MDSAP Unlocked: What Quality and Regulatory Professionals Need to Know to Build a Certification-Ready QMS

MDSAP certification is not new. The first pilots date back to 2012, and the program has been running officially since 2017. But its relevance has never been greater. With Canada's mandatory adoption since 2019, the US QMSR now in effect, and Brazil and Japan deepening their reliance on MDSAP audit results, the question for quality and regulatory professionals is no longer whether to pursue certification, but how to build a QMS that can sustain it.
I recently joined a webinar alongside Martin King, a Swiss MDSAP consultant and lead auditor with over 40 years of medical device experience, to explore exactly this. What follows is my perspective on the key things quality and regulatory professionals need to understand before they embark on MDSAP certification.
What MDSAP Actually Does (and What It Doesn't)
MDSAP is often described as an "add-on" to ISO 13485, but that framing undersells what it actually requires. ISO 13485 audits confirm whether you have a functioning QMS. MDSAP asks a harder question: does your QMS function appropriately for each specific regulatory jurisdiction where you intend to place your device?
This distinction is already embedded in ISO 13485 itself. Section 0.2, a part of the standard that few people read closely, explicitly states that references to regulatory requirements include applicable laws in each intended market. Design and development inputs are also expected to incorporate jurisdiction-specific requirements. MDSAP simply operationalizes this expectation through a harmonized, scored, and regulator-visible audit framework.
The fundamental mechanism is regulatory reliance. Rather than each national authority conducting its own manufacturer inspection, participating regulators rely on a shared audit package produced by an accredited auditing organization to assess whether a manufacturer's QMS meets their market requirements. This audit package is uploaded to a shared platform and is accessible to all relevant regulatory authorities, not just your certifying body.
This has a significant implication: your audit findings are not private. Non-conformities are visible to regulators in every jurisdiction you have declared. This is not a reason to avoid MDSAP. It is a reason to enter it with your house in order.
How Each Jurisdiction Uses MDSAP
In my work supporting life sciences companies across different markets, one of the most common gaps I see is treating MDSAP as a single, uniform requirement. The five jurisdictions apply the program in meaningfully different ways, and understanding those differences shapes how you build your QMS.
Australia (TGA) conducts a desktop review of the MDSAP audit package rather than a site inspection. The audit report must demonstrate conformance with Australian-specific regulatory requirements, and manufacturers typically work through a local sponsor or agent. If your representative is unfamiliar with MDSAP, that is itself a useful signal about their suitability.
Brazil (ANVISA) uses MDSAP in lieu of routine pre-market GMP inspections. If you hold an MDSAP certificate, ANVISA will generally not send inspectors to your facility. Certification also extends your GMP certificate validity from approximately two years to four. For companies entering the Brazilian market, that is a material operational benefit.
Canada (Health Canada) is the only jurisdiction where MDSAP is mandatory, and has been since 2019. For Class II, III, and IV devices, an MDSAP audit pack is required as part of the Medical Device License application. An ISO 13485 certificate alone is not accepted. This is the most unambiguous case for certification: you cannot enter the market without it.
Japan (PMDA/MHLW) uses MDSAP as a supporting tool in the regulatory review process. It does not replace the national approval process, but a valid MDSAP audit report can exempt manufacturers from submitting large portions of pre-inspection documentation and, in some cases, from site inspections entirely. Exceptions apply for higher-risk products such as those containing human biological materials.
United States (FDA) is the most nuanced case. The QMSR, which came into effect in February 2025, incorporates ISO 13485 requirements into US law, but the FDA has explicitly stated it does not recognize an ISO 13485 certificate for the purpose of manufacturer oversight. MDSAP does not make FDA inspections impossible, but it substantially reduces their likelihood. I have heard of cases where manufacturers obtained MDSAP certification while an FDA visit was already scheduled, and the visit was subsequently cancelled. That is a concrete indication that the program carries real regulatory weight.
The Audit Structure and Scoring System
The MDSAP audit process mirrors the ISO 13485 cycle most quality professionals will already know: a Stage 1 documentation review, followed by a Stage 2 on-site audit within 3 to 6 months, annual surveillance audits, and a full recertification every four years. In practice, many manufacturers find the MDSAP audit runs in parallel with their 13485 audit and involves the same auditors, though team size may increase depending on product scope.
One operational point worth flagging: not all notified bodies are authorized to conduct MDSAP audits. Some have arrangements with partner organizations who hold MDSAP accreditation, meaning you may have the same auditors on-site but the official certification process runs through a different entity. Always clarify this with your notified body before engagement.
The scoring system is where MDSAP diverges most sharply from a standard 13485 audit. Rather than a binary major/minor nonconformity classification, MDSAP uses a graded scale from 1 to 4, where a grade 4 finding will directly jeopardize market access. More importantly, the system includes an escalation mechanism: a nonconformity graded at level 1 or 2 in a previous audit that was not adequately closed out will automatically escalate to a higher grade at the next audit. Recurring nonconformities carry near-zero tolerance.
The practical consequence is straightforward: when you receive a nonconformity, your response must fully close it, with both a correction and a corrective action that addresses root cause, not merely demonstrate intent. At the audit itself, it is legitimate to ask auditors whether proposed corrective actions would likely be accepted, even if they cannot formally consult on this. I always encourage teams to use that opportunity.
Jurisdictional Scope and Audit Planning
Before submitting your MDSAP audit application, think carefully about which jurisdictions to include. The audit form requires you to declare the jurisdictions in scope, and if a jurisdiction-specific requirement fails during the audit, there is a risk it could affect the overall audit outcome. The implications depend on your notified body's procedures and need to be clarified explicitly before submission.
A phased approach, aligning MDSAP jurisdictions with your actual market entry roadmap, is often more prudent than declaring all five jurisdictions from the outset. This is a regulatory strategy decision, not just an auditing one.
On cost: plan for at least 50% above your current ISO 13485 audit fees for the MDSAP component alone. Beyond the audit itself, there are SOP review and update costs that can be substantial. A manufacturer operating across five jurisdictions may need to review and update 20 or more SOPs. They may be small changes individually, but each must be verified against jurisdiction-specific requirements, and that work adds up.
Preparing Your QMS for MDSAP: A Framework View
MDSAP is a regulatory audit model, and its terminology and structure differ from both ISO 13485 and the legacy 21 CFR Part 820 vocabulary. Familiar labels such as Design History File, Device Master Record, Device History Record, and CAPA are not used in MDSAP. Audits are structured around seven processes and associated regulatory tasks:
- Management
- Device Marketing, Authorization, and Facility Registration
- Measurement, Analysis, and Improvement
- Design and Development
- Production and Service Controls
- Supporting Processes (purchasing, infrastructure, human resources)
- Labeling and Packaging
For organizations transitioning from ISO 13485, this means existing documentation does not need to be replaced, but it does need to be mapped and verified against the MDSAP process structure. In my experience, MDSAP readiness typically comes from improving and connecting existing procedures, not from creating new ones wholesale.
Three areas consistently receive heightened scrutiny in MDSAP audits:
Design and development: Auditors expect controlled, end-to-end design processes with clear evidence at every stage, including defined inputs and outputs, verification and validation records, change control documentation, formal design review and transfer records, and software lifecycle controls where applicable. Innovation is necessary but not sufficient. Traceability and documented decision-making are what the audit examines.
Purchasing and supplier controls: In today's outsourced manufacturing environment, supplier oversight is one of the highest-risk areas. I strongly recommend having quality agreements in place with critical suppliers and performing audits on their quality management systems before your own audit takes place. Regulators do not distinguish between your quality failures and your suppliers'. Accountability lies with you as the manufacturer.
Measurement, monitoring, and corrective action: Auditors want to see disciplined systems for identifying and responding to problems: structured internal audit programs, complaint handling, adverse event management, and CAPA processes with complete and traceable records. What matters is not the absence of problems but the speed and rigor with which you detect, investigate, and prevent their recurrence.
What Auditors Are Actually Looking For
Having supported numerous organizations through MDSAP preparation and conducted audits myself, I see a few themes come up consistently.
Linkages matter more than documentation completeness. MDSAP audits are explicitly designed to assess how your processes connect, how information flows between functions, and how quality decisions are traceable across the system. A QMS that looks complete on paper but operates in silos will surface this in audit findings.
Evidence of active practice, not just documented procedure. Auditors are not only checking that procedures exist. They are checking that your processes are producing the right records and that those records are consistent with your documented procedures. Records that are missing, incomplete, or difficult to retrieve are findings, even if the underlying procedure is sound. I have seen this catch teams off guard, particularly around rework documentation and lot-specific traceability.
Leadership engagement is assessed. Management review, resource allocation, and visible senior leadership involvement in quality decisions are all part of the audit. Demonstrating that quality is embedded in how the organization is run, not just maintained by the quality team, is part of what MDSAP certification signals.
Remote and hybrid audits are increasingly common. Many notified bodies now request that QMS documentation be uploaded in advance for pre-review before the on-site component. Your documentation must be retrievable, organized, and complete enough to withstand remote review by auditors who are encountering your system for the first time.
Internal Audits and Readiness Assessments
Your internal audit program is your most reliable preparation tool. For smaller organizations whose internal teams cannot credibly audit themselves, I strongly recommend bringing in an external auditor for internal audits, provided that auditor holds credentials covering all relevant aspects of your QMS and can audit to MDSAP requirements specifically.
Many notified bodies also offer informal pre-audits, sometimes called gap assessments or readiness reviews, that fall outside the formal Stage 1/Stage 2 sequence. These allow you to identify and address issues before the official clock starts. They are worth requesting, particularly if your QMS has not previously been audited against jurisdiction-specific requirements.
The Strategic Case for MDSAP
MDSAP requires upfront investment: audit fees, SOP updates, training, and the internal resources needed to sustain ongoing compliance. But the case for it is not that it eliminates regulatory risk. It is that it fundamentally changes when and how you encounter it.
Without MDSAP, risk surfaces reactively, during an FDA inspection, a Health Canada review, or a TGA conformity assessment. With MDSAP, you identify nonconformances in a planned, structured environment before they become market-access issues. The scoring system, for all its complexity, quantifies regulatory risk in a way that is shareable across the organization and actionable before an external audit occurs.
At the webinar I recently participated in, 76% of attendees indicated they were targeting multiple MDSAP jurisdictions. That tells me most organizations reading this are not asking whether to certify. They are asking how to build a QMS that can sustain the certification cycle efficiently and continuously. The answer starts with understanding what MDSAP is actually measuring, and building toward that standard before your auditor does it for you.
For further detail on the MDSAP program structure, document templates, approved auditing organizations, and training resources, visit mdsap.global.

Sumatha Kondabolu
Sumatha Kondabolu brings over 22 years of quality expertise across the pharmaceutical and medical device industries, specializing in quality system implementation and regulatory compliance for start-ups and scalable operations. She has helped organizations establish robust quality management systems aligned with global standards, enabling them to achieve seamless compliance and sustainable growth.
Sumatha has built and managed quality management systems meeting the requirements of FDA QSR, Canada’s Medical Devices Regulations, NIOSH, MDSAP, COFEPRIS, and the EU's MDR, IVDR, as well as pre-clinical and clinical frameworks. Her customers have successfully passed ISO and regulatory audits, achieving certification to the relevant ISO standards.
Sumatha holds a Bachelor of Pharmacy, a Master’s in Chemistry, and an advanced certificate in Quality Assurance Management. She is also a certified auditor for ISO 13485, ISO 27001, ISO 27701, ISO 42001, ISO 22716, ISO 17025, ISO 9001, and IATF 16949. Beyond certifications, she contributes to global standards development as an expert and committee member of the Standards Council of Canada (SCC) / Canadian Standards Association (CSA) for:
- ISO/IEC JTC 1/SC 27 in Information Security, Cybersecurity, and Privacy Protection - Committee Member and Expert
- IEC TC 65/SC 65 as Technical Committee Member and Expert
- Chair for CSA Z289 and ISO/TC 210 - Quality management and related general aspects for products for health purposes, including medical devices.