provisions ensuring the control of confidentiality and impartiality.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.3, 7.5.1
IMDRF/MDSAP WG/N4 clauses: 10.0

Guidance
The assessors should verify that the contractual arrangements do not enable the delegation to external resources of functions identified in Use of External Resources Task 1.

The assessors should verify that the contractual arrangements are comprehensive and adequately implemented.

• External auditor and external technical expert
Since an external auditor or external technical expert may have other professional activities (including consultancy activities), the external auditor or external technical expert should confirm the absence of any conflict of interest prior to assignment to a particular auditing activity.

Contractual arrangements should be documented and approved by the Auditing Organization's top management. The Auditing Organization should not assign any activity to an external auditor or external technical expert before the contractual arrangements are agreed.

• External organization
Contractual arrangements should be documented and approved by the Auditing Organization's top management. The Auditing Organization should not assign any activity to the external organization before the contractual arrangements are agreed.

Typical evidence
Contractual arrangements, list of competent personnel that may identify external individuals, list of external organization if available.

Task 3
• Verify that the Auditing Organization has adequate internal competence to review the outcome and appropriateness of the activities performed by external resources and to verify the validity of the objective evidence provided in order to make decisions.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: Not Applicable
IMDRF/MDSAP WG/N3 clauses: 7.5.2

Guidance
The confidence of the Auditing Organization in the reliability of outsourced auditing activities is only achieved if the Auditing Organization has sufficient competence internally to direct the auditing activities; verify the appropriateness and validity of opinion from external technical expert, verify the competence of the external resources; critically evaluate the outcome of the outsourced activities; and understand the significance of the findings and conclusions.

The absence of such internal competence would result in the Auditing Organization relying blindly on the conclusions and recommendations of the external auditor, external technical expert, or external organization to make its certification decision. This would be equivalent to delegating the certification decision. Such a delegation is not acceptable as it would not fulfill the requirements of N3 Clause 7.2.1.

The assessor should evaluate the extent of expertise expected by an Auditing Organization of an external resource and verify that the Auditing Organization can demonstrate sufficient internal competence to verify the appropriateness and validity of objective evidence provided by the external resource.

Typical evidence
The assessor may look at the competency file for an assigned individual to ensure experience and suitability can be proven for the assigned responsibility.

Process: Measurement, Analysis and Improvement
Purpose
The purpose of the Measurement, Analysis and Improvement process is to verify that:
• Information relative to the audits, competence of the auditors, decisions on conformity to regulatory requirements, and the Auditing Organization's management system is collected;
• This information is analysed to identify actual and potential nonconformities;
• Actual and potential nonconformities are investigated; and,
• Effective corrections and corrective actions are taken, as appropriate.

If trends in the information collected above are unfavourable and nonconformities are observed during the assessment, then this information can be used to select:
• Auditor qualification files to review during the assessment of the Competence Management process;
• Medical device manufacturer files; and,
• Agreement and monitoring records during the assessment of the Use of External Resources process.

Outcomes

As a result of the assessment of the Measurement, Analysis and Improvement process, objective evidence will show whether the Auditing Organization has:
F) Defined, documented, and implemented procedures for measurement, analysis and improvement that address the requirements of the ISO/IEC 17021-1:2015 standard and the IMDRF/MDSAP WG/N3 and N4 documents;
G) Identified, analysed, and monitored appropriate sources of quality data including internal audits, external assessments, and complaints, to identify actual and potential nonconformities;
H) Investigated actual and potential nonconformities;
I) Implemented corrections, corrective actions and preventive actions, as appropriate; and,
J) Reviewed the effectiveness of such actions.

Risks relative to this process

The failure of the Measurement, Analysis and Improvement process poses the following risks:
• Lack of assurance in the Auditing Organization's ability to identify and remediate nonconformities and potential nonconformities as necessary; and/or,
• Lack of assurance on the Auditing Organization's decisions relating to the medical device manufacturer's conformance to regulatory requirements.

Assessment Tasks

Task 1
• Verify that the Auditing Organization has a defined and documented procedure(s) for measuring, monitoring, analyzing and improving the relevance, compliance, consistent implementation and effectiveness of the Auditing Organization's management system.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.2.7
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
Assessors should be mindful that while ISO 17021 does not specifically use the terminology "Measurement, Analysis and Improvement", clause 10.2.7 of ISO 17021-1:2015 refers to "corrective actions". Additionally, most data presented during the management review are outputs of a Measurement, Analysis & Improvement process.

The Auditing Organization should have procedures to collect and monitor data relative to:
- Conflicts of interest
- Auditor conduct
- Auditor competence
- Implementation of the Audit & Certification Processes

The Auditing Organization may use various methods to collect such data, including the review of audit reports, observed audits, solicitation of feedback from audited manufacturers, internal and external audits and assessments, recording unsolicited feedback from audited manufacturers or users of the audit reports or certification documents including those prepared by regulatory authorities.

These procedures should enable the Auditing Organization to detect individual nonconformities or potential nonconformities, as well as unfavorable trends.

The assessor should verify that the Auditing Organization has procedures to address any nonconformity and potential nonconformity, including the investigation of their cause, and the determination of corrections and corrective actions, as applicable.

Typical evidence
Procedures and resulting records for these processes.

Link with other assessment tasks
The monitoring, analysis and improvement processes provide input to the management review (see Management Task 7).

Task 2
• Determine if appropriate sources of data and processes have been monitored by the Auditing Organization, to identify actual and potential nonconformities.
  o This data must include internal audits, external assessments, complaints, and the use of external resources.
• Confirm that monitoring and measurement activities cover auditor competence, audit performance, decisions on conformity to regulatory requirements and adherence to the Code of Conduct throughout the Competence Management and Audit and Decisions Processes.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.2.7
IMDRF/MDSAP WG/N3 clauses: 10.1.3

• Data sources
Guidance
It is the Auditing Organization's responsibility to determine appropriate monitoring and analysis activities.

The data sources should at least include:
- Complaints;
- Nonconformities from internal or external audits, and other sources;
- Appeals;
- Competence and conduct of the auditors, technical experts, reviewers and other personnel;
- Performance of the audits according to planned arrangements;
- Corrective actions.

The assessor should be mindful of quality problems that appear in more than one data source. It is essential that the Auditing Organization understands the full extent of the quality problem. For example, audit nonconformities noted in complaints or customer feedback should be compared with similar nonconformities noted during the organization's analysis of data from other data sources such as auditor competence assessment reports, audit report review records, internal audit reports, etc.

Typical evidence
See list above

• Analysis of data
Guidance
The Auditing Organization has the flexibility to use whatever methods of analysis are appropriate to identify existing and potential causes of nonconformities or other quality problems. However, the Auditing Organization should use appropriate statistical methods where necessary to detect potential, emerging or recurring quality problems. The Auditing Organization should not use statistics to minimize a problem or avoid addressing a problem.

Typical evidence
Records resulting from the processes. Additional record on the analysis of the data.

Task 3
• Determine if investigations are conducted to identify the underlying cause(s) of detected nonconformities as well as of potential nonconformities, where possible.
• Confirm investigations are commensurate with the risk of the nonconformity.
• Confirm that corrections and corrective actions, as appropriate, were determined, implemented, documented, effective, and did not adversely affect the audits performed and decisions made.
• Evaluate whether corrective action is appropriate to the risk of the nonconformities or potential nonconformities encountered.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.2.7
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
The assessor should verify that the Auditing Organization's procedures ensure that data to detect existing or potential nonconformities are analyzed and effectively reacted to when applicable.

When the Auditing Organization detects a nonconformity, it must investigate, determine and record:
- The underlying causes of the nonconformity;
- Any necessary correction to control or limit the effects of the nonconformity;
- Any necessary corrective action to prevent the re-occurrence of the nonconformity.

Potential nonconformities do not need correction; however, the Auditing Organization must still investigate, determine and record:
- The underlying causes of the potential nonconformity;
- Any necessary action to prevent the nonconformity from occurring.

The depth of the Auditing Organization's investigation of the quality problem should be commensurate with the risk. An assessment team should be mindful of the risk of the nonconformity on the reliability of the audits and the credibility of the decisions made by the Auditing Organization.

Considering the nature of the services offered by Auditing Organizations, the investigation conclusion of a nonconformity's underlying cause should not be limited to "human error", in particular if there is a pattern of such human errors. The assessor should verify that the Auditing Organization evaluates whether such human error originates from a lack of (or ineffective) training, insufficient competency, poor practices, or other causes (e.g. a lack of effective supervision).

The investigation of a nonconformity should include a determination of whether the nonconformity adversely affects certification documents or audit deliverables already released to the client or any Regulatory Authority.

A nonconformity may not always warrant both correction and corrective action.

Where a quality problem has already been identified and investigated by the Auditing Organization, and the Auditing Organization had decided not to undertake any corrective actions, the assessor should verify that records include a risk-based rationale for not taking action and are approved by a designated individual.

The Auditing Organization is expected to implement in a timely manner the actions it decided to address an existing nonconformity, including correction, and/or corrective action. The time to implement these actions - especially the immediate correction intended to limit the effects of the nonconformity - should be inversely related to the risk of the nonconformity. The extensive nature of some actions - corrective actions in particular - may necessitate extended time to implement on the part of the Auditing Organization.

The assessor should verify that the Auditing Organization evaluates the effectiveness of any implemented corrective action. These actions should not be considered complete until this evaluation has been conducted and the actions have been confirmed to be effective. If the Auditing Organization determines that a correction or corrective action was not effective, the assessor should verify that the Auditing Organization further investigates how to remediate the original problem, and, as appropriate, the causes that prevented the actions from being effective.

Typical evidence
Records resulting from correction and corrective actions.

Link with other assessment tasks
The output of the corrective actions is an input to management review (see Management Task 7).

Task 4
• Determine whether any of the Auditing Organization's corrective actions require reporting to the recognizing Regulatory Authorities (such reporting may include changes relevant to its recognition).

Applicable requirements
ISO/IEC 17021-1:2015 clauses: Not applicable
IMDRF/MDSAP WG/N3 clauses: 8.6.5

Guidance
The assessor should verify that the Auditing Organization reports to the recognizing Regulatory Authority(s) if a corrective action represents a change that may affect the organization's recognition (e.g. legal, commercial, organizational or ownership status; top management or key personnel; resources; or premises and critical location) or its operating processes (e.g., policies and procedures submitted to the recognizing Regulatory Authority in the application package for recognition as an Auditing Organization).

Typical evidence
Records of corrective action, competence record, record of organizational structure

Task 5
• Verify that a process is in place to ensure that an audit which does not conform to auditing requirements is identified and managed to ensure that there is sufficient information for decisions on conformity to regulatory requirements.
• Confirm that appropriate decisions were made, justified, and documented.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 9.5.3
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
If the Auditing Organization determines as part of the final review of the audit outcomes that the prerequisite information for making a decision of conformity of the manufacturer is incomplete or contains errors, the assessor should verify that a nonconformity is recorded and resolved prior to the making of a decision.

The resolution of the Auditing Organization's nonconformity may require the performance of an additional audit prior to the decision being made.

Typical evidence
Client files, record of the review of audit decisions, if available.

Task 6
• Verify that internal audits are being conducted according to planned arrangements and documented procedures to ensure the management system is in compliance with the established requirements set out in ISO/IEC 17021-1:2015 and the IMDRF/MDSAP WG/N3 and N4 documents, as well as any other applicable recognizing Regulatory Authority requirements.
• Confirm the internal audits include provisions for auditor independence over the areas being audited, corrections, corrective actions, follow-up activities, and the verification of corrective actions.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.2.6
IMDRF/MDSAP WG/N3 clauses: 10.1.4

Guidance
The Auditing Organization must conduct periodic, independent and systematic examination of its management system to determine whether:
- The management system as defined, meets all applicable requirements;
- The Auditing Organization conducts its activities according to the management system;
- The management system as implemented, produces the expected deliverables and outcomes, and is suitable to achieve the Auditing Organization's quality objectives.

Internal audits may not be specific to a medical device regulatory audit scheme but the internal audit program should demonstrate sufficient coverage of this scheme. At a minimum, the entire medical device audit scheme is to be covered within the duration of the recognition cycle.

Typical evidence
The records should demonstrate that the Auditing Organization implemented the internal audits according to the internal audit program (including its schedule).

Task 7
• Confirm that the Auditing Organization has effective processes for handling complaints and investigating the cause of nonconformities related to complaints with provision for input into the Measurement, Analysis and Improvement process.
• Verify that procedures have been implemented that require the Auditing Organization to forward to the recognizing Regulatory Authority information on any complaint about a medical device manufacturer that could indicate an issue related to the safety and effectiveness of medical devices or a public health risk.
• Confirm the proper and timely implementation of these procedures.
• Evaluate how the complaint process allows for forwarding to the appeals process.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 9.8
IMDRF/MDSAP WG/N3 clauses: 9.8

Guidance
The assessors should verify that the complaint handling process includes:
- Any feedback from an audited manufacturer or from users of the certification documents, including Regulatory Authorities, alleging that the Auditing Organization did not fulfill all applicable requirements for recognition (i.e. from IMDRF/MDSAP WG documents N3 and N4, ISO/IEC 17021-1:2015, or any additional requirement specific to the medical device regulatory audit scheme); and,
- Any feedback from a user of the certification documents, including Regulatory Authorities, alleging that the products from the audited manufacturer do not meet their specifications, or that the manufacturer fails to satisfy its quality system and regulatory obligations.

The Auditing Organization may receive feedback through different channels. A complaint may result from broader feedback and may not be designated by the sender as a complaint. For example, the appeal of an Auditing Organization decision should be supported by a rationale for reconsidering a decision on a manufacturer's conformity. This rationale may include a statement that the Auditing Organization did not fulfill its obligations.

The assessor should verify that when communicating with a complainant other than the recognizing Regulatory Authority, the Auditing Organization does not share confidential information about any third party.

Typical evidence
Complaint handling records

Link with other assessment tasks
The determination of the complaint validity may be part of the investigation of the nonconformity (see Measurement, Analysis and Improvement Task 3).

Task 8
• Where an investigation by the Auditing Organization determines that activities from external resources contributed to a nonconformity or a complaint, verify that records show that relevant information was exchanged between the parties involved.

Applicable Requirements
ISO/IEC 17021-1:2015 clauses: 9.8.6
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
External resources may be essential to the ability of the Auditing Organization to conduct all auditing activities. By nature, external resources are not controlled as directly as internal resources, which introduces an increased risk factor.

When an external resource contributed to a nonconformity or a complaint, the assessor should verify that the Auditing Organization has made the external organization aware of the nonconformity or complaint.

The assessor should ensure that the Auditing Organization has requested information regarding the implementation of remediation actions.

Typical evidence
Records of correction, corrective action or complaints

Task 9
• Determine if the relevant outputs of the Measurement, Analysis and Improvement Process are inputs into the management review.

Applicable Requirements
ISO/IEC 17021-1:2015 clauses: 10.2.5.2
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
The assessor should ensure that the Auditing Organization uses relevant outputs from the Measurement, Analysis and Improvement process as inputs to management review.

Typical evidence
Records of management review.

Link with other assessment tasks
See Management Task 7 regarding management review.

Process: Competence Management
Purpose
The purpose of the Competence Management process is to ensure that auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the audit and related activities have demonstrated competence, according to pre-established criteria. The Competence Management Process is also to ensure that the Auditing Organization has access to competent personnel to cover the scope of their recognition. This is essential in ensuring the credibility of the Audit and Decisions Process outcomes.
Outcomes
As a result of the assessment of the Competence Management process, objective evidence will show whether the Auditing Organization has:
A. Identified the necessary competence to be an effective organization for their scope of recognition.
B. Defined, documented and implemented methods (i.e. procedures and criteria) for the evaluation and monitoring of the competence of auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the management and performance of audits and related activities.
C. Identified training needs and access to training for auditors, technical experts, the program administrator and final reviewer, and all other personnel involved in the management and performance of audits and related activities.
D. Maintained records demonstrating the effective implementation of the competence management process.
E. Demonstrated the effectiveness of its evaluation methods and of the overall competence management process.
Risks relative to this process
The failure of the Competence Management process poses the following risks:
- Lack of competence may not allow the auditors, technical experts, program administrator, and final reviewer to identify the critical elements to assess, make appropriate judgement on conformity to regulatory requirements and make appropriate decisions.
Assessment Tasks

Task 1
• Verify that the Auditing Organization has identified the necessary competencies for the scope of its recognition.
• Verify that the Auditing Organization has access to the necessary technical expertise for advice on matters directly relating to decisions of conformity to regulatory requirements.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.1.1, 7.1.4, 7.2.3
IMDRF/MDSAP WG/N3 clauses: 7.1.1
IMDRF/MDSAP WG/N4 clauses: Not applicable

Guidance
• Competence needs for the organization
The assessor should verify the following:
- The Auditing Organization should identify the competence needed at all levels of the organization and for all functions involved in the audit and certification related activities, to operate as a recognized auditing organization.
- The Auditing Organization should use expert opinions to identify these competencies. Such experts may be internal or external. The necessary competence may vary depending on the range of technical areas for which the Auditing Organization seeks recognition, and on the number and profile of audited medical device manufacturers, and their medical devices.
- The Auditing Organization should have an appropriate workforce, in competence and number, to operate as an Auditing Organization.
- If the Auditing Organization has several sites with separate organizational structures, the same competence criteria are consistently applied to all sites.

• Identifying Competence criteria
The assessor should verify that the documented process provides for the:
- Analysis of the requirements that a manufacturer must fulfill to effectively implement a quality management system and to fulfill the requirements that relate to products and manufacturing processes and other regulatory requirements. The analysis should consider each area of technical knowledge for which the Auditing Organization is seeking recognition.
- Determination of the aspects of the evaluation of product / process related technologies that are required to verify compliance with regulatory requirements and the extent to which these may be assessed at audit.
- Requirement that the Auditing Organization document competency criteria expressed in terms of the requisite knowledge, skills, behavior, values and experience that will ensure requirements are adequately assessed. Criteria may also include an ability to analyze and adapt to new situations. The criteria should allow for an objective and measurable assessment of competency. (IMDRF/MDSAP WG/N4 - Appendix A provides an example of a scheme for the classification of technical knowledge)
- Maintenance of the competence criteria.

The IMDRF/MDSAP WG/N4 section 6 specifies pre-requisite education and experience for auditors, technical experts, program administrators and final reviewers.

The IMDRF/MDSAP WG/N4 section 8.1 specifies pre-requisite auditing experience before an individual may conduct audits independently as an auditor or lead auditor.

The IMDRF/MDSAP WG/N4 section 8.2 specifies pre-requisite experience of the review of technical documentation to confirm the competence of a technical expert.

Some competence criteria may apply to all technical areas (horizontal criteria). For example, all medical device auditors should have demonstrated competence in medical device regulations, quality management systems, and risk management applied to medical devices.

Conversely, competence criteria may only apply to specific technical areas (vertical criteria). For example, not all medical device auditors need to have competence in the safety of electrical medical devices or software.

If the Auditing Organization excludes some technical areas from its application to the recognizing Regulatory Authority(s), the Auditing Organization would not be expected to have competent auditors for these technical areas. The Auditing Organization must not commit to undertake the assessment of manufacturers for product where it does not have the requisite competence under its scope of recognition.

For each function the Auditing Organization should identify the criteria that may be used to demonstrate competence, prior to the assessment of competence against the criteria.

Technical and regulatory expertise
The assessor should verify that the Auditing Organization has access to sufficient technical expertise necessary for the scope of its audit and certification related activities (e.g. medical devices audited, their performance and safety, clinical use, manufacture, and the regulations applicable to those devices).

The necessary expertise should serve the following purposes:
- Provide guidance while defining appropriate auditing and certification practices and processes;
- Provide guidance during the development of the Auditing Organization's management system to ensure compliance to the recognition requirements;
- Define necessary competence criteria and train individuals involved in the audit and certification activities;
- Support the auditors, either remotely or on-site, when facing challenging issues during an audit; and
- Enable the Auditing Organization to critically review an audit file, including the audit findings and the manufacturer response.

While defining auditing and certification practices and processes, and the Auditing Organization management system, the Auditing Organization should consider guidance documents that are acceptable to Regulatory Authorities.

Using external resources to meet the scope of expertise
The outcome of the identification of competence needs should serve as an input to the selection of an external resource and to define operational processes between the Auditing Organization and the external resource.

Typical evidence: Procedure and competence criteria

Link with other assessment tasks: See Management Task 4 (analysis of the adequacy of the set of auditors) and Use of External Resources Task 3 (internal resources necessary to verify the work of external resources)

Task 2
- Verify that the Auditing Organization has defined, documented and implemented procedures and criteria for initial competence evaluation of auditors, technical experts, program administrators, final reviewers, and personnel involved in the audit and related activities.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.1.2, 7.2
IMDRF/MDSAP WG/N3 clauses: 7.1.2, 7.1.3, 7.1.6
IMDRF/MDSAP WG/N4 clauses: 9.0

Guidance

Competence evaluation criteria
Compliance with competency criteria may be demonstrated by an individual (or organization) through a combination of practical and theoretical knowledge, skills, behavior and values that are used to act effectively in an audit or certification activity.

Competence evaluation process
The assessor should verify that the Auditing Organization has a defined process for the initial evaluation of the competence of a candidate auditor, technical expert, final reviewer, or of any other individual involved in the audit and decision activities.

Competence cannot strictly be confirmed through a document review. The evaluation process should consider various methods to initially evaluate the individual's competence, using a combination of the following:
- Review of records of education and training;
- Review of records of audits or inspections conducted or reviewed, if relevant to the function;
- Review of evidence of technical expertise (for example, involvement in the review of technical documentation, publications), if relevant to the function;
- Feedback from peers, and supervisors, and if relevant, from audited manufacturers;
- Interviews;
- Participation in audits as an observer or as supervised auditor; and
- Evaluation against competency criteria (e.g. testing).

The assessor should verify that the individual(s) involved in the evaluation of competence themselves possess the necessary competence to do so effectively. Specifically, the individual(s) involved in the evaluation of the competence of auditors or technical experts should meet the competence criteria of a lead auditor and final reviewer with adequate education, skill and experience.

Lead auditors and auditors-in-training must undergo a confirmation of skills and personal attributes through a medical device witnessed audit prior to being authorized as a lead auditor or auditor.

Assessors may find that an effective way to assess auditor competence is to select auditors during the audit file review portion of the assessment. As the assessors are reviewing the audit files, those auditors can be selected and evaluated for the required technical competency to do the audit.

Note that the Auditing Organization may define different degrees of auditor competence, using designations such as auditor, lead auditor, senior auditor, supervising auditor. If applicable, the Auditing Organization should define the competence criteria for each of these designations, as well as determining competency criteria for different technical areas (e.g. sterilization processes, electronic devices, devices containing nanomaterials, etc.).

Typical evidence: Procedure for the initial evaluation of competence, and related records

Task 3
- Verify that the Auditing Organization maintains records of personnel to include auditors, technical experts, the program administrator and final reviewer that have been assessed as competent to perform the duties associated with the audit and related activities including external resources.
- Verify that the records are current at all times.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: Not applicable
IMDRF/MDSAP WG/N3 clauses: 7.1.3, 7.2
IMDRF/MDSAP WG/N4 clauses: Not applicable

Guidance
The assessor should verify that:
- These records are available and current for all personnel.
- The Auditing Organization has implemented the scheme for the classification of technical knowledge if prescribed by the recognizing Regulatory Authority.

Typical evidence: List of competent personnel

Link to other assessment tasks: The list must include external resources (see Use of External Resources Task 1).

Task 4
- Verify that the Auditing Organization has identified training needs, has provided access to such training, and has ensured the identified training has been undertaken by its auditors, technical experts, the program administrator and final reviewer and all other personnel involved in the audits and related activities, including the external resources.
  o Training shall include IMDRF/MDSAP specific requirements.
  o The Auditing Organization must ensure that personnel have access to an up-to-date set of procedures.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.2.6
IMDRF/MDSAP WG/N3 clauses: Not applicable
IMDRF/MDSAP WG/N4 clauses: 8.0

Guidance
The assessor should verify that as a result of either the evaluation of an individual's competence, the recruitment of new personnel (including auditors, technical experts, final reviewers or program administrators), or the evaluation of the adequacy of the set of auditors, technical experts and personnel to the organization needs, the Auditing Organization made arrangements to complement the competence of the individual or the organization with additional training.

Training arrangements should ensure that:
- Any gaps identified in the competence evaluation are resolved;
- Any need for future professional development;
- The training is effective, for example through knowledge tests, examinations, review of work by a tutor or supervisor, observation of audits, interviews, etc.

Typical evidence: Training plans, job-specific predefined training curriculum, etc. are examples of documented arrangement.

Task 5
- Verify that the Auditing Organization has defined, documented and implemented a method (i.e. procedures and criteria) for the ongoing monitoring of competence and performance of all personnel involved in the audits and related activities.
- Verify that when personnel no longer meet the competence criteria their competence status is revised.
- Verify if any remediation plan has been implemented.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.1.3, 7.2.9, 7.2.10
IMDRF/MDSAP WG/N3 clauses: 6.1.5
IMDRF/MDSAP WG/N4 clauses: 7.2

Guidance

Monitoring of the competence
The assessor should verify that the Auditing Organization has defined methods and criteria for the on-going monitoring of the competence of personnel according to documented procedures.

The assessor should verify that the Auditing Organization re-evaluates for continued recognition of competence at least every three years. In addition, lead auditors and auditors must undergo confirmation of skills and personal attributes through a medical device witnessed audit at least every three years.

The monitoring should be adapted to the expected level of competence, and to the potential impact of the lack of competence of the individual(s).

The assessor should verify that if the Auditing Organization identifies concerns that relate to a lack of competence of an auditor(s) or a technical expert(s), the Auditing Organization documents the concern. The procedures should specify how these concerns should be recorded and handled (e.g. through the corrective action process).

Response to the outcomes of the competence monitoring activities
The assessor should verify that the outcome of the competence monitoring activities is a decision on whether to maintain or renew the recognition of competence of personnel.

The decision may be either to maintain/renew the recognition of competence or to place the individual into remediation.

The assessor should verify that the Auditing Organization adjusts the monitoring methods and training arrangements of a particular individual that has been placed in remediation. For example, the monitoring methods may be changed to monitor the improvement of a particular competency.

The work performed by an individual that has been placed in remediation should be evaluated by the Auditing Organization to ensure its validity. If the outcomes of an audit performed by an individual that has subsequently been placed in remediation (i.e. the audit report and the decision on the manufacturer's conformity) should be invalidated, the Auditing Organization should record it as a nonconformity and inform the recognizing Regulatory Authority(s) and affected manufacturers of the situation and the remediation plan.

Typical evidence: Competence re-evaluation records, audit reports, reports on witnessed audits

Link with other assessment tasks: The competence monitoring process is a source of quality data for the Measuring, Analysis and Improvement process (see Measurement, Analysis and Improvement Task 2 and Task 4).

Decision on the status of recognition of an assessor may impact the records of available qualified auditors (see Competence Management Task 3).

Task 6
- Verify that records demonstrate the implementation of the competence evaluation, training, commitments to confidentiality, impartiality, and Code of Conduct for auditors, technical experts, the program administrator and final reviewer and all other personnel involved in the audits and related activities.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.4
IMDRF/MDSAP WG/N3 clauses: 7.4
IMDRF/MDSAP WG/N4 clauses: 11.0

Guidance
The assessors should verify records of initial and ongoing competence evaluation as well as training records. These files should include external auditors and external technical experts, including those used by external organizations.

When assessing the Auditing Organization, the recognizing Regulatory Authority's assessment team should select a representative sample of individual files, with a preference for auditors, technical experts and final reviewers, including both internal personnel and external resources. The completion of previous assessment tasks may direct the selection to specific functions or individuals.

The Auditing Organization must maintain a list of Lead Auditors, Auditors, and Technical Experts. The list is to be reviewed annually and updated as necessary. During the assessment, the assessment team should review this list and ensure that it is complete and up-to-date.

Typical evidence: Individual files

Link with other assessment task: See Information Management Task 7 - Commitment to impartiality

Task 7
- Verify that the Auditing Organization has demonstrated the effectiveness of the competence evaluation methods and of the competence management process.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 7.1.3
IMDRF/MDSAP WG/N3 clauses: Not applicable
IMDRF/MDSAP WG/N4 clauses: Not applicable

Guidance
Demonstrating the effectiveness of the competence evaluation methods is intrinsically difficult for both the Auditing Organization and the recognizing Regulatory Authority's assessment team. However, if the Auditing Organization or the recognizing Regulatory Authority's assessment team identifies a lack of competence of the Auditing Organization or of an individual, this may reflect a lack of the effectiveness of the competence evaluation methods and competence management process.

The assessor should note the informative Annexes B and C in ISO/IEC 17021-1:2015 on possible assessment methods that the Auditing Organization might utilize.

Typical evidence: Records on witnessed audits, internal audits, reviews of audit reports, records of client feedback

Link with other assessment tasks: The individual's file includes information relevant to the assignment of position, including responsibilities and authorities (see Management Task 4), and to the management of impartiality (see Management Task 6)

Process: Audit and Certification Decisions Process
Purpose
The purpose of the Audit and Decisions Process is to control the management of the medical device manufacturer's request for audit and other related activities. This process includes the review of the application, the definition of the audit program, the planning and performance of the audit, the review of the report, the decision making, the review of the audit program, the planning of next audits, including special audits, necessary for the maintenance of the certification.
Outcomes
As a result of the assessment of the Audit and Decisions Process, objective evidence will show whether the Auditing Organization has:
A. Defined, documented and implemented methods (i.e. procedures and criteria) for the control of the Audit and Decisions process.
B. Established and implemented audit Programs for each manufacturer in accordance with the prescribed recognizing Regulatory Authority audit cycle.
C. Planned and conducted audits according to the audit program including the assignment of a competent audit team.
D. Reviewed corrections and corrective actions implemented by the manufacturer in response to the audit findings.
E. Made reliable and consistent decisions based on the outcome of the audits and the review of the manufacturers' responses.
F. Conducted follow-up activities according to the decisions.
G. Effectively evaluated and made appropriate decisions regarding appeals.
H. Maintained records demonstrating the effective implementation of the Audit and Decisions process.
Risks relative to this process
The failure of the Audit and Decisions Process poses the following risks:
- Lack of control regarding the Audit and Decisions Process may cause inconsistency in the outcome and affect the reliability of the outputs of the Auditing Organization.

Assessment Tasks

Task 1
- Verify that the Auditing Organization has documented procedures as required in the IMDRF/MDSAP WG/N3 for clause 9 of the ISO/IEC 17021-1:2015.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 10.1, 10.2.1, 10.2.2
IMDRF/MDSAP WG/N3 clauses: 9.0

Guidance
The assessor should verify that any specific requirements for the audit of technical documentation, for the conduct of an audit, or for any other requirement, that have been prescribed by a Regulatory Authority, have been incorporated into the Auditing Organization's procedures for their audit and certification processes.

Task 2
- Verify that the Auditing Organization established, reviewed and updated (as needed) the program for the full audit cycle, specific to each medical device manufacturer taking into account the review of the request for audits and notices of change, including information collected during prior audits.
- Verify that the Auditing Organization has planned the audits according to the program, including:
  o the determination of audit time according to procedure MDSAP AU P0008; and
  o the identification of related sites and critical suppliers to audit, considering the specific circumstances of the medical device manufacturer.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.1.3, 9.1.4, 9.2.1, 9.5.3.3
IMDRF/MDSAP WG/N3 clauses: 9.6.7

Guidance
The assessor should verify that the Auditing Organization has established an audit program for each manufacturer.

The assessor should note that informative Annex F of ISO/IEC 17021-1:2015 describes considerations for the audit program. The assessor should in particular verify that the Auditing Organization takes into account considerations such as:
- The differences in the regulatory definition of manufacturer and what might be required for the scope of any audit program;
- The scope of certification to ensure that it adequately reflects the activities of the manufacturer and their applicable sites/locations;
- Outsourced critical processes/activities and information regarding the type of controls over these suppliers;
- Product/process characteristics impacting the audit program such as the medical device classification, type of manufacturing and product technologies, software, the presence of substances of human or animal origin or medicinal substances, etc.;
- Ongoing or past certification.

The assessor should verify that the Auditing Organization establishes the audit program to cover the 3-year cycle and reviews and revises the program, as necessary, when information about the manufacturer becomes available to the Auditing Organization. Such information could include the findings of audit reports and identified nonconformities, deviations in the conduct of previous audits, notification of changes from the manufacturer, changes to regulatory requirements, directives from regulatory authorities, etc.

The assessor should verify that the Auditing Organization determines the audit duration according to procedure MDSAP AU P0008 "Audit Time Determination Procedure" and using guidelines specific to the medical device regulatory scheme. Assessors should not find the Auditing Organization's audit time calculation process acceptable if it only utilizes such methods as IAF MD9 without making provision for extension of the time calculation based on such things as the requirements for the MDSAP audit tasks, risks, complexity, scope of activities, regulatory requirements, etc.

Except for the Stage 1 audit, it is a requirement for all audits to be conducted onsite.

The assessor should verify that if the Auditing Organization plans to sample facilities of a multi-site medical device manufacturer, the rationale for the sampling is recorded. A facility cannot be included in the certificate before it is audited onsite. Not all regulatory jurisdictions authorize the sampling of facilities.

Typical evidence: Sample of individual manufacturer's audit programs, client files

Task 3
- Verify that the Auditing Organization selected and assigned audit teams with the competence required for each audit.
- Verify that the Auditing Organization communicated to the audit teams the audit scope, objectives and tasks for planning the audit and for the assignment of responsibilities among the audit team members.
- Verify that the Auditing Organization informed the medical device manufacturer of the audit team composition and the audit plan.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.2.2
IMDRF/MDSAP WG/N3 clauses: 9.0, 9.2

Guidance
The assessor should verify that the Auditing Organization has a procedure for the selection of auditors that ensures the audit team possesses the competence necessary to conduct a specific audit of the medical device manufacturer, taking into account the scope of the audit and in accordance with the medical device audit scheme.

The assessor should verify that the Auditing Organization provides the audit team with the information necessary to plan the audit, including a list of medical devices and the medical device scheme within the scope of the audit program.

The assessor should verify that the Auditing Organization has effectively implemented the planned arrangements to ensure that the auditor is not the lead auditor for more than 3 consecutive audits at the same manufacturing site.

IMDRF/MDSAP N3 clause 9.2 details an important exception to ISO 17021-1:2015 in that medical device manufacturers will not be afforded the opportunity to object to the composition of the audit team as described in ISO/IEC 17021-1:2015 clause 9.2.3.5. Manufacturers may utilize the appeals process to notify the Auditing Organization of any concerns related to the audit team composition.

This task can often be efficiently assessed by selecting audit files for review and confirming that the audit scope and objectives were correct and agreed upon between the Auditing Organization and the client, the audit team that was selected has all the required technical competency, and that the audit plan was followed.

Typical evidence: Client file

Link with other assessment tasks: See management of impartiality in Management Task 5

Task 4
- Verify that the Auditing Organization conducted audits according to the audit program and the requirements of the recognizing Regulatory Authority.
- Verify that the requirements for audit reports including the grading of any nonconformities as prescribed in IMDRF/MDSAP WG/N3, and any requirements of the recognizing Regulatory Authority were met.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.4
IMDRF/MDSAP WG/N3 clauses: 8.2, 9.4

Guidance
The assessor should verify that the audit program has been implemented as planned and if audits were postponed or omitted, that the Auditing Organization has provided a rationale or taken measures to rectify the problem.

The assessor should consider how unplanned audits impact the audit program.

The assessor should verify that the Auditing Organization has followed the MDSAP Audit Model when conducting audits of medical device manufacturers.

The assessor should verify that the Auditing Organization has properly implemented the requirements in MDSAP AU P0019 "MDSAP Medical Device Regulatory Audit Reports", as well as the associated forms MDSAP AU F0019.1 "Medical Device Regulatory Audit Report" and MDSAP AU F0019.2 "Nonconformity Grading and Exchange Form".

The assessor should verify that the Auditing Organization has properly implemented the GHTF/SG4 N19:2012 - Nonconformity Grading System for Regulatory Purposes and Information Exchange.

The assessor should select a sample of audit files to review their content. The sampling should take into account:
- The outcome of their assessment of prior processes (e.g. Management, Measurement, Analysis & Improvement and Competence Management processes);
- The class of the device audited;
- Different types of audits (e.g. initial, surveillance, recertification, unannounced);
- Geographic locations;
- Various auditors.

Task 5
- Verify that the Auditing Organization reviewed any responses to nonconformities identified during an audit of the manufacturer.
- Verify that the Auditing Organization has appropriately required and reviewed the necessary cause analysis, and any related plans for corrections, and/or corrective action.
- Verify that the Auditing Organization has verified the implementation and effectiveness of such actions and conducted special audits as necessary.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.4.9, 9.4.10
IMDRF/MDSAP WG/N3 clauses: Not applicable

No additional guidance

Link with other assessment tasks: See Audit and Decision Process Task 4

Task 6
- Verify that the Auditing Organization reviewed the audit reports, and all other relevant information, and made consistent decisions on the conformity to regulatory requirements.
- Verify that the decisions made for suspending, withdrawing, or reducing the scope of any certification are consistent with the recognizing Regulatory Authority's requirements.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.5.3, 9.5.4, 9.6.5
IMDRF/MDSAP WG/N3 clauses: 8.6.4, 9.5, 9.6, 9.6.3, 9.6.4

Guidance

Final review of the audit report
The assessor should verify that the Auditing Organization's final review includes the verification of the audit report conformity to IMDRF/MDSAP WG/N24 and that the identified nonconformities are relevant to the scope of certification and supported by evidence, and that this review is recorded.

Decision on the manufacturer's regulatory conformity
If the decision is made by a committee, this does not necessarily prohibit the auditor(s) from participating in committee meetings, provided the rules governing the committee ensure the overall independence of the committee.

The assessor should evaluate, on the basis of a sample of files, whether the Auditing Organization ensures the consistency and accuracy of the certification decisions taken.

The assessor should verify that the Auditing Organization ensures that the certificate is only renewed or extended after the recertification process is completed, including the final review of the file, regardless of the certificate expiration date.

Assessors should be mindful that IMDRF/MDSAP N3 clause 8.6.4 requires that the Auditing Organization notify the recognizing Regulatory Authority(s) in writing within 5 working days from the date of a decision to refuse, suspend, reinstate, restrict, or withdraw a certificate. The notification shall include a rationale for such action.

Typical evidence: Client files

Task 7
- Verify that the Auditing Organization implemented the decisions and conducted follow-up reviews and audits, including unannounced and special audits.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.6.4.2
IMDRF/MDSAP WG/N3 clauses: 9.6.7

Guidance
The assessor should verify that the Auditing Organization communicates in a timely manner with the relevant recognizing Regulatory Authority(s) in case of a decision to restrict, suspend, or withdraw certification.

The assessor should verify that the Auditing Organization ensures that the follow-up activities are conducted to fulfill specified objectives, according to a specified timeline, and by individuals with the necessary competence.

Unannounced audits
The assessor should verify that the Auditing Organization has procedures to add unannounced audits to the audit program when any of the following applies:
- If required by the recognizing Regulatory Authority(s); or
- If specific information provides reasons to suspect serious nonconformities of the devices or of their manufacture; or
- As a follow-up of a routine audit that identified:
  o one or more nonconformity(s) graded as a "5", or
  o more than two nonconformities graded as a "4".

Unannounced audits should be conducted by at least two auditors, take not less than one day, and have objectives set based on what triggered the audit.

In addition, the assessor should verify that the Auditing Organization has suitable arrangements with the manufacturer that would allow for unannounced audits to be conducted as part of the audit program.

Transfer of certification from another Auditing Organization
It is especially important for the assessor to verify the activities considered during contract review for transfer of certification.

In addition to normal considerations, the assessor should specifically verify the planned arrangement for any transfer of certificates and that the Auditing Organization develops an audit program that is commensurate to the potential risks when relying on the information/work done outside their control. In most instances, a special audit may be required to finalize the transfer of certification.

Typical evidence
Client files

Task 8
- Verify that the Auditing Organization evaluated and made decisions on appeals.
- Verify that appeals are input to the Measurement, Analysis and Improvement process.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.7
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
The assessor should verify that the Auditing Organization's process ensures a fair review of the request, taking into account internal jurisprudence, and should prevent any pressure on the decision makers that could impact their independence.

The assessor should verify that the Auditing Organization investigates appeals as potential indicators of the need for improvement through the Measurement, Analysis & Improvement process.

The assessor should verify that the Auditing Organization does not allow the manufacturer to object to the composition of the audit team unless the manufacturer has formally gone through the appeal process. If the manufacturer raises information about the impartiality or conflict of interest of the proposed audit team, this information can be considered in the appeals process.

The assessor should verify that correction and corrective action, if appropriate, have been taken by the Auditing Organization. An Auditing Organization may define an abbreviated appeals process specifically for handling the objection to the audit team composition.

Trends on appeal decisions may reveal signs of lack of independence.

Typical evidence
Records of appeal

Link with other assessment tasks
See Measurement, Analysis and Improvement Task 7 regarding complaints
See Management Task 6 on impartiality

Task 9
- Verify that the Auditing Organization maintained records on the audit and decision activities.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 9.5.1.4, 9.5.2
IMDRF/MDSAP WG/N3 clauses: 9.5.2

No additional guidance

Task 10
- Verify the effectiveness of the Audit and Decision process.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: Not applicable
IMDRF/MDSAP WG/N3 clauses: 10.1.3

Guidance
The Auditing Organization must measure, monitor and analyze its audit program to provide information relating to the characteristics and trends of its processes, such as consistency in audit reports, bias in identified nonconformities, and feedback from medical device manufacturers.

During the MDSAP assessment, the assessment team should review the process by which the auditing organization monitors the performance of the audit program. This information can often be found by reviewing the information evaluated in management review, or as part of the auditing organization's corrective actions.

Typical evidence
Records of corrective actions, management review inputs

Link with other assessment tasks
See Measurement, Analysis and Improvement Task 7 regarding analysis of data, and Management Task 6

Process: Information Management
Purpose
The purpose of the Information Management Process is to ensure effective documentation control and communication, between the Auditing Organization and the medical device manufacturers, the Regulatory Authorities and the public. The Information Management Process must ensure the necessary level of confidentiality.
Outcomes
As a result of the assessment of the Information Management process, objective evidence will show whether the Auditing Organization has:
A. Established an effective process for documentation control.
B. Made appropriate information available about its activities and clients to Regulatory Authorities and the public.
C. Established appropriate contractual arrangements with its clients.
D. Implemented appropriate arrangements to safeguard confidentiality.
Risks relative to this process
The failure of the Information Management Process poses the following risks:
- Lack of control of internal documentation leading to inappropriate audits and decisions;
- Lack of control of information shared with external parties, potentially providing inaccurate, obsolete or misleading information; and/or,
- Leak of confidential information

Assessment Tasks

Task 1
- Verify that procedures have been defined, documented, and implemented for the control of documents and records required by the quality management system.
- Confirm the organization retains records and at least one obsolete copy of controlled documents for a period of time not less than 15 years.

Applicable requirements
ISO/IEC 17021-1:2015 clauses: 10.2.3, 10.2.4
IMDRF/MDSAP WG/N3 clauses: 10.1.2

Guidance
If the Auditing Organization uses an electronic document control system, including the use of electronic signatures, the assessor should verify that the Auditing Organization ensures that the electronic signature has the same value as a handwritten signature, and validates the system to ensure the authenticity of the signature, that a signed document cannot be tampered with, and that the documents can be retrieved and read for at least 15 years.

The assessor should verify that audit records are uniquely identified, including their version. If an audit record needs to be amended, the changes and their author should also be identifiable. Optimally, the version of the audit record should be traceable to the decision on the manufacturer's conformity.

Typical evidence
Document Control and record controls procedures, client file

Task 2
- Verify that the Auditing Organization made publicly accessible or provided upon request information describing its audit programs.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 8.1
IMDRF/MDSAP WG/N3 clauses: Not applicable

Guidance
This task is related to the Auditing Organization's audit programs or schemes they offer, and not the audit program for an individual manufacturer.

The assessor should identify the ways in which the Auditing Organization provides information about its audit programs.

Link with other assessment tasks
Publicly available information may affect the Auditing Organization's impartiality (see Management Task 6).

Task 3
- Verify that the Auditing Organization has provided detailed information to the medical device manufacturer regarding the audit and decisions process, including the process addressing complaints and appeals, as well as fees.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 8.5.1, 8.5.2
IMDRF/MDSAP WG/N3 clauses: Not applicable

No additional guidance

Typical evidence
This information may be found in contracts, conditions on certificates, website, etc.

Task 4
- Verify that the Auditing Organization has established contractual arrangements with the medical device manufacturers specifying the responsibilities of both parties.
- Verify that the contractual arrangements allow for the recognizing Regulatory Authority to observe and assess the auditing organization's audits.
- Verify that the contractual arrangements give permission for the recognizing Regulatory Authority to exchange information with other Regulatory Authorities that maintain Confidentiality Agreements.
- Verify that the contractual arrangements specify requirements regarding the reference to their conformity status and potential action to deal with misuse or misrepresentation of the conformity status.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 5.1.2, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5
IMDRF/MDSAP WG/N3 clauses: 5.1.4, 5.1.5

Guidance
The assessor should verify that the contractual arrangements do not restrict the exchange of information in relation to the manufacturer between the Regulatory Authorities that maintain Confidentiality Agreements.

The assessor should verify that a contractual arrangement does not imply that a certification document issued by the Auditing Organization is:
- An approval of the medical device, or a guarantee of its safety and effectiveness;
- A guarantee of compliance of the manufactured products to the regulations included in the scope of the audit/certification;
- A guarantee that the product will obtain a marketing authorization from a Regulatory Authority.

Typical evidence
Contractual arrangements

Task 5
- Verify that the Auditing Organization provides the recognizing Regulatory Authorities with audit reports and certificates that meet regulatory requirements, as well as other required and requested reports and communications.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: Not applicable
IMDRF/MDSAP WG/N3 clauses: 8.6

Guidance
The assessor should verify that the Auditing Organization communicates to the recognizing Regulatory Authority(s) within 5 working days of becoming aware of any of the following, regardless of the source of information that makes the Auditing Organization aware of such reportable situations:
- Any fraudulent activities by, or counterfeit products from, any medical device manufacturer;
- Information that indicates a public health threat;
- A decision to refuse, suspend, reinstate, restrict or withdraw a certificate; or
- Significant changes relevant to the Auditing Organization's recognition, in any aspect of its status or operations (see the list in IMDRF/MDSAP WG/N3 clause 8.7.5).

Typical evidence
Records of communication between the Auditing Organization and the recognizing Regulatory Authority, Client file, Suspended/Withdrawn Certificates

Task 6
- Verify that the Auditing Organization made information on conformity status or certifications granted, suspended or withdrawn, publicly accessible or provided upon request.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 8.1.2
IMDRF/MDSAP WG/N3 clauses: Not applicable

No additional guidance

Task 7
- Verify that the Auditing Organization has defined, documented and implemented procedures and legally enforceable arrangements to safeguard confidentiality, unless disclosure is required by the requirements of IMDRF/MDSAP documents or by law.

Applicable Requirement
ISO/IEC 17021-1:2015 clauses: 8.4
IMDRF/MDSAP WG/N3 clauses: 8.4

No additional guidance

Typical evidence
Procedures, contractual agreements between an Auditing Organization and a manufacturer, and contractual agreements between an Auditing Organization and its employees or external resources.

6. ANNEX 1

The information below is an excerpt from a sample MDSAP on-site assessment plan for an initial recognition or re-recognition assessment. The applicable requirements from ISO 17021-1:2015 and IMDRF/MDSAP WG/N3 and N4 have been added to the tasks, for reference. The clauses listed here are not intended to be an exhaustive list of the clauses that may apply to the task or the observed situation. When issuing the plan to an Auditing Organization, it is preferable to issue without the clauses.

Day 1 Date Facility Time

Assessor ATL + A

Assessment Model Key Process and Assessment Step
AO's Subject Matter Expert

Process: Management
1. Legal entity, legal responsibility liability, financing & eligibility [ISO 17021-1: 2015: 5.1.1, 5.3; IMDRF/MDSAP N3: 5.1, 5.3]

2. Quality Management System documents [ISO 17021-1:2015: 10.1,10.2.1,10.2.2; IMDRF/MDSAP N3: 10.1.1]

3. Quality policy, quality objectives and quality planning [ISO 17021-1:2015: 10.2.1; IMDRF/MDSAP N3: 10.1.3]

4. Organizational structure, responsibility, authority [ISO 17021-1:2015: 6.1, 7.2.3, 10.2.1; IMDRF/MDSAP N3: 6.1, 7.1.4, 8.6.1]

5. Adequacy of auditing resources [ISO 17021-1:2015: 7.2.1, 7.2.2; IMDRF/MDSAP N3: 6.1.2]

6. Management of impartiality [ISO 17021-1:2015: 5.2; IMDRF/MDSAP N3: 5.2, 7.1.6; IMDRF/MDSAP N4: 10.0]

7. Management review [ISO 17021-1:2015: 10.2.5, 10.3.4]

Process: Use of external resources
1. Extent of use and controls of external resources [ISO 17021-1: 2015: 7.5; IMDRF/MDSAP N3: 7.3, 7.5]

2. Contractual arrangements with external resources [ISO 17021-1: 2015: 7.3, 7.5 IMDRF/MDSAP N4: 10.0]

3. Internal competence to review the outcome of outsourced activities [IMDRF/MDSAP N3: 7.5.2]

Process: Measurement, Analysis & Improvement
1. Procedures relative to measurement, analysis and improvement [ISO 17021-1: 2015: 10.2.7]

2. Sources of quality data [ISO 17021-1:2015: 10.2.7; IMDRF/MDSAP N3: 10.1.3]

3. Investigation, corrections, corrective actions and preventive actions to address nonconformities and potential nonconformities [ISO 17021-1:2015: 10.2.7]

4. Reporting of corrective actions impacting the recognition [IMDRF/MDSAP N3: 8.6.5]

Day 2 Date Facility Time

Assessor ATL + A

Assessment Model Key Process and Assessment Step
AO's Subject Matter Expert

Process: Measurement, Analysis & Improvement
5. Decision on conformity to regulatory requirements supported by nonconforming audit or audit reports [ISO 17021-1:2015: 9.5.3]

6. Internal audits [ISO 17021-1: 2015: 10.2.6; IMDRF/MDSAP N3: 10.1.4]

7. Complaint handling and management [ISO 17021-1: 2015: 9.8; IMDRF/MDSAP N3: 9.8]

8. Communication with external resources having contributed to a nonconformity or complaint [ISO 17021-1:2015: 9.8.6]

9. Outputs of the Measurement, Analysis and Improvement process as inputs into the management review [ISO 17021-1:2015: 10.2.5.2]

Process: Competence Management
1. Identification of necessary competence to operate as a recognized auditing organization [ISO 17021-1:2015: 7.1.1, 7.1.4, 7.2.3; IMDRF/MDSAP N3: 7.1.1]

2. Procedure and criteria for competence evaluation of all personnel involved in audit and certification related activities [ISO 17021-1: 2015: 7.1.2, 7.2; IMDRF/MDSAP N3: 7.1.2, 7.1.3, 7.1.6; IMDRF/MDSAP N4: 9.0]

3. Identified personnel with demonstrated competence [IMDRF/MDSAP N3: 7.1.3, 7.2]

4. Training to the audit process and certification requirements and access to corresponding current documents [ISO 17021-1:2015: 7.2.6; IMDRF/MDSAP N4: 8.0]

5. Monitoring of personnel's competence and performance [ISO 17021-1:2015: 7.1.3, 7.2.9, 7.2.10; IMDRF/MDSAP N3: 6.1.5; IMDRF/MDSAP N4: 7.2]

6. Personnel's individual file [ISO 17021-1: 2015: 7.4; IMDRF/MDSAP N3: 7.4 IMDRF/MDSAP N4: 11.0]

7. Effectiveness of the competence evaluation methods and the competence management process [ISO 17021-1: 2015: 7.1.3]

Day 3 Date Facility Time

Assessor ATL + A

Assessment Model Key Process and Assessment Step
AO's Subject Matter Expert

Process: Audit & Decision
1. Procedures for the control of the Audit & Decision Process [ISO 17021-1:2015: 10.1, 10.2.1,10.2.2; IMDRF/MDSAP N3: 9.0]

2. Audit program establishment and update; audit time determination; planning of audits [ISO 17021-1: 2015: 9.1.3, 9.1.4, 9.2.1]

3. Selection and assignment of competent audit team, and communication prior to the audit [ISO 17021-1: 2015: 9.2.2; IMDRF/MDSAP N3: 9.0, 9.2]

4. Audit performance and audit report [ISO 17021-1: 2015: 9.4; IMDRF/MDSAP N3: 8.2, 9.4]

5. Review of correction and corrective action initiated in response to audit findings [ISO 17021-1:2015: 9.4.9, 9.4.10]

6. Technical review of the audit file and decision making on regulatory conformity of the manufacturer [ISO 17021-1: 2015: 9.5.3, 9.5.4, 9.6.5; IMDRF/MDSAP N3: 8.6.4, 9.5, 9.6, 9.6.3, 9.6.4]

7. Implementation and follow-up of the decision, including unannounced audits [ISO 17021-1:2015: 9.5.3.3, 9.6.4.2; IMDRF/MDSAP N3: 9.6.7]

8. Appeals [ISO 17021-1: 2015: 9.7]

9. Audit and decision records [ISO 17021-1:2015: 9.5.1.4, 9.5.2; IMDRF/MDSAP N3: 9.5.2]

10. Effectiveness of the Audit and Decision process [IMDRF/MDSAP N3: 10.1.3]

Day 4 Date Facility Time

Assessor ATL + A

Assessment Model Key Process and Assessment Step
AO's Subject Matter Expert

Process: Information Management
1. Control of documents and records [ISO 17021-1:2015: 10.2.3, 10.2.4; IMDRF/MDSAP N3: 10.1.2]

2. Public information on the audit program [ISO 17021-1:2015: 8.1]

3. Provision to the audited medical device manufacturers of detailed information on the audit and decision related processes [ISO 17021-1: 2015: 8.5.1, 8.5.2]

4. Contractual agreements with the audited medical device manufacturer [ISO 17021-1:2015: 5.1.2, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5; IMDRF/MDSAP N3: 5.1.4, 5.1.5]

5. Sharing of information with recognizing Regulatory Authorities on auditing activities, decisions on regulatory compliance and certification status [IMDRF/MDSAP N3: 8.6]

7. Provision to the public of information on certification status or certifications granted, suspended or withdrawn [ISO 17021-1: 2015: 8.1.2]

8. Control of confidential information [ISO 17021-1: 2015: 8.4; IMDRF/MDSAP N3: 8.4]

7. ANNEX 2
Reaffirmation and Interpretation of IMDRF/MDSAP WG/N3 and ISO/IEC 17021 on Threat to Impartiality Linked to Consultancy

1. An Auditing Organization or any part of the same legal entity shall not offer or provide medical device regulatory consultancy. (ISO/IEC 17021-1: 2015 5.2.5)
NOTE: No deviation to this requirement can be accepted.
2. If the Auditing Organization is a legal entity that is wholly or partly owned by a larger organization, the requirements for impartiality apply to both the Auditing Organization and the organization to which it belongs. (IMDRF/MDSAP WG/N3: 5.2.10)
NOTE: This requirement, as it relates to medical device regulatory consultancy means:
- ISO/IEC 17021-1:2015: 5.2.1: The larger organization should have corporate policies or equivalent ensuring that other legal entities within the group do not negatively impact the impartiality of the Auditing Organization.
- ISO/IEC 17021-1:2015: 5.2.2: Other legal entities within the group should be transparent with regards to the legal entity's activities that could represent a possible conflict of interest. In particular, the list of clients who received medical device regulatory consultancy services should be available to the Auditing Organization and to Regulatory Authority Assessors.
- ISO/IEC 17021-1:2015: 5.2.5: While it is not prohibited for a separate legal entity belonging to the same group as the Auditing Organization to provide medical device regulatory consultancy, the independence of the Auditing Organization from the group's Consultancy Organization must be demonstrated and documented. This demonstration should take into account: 1) organizational structure; 2) corporate branding and advertising; 3) contracts and agreements; 4) accounting; 5) top management and operational decision making; 6) individuals involved in the audit and certification activities.
- ISO/IEC 17021-1:2015: 5.2.6 + N3 5.2.3: While it is not prohibited for a separate legal entity belonging to the same group as the Auditing Organization to provide internal audit services, the following should be considered:
o this legal entity cannot offer internal audit services to a certified client of the Auditing Organization, and
o the Auditing Organization cannot certify a medical device manufacturer to which this other legal entity provided internal audits within three (3) years following the end of the internal audits.
- ISO/IEC 17021-1:2015: 5.2.7 + N3 5.2.3: The Auditing Organization cannot certify a management system on which a client has received medical device regulatory consultancy services from another legal entity of the same group within three (3) years following the end of the consultancy service or of the internal audits.
- ISO/IEC 17021-1:2015: 5.2.8: An Auditing Organization cannot outsource auditing services to any Consultancy Organization or to any individual that is part of the personnel of the Consultancy Organization, and
- ISO/IEC 17021-1:2015: 5.2.9: A Consultancy Organization belonging to the same group as the Auditing Organization cannot market its activities as linked to the Auditing Organization's activities.

3. The Auditing Organization shall not certify a management system on which a client has received management system consultancy or internal audits, where the relationship between the Consultancy Organization and the Auditing Organization poses an unacceptable threat to the impartiality of the Auditing Organization. (ISO/IEC 17021-1:2015: 5.2.7)

NOTE 1: A relationship that threatens the impartiality of the Auditing Organization can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing and payment of a sales commission or other inducement for the referral of new clients, etc. (Note to ISO/IEC 17021-1:2015: 5.2.2). For example, a relationship that represents an unacceptable threat to impartiality is an Auditing Organization and Consultancy Organization operating under the same brand name.

NOTE 2: Allowing a minimum period of three (3) years to elapse following the end of the management system consultancy is one way of reducing the threat to impartiality to an acceptable level.

4. An Auditing Organization cannot outsource audits to a Consultancy Organization. (ISO/IEC 17021-1:2015: 5.2.8)

NOTE: While this generally does not apply to individuals contracted as individual external auditors and external technical experts, it does apply to individuals that are part of the personnel of a Consultancy Organization belonging to the same group as the Auditing Organization. Using an employee of a Consultancy Organization belonging to the same group as the Auditing Organization as an external auditor represents an unacceptable threat to impartiality, regardless of whether the Auditing Organization would have contractual agreements with the Consultancy Organization or with the individual.

5. An Auditing Organization cannot market or offer its activities as linked with any organization that provides management system consultancy services. (ISO/IEC 17021-1:2015: 5.2.9)

NOTE 1: An example of an unacceptable link is the promotion of both an Auditing Organization's activities and a Consulting Organization's activities on promotional material (e.g. on the same webpage, or with direct links between webpages), or on an exhibitor booth.

NOTE 2: When an Auditing Organization and a Consultancy Organization have an evident relationship, for example if they belong to the same group, the promotion of each organization's activities that could be perceived as presenting a conflict of interest should include a disclaimer that:
- Certification would not be simpler, easier, faster or less expensive if the linked Consultancy Organization were used,
- The Auditing Organization cannot audit and certify an organization that obtained medical device regulatory consultancy services from the linked Consultancy Organization during the preceding three (3) years.

6. Providing internal audit services to an organization prohibits the Auditing Organization from offering certification services to this organization for a period of three years following the last internal audit performed for this organization. (IMDRF/MDSAP WG/N3: 5.2.3, 5.2.5)

7. Mock audits, gap audits or pre-assessment audits may be offered to certified medical device manufacturers as long as the Auditing Organization does not provide specific advice, instructions or solutions to address deficiencies. Deficiencies identified during such an audit must be taken into account when grading nonconformities identified under the medical device regulatory audit scheme. (IMDRF/MDSAP WG/N3: 9.2.5)

NOTE 1: The Auditing Organization should further mitigate the appearance of conflict of interest by ensuring that the auditors performing the mock audit, gap audit or pre-assessment audit of a manufacturer are not involved in the certification audit and certification decision.

NOTE 2: The scope of a mock audit, gap audit or pre-assessment audit offered to a certified client should be different from the pre-existing scope of certification. It would otherwise be seen as an internal audit prohibited according to ISO 17011 5.2.6.

8. The Auditing Organization must document any involvement in medical device regulatory consultancy undertaken by any personnel (including top management) prior to taking up employment with the Auditing Organization at the time of employment. (IMDRF/MDSAP WG/N3: 5.2.4)

NOTE: The documents should include the beneficiaries of the medical device regulatory consultancy services.

9. An individual cannot be involved in the audit and certification activities relative to a medical device manufacturer if he/she:
- Was an employee of, or provided medical device regulatory consultancy services to, the specific manufacturer or any company belonging to the same organization, at any time during the prior 3 years. (IMDRF/MDSAP WG/N3: 5.2.5);
- Provided medical device regulatory consultancy services to this specific manufacturer, its authorized representative or its supplier in the past three (3) years. (ISO/IEC 17021-1:2015: 5.2.10 and IMDRF/MDSAP WG/N3: 5.2.3 3rd and 4th bullets); OR
- Has a spouse or child who meets the conditions specified above.

NOTE 1: This applies to the Auditing Organization's employees, to external auditors and to external technical experts.

NOTE 2: If an individual is part of the personnel of a Consultancy Organization, this individual cannot be involved in the audit and certification activities relative to a medical device manufacturer if the Consultancy Organization provided medical device regulatory consultancy services to this specific manufacturer, its authorized representative or its supplier in the past three (3) years.

10. See also IMDRF/MDSAP WG/N29

8. Forms
MDSAP AS F0016.3 "On-Site Assessment Plan Form"
MDSAP AS F0016.5 "On-Site Assessment Report Form"

9. Reference Documents
ISO/IEC 17021-1:2015 "Conformity assessment -- Requirements for bodies providing audit and certification of management systems"

IMDRF/MDSAP WG/N3 (2nd Edition) "Requirements for Medical Device Auditing Organizations for Regulatory Authority Recognition"

IMDRF/MDSAP WG/N4 "Competence and Training Requirements for Auditing Organizations"

IMDRF/MDSAP WG/N6 "Regulatory Authority Assessor Competence and Training Requirements"

IMDRF/MDSAP WG/N11 "MDSAP Assessment and Decision Process for the Recognition of an Auditing Organization"

IMDRF/MDSAP WG/N29 "Clarification of the Term "Legal Entity" for MDSAP Recognition Purposes"

MDSAP AU P0019 "MDSAP Medical Device Regulatory Audit Reports"

10. Document History

Version No.: 001
Version Date: 2019-05-24
Description of Change: Initial release (This document provides updated guidance for assessments of Auditing Organizations that was originally presented in IMDRF/MDSAP WG/N5 "Regulatory Authority Assessment Method for the Recognition and Monitoring of Medical Device Auditing Organizations" and IMDRF/MDSAP WG/N8 - "Guidance for Regulatory Authority Assessors on the Method of Assessment for MDSAP Auditing Organizations".)
Author Name/Project Manager: CAPT Kimberly Lewandowski-Walker, USFDA

Version Approval

Version: 001
Approved: ON FILE CHAIR, MDSAP RAC
Date: 24 May 2019
