MDSAPMedical Device Single Audit Program

The Medical Device Single Audit Program is a third-party audit programme developed by the International Medical Device Regulators Forum (IMDRF) that allows a single regulatory audit, performed by an MDSAP-recognised Auditing Organisation (AO), to satisfy the regulatory audit requirements of multiple participating jurisdictions in parallel. Today, five regulators participate: FDA (United States), Health Canada (Canada), TGA (Australia), ANVISA (Brazil) and PMDA (Japan). Several observer regulators participate (MHRA, EU, WHO, Singapore HSA) but do not currently accept MDSAP reports for their own conformity decisions.

MDSAP does not replace the regulatory framework of any participating regulator — devices still need FDA 510(k) / De Novo / PMA clearance, Health Canada device licences, ANVISA registration, TGA inclusion on the ARTG, PMDA approval. What MDSAP replaces is the QMS audit that each regulator would otherwise perform separately. The participating AO conducts one integrated audit against the MDSAP Audit Model — which is ISO 13485:2016 plus jurisdiction-specific add-ons — and issues one audit report distributed to all five regulators.

MDSAP is mandatory in Canada — Health Canada requires a valid MDSAP certificate as a condition of Class II, III and IV Medical Device Licences since 1 January 2019; manufacturers without MDSAP cannot legally place devices on the Canadian market. FDA accepts MDSAP audit reports in lieu of routine surveillance inspections (For-Cause and Compliance Follow-up inspections continue to be conducted by FDA itself). TGA, ANVISA and PMDA each accept MDSAP reports as part of their conformity assessment process — substituting for their own audits in defined ways.

For a manufacturer selling into all five jurisdictions, the consolidation is substantial — one audit per year (or per 3-year recertification cycle, with annual surveillance) instead of five separate regulatory audits with overlapping but differently-structured scopes. For a manufacturer selling only into the US, MDSAP is optional today; it can still be valuable because (a) it gives ~3-year visibility on inspection cadence (whereas FDA routine surveillance is unpredictable), (b) it forces an externally-audited QMS rigour that reduces 483 risk during any subsequent FDA inspection, and (c) it positions the manufacturer for expansion.

The QMSR transition (21 CFR 820 amendment, effective 2 February 2026) integrates ISO 13485:2016 by reference into the US regulation — bringing the substantive content of FDA's QMS regulation into line with the global standard. MDSAP, which already uses ISO 13485 as its spine, becomes even more directly aligned with FDA expectations. The MDSAP Audit Model is being updated to reflect QMSR; manufacturers should track AO communications.

MDSAP audits are conducted by Auditing Organisations (AOs) that have been recognised by the participating regulators after rigorous assessment (witnessed audits, qualification review, ongoing surveillance). The current AO list includes the major medical-device certification bodies — BSI, TÜV SÜD, TÜV Rheinland, DEKRA, DNV, SGS, Intertek, Underwriters Laboratories (UL), NSF, KIWA, and several others. The full current list is maintained by the FDA on the MDSAP programme pages. A manufacturer contracts directly with one AO; the AO performs the audit, issues the report and the MDSAP certificate, and distributes the report to the five participating regulators.

Critical: only the audit is consolidated — the AO must be recognised by every regulator the manufacturer wants the audit to count for. AOs publish their MDSAP recognition scope (which regulators, which device categories). The manufacturer's quality team should verify the recognition scope when selecting the AO.

The MDSAP Audit Model (AU P0002) and its Companion Document (AU G0002) structure the audit into seven processes plus four supporting processes. The model is published, public and prescriptive — audit tasks are listed in detail with the regulatory linkage explicit per task per regulator. Manufacturers preparing for MDSAP should structure evidence by Audit Model chapter; AOs work the model task-by-task.

1. Chapter 1 — Management — Management responsibility, quality policy, planning, responsibility, authority, communication, management review (the entry point of every MDSAP audit).
2. Chapter 2 — Measurement, Analysis and Improvement — Monitoring, measurement, control of nonconforming product, data analysis, internal audit, improvement.
3. Chapter 3 — Medical Device Adverse Events and Advisory Notices Reporting — Jurisdiction-specific reporting (FDA MDR 21 CFR 803, Health Canada Mandatory Problem Reports, TGA RIAR, ANVISA Tecnovigilância, PMDA reporting).
4. Chapter 4 — Management of Resources / CAPA — Resource management plus the CAPA process. CAPA is the most frequently cited MDSAP chapter; AOs sample multiple CAPAs end-to-end.
5. Chapter 5 — Design and Development — ISO 13485 §7.3 design controls, design transfer, design changes, the DHF.
6. Chapter 6 — Production and Service Controls — Production planning, control of production equipment, validation of processes, identification and traceability, customer property, preservation, control of monitoring and measuring equipment.
7. Chapter 7 — Purchasing — Supplier evaluation and selection, purchasing information, verification of purchased product, supplier audit, supplier-control adequacy.

Supporting processes also assessed: Risk Management (ISO 14971 integration), Documents and Records (control of documents + records), Customer-Related Processes (contract review, customer feedback), Device Marketing Authorisation and Facility Registration (jurisdiction-specific registrations).

The MDSAP audit cycle is three years: an initial certification audit (Stage 1 documentation review + Stage 2 on-site assessment), followed by surveillance audits in years 2 and 3 (each typically smaller in scope, covering selected processes), and a recertification audit at the end of year 3 (covering the full Audit Model). Audit duration depends on the manufacturer's scope (sites, device categories, headcount, complexity); the AO calculates audit time per IAF MD 9 and MDSAP-specific tables. A typical small manufacturer might see 5-8 days for an initial certification; large multi-site manufacturers can see 20+ days.

Findings are classified per Grade 1 (one-off non-conformity) through Grade 5 (systemic, with public-health implications). Grade 4 and 5 findings trigger immediate notification to the regulators by the AO; Grade 5 can trigger an unannounced regulator inspection or import alert. The manufacturer must respond with root-cause analysis and CAPA per the grading-specific timelines. The five regulators each have their own consequence framework for findings on top of the AO's.

• FDA — 21 CFR Part 11 (electronic records and signatures), Part 803 (MDR reporting), Part 806 (corrections and removals), Part 821 (tracking for certain implantables), Part 822 (post-approval studies), Part 830 (UDI). QMSR alignment from 2 Feb 2026 changes the substantive QMS overlay.
• Health Canada — Canadian Medical Devices Regulations (CMDR) including problem reporting (s. 59 / 60), recall (s. 64 / 65), distribution records (s. 55 / 56), MDEL holders for importer / distributor activity.
• TGA (Australia) — Therapeutic Goods (Medical Devices) Regulations 2002, Essential Principles, Conformity Assessment Procedures, Adverse Event Reporting (RIAR), recalls (Uniform Recall Procedure).
• ANVISA (Brazil) — RDC 665/2022 (Boas Práticas de Fabricação), RDC 67/2009 (post-market vigilance — Tecnovigilância), RDC 16/2013 (notification of product changes), specific labelling rules in Portuguese.
• PMDA / MHLW (Japan) — Pharmaceutical and Medical Device Act (PMD Act) including MHLW Ordinance 169 (QMS), GVP Ordinance (Good Vigilance Practice) and the marketing authorisation holder (MAH) requirement.

MDSAP audits are not the place to discover that the QMS has drifted. A productive 90-day readiness drill:

1. Map every QMS deliverable to the MDSAP Audit Model chapter and task — produce an evidence index per task.
2. Run a full internal audit using the MDSAP Audit Model as the audit programme (not the manufacturer's own checklist). Track findings to closure before the AO arrives.
3. Sample 5-10 CAPAs end-to-end against the AO's expected sampling: problem statement, investigation, root cause, corrective and preventive actions, effectiveness verification, closure. AOs almost always sample CAPAs; weak CAPAs are the most common Grade 3+ finding.
4. Validate the complaint-to-vigilance reporting chain for each jurisdiction — pick a recent complaint of borderline reportability per regulator and confirm the decision was documented per the jurisdiction-specific rule with the correct clock.
5. Verify supplier-control records — critical supplier list current, recent audits documented, supplier-quality-agreement on file for every critical supplier.
6. Refresh management-review records — agenda hits every required input per ISO 13485 §5.6, outputs include decisions on improvement, action items have owners and dates, attendance records signed.
7. Refresh training records — every operator trained on every relevant current SOP; training matrix complete; effectiveness verification documented for safety-critical training.
8. Confirm UDI / labelling / registration records current for every device in scope of the audit per each jurisdiction.
9. Brief the front-line operators on what an AO interview looks like — what's expected, what to say (and not say), how to surface the evidence.
10. Pre-stage the audit room — internet, printer, projector, controlled documents on demand, knowledgeable subject-matter experts on call.

• CAPA effectiveness check missing or superficial; root cause shallow (operator-blame, training-as-fix without design analysis).
• Adverse-event reporting decision not documented per jurisdiction-specific criteria; report not filed within the regulator's clock.
• Supplier-control records out of date; critical supplier audit overdue; supplier-quality-agreement missing or stale.
• Internal-audit programme incomplete — not all QMS processes audited within the planned interval; findings open beyond the closure target.
• Management review minutes do not document every required input or fail to evidence management-derived improvement decisions.
• Design-history file gaps — design-change records do not show full impact assessment or validation closure.
• Process validation records — IQ/OQ/PQ — incomplete or revalidation overdue after a material change.
• Document control — obsolete versions in use at the line; document index inconsistent with the controlled storage system.
• Training records incomplete; training effectiveness not evidenced for safety-critical procedures.
• Software / electronic records — 21 CFR Part 11 / Annex 11 gaps in audit-trail review, e-signature controls, validation evidence.
• Risk-management file not updated post-launch with field data per ISO 14971 §10.
• UDI assignment / placement non-compliant; GUDID / EUDAMED / HC LMR / TGA / ANVISA / Japan registry not maintained.
• Complaint-handling records do not capture sufficient information per ISO 13485 §8.2.2 — initial complaint description, investigation results, corrective actions, manufacturer-determined reportability.
• Post-market surveillance plan absent or not updated per current device portfolio.

• MDSAP Audit Model task coverage (% of tasks with mapped evidence current within 12 months).
• Internal-audit coverage of the Audit Model (last-12-month coverage vs total task count).
• CAPA cycle time and effectiveness-verification closure rate.
• Vigilance / MDR / problem-report on-time rate per jurisdiction.
• Critical-supplier audit on-time rate; supplier quality-agreement currency.
• Document-control accuracy at the line (line-walk findings per 100 documents sampled).
• Management-review on-time rate; action-item closure rate.
• Training-record completeness and effectiveness verification.
• Audit-finding rate (per audit and per chapter); grade distribution; time-to-closure by grade.
• Recertification readiness scorecard (rolling) — green / amber / red per chapter.

On 31 January 2024 the FDA published the Quality Management System Regulation (QMSR) final rule, amending 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference and adds FDA-specific requirements that remain in US regulation (records, labelling, UDI integration, Part 11, MDR/803 etc.). Effective 2 February 2026. For MDSAP, the practical impact is alignment — the MDSAP Audit Model already used ISO 13485 as its spine, so QMSR pulls the FDA overlay closer to the existing MDSAP audit script. Manufacturers should expect updates to the MDSAP Audit Model (Companion Document) to reflect QMSR vocabulary, and FDA guidance documents will be retired or updated. The substantive QMS expectations remain — the changes are largely vocabulary, structure and reduced duplication.

V5 Ultimate maps every QMS workspace to the MDSAP Audit Model task list — management, M&I, vigilance, CAPA, design, production, purchasing, plus the supporting processes. Each task is backed by an evidence index that pulls the current controlled document, the most recent execution record, the last internal-audit closure and any open findings. Coverage gaps are flagged before the AO's documentation request lands.

The vigilance module enforces the jurisdiction-specific clocks — FDA MDR 21 CFR 803, Health Canada Mandatory Problem Reports, TGA RIAR, ANVISA Tecnovigilância, PMDA reporting — with separate clocks per jurisdiction per device, and routing to the local responsible person. Every reportability decision is documented per the jurisdictional criteria with two-person e-signature for traceability.

Internal audits can be executed using the MDSAP Audit Model itself as the audit programme — every task is a row, every finding maps to a CAPA, every CAPA tracks through to effectiveness verification. The audit-history dashboard surfaces what the AO is likely to sample (oldest evidence, recent CAPAs, recent complaints, recent design changes, recent supplier changes) so the team can pre-walk the records before the audit week.

AO-portal export packages assemble automatically — the AO's required pre-audit documentation request becomes a one-click PDF + structured-data bundle, with all controlled documents at their current effective version. Findings logged during the audit are captured directly into the CAPA system with the AO's grade, the regulator distribution and the response deadline tracked through to closure. Recertification readiness is a rolling dashboard — green / amber / red per chapter — that surfaces drift months before the next AO visit.