The Medical Device Single Audit Program (MDSAP) is an international initiative that allows a single regulatory audit of a medical device manufacturer’s quality management system. MDSAP enables recognized Auditing Organizations (AOs) to perform one audit that satisfies the quality system requirements of multiple regulatory authorities. The audit is based on ISO 13485:2016 and incorporates country-specific regulatory requirements from participating jurisdictions, including the U.S. FDA, Health Canada, Australia’s TGA, Brazil’s ANVISA, and Japan’s MHLW/PMDA. MDSAP helps reduce audit redundancy, streamline regulatory oversight, and support global market access.
MDSAP audit tasks are aligned with ISO 13485 clauses and with country-specific clauses outlined in the Audit Approach Document. The audit evaluates process implementation, effectiveness, and documented compliance across key QMS elements such as design control, Corrective and Preventive Actions (CAPA), complaint handling, production and process controls, and risk management. Nonconformities are graded against four independent criteria: direct or indirect impact on the QMS, whether the identified nonconformity is a repeat nonconformity, whether the process or procedure was not documented or not implemented, and whether there was any release of nonconforming devices.
MDSAP audits follow a structured three-year cycle. The audit cycle includes an initial certification audit (Stage 1 and Stage 2), two annual surveillance audits, and one recertification audit. The MDSAP audit scope is determined by the jurisdictions the manufacturer selects for market access. For example, Health Canada mandates MDSAP certification for Class II–IV devices.
MDSAP reduces audit redundancy but does not eliminate country-specific requirements for each regulatory authority under the MDSAP program. Manufacturers are responsible for demonstrating documented, auditable conformance to these requirements. Regulatory requirements apply based on the specific MDSAP participating country in which market approval is sought.
Electronic QMS platforms, such as SimplerQMS, support MDSAP audit readiness by providing validated control of quality records, audit traceability, and secure electronic signatures (compliant with 21 CFR Part 11). They also enable seamless integration of risk controls, training records, and CAPA workflows.
What Is the Medical Device Single Audit Program (MDSAP)?
MDSAP stands for Medical Device Single Audit Program. MDSAP is a global auditing initiative that allows recognized third-party auditors to conduct a single regulatory audit of a medical device manufacturer. This audit is designed to meet the QMS requirements of multiple participating regulatory authorities.
The MDSAP was developed by the International Medical Device Regulators Forum (IMDRF), building on a pilot program initiated by its predecessor, the Global Harmonization Task Force (GHTF). The GHTF aimed to improve global alignment of medical device regulatory requirements by reducing audit duplication and enhancing patient safety through standardized oversight of manufacturers across multiple markets.
The MDSAP program originated from the IMDRF’s ongoing efforts to streamline and harmonize regulatory approaches among participating countries. It was created in response to the growing need for regulatory convergence, increased efficiency in regulatory oversight, and a reduced burden for manufacturers operating in global markets.
The main objectives of MDSAP audits are listed below.
- Mutual Recognition: Allowing regulatory authorities to rely on a single audit report to fulfill their respective QMS oversight requirements.
- Audit Efficiency: Minimizing the number of separate audits required for each market, thereby reducing overall time and resources needed.
- Regulatory Transparency: Grading nonconformities based on severity and recurrence, using a standardized scoring model. Such a scoring model allows authorities to focus on process areas based on risk.
- Improved Detection and Oversight: Facilitating earlier identification of systemic issues and more structured post-audit follow-up.
Traditional audits are conducted separately by each regulatory authority. The MDSAP audit approach enables a single audit to fulfill the requirements of multiple jurisdictions. Traditional audits are often varied in scope, frequency, and specific requirements. The MDSAP is standardized and covers specific audit tasks aligned with each participating country’s regulatory framework. MDSAP audits are performed by Authorized Auditing Organizations (AOs) and follow a defined structure based on process-based auditing principles aligned with ISO 13485:2016 and the country-specific requirements of MDSAP participating countries.
Recent MDSAP developments include the increased use of remote and hybrid auditing. This has prompted QA teams to prioritize digital document accessibility, data integrity, and continuous audit readiness.
Guidance on nonconformity grading and audit documentation has also become more refined. This allows manufacturers to internally “pre-grade” nonconformities during internal audits to align with MDSAP scoring criteria.
The future outlook points toward greater convergence and harmonization among global regulatory authorities. This is evident in the growing interest from countries outside MDSAP’s five current members (Australia, Brazil, Canada, Japan, and the United States) in adopting or recognizing MDSAP requirements. Such developments could drive increased alignment across international markets, enabling MDSAP-compliant manufacturers to meet regulatory requirements more efficiently and expand their global market access.
What Are the Benefits of MDSAP?
The Medical Device Single Audit Program (MDSAP) offers a range of benefits that vary across key stakeholders, including manufacturers, regulatory authorities, and patients. For manufacturers, MDSAP reduces the burden of undergoing multiple audits by consolidating regulatory requirements into a single, standardized audit process. Regulatory authorities benefit from improved oversight through harmonized audit reports and risk-based auditing of specific processes, enabling more efficient resource allocation. Patients ultimately gain from improved global alignment in quality management practices, which supports efficient access to safer and more effective medical devices across multiple markets.
The benefits of MDSAP for manufacturers are listed below.
- Single Audit, Multiple Market Access: One MDSAP audit satisfies QMS requirements across multiple jurisdictions, thereby streamlining audit preparation and readiness.
- Reduced Compliance Burden Over Time: Harmonizing internal audit protocols, CAPA workflows, and document controls with the MDSAP model minimizes redundant inspections and improves audit readiness across participating regulatory jurisdictions.
- Improved Predictability and Transparency: Standardized audit structure and grading criteria provide greater predictability and transparency. This allows manufacturers to anticipate audit scope, understand regulatory expectations across different markets, respond to nonconformities, and maintain compliance more efficiently.
The benefits of MDSAP for regulatory authorities are listed below.
- Resource Optimization: Leveraging authorized third-party auditing organizations enables regulators to reallocate inspection resources more effectively. This allows regulatory authorities to focus efforts on high-priority areas, such as on-site audits of high-risk manufacturers and their facilities.
- Greater Consistency in Audits: The MDSAP audit model applies a standardized, process-based approach to core QMS elements such as management responsibility, design and development, product realization, supplier controls, and post-production monitoring. This standardization ensures consistent audit depth and harmonized audit requirements, thereby reducing variability between auditors and aligning regulatory expectations across jurisdictions.
- Information-Sharing and Risk-Based Oversight: Shared access to structured audit reports and graded nonconformities facilitates early detection of systemic issues. Information-sharing enables coordinated regulatory follow-up across participating authorities. Furthermore, MDSAP allows for risk-based oversight by focusing audit processes on areas with higher risk severity and recurrence.
The benefits of MDSAP for patients are listed below.
- Improved Quality Assurance: MDSAP requires manufacturers to maintain traceable, risk-based quality systems that link design controls, manufacturing processes, and post-market feedback. This risk-based quality system ensures that devices are safe and effective for patient use.
- Improved Patient Safety Outcomes: MDSAP enables early detection of systemic QMS deficiencies, such as ineffective CAPA closure, delayed complaint escalation, or inadequate supplier oversight. Early detection and resolution of deficiencies reduce the likelihood of device-related failures, recalls, and adverse events impacting patient safety.
Who Participates in MDSAP?
With the exception of the World Health Organization (WHO), all MDSAP members must be regulatory authorities. MDSAP membership is structured into three categories: RAC Members, Official Observers, and Affiliate Members, each with distinct levels of engagement and regulatory use of the MDSAP audit approach, as outlined below.
- MDSAP Regulatory Authority Council (RAC) Member: An RAC Member is a regulatory authority that is either a foundation member of the MDSAP Program or has attained full membership by being recognized by the MDSAP RAC.
- Official Observers: With the exception of the World Health Organization (WHO), an MDSAP Official Observer is a Regulatory Authority that participates in or observes RAC activities and program operations without holding formal membership. Official Observers use MDSAP audit reports and certificates to assess compliance within their own regulatory framework.
- Affiliate Members: Affiliate Members are Regulatory Authorities that participate in MDSAP activities. Affiliate Members demonstrate an understanding of the MDSAP objectives and apply them within their respective regulatory frameworks.
Who Are the MDSAP RAC Members?
Participating Regulatory Authorities (RAs) are the core governing members of the MDSAP program. These authorities form the MDSAP Regulatory Authority Council (RAC), responsible for the overall direction, oversight, and resource allocation supporting the development, maintenance, and expansion of MDSAP.
Participating RAs actively contribute to program governance and technical operations, ensuring that MDSAP remains aligned with international regulatory and quality management expectations.
In addition to providing governance and strategic leadership, Participating RAs are directly involved in the recognition, monitoring, and re-recognition of Auditing Organizations (AOs).
The current participating regulatory authorities are listed below.
- United States Food and Drug Administration (FDA)
- Health Canada
- Australia’s Therapeutic Goods Administration (TGA)
- Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)
- Japan’s Pharmaceuticals and Medical Devices Agency (PMDA) and Ministry of Health, Labour and Welfare (MHLW)
Who Are the Official Observers in MDSAP?
Official observers are regulatory authorities that formally monitor and contribute to the MDSAP Regulatory Authority Council (RAC) but do not make any official decisions. The RAC retains authority on MDSAP development, implementation, maintenance, and expansion activities. Official observers provide feedback on program development, may participate in work groups and forums, and can use MDSAP audit reports within their regulatory scope.
The official observers in MDSAP are listed below.
- European Union (EU): Observes MDSAP to evaluate alignment with EU MDR/IVDR audit principles and supports potential future adoption.
- United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA): Participates as an observer to assess compliance model suitability post-Brexit and evaluate potential integration of MDSAP into UK device oversight.
- Singapore’s Health Sciences Authority (HSA): As a new observer, it contributes to MDSAP policymaking and evaluates audit outcomes for application in national regulatory programs.
- World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVD) Programme: Observes MDSAP to explore its utility in global device quality assurance and supply chain evaluation.
Who Are the Affiliate Members in MDSAP?
MDSAP Affiliate Members include regulatory authorities that participate in MDSAP activities, utilizing MDSAP audit reports and/or certificates for evaluating compliance within their own regulatory framework. Affiliate Members report annually to the RAC on how MDSAP audit reports or certificates are used. These authorities may attend meetings and observe program operations to support international alignment and future collaboration.
The regulatory authorities on the official list of MDSAP Affiliate Members are listed below.
- Argentina’s National Administration of Drugs, Foods, and Medical Devices (ANMAT)
- Ministry of Health of Israel
- Kenya’s Pharmacy and Poisons Board
- Republic of Korea’s Ministry of Food and Drug Safety
- Federal Commission for Protection from Sanitary Risks (COFEPRIS) of Mexico
- South African Health Products Regulatory Authority (SAHPRA)
- Taiwan Food and Drug Administration (TFDA)
What Types of Organizations Are Eligible for MDSAP?
The types of organizations eligible for MDSAP include medical device manufacturers that market or intend to market devices in any of the MDSAP participating countries. MDSAP eligibility also applies to any organization that performs regulated activities impacting the device’s QMS, product conformity, or regulatory compliance.
The types of organizations eligible for MDSAP are listed below.
- Medical Device Manufacturers: Medical device manufacturers with ultimate responsibility for product design, labeling, market authorization, and QMS maintenance are the primary subjects of MDSAP audits. These legal manufacturers must demonstrate conformity to applicable ISO 13485 clauses and country-specific MDSAP requirements.
- Contract Manufacturers: Contract manufacturers are subject to MDSAP audits when they perform outsourced processes, such as sterilization, assembly, or packaging, that are critical to product conformity or are listed in regulatory submissions. Eligibility is based on the legal manufacturer’s reliance on the contract manufacturer’s validated processes, traceability, and quality system.
- Original Equipment Manufacturers (OEMs): OEMs may be audited when they supply finished devices or essential components under private-label agreements. OEMs may also be audited if they maintain control over design documentation, risk management, or production records referenced in the legal manufacturer’s regulatory filings.
- Global Subsidiaries: International affiliates, sister sites, or functional divisions are included in MDSAP audits when they perform regulated activities delegated by the legal manufacturer that impact product quality or regulatory requirements. Examples include handling of customer complaints, CAPA investigations, vigilance reporting, design updates, or post-market surveillance and trending.
The audit scope for MDSAP-eligible organizations is determined based on their operational control, responsibility for the quality management system, and contribution to processes regulated under ISO 13485:2016, as well as the specific requirements of the MDSAP participating regulatory authorities.
What Is Audited During an MDSAP Audit?
An MDSAP audit assesses a medical device manufacturer’s quality management system (QMS) for compliance with ISO 13485:2016 and the specific regulatory requirements of participating countries. The audit follows a standardized structure defined in the MDSAP audit model, which organizes the assessment into seven interrelated process groupings.
The seven process groupings of the MDSAP audit model are listed below.
- Management: Evaluates top management’s oversight of the QMS, including quality planning, defined processes and responsibilities, resource allocation, and robust risk management.
- Device Marketing Authorization and Facility Registration: Verifies that the organization maintains proper device marketing authorizations, licensing, and facility registrations in accordance with the requirements of each participating regulatory authority.
- Measurement, Analysis, and Improvement: Evaluates how the organization monitors QMS performance, investigates nonconformities, implements CAPAs, and uses data analysis to drive continuous improvement.
- Adverse Event Reporting and Advisory Notices: Examines how outputs from post-market surveillance, such as complaints, adverse events, and field safety actions, are processed and reported to competent authorities.
- Design and Development: Assesses design controls, including risk management integration, verification, validation, and design transfer processes.
- Production and Service Controls: Evaluates production controls such as process validation, manufacturing controls, and environmental conditions to ensure product quality and consistency.
- Purchasing Controls: Reviews supplier qualification, purchasing data, and control of outsourced processes that impact product safety and regulatory compliance.
Each process grouping is audited using linked clauses from ISO 13485 and applicable country-specific regulations.
The audit also incorporates risk-based prioritization. Therefore, auditors may focus on areas with past nonconformities, high-risk products, or processes that directly affect product safety and performance.
What QMS Elements Are Audited During MDSAP Audits?
MDSAP audits evaluate key elements of a medical device organization’s quality management system to ensure compliance with ISO 13485:2016 and applicable regulatory requirements from participating authorities.
The core QMS elements audited during MDSAP audits are listed below.
- Management Responsibility: Refers to the role of top management in leading, planning, and supporting the quality management system. Under MDSAP, this process is assessed for evidence of leadership commitment, quality planning, resource allocation, and the effectiveness of management review activities.
- Internal Audits: Systematic evaluations performed by the organization to assess medical device QMS compliance and effectiveness. MDSAP evaluates the frequency, scope, objectivity, and follow-up of internal audits to ensure they drive continual improvement.
- Nonconformance Management and Corrective and Preventive Action (CAPA): A structured process for identifying, investigating, and addressing nonconformities to prevent recurrence. During MDSAP audits, CAPA systems are evaluated for the quality of root cause analysis, timeliness of implementation, effectiveness verification, and integration with risk management and trend analysis data.
- Document and Record Control: Ensures documents and records are properly managed, accessible, and traceable. MDSAP auditors verify control over document issuance, revision approval, archiving, and traceability to support audit readiness and data integrity.
- Risk Management: The process of identifying, evaluating, controlling, and monitoring risks throughout the product lifecycle. MDSAP audits confirm whether risk management activities are effectively integrated into design, manufacturing, and post-market surveillance.
- Design and Development: Covers the structured process of translating product requirements into safe, effective, compliant devices. MDSAP assesses design control procedures, including the planning and management of inputs and outputs, verification and validation activities, design changes, and traceability to risk management.
- Purchasing Controls: Systems designed to ensure suppliers and outsourced processes consistently meet regulatory and quality requirements. MDSAP evaluates supplier qualification, performance monitoring, re-evaluation processes, and the extent of control over purchased products or services.
- Production and Process Controls: Measures to maintain consistent product quality and compliance during manufacturing. MDSAP auditors evaluate process validation, environmental controls, equipment calibration and maintenance, personnel training, and in-process and final inspections that support product conformity.
- Complaint Handling and Reporting: Processes for managing feedback, identifying adverse events, and notifying regulators when required. MDSAP assesses complaint procedures, investigation records, escalation mechanisms, and regulatory reporting compliance.
- Training Management: Verifies that organizations establish and maintain procedures to ensure personnel are competent to perform their assigned tasks in accordance with quality management system requirements. MDSAP audits confirm that training needs are systematically identified, that personnel have received adequate training to carry out their responsibilities, and that training is documented.
- Change Control: Verifies that design and process changes are formally controlled through documented procedures. MDSAP audits also assess whether changes are reviewed, verified, and, where necessary, validated before implementation. All changes must be approved by authorized personnel. Supporting evidence, such as risk management records, must show that risks associated with changes are identified, evaluated, and reduced to an acceptable level.
These elements are assessed through a process-based, risk-oriented approach that reflects process interdependencies across the product lifecycle.
What Regulatory Requirements Are Assessed During MDSAP Audits?
An MDSAP audit verifies compliance with both the international standard ISO 13485:2016 and the specific regulatory requirements of all participating countries. Each regulatory authority defines its own set of applicable requirements. These requirements are integrated into the MDSAP audit model and assessed concurrently along with ISO 13485:2016 requirements. The regulatory requirements in an MDSAP audit are assessed through standardized audit tasks.
Key country-specific regulatory requirements assessed during MDSAP audits are listed below.
- United States (FDA – 21 CFR Part 820): Assesses conformity with the FDA Quality System Regulation (QSR), including requirements for design controls, production, CAPA, and complaint handling.
- Canada (Health Canada – Medical Devices Regulations & QMSR): Evaluates compliance with the Canadian Medical Devices Regulations (CMDR) and the Quality Management System Regulation (QMSR), which is based on ISO 13485:2016.
- Australia (TGA – Therapeutic Goods Regulations): Reviews conformance to requirements under the Therapeutic Goods Act and Regulations, focusing on TGA’s specific conformity assessment procedures.
- Brazil (RDC ANVISA 665/2022): Verifies compliance with Brazilian Good Manufacturing Practices (RDC ANVISA 665/2022), which governs manufacturing controls, technical documentation, and product release.
- Japan (MHLW Ministerial Ordinance No. 169): Assesses adherence to the Japanese Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents (MHLW Ministerial Ordinance No. 169).
What Is the Structure of an MDSAP Audit?
The MDSAP audit is structured around a standardized, process-based approach designed to ensure consistent, risk-based evaluation of a medical device manufacturer’s QMS across all participating regulatory jurisdictions. The audit process follows a defined sequence, frequency, and documentation requirements as per the MDSAP audit approach.
The structure of an MDSAP audit is listed below.
- Audit Cycle and Frequency: MDSAP follows a three-year certification cycle consisting of an initial certification audit (Stage 1 and 2), followed by annual surveillance audits and a full recertification audit in the third year.
- MDSAP Audit Approach Document: The MDSAP audit approach document provides structured task-level criteria, ISO 13485 clause references, and applicable country-specific requirements. This document guides auditors in assessing regulatory conformity and process effectiveness.
- Audit Sequence and Task Structure: Audits are performed using a fixed sequence of process-based tasks with defined linkages, for example, linking CAPA to complaint handling. This ensures traceable evaluation of system-level performance and interdependent controls.
- Grading of Non-Conformities: Nonconformities identified during the audit are graded against four independent criteria: direct or indirect impact on the QMS, whether the identified nonconformity is a repeat nonconformity, whether the process or procedure was not documented or not implemented, and whether there was any release of nonconforming devices.
- Surveillance and Recertification Audits: Surveillance audits are conducted annually to assess ongoing QMS conformity. The recertification audit is a full-scope assessment to renew MDSAP certification at the end of each three-year cycle.
1. Audit Cycle and Frequency
MDSAP audits follow a structured three-year cycle, comprising an initial certification audit, two annual surveillance audits, and a recertification audit at the end of the third year. This cycle ensures continued oversight of the QMS and continuous verification of regulatory conformity across participating jurisdictions.
The structure of the MDSAP audit cycle is listed below.
- Initial Certification Audit (Year 1): The initial certification audit is conducted in two stages. Stage 1 reviews QMS documentation, scope, and regulatory readiness. Stage 2 is an on-site assessment of the implementation and effectiveness of the QMS, covering key processes such as management responsibility, production controls, CAPA, and supplier management. For example, auditors assess whether CAPAs and root cause investigations comply with documented procedures, and whether design validation outputs are appropriately linked to risk management files.
- Surveillance Audits (Years 2 & 3): Surveillance audits are conducted annually to verify continued compliance and effective operation of the QMS, with emphasis on areas of previous nonconformity, regulatory updates, and ongoing risk management. Audits include review of key processes such as design and development controls, production processes, CAPA, document control, and post-market activities as applicable.
- Recertification Audit (End of Year 3): The recertification audit is a full-scope reassessment of the entire QMS, including verification of sustained corrective actions and assessment of changes made during the certification cycle. The audit confirms that the QMS remains effective, compliant, and capable of supporting the manufacturer’s continued market access across all participating MDSAP jurisdictions.
The audit cycle may be modified based on factors such as the manufacturer’s compliance history, device classification, or significant regulatory events. For example, manufacturers of high-risk implantable devices may be subject to more rigorous audit scrutiny. Similarly, the occurrence of serious reportable adverse events or significant changes in organizational structure may trigger additional audits or changes to audit timing and scope.
Special audits under MDSAP may be triggered outside the planned audit cycle when significant events occur, such as major complaints, critical nonconformities, or post-market issues; when a manufacturer requests an extension to the certified scope for new or modified products; or when regulatory authorities request an investigation due to new information or serious concerns.
2. MDSAP Audit Approach Document
The MDSAP audit approach is a structured, process-based framework used by authorized auditing organizations (AOs). The purpose of the MDSAP audit approach is to evaluate a manufacturer’s QMS for compliance with ISO 13485:2016 and the regulatory requirements of all participating jurisdictions.
The MDSAP Audit Approach document provides guidance and a comprehensive structure for conducting MDSAP audits, including process-level audit tasks, ISO clause references, jurisdiction-specific requirements, and expectations for audit evidence.
The MDSAP Audit Approach defines audit tasks that follow a logical, risk-based sequence to reflect natural process interdependencies. Each task group is linked to relevant ISO clauses and jurisdictional regulations. Based on these task groups, auditors assess both process compliance and cross-functional interactions between processes. This includes the linkage between nonconformance handling, CAPA, and risk management. For example, during an audit of the measurement, analysis, and improvement process, auditors may trace a recurring nonconformance from internal audit findings through to CAPA closure. Auditors may also verify whether the residual risk was updated in the risk management file and discussed during management review.
The MDSAP Audit Approach is intended for use by AOs. However, it also serves as a practical reference for QA/RA teams preparing audit documentation, conducting internal mock audits, and aligning QMS architecture with MDSAP audit requirements. Structuring internal audits using the MDSAP Audit Approach helps organizations more effectively identify systemic gaps and anticipate auditor focus areas.
3. Audit Sequence and Task Structure
The MDSAP audit follows a standardized sequence of audit tasks aligned to defined processes that ensure a comprehensive and consistent evaluation of a medical device manufacturer’s QMS across multiple jurisdictions.
The audit is conducted using a process-based approach, where each task group reflects a key operational or regulatory function. Tasks are performed in a prescribed order to assess process linkages and compliance, with emphasis on risk-prioritized process areas.
The sequence and task structure of an MDSAP audit are outlined below.
- Management Process: Auditors evaluate how top management ensures an effective QMS through defined quality objectives and processes, resource allocation, assigned responsibilities, and effective risk management.
- Device Marketing Authorization and Facility Registration: This task evaluates whether the manufacturer maintains valid device marketing authorizations and facility registrations in each MDSAP-participating jurisdiction. Auditors verify that regulatory submissions, establishment registrations/licenses, and device listings are aligned with the manufacturer’s quality system scope and intended markets.
- Measurement, Analysis, and Improvement: Auditors assess the organization’s ability to monitor QMS performance and drive continuous improvement through effective nonconformance and complaint management, thorough investigation, CAPA implementation, and trend analysis. This includes reviewing audit records, effectiveness checks, and assessing how manufacturers prioritize improvement actions based on risk. Auditors also verify that risk management files are updated appropriately in response to identified issues.
- Adverse Event Reporting and Advisory Notices: This task group focuses on the organization’s post-market surveillance processes, including complaint handling, vigilance, and field safety corrective action procedures. Auditors evaluate whether adverse events and advisory notices are reported in accordance with jurisdiction-specific timelines, such as the FDA’s 30-day Medical Device Reporting (MDR) requirements.
- Design and Development: Design and Development refers to the structured process of translating product requirements into safe and effective medical devices. Auditors assess design planning, input and output controls, design reviews, verification and validation activities, design change management, and traceability to risk management. For example, audits may verify that usability risks identified during design and any residual risks are properly addressed in the risk management process.
- Production and Service Controls: This task evaluates how manufacturers control production and servicing processes to ensure devices conform to specifications. Auditors assess the validation of manufacturing processes, calibration and maintenance of equipment, environmental monitoring, and service procedure implementation. Auditors may review batch records, cleanroom qualifications, and nonconformance handling within production.
- Purchasing Controls: Auditors evaluate how manufacturers control suppliers and outsourced processes to ensure purchased products and services meet specified requirements. This includes initial supplier qualification, ongoing monitoring, and management of supplier-related nonconformities and CAPAs. Auditors typically review evidence such as supplier audit reports, quality agreements, and risk-based re-evaluation schedules.
Audit tasks are performed in a logical sequence to reflect process flow and interdependencies. For example, design outputs feed into production controls, while complaint data inform risk management and CAPA, if applicable. The audit approach assesses process linkages. This means gaps in one area (for example, ineffective complaint trending) will often lead to deeper review in related areas (for example, risk management or CAPA effectiveness).
The audit scope and sequence may be adjusted based on the manufacturer’s organizational structure, product portfolio, or risk profile. For instance, when a contract manufacturing facility is audited, design elements may be excluded if the audited facility does not maintain design responsibility.
4. Grading of Non-Conformities
Under the MDSAP audit approach, the grade of a nonconformity is calculated by applying objective scoring rules. Each nonconformity receives an initial base grade determined by whether the requirement has a direct or indirect impact on device safety and performance. Escalation points may then be added depending on the circumstances of the finding.
The nonconformity grading criteria are listed below.
- Indirect or Direct QMS Impact: Non-fulfillment of ISO 13485:2016 clauses 4.1–6.3 (except 4.2.3 Medical Device File) is considered to have an indirect impact on device safety and performance and contributes 1 point. Non-fulfillment of clauses 6.4–8.5 (except 8.2.4 Internal Audits) is considered to have a direct impact and contributes 3 points.
- Repeat Nonconformity: 1 point is added to the grade if the same ISO 13485 sub-clause is cited for a similar issue within the previous three years. This reflects ineffective root cause analysis or inadequate corrective action.
- Absence of Documented Process/Procedure and Implementation: 1 point is added if a required process is both undocumented and not implemented. Missing documentation alone remains a nonconformity but does not trigger escalation unless coupled with failure to implement.
- Release of Nonconforming Products: 1 point is added if a nonconforming medical device is released to the market. No escalation is applied if the release occurs under concession with adequate technical and scientific justification.
Under the MDSAP grading system, each nonconformity is assigned a score on a 1–5 point scale based on defined criteria. The maximum score is capped at 5.
The manufacturer is required to submit a remediation plan for each identified nonconformity within 15 calendar days from the audit end date. The remediation plan must include the investigation results, root cause, planned corrections, and corrective actions. For grade 4 and grade 5 nonconformities, the manufacturer is required to provide objective evidence of implementation within 30 calendar days from the audit end date.
Auditing Organizations (AOs) are responsible for verifying the implementation and effectiveness of these corrections and corrective actions, either during the next routine audit or, where necessary, through a follow-up special audit. If an AO identifies one or more grade 5 nonconformities, or more than two grade 4 nonconformities, a public health threat, or evidence of fraudulent activity or counterfeit product, the AO must notify the MDSAP Regulatory Authorities (RAs) within five working days of the audit’s completion. This notification is referred to as the MDSAP 5-Day Notice.
5. Surveillance and Recertification Audits
Surveillance and recertification audits are key checkpoints within the MDSAP’s three-year audit cycle. The purpose of the surveillance and recertification audits is to assess the ongoing state of control, effectiveness, and regulatory alignment of a manufacturer’s quality management system.
The key aspects of surveillance audits are listed below.
- Purpose: The purpose of the MDSAP surveillance audit is to verify the ongoing effectiveness of a manufacturer’s QMS and ensure continued compliance with ISO 13485 and the regulatory requirements of participating MDSAP jurisdictions. Auditors also evaluate the effectiveness of corrections and corrective actions for previously identified nonconformities.
- Scope: The scope of surveillance audits includes a subset of QMS processes, selected based on risk, performance history, and audit cycle planning. Each surveillance audit (Years 1 and 2) typically includes different elements as part of a rotational plan. Surveillance audits focus on any changes in the manufacturer’s products or QMS processes since the initial certification audit. Surveillance audits should also include a review of issues related to medical device safety since the last audit (e.g., complaints, recalls, vigilance reports).
- Frequency: Surveillance audits are conducted annually in years two and three, with timing and depth determined by the previous audit’s grading outcomes, product classification (Class III or active implantable), and the manufacturer’s history of recalls or field safety corrective actions.
- Duration: Surveillance audits are shorter than the initial audit. The length of the audit may be extended based on factors such as multi-site operations or outsourced critical processes, such as contract sterilization or third-party complaint handling.
The recertification audit or re-audit is conducted at the end of year 3. The recertification audit is a re-evaluation of the manufacturer’s QMS.
The key aspects of recertification audits are listed below.
- Purpose: Recertification audits determine whether the organization’s QMS continues to be effective and fulfills the applicable regulatory requirements under each participating country’s legislation (e.g., 21 CFR 820, QMSR, ANVISA RDC 665/2022).
- Scope: Recertification audits are comprehensive and include all applicable MDSAP processes, including those not covered in prior surveillance audits. They also include a review of previous MDSAP audit reports, changes to devices or QMS since the last audit cycle, and the long-term effectiveness of corrective actions. A recertification audit also focuses on whether the QMS maintains end-to-end traceability, for example, linking a recurring nonconformance to a corrective action, through to any resulting field safety corrective action, and updates to the risk management file.
- Outcome: The audit outcome determines whether the MDSAP certification is renewed for another three-year cycle or suspended/withdrawn due to unresolved high-grade nonconformities or failure to respond to regulatory updates.
How Are MDSAP Audits Conducted?
MDSAP audits are conducted by authorized Auditing Organizations (AOs) using the standardized, process-based, and risk-prioritized methodology defined in the MDSAP Audit Approach. This approach aligns audit tasks to ISO 13485:2016 clauses and integrates jurisdiction-specific regulatory requirements from participating authorities, ensuring consistent and comprehensive evaluation of a manufacturer’s quality management system.
The general process for conducting MDSAP audits is outlined below.
- Audit Planning: The AO coordinates planning activities with the manufacturer. The purpose of audit planning is to define audit scope, site applicability, product families, and audit team composition, taking into account prior audit outcomes and device classification, among others.
- Document Review (Stage 1): Auditors conduct a pre-audit evaluation of QMS documentation. This includes the quality manual, site master file, risk management files, and closure status of previous audit findings. The purpose of a document review is to evaluate the readiness of the manufacturer to progress to a Stage 2 audit and to determine document sampling priorities and the extent of scrutiny.
- On-Site Audit Execution (Stage 2): The audit team performs in-person process evaluations, facility walkthroughs, and cross-functional interviews. The purpose of an on-site execution is to verify, through direct observation and objective evidence, that the manufacturer’s quality management system is effectively implemented, controlled, and compliant with applicable regulatory requirements.
- Audit Tasks Execution: Tasks are performed in the order prescribed by the MDSAP Audit Approach. The purpose of the audit task execution is to assess process interlinkages between areas such as complaint handling, CAPA, and risk management. Auditors also assess traceability and regulatory alignment across task groups.
- Non-Conformity Identification & Grading: Findings are documented and graded using the MDSAP point-based system (Grades 1–5) based on QMS impact and recurrence of the nonconformity. Additional points are added if a nonconforming device was released or if there is an absence of a documented, implemented procedure. For example, a nonconformity against a QMS requirement with a direct impact on the device’s safety and performance starts at Grade 3. If the identified nonconformity is also a repeat nonconformity, 1 point is added, and the assigned grade becomes Grade 4. If the nonconformity is combined with the release of a nonconforming product or the absence of required procedures, the grading escalates to Grade 5.
- Audit Reporting: The AO issues a structured audit report summarizing findings, which are graded and linked to ISO 13485 clauses and applicable country-specific regulatory requirements. A clear statement of nonconformity, objective evidence, and relevant process references is also provided for each finding.
- Corrective Action Follow-Up: The manufacturer is required to respond to all nonconformities raised and should submit a remediation plan including root cause analysis, corrections, planned corrective actions, and objective evidence of implementation and effectiveness verification. The AO then evaluates the adequacy and timeliness of initiated or implemented actions.
- Decision and Certification: The AO determines whether certification is granted, renewed, suspended, or withdrawn based on audit results and CAPA outcomes. Certification status and high-grade nonconformities may be reported to participating regulatory authorities for compliance monitoring.
What Are MDSAP Implementation Considerations for Medical Device Companies?
Implementing MDSAP involves several preparation steps, including selecting an auditing organization, optimizing internal systems, and ensuring audit readiness in alignment with the MDSAP framework.
Considerations for medical device companies when implementing MDSAP are listed below.
- Selecting an MDSAP-Recognized Auditing Organization (AO): Choose a recognized AO based on geographic coverage, technical expertise, regulatory scope, and audit capacity to support multi-site or high-risk device operations.
- Enrolling with the Chosen Auditing Organization: Complete AO enrollment by declaring applicable facilities, product families, and intended jurisdictions to establish audit scope and regulatory applicability.
- Aligning the Internal QMS with MDSAP Requirements: Map QMS processes to the MDSAP Audit Approach document and ensure integration of jurisdiction-specific regulations (such as FDA 21 CFR 820, ANVISA RDC 665/2022, Health Canada QMSR) as well as ISO 13485.
- Conducting a Gap Assessment: Perform a clause-by-clause and process-by-process gap analysis against the MDSAP Audit Approach Document. Identify areas of weakness or control deficiencies, e.g., missing supplier re-evaluation records (purchasing task) or lack of documented escalation criteria in management reviews (management task). Document each gap with ISO 13485 clause references and MDSAP country-specific regulatory citations. Implement a remediation plan to address identified gaps with clearly assigned responsibilities and timelines.
- Updating QMS Documentation and Procedures: Revise controlled documents such as SOPs, work instructions, forms, and quality plans. This ensures alignment with MDSAP audit task groups and regulatory-specific expectations. For example, update the CAPA procedure to explicitly define criteria for effectiveness checks and link closure to documented risk re-assessment.
- Training Internal Teams on the MDSAP Framework: Train cross-functional teams such as QA, RA, Design Engineering, Production, and Supplier Quality teams on the structure and expectations of the MDSAP Audit Approach. Focus on how to map audit tasks to internal procedures and demonstrate process interdependencies. For example, train teams to explain how a trend in returned devices triggered a CAPA, how effectiveness was verified, and how risk updates were made.
- Running Mock Audits: Conduct structured internal audits following MDSAP sequencing using MDSAP audit checklists and audit trail sampling. Include simulated grading of nonconformities and document and review findings using a format similar to AO audit reports. Well-structured mock audits not only prepare staff for external audits but may also help uncover systemic gaps.
- Leveraging an Electronic QMS (eQMS): Consider using a validated eQMS for version control on SOPs, triggering training upon document release, recording training completion, and linking audit findings and nonconformities directly to CAPA records and associated risk files. Electronic QMS enables workflow automation, routing documents, CAPAs, and approvals automatically to responsible teams, with time-stamped records for traceability.
As of 2024, MDSAP has seen broad adoption among medical device manufacturers seeking streamlined access to multiple global markets. Adoption continues to expand, particularly among organizations aiming to reduce audit duplication and align with multiple regulators through a single audit process.
How Do Companies Become MDSAP Certified?
To become MDSAP certified, a medical device company must undergo a formal audit by a recognized AO. The certification process is designed to verify that the company’s quality management system complies with MDSAP requirements in the Audit Approach Document. This includes ISO 13485:2016 requirements and the regulatory requirements of all MDSAP-participating countries. The country-specific requirements need to be met if the medical device manufacturer aims for market approval in those countries.
The certification process begins with the selection and enrollment of a recognized AO, followed by the definition of the audit scope. The audit scope could include sites or product types. The organization aiming for MDSAP certification must demonstrate compliance through a two-stage audit.
The steps in a two-stage audit for MDSAP certification are listed below.
- Stage 1 (Readiness Review): Evaluates documentation, regulatory scope, and QMS structure.
- Stage 2 (On-Site Audit): Assesses QMS implementation and effectiveness with a risk-based focus, following the complete MDSAP audit sequence across core task groups, confirming process linkages and interdependencies.
Nonconformities are graded, reported, and must be addressed through corrective action plans and effectiveness verification before certification is granted. The AO issues a certificate indicating MDSAP compliance across declared jurisdictions. This MDSAP certificate is subject to annual surveillance audits and a full recertification audit every three years.
The cost of MDSAP certification varies based on audit scope, number of sites, product risk classification, and the time required to audit each facility. The MDSAP certification cost includes fees for the initial certification audit, annual surveillance audits, recertification, and travel costs for auditors. Additional costs may arise from unannounced or special audits, or follow-up required for major nonconformities. Organizations should also account for internal costs, such as training personnel on MDSAP requirements, updating QMS documentation or procedures, or hiring consultants to support audit readiness or gap assessments.
MDSAP certification is valid for three years, with annual surveillance audits required in years two and three. A full recertification audit is required at the end of the third year to extend certification for the next cycle. The certificate may be suspended or revoked if critical or unresolved major nonconformities are identified during any audit. Continued certification is based on continued QMS performance, timely CAPA closure, and continued compliance with applicable country-specific regulatory requirements.
How Does MDSAP Relate to Global QMS Requirements?
MDSAP relates to global QMS requirements by integrating ISO 13485:2016 with the regulatory requirements of all participating jurisdictions into a single, process-based audit model. This alignment allows manufacturers to demonstrate compliance with ISO 13485 and country-specific requirements through one harmonized audit.
Each MDSAP audit task is mapped to ISO 13485 clauses and expanded to include national requirements using the MDSAP Audit Approach Document. For example, a complaint handling process must meet the general requirements of ISO 13485 Clause 8.2.2 while also demonstrating compliance with FDA’s adverse event reporting timelines and Health Canada’s mandatory reporting requirements.
What Is the Relationship Between MDSAP and ISO 13485?
The relationship between MDSAP and ISO 13485 is that ISO 13485:2016 forms the foundation of the MDSAP audit model. Each audit task is mapped to specific clauses of the ISO 13485 standard. MDSAP then prescribes additional country-specific regulatory requirements from participating authorities.
The similarities between MDSAP and ISO 13485 are listed below.
- Process-Based Structure: Both MDSAP and ISO 13485 emphasize a structured QMS built around interdependent processes, including management responsibility, resource management, design and development, product realization, measurement, analysis, and improvement. Risk-based decision-making must be integrated throughout the QMS, in alignment with ISO 14971 and any jurisdiction-specific requirements in the MDSAP Audit Approach document.
- ISO 13485 as a Foundational Audit Framework: The MDSAP audit approach uses ISO 13485:2016 as its foundation, mapping each audit task directly to the relevant clauses of the standard. This provides a uniform, process-based evaluation of QMS effectiveness, process performance, and regulatory compliance. Each task also integrates country-specific requirements. Adherence to these country-specific requirements is essential for maintaining market access in participating jurisdictions.
- Regulatory Conformance Based on Objective Evidence: Both ISO 13485 and MDSAP require objective evidence that quality system processes are implemented, maintained, and capable of producing compliant medical devices. This includes traceability between design inputs and outputs, risk control verification, training documentation, and records demonstrating compliance with vigilance and post-market surveillance requirements.
The differences between MDSAP and ISO 13485 are listed below.
- Best Practice vs. Regulatory Program: ISO 13485 is a best practice international standard, but not a regulatory requirement. MDSAP, however, is a regulatory audit program recognized by specific national authorities (FDA, Health Canada, ANVISA) and specifies country-specific requirements.
- Additional Country-Specific Requirements: MDSAP incorporates jurisdiction-specific requirements such as FDA 21 CFR Part 820 or Brazil RDC 665/2022. These are additional requirements to those stated in the ISO 13485 standard. As a result, the outcomes of an MDSAP audit have a direct impact on continued market access within participating jurisdictions.
- Nonconformity Grading and Certification Consequences: MDSAP applies a standardized, quantitative five-point grading system (1–5 scale) to evaluate nonconformities. Grades 1 to 3 require corrective action and must be addressed within the quality management system. In the event of a single Grade 5 nonconformity or three or more Grade 4 nonconformities, participating Regulatory Authorities must be notified. Grade 4 and 5 nonconformities may result in follow-up actions such as special audits or inspections. High-severity findings can directly affect an organization’s MDSAP certification status and continued market access in participating jurisdictions. In contrast, nonconformity grading during ISO 13485 certification is more qualitative in nature. Escalation rules are not as formalized. However, major nonconformances typically require formal corrective action plans and verification of implementation before certificate issuance or renewal.
How Does MDSAP Differ From Other National QMS Requirements?
MDSAP applies the process-based audit structure of ISO 13485:2016. However, MDSAP differs from national QMS requirements that involve single-jurisdiction QMS audits. It differs by evaluating conformity to ISO 13485 clauses in parallel with jurisdiction-specific regulatory requirements from all participating authorities in a single integrated audit, as outlined in the examples below.
- Canada (Health Canada): MDSAP audits verify compliance with ISO 13485:2016 requirements for outsourcing of processes. MDSAP audits check that controls are properly documented in the quality management system. These audits also confirm that the list of critical suppliers is current and accurate. For Canada, MDSAP audits verify that the roles and responsibilities of regulatory correspondents, importers, distributors, and service providers are clearly documented in the quality management system. These parties must be qualified as suppliers and appropriately controlled.
- United States (FDA – QSR): MDSAP audits confirm that procedures for measurement, analysis, and improvement are documented and implemented. The purpose is to monitor product conformity, capture feedback, and ensure timely corrective and preventive action. For the United States, MDSAP audits also verify compliance with 21 CFR 820.100, including requirements to disseminate information on quality problems and nonconforming product to those responsible for assuring quality as per 21 CFR 820.100(a)(6) and to provide relevant information on identified issues and CAPA activities for management review as per 21 CFR 820.100(a)(7).
- Brazil (ANVISA – RDC 665/2022): Under MDSAP, auditors verify compliance with ISO 13485 requirements for measurement, analysis, and improvement. These include procedures to monitor product conformity, capture feedback, and implement corrective and preventive actions. For Brazil, auditors also confirm compliance with RDC 665/2022, Article 120 (VI). As per this requirement, information on quality problems or nonconforming products must be disseminated to personnel responsible for maintaining product quality and preventing recurrence.
- Japan (PMDA/MHLW – Pharmaceuticals and Medical Devices Act): MDSAP audits verify compliance with ISO 13485 requirements for document and record control. Procedures must ensure documents and records are created, approved, updated, and maintained in line with QMS requirements. For Japan, MHLW MO169 establishes additional requirements. For example, manufacturers must retain records for 15 years for specially designated maintenance control required medical devices, or for one year plus the shelf life if that period is longer. For all other devices, records must be retained for five years, or for one year plus the shelf life if that period is longer. Training records and documentation must also be retained for five years.
- Australia (TGA – Document and Record Controls): MDSAP audits verify compliance with ISO 13485 requirements for document and record control. As per these requirements, procedures must be in place to ensure documents and records are established, approved, updated, and maintained in accordance with QMS requirements. For Australia, MDSAP audits also confirm compliance with TG(MD)R Regulation 5.10, which requires manufacturers to retain documentation and records for at least five years and, for high-risk devices such as Class III, implantable Class IIb, and Class 4 IVDs, to retain distribution, malfunction, and complaint records for up to ten years.
How Does QMS Software Help Companies Prepare for MDSAP Audit?
Electronic quality management system (eQMS) software supports MDSAP audit readiness by maintaining control over quality records such as SOPs, CAPAs, training logs, and design files. An eQMS supports compliance with ISO 13485:2016 and can assist in meeting requirements from authorities such as FDA (21 CFR Part 820), Health Canada (QMSR), and ANVISA (RDC 665/2022).
For MDSAP readiness, eQMS solutions enable evidence generation and traceability across MDSAP audit tasks, including management responsibility, measurement and analysis, design and production controls, and adverse event reporting.
The ways in which QMS software supports MDSAP audit preparation are listed below.
- Streamlining Document Control: Maintains controlled distribution, revision tracking, and approval workflows for quality documents. Supports compliance with applicable ISO 13485, FDA, and other jurisdiction-specific documentation requirements.
- Managing CAPAs and Non-Conformities: Enables complete CAPA lifecycle management, including root cause analysis (5 Whys, Fault Tree), risk-based prioritization, implementation tracking, and effectiveness verification. Ensures linkages between audit findings, complaints, nonconformities, and associated CAPAs are maintained for regulatory review. This supports compliance with FDA 21 CFR 820.100 and Health Canada’s mandatory problem reporting.
- Streamlining Training Records: Provides automated assignment of training requirements based on controlled document updates, role changes, or regulatory triggers. Captures completion status, assessment outcomes, and retraining intervals to ensure compliance with ISO 13485 Clause 6.2. This also supports Japan’s PMDA expectations for role-specific training documentation.
- Supporting Audit Trails and Record Retrieval: Maintains secure, time-stamped electronic audit trails in accordance with 21 CFR Part 11. Facilitates immediate retrieval of linked records (e.g., change history, approval status, revision metadata) during audit sampling or inspector inquiries.
- Enabling Monitoring and Reporting: Configures real-time dashboards and quality metrics to monitor QMS effectiveness, such as overdue CAPAs, audit nonconformity trends, and training completion rates. Outputs support management review inputs as required by ISO 13485 Clause 5.6 and inform cross-functional risk communication. Also supports the FDA’s Quality System Inspection Technique (QSIT) model, which focuses on CAPA trending, and Health Canada’s requirement to monitor adverse event trends.
- Facilitating Risk Management Integration: Supports integration of ISO 14971-compliant risk management documentation (hazard analysis, risk assessments, and risk control matrices) with QMS processes such as design control, CAPA, and change management. Enables traceability between identified risks, mitigation actions, and verification activities. This functionality supports TGA’s post-market vigilance oversight among other requirements.
SimplerQMS is a fully validated medical device eQMS platform purpose-built for life science companies. SimplerQMS supports end-to-end quality system architecture, integrating modules for document control, audit management, training, CAPA, design control, supplier qualification, change management, and others. SimplerQMS supports compliance with ISO 13485:2016, 21 CFR Part 820, EU MDR and EU IVDR requirements, and country-specific requirements under MDSAP.
The SimplerQMS platform includes an audit management module that enables structured planning, task-based execution, nonconformity categorization based on severity, and closure tracking. SimplerQMS also supports clause-level traceability, integration of risk management, and inspection readiness, thereby equipping QA/RA teams with the control and visibility needed to maintain audit readiness.
For manufacturers undergoing MDSAP audits, SimplerQMS provides the digital infrastructure to demonstrate QMS compliance, maintain lifecycle traceability, and ensure audit preparedness across all participating authority requirements.
