The Medical Device Single Audit Program (MDSAP) is one comprehensive audit for meeting the regulatory requirements of multiple participating countries. Achieving regulatory harmonization across different regulatory industries will help manufacturers easily launch their products in different markets. Hence, a clear understanding of the MDSAP audit cycle and underlying objectives is vital for certification and maintaining long-term compliance. We have prepared a structured guide to help you understand the full 3-year MDSAP audit cycle. This covers the initial certification, surveillance, recertification, and special audits. Additionally, we have touched upon unannounced and regulatory authority-conducted audits.
The MDSAP enables a single audit to satisfy the regulatory requirements of five participating countries: the U.S. (FDA), Canada (Health Canada), Brazil (ANVISA), Japan (PMDA), and Australia (TGA). The audit cycle is built around a three-year certification framework. The audit cycle covers initial, surveillance, recertification, and special audits. Each cycle is designed to ensure sustained compliance across multiple jurisdictions.
What is the MDSAP audit cycle?
The MDSAP audit cycle has a three-year period. It is designed to ensure ongoing compliance with ISO 13485:2016 guidelines, global regulatory requirements as well as participating regulatory authorities’ requirements. It consists of 3 phases:
- Initial Certification Audit (Year 1)
- Surveillance Audits (Years 2 and 3)
- Recertification Audit (Year 3 end/start of next cycle)
Each of these stages of the MDSAP audit cycle has defined purpose, scope, focus areas.
Understanding the MDSAP audit cycle
Initial certification audit (Year 1)
The initial certification audit under the MDSAP audit cycle is a comprehensive evaluation of a medical device organization’s Quality Management System (QMS). It is conducted in two distinct stages to ensure regulatory alignment and operational readiness.
- Purpose: Establish baseline compliance and issue MDSAP certification.
- Scope: Full assessment of QMS processes aligned with ISO 13485 and country-specific requirements.
- Duration: Usually, longer than subsequent audits due to comprehensive coverage.
- Focus areas:
- Management controls
- Design and development
- Production and service controls
- Purchasing and supplier management
- Measurement, analysis, and improvement
Stage 1: Planning and documentation review
This stage focuses on assessing the organization’s preparedness for the full audit. It involves a detailed review of QMS documentation and may be conducted off-site. Key objectives include:
- Verifying readiness for Stage 2
- Defining the scope of the QMS
- Confirming compliance with ISO 13485:2016 Clause 4.2.1
- Reviewing regulatory documentation required by participating MDSAP authorities
This foundational step informs audit planning and ensures that all relevant regulatory expectations are addressed.
Stage 2: Implementation and effectiveness
This stage evaluates the real-world application and effectiveness of the QMS. This is conducted on-site. It incorporates all applicable MDSAP audit tasks and focuses on:
- Assessing QMS effectiveness and integration of regulatory requirements
- Evaluating product and process technologies (e.g., sterilization, injection molding)
- Reviewing technical documentation for regulatory alignment
- Determining the organization’s capability to consistently meet applicable requirements
Only sites audited during Stage 2 are eligible for inclusion on the certification. Locations reviewed off-site in Stage 1 are excluded from listing.
Surveillance audits (Years 2 & 3)
Surveillance audits of the MDSAP audit cycle are conducted annually following the initial certification to ensure continued compliance and operational effectiveness of the Quality Management System (QMS). These audits are more targeted in scope, focusing on high-risk areas and selected processes rather than the full system.
- Purpose: Monitor ongoing compliance of the QMS. Assess the effectiveness of the QMS in integrating and addressing applicable regulatory requirements. Evaluate the organization’s ability to sustain ongoing compliance. Additionally, introduction or modification of product and process technologies (e.g., sterilization, software validation) is assessed. Moreover, updates or new development in technical documentation aligned with jurisdictional expectations are also evaluated.
- Frequency: Conducted annually after initial certification.
- Scope: Partial audit focusing on selected processes and risk areas.
- Focus areas:
- Follow-up on previous nonconformities
- Review of complaint handling and adverse event reporting
- Evaluation of CAPA effectiveness
- Auditors must verify current certifications, regulatory markings, and proper use of certification references
- Significant changes in legislation or internal QMS structure may necessitate a Stage 1 audit within the surveillance cycle
Hence, surveillance audits are partial evaluations conducted in the second and third years of the MDSAP audit cycle. Notably, while not all MDSAP criteria must be covered in a single audit, the full set of critical elements must be addressed across both years.
Recertification audit (Year 3)
At the conclusion of the three-year MDSAP audit cycle, the Recertification Audit, also referred to as the Re-audit, serves to confirm the ongoing suitability, effectiveness, and regulatory alignment of the medical device organization’s Quality Management System (QMS). It incorporates all relevant MDSAP audit process tasks.
- Purpose: Renew certification and reassess full system compliance. The QMS’s effectiveness in integrating and maintaining compliance with applicable regulatory requirements are evaluated. Additionally, the continued suitability of product and process-related technologies (e.g., sterilization, injection molding) is evaluated. The adequacy and currency of product technical documentation in line with jurisdictional expectations are assessed. Furthermore, organization’s sustained capability to meet regulatory obligations across all participating markets is investigated.
- Scope: Similar to initial audit but may be tailored based on surveillance findings.
- Outcome: Continuation of MDSAP certification for another three-year cycle.
If substantial changes have occurred, such as new regulatory legislation, significant QMS restructuring, or product portfolio shifts, a Stage 1 audit may be required prior to recertification.
Unannounced audits triggered by compliance concerns
Unannounced audits are initiated in response to critical nonconformities or significant regulatory concerns. These audits are designed to:
- Conduct immediate, real-time assessments of regulatory compliance
- Investigate potential systemic failures within the Quality Management System
- Re-establish confidence among regulatory authorities regarding the manufacturer’s commitment to compliance
Special audits
Special audits are conducted outside the standard MDSAP audit cycle and are triggered by exceptional circumstances that demand immediate or targeted evaluation. These audits may be initiated to focus on:
- Scope expansion: Inclusion of new or modified products requiring certification between scheduled audits
- Oversight deficiencies: Rectifying gaps in previous audits, such as inadequate audit duration or improperly constituted audit teams
- Post-market surveillance: Investigating significant complaints or adverse events
- Follow-up actions: Addressing major findings from prior MDSAP audits
- Regulatory assignments: Fulfilling audit requests from participating authorities for specific investigations
- Supplier audits: Conducting audits of critical suppliers as mandated by regulatory directives or auditing organization policies
Audit reports for special audits initiated by regulatory authorities must be submitted within 15 calendar days of completion.
Audits by participating regulatory authorities
In addition to audits performed by recognized MDSAP auditing organizations, participating regulatory authorities retain the right to conduct independent audits at their discretion. These may be initiated in the following scenarios:
- For-cause investigations triggered by serious complaints or adverse events
- Follow-up audits to verify the resolution of prior nonconformities
- Targeted oversight of high-risk or noncompliant manufacturers
These authority-led audits are essential for maintaining regulatory vigilance and ensuring the integrity and effectiveness of the MDSAP framework.
Pro tips for navigating the MDSAP audit cycle
For medical device manufacturers, MDSAP certification is not just a regulatory commitment. It demonstrates a commitment to global standards of quality, safety, and operational integrity. A deep understanding of the MDSAP audit cycle and its various audit types will help manufacturers easily achieve the certification.
- Proactively adapt: Adapt swiftly to evolving regulatory landscape
- Audit readiness: Maintain robust documentation and internal audit programs year-round.
- Risk-based planning: Align audit preparation with known high-risk areas and jurisdictional nuances.
- Global harmonization: Use MDSAP as a platform to streamline multi-country compliance efforts.
- Build trust: Build trust and transparency with regulators, partners, and stakeholders
We at Pharmadocx Consultants specialise in providing comprehensive support for all types of MDSAP audits. Our team of experts will ensure your Quality Management System is audit-ready and fully aligned with ISO 13485:2016 as well as all applicable regulatory requirements from participating MDSAP jurisdictions. From gap assessments and document preparation to mock audits and on-site audit support, we will guide you through every step of the MDSAP audit cycle. Email at [email protected] or call/Whatsapp on 9996859227 to partner with us for easily securing the MDSAP certification.
