MDSAP Audit: The Complete Guide to the Medical Device Single Audit Program

Everything about MDSAP — the single audit program covering FDA, Health Canada, TGA, ANVISA, and MHLW. Audit process, grading, preparation, costs, and how to pass.

What Is MDSAP?

The Medical Device Single Audit Program (MDSAP) is an international program that allows a single regulatory audit of a medical device manufacturer's quality management system to satisfy the requirements of multiple regulatory authorities simultaneously. Instead of hosting separate audits from each country where you sell devices, one audit — conducted by a recognized Auditing Organization (AO) — covers the regulatory requirements of all participating authorities at once.

The program is managed by the International Medical Device Regulators Forum (IMDRF) and currently includes five participating regulatory authorities:

FDA — United States Food and Drug Administration
Health Canada — Health Canada's Medical Devices Bureau
TGA — Australia's Therapeutic Goods Administration
ANVISA — Brazil's Agência Nacional de Vigilância Sanitária
MHLW/PMDA — Japan's Ministry of Health, Labour and Welfare / Pharmaceuticals and Medical Devices Agency

The core concept: your quality management system is audited against ISO 13485:2016 as the foundation, plus the country-specific regulatory requirements layered on top for each market you participate in. The result is a single audit report that each participating regulatory authority can rely upon.

MDSAP was launched as a pilot in 2014, became fully operational in 2017, and has since grown to become the dominant quality system audit mechanism for medical device companies selling into multiple international markets. As of 2026, thousands of manufacturers hold MDSAP certificates, and the program continues to expand in scope and recognition.

Why MDSAP Exists

Before MDSAP, a medical device company selling in the US, Canada, Australia, Brazil, and Japan faced an exhausting audit calendar. Each regulatory authority conducted its own inspections or required separate third-party audits. A mid-size manufacturer might host five to eight audits per year — each covering substantially the same quality system but through a different regulatory lens. The burden was enormous:

Audit fatigue — Production floor interruptions, repeated document retrieval, and personnel tied up in audit rooms for weeks each year
Inconsistent findings — One auditor might interpret a process differently than another, creating conflicting corrective action requirements
Redundant cost — Each audit carried its own fees, travel costs, and internal preparation overhead
Scheduling nightmares — Coordinating multiple audit windows without disrupting operations

MDSAP eliminates this redundancy. One audit, one auditing organization, one report — and the regulatory authorities in all five countries can rely on the results.

Where MDSAP Is Mandatory vs. Voluntary

This is a critical distinction that manufacturers must understand clearly.

Country	MDSAP Status	Details
Canada	Mandatory	Health Canada requires MDSAP certification for all Class II, III, and IV medical device licenses. CMDCAS (the predecessor program) was fully replaced by MDSAP on January 1, 2019. You cannot obtain or maintain a Canadian medical device license without an MDSAP certificate.
United States	Voluntary (with significant benefits)	FDA accepts MDSAP audit reports as a substitute for routine FDA facility inspections. Manufacturers with MDSAP certificates may receive fewer unannounced FDA inspections. However, FDA retains the right to conduct for-cause inspections at any time.
Australia	Recognized	TGA accepts MDSAP audit results to fulfill conformity assessment requirements. For manufacturers seeking inclusion in the Australian Register of Therapeutic Goods (ARTG), an MDSAP certificate can streamline the registration process.
Brazil	Recognized	ANVISA accepts MDSAP audit reports as evidence of Good Manufacturing Practice (GMP) compliance. This can replace or supplement ANVISA's own GMP inspections, which historically involved Brazilian inspectors traveling to the manufacturer's facility.
Japan	Recognized	MHLW/PMDA accepts MDSAP audit results to support QMS compliance. The requirements are aligned with Japan's QMS Ministerial Ordinance (MO 169), which is itself based on ISO 13485 with Japan-specific additions.

The bottom line: If you sell in Canada, MDSAP is not optional. If you sell in any combination of the five participating countries, MDSAP almost certainly saves you time, money, and operational disruption compared to hosting separate audits.

MDSAP vs. Standalone Audits

Understanding the difference between an MDSAP audit and traditional standalone audits is essential for deciding whether and when to pursue MDSAP.

Traditional Audit Landscape

Without MDSAP, a manufacturer selling in multiple markets typically faces:

Audit Type	Purpose	Conducted By	Frequency
ISO 13485 certification audit	Third-party QMS certification	Notified Body or registrar	Annual surveillance; recertification every 3 years
FDA inspection	QSR/QMSR compliance	FDA investigators	Risk-based; every 1–4 years depending on device class and compliance history
Health Canada (pre-MDSAP)	CMDCAS audit	Recognized registrar	Annual surveillance
TGA audit	GMP compliance	TGA or recognized auditors	Periodic
ANVISA GMP inspection	Brazilian GMP compliance	ANVISA inspectors	Every 2–3 years (often involved international travel by Brazilian inspectors)
PMDA/MHLW audit	QMS Ordinance compliance	PMDA or recognized bodies	Periodic

A manufacturer selling in all five MDSAP markets could easily face four to six separate audits per year — all examining fundamentally the same quality system.

What MDSAP Consolidates

An MDSAP audit replaces most of the above with a single annual audit cycle. Here is what changes:

Without MDSAP	With MDSAP
Separate ISO 13485 certification audit	ISO 13485 covered within the MDSAP audit
Separate FDA inspection (routine)	MDSAP report accepted by FDA; reduced likelihood of routine inspections
Separate Health Canada audit	MDSAP certificate satisfies Health Canada requirement
Separate TGA audit	MDSAP report accepted by TGA
Separate ANVISA GMP inspection	MDSAP report accepted by ANVISA
Separate PMDA/MHLW QMS audit	MDSAP report accepted by MHLW/PMDA
4–6 audits per year	1 audit per year (plus potential for-cause inspections)

What MDSAP Does Not Replace

MDSAP is not a universal replacement for all regulatory interactions:

For-cause inspections. Any participating regulatory authority can still conduct its own inspection if there is a specific concern — a complaint trend, a product recall, an adverse event signal. MDSAP does not provide immunity from regulatory scrutiny.
Pre-market reviews. MDSAP covers quality system compliance, not product clearance or approval. You still need to submit 510(k)s, De Novos, PMAs, or equivalent applications in each market.
EU MDR/IVDR audits. The European Union is not an MDSAP participant. If you sell in Europe, you still need a Notified Body audit under EU MDR or IVDR. This is a separate process entirely.
Product-specific requirements. Some regulatory authorities have product-specific requirements (e.g., sterility assurance, biocompatibility) that go beyond what MDSAP covers. These may still require separate assessment.

The MDSAP Audit Model

The MDSAP audit model is built on a process-based approach, not a clause-by-clause review of ISO 13485. This is one of the most important things to understand about MDSAP — and one of the most common sources of confusion for companies preparing for their first MDSAP audit.

Process-Based Auditing

Traditional ISO 13485 audits often follow the standard clause by clause: the auditor reviews Clause 4, then Clause 5, then Clause 6, and so on. This can feel systematic but artificial — it does not reflect how your organization actually works.

MDSAP takes a different approach. Auditors follow interconnected processes through your quality system, tracing how inputs become outputs and how information flows between processes. The audit is organized around processes, not standard clauses.

There are seven process areas in the MDSAP audit model:

Process	What It Covers	Related ISO 13485 Clauses
Management	Management responsibility, resource management, QMS planning, management review	4.1, 4.2, 5.1–5.6, 6.1–6.4
Device Marketing Authorization and Facility Registration	Regulatory submissions, device listings, establishment registration, license maintenance	Country-specific (not directly mapped to ISO 13485 clauses)
Measurement, Analysis, and Improvement (MAI)	CAPA, complaints, internal audits, monitoring and measurement, nonconforming product, post-market surveillance, vigilance reporting	8.1–8.5
Medical Device Adverse Event and Advisory Notice Reporting	Adverse event reporting, field safety corrective actions, recalls	8.2.3, country-specific reporting requirements
Design and Development	Design planning, inputs, outputs, review, verification, validation, transfer, changes	7.1, 7.3
Production and Service Controls	Production planning, process validation, identification and traceability, preservation, installation, servicing	7.1, 7.5
Purchasing and Supplier Controls	Supplier evaluation, purchasing data, verification of purchased product, outsourced processes	7.4

Links and Connections

The process approach means the auditor does not stay in one silo. An auditor examining your CAPA process (within MAI) will naturally trace a corrective action back to a complaint, follow it through root cause analysis, and then check whether the resulting design change was managed properly under Design and Development. The auditor might then trace the design change into Production to verify that updated manufacturing instructions were implemented, and into Purchasing to verify that any new components were properly qualified.

This interconnected auditing approach means that weaknesses in one process area often surface during the audit of another. If your CAPA process is robust but your design change control is weak, the MDSAP auditor will find it — because they follow the thread.

The Audit Cycle

MDSAP operates on a three-year certification cycle, mirroring the ISO 13485 certification cycle:

Year	Audit Type	Scope
Year 1	Initial certification audit (Stage 1 + Stage 2)	Full audit of all process areas
Year 2	Surveillance audit	All process areas reviewed, with some areas receiving in-depth review
Year 3	Surveillance audit	All process areas reviewed, with different areas receiving in-depth review
Year 4	Recertification audit	Full audit of all process areas (new 3-year cycle begins)

Stage 1 audit (desk review): The auditing organization reviews your QMS documentation — quality manual, procedures, process maps, regulatory submissions — to assess readiness for the on-site audit. This is typically conducted off-site or remotely and identifies any significant gaps that need to be addressed before Stage 2.

Stage 2 audit (on-site): The full on-site audit where the auditor walks your processes, interviews personnel, reviews records, and verifies implementation. This is where the real assessment happens.

Surveillance audits occur annually and cover all seven process areas, but the depth of review varies. The auditing organization uses a risk-based approach to determine which areas receive deeper scrutiny in each surveillance cycle. Over the three-year period, every process area receives thorough examination.

Audit Tasks by Process Area

Each process area within the MDSAP audit has specific audit tasks defined in the MDSAP Companion Documents. Understanding these tasks is essential for preparation.

Management Process

The management process audit covers how top management directs and supports the QMS. Auditors evaluate:

Quality policy and objectives — Are they defined, communicated, measurable, and reviewed?
Management review — Is it conducted at planned intervals? Does it review required inputs (audit results, complaint trends, CAPA status, process performance, regulatory changes)? Are outputs documented with actions and responsibilities?
Resource management — Are personnel competent? Is training documented and effective? Are infrastructure and work environment adequate and controlled?
QMS planning — Does your quality plan address regulatory requirements for each market? Are processes identified and their interactions defined?
Organizational structure — Is a management representative appointed? Are responsibilities and authorities defined?

Country-specific additions at the management level:

Authority	Additional Management Requirements
FDA	Management must ensure compliance with applicable FDA regulations (QMSR/21 CFR 820); quality policy must address regulatory requirements
Health Canada	Management review must address Canadian regulatory changes and license conditions
TGA	Management must ensure awareness of Australian regulatory obligations
ANVISA	Management must address Brazilian GMP requirements (RDC 665/2022)
MHLW/PMDA	Management must ensure compliance with QMS Ministerial Ordinance (MO 169)

Device Marketing Authorization and Facility Registration

This process area verifies that your devices are legally marketed in each participating country. Auditors check:

Device licenses and clearances — Do you hold valid marketing authorizations (510(k) clearances, Health Canada licenses, TGA registrations, ANVISA registrations, PMDA approvals) for every device you sell in each market?
Establishment registration — Are your manufacturing facilities registered with each applicable regulatory authority?
Device listing — Are your devices listed in each applicable regulatory database?
License maintenance — Are you maintaining your registrations, paying annual fees, and filing required updates when changes occur?

This process area is heavily country-specific. The auditor verifies compliance with each authority's registration and listing requirements. A missing device listing or an expired establishment registration will generate a nonconformity.

Measurement, Analysis, and Improvement (MAI)

This is typically the most heavily scrutinized process area in an MDSAP audit. MAI covers the feedback loops that keep your quality system healthy:

Complaint handling — Is every complaint received, recorded, investigated, and closed? Are complaints evaluated for reportability (adverse event reporting) in each market? Is trending performed?
CAPA — Are corrective and preventive actions identified, investigated (with root cause analysis), implemented, and verified for effectiveness? Is there a clear trigger for opening a CAPA?
Internal audits — Are internal audits planned, conducted by competent auditors independent of the area being audited, and followed up? Do internal audits cover regulatory requirements, not just ISO 13485 clauses?
Nonconforming product — Is nonconforming product identified, segregated, dispositioned (rework, scrap, concession), and documented? Are concessions justified and, where required, reported to regulatory authorities?
Monitoring and measurement — Are processes and products monitored? Are statistical techniques used where appropriate?
Post-market surveillance — Are you actively collecting and analyzing post-market data? Are PMS plans and reports in place?
Adverse event and advisory notice reporting — Are reportable events identified and reported to each applicable regulatory authority within the required timeframes?

Country-specific reporting timelines vary significantly:

Regulatory Authority	Serious Adverse Event Reporting Timeframe	Field Safety Corrective Action Reporting
FDA (MDR)	30 calendar days (individual reports); 5 work days for events requiring remedial action	Must report recalls and corrections to FDA
Health Canada	10 calendar days (death or serious deterioration); 30 days for other mandatory reports	Mandatory recall reporting
TGA	48 hours (death or serious threat to public health); 10 days (serious injury); 30 days (other)	Report to TGA; may require Hazard Alert
ANVISA	10 calendar days (death); 30 days (serious injury); 72 hours for public health threats	Mandatory reporting to ANVISA
MHLW/PMDA	15 days (death or serious injury that was unknown/unexpected); 30 days (known events)	Mandatory reporting under PAL

The auditor will verify that your complaint handling procedure includes country-specific reportability assessments for each market you sell into. This is one of the most common nonconformity areas — manufacturers often have a single-country reporting procedure and fail to account for the differing timelines and criteria of all participating authorities.

Medical Device Adverse Event and Advisory Notice Reporting

While closely related to MAI, this process area receives focused attention because of its direct impact on patient safety. Auditors verify:

Reportability determination — Does your process evaluate every complaint against each country's adverse event reporting criteria?
Timeliness — Are reports submitted within the required timeframes for each authority?
Content — Do reports contain all required information?
Follow-up reports — Are follow-up reports submitted as additional information becomes available?
Trend reporting — Are you submitting trend reports where required (e.g., FDA's MDR trend reporting)?
Recalls and field safety corrective actions — Is your recall process defined? Have recalls been reported to all applicable authorities?

Design and Development

For manufacturers engaged in design activities, this process area is audited in depth:

Design and development planning — Are plans documented with stages, reviews, verification, and validation activities? Are responsibilities assigned?
Design inputs — Are functional, performance, safety, and regulatory requirements documented? Are inputs reviewed for adequacy?
Design outputs — Do outputs meet input requirements? Do they include acceptance criteria, manufacturing specifications, and essential safety characteristics?
Design review — Are formal reviews conducted at planned stages with appropriate participants? Are results documented?
Design verification — Is there objective evidence that design outputs meet design inputs?
Design validation — Is the device validated under actual or simulated use conditions? Does validation include software validation where applicable?
Design transfer — Is the transition from design to production documented and verified?
Design changes — Are changes identified, reviewed, verified, validated (where appropriate), and approved before implementation?
Design history file / design and development file — Is the complete record maintained?

Country-specific design requirements the auditor will check:

Authority	Design-Specific Requirements
FDA	Design controls per QMSR (incorporating ISO 13485 Clause 7.3); Design History File; risk analysis per 21 CFR 820
Health Canada	Design controls must address SOR/98-282 requirements; risk management per ISO 14971
TGA	Design controls must support Essential Principles compliance
ANVISA	Design must address RDC 665/2022 GMP requirements
MHLW/PMDA	Design controls per QMS Ministerial Ordinance; design validation must address Japanese use conditions if applicable

Production and Service Controls

This process area covers everything from manufacturing planning through delivery and servicing:

Production planning — Are work instructions, equipment, and monitoring/measuring devices defined and available?
Cleanliness and contamination control — Where applicable, are manufacturing environments controlled (cleanrooms, particulate monitoring)?
Process validation — Are processes whose outputs cannot be fully verified by subsequent inspection validated? Is validation documented with protocols, acceptance criteria, and results? Are processes revalidated when changes occur?
Identification and traceability — Can you trace each device back to its component materials, manufacturing records, and distribution? Are lot/serial numbers managed? Is UDI implemented where required?
Preservation of product — Are packaging, handling, storage, and distribution controlled?
Installation and servicing — Where applicable, are installation and servicing activities controlled with documented procedures and records?
Sterile devices — If applicable, is the sterilization process validated? Are sterility assurance levels maintained? Are environmental controls in place?

Purchasing and Supplier Controls

The purchasing process area addresses how you manage your supply chain:

Supplier evaluation and selection — Do you have criteria for evaluating suppliers? Are evaluations documented? Is supplier risk considered?
Approved supplier list — Is it maintained and current?
Purchasing data — Do purchase orders include specifications, quality requirements, and applicable regulatory requirements?
Verification of purchased product — Are incoming inspections or other verification activities performed? Is supplier performance monitored?
Outsourced processes — Are outsourced processes (contract manufacturing, sterilization, testing) controlled? Are these suppliers held to the same quality requirements as internal processes?
Supplier changes — Are changes by suppliers evaluated for impact on finished device quality?

The MDSAP Grading System

One of the most distinctive features of MDSAP is its structured grading system for nonconformities. Unlike a traditional ISO 13485 audit where findings are classified as major or minor, MDSAP uses a five-point grading scale that provides more granularity and, critically, directly informs the regulatory response.

Nonconformity Grades

Grade	Classification	Description	Typical Regulatory Impact
1	Opportunity for improvement	A situation that is not a nonconformity but where improvement could prevent future problems.	No regulatory action. Documented for manufacturer's consideration.
2	Minor nonconformity (isolated)	An isolated lapse that does not indicate a systemic failure. A single instance of a procedure not being followed, a minor documentation gap.	Low regulatory concern. Corrective action expected by next audit.
3	Major nonconformity (systemic)	A systemic failure in the QMS — a procedure that is not followed consistently, a required process that is not implemented, repeated instances of the same type of lapse.	Significant regulatory concern. Corrective action plan required within defined timeframe. Regulatory authority may request additional information or follow-up.
4	Critical nonconformity	A failure that has resulted in, or could reasonably result in, shipment of nonconforming product. The QMS has failed to prevent a quality or regulatory failure.	Serious regulatory concern. May trigger regulatory action (warning letter, compliance action, or focused inspection).
5	Regulatory action required	An imminent risk to public health or safety. A situation requiring immediate regulatory intervention.	Immediate escalation to the applicable regulatory authority. May result in product seizure, injunction, recall order, or license suspension.

How Grading Works in Practice

The auditor assigns a grade based on the nature and extent of the nonconformity, using criteria defined in the MDSAP grading system documents. The grading is not subjective — it follows a decision tree:

Is there a nonconformity? If no, it may still be documented as a Grade 1 (opportunity for improvement). If yes, proceed.
Is it isolated or systemic? An isolated instance (one document missing a signature, one training record not updated) is typically Grade 2. A pattern (multiple documents missing signatures, systematic failure to follow a procedure) is Grade 3 or higher.
Has it resulted in, or could it result in, nonconforming product being released? If yes, Grade 4.
Is there an imminent safety risk? If yes, Grade 5.

The grading system also considers which regulatory authority's requirements are affected. A nonconformity that violates a requirement specific to one country is graded in the context of that country's regulatory framework, while a nonconformity against ISO 13485 (applicable to all) is graded universally.

Regulatory Authority Response by Grade

Each regulatory authority receives the audit report and can independently decide how to respond to the findings. However, the grading system provides a common framework:

Grade	FDA Typical Response	Health Canada Typical Response
1	No action	No action
2	No action	Corrective action monitored at next surveillance
3	May request additional information; may trigger inspection	May request CAPA plan; may impact license conditions
4	May issue Warning Letter, Form 483, or conduct for-cause inspection	May suspend or refuse to renew device license
5	Immediate regulatory action (injunction, seizure, recall order)	Immediate license suspension

Nonconformity Response Requirements

When a nonconformity is identified, the manufacturer must respond with a corrective action plan. The expected response timeline depends on the grade:

Grade	Expected Response Timeline
2	Corrective action must be completed (or demonstrably in progress) by the next surveillance audit
3	Corrective action plan due within 15–30 days of audit report; implementation typically within 90 days
4	Corrective action plan due within 15 days; implementation verified through follow-up audit or regulatory action
5	Immediate containment action required; corrective action plan as directed by regulatory authority

Relationship to ISO 13485 and Country-Specific Requirements

MDSAP is built on ISO 13485:2016 as its foundation, but it goes substantially beyond it. Understanding this layered structure is essential.

The Layered Framework

Think of MDSAP requirements as a stack:

Layer 1: ISO 13485:2016 — The base quality management system standard. Every MDSAP audit assesses your QMS against all applicable clauses of ISO 13485:2016. If your system does not conform to ISO 13485, it will not pass an MDSAP audit.

Layer 2: ISO 14971 — Risk management. While ISO 13485 references risk management throughout, MDSAP auditors specifically evaluate your risk management process against the principles in ISO 14971. Your risk management must be woven into all process areas — not treated as a standalone activity.

Layer 3: Country-specific regulatory requirements — For each country you include in your MDSAP scope, the auditor assesses additional requirements specific to that country's regulations. These vary significantly.

Country-Specific Requirements Overview

Requirement Area	FDA (US)	Health Canada	TGA (Australia)	ANVISA (Brazil)	MHLW/PMDA (Japan)
QMS regulation	QMSR (21 CFR 820)	SOR/98-282 (Medical Devices Regulations)	Therapeutic Goods Act 1989; TG(MD)R 2002	RDC 665/2022	QMS Ministerial Ordinance (MO 169)
Adverse event reporting	21 CFR 803 (MDR)	Mandatory Problem Reporting (CMDR)	TGA adverse event reporting	ANVISA NOTIVISA system	PAL adverse event reporting
Registration/listing	21 CFR 807 (establishment registration and device listing)	Medical Device License (MDL) application	ARTG inclusion	ANVISA product registration	PMDA marketing approval
Labeling	21 CFR 801	SOR/98-282 labeling requirements	TG(MD)R labeling requirements	ANVISA labeling per RDC 185/2006	PAL labeling requirements
UDI	UDI Rule (21 CFR 830)	CMDR UDI requirements	TGA UDI framework	ANVISA UDI (in development)	PMDA UDI requirements

How This Affects Audit Scope

The number of countries in your MDSAP scope directly affects audit duration and complexity. Adding a country means:

Additional regulatory requirements the auditor must assess
Additional documentation you must maintain (device registrations, adverse event reporting procedures, labeling compliance)
Additional audit tasks defined in the Companion Documents for that country
Potentially longer audit duration

A manufacturer with only Canada and the US in scope will have a shorter, simpler audit than one covering all five countries.

MDSAP Companion Documents

The MDSAP Companion Documents are the auditor's roadmap. They define exactly what the auditor must examine in each process area, including specific audit tasks, expected evidence, and the regulatory requirements of each participating authority.

What the Companion Documents Contain

There is a Companion Document for each of the seven process areas. Each document includes:

Audit tasks — Specific activities the auditor must perform (e.g., "Verify that the organization has identified the regulatory requirements applicable to each medical device" or "Review records of management review for required inputs and outputs")
Regulatory references — For each task, the document lists the applicable requirements from ISO 13485 and from each participating country's regulations
Expected evidence — What the auditor expects to see as objective evidence of conformity
Links to other processes — Where the task connects to other process areas, enabling the auditor to follow the process thread

How to Use Companion Documents for Preparation

The Companion Documents are publicly available on the IMDRF website. They are your single most valuable preparation resource. Here is how to use them effectively:

Download all applicable Companion Documents from the IMDRF MDSAP page
For each audit task, verify that your QMS has documented procedures and objective evidence that address the task
Pay special attention to country-specific tasks — these are the requirements that go beyond ISO 13485 and are where manufacturers most often have gaps
Create a cross-reference matrix mapping each audit task to your specific QMS procedures and records
Conduct internal audits using the Companion Document tasks as your audit checklist — this is the single most effective preparation activity

Key Companion Documents

Document	Process Area	Key Focus
MDSAP AU P0002	Management	QMS infrastructure, management commitment, resource management
MDSAP AU P0003	Device Marketing Authorization	Regulatory submissions, registrations, listings
MDSAP AU P0004	Measurement, Analysis, and Improvement	CAPA, complaints, audits, nonconforming product, post-market surveillance
MDSAP AU P0005	Medical Device Adverse Event Reporting	Adverse event identification, evaluation, reporting, field actions
MDSAP AU P0006	Design and Development	Design controls lifecycle
MDSAP AU P0007	Production and Service Controls	Manufacturing, process validation, traceability
MDSAP AU P0008	Purchasing	Supplier management, outsourced processes

Recognized Auditing Organizations (AOs)

MDSAP audits can only be conducted by Auditing Organizations (AOs) that have been formally recognized by the MDSAP regulatory authorities. These organizations undergo rigorous assessment and ongoing oversight to ensure audit quality and consistency.

Currently Recognized AOs

As of 2026, the following organizations are recognized MDSAP Auditing Organizations:

Auditing Organization	Headquarters	Global Presence
BSI Group	United Kingdom	Worldwide
SGS	Switzerland	Worldwide
TUV SUD	Germany	Worldwide
TUV Rheinland	Germany	Worldwide
Intertek	United Kingdom	Worldwide
UL Solutions (formerly UL LLC)	United States	Worldwide
DEKRA	Germany	Worldwide
Bureau Veritas	France	Worldwide
Eurofins E&E (formerly QAI)	North America	Americas, Asia-Pacific
NSF International	United States	Worldwide
SAI Global (now part of Intertek)	Australia	Asia-Pacific, Americas

Note: The list of recognized AOs can change. Organizations may be added or removed based on ongoing performance assessment by the MDSAP regulatory authorities. Always verify current recognition status through the IMDRF or the regulatory authority's website.

Choosing an Auditing Organization

Selecting the right AO is a significant decision. Consider:

Geographic coverage — Does the AO have auditors who can reach your manufacturing sites (and any critical suppliers you need to include in the audit scope)?
Industry experience — Does the AO have auditors with experience in your specific device types (IVDs, implantables, software, combination products)?
Multi-service capability — Can the AO also provide your ISO 13485 certification, EU MDR Notified Body services, or other audits? Consolidating reduces total audit burden.
Audit scheduling flexibility — Can the AO accommodate your preferred audit windows?
Auditor quality — This is the hardest factor to assess, but it matters most. Ask for auditor CVs and look for relevant technical backgrounds.
Cost — AO fees vary. Get quotes from at least three AOs before deciding. The cheapest option is not always the best.
Reputation and track record — Talk to other manufacturers who use the AO. MDSAP audit quality varies between AOs and even between individual auditors within the same AO.

Costs and Timeline

MDSAP participation involves both direct costs and internal resource investment. Here is what to expect.

Direct Costs

Cost Component	Estimated Range	Notes
Initial certification audit (Year 1)	$15,000–$50,000+	Depends on organization size, number of countries in scope, number of device types, number of manufacturing sites
Annual surveillance audit (Years 2–3)	$10,000–$35,000	Typically 60–75% of initial certification cost
Recertification audit (Year 4)	$12,000–$45,000	Similar to initial certification; may be slightly less if no significant changes
Additional sites	$5,000–$20,000 per site	Each manufacturing site added to the audit scope increases cost
Travel and expenses	Variable	Auditor travel to your site(s); can be significant for international sites

Factors that increase audit cost:

More countries in scope (each country adds audit tasks and duration)
Multiple manufacturing sites
Complex device portfolio (combination products, sterile devices, IVDs, software)
Large organization (more processes, more records to sample)
History of nonconformities (may increase audit duration)

Factors that decrease audit cost:

Fewer countries in scope
Single manufacturing site
Narrow device portfolio
Small organization with streamlined processes
Clean compliance history

Typical Timeline

Phase	Duration	Activities
AO selection and contracting	1–3 months	Request quotes, evaluate AOs, negotiate contract, schedule audit
Pre-audit preparation	3–6 months (first-time); 1–3 months (recertification)	Gap analysis, procedure updates, internal audits, management review, training
Stage 1 audit (desk review)	1–2 days	AO reviews documentation, identifies readiness gaps
Gap remediation (if needed)	1–3 months	Address issues identified in Stage 1
Stage 2 audit (on-site)	3–7 days	On-site audit of all process areas
Audit report and NC closeout	1–3 months	AO issues report; manufacturer submits corrective action evidence for any nonconformities
Certificate issuance	2–4 weeks after NC closeout	AO issues MDSAP certificate

Total time from decision to certificate: Typically 6–12 months for a well-prepared organization. Organizations with significant QMS gaps may need 12–18 months.

Cost Comparison: MDSAP vs. Separate Audits

For a manufacturer selling in all five MDSAP countries, the cost comparison is compelling:

Scenario	Estimated Annual Cost
Separate audits (ISO 13485 + individual country audits)	$50,000–$120,000+ per year
MDSAP (single audit covering all five countries)	$15,000–$50,000 per year
Estimated annual savings with MDSAP	$30,000–$80,000+

These figures do not include the internal cost savings: fewer days of production disruption, fewer person-hours spent preparing for and hosting audits, and reduced audit fatigue on your quality and operations teams.

How to Prepare for an MDSAP Audit

Preparation is the single biggest determinant of audit outcome. Here is a practical preparation framework.

Step 1: Gap Analysis

Before anything else, conduct a thorough gap analysis against the MDSAP requirements. This is not just a gap analysis against ISO 13485 — it must include country-specific requirements for every country in your scope.

How to structure the gap analysis:

Obtain the MDSAP Companion Documents for all seven process areas
For each audit task in each Companion Document, identify your corresponding procedure, record, or evidence
Rate each task: Conforming (evidence exists and is adequate), Partial (some evidence but gaps exist), or Nonconforming (no evidence or major gap)
Prioritize remediation: address nonconforming items first, then partial items

Common gap areas for first-time MDSAP applicants:

Country-specific adverse event reporting procedures (especially for countries you recently entered)
Regulatory registration and listing maintenance documentation
Post-market surveillance plans and reports meeting each country's requirements
Management review inputs that address regulatory changes in each participating country
Internal audit programs that cover country-specific regulatory requirements (not just ISO 13485)
Supplier management documentation for outsourced processes
Traceability and UDI implementation across all applicable markets

Step 2: Procedure Updates

Based on your gap analysis, update your QMS procedures to address identified gaps. Key areas to review:

Complaint handling — Does your procedure include country-specific reportability assessment for all five authorities? Are reporting timelines documented?
CAPA — Does your procedure include root cause analysis methodology, effectiveness verification, and escalation criteria?
Design controls — Do your procedures address each country's design control requirements?
Document and record control — Do retention periods meet the most stringent requirement across all participating countries?
Management review — Does your management review procedure include all inputs required by MDSAP (including regulatory changes, post-market data, audit results, CAPA status)?

Step 3: Internal Audits Using MDSAP Criteria

This is the most effective preparation step. Conduct internal audits using the MDSAP Companion Document audit tasks as your checklist. This gives you a realistic preview of what the external MDSAP auditor will examine.

Use auditors who are independent of the areas being audited
Follow the process-based approach: trace processes across functional areas, just as the MDSAP auditor will
Document findings using the MDSAP grading system (Grades 1–5) to calibrate your internal team's assessment
Address all findings before the external audit

Step 4: Management Review

Ensure you have a recent management review (conducted within the past 12 months) that addresses all required inputs:

Customer feedback and complaint trends
Process performance and product conformity data
Audit results (internal and external)
CAPA status and effectiveness
Regulatory changes in each participating country
Post-market surveillance data
Supplier performance
Resource adequacy

The management review is one of the first things the MDSAP auditor will examine. A weak or incomplete management review sets a negative tone for the entire audit.

Step 5: Regulatory Compliance Verification

Before the audit, verify that all regulatory filings are current:

Device registrations and listings in each country
Establishment registrations
Adverse event reports (all filed on time, none overdue)
Annual reports (where required)
UDI data submissions (where required)

Step 6: Employee Preparation

Your employees will be interviewed by the auditor. Prepare them:

Ensure they understand their roles and responsibilities within the QMS
Verify they can locate and explain the procedures relevant to their work
Confirm they understand the quality policy and quality objectives
For process owners, ensure they can explain how their process connects to other processes in the QMS
Conduct mock interviews if your team has not been through an MDSAP audit before

Step 7: Audit Logistics

Practical preparation matters:

Designate an audit host/guide who will accompany the auditor throughout the visit
Prepare a conference room with access to your QMS (electronic or paper)
Ensure key personnel are available during the audit window (no vacations, no travel conflicts)
Have ready access to records the auditor is likely to request: complaint files, CAPA records, design history files, production batch records, training records, management review minutes, internal audit reports
Prepare an opening presentation covering your organization, device portfolio, markets, QMS structure, and any significant changes since the last audit

Common Nonconformities

Understanding the most frequently cited nonconformities helps you prioritize preparation. Based on MDSAP audit data and AO reports, these are the areas where manufacturers most commonly receive findings.

Top Nonconformity Areas

Rank	Nonconformity Area	Typical Grade	Root Cause
1	CAPA process deficiencies	3	Inadequate root cause analysis; failure to verify effectiveness; CAPAs open beyond defined timelines
2	Complaint handling gaps	2–3	Incomplete investigation; failure to assess reportability for all countries; complaints not trended
3	Post-market surveillance inadequacies	2–3	No PMS plan; PMS data not analyzed; PMS findings not fed back into risk management
4	Supplier management weaknesses	2–3	Incomplete supplier evaluations; no monitoring of supplier performance; outsourced processes not controlled
5	Design control deficiencies	2–3	Incomplete design inputs; traceability gaps between inputs, outputs, and verification/validation; design changes not properly validated
6	Internal audit program gaps	2	Internal audits not covering country-specific requirements; auditor independence not maintained; findings not followed up
7	Adverse event reporting failures	3–4	Late reports; failure to assess reportability for all markets; incomplete MDR/vigilance reports
8	Process validation deficiencies	2–3	Processes not identified as requiring validation; incomplete validation protocols; no revalidation after changes
9	Management review incomplete	2	Missing required inputs; no documented actions from review; regulatory changes not discussed
10	Training and competency gaps	2	Training records not current; competency not assessed (only training attendance documented); no evidence training was effective

Nonconformities That Escalate Quickly

Some nonconformity areas are more likely to receive higher grades (4 or 5) because of their direct impact on product safety or regulatory compliance:

Adverse event reporting failures — A late or missing adverse event report is a regulatory violation, not just a QMS gap. If the unreported event involved a serious injury or death, this can quickly become a Grade 4 or 5.
Nonconforming product released to market — If the auditor finds evidence that product not meeting specifications was shipped, this is Grade 4 at minimum.
Complaint files showing unreported events — If complaint records contain events that meet adverse event reporting criteria but were not reported, expect Grade 3–4.
Critical process not validated — If a sterilization process, a software process, or another process whose output cannot be verified by inspection is not validated, this is typically Grade 3 (systemic) and can reach Grade 4 if product released using that process is potentially nonconforming.

MDSAP for Startups vs. Established Companies

The MDSAP journey looks very different depending on your organization's maturity.

Startups and Early-Stage Companies

When to pursue MDSAP: If you intend to sell in Canada, you need MDSAP before you can obtain a medical device license. For other markets, the timing depends on your go-to-market strategy.

Common challenges for startups:

QMS maturity — Startups often have a QMS that was built for a single market (typically the US). Expanding it to meet multi-country requirements takes time and expertise.
Limited quality records — MDSAP auditors need to see objective evidence of QMS implementation: complaint files, CAPA records, internal audit reports, management review minutes, training records. A brand-new company may not have a meaningful volume of these records.
Resource constraints — Hosting a multi-day audit while simultaneously running product development and commercialization activities strains a small team.
Cost sensitivity — MDSAP certification costs ($15,000–$50,000+ for initial certification) represent a more significant portion of a startup's budget.

Practical recommendations for startups:

Build your QMS with MDSAP in mind from day one. If you know you will sell in MDSAP markets, design your procedures to address multi-country requirements from the start. Retrofitting is harder than building correctly the first time.
Start with a narrow scope. Include only the countries you will actually sell in within the first 12–18 months. You can add countries later.
Use the Companion Documents as your QMS design guide. Rather than building a generic ISO 13485 system and then adding country-specific requirements, use the Companion Documents to understand exactly what the auditor will check.
Consider a readiness assessment. Many AOs offer a pre-assessment or gap assessment service. This is an informal review (not a formal audit) that identifies gaps before you commit to the certification audit.
Budget for consulting if needed. If your team lacks MDSAP experience, a consultant who has guided companies through MDSAP certification can save months of trial and error. Budget $10,000–$40,000 for consulting support through your first certification.

Established Companies

Common challenges for established companies:

Legacy systems — An established company may have a mature ISO 13485 QMS but one built for a single market. Expanding to MDSAP requires integrating country-specific requirements into existing procedures.
Multiple sites — Companies with multiple manufacturing sites face increased audit scope, cost, and coordination complexity.
Resistance to change — Quality teams comfortable with the current audit model may resist the transition to MDSAP's process-based approach.
Volume of records — More years of operation means more records for the auditor to sample from. Any historical noncompliance is more likely to surface.

Practical recommendations for established companies:

Conduct a rigorous gap analysis with particular focus on country-specific requirements you may not have previously addressed.
Align internal audit programs with the MDSAP process-based approach. Stop auditing clause by clause and start auditing process by process.
Consolidate where possible. If you currently have separate complaint handling procedures for different countries, consider a single unified procedure that addresses all country-specific requirements.
Train your quality team on the MDSAP audit model, grading system, and Companion Documents. Your team's familiarity with the MDSAP approach directly affects audit outcomes.
Plan the transition carefully. Coordinate the timing of your MDSAP certification with the expiration of your current ISO 13485 certificate and any pending regulatory audits.

Benefits of MDSAP Participation

For Manufacturers

Reduced audit burden — One audit instead of many. Less time in audit rooms, more time building and improving products.
Cost savings — Direct savings on audit fees and indirect savings on internal preparation and hosting costs. Typical savings of 30–60% compared to separate audits.
Consistent assessment — One auditing organization applying one methodology reduces conflicting findings and corrective action requirements.
Regulatory goodwill — Participation in MDSAP signals to regulatory authorities that you take quality and compliance seriously. FDA, in particular, views MDSAP-certified manufacturers more favorably in its risk-based inspection scheduling.
Market access enablement — MDSAP is the only pathway to the Canadian market and significantly facilitates access to Australia, Brazil, and Japan.
Operational predictability — With one scheduled annual audit, you can plan resources and production schedules more effectively than managing multiple unscheduled or separately scheduled audits.

For Regulatory Authorities

Efficient resource allocation — Regulatory authorities can allocate inspection resources to higher-risk manufacturers while relying on MDSAP reports for well-performing manufacturers.
Standardized quality information — The MDSAP report format provides consistent, comparable information across manufacturers and countries.
Faster response to quality signals — The grading system and reporting structure allow authorities to quickly identify and respond to significant nonconformities.

Maintaining MDSAP Certification

Obtaining the certificate is only the beginning. Maintaining it requires ongoing effort.

Ongoing Requirements

Annual surveillance audits — These are mandatory. Missing a surveillance audit window can result in certificate suspension.
Corrective action closeout — All nonconformities identified in audits must be addressed within the required timelines. Failure to close corrective actions can result in certificate suspension or withdrawal.
Change notification — You must notify your AO of significant changes to your QMS, manufacturing processes, organizational structure, or device portfolio. The AO evaluates whether the change requires a special audit or can be assessed at the next scheduled surveillance.
Regulatory compliance maintenance — Your device registrations, establishment registrations, adverse event reports, and other regulatory filings must remain current.
Continuous QMS effectiveness — The QMS must continue to function effectively between audits. This means ongoing complaint handling, CAPA management, internal audits, management reviews, and post-market surveillance.

Certificate Suspension and Withdrawal

An MDSAP certificate can be suspended or withdrawn for:

Grade 4 or 5 nonconformities not resolved within required timelines
Failure to host a scheduled surveillance audit
Failure to submit corrective action evidence within required timelines
Discovery of fraud or misrepresentation
Request by a participating regulatory authority based on independent findings

Certificate suspension means you cannot use the MDSAP certificate to demonstrate compliance. For Canadian manufacturers, this directly impacts your ability to maintain medical device licenses. For other markets, it removes the MDSAP benefits and may trigger individual country inspections.

Frequently Asked Questions

Can I choose which countries to include in my MDSAP scope?

Yes. You are not required to include all five countries. You include only the countries where you market (or intend to market) your devices. Many manufacturers start with two or three countries and add more as they expand. However, if you sell in Canada, Health Canada's inclusion is mandatory.

Does MDSAP replace ISO 13485 certification?

Effectively, yes. An MDSAP audit includes a full assessment against ISO 13485:2016. Your MDSAP certificate can serve as your ISO 13485 certificate. Most AOs will issue both an MDSAP certificate and an ISO 13485 certificate from the same audit.

How long does an MDSAP audit take on-site?

Typically 3–7 days for the Stage 2 (on-site) audit, depending on organization size, number of countries in scope, and device portfolio complexity. Surveillance audits are typically shorter than initial certification or recertification audits.

Can my AO also be my EU MDR Notified Body?

Some AOs that are recognized for MDSAP are also designated as EU MDR Notified Bodies (e.g., BSI, TUV SUD). Using the same organization for both can streamline scheduling and reduce duplication, but the EU MDR audit is a separate assessment — it cannot be combined with the MDSAP audit.

What happens if I receive a Grade 4 or Grade 5 nonconformity?

A Grade 4 nonconformity is reported to the applicable regulatory authority, which may take enforcement action. A Grade 5 nonconformity requires immediate escalation and may trigger regulatory action such as product seizure, recall orders, or license suspension. In both cases, corrective action must be immediate and is closely monitored by both the AO and the regulatory authority.

Is MDSAP recognized in the European Union?

No. The EU is not an MDSAP participant. If you sell in Europe, you need a separate conformity assessment through a Notified Body under EU MDR or IVDR. There is no current indication that the EU plans to join MDSAP.

Can remote or hybrid audits be conducted under MDSAP?

MDSAP has provisions for remote auditing activities, particularly for the Stage 1 (desk review) and certain surveillance activities. However, the Stage 2 (initial certification) and recertification audits generally require on-site presence. The COVID-19 pandemic led to temporary expanded remote auditing provisions, and some of these practices have been retained in modified form. Your AO can advise on current remote auditing policies.

How does MDSAP interact with the new QMSR?

The FDA's QMSR (which replaced the QSR) incorporates ISO 13485:2016 by reference. Since MDSAP already audits against ISO 13485, the transition to QMSR does not fundamentally change what MDSAP audits assess for FDA compliance. MDSAP auditors now reference QMSR instead of the old QSR, but the substantive requirements audited are largely the same because both are built on ISO 13485.

What if I manufacture devices but only sell in one MDSAP country?

You can still pursue MDSAP with a single country in scope. This is common for manufacturers that sell only in Canada (where MDSAP is mandatory). However, the cost-efficiency benefits of MDSAP increase with each additional country you add to scope. If you sell only in one country that does not require MDSAP (e.g., only in the US), a standalone ISO 13485 certification may be more cost-effective.

Does MDSAP cover IVD manufacturers?

Yes. In vitro diagnostic (IVD) medical devices are within the scope of MDSAP when they are regulated as medical devices by the participating regulatory authorities. The MDSAP certificate template includes IVD-specific scope descriptions (see MDSAP AU P0026), and Japan's QMS Ministerial Ordinance (MO 169) is formally titled "Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents." See the dedicated IVD section below for additional details.

Can FDA inspect my audit reports and management review records under the QMSR?

Yes. Under the QMSR, which took effect February 2, 2026, FDA investigators can now review internal audit reports and management review records during inspections — a significant change from the prior QSR, where these records were generally shielded. Manufacturers should ensure that their internal audit reports are complete, well-documented, and that any findings have been addressed, as these documents are now subject to FDA review.

MDSAP Companion Documents — Complete Reference

The Companion Documents are the auditor's detailed roadmap for each process area. Beyond the seven process-area documents already described, manufacturers should be aware of the complete document ecosystem that governs MDSAP audits.

Complete List of MDSAP Procedural Documents

Document Number	Title	Purpose
MDSAP AU P0002	Audit Approach	The master document defining the MDSAP audit methodology, sequence, and process-based approach. Revised to version 010 on February 6, 2026.
MDSAP AU P0008	Audit Time Determination Procedure	Defines how audit duration is calculated based on organization size, device complexity, and number of countries in scope.
MDSAP AU F0008.2	Audit Duration Calculation Form	The form AOs use to calculate required audit days.
MDSAP AU P0019	Medical Device Regulatory Audit Reports Policy	Governs the format and content of the MDSAP audit report.
MDSAP AU F0019.1	Medical Device Regulatory Audit Report Form	The standardized audit report template used by all AOs.
MDSAP AU F0019.2	NC Grading and Exchange (NGE) Form	The standardized form for recording nonconformity grades and exchanging information between AOs and regulatory authorities.
MDSAP AU G0019.3	Audit Report Form Guidelines	Guidance on completing the audit report form.
MDSAP AU G0019.4	Guidelines NC Grading Exchange Form	Guidance on completing the NGE form.
MDSAP AU P0026	Certificate Document Requirements	Defines the format, content, and scope descriptions for MDSAP certificates.
MDSAP AU G0026.1	Surveillance Audit Confirmation Notification Process	Process for confirming surveillance audit scheduling.
MDSAP AU P0027	Post Audit Activities and Timeline Policy	Defines the timelines and activities required after an audit is completed.
MDSAP AU P0028	Threat to Impartiality	Procedures for managing conflicts of interest and threats to auditor impartiality.
MDSAP AU P0029	Communication by AOs with RA on Organizations Participating in MDSAP	Governs how AOs communicate audit results and concerns to regulatory authorities.
MDSAP AU P0033	REPs User Account Management	Manages access to the Regulatory Exchange Platform (REPS) database.
MDSAP AU P0036	Remote and Hybrid Audit Procedure	Defines requirements for remote (fully offsite) and hybrid (partially offsite) audits. Finalized as P0036:003 in 2025.
MDSAP AU P0037	Guidelines on the use of GHTF/SG3/N19:2012 for MDSAP purposes	Links the MDSAP grading system to the GHTF nonconformity grading framework.

Companion Document Details by Process Area

Document Number	Process Area	Key Audit Tasks
MDSAP AU G0002	Management	QMS infrastructure, management commitment, resource management, management representative appointment, quality policy and objectives
MDSAP AU G0003	Device Marketing Authorization and Facility Registration	Regulatory submissions, device listings, establishment registration, license maintenance, country-specific registration requirements
MDSAP AU G0004	Measurement, Analysis, and Improvement	CAPA, complaints, internal audits, nonconforming product, post-market surveillance, data analysis, monitoring and measurement
MDSAP AU G0005	Medical Device Adverse Event and Advisory Notice Reporting	Adverse event identification, evaluation, reporting timelines, field safety corrective actions, trend reporting
MDSAP AU G0006	Design and Development	Design planning, inputs, outputs, review, verification, validation, transfer, changes, design history file
MDSAP AU G0007	Production and Service Controls	Manufacturing planning, process validation, identification and traceability, preservation, installation, servicing, sterility
MDSAP AU G0008	Purchasing and Supplier Controls	Supplier evaluation, approved supplier list, purchasing data, verification of purchased product, outsourced processes

The REPS Database

The Regulatory Exchange Platform (REPS) is the IT system that underpins MDSAP information sharing. When an AO completes an audit, the final audit report package — including the audit report (AU F0019.1) and the nonconformity grading and exchange form (AU F0019.2) — is submitted to the REPS database. All five participating regulatory authorities have access to REPS and can review audit results for manufacturers selling in their jurisdictions. MDSAP Affiliate Members do not have access to REPS; instead, they receive weekly status reports containing basic information on manufacturers, manufacturing sites, audit dates, and the responsible AO. Affiliate Members must contact manufacturers directly to obtain actual audit reports and certificates.

2025–2026 Program Updates

The MDSAP program has undergone significant changes in 2025 and 2026. Manufacturers should be aware of these developments and their implications for audit preparation and QMS maintenance.

MDSAP Audit Approach Version 010 (February 2026)

The MDSAP Audit Approach (AU P0002) was revised to version 010, released February 6, 2026. This is the first major update in 18 months and introduces substantial changes that manufacturers must reflect in their QMS.

United States (FDA) changes:

All references and citations to the old Quality System Regulation (QSR) have been officially removed, aligning with the QMSR that took effect February 2, 2026
The requirement to update device listing information between October 1 and December 31 has been incorporated as a specific audit task
A new section dedicated to Predetermined Change Control Plans (PCCP) has been introduced, which is essential for managing changes in software and AI-based medical device systems
FDA-specific expectations remain in targeted areas including document and record controls, device marketing authorization and establishment registration, post-market surveillance and complaint handling, adverse event reporting, design and development controls, and production/servicing/traceability records
Under the QMSR, FDA investigators can now review internal audit reports and management review records — manufacturers should prepare for this expanded access during for-cause inspections

Australia (TGA) changes:

The Uniform Recall Procedure for Therapeutic Goods (URPTG) has been officially replaced by the Procedure for Recalls, Product Alerts and Product Corrections (PRAC)
Audit tasks 4 and 5 within the adverse event and advisory notice reporting process have been updated to reflect the new PRAC protocol

Brazil (ANVISA) changes:

Updated regulatory references for the registration process: RDC 830/2023 replaces RDC 36/2015, and RDC 751/2022 replaces RDC 40/2015
Manufacturers marketing IVDs in Brazil should note that RDC 830/2023 includes revised IVD risk classifications — a gap assessment between RDC 36/2015 and RDC 830/2023 is recommended

Supplier management changes (all countries):

The term "critical supplier" has been removed and replaced with a more operational definition: "suppliers that should be considered for audit as part of the MDSAP audit of the organization"
This reflects a more dynamic, risk-based approach to supply chain oversight rather than a fixed categorization

New MDSAP Global Website (2025)

At the 2025 MDSAP Forum in Amsterdam (June 16–20), MDSAP launched a new global website at mdsap.global. MDSAP documents have been migrated from the FDA website to this new platform managed by the TGA. The new site serves as the central hub for all MDSAP documents, procedures, forms, and announcements. Manufacturers should update their bookmarks — the FDA MDSAP page now redirects to mdsap.global for document access.

Remote and Hybrid Audit Procedure Finalized (2025)

The remote and hybrid audit procedure (MDSAP AU P0036) was finalized as version P0036:003 in 2025 (MDSAP Transmittal Number 2025-01). This procedure defines requirements for the routine ongoing use of remote (fully offsite) and hybrid (partially offsite) audits of medical device manufacturers.

Key details:

Approximately one-third of MDSAP audits now include at least a partially offsite element
Stage 1 audits are commonly conducted remotely
The FDA extended its remote and hybrid auditing pilot program for an additional six months in 2024–2025 before the procedure was formalized
Stage 2 initial certification audits and recertification audits generally still require on-site presence, though hybrid approaches (partial remote, partial on-site) are increasingly accepted for surveillance audits
Remote audits during 2020–2022 (pandemic era) reached approximately 45% of all audits conducted; this declined to approximately 9% by 2023 as on-site audits resumed, before the formalized hybrid procedure stabilized practices

AO Applications Reopened (2025)

In 2025, MDSAP reopened applications for new Auditing Organizations (MDSAP Transmittal Number 2025-03), along with the introduction of prioritization criteria for evaluating new AO candidates. This was the first time AO applications were reopened since a temporary halt was imposed in February 2022 to ensure efficient use of assessment resources.

MDO Participation Pilot (2025)

MDSAP announced a pilot program allowing Medical Device Organizations (MDOs) — the manufacturers themselves — to participate more directly in the MDSAP program (MDSAP Transmittal Number 2025-06). Details on the scope and implications of this pilot are still emerging.

New Affiliate Members (2025)

Two new Affiliate Members joined in 2025:

South African Health Products Regulatory Authority (SAHPRA) — joined April 4, 2025
Malaysia Medical Device Authority (MDA) — joined September 19, 2025

QMSR Key Gaps for Manufacturers Preparing via MDSAP

For manufacturers that have only distributed in the US and complied with the old QSR, using the MDSAP audit approach as a gap assessment tool is recommended. The major gap areas that QMSR/ISO 13485 alignment will reveal include:

Lifecycle risk management — Risk management must be woven throughout the QMS, not treated as a standalone activity. Misuse of risk priority numbers as an excuse not to take action is no longer acceptable.
Post-market surveillance — Active PMS plans and reports are now explicitly required, not just complaint handling.
Competency vs. training — Simply reading and signing a procedure or "seat time" training is insufficient. Objective evidence of competency assessment is required under ISO 13485:2016 Clause 6.2.
Corrective vs. preventive action — The QMSR reinforces the separation between corrective action (triggered by reactive data sources, with timeliness requirements) and preventive action (escalated from proactive data sources where no nonconformance has occurred).
Monitoring and measurement of products and processes — Heightened emphasis on data analysis dashboards with signals and trigger limits for potential action.

MDSAP Observers, Affiliate Members, and Program Expansion

Beyond the five RAC member countries, the MDSAP program includes a growing network of observers and affiliate members that signals future expansion.

Regulatory Authority Council (RAC) Members

The RAC is the decision-making body of MDSAP, composed of senior-level managers from the five member countries:

Therapeutic Goods Administration (TGA) — Australia
Agência Nacional de Vigilância Sanitária (ANVISA) — Brazil
Health Canada (HC) — Canada
Ministry of Health, Labour and Welfare / Pharmaceuticals and Medical Devices Agency (MHLW/PMDA) — Japan
U.S. Food and Drug Administration (FDA) — United States

Official Observers

Official Observers participate in RAC activities or observe program operations without being formal members:

European Union (EU) — Represented by the European Commission DG for Health & Food Safety (DG SANTE). At the 2025 MDSAP Forum in Amsterdam, the EU discussed its vision for future EU participation in MDSAP.
United Kingdom's Medicines and Healthcare products Regulatory Agency (MHRA) — Granted observer status in March 2021.
Singapore's Health Sciences Authority (HSA)
World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Programme — Particularly relevant for IVD manufacturers seeking WHO prequalification (see IVD section below).

Affiliate Members

Affiliate Members are regulatory authorities that engage in MDSAP, demonstrate understanding of the program, and utilize MDSAP audit reports and certificates within their own regulatory frameworks. As of late 2025, the complete list includes:

Country	Regulatory Authority
Argentina	National Administration of Drugs, Foods and Medical Devices (ANMAT)
Israel	Ministry of Health
Kenya	Pharmacy and Poisons Board (PPB)
Republic of Korea	Ministry of Food and Drug Safety (MFDS)
Mexico	Federal Commission for Protection from Sanitary Risks (COFEPRIS)
Taiwan	Taiwan Food and Drug Administration (TFDA)
South Africa	South African Health Products Regulatory Authority (SAHPRA)
Malaysia	Medical Device Authority (MDA)

Affiliate Members report annually to the RAC on their utilization of MDSAP audit reports and certificates. They do not have access to the REPS database but receive weekly status reports containing information on manufacturers, manufacturing sites, audit dates, and the responsible AO.

IMDRF Working Group Affiliate Members

The IMDRF MDSAP Working Group maintains a broader list of affiliate members that includes regulatory authorities from additional countries exploring MDSAP adoption. These include Botswana (BoMRA), Chile (ISP), Colombia (INVIMA), Costa Rica (MoH), Cuba (CECMED), Dominican Republic (DIGEMAPS), Egypt (EDA), El Salvador (SRS), Ethiopia (EFDA), Ghana (FDA), India (CDSCO), Indonesia (MoH), Jordan (JFDA), Montenegro (CINMED), Nigeria (NAFDAC), Philippines (FDA), Tanzania (TMDA), Uzbekistan (Center for Pharmaceutical Products Safety), Zanzibar (ZFDA), and Zimbabwe (MCAZ).

Updates from Affiliate Members (2025)

South Korea (MFDS): Notice No. 2025-22 consolidates K-GMP legislation. For Class 3 medical devices, an audit conducted by a Third Party Auditor is sufficient to meet K-GMP requirements. Notably, an MDSAP certificate can waive the manufacturer's on-site K-GMP audit requirement.
Mexico (COFEPRIS): NOM-241-SSA1-2025 on Good Manufacturing Practices was finalized on April 4, 2025, impacting entities based in Mexico.

What Expansion Means for Manufacturers

The growing number of observers and affiliates signals that MDSAP recognition is expanding beyond the original five countries. Manufacturers already holding MDSAP certificates may find that their certificates carry increasing value for market access in countries where MDSAP reports are being used as part of GMP evaluations — even without those countries becoming full RAC members.

MDSAP for IVD Manufacturers

In vitro diagnostic (IVD) medical devices fall within the scope of MDSAP, but IVD manufacturers should be aware of several specific considerations that affect their audit experience and regulatory compliance.

IVD Scope Under MDSAP

IVDs are within scope of MDSAP when regulated as medical devices by the participating regulatory authorities. All five MDSAP countries regulate IVDs as medical devices (or a closely related category), so IVD manufacturers can pursue MDSAP certification on the same basis as other device manufacturers. The MDSAP certificate template (MDSAP AU P0026) includes a specific template for IVD scope descriptions, separate from the template for other medical devices. IVD scope descriptions typically include:

Device types (in-vitro diagnostic analyzers/software, IVD reagents, IVD test kits)
Intended use categories (blood analytes, blood grouping, cancer, cardiac markers, coagulation, donor screening, drugs of abuse, endocrine disorders, fertility testing, genetic testing, immune status, pregnancy testing, sexually transmissible agents, tissue typing, therapeutic drug monitoring, etc.)
Use settings (clinical laboratory, home use, near patient/point of care)

Country-Specific IVD Considerations

Country	IVD-Specific Requirements
United States (FDA)	IVDs are regulated under 21 CFR Parts 862–892. IVDs follow the same QSR/QMSR requirements as other devices. Classification and premarket pathway (510(k), De Novo, PMA) depend on the specific IVD. Laboratory Developed Tests (LDTs) are subject to evolving FDA enforcement policies.
Canada (Health Canada)	IVDs are classified and licensed under the Medical Devices Regulations (SOR/98-282). MDSAP certification is mandatory for IVD manufacturers selling Class II, III, or IV IVDs in Canada, just as for other devices.
Brazil (ANVISA)	RDC 830/2023 (replacing RDC 36/2015) governs IVD registration. ANVISA has revised IVD risk classifications under RDC 830/2023 — IVD manufacturers must review whether their devices' classifications have changed and update registrations accordingly. Some IVDs may now fall into different risk classes than under the prior regulation.
Japan (MHLW/PMDA)	Japan's QMS Ministerial Ordinance (MO 169) is formally titled "Ordinance on Standards for Manufacturing Control and Quality Control of Medical Devices and In Vitro Diagnostic Reagents," explicitly including IVDs. However, certain IVD types — including radioactive IVDs — still require direct PMDA inspection and are not fully covered by MDSAP.
Australia (TGA)	IVDs are regulated under the Therapeutic Goods (Medical Devices) Regulations 2002. TGA accepts MDSAP certification for IVD conformity assessment.

WHO Prequalification of IVDs and MDSAP

The WHO Prequalification of In Vitro Diagnostics (IVDs) Programme is an Official Observer of MDSAP. This relationship is significant for IVD manufacturers supplying diagnostics to global health programs (e.g., HIV, malaria, hepatitis, tuberculosis test kits for UNICEF, the Global Fund, or other procurement agencies). MDSAP certification can support a manufacturer's WHO prequalification application by demonstrating QMS compliance, although WHO prequalification has its own additional requirements beyond what MDSAP covers.

MDSAP and EU IVDR

IVD manufacturers selling in both MDSAP countries and the EU should note that MDSAP does not cover EU IVDR (In Vitro Diagnostic Regulation 2017/746) requirements. A separate conformity assessment through an EU Notified Body is required for the EU market. However, some AOs (such as BSI, TUV SUD, and TUV Rheinland) are both MDSAP-recognized and designated as EU IVDR Notified Bodies, creating opportunities for coordinated audit scheduling.

Health Canada MDSAP — Detailed Mandatory Requirements

Because Canada is the only country where MDSAP is mandatory, manufacturers targeting the Canadian market need a thorough understanding of Health Canada's specific requirements.

Mandatory Certification Scope

Since January 1, 2019, MDSAP certification has been mandatory for all manufacturers of Class II, III, and IV medical devices seeking to obtain or maintain a Medical Device Licence (MDL) with Health Canada. This replaced the former Canadian Medical Device Conformity Assessment System (CMDCAS). Key requirements:

All manufacturers — both Canadian and foreign — must hold a valid MDSAP certificate. The obligation is manufacturer-based, not location-based.
All manufacturing and design facilities relevant to the device must be covered by the MDSAP certificate scope.
Applications for new MDLs or amendments are considered incomplete without proof of MDSAP certification.
Existing MDLs may be suspended or cancelled if the MDSAP certificate expires or is withdrawn.
Class I devices are exempt from the MDSAP/MDL requirement — they require only a Medical Device Establishment Licence (MDEL).
Private label manufacturers must also comply — any entity holding or seeking a Class II–IV licence, including private labelers, must have MDSAP certification.

2025–2026 Health Canada Regulatory Updates Affecting MDSAP

Mandatory Electronic Filing (effective January/February 2026):

Health Canada now requires mandatory use of the Regulatory Enrolment Process (REP) via the Common Electronic Submission Gateway (CESG) for all Class II, III, and IV device submissions. This includes new and amendment MDL applications and all other application-related regulatory transactions. Email submissions are no longer accepted. Manufacturers (or their Canadian regulatory representatives) must register in REP and file through CESG.

New Guidance on Managing Applications for Medical Device Licence (published November 2025, effective February 2026):

This guidance reshapes how Health Canada manages licence applications, particularly around timelines, communication on deficiencies, and reconsideration of negative decisions. Key changes include:

New target timelines and performance standards for application processing
Introduction of a "Market Authorization Time" concept
Administrative screening with 10-day response requirements for outstanding information
Technical screening for Class III/IV applications to verify scientific evidence is present before full review
Clarification requests during regulatory screening with response windows as short as 2 days

Terms and Conditions for Class II–IV Devices (effective January 1, 2026):

Health Canada's guidance on terms and conditions for Class II to IV medical devices allows Health Canada to impose conditions on MDLs, including requirements for post-market studies, stability study results, real-world evidence submissions, and ongoing clinical follow-up data.

Health Canada MDSAP and B-GMP Interaction

Manufacturers with MDSAP certificates covering both Canada and Brazil benefit from streamlined access to both markets. ANVISA's extension of B-GMP certificate validity to four years (RDC 850/2024, effective April 1, 2024) for MDSAP-certified manufacturers means that a single MDSAP program can support Canadian MDL maintenance and Brazilian B-GMP certification simultaneously with reduced regulatory overhead.

ANVISA B-GMP Certificate and MDSAP

Brazil's ANVISA uses the Brazilian Good Manufacturing Practice (B-GMP) certificate as a prerequisite for device registration. MDSAP certification significantly streamlines this process.

How MDSAP Enables B-GMP Certification

When a manufacturer holds an MDSAP certificate with Brazil in scope, ANVISA grants B-GMP certificates by analyzing the MDSAP audit report rather than conducting its own on-site GMP inspection. The process works as follows:

The Brazilian Registration Holder (BRH) submits a request for B-GMP certification on the manufacturer's behalf
The BRH submits the MDSAP audit report issued by the recognized AO
ANVISA evaluates the MDSAP report, paying particular attention to nonconformity grades and their closure status
For reports with nonconformity grades 1–3, a satisfactory action plan must be identified
For reports with nonconformity grades 4 or 5, corrective actions must have been closed before the B-GMP certificate can be issued
ANVISA issues the B-GMP certificate, which the BRH submits alongside the device registration dossier

Four-Year B-GMP Validity (RDC 850/2024)

As of April 1, 2024, ANVISA extended the validity of B-GMP certificates from two years to four years for manufacturers participating in MDSAP. This extension is conditional on the manufacturer maintaining their MDSAP certificate for the duration of the B-GMP certificate. Key points:

The extension applies only to MDSAP-certified manufacturers — non-MDSAP B-GMP certificates remain at two years
Manufacturers who had already applied for B-GMP renewal but had not yet received approval before the resolution's effective date can still benefit from the four-year extension
Annual MDSAP surveillance audits remain required throughout the four-year B-GMP period
ANVISA may investigate information reported via the 5-day notice process related to possible risks to patient or public health

ANVISA Regulatory Reference Updates

Manufacturers should note that ANVISA's regulatory references have been updated:

RDC 830/2023 replaces RDC 36/2015 for device registration (effective June 1, 2024)
RDC 751/2022 replaces RDC 40/2015
RDC 665/2022 governs GMP requirements (replacing RDC 16/2013 as the primary GMP regulation)

MDSAP Program Statistics

Understanding the scale and trends of the MDSAP program provides useful context for manufacturers evaluating participation.

Program Scale (as of late 2023)

Metric	Value
Total MDSAP audits conducted (January 2018 – October 2023)	22,252
Number of countries where MDSAP audits have been conducted	74
Average MDSAP audit duration	5.3 days
Number of active facilities participating in MDSAP	6,891
Certificate holders	6,116
Non-certificate holder facilities	2,101

Remote Audit Trends

Period	Remote/Hybrid Audit Percentage
2020–2022 (pandemic era)	Approximately 45% of audits performed at least partially remote
2023	Approximately 9% of audits performed at least partially remote
2025–2026 (post-formalization of P0036)	Approximately one-third of audits include at least a partially offsite element

Nonconformity Data by ISO 13485 Clause Category

MDSAP nonconformities are categorized based on their ISO 13485 clause reference and their QMS impact level. Understanding this categorization helps manufacturers prioritize preparation:

Indirect QMS impact (ISO 13485 Clauses 4.1–6.3): These are the "administrative enabler" clauses — requirements that make QMS processes possible. Nonconformities against these clauses are considered to have indirect influence on medical device safety and performance and receive lower base grades in the grading matrix.

Direct QMS impact (ISO 13485 Clauses 6.4–8.5): These clauses have direct influence on design and manufacturing controls, which in turn directly impact product safety and performance. Nonconformities against these clauses receive higher base grades.

The most frequently cited clause areas across MDSAP audits include:

ISO 13485 Clause Area	Nonconformity Frequency	Typical Impact
8.5.2 / 8.5.3 — Corrective and Preventive Action	Very high	Direct
8.2.2 — Complaint Handling	High	Direct
8.2.4 — Monitoring and Measurement of Product	High	Direct
7.5 — Production and Service Provision	High	Direct
7.3 — Design and Development	Moderate–High	Direct
7.4 — Purchasing	Moderate	Direct
4.2 — Documentation Requirements	Moderate	Indirect
6.2 — Human Resources (Competency)	Moderate	Indirect
5.6 — Management Review	Moderate	Indirect
8.2.3 — Monitoring and Measurement of Processes	Moderate	Direct

5-Day Notice Escalation Criteria

When certain critical conditions are identified during an audit, the AO must notify the applicable regulatory authorities within 5 working days of the audit ending date. The triggers for a 5-day notice are:

A Grade 5 nonconformity is identified
More than two Grade 4 nonconformities are identified
A public health threat is identified
Fraudulent activity is discovered
Counterfeit products are identified

Updated Auditing Organization (AO) List and Selection

Currently Recognized AOs (2026)

The list of recognized AOs has evolved since the program's inception. As of 2026, the following organizations are recognized to conduct MDSAP audits. Note that this list is significantly larger than the original roster and includes several organizations not widely known outside the MDSAP community:

Auditing Organization	Headquarters	Critical Locations
BSI Group America Inc.	Herndon, VA, USA	Milton Keynes, UK
DEKRA Certification B.V.	Arnhem, Netherlands	Stuttgart, Germany
DNV Product Assurance AS	Hovik, Norway	—
DNV MEDCERT GmbH	Hamburg, Germany	—
DQS Medizinprodukte GmbH	Frankfurt am Main, Germany	Operating from Bad Vilbel, Germany
G-MED	Paris, France	St. Etienne, France; Rockville, MD, USA
IMQ S.p.A.	Italy	(Authorized, recognition in progress)
Intertek Testing Services NA Inc.	Kentwood, MI, USA	—
National Standards Authority of Ireland (NSAI)	Dublin, Ireland	Operating from Nashua, NH, USA
NCC Certificações do Brasil Ltda.	Brazil	(Authorized, recognition in progress)
SGS United Kingdom Ltd.	Ellesmere Port, UK	—
TÜV Rheinland of North America, Inc.	Boxborough, MA, USA	Köln, Germany; Shanghai, China; Yokohama, Japan; Zabrze, Poland
TÜV SÜD America Inc.	Wakefield, MA, USA	Munich, Germany
TUV USA, Inc. (TÜV NORD Group)	Salem, NH, USA	—
UL LLC	Northbrook, IL, USA	Operating from Research Triangle Park, NC

AO Assessment and Oversight

AOs are not simply approved once — they undergo continuous assessment by the MDSAP regulatory authorities through a structured assessment cycle:

Assessment Stage	Activities
Initial recognition	Application review, Stage 1 documentation review, Stage 2 on-site assessment (head office), 3 witnessed audits, on-site assessment of critical locations (as applicable)
Surveillance (annual)	Surveillance on-site assessment (head office), witnessed audit, on-site assessment of critical locations (as applicable and necessary)
Re-recognition	Stage 1 assessment, re-recognition on-site assessment (head office), witnessed audit, on-site assessment of critical locations

The assessment program is tailored to each AO, considering the AO's size, geographic coverage, technical areas, past performance, changes to the AO or to MDSAP, and signals identified by regulatory authorities (complaints, allegations, or signals about certified manufacturers from marketing authorization applications, adverse events, or whistleblowers).

AO Selection Considerations — Additional Factors

Beyond the factors already discussed, manufacturers should consider:

Combined audit capability — Some AOs offer MDSAP combined with EU MDR/IVDR CE marking audits, ISO 9001, or UKCA assessments. Combined audits can reduce total audit days and coordination overhead. The MDSAP audit template includes space to incorporate EU-specific findings, allowing a single integrated report.
AO Contributions scheme — AOs contribute resources to the MDSAP program. Information on each AO's contributions is publicly available on mdsap.global, which can provide insight into an AO's level of engagement with the program.
Feedback and complaints mechanism — The MDSAP website provides a formal feedback and complaints process for manufacturers to report issues with AO conduct. This mechanism helps maintain audit quality across the program.

Unannounced Audits Under MDSAP

MDSAP participating regulatory authorities require AOs to conduct unannounced audits in circumstances where high-grade nonconformities have been detected. The criteria for triggering unannounced audits are defined in IMDRF/MDSAP WG/N3 Final:2016 (2nd Edition). In addition, regulatory authorities themselves may conduct audits at any time for reasons including:

For-cause audits — Based on information obtained by the regulatory authority (e.g., adverse event signals, complaint trends, recalls)
Follow-up audits — To follow up on findings from a previous audit
Oversight audits — To confirm effective implementation of MDSAP requirements by recognized AOs

When an AO performs a special audit at the request of a regulatory authority, the audit report must be submitted to the requesting authority within 15 calendar days from the last day of the audit.

MDSAP and Japan — Additional Details

Japan's participation in MDSAP has several nuances that manufacturers should understand:

Marketing Authorization Holder (MAH): Japan requires a designated MAH to submit the MDSAP audit report in lieu of pre-inspection documents. In some cases, MDSAP certification status exempts a manufacturing site from PMDA inspection entirely.
Exceptions to MDSAP coverage: Certain device types still require direct PMDA inspection regardless of MDSAP certification, including human cells/tissues/cellular and tissue-based products (HCT/Ps) and radioactive IVDs.
QMS inspection applications: PMDA has accepted over 352 QMS inspection applications that utilize MDSAP audit reports (as of data through September 2019), demonstrating significant and growing reliance on MDSAP.
Pre-market and post-market use: Japanese authorities use MDSAP reports for both pre-market and post-market activities, making MDSAP certification particularly valuable for streamlining Japan market access.

MDSAP Program History and Timeline

Year	Milestone
2012	IMDRF inaugural meeting in Singapore; working group appointed to develop MDSAP documents. Pre-pilot project initiated.
2014	MDSAP Pilot officially announced (January). Five countries participate. Mid-Pilot Report published (August).
2015	First B-GMP certificate delivered by ANVISA using MDSAP audit report (November). Health Canada publishes transition plan to replace CMDCAS with MDSAP (December). Japan announces participation (June).
2016	First Canadian medical device licence supported by an MDSAP certificate (January). MDSAP Pilot project review completed (December).
2017	AOs other than CMDCAS registrars allowed to apply (January). Final Pilot Report confirms plan objectives met performance targets (July). MDSAP becomes fully operational.
2019	MDSAP fully replaces CMDCAS — Health Canada mandates MDSAP for all Class II, III, and IV medical device licences (January 1). Affiliate Member category created.
2022	Temporary halt on acceptance of new AO applications (February).
2023	RAC formalizes processes for MDSAP membership. Remote/hybrid audit pilot launched (March).
2024	ANVISA extends B-GMP certificate validity to four years for MDSAP participants (RDC 850/2024, effective April 1).
2025	Remote/hybrid audit procedure (P0036:003) finalized. AO applications reopened with prioritization criteria. SAHPRA and Malaysia MDA join as Affiliate Members. New MDSAP global website launched. MDO participation pilot announced. 2025 MDSAP Forum held in Amsterdam (June).
2026	MDSAP Audit Approach updated to version 010 (February 6) to align with FDA QMSR (effective February 2). QMSR replaces QSR. Health Canada mandates electronic filing via REP/CESG (January/February).

Summary

MDSAP represents the most significant advancement in medical device quality system auditing in decades. By consolidating the audit requirements of five major regulatory authorities into a single program, it reduces the burden on manufacturers while maintaining — and in many cases improving — regulatory oversight.

The keys to success with MDSAP are preparation, understanding of the process-based audit model, and a QMS that genuinely addresses the requirements of each participating country — not just ISO 13485 in isolation. Use the Companion Documents as your guide, invest in thorough gap analysis and internal audits, and choose an auditing organization with the experience and expertise to conduct a fair, thorough assessment.

For companies selling in Canada, MDSAP is not optional. For companies selling in any combination of the five participating countries, it is almost certainly the most efficient path to multi-market quality system compliance. And for any medical device manufacturer committed to building a world-class quality system, the discipline that MDSAP preparation requires will strengthen your QMS in ways that benefit patients, regulators, and your business alike.