MDSAP Audit Preparation: Complete Guide for Medical Device Manufacturers (2026)

What Is MDSAP and Why It Matters in 2026

The Medical Device Single Audit Program (MDSAP) allows a medical device manufacturer to undergo a single regulatory audit that satisfies the quality management system requirements of multiple regulatory authorities simultaneously. Launched as a pilot program in 2014 under the International Medical Device Regulators Forum (IMDRF), MDSAP became fully operational in 2017 and has since grown into the dominant multi-jurisdictional audit mechanism for the medical device industry.

Five regulatory authorities currently participate as full members:

• United States — FDA (Food and Drug Administration)
• Canada — Health Canada (mandatory for Class II, III, and IV devices)
• Brazil — ANVISA (Agencia Nacional de Vigilancia Sanitaria)
• Japan — PMDA/MHLW (Pharmaceuticals and Medical Devices Agency / Ministry of Health, Labour and Welfare)
• Australia — TGA (Therapeutic Goods Administration)

A single MDSAP audit covers ISO 13485:2016 as the foundational quality standard, plus 85 additional country-specific regulatory requirements layered on top — totaling 175 audit tasks across all participating jurisdictions. This means one audit, one auditing organization, and one report can open or maintain market access in five major markets.

Several developments make MDSAP especially relevant in 2026:

• FDA chairs the MDSAP Regulatory Authority Council (RAC) for the 2026-2027 term, and has signaled its intent to expand MDSAP participation across Asia. This leadership role reinforces FDA's commitment to the program and suggests growing influence over its direction.
• Malaysia joined MDSAP as an Affiliate Member in September 2025. The Malaysian Medical Device Authority (MDA) now accepts MDSAP reports and certificates as evidence of QMS compliance for device registration. South Africa's SAHPRA also joined as an Affiliate Member in April 2025, and Singapore's HSA has announced its intent to apply for full membership in the second half of 2026.
• The MDSAP Audit Approach was revised in February 2026 (AU P0002.010), aligning the program with FDA's new Quality Management System Regulation (QMSR). This is the most significant revision in years and directly affects how manufacturers should prepare.
• The CDRH 2025 Annual Report noted that over 1,300 AI-enabled medical devices have been authorized to date, and the program oversaw 25,530 registered device manufacturing firms. By the end of FY2025, 15 Auditing Organizations were recognized under the MDSAP program.

For manufacturers selling in multiple MDSAP markets, preparation is no longer optional — it is a strategic imperative. This guide walks through the updated audit approach, the audit structure, a step-by-step preparation checklist, cost breakdowns, and the most common nonconformities to avoid.

Looking for a comprehensive MDSAP overview? For the full program background, grading system, companion document reference, IVD-specific guidance, and country-specific requirements, see our complete MDSAP guide. This preparation guide focuses on the 2026 audit approach revision and actionable preparation steps.

The 2026 MDSAP Audit Approach Update (AU P0002.010)

On February 2, 2026, IMDRF released a revised MDSAP Audit Approach document (MDSAP AU P0002.010), carrying a revision date of February 6, 2026. Its release coincides precisely with the FDA QMSR effective date of February 2, 2026 — the day FDA's Quality Management System Regulation formally replaced the legacy Quality System Regulation (21 CFR Part 820) and incorporated ISO 13485:2016 by reference.

This is not a routine update. The revision represents meaningful changes in audit expectations that manufacturers must understand before their next MDSAP cycle.

Key Changes in the 2026 Revision

1. FDA QSR references removed throughout. All references and citations to the legacy Quality System Regulation (21 CFR Part 820) have been removed from the audit approach. They are replaced with QMSR-aligned language that emphasizes ISO 13485 as the foundational structure. This is more than a terminology swap — it signals that auditors will now evaluate your ISO 13485-compliant processes while verifying FDA-specific supplemental requirements only where they still exist (such as unique labeling and record-keeping rules).

2. Audit Model and Process Companion consolidated into a single unified document. Previously, the MDSAP audit approach was split across two documents: the Audit Model and the Process Companion. AU P0002.010 merges them into one, improving navigation, usability, and audit consistency.

3. Reinforced risk-based, process-driven audit methodology. The revision strengthens the emphasis on evaluating how quality processes function collectively across the total product lifecycle, rather than checking individual subsystems in isolation.

4. Clearer task-level guidance across the full audit cycle. Each of the 175 audit tasks now has more precise assessment criteria, making it easier for manufacturers to anticipate what auditors will examine and prepare evidence accordingly.

5. PCCP (Predetermined Change Control Plans) explicitly addressed. For the first time, the Audit Approach includes guidance on FDA's Predetermined Change Control Plans in Chapter 2, Task 3 — Notification of Changes to Marketed Devices or to the QMS. Auditors are now tasked with verifying that software modifications remain within the boundaries of an FDA-cleared PCCP and that change control SOPs specifically address how those boundaries are maintained. This is particularly relevant for AI-enabled devices and Software as a Medical Device (SaMD).

6. Updated adverse event reporting and device change notification requirements. The revision incorporates jurisdiction-specific regulatory changes that have matured since 2024, including Brazil's ANVISA updates (RDC 751/2022 and RDC 830/2023 replacing older regulations).

7. Records review expanded for U.S. compliance. Internal audit reports, supplier audit reports, and management review records are now reviewed in the context of U.S. regulations, consistent with the updated FDA Inspection Guide under Compliance Program 7382.850.

8. Document library moved to mdsap.global. MDSAP documents are no longer hosted on the FDA website. They have migrated to the dedicated MDSAP platform at mdsap.global, managed by Australia's TGA. Manufacturers should bookmark this new location and update any internal links.

What This Means for Manufacturers

The practical implication is clear: companies that continue to manage ISO 13485 compliance and FDA compliance as separate, parallel efforts will encounter challenges during audit preparation and execution. The revised audit approach expects that your ISO 13485 processes clearly support FDA requirements rather than operating as duplicative systems. If your internal audit procedures and checklists still reference QSR language and clause numbers, they need to be updated to reflect process-based assessment criteria consistent with the revised approach.

MDSAP Audit Structure: The 7 Processes

MDSAP audits follow a structured three-year certification cycle designed to provide ongoing oversight of your quality management system.

The 3-Year Audit Cycle

1. Initial Certification Audit (Year 1) — Composed of two stages:
   • Stage 1: Documentation review. The auditor examines your QMS documentation to assess readiness for the full audit.
   • Stage 2: On-site or remote assessment (conducted at least 30 days after Stage 1). This is the main body of the audit, where auditors evaluate process implementation against ISO 13485 and country-specific requirements.
2. Annual Surveillance Audits (Year 1 follow-on and Year 2) — Shorter audits that verify continued conformity and check on corrective actions from previous findings.
3. Recertification Audit (Year 3) — A comprehensive audit similar in scope to the initial certification, required before the certificate expires.

The 7 Audit Processes

MDSAP organizes the audit around seven process areas — four primary and three supporting. Each process contains specific tasks mapped to ISO 13485 clauses and country-specific requirements.

Primary Processes:

1. Medical Device Authorization and Registration — Covers regulatory submissions, licensing, registration, and listing requirements across all five jurisdictions. Auditors verify that devices are properly authorized in each target market.

2. Quality Management System — Evaluates management responsibility, quality policy, quality planning, organizational structure, resource management, infrastructure, and work environment. This process also covers document control, record keeping, and internal audits.

3. Measurement, Analysis, and Improvement — Assesses how the organization monitors, measures, analyzes, and improves its QMS. This includes customer feedback, data analysis, internal audits, nonconformity management, corrective and preventive action (CAPA), and continual improvement.

4. Design and Development (if applicable) — Reviews design controls, design inputs and outputs, design verification and validation, design transfer, design changes, and the design history file. This process is only audited if the manufacturer has design responsibility.

Supporting Processes:

5. Purchasing and Supplier Controls — Evaluates supplier qualification, evaluation, monitoring, purchasing data, verification of purchased product, and outsourced process controls. Critical suppliers receive particular scrutiny.

6. Production and Process Controls — Assesses manufacturing controls, process validation, equipment calibration, product identification and traceability, handling and storage, and delivery. Special processes such as sterilization or welding require documented validation.

7. Complaint Handling, Vigilance, and Post-Market Surveillance — One of the most heavily audited areas. Covers complaint intake, evaluation, investigation, adverse event reporting, advisory notices, and post-market surveillance activities across all jurisdictions.

Across all seven processes, the audit includes 90 tasks derived from ISO 13485 plus 85 country-specific tasks, totaling 175 audit tasks. Each task links to specific ISO 13485 clauses and applicable national regulations.

MDSAP Audit Preparation Checklist: Step-by-Step

Effective MDSAP preparation requires a structured, months-long effort. The following ten-step checklist is designed to guide your team from initial assessment through audit readiness.

Step 1: Review the MDSAP Audit Approach Document (AU P0002.010)

Download the latest revision from mdsap.global (the document library is no longer hosted on the FDA website). Distribute the document to your quality, regulatory, and compliance teams. Keep highlighted copies accessible for reference during preparation.

Pay particular attention to:

• The consolidated task-level guidance and how tasks link across processes
• The updated U.S. regulatory references (QMSR-aligned, not QSR)
• The new PCCP-related guidance in Chapter 2, Task 3, if you manufacture AI-enabled or software devices
• Updated Brazil-specific references (RDC 751/2022, RDC 830/2023)

Step 2: Conduct a Comprehensive Gap Analysis

Map your existing QMS to both ISO 13485:2016 and all five country-specific regulatory requirements. Do not assume that ISO 13485 compliance alone is sufficient — the 85 additional country-specific tasks are where many manufacturers encounter surprises.

Focus your gap analysis on these high-risk areas:

• Risk management (ISO 14971) — Is risk management integrated throughout your QMS or siloed in a separate function?
• Design controls — Is there full traceability from design inputs through verification, validation, and risk management?
• CAPA effectiveness — Can you demonstrate data-driven corrective action decisions with verified effectiveness?
• Supplier qualification — Are critical suppliers qualified, evaluated, and monitored with documented criteria?

Use the QMSR gap analysis approach: start with ISO 13485 as your base, then layer in FDA-specific additions (such as records accessibility, labeling controls, and UDI requirements). The revised audit approach expects this integrated structure.

Step 3: Strengthen Your Risk Management Framework

Risk management is not a standalone process under MDSAP — it must be integrated throughout your entire QMS. Auditors will evaluate how risk management connects to design decisions, process validations, supplier controls, complaint handling, and post-market surveillance.

Key actions:

• Align your risk management process with ISO 14971:2019
• Ensure risk files link clearly to design decisions and validation results
• Verify that risk assessments are updated throughout the product lifecycle, not just during initial design
• Document risk acceptability criteria and ensure they are consistently applied

A common failure mode: using risk priority numbers (RPNs) as a justification not to take corrective actions. If your risk files show repeated high-RPN findings with no corresponding action, auditors will flag this as a nonconformity.

Step 4: Audit Your CAPA System

CAPA effectiveness is consistently one of the most common MDSAP findings — and the most common FDA inspection observation industry-wide for over a decade. Your CAPA system must demonstrate systematic, data-driven corrective and preventive action.

Critical areas to verify:

• Separate corrective action (reactive) from preventive action (proactive) — Many organizations conflate the two, which auditors will flag
• Root cause analysis thoroughness — Weak root cause analysis is the single most common MDSAP nonconformity. Use structured tools (5 Whys, fishbone diagrams, Pareto charts) and document the analysis rigorously
• Effectiveness verification — Implementing a corrective action is not enough. You must demonstrate objective evidence that the action resolved the root cause and prevented recurrence
• Trending analysis — Aggregate root cause categories over time. If the same root cause appears in three separate CAPAs, your system should identify this pattern and trigger systemic action
• Data-driven decisions — CAPA actions should be proportional to the risk and supported by data, not arbitrary

Step 5: Verify Design Controls and Documentation

If your company has design responsibility, this process area carries high audit risk. Auditors will trace a product from initial concept through market release, examining every link in the chain.

Ensure you have documented evidence for:

• Design inputs leading to design outputs with clear traceability
• Design verification confirming outputs meet inputs
• Design validation confirming the device meets user needs and intended uses
• Risk management activities integrated at each design phase
• Design reviews at appropriate stages with documented decisions
• Complete Medical Device File (MDF) containing all product documentation

Under QMSR, the Device Master Record (DMR) concept is incorporated into the MDF framework. Ensure your product documentation structure reflects this alignment.

Step 6: Tighten Supplier and Purchasing Controls

Critical suppliers and outsourced processes receive deep scrutiny during MDSAP audits. Your supplier management system must demonstrate a closed-loop process from qualification through ongoing monitoring.

Verify that you have:

• Documented supplier evaluation criteria (quality, delivery, risk)
• Qualified supplier lists with evidence of initial assessment
• Ongoing monitoring data (supplier scorecards, incoming inspection trends, audit results)
• Supplier agreements defining quality expectations, notification requirements for changes, and right-to-audit clauses
• Specific controls for outsourced manufacturing, testing, and sterilization processes
• Records of supplier audits, including any corrective actions requested and verified

Step 7: Prepare Production and Process Controls

Auditors will verify that you build your product consistently under controlled conditions. Operators may be interviewed during the audit — their responses must match what is documented in their training records.

Key preparation areas:

• Documented manufacturing procedures and work instructions accessible at point of use
• Process validation records for special processes (sterilization, welding, molding, sealing) including IQ/OQ/PQ protocols and reports
• Equipment calibration records current and within validity dates
• Environmental controls documented and monitored where required
• Product identification and traceability maintained throughout production
• Training records that match actual operator responsibilities and tasks

Step 8: Labeling and Regulatory Compliance

Labeling errors can trigger serious nonconformities. Under MDSAP, your labeling must comply with the regulatory requirements of each participating country where your devices are sold.

Check that:

• Labeling matches the regulatory status in each MDSAP country
• UDI requirements are met per jurisdiction (FDA UDI, Health Canada UDI, Japan UDI/PMDA, etc.)
• Language requirements are satisfied for each market (Japanese labeling for Japan, Portuguese for Brazil)
• Instructions for Use (IFU) are current and version-controlled
• Promotional materials do not make claims beyond the cleared or approved intended use

Step 9: Complaint Handling and Post-Market Surveillance

This is one of the most heavily audited areas in MDSAP. Auditors expect to see a closed-loop system — not just logged complaints, but evaluated, investigated, and resolved cases with documented outcomes.

Ensure your system includes:

• Defined intake, evaluation, and investigation procedures for all complaints
• Clear criteria for determining when a complaint constitutes an adverse event
• Adverse event reporting procedures that address the different requirements across all five countries (FDA Medical Device Reporting, Health Canada mandatory problem reporting, ANVISA event notifications, PMDA adverse event reporting, TGA adverse event reporting)
• Trend analysis using appropriate statistical methods to detect recurring quality problems
• Documented linkages between complaint data, CAPA decisions, and risk management updates
• Post-market surveillance plans that go beyond reactive complaint handling to include proactive data collection

Step 10: Internal Audit Readiness Check

Conduct a comprehensive internal audit that follows the MDSAP process sequence — not just the ISO 13485 clause structure. MDSAP auditors evaluate processes, not clauses, and your internal audit should mirror this approach.

Verify the following during your internal audit:

• Management review effectiveness — minutes should show real decisions and actions, not just formal notes
• Data analysis processes feeding into continual improvement
• Document control consistency across all sites within the audit scope
• Training competence for all personnel involved in audited processes
• Audit teams are trained on MDSAP audit behavior, communication, and evidence presentation

Train your teams on how to respond during the audit. Personnel should understand their roles, know where relevant documentation is located, and be prepared to explain their processes clearly and honestly. Coaching on audit communication prevents the most common self-inflicted problems.

MDSAP Audit Cost Breakdown

MDSAP represents a significant investment, but one that typically pays for itself through eliminated redundant audits and streamlined market access. The following table provides estimated cost ranges based on industry data and publicly available information.

Costs vary based on the number of manufacturing sites, device complexity, scope of design activities, and the number of jurisdictions included in the audit. Organizations with multiple sites or complex product lines will fall at the higher end of these ranges.

For context, Sternberg Consulting reported that one manufacturer was charged approximately $5,250 per audit day for 7.5 days — totaling roughly $40,000 per year for audits covering CE Marking, ISO 13485:2016, and MDSAP combined. Bundling MDSAP with other certifications through the same auditing organization can yield significant efficiencies.

MDSAP vs. Standalone Audits: Cost Savings

The true value of MDSAP becomes clear when comparing it to the cost of conducting individual country audits. Without MDSAP, a manufacturer selling into all five markets would need to undergo separate quality system evaluations for each jurisdiction.

Over a five-year period, eliminating redundant audits through MDSAP can save an estimated $50,000–$200,000 compared to conducting individual country audits. Beyond direct cost savings, MDSAP reduces audit fatigue, minimizes production disruptions, and provides a unified compliance narrative across all five markets.

Common MDSAP Nonconformities and How to Avoid Them

Understanding the most frequent audit findings allows you to target your preparation efforts where they matter most. According to SAI Global audit data and industry experience, the three most common nonconformity areas are document control and documentation errors, risk management and risk-based thinking, and purchasing and supplier control. The following expanded top-ten list draws on those findings and additional publicly available audit data:

1. Weak root cause analysis in CAPA. The single most common finding across MDSAP audits. Investigations that stop at symptoms rather than identifying true root causes lead to ineffective corrective actions and recurring problems. Use structured RCA tools and document the analysis rigorously.

2. Inadequate risk management integration. Risk management treated as a standalone exercise rather than an integrated element of design, production, supplier management, and post-market surveillance. Risk files must be living documents connected to actual process and product data.

3. Complaint handling not closed-loop. Complaints that are logged but not evaluated, investigated, or resolved. Auditors expect to see each complaint traced from intake through disposition, with documented rationale for decisions.

4. Design traceability gaps. Missing links between design inputs, outputs, verification, validation, and risk management. The design history file should tell a complete, connected story.

5. Supplier qualification deficiencies. Critical suppliers lacking documented qualification, ongoing evaluation, or current audit records. Outsourced processes without adequate controls are a frequent finding.

6. Training records do not match actual responsibilities. Operators performing tasks for which no training record exists, or training records that are outdated relative to current procedures. This is often uncovered during auditor interviews with production personnel.

7. Document control inconsistencies across sites. Different versions of procedures in use at different locations, or unapproved documents in circulation. Multi-site organizations are particularly vulnerable.

8. Inadequate management review effectiveness evidence. Management review minutes that document meeting occurrence but not meaningful decisions, actions, or resource allocations. Auditors look for evidence that management review drives actual improvement.

9. Separating CAPA vs. preventive action improperly. Organizations that lump all actions under "corrective" or fail to distinguish between reactive corrections and proactive prevention. ISO 13485 and MDSAP expect both to be addressed systematically.

10. Misusing risk files to avoid taking timely corrective actions. Using risk acceptance criteria or risk priority numbers as justification for inaction. If a risk is identified, the organization must demonstrate that it has been evaluated and addressed appropriately — not simply accepted without analysis.

Choosing an MDSAP Auditing Organization (AO)

Only Auditing Organizations recognized by MDSAP can conduct MDSAP audits. The current list of recognized AOs is available at mdsap.global. As of early 2026, the following organizations are among those authorized to conduct MDSAP audits:

• SGS (United Kingdom / global)
• BSI Group (United Kingdom / United States)
• TUV SUD (Germany / global)
• TUV Rheinland (Germany / global, with offices in the US, China, Japan, and Poland)
• NSF International (United States / global)
• GMED / LNE (France, with offices in the US)
• Intertek (United States / global)
• DNV (Norway / global, including DNV Product Assurance AS and DNV MEDCERT GmbH)
• DEKRA Certification (Netherlands / Germany)
• DQS Medizinprodukte (Germany)
• IMQ (Italy)

Factors to consider when selecting an AO:

• Experience with your device type — An AO with sector-specific expertise (orthopedics, cardiovascular, IVD, software) will conduct a more efficient and relevant audit.
• Geographic coverage — If you have manufacturing sites in multiple countries, confirm the AO can audit all locations.
• Scheduling availability — MDSAP AOs have limited capacity. Begin the selection process 6-12 months before your target audit date.
• Cost and fee structure — Request detailed quotes that break down audit days, travel costs, and any additional fees for multiple jurisdictions or sites.
• Bundling options — Some AOs offer combined audits covering MDSAP, ISO 13485, CE marking (MDR/IVDR), and other certifications, which can reduce total cost and audit days.

Key Takeaways

• MDSAP in 2026 is evolving. The February 2026 revision (AU P0002.010) removed all legacy QSR references, consolidated the Audit Model and Process Companion into a single document, and explicitly addressed PCCPs for AI/software devices. Your preparation materials must reflect these changes.
• QMSR alignment is now expected. FDA's QMSR, effective February 2, 2026, incorporates ISO 13485:2016 by reference. MDSAP auditors will evaluate your QMS through an ISO 13485-first lens with FDA-specific supplements — not as parallel compliance systems.
• Preparation must be process-based. MDSAP audits evaluate seven interconnected processes, not isolated ISO clauses. Your internal audits, gap analyses, and readiness checks should follow the same process-driven approach.
• CAPA and risk management are the highest-risk areas. Weak root cause analysis and inadequate risk management integration are the most common nonconformities. Invest disproportionate preparation effort here.
• The program is expanding. With Malaysia and South Africa as Affiliate Members, Singapore applying for full membership, and FDA chairing the RAC through 2027, MDSAP's value proposition will only grow.
• MDSAP saves money over the long run. Despite the upfront investment of $50,000–$175,000 over three years, MDSAP eliminates redundant audits and can save $50,000–$200,000 over five years compared to individual country audits.
• Document location has changed. MDSAP documents have moved from the FDA website to mdsap.global. Update your bookmarks and internal references.

Frequently Asked Questions

Is MDSAP certification mandatory?

It depends on the market. MDSAP certification is mandatory for Health Canada for all Class II, III, and IV medical device licenses (since January 1, 2019). For the US, MDSAP is voluntary but FDA accepts MDSAP audit reports as a substitute for routine inspections. For Australia, Brazil, and Japan, MDSAP is recognized and can streamline regulatory processes but is not strictly mandatory. For manufacturers selling in multiple MDSAP markets, participation is highly recommended.

How long does MDSAP certification take?

Initial MDSAP certification typically takes 3-6 months from the start of preparation through certificate issuance. The audit itself consists of Stage 1 (documentation review) and Stage 2 (on-site or remote assessment, at least 30 days after Stage 1), typically totaling 5-10 on-site audit days depending on organizational complexity, number of sites, and scope of activities.

Does MDSAP replace ISO 13485 certification?

No. MDSAP is built on ISO 13485:2016 as its foundation, plus country-specific regulatory requirements. An MDSAP certificate can serve as evidence of ISO 13485 compliance, but they are not the same thing. Many manufacturers choose to maintain both MDSAP and standalone ISO 13485 certificates for markets not covered by MDSAP. Some auditing organizations offer combined MDSAP/ISO 13485 audits to address both needs simultaneously.

What happened with the 2026 MDSAP update?

The February 2026 revision (MDSAP AU P0002.010) represents the most significant update in several years. Key changes include: removal of all FDA QSR references in favor of QMSR/ISO 13485 alignment; consolidation of the Audit Model and Process Companion into a single unified document; explicit guidance on FDA's Predetermined Change Control Plans (PCCPs) for AI/software devices; expanded records review for U.S. compliance; updated Brazil-specific regulatory references; and migration of the document library from the FDA website to mdsap.global.

Can MDSAP certification replace FDA inspections?

MDSAP can substitute for routine FDA inspections. Manufacturers with valid MDSAP certificates are generally not subject to routine CGMP inspections. However, FDA retains full statutory authority to conduct for-cause inspections, pre-approval inspections, follow-up inspections, and inspections related to Electronic Product Radiation Control (EPRC) provisions. Critically, FDA investigators are not bound by MDSAP sampling methods, audit depth, or task sequencing — they may pursue any line of inquiry necessary to evaluate U.S. compliance. A successful MDSAP audit does not guarantee immunity from FDA enforcement action.

What is the difference between MDSAP Affiliate Members and full members?

Full MDSAP members (FDA, Health Canada, ANVISA, PMDA/MHLW, and TGA) are Participating Regulatory Authorities that have voting rights on the Regulatory Authority Council and directly shape MDSAP policy. Affiliate Members — such as Malaysia (since September 2025) and South Africa (since April 2025) — can accept MDSAP reports and certificates for their regulatory purposes but do not have the same governance role. Affiliate membership still provides meaningful market access benefits for manufacturers.

How should we update our documentation for the 2026 revision?

Start by auditing your internal audit procedures and checklists for outdated QSR references and clause numbers. Update them to reflect process-based assessment criteria consistent with the revised audit approach. For AI-enabled devices or anything covered by a PCCP, ensure your change control SOP explicitly addresses PCCP boundaries. Scrub controlled documents for outdated regulatory references — for example, Brazil's RDC 36/2015 is now RDC 830/2023, and RDC 40/2015 is now RDC 751/2022. Issue change orders to bring all documentation current before your next audit.