MDSAP Audits: No More Secrets for your Certification

MDSAP is one of the most important certifications in the medical device field, and in some countries obtaining an MDSAP certificate is a prerequisite for marketing medical devices locally. In this article, we will explore the MDSAP audit and its related certification in depth, covering all aspects of the process, from audit preparation to the use of the MDSAP certificate.

Introduction

MDSAP stands for Medical Device Single Audit Program. It refers to a certification obtained following an audit that demonstrates compliance with the regulatory requirements of multiple countries, including:

  • Australia
  • Brazil
  • Canada
  • Japan
  • United States.

Under the MDSAP framework, a recognized Auditing Organization (AO) performs a single regulatory audit of a medical device manufacturer, which is accepted by the participating Regulatory Authorities (RAs) as evidence of compliance with their respective requirements.

MDSAP audits are conducted by Auditing Organisation towards manufacturer seeking for MDSAP certification is issued by Auditing Organizations (AOs) that have been thoroughly assessed and authorized by a competent Regulatory Authority (RA) to conduct audits and issue MDSAP certificates following the successful completion of the certification process.

Structure of the Audit

The structure of MDSAP audits closely resembles that of a traditional ISO certification audit for medical device organizations, with a two-stage approach designed to ensure full compliance with regulatory requirements across all participating countries.

Stage 1: This is the preliminary assessment, during which the manufacturer’s readiness for the MDSAP audit is evaluated. Any gaps, deficiencies, or potential non-conformities that could prevent the issuance of the certificate are identified at this stage. The manufacturer is expected to address and resolve these issues before proceeding to Stage 2, ensuring that the organization is adequately prepared for a comprehensive evaluation.

Stage 2: This is the main audit, conducted on the manufacturer’s entire quality management system. During Stage 2, the audit team evaluates the organization against the regulatory and quality requirements of all participating MDSAP countries. Any non-conformities identified during this stage must be addressed and corrected before certification can be granted.

After all Stage 2 non-conformities have been resolved, the audit report undergoes a thorough review. If no outstanding issues remain, the single audit program certificate is formally issued. The certificate is valid for three years, during which annual surveillance audits are conducted to ensure continued compliance with the regulatory requirements and the quality management system. This structured approach ensures that medical device manufacturers maintain a high level of quality and regulatory conformity over time.

Exclusion of one or more MDSAP Countries

In certain cases, a medical device manufacturer may choose to exclude one or more participating MDSAP countries from the scope of their audit. This means that the audit and resulting certificate will cover only the selected countries, and compliance with the regulatory requirements of the excluded countries will not be assessed. Such exclusions can be strategic, for example, if the manufacturer does not intend to market their products in those countries, or if specific regulatory requirements make inclusion unnecessary or impractical. It is important to note that any exclusions must be clearly documented in the audit plan and agreed upon with the Auditing Organization (AO) before the audit begins, as they directly affect the scope and validity of the resulting MDSAP certificate.

The structure of the MDSAP Regulation

MDSAP is largely based on the requirements of ISO 13485, and its audit structure focuses on key processes that are already central to a compliant quality management system. These include Risk Management, Management Responsibility, Measurement, Analysis and Improvement, Design and Development, Production and Service Provision, and Purchasing.

In addition to these standard ISO 13485 processes, this single audit program introduces further regulatory-specific requirements that significantly expand the audit scope. In particular, manufacturers must demonstrate compliance with Device Marketing Authorization and Facility Registration requirements, as well as robust systems for Medical Device Adverse Events and Advisory Notice Reporting.

A distinctive feature of MDSAP audits is the strong emphasis placed on the review of marketing authorization processes and post-market surveillance activities. This includes the management and reporting of adverse events, serious incidents, recalls, and field safety corrective actions. Manufacturers are required to maintain detailed, country-specific procedures for each jurisdiction within the single audit program scope, along with comprehensive records demonstrating consistent implementation. This level of detail ensures that regulatory obligations are met across all applicable markets and that patient safety is effectively maintained.

MDSAP

MDSAP Non-Conformities Grading System

The nonconformity grading mechanism used in the Medical Device Single Audit Program (MDSAP) replaces older subjective terms like “significant” or “regular” findings with an objective, points‑based methodology to ensure uniform evaluation and reporting across regulatory authorities. Instead of relying on traditional descriptors, auditors assign an initial score using a structured matrix that considers whether the nonconformity relates to requirements that have a direct or indirect effect on the quality management system and whether the issue is a first‑time or recurring occurrence. This preliminary grade, ranging from one to four, is then adjusted through a series of escalation rules that reflect additional risk factors — for example, the absence of documented procedures or the release of nonconforming product — which can elevate the grade further. The final score, capped at five for reporting purposes, is recorded on the standardized audit exchange form and provides regulators with a consistent measure of the risk associated with each nonconformity. This modernized grading approach enhances transparency, aligns grading practices internationally, and helps manufacturers and regulators alike prioritize corrective action based on the potential impact on device safety and compliance.

NC grading MDSAP

MDSAP Certification and Market Access

MDSAP certification plays a key role in facilitating market access for medical device manufacturers by allowing a single, comprehensive audit to satisfy the quality management system requirements of multiple participating regulatory authorities. This approach significantly reduces duplication of audits, optimizes internal resources, and creates a more efficient pathway to global compliance. In certain jurisdictions, such as Canada, MDSAP certification is mandatory for obtaining and maintaining a medical device license, while in others it is widely accepted as a robust demonstration of regulatory compliance, often leading to fewer routine inspections and more streamlined interactions with authorities.

In the context of the United States, although single audit certification is not a formal requirement for market entry, it has a clear and practical connection with the FDA 510(k) process. Companies that maintain an MDSAP-compliant quality management system aligned with 21 CFR Part 820 are typically better prepared to support their 510(k) submissions, as many of the underlying requirements—such as design controls, risk management, and documentation practices—are already addressed through the single audit framework. Furthermore, the U.S. Food and Drug Administration recognizes MDSAP audit reports as a substitute for routine surveillance inspections, which can reduce regulatory burden post-clearance and allow manufacturers to focus on maintaining compliance rather than preparing for separate audits.

Risk-based Approach for MDSAP audits

A risk-based approach to auditing quality systems is closely aligned with the philosophy and structure of the Medical Device Single Audit Program (MDSAP), where audit activities are explicitly designed to focus on processes that have the greatest impact on product quality and patient safety. Rather than applying equal attention to all elements of the quality management system, this approach prioritizes critical areas—such as design controls, production processes, and supplier management—based on their associated risks and their influence on regulatory compliance. This principle is embedded within the MDSAP audit model, which follows a process-based sequence and requires auditors to evaluate not only whether procedures exist, but whether they are effectively implemented in high-risk areas.
A key point of integration is the MDSAP nonconformity grading system, which further reinforces risk-based thinking by assigning severity levels to findings according to their potential impact and systemic nature. This ensures that issues affecting critical processes or indicating broader quality system failures are escalated appropriately, allowing both regulators and manufacturers to prioritize corrective actions. Additionally, these multi-jurisdictional audit program leverages inputs such as complaint data, post-market surveillance, and previous audit results to dynamically adjust audit focus, reflecting the same continuous, data-driven prioritization that defines risk-based auditing.
Ultimately, the connection between risk-based auditing and MDSAP lies in their shared objective: moving beyond checklist compliance toward a deeper, evidence-based evaluation of how well a quality system controls real-world risks. By embedding risk prioritization into both audit execution and nonconformity assessment, MDSAP ensures that audits deliver meaningful insights, support regulatory confidence, and drive continuous improvement in the safety and performance of medical devices.

Preparation Strategy for MDSAP

An effective preparation strategy for the Medical Device Single Audit Program (MDSAP) should be built on a proactive and risk-based approach that aligns the organization’s quality management system with both ISO 13485 and the specific requirements of participating regulatory authorities. Rather than treating the audit as a one-time event, manufacturers should embed readiness into their routine operations by conducting internal audits that follow the MDSAP process sequence, ensuring that all key processes—such as design and development, supplier controls, production, and post-market activities—are consistently implemented and supported by objective evidence. A comprehensive gap analysis is essential to identify weaknesses, particularly in areas where documentation exists but practical execution may be lacking. Equally important is the review of past nonconformities and CAPA effectiveness, as well as the use of real data from complaints and post-market surveillance to demonstrate control and continuous improvement. Training personnel across functions to understand both their roles and the expectations of auditors further strengthens preparedness. By approaching MDSAP preparation as an ongoing system optimization effort rather than a compliance exercise, organizations can reduce audit risks, improve operational efficiency, and enhance their credibility with global regulators.

MDSAP Preparation

Future Perspective

The future of the Medical Device Single Audit Program (MDSAP) is expected to be shaped by a continued evolution toward greater regulatory convergence and increased reliance by participating authorities on audit outcomes as a primary oversight tool. As global regulatory expectations become more aligned, MDSAP requirements are likely to expand in depth and scope, with stronger emphasis on areas such as post-market surveillance, real-world evidence, and data integrity, reflecting broader trends in medical device regulation. At the same time, regulatory bodies are progressively leveraging MDSAP audit reports to reduce the need for routine inspections, signaling a shift toward a more efficient, audit-driven compliance model. This growing reliance means that the quality and consistency of MDSAP audits—and the robustness of manufacturers’ quality systems—will play an increasingly critical role in maintaining market access. Looking ahead, organizations that invest early in strengthening their processes, digitalizing quality systems, and adopting a risk-based mindset will be better positioned to adapt to future updates and benefit from a regulatory environment that is moving toward greater harmonization and trust in unified audit frameworks.

Conclusions

In conclusion, the Medical Device Single Audit Program (MDSAP) represents a pivotal shift in how medical device manufacturers approach regulatory compliance, moving from fragmented, country-specific audits to a harmonized, efficient, and risk-based global framework. By integrating multiple regulatory requirements into a single audit model, MDSAP not only reduces duplication and administrative burden but also drives higher standards of quality system performance and transparency. Its structured approach to auditing, including the standardized nonconformity grading system and strong emphasis on process effectiveness, encourages organizations to adopt a more proactive and data-driven mindset. As regulatory authorities continue to increase their reliance on MDSAP outcomes, manufacturers that embrace this model as a strategic tool—rather than a compliance obligation—will gain a competitive advantage through improved operational control, smoother market access, and enhanced regulatory confidence. Ultimately, MDSAP is not just an audit program, but a catalyst for continuous improvement and global alignment in the medical device industry.

Alessandro Stella

Alessandro Stella is a freelance Medical Device Regulatory Consultant and ISO 13485 / ISO 9001 Lead Auditor based in Italy. With over 13 years of experience spanning R&D, Quality, and Regulatory Affairs, he has supported companies across Europe and beyond in EU MDR technical documentation, QMS implementation, ISO 13485 compliance, and FDA submissions. His device expertise covers cardiovascular devices, AI-based standalone software, robotic surgery systems, active wearables, and more. Alessandro is the founder of MD Regulatory.

Similar Posts