Introduction
In an increasingly globalised medical device market, regulatory compliance has never been more complex or critical. With device manufacturers eyeing multiple jurisdictions, each with its own regulatory framework, staying compliant while scaling becomes a significant hurdle. The Medical Device Single Audit Program (MDSAP) is a global solution to streamline quality management system audits for medical device manufacturers.
Launched as a pilot in 2014 and fully operational since 2017, MDSAP offers a single audit that satisfies the regulatory requirements of multiple participating countries. For manufacturers seeking operational efficiency and market access, MDSAP can be a strategic advantage.
In this article, we’ll explore what MDSAP is, its benefits, participating countries, structure, challenges, and why it matters for medical device companies aiming to go global.
What is MDSAP?
The Medical Device Single Audit Program (MDSAP) allows an MDSAP-recognised auditing organisation to conduct a single regulatory audit of a medical device manufacturer’s quality management system that satisfies the requirements of multiple regulatory authorities.
Developed by the International Medical Device Regulators Forum (IMDRF), MDSAP aimed to reduce duplication of regulatory audits and improve oversight of medical device manufacturing on a global scale.
Currently, the MDSAP audit process satisfies the quality management system (QMS) requirements for the following five participating countries:
- United States – Food and Drug Administration (FDA)
- Canada – Health Canada
- Brazil – Agência Nacional de Vigilância Sanitária (ANVISA)
- Australia – Therapeutic Goods Administration (TGA)
- Japan – Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA)
Other jurisdictions, such as the European Union (EU), do not officially participate in MDSAP but may still accept MDSAP reports as part of their broader due diligence or market entry processes. The EU is an Official Observer of MDSAP, enabling it to monitor the programme and its outcomes.
Why was MDSAP created?
The goals behind MDSAP are straightforward:
- Harmonise regulatory practices across multiple countries.
- Reduce audit fatigue for manufacturers who previously needed to undergo multiple country-specific inspections.
- Optimise resource allocation by regulators through third-party audits.
- Promote early detection of compliance issues and reduce the burden on post-market surveillance.
For regulatory authorities, MDSAP enables more efficient use of their own resources while still maintaining oversight. It offers manufacturers a standardised approach to demonstrating compliance across multiple jurisdictions.
How does MDSAP operate?
Auditing Organisations (AOs)
MDSAP audits are conducted by Authorised Auditing Organisations accredited by the participating regulatory authorities. These can be notified bodies or third-party certification bodies with proven competence in medical device auditing.
Audit Model and Duration
MDSAP audits are based on a process-based audit model aligned with ISO 13485:2016. The audit includes the following key processes:
- Management
- Device marketing authorisation and facility registration
- Measurement, analysis, and improvement
- Design and development
- Production and service controls
- Purchasing
Audit duration is determined by the number of sites, employees, risk class of devices, and jurisdictions where the manufacturer is seeking market access.
Nonconformity Grading System
MDSAP uses a grading system to evaluate the severity of nonconformities, taking into account both the clause violated and the impact on the safety and performance of the device. Grades range from 1 to 5, with higher grades requiring more urgent and comprehensive corrective actions.
Country-specific applications of MDSAP
Although MDSAP aims for harmonisation, each participating country applies the programme slightly differently.
The FDA accepts MDSAP audit reports in lieu of routine FDA inspections for Class II and III device manufacturers. However, MDSAP does not replace FDA inspections related to:
- Pre-approval
- For-cause inspections
- Compliance follow-ups
MDSAP vs. ISO 13485: What’s the difference?
Many medical device companies already comply with ISO 13485:2016, the international standard for QMS in the sector. While MDSAP audits are built on the ISO 13485 foundation, there are important distinctions:
Feature | ISO 13485 | MDSAP |
---|---|---|
Scope | Quality Management | Quality + Regulatory Requirements |
Recognised By | Global (non-binding) | US, Canada, Brazil, Japan, Australia |
Audit Body | Certification Body | MDSAP-Recognised Auditing Organization |
Nonconformity Grading | Varies | Standardised grading system |
Audit Frequency | Every 3 years | Annual surveillance + recertification after 3 years |
In essence, MDSAP is ISO 13485-plus—with enhanced regulatory alignment and country-specific requirements embedded into the audit.
Considerations for manufacturers
- Market Access Efficiency: MDSAP provides a streamlined path to multiple key markets via a single audit, reducing duplication and compliance overhead. With one quality system meeting multiple jurisdictions’ expectations, companies can unify their internal procedures and minimise variability. However, the programme currently covers only five countries. For access to the European Union, China, India, and other major markets, additional compliance steps are still necessary. Further, as there are country-specific add-ons, even with MDSAP certification, some countries (like Brazil or Japan) require supplementary documentation or language translations.
- Audit Procedures: A single audit event minimises time away from core operations compared to staggered country-specific audits throughout the year. Unlike unannounced audits under EU MDR, MDSAP follows a planned schedule, allowing better resource management and internal preparation. However, because MDSAP audits are comprehensive, they tend to be longer and more rigorous than a standard ISO 13485 audit. Initial MDSAP audits can also be more expensive, especially for small and medium-sized enterprises (SMEs), although many manufacturers find that reduced audit duplication and faster market access offset the costs.
- Regulatory Confidence: Having MDSAP certification boosts regulatory confidence in your quality system. It shows proactive compliance and risk management.
Is MDSAP right for you?
Ideal Candidates for MDSAP:
- Companies seeking access to multiple participating markets
- Manufacturers with an existing ISO 13485 certification
- Firms looking to streamline internal processes and reduce audit fatigue
- Organisations preparing for due diligence or acquisition, where international compliance is scrutinised
MDSAP is less ideal if:
- The primary market is the EU, China or other LMIC markets, where MDSAP is not yet formally recognised
- The manufacturer is a small or medium-sized business with limited exports to MDSAP-participating countries. However, even smaller manufacturers may find value in MDSAP if they’re planning to scale internationally.
Looking ahead: The future of MDSAP
The success of MDSAP has raised questions about whether the model could be expanded. Some key future developments include:
- Additional country participation, including potential expansion to other IMDRF members.
- Greater alignment with EU MDR/IVDR, especially as pressure mounts for global harmonisation.
- Integration of remote audits, especially post-COVID-19, which accelerated digital regulatory practices.
Ultimately, MDSAP represents an important step in reducing fragmentation in global device regulation—an essential move in a world of increasingly complex medical technologies and supply chains.
While it may not fit every company, MDSAP can be a catalyst for broader success for those navigating international growth. Whether you’re a startup seeking first-market entry or a multinational aiming to consolidate your compliance footprint, understanding and leveraging MDSAP could be your next competitive edge.
Resources
International Medical Device Regulators Forum (IMDRF)
United States of America (USA)
- Food and Drug Administration (FDA) guidance on MDSAP
- The FDA accepts MDSAP audit reports in lieu of routine FDA inspections (except for “for-cause” or compliance follow-ups).
- MDSAP Q&A – FDA
- Quality System (QS) Regulation/Medical Device Current Good Manufacturing Practices (CGMP)
- Quality Management System Regulation (QMSR)
Health Canada
- MDSAP is mandatory for medical device license holders.
- Health Canada MDSAP Guidance
- Guidance Document – Recognition and Use of MDSAP Reports
Brazil Agência Nacional de Vigilância Sanitária (ANVISA)
- MDSAP reports are accepted to support Good Manufacturing Practices (GMP) certification.
- ANVISA MDSAP Guidance
- ANVISA MDSAP Information (Portuguese)
Australia Therapeutic Goods Administration (TGA)
- MDSAP audit reports can be used as evidence of conformity assessment, especially for manufacturers without EU CE certification.
- TGA MDSAP Guidance
- TGA Guidance on Use of MDSAP Reports
Japan Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA)
- MDSAP audit reports may be submitted in support of QMS conformity assessments.
- PMDA Guidance MDSAP
- PMDA MDSAP Overview
European Union (EU)
European Union – Not formally participating in MDSAP
- The EU does not officially recognise MDSAP audit reports as a substitute for MDR or IVDR conformity assessments. However, notified bodies may consider MDSAP reports as supporting evidence in audits.
U.K. Medicines and Healthcare Products Regulatory Agency (MHRA)
The MHRA does not formally recognise MDSAP but may use MDSAP reports to inform inspection activity, particularly for overseas manufacturers.
International Standards:
United States of America (USA)
Food and Drug Administration (FDA), Federal Food, Drug, and Cosmetic Act (FD&C Act):
European Union (EU)
Medical Devices Regulation (MDR) 2017/745:
- QMS Requirements: Chapter I, Article 10(9)
- Conformity Assessment based on QMS and TD: ANNEX IX, Chapter 1
In Vitro Diagnostic Medical Devices Regulation (IVDR) 2017/746
- QMS Requirements: Chapter I, Article 10(8)
Medical Device Single Audit Program (MDSAP)
The Medical Device Single Audit Program (MDSAP) is an international initiative that allows a single regulatory audit of a medical device manufacturer’s quality management system to satisfy the requirements of multiple participating countries.
Audit: A systematic, independent examination of a manufacturer’s processes, procedures, and products to ensure compliance with regulatory standards and quality requirements. Also see Internal Audit.
Corrective and Preventive Action (CAPA): Actions taken to eliminate the causes of existing nonconformities or other undesirable situations (corrective actions) and to prevent recurrence (preventive actions).
Design Control: A systematic process that ensures a device is designed to meet user needs and intended uses.
Intended purpose: The use for which a medical device is intended according to the information provided by the manufacturer on the labelling, in the instructions for use (IFU), or in promotional materials. This may also be referred to as the Intended Use in some jurisdictions. Also see Indication of Use.
ISO 13485: An international standard that specifies requirements for a quality management system (QMS) specific to the medical devices industry.
Labelling: The label on a medical device and all descriptive and informational literature associated with the device. Also see Instructions for Use (IFU).
Manufacturer: A legal entity that designs, produces, assembles, or labels a medical device with the intention of placing it on the market.
Medical Device Single Audit Program (MDSAP): A program that allows a single audit of a medical device manufacturer to satisfy the requirements of multiple regulatory authorities.
Post-Market Surveillance (PMS): The proactive collection and review of experiences and data related to a device after it has been released onto the market to ensure continued safety and performance.
Quality: The degree to which a device consistently meets regulatory requirements and user expectations for safety, efficacy, reliability, and performance.
Quality Assurance (QA): The systematic activities implemented to ensure that devices consistently meet regulatory requirements and standards while meeting user needs and expectations.
Quality Controls: The measures and tests conducted on the final product or at the end of the production process to ensure it meets all specified quality standards and regulatory requirements.
Quality Management System (QMS): A formalised system that documents the structure, responsibilities, and procedures required to achieve effective quality management.
Quality Management System Regulation (QMSR): The U.S. Food and Drug Administration (FDA) regulation that aligns its medical device quality system requirements with ISO 13485:2016 to streamline global compliance and enhance device safety and effectiveness.
Quality System Management Review (QSMR): A structured, periodic evaluation conducted by top management to assess the effectiveness, suitability, and compliance of a medical device manufacturer’s quality management system, ensuring continuous improvement and alignment with regulatory requirements.
Quality System Regulation (QSR): Outlined in 21 CFR Part 820, the U.S. Food and Drug Administration (FDA) framework requires medical device manufacturers to establish and maintain a quality management system to ensure their products consistently meet applicable requirements and specifications.
Regulation: The rules, laws, standards, and requirements set by regulatory authorities to ensure the safety, efficacy, and quality of devices intended for medical use.
Regulatory Authority: An official body overseeing and enforcing laws, regulations, and standards within a specific industry or sector to ensure compliance and protect public interests. Also see Competent Authority and Notified Body.
Risk Management (RM): The systematic application of management policies, procedures, and practices to the tasks of analysing, evaluating, controlling, and monitoring risk.
Standard: A document that provides guidance, requirements, or specifications established by regulatory bodies, industry organisations, or international consensus groups.
Supplier Management: Overseeing and controlling the relationships and activities with external suppliers to ensure the quality, reliability, and regulatory compliance of sourced materials and components.
Technical Documentation: All documents that demonstrate the design, manufacture, and performance of the device, essential for ensuring compliance with regulatory requirements. This is also known as the Technical File.
Total Product Lifecycle (TPLC): A U.S. Food and Drug Administration (FDA) term referring to the entire process of a medical device’s development, from initial concept and design through premarket review, manufacturing, marketing, post-market surveillance, and eventual product retirement. It emphasises continuous evaluation of safety, effectiveness, and quality throughout the device’s lifespan.