Guide
MDSAP: One Audit, Five Regulators, Zero Surprises
The Medical Device Single Audit Program lets a recognised Auditing Organisation conduct a single regulatory audit of a manufacturer's QMS that satisfies the requirements of five participating regulators — FDA, Health Canada, ANVISA (Brazil), TGA (Australia), and PMDA/MHLW (Japan) — plus the WHO and the EU as observers. For Canadian market access MDSAP is mandatory; for the others it is an accepted alternative to country-specific inspections, with FDA accepting MDSAP reports in lieu of routine surveillance inspections under the 2017 agreement. This guide walks through the audit model, the seven processes, the grading methodology, the country-specific add-ons that catch manufacturers out, and a practical readiness path. It is written for QA leads, regulatory affairs, and management representatives at medical device manufacturers selling into any of the five jurisdictions.
Start free trial Free trial, no credit card, onboard in days, not months.
The seven-process audit model
MDSAP audits are structured around seven processes: Management, Measurement Analysis and Improvement, Design and Development, Production and Service Controls, Purchasing, Device Marketing Authorisation and Facility Registration, and Medical Device Adverse Events and Advisory Notices Reporting. Each process has defined tasks, a sequence, and links to specific clauses of ISO 13485, 21 CFR Part 820 (now QMSR), and the country-specific regulations. The audit follows the linkages — a finding in Production has explicit ties to Measurement Analysis and to Management Responsibility, so a single nonconformity often touches three processes. Manufacturers who prepare process-by-process without rehearsing the linkages are caught off guard.
The Companion Document and the audit tasks
The MDSAP Audit Approach (the 'Companion Document') is the public auditor's playbook — every task, every input, every expected output, every linkage. Reading it is non-optional preparation. Each task has a defined input (the artefact the auditor will ask for first), the activities the auditor will perform, the outputs they document, and the regulation-specific tasks that get layered on. A manufacturer who has run their internal audit against the Companion Document tasks knows precisely what will be asked and in what order; a manufacturer who has prepared against ISO 13485 alone will lose three days of audit time to surprise.
Grading: from Grade 1 to Grade 5 and the Unannounced Audit trigger
MDSAP nonconformities are graded 1 to 5 using a structured methodology: the starting grade is based on the QMS sub-clause (with critical clauses starting at Grade 4), then escalates by one if the nonconformity is repeated from a prior audit, and by one more if it involves a release of nonconforming product. Grade 4 and Grade 5 findings trigger a 5-day notification to all participating regulators and, for FDA specifically, can lead to a routine for-cause inspection regardless of the MDSAP coverage. Understanding the grading mechanics changes how a manufacturer responds to a finding in real time — the order of escalation factors matters.
Country-specific tasks: the add-ons that surprise manufacturers
Each participating regulator adds country-specific tasks to the core audit. FDA: 21 CFR 803 medical device reporting, 21 CFR 806 corrections and removals, 21 CFR 820 specifics. Health Canada: SOR/98-282 incident reporting, mandatory problem reporting, CMDR-specific licensing tasks. ANVISA: RDC 16/2013 GMP for medical devices and RDC 67/2009 distribution. TGA: Australian Medical Device Regulations including manufacturer evidence and IVD-specific tasks. PMDA: Japan's MAH/D-MAH relationships, post-market obligations under the PMD Act. The country-specific tasks are the most common source of findings because they are the easiest to underprepare for.
Stage 1 / Stage 2 / Surveillance / Recertification cadence
An MDSAP certification cycle runs initial Stage 1 (documentation review and readiness), Stage 2 (full on-site audit of all seven processes), then annual surveillance audits (covering a subset of processes on a rotation) and a triennial recertification (full re-audit of all seven). Each surveillance has a defined process scope, and Management Responsibility plus the customer-feedback-and-CAPA cluster are audited every visit. Manufacturers who prepare only for recertification routinely take surveillance findings because they let the off-year processes drift.
A 120-day readiness path
Days 1 to 20: gap assessment against the seven processes using the current Companion Document; identify weakest processes and weakest country-specific tasks. Days 21 to 50: rebuild the documentation and records for the weakest processes, prioritising Production, Measurement Analysis, and CAPA; close country-specific gaps (FDA reporting, Health Canada licensing, others as applicable). Days 51 to 80: run an internal audit task-by-task against the Companion Document; close findings with the MDSAP grading mechanics applied. Days 81 to 110: management review with the internal audit and country-task evidence; mock audit with the Auditing Organisation if offered. Days 111 to 120: pre-audit logistics, evidence packs, and rehearsal of the opening meeting where the auditor sets the linkage expectations.
Where this lives in V5 Ultimate
The clauses above aren't theoretical — every one maps to a shipped module and an industry profile. Jump to the parts of the product that turn this guide into evidence on a Monday morning.
Modules that do the work
Quality management
ISO 13485 + country regulations mapped to the seven processes.
Audits & CAPA
Internal audit templates aligned to the MDSAP Companion Document.
Document control
Country-specific reporting and license evidence in one controlled set.
Compliance self-assessment
Score readiness per MDSAP process and per country task.
Supplier qualification
Purchasing process evidence at the MDSAP-expected depth.
Industries this hits hardest
Frequently asked
Is MDSAP mandatory?
It is mandatory for any medical device manufacturer selling into the Canadian market — Health Canada accepts only MDSAP certificates for QMS evidence under CMDR. For FDA, TGA, ANVISA, and PMDA it is an accepted alternative to country-specific inspections rather than a mandate, but the operational efficiency of one audit instead of five drives most multi-market manufacturers to adopt it.
Does MDSAP replace ISO 13485 certification?
An MDSAP certificate is issued against ISO 13485:2016 plus the participating regulators' requirements, so a single MDSAP audit produces both the ISO 13485 certificate and the MDSAP certificate when issued by a recognised Auditing Organisation that holds both scopes. Most manufacturers run them as a single audit programme.
Does MDSAP cover EU MDR?
What happens if we get a Grade 4 or Grade 5 finding?
Grade 4 and Grade 5 nonconformities trigger a 5-day notification from the Auditing Organisation to all participating regulators. The manufacturer must submit a containment plan and corrective action plan; the regulators may take independent action (FDA, for example, may schedule a for-cause inspection regardless of MDSAP coverage). Responding well in the first 72 hours materially changes the regulatory outcome.
See it on your shop floor.
Free trial, no credit card, onboard in days, not months.