MDSAP

This topic is part of the SG Systems Global medical device audits, lifecycle & regulatory compliance glossary.

Updated December 2025 • Medical Device QMS, QMS, ISO 13485, ISO 13485 Requirements, Internal Audit, CAPA, Quality Risk Management (QRM), ISO 14971 Risk Management, Document Control System, Data Integrity, Audit Trail, Customer Complaint Handling, Postmarket Surveillance, Medical Device Reporting (MDR), Change Control, Supplier Quality Management (SQM), QMSR, V5 QMS

MDSAP stands for the Medical Device Single Audit Program: a structured, process-based regulatory audit framework that lets a single audit of your quality management system (QMS) satisfy key QMS oversight needs for multiple participating regulators. The pitch sounds simple—“one audit instead of five”—but the reality is more blunt: MDSAP is not an easier audit. It is usually more demanding than a vanilla ISO 13485 certification audit because it explicitly pulls in participating-jurisdiction requirements, forces a defined audit sequence, and puts uncomfortable spotlight on the parts of your system that fail in real life: complaint handling, CAPA effectiveness, supplier controls, design change discipline, and traceability of decisions.

If your QMS is mature, MDSAP can reduce audit duplication, shrink “regulator anxiety,” and create a predictable evidence package for global market access planning. If your QMS is held together with tribal knowledge and heroic individuals, MDSAP doesn’t just find gaps—it finds systemic gaps, grades them, and makes them visible to multiple authorities. The program’s entire point is to make “we passed an audit” less about optics and more about demonstrated control.

“MDSAP doesn’t reward good intentions. It rewards controlled processes that still work when the product changes, the supplier changes, and the person who ‘always knew how to do it’ quits.”

1) What MDSAP Actually Is

MDSAP is a global auditing program intended to harmonize how regulators evaluate a medical device manufacturer’s QMS. A qualified third party (an MDSAP-recognized Auditing Organization, often abbreviated “AO”) performs the audit using the MDSAP audit model and required sequence. The output is not just “a certificate.” It’s an audit report package and graded nonconformities designed for regulatory use, not just commercial certification.

Practically, MDSAP is a way to standardize QMS oversight across multiple markets while reducing duplicated audits. Strategically, it’s a pressure test: can your QMS demonstrate control over design, production, suppliers, postmarket feedback loops, and regulatory obligations in a way that is consistent, documented, and risk-based?

2) Why MDSAP Exists (and Why Regulators Like It)

Regulators don’t trust “paper compliance” because it breaks the moment reality shows up: component shortages, contract manufacturer drift, software updates, new lines, new operators, new markets. MDSAP exists because a global, consistent approach to auditing can improve oversight efficiency and strengthen confidence that a manufacturer’s system is actually controlling safety and performance, not just documenting it.

From a manufacturer standpoint, MDSAP exists because the alternative is expensive chaos: multiple audits by different authorities with different emphases, overlapping but non-identical expectations, and inconsistent findings that create rework and compliance debt. MDSAP tries to make QMS oversight more repeatable across borders—but it does it by standardizing the scrutiny, not reducing it.

3) Who Participates (Members, Observers, Affiliates) and What That Means

The MDSAP core member regulators are five authorities: Australia’s TGA, Brazil’s ANVISA, Health Canada, Japan’s MHLW/PMDA, and the U.S. FDA. MDSAP also has official observers and affiliate members. This matters because it affects how far MDSAP outputs can realistically travel in your market-access strategy.

• Members can use MDSAP audit reports as part of their oversight model (and in some cases have effectively built participation into how QMS evidence is accepted).
• Observers/affiliates may use the program for learning, alignment, or partial reliance depending on their policies, but they are not identical to full members.

Bottom line: treat MDSAP as a powerful global compliance asset, but don’t assume it replaces every country’s local requirement. It usually doesn’t. It does give you a strong, regulator-aligned QMS evidence set that you can leverage when expanding.

4) What MDSAP Is Not (Common Misunderstandings)

MDSAP confusion is expensive. Here’s what it does not do:

• It does not replace product approvals. You still need device-specific clearances, registrations, licenses, and technical documentation per jurisdiction.
• It does not equal EU CE marking. The EU is an observer; EU MDR conformity assessment is its own ecosystem with its own certificates, surveillance, and technical documentation expectations.
• It does not eliminate FDA authority to inspect. Even when MDSAP reports are accepted as substitutes for routine inspections, FDA retains inspection authority, and some activity areas can still trigger inspection expectations.
• It is not “just ISO 13485.” ISO 13485 is foundational, but MDSAP explicitly layers in participating-jurisdiction regulatory requirements and a defined audit approach.

The practical implication: MDSAP should be treated as a backbone component of a global compliance strategy—not as a magic passport that bypasses regulatory work.

5) The MDSAP Audit Model and Required Sequence (How the Audit Actually Runs)

MDSAP audits are process-based and follow a required sequence designed to create logical coverage across the QMS. The audit approach focuses on a set of defined processes, their interactions, and how risk management is embedded across them.

At a high level, the audit sequence follows four primary processes:

• Management
• Measurement, Analysis and Improvement
• Design and Development (where applicable)
• Production and Service Controls

The Purchasing process is audited as a supporting process linked across multiple primary processes. In addition, there are two further supporting processes that exist to address jurisdiction-specific regulatory requirements:

• Device Marketing Authorization and Facility Registration
• Medical Device Adverse Events and Advisory Notices Reporting

This structure matters because it forces you to demonstrate end-to-end control, not isolated compliance. Example: if your complaint handling is weak, it will show up in Measurement/Analysis/Improvement, cascade into CAPA effectiveness, and then surface again when the auditor looks for evidence that production controls and design changes reflect real-world signals.

6) What Auditors Really Look For (The “Show Me” Audit)

MDSAP auditors don’t just ask for procedures. They ask you to prove your procedures are real by walking evidence through the system:

• Management process: Are objectives real? Does management review drive action? Are resources and responsibilities defined beyond a PowerPoint chart?
• Measurement/Analysis/Improvement: Are you trending complaints, nonconformances and process metrics? Do you investigate signals or just close records?
• Design & development: Do design inputs trace to verification/validation? Are design changes controlled and reflected in labeling, risk files and DHF?
• Production & service controls: Are processes validated where needed? Are changes controlled? Are device history records complete and trustworthy?
• Purchasing: Do you qualify suppliers based on risk, monitor performance, and control outsourced processes with real agreements and oversight?
• Adverse event reporting/advisories: Do you know what must be reported, when, to whom, and can you show decision rationale?

In other words: MDSAP is a “systems integrity” audit. If your QMS depends on individuals remembering steps, it will bleed. If your QMS depends on controlled workflows, traceable decisions, and clean recordkeeping, it will hold.

7) Nonconformities and Grading (Why MDSAP Findings Feel Different)

Many manufacturers are used to audits where findings are labeled “minor” or “major” and then negotiated into manageable pain. MDSAP adds a more structured approach: it uses a grading system intended to go beyond the binary major/minor concept and support information exchange. The emphasis is on precise wording of nonconformities and correct identification of the specific unmet requirement, because the audit report is designed to be consumed by regulators.

One practical implication is that CAPA effectiveness becomes a recurring theme. If you “fixed the paperwork” but not the underlying system, the audit model gives auditors multiple angles to surface that weakness. A weak CAPA system is not a localized problem; it becomes a multiplier across the audit because it affects whether any corrective action you propose is credible.

Another implication: evidence quality matters. If your records are inconsistent, missing, backfilled, or not clearly attributable, you don’t just have a documentation problem—you have a data integrity problem, and that is a regulatory red flag because it undermines the trustworthiness of the entire QMS.

8) Scope and Exclusions (How Manufacturers Get Burned)

MDSAP audit scope should match the reality of what you design, manufacture, and control. That includes sites, outsourced processes, and the product range. The fastest way to create an audit disaster is to treat scope as a marketing checkbox instead of a risk-based statement of responsibility.

• Design exclusions are not automatically “fine” just because you buy a finished product. If you specify requirements, select suppliers, control labeling, handle complaints, or manage changes, you likely still have design-related responsibilities.
• Outsourced manufacturing doesn’t outsource accountability. If a contract manufacturer makes your device, you must show purchasing controls, quality agreements, performance monitoring, and effective oversight.
• Multi-site operations require consistent document control and change control. If each site has “their own way,” MDSAP will find the seams.

A realistic MDSAP strategy is to build a scope that you can defend under audit without storytelling or exceptions. If you need a paragraph of explanation to justify scope, you probably need a better scope definition—or a stronger system.

9) How Member Regulators Use MDSAP in Practice

MDSAP is global, but each regulator still uses it within their own legal framework:

• FDA: FDA can accept MDSAP audit reports as a substitute for routine inspections (while retaining authority to inspect and recognizing that some activity areas may still be subject to FDA inspection expectations).
• Health Canada: Canada completed its transition to MDSAP and requires manufacturers holding medical device licences in Canada to participate in the program, strengthening oversight through the MDSAP framework.
• TGA (Australia): Australia can use MDSAP certification and audit reports as evidence inputs and may perform desk-based reviews of MDSAP audit reports depending on context.
• ANVISA (Brazil) and Japan (MHLW/PMDA): MDSAP is used to support QMS oversight expectations and to reduce redundant audit burden, but local regulatory obligations still apply.

The honest takeaway: MDSAP can reduce duplicative audit pain, but it doesn’t turn regulators into passive bystanders. They still evaluate risk signals, trends, and compliance posture. A clean MDSAP report helps; a messy one can amplify scrutiny.

10) MDSAP Readiness: The Non-Negotiables

If you want to pass MDSAP without drama, you need a QMS that is operationally true, not “audit-ready by document.” In practice, that means:

• Document control that actually controls: people can’t use obsolete procedures, and controlled forms are used consistently.
• Risk management embedded in decisions: not a separate file updated once a year, but an active input to design changes, supplier changes, and CAPA prioritization.
• Complaint handling and PMS loops that work: complaint triage, investigation, reportability decisions, trending, and feedback into CAPA and labeling are traceable.
• CAPA that closes the loop: root cause analysis that isn’t cosmetic, corrections that don’t create new risk, and effectiveness checks that are real.
• Training and competency evidence: not just “signed the roster,” but role-based competency where it matters (inspection, test, release, complaint triage, sterilization oversight, etc.).

If any of these are weak, MDSAP doesn’t just find “a finding.” It finds a theme, and the audit model is designed to revisit that theme in multiple process areas until it becomes undeniable.

11) Evidence Architecture: How to Make Your QMS Auditable

Passing MDSAP is as much about evidence navigation as it is about compliance. Auditors need to move fast, follow threads, and validate claims. The manufacturers who suffer are the ones whose evidence is scattered across emails, spreadsheets, shared drives, and tribal memory.

Practical rules:

• Make sure every major QMS output is traceable to a controlled procedure and captured as a controlled record.
• Make record retention rules explicit, practical, and enforced (especially for complaint files, CAPA, design changes, and production records).
• Use audit trails and access controls to protect integrity of electronic records, especially where release decisions and regulatory reporting are involved.
• Ensure “single source of truth” for current procedures and forms. If operators can download and reuse old PDFs, you have a built-in nonconformity generator.

MDSAP doesn’t reward “we can find it eventually.” It rewards “we can show it now, and it’s clearly controlled.”

12) Supplier Control and Outsourcing (Purchasing Process Reality)

MDSAP audits treat purchasing as a supporting process because supplier control is where many device failures are born: material substitutions, process drift, hidden subcontractors, poor incoming controls, weak change notification, and “we didn’t know they changed that.”

If you rely on contract manufacturers, sterilization providers, test labs, software vendors, or critical component suppliers, your MDSAP posture depends on whether you can demonstrate:

• Risk-based supplier qualification (not one-size-fits-all questionnaires).
• Defined acceptance criteria for purchased product and services (including verification of CoAs where relevant).
• Quality agreements that address responsibilities, change notification, deviation handling, complaint data sharing, and record retention.
• Ongoing monitoring (performance metrics, audits, incoming inspection, nonconformance trends, escalation rules).

Outsourcing without oversight is not a cost savings; it is delayed regulatory debt. MDSAP is designed to make that debt visible.

13) Postmarket, Vigilance, and Advisory Notices (Where You Prove You’re Serious)

Many companies treat adverse event reporting and advisory notices as “regulatory paperwork.” MDSAP treats them as a core proof of system maturity: can you detect problems, evaluate risk, decide reportability, and execute field actions in a controlled way?

A defensible system usually includes:

• Clear reportability decision logic and documented rationale for each case.
• Time-bound workflows that align with jurisdiction expectations.
• Linkage to CAPA and risk management so signals change the system, not just close a file.
• Recall/field action readiness backed by traceability of lots, UDI, distribution history, and effectiveness checks.

MDSAP auditors will often test your system by selecting real complaint files and asking you to walk from intake to investigation to decision to CAPA to closure. If your answers are inconsistent, you will not “explain your way out.” The record will speak louder than you do.

14) MDSAP and Digital QMS: Why Spreadsheets Stop Working

At small scale, spreadsheets and shared folders can limp along. At MDSAP scale, they become a liability because they break three things auditors care about: control, traceability, and integrity.

Digital QMS advantages in an MDSAP environment include:

• Controlled workflows: nonconformances, CAPA, change control, complaints, audits and training follow consistent steps with required fields and approvals.
• End-to-end linking: a complaint links to a risk record, which links to CAPA, which links to a change, which links to updated labeling, which links to training.
• Audit-ready retrieval: you can pull evidence packages quickly without hunting through email chains.
• Stronger data integrity posture: audit trails, e-signatures, role-based access, and record retention enforcement.

If you want MDSAP to be a predictable operational routine instead of a recurring emergency, a structured eQMS is usually not optional—it’s the scaling mechanism.

15) Common MDSAP Failure Modes (What Keeps Showing Up)

The same patterns show up across MDSAP audits because they’re the places where QMS theory collides with manufacturing reality:

• Weak risk management integration: risk files exist, but changes, complaints, and CAPA don’t update them in a traceable way.
• CAPA that doesn’t fix causes: “training” as the default corrective action; no real containment; no effectiveness check discipline.
• Complaint handling that isn’t evidence-driven: missing investigations, inconsistent conclusions, poor trending, unclear reportability rationale.
• Supplier control gaps: no verification of critical purchased product, poor change notification controls, no visibility into sub-suppliers.
• Document control drift: uncontrolled templates, outdated procedures in use, “local copies” on the shop floor.
• Production record weakness: incomplete DHRs, inconsistent acceptance evidence, missing process validation rationale.

None of these are mysterious. They are what happens when a QMS is built to satisfy audits instead of built to control operations. MDSAP is designed to punish that gap.

16) Implementation Roadmap: Building Toward MDSAP Without Panic

A practical, no-drama roadmap looks like this:

• Step 1: Gap map by process. Map your current QMS to the MDSAP process structure (Management; Measurement/Analysis/Improvement; Design; Production/Service; Purchasing; plus the two supporting processes). Identify evidence locations and gaps.
• Step 2: Fix systemic control points first. Document control, CAPA discipline, complaint handling, change control and supplier oversight are the highest leverage areas.
• Step 3: Build “audit paths.” Pre-build the evidence trails auditors will follow: complaint → investigation → CAPA → change → training → effectiveness; supplier NC → SCAR → incoming controls → trend → supplier requalification.
• Step 4: Run brutal internal audits. Don’t do friendly audits. Do MDSAP-style audits that follow threads and demand records. Treat internal audit as rehearsal for evidence integrity.
• Step 5: Management review that drives action. Use management review to allocate resources and remove barriers, not just “review metrics.”
• Step 6: Stabilize, then optimize. Once you can pass consistently, then improve cycle time, reduce findings, and integrate with broader global regulatory strategy.

The goal is not “pass the audit.” The goal is “make the audit boring.” In medical devices, boring audits are a sign of a controlled system.

FAQ

Q1. Is MDSAP mandatory?
It depends on the jurisdiction and your situation. Canada has completed its transition to MDSAP for manufacturers holding medical device licences in Canada, so for many manufacturers it effectively becomes a required pathway for QMS evidence. In other member jurisdictions, MDSAP can be used as a recognized regulatory audit mechanism, but it does not eliminate other legal obligations or regulator discretion.

Q2. Does MDSAP replace FDA inspections?
MDSAP audit reports can be accepted by FDA as a substitute for routine inspections, but FDA still has authority to inspect and may inspect based on risk, signals, or specific activity areas. Treat MDSAP as a powerful reduction in routine inspection burden, not a blanket exemption.

Q3. Is MDSAP the same as ISO 13485 certification?
No. ISO 13485 is foundational, and many AOs can deliver ISO 13485 certification in alignment with MDSAP activities, but MDSAP is a regulatory audit framework that adds jurisdiction-specific requirements and a defined audit approach intended for regulatory oversight.

Q4. Does MDSAP cover Europe (EU MDR) or UKCA?
Not directly. The EU and the UK are associated with MDSAP as observers in the ecosystem, but EU MDR conformity assessment and UK requirements remain separate. Some organizations may coordinate audit logistics, but the regulatory outputs are distinct.

Q5. What is the fastest way to improve MDSAP readiness?
Stop treating it as “audit prep” and treat it as system engineering. Tighten document control, make CAPA evidence-driven with real effectiveness checks, harden complaint handling and vigilance decision logic, and strengthen supplier oversight with risk-based qualification and quality agreements. Then run internal audits that follow real threads across the system—because that’s exactly what MDSAP will do.

Related Reading
• Audits & QMS Foundations:
Medical Device QMS |
ISO 13485 |
ISO 13485 Requirements |
Internal Audit |
QMS Manual

• Control Systems & Integrity:
Document Control System |
Change Control |
Audit Trail |
Data Integrity

• Risk, CAPA & Postmarket:
Quality Risk Management (QRM) |
ISO 14971 Risk Management |
CAPA |
Customer Complaint Handling |
Postmarket Surveillance |
Medical Device Reporting (MDR)

• Platform:
V5 QMS |
V5 MES |
V5 Connect API

• Authoritative Program References:
MDSAP.global |
FDA: MDSAP |
Health Canada: MDSAP Transition