Compliance Corner: 8 Handy Tips From An MDSAP Auditor To Help You Ace Your Next Audit
NSF International's Brian Ludovico offers up advice for device-makers facing an audit under the Medical Device Single Audit Program.
With more and more manufacturers lining up for the Medical Device Single Audit Program – and Canada requiring certification to MDSAP beginning Jan. 1 – it's more important than ever to make sure your firm is prepared.
Below, Brian Ludovico, executive director of MDSAP regulatory certification for consulting firm NSF International, offers tips to help firms ensure the best possible audit experience.
NSF is an auditing organization (AO) for MDSAP, which allows device-makers to undergo one audit by an accredited third party to satisfy quality regulations for the US, Canada, Brazil, Japan and Australia.
Ludovico's comments came Oct. 24 at FDAnews' 13th Annual FDA Inspections Summit in Bethesda, Md.
"No auditor wants to sit back and try to think about what you're thinking about. So, you need to put your thoughts on paper," NSF International's Brian Ludovico says.
1. Document and justify your work. "If the Golden Rule of real estate is 'location, location, location,' then the Golden Rule of being audited is 'justification, justification, justification.' I say that because nobody knows what's going on in your head better than you. No auditor wants to sit back and try to think about what you're thinking about. So, you need to put your thoughts on paper to say, 'This is exactly what my train of thought was.' We've all been asked to show our work in school. That's kind of what it's like. We don't just want you to say, 'The answer is four,' and you might guess 30% of the time and get it right. Instead, we want to know exactly what's going on in your head. Justify things. Write things down. Give the auditor an idea of why you thought what you were doing was acceptable. It may be wrong. It may be right. But at least you're giving somebody, 'Here's how I interpreted what it was. Here's the path we took.' That's better than saying, 'I don't really know what this is and I'm afraid to interpret what that is, so I'm just going to sit back and do nothing,' because that's not going to get you anywhere. So, when it comes down to things like control of suppliers and control of processes – things like that – make sure you have minutes or something that says, 'This is the path we took.'"
2. Help your auditors plan. "The best way to do that is to provide the correct information to the AOs. All [auditing organizations] have some initial application form that we send out to ask you about things – how many employees you have, how many buildings you have, what are your key processes – those types of things. But in many cases, we're going to come back and ask you questions about specifics. Not just specifics regarding the distance apart facilities might be – although I do have to account for that during audit planning – but just really, what is being sold where. So, be ready to be able to provide that information so you can say to an auditor, 'Here's our devices, here's where each one is sold, here's what we do, here's the facility it's done in.' Have a roadmap of, 'It happens here, then it gets transferred to here, but then we have a distribution center here and this is where the product goes, and by the way, we don't label until the end, or we might not label at all' – such a roadmap is going to help you have smoother audits so there's no time being spent by the auditor to figure all that out."
3. Have relevant documents at the ready. "Each MDSAP task is timed. And I don't mean the auditor says, 'OK, we have 17 minutes. Go!' Rather, it's sort of built into the plan to get the total timeframe. Some tasks will go overtime, some will not. Obviously, an auditor is not going to leave an area if they believe there's more to be gained by staying in that area to finish the path they've gone down. And you cannot sit back and use stall tactics, because there's a timeframe to get through it, and at the end they may just say, 'Time is up. I need to move on,' because there's a logical flow and it must be followed."
4. Demonstrate control over your vendors. "The auditors can decide whether or not they're going to be auditing further. What I mean by 'further' is, they may get to your supplier evaluation section and realize that the control over your suppliers isn't as adequate as you think it is. While we all know that having a certificate is a great thing to have for your key suppliers – they may be certified to [global device quality systems standard] ISO 13485, or they may have an MDSAP certificate, or EU certificates, who knows – you can't just say to an auditor, 'Here, they have a certificate, that's all I do,' because that won't get you what you think it will get you. Rather, showing how you demonstrate adequate supplier control is the best thing to do. And that should also be written into your procedures. So, make sure you can say, 'Here's how I evaluate my suppliers.' But I'm not going to prescribe how you do it – instead, explain why you think the way you're controlling suppliers is best."
"You cannot eliminate from the scope of your audit somewhere you're marketing or selling your product. So, let's dispel that false belief right now," Ludovico says.
5. MDSAP is not à la carte. "Yet still, to this day, people think it is. People think, 'Well, I'm selling into Brazil, Canada and the US. But man, I would really like it if the FDA didn't show up on my doorstep. So, can I just have you guys come in and give me an MDSAP certificate, just to cover the US?' No. You cannot eliminate from the scope of your audit somewhere you're marketing or selling your product. So, let's dispel that false belief right now."
6. Employees should be more than just trained – they should also be competent. "There is a huge difference between training and competency. Training has morphed under the guise of the standard [ISO 13485], and really the understanding of any regulatory system. That competency is really what you need to address. Things like training can make up part of competency, but they don't make up the whole thing. It's very difficult to turn the light on yourself. Nobody wants to say, 'I didn't know the rules,' or 'I didn't know that.' It's very difficult to say that, especially when your job depends on it. Competency is something that is gained, usually through attributes, skills and knowledge – what's called the 'ASK' principles. So, when you're looking at your competency, make sure you look at things beyond just training. You might say, 'My employees went to a two-hour risk management training, therefore, they're the foremost leading experts in the world on risk' – great, have them call us, because I'd like to hear about that. I'd bet that they're not."
7. MDSAP auditors will be visiting your vendors one day. "A lot of the AOs have not gone to the level of the supplier yet. But don't be surprised if, as the auditors become savvier, that they do. But it's coming. I want to warn you. Because sooner or later, the savviness and the global reach of companies using suppliers to outsource processes is going to happen. And MDSAP auditors are going to start saying, 'I don't know that the control you have in-house is adequate, therefore I'm going to go to your supplier. Schedule a visit with them for me.' That will be a part of the program after it matures a bit more."
8. Make sure regulatory is friends with quality at your firm. "I know that regulatory and quality don't like each other. I know at many companies they don't get along. But get 'mom' and 'dad' to the table so they understand what's going on, because I'm so sick and tired of the quality people telling me, 'Let me go get my regulatory person to answer that question because I have no idea where we sell and what we do.' And then the regulatory person sits down and says things, but they have no idea about the QMS [quality management system]."