Ensuring medical devices comply with the requirements for multiple markets can be disruptive, time consuming and expensive. In this article we look at the Medical Device Single Audit Program (MDSAP), which verifies compliance to ISO 13485 and the regulatory requirements of medical devices in Australia, Brazil, Canada, Japan, and the US.

Medical device manufacturers must ensure the products they supply are safe and comply with the regulatory requirements of their target market(s). Since most countries enforce their own regulations, this can be a costly exercise involving multiple audits against a variety of requirements. A much better option is a single auditing program that covers multiple markets.


Launched as a pilot program in 2014, MDSAP follows the work of the International Medical Device Regulatory Forum (IMDRF) and Global Harmonization Task Force (GHTF). It leverages regulatory resources into a single aligned auditing program covering multiple markets, and seeks to:

  • Develop a single audit program covering multiple regulatory jurisdictions
  • Create greater alignment of regulatory approaches and technical requirements
  • Promote consistency, predictability, and transparency of regulatory programs

MDSAP is based on ISO 13485:2016 but also covers the medical device regulation requirements enforced in the following territories:

  • Australia – Therapeutic Goods Act and regulations
  • Brazil – ANVISA regulations for pre-market approval, GMP, and the requirements for product registration and post market surveillance
  • Canada – Food and Drug Act and Medical Devices Regulation
  • Japan – MHLW Ministerial Ordinance No. 169
  • United States – FDA Quality System Regulation and the associated regulations for medical device reporting, recall, registration, device tracing and labeling


For medical device manufacturers, this means compliance with one auditing program will give them access to five markets.

Canada became the first country to require compliance to MDSAP. They initially began extending applications under the Canadian Medical Device Conformity Assessment Scheme (CMDCAS) in 2017, but, since January 1, 2019, it has been a mandated requirement.

ISO 13485

Originally published in 1996, ISO 13485 is a comprehensive quality management system (QMS) standard covering the regulatory requirements needed for companies operating in the medical device sector. It is now in its third edition, published on March 1, 2016.

Certification to ISO 13485:2016 allows an organization to demonstrate its ability to provide medical devices and related services in a consistent and compliant manner. It is not restricted to manufacturers but is applicable to businesses in every stage of the medical device life cycle.

As with many current ISO standards, ISO 13485:2016 provides a framework that can be applied to organizations of all sizes.


MDSAP has a three-year audit cycle. The initial audit is made up of two stages. Stage 1 looks at QMS documentation and considers the readiness of the site(s) for auditing. Stage 2 takes place at least 30 days after Stage 1 and incorporates the main body of the assessment. There are then surveillance audits every year and a recertification audit in the third year.

Each site under the scope of the audit must be assessed annually, with each site requiring a separate report. Certification can only be recommended if all applicable processes, jurisdictions, products, and manufacturing locations are audited. In general, outsourced processes and services are not audited unless they are required by the jurisdiction.

MDSAP audits cover seven processes – four primary and three supporting. These are:

  • Primary:
      • Management
      • Measurement, analysis and improvement
      • Design and development
      • Production and service controls
  • Supporting:
      • Device marketing authorization and facility registration
      • Adverse events and advisory notices reporting
      • Purchasing


In combination, auditing these processes shows compliance with the specific requirements of participating MDSAP regulatory authorities.

The tasks associated with each individual process audit are explained in the MDSAP Companion Document. This includes a reference to the applicable ISO 13485 clause and the jurisdictional requirements to need to be verified. It should be noted, all ISO 13485 clauses are covered in the MDSAP.

In total, there are 175 tasks that can be audited, of which 90 are from ISO 13485 and 85 are country-specific requirements.  In some cases, audit requirements must be multiplied for very large multisite manufacturers.

Auditing the Processes

Critical aspects will be highlighted in each of the seven process audits. These are:

  • Management – ensure top management is committed to implementing and maintaining an effective QMS. This must be communicated to all personnel
  • Device marketing authorization and facility registration – ensure the organization has performed the appropriate measures for compliance with the requirements of the target market(s), including submission of listing information, obtaining market authorization prior to distribution, notifications of change, etc.
  • Measurement, analysis, and improvement – ensure information related to products, processes, and the QMS is collected and analyzed to identify actual and potential nonconformities. Actual and potential nonconformities must be investigated, with appropriate corrective actions enforced
  • Adverse event and advisory notice reporting – ensure individual device-related adverse events and advisory notices are reported to regulatory authorities within the required timeframes
  • Design and development & production and service controls – verify that the organization has established, documented, implemented, and maintained controls to ensure the medical device meets specified QMS requirements
  • Purchasing – verify that the correct processes are in place to ensure components, materials and services brought into the organization conform to specified purchase requirements

MDSAP certification has multiple benefits for manufacturers. With a single audit, the company can demonstrate compliance to the requirements of ISO 13485:2016 and five key target markets – Australia, Brazil, Canada, Japan, and the US. These audits are also scheduled directly with the auditing organization (AO), and so there is minimal disruption while time and resources are optimized.  Additionally, scheduled FDA inspections are eliminated. However, participation in MDSAP does not eliminate FDA visits for cause.

SGS Solutions

SGS offers a comprehensive range of service, including auditing and product testing, to help companies gain MDSAP certification.

Learn about SGS MDSAP Services.


Your name

Your e-mail

Name receiver

E-mail address receiver

Your message




Sign up