The Medical Device Single Audit Program (MDSAP) is a framework that streamlines the quality system audit process for device companies across multiple markets. The International Medical Device Regulators Forum (IMDRF) established a working group for the program in 2012 and, after a three-year pilot program, MDSAP was adopted by five major regulatory authorities: Australia, Brazil, Canada, Japan, and the US. Under MDSAP, medical device companies complete a single audit of their quality management system to comply with QMS requirements in all participating markets. MDSAP audits are conducted by MDSAP-recognized Auditing Organizations (AOs).
MDSAP is designed to reduce the regulatory burden of multi-market expansion while maintaining a consistent approach to device quality and safety. However, the program is not free of redundancies or challenges. In this article, we’ll review need-to-know characteristics of MDSAP for manufacturers considering this regulatory pathway.
MDSAP Participating Markets
MDSAP has five active participants: Australia, Brazil, Canada, Japan, and the US. (Europe remains an Official Observer along with the UK, which means Europe may utilize MDSAP audit reports or certificates for evaluating compliance with applicable medical device requirements, but does not accept them as evidence of compliance.) Each MDSAP participating market approaches the program differently. Some accept MDSAP certificates in lieu of their own QMS requirements; in others, you may still be required to complete additional inspections on a case-by-case basis.
Let’s take a quick look at each market:
Australian Therapeutic Goods Administration (TGA)
MDSAP certificates and audit reports must state that the manufacturer complies with the Therapeutic Goods (Medical Devices) Regulations 2002. TGA accepts MDSAP audits as evidence of QMS compliance but reserves the right to perform their own audits when deemed necessary.
Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)
Brazil revised its QMS requirements in 2022 with the implementation of RDC 665/2022. ANVISA accepts MDSAP certificates but manufacturers must apply BGMP provisions from RDC 665/2022 and its regulatory requirements.
Health Canada
Canada is the only participant that requires MDSAP certificates to satisfy its QMS requirements. Manufacturers of Class II, III, and IV devices must obtain MDSAP certificates to sell in Canada as of January 1, 2019.
Ministry of Health, Labour and Welfare of Japan (MHLW)
Japan has participated in MDSAP since 2015, but only implemented more comprehensive MDSAP certificate acceptance procedures in 2022. Manufacturers must submit specific MDSAP documents and pay additional fees for the Pharmaceuticals and Medical Devices Agency (PMDA) to perform a document review. Some device types are excluded from Japan’s MDSAP route.
US FDA
FDA accepts MDSAP audit reports as a substitute for routine Agency inspections. In light of FDA’s transition to Quality Management System Regulation (QMSR), FDA has stated it will continue accepting MDSAP certificates beyond QMSR’s implementation date in 2026. During the QMSR transition period, it will review and revise as needed any agency documents related to MDSAP.
Choosing Your MDSAP Market Strategy
You may seek MDSAP for any or all of the participating markets. For instance, if you undergo MDSAP certification for compliance with Canada’s requirements, your AO can audit your QMS to Health Canada’s requirements only. In this case, your MDSAP certificate will specify that your MDSAP certification covers only Canada’s requirements. You will need to pass another MDSAP audit to meet other country-specific requirements if you wish to enter another participating market down the road.
There are certainly cases in which eliminating markets from your MDSAP audit scope is beneficial. It may not be in your company’s best interest to implement ANVISA requirements if you have no intention of selling in Brazil, for example. Nevertheless, it’s advisable to develop a market expansion strategy before you pursue an MDSAP audit to optimize your time and financial investment in the audit process.
When electing to obtain certification to MDSAP, it is key to note that the MDSAP audit reports are sent to all participating members, even if the scope of MDSAP certification does not include the particular market. Using the example above, even if Brazil was eliminated from the MDSAP certification, your MDSAP audit reports would still be provided to ANVISA. The same applies to FDA, in that MDSAP audit reports are provided to FDA; therefore, even though FDA has not conducted an inspection of a manufacturer’s facility for years, they will be receiving updates on the status of the manufacturer’s QMS through MDSAP.
Key Differences Between MDSAP and ISO 13485 Requirements
ISO 13485 is the backbone of MDSAP with an overarching emphasis on risk management. The AO will audit your quality system to ISO 13485 as well as applicable regulations defined by MDSAP participants where you intend to sell your device. The differences between MDSAP and an ISO 13485 Notified Body audit have less to do with specific requirements and more to do with process.
The MDSAP Companion Document provides a roadmap for the audit approach. AOs use the Companion Document as guidance for conducting audits; manufacturers use it to understand the requirements and what to expect from the audit process. The Companion Document explains the audit sequence in detail, which includes seven processes:
-
-
- Management: Defines the responsibilities of management as well as the allocation of management resources, including a “management representative” who reports to company leadership on QMS performance, regulatory requirements, and is responsible for ensuring QMS requirements are met.
- Device Marketing Authorization and Facility Registration: The auditor examines documents proving that the manufacturer has obtained marketing authorization from regulatory authorities in jurisdictions where the device is sold, as well as fulfilled certain regulatory requirements, such as device listings, facility registrations, and change notifications, etc., where applicable.
- Measurement, Analysis and Improvement: The auditor examines fulfillment of QMS requirements in the standard (ISO 13485) and participating MDSAP authorities, particularly with regard to clinical data quality, clinical investigation design, corrective and preventive actions (CAPAs), and other activities for the purpose of identifying potential risks and non-conformances.
- Medical Device Adverse Events and Advisory Notices Reporting: The auditor assesses the manufacturer’s processes for reporting adverse events to regulatory authorities, reporting timing, and documentation.
- Design and Development: This section addresses design controls and documentation, as well as risk management. The auditor will evaluate nine outcomes related to the design and development of your device, such as design planning, verification, and validation, including software.
-
-
-
- Production and Service Controls: The longest and most intensive portion of the audit, this section covers the manufacturing of your device. The auditor will review outcomes related to device testing, infrastructure, traceability, facilities, equipment, and servicing to ensure your products meet specifications.
- Purchasing: Verifies that all purchasing requirements are met, as well as processes for continuous supplier evaluation.
-
MDSAP Follows a Three-Year Audit Cycle
Under MDSAP’s three-year audit cycle, manufacturers can expect four audit instances in three years before a recertification audit is required.
Initial audit
The Initial Audit (referred to as the “Initial Certification Audit”) is a complete audit of your
QMS. The initial audit is conducted in two stages. The Stage 1 Audit is a thorough inventory and review of your documentation. The auditor defines the scope of the Stage 2 audit and assesses your readiness for the next phase of the audit process. Stage 1 audits may be performed offsite.
Stage 2 of the Initial Audit examines the effectiveness of your QMS, technical documentation, and compliance with regulatory requirements. The objective of the Stage 2 audit is to ensure you maintain sufficient objective evidence that demonstrates your device is safe and effective. A Stage 2 audit is performed at all sites that will be recorded on the certificate.
Surveillance audits
The AO will perform a partial Surveillance Audit in each of the subsequent two years. Surveillance audits are meant to ensure your continued compliance between Re-audits, as well as review any product or technical documentation changes, vigilance reports, and compliance with post-market regulatory requirements. Surveillance audits typically do not include a Stage 1 Audit.
Recertification audit
A complete Re-audit, or “Recertification Audit,” occurs three years following your Initial Audit. A recertification audit is a repeat of the Initial Audit, though it may or may not include a Stage 1 audit if there have been no significant changes to the QMS.
Special Audits
AOs can also conduct audits outside the normal audit schedule, including Special Audits and Unannounced Audits. Special Audits are conducted in response to a specific circumstance (such as a Regulatory Authority request or a concerning post-market issue) and are usually limited in scope. Unannounced audits are a type of Special Audit that is conducted without notice, usually in response to a severe non-conformity.
Preparing for Your MDSAP Audit
The quality of your preparation will determine the success of your MDSAP audit. Even if you already have your ISO 13485 certification, it’s important to understand the audit process and implement country-specific requirements the auditors will be looking for. At a very high level, here’s how to prepare for your upcoming MDSAP audit:
- Familiarize yourself with the MDSAP Companion Document.
- Identify the country-specific regulatory requirements that apply to your device.
- Perform a gap assessment and address any gaps in your current QMS.
- Conduct an internal audit.
- Address any non-conformances cited by the internal auditor.
- Schedule your MDSAP audit with an AO.
Your internal audit is the most crucial step in your audit preparation. It should be a dress rehearsal of your real MDSAP audit, adhering to time limits and the audit sequence. It’s possible to perform an internal audit with in-house resources, but a third-party consultant with MDSAP expertise is the best way to ensure your audit is thorough and impartial.
Ready to get started?
MDSAP audits are some of the toughest in the industry. But they’re worth it to streamline your overall audit burden across multiple markets. MedEnvoy’s QMS consulting team has been working on MDSAP audits since the program’s inception. We can help you prepare for your upcoming audit by performing a comprehensive internal audit and assisting your team as they address any gaps or non-conformances. Contact us today.
Related resources:
Related Guidance
We share our expertise because we believe in removing barriers to global commercialization.
The Business Impact of EUDAMED on Market Access
The European Database on Medical Devices (EUDAMED) is often viewed by manufacturers purely as a compliance burden when…
MedEnvoy at RAPS Euro Convergence 2026
We are excited to share that MedEnvoy will be participating in RAPS Euro Convergence 2026 as an exhibitor! This year’s…
Key FDA Changes MedTech Manufacturers Need to Know
The FDA has issued an update for MedTech Manufacturers to its List of FDA-Recognized Consensus Standards, published as …