MDSAP isn't an ISO 13485 audit with a sticker on it. Prepare for it like that and you'll get Grade 3'd.
Most quality teams prepared for their first MDSAP the same way they prepared for their ISO 13485 surveillance audit. Cleaned up document control. Ran through recent CAPAs. Practiced answers to the obvious clauses. Then the audit started and the auditor jumped from customer complaints to Medical Device Reporting to CAPA to Design Controls in forty minutes, chasing one thread across four processes, and the quality team realised they'd prepared for the wrong audit.
That's the thing nobody tells you about MDSAP. It's a fundamentally different audit dynamic from clause-by-clause ISO 13485. The auditors read across processes in real time. Findings in one process trigger follow-up in linked processes. Nothing is evaluated in isolation. And Grade 3 findings propagate to five regulators in days.
Health Canada made MDSAP mandatory January 1, 2019. Six years in, the program has a clear pattern for what passes cleanly and what accumulates Grade 3s. Here's what actually matters.
The seven-process model isn't a clause framework
MDSAP Audit Approach document AU P0002 (currently v.008 as of late 2025) organises the audit around seven processes with defined inputs and outputs between them: Management, Device Marketing Authorisation and Facility Registration, Measurement/Analysis/Improvement, Medical Device Adverse Event Reporting, Design and Development, Production and Service Controls, and Purchasing.
An auditor examining a customer complaint in M&A&I will pull the thread into Adverse Event Reporting (was it MDR-reportable? reported on time in all applicable jurisdictions?), into CAPA (did it trigger one? what was effectiveness verification?), into Design and Development (did it surface a design issue? did it feed back into design inputs?). A single complaint record produces findings across four processes when the linkages are weak.
That's the structural difference from ISO 13485 clause-by-clause. Quality systems that look fine when each process is evaluated in isolation fall apart when the evaluation runs across process boundaries. The audit-worthy QMS is the one where a complaint record knows what design elements it implicates, what CAPAs it triggered, what regulatory reports were filed, what risk file entries were re-examined. The audit trail exists as a property of the record, not as a reconstruction when the auditor asks.
Grade 4 and 5 — the notification pipeline you can't unring
MDSAP scoring goes 1 through 5. Grades 1 and 2 are minor, handled in the audit report. Grade 3 is significant and requires a documented corrective action plan, with verification typically at the next audit. Grade 4 and Grade 5 are the ones that change your day.
Grade 5 notification is within 5 days of identification. Grade 4 within 30 days. The AO notifies participating regulators directly. You're not in that conversation. Regulators respond according to their own procedures — follow-up inspections, marketing restrictions, enforcement actions — and you're managing five simultaneous regulatory responses to the same finding.
This is the thing that makes MDSAP different from ISO 13485 at a structural level. A major nonconformity on an ISO 13485 audit is a notified body conversation. A Grade 4 on MDSAP is a five-regulator conversation that started without you.
Treat the audit accordingly. Internal pre-audit calibration should be against the worst case: what does a Grade 4 in Production and Service Controls actually mean if FDA and Health Canada both decide to follow up?
What MDSAP replaces — narrower than you think
FDA accepts MDSAP reports in lieu of routine QSIT inspections. That's the headline. The substitution scope is narrower than most sponsors assume.
MDSAP does not replace for-cause FDA inspections triggered by complaints, MDR reports, recalls, whistleblower tips, or enforcement concerns. Your MDSAP certificate doesn't protect you when FDA has a reason to walk in.
MDSAP does not replace pre-approval PMA inspections. Class III sponsors still get the PAI on its own timeline and scope.
MDSAP does not replace design controls inspections triggered by specific 510(k) or De Novo submissions, particularly for complex or software-containing devices.
MDSAP does not replace Health Canada licensing activities, TGA product-specific submissions, ANVISA registration processes, or Japanese PMDA device-specific reviews.
The substitution is routine quality system audit only. Everything else continues on its own track.
The regulator-specific layers you're actually audited against
ISO 13485:2016 is the core. Each regulator stacks requirements on top.
FDA adds 21 CFR Part 820, particularly design control specifics under 820.30 (design review attendee documentation, record-of-review contents), management controls under 820.20, complaint handling under 820.198, and MDR reporting under 21 CFR Part 803. The 2024 Part 820 revision aligned closely with ISO 13485, which reduced the differential. Didn't eliminate it.
Health Canada adds CMDR requirements: device licensing, Mandatory Problem Reporting, establishment licences. These are mandatory for Canadian-licensed manufacturers under MDSAP and always in scope.
TGA adds the Therapeutic Goods (Medical Devices) Regulations 2002, Essential Principles, and Australian Conformity Assessment Procedures.
ANVISA adds RDC 16/2013 (Good Manufacturing Practices) and RDC 751/2022 (classification and registration). Enforcement tightened meaningfully after 2022.
PMDA/MHLW adds Ministerial Ordinance 169 quality system requirements and Japan-specific design dossier expectations.
Auditing Organisation selection — beyond authorised-or-not
All authorised AOs follow the same Audit Approach document and grade against the same criteria. On paper, they're interchangeable.
In practice, three things differentiate them. Technical expertise: AOs with depth in your device category (orthopaedic implants, IVDs, SaMD, drug-device combinations) deploy auditors who've seen your class before. For novel or edge-case devices, ask prospective AOs about their recent similar-device audits. Scheduling flexibility: lab capacity is genuinely constrained in some device categories, and an AO that can't commit firm audit dates 3–6 months out creates critical path problems worth more than any pricing difference. Surveillance cycle alignment: if you hold ISO 13485 certification with an already-authorised AO, aligning MDSAP with that cycle reduces audit load. The alternative is to transfer your ISO 13485 certification or maintain separate programs.
Budget ranges I've seen: small single-site with one product family and two regulator jurisdictions is $15–30k initial, $8–15k surveillance. Mid-size single-site with multiple families and four regulators is $40–80k initial, $20–40k surveillance. Large multi-site operations with global presence push $150k+ for the initial certification cycle.
Adding a jurisdiction mid-cycle
Expanding markets after certification requires scope changes. Different AOs handle this differently. Some permit add-on jurisdictions at surveillance. Others require additional audit events. Pricing and scheduling for jurisdiction additions should be negotiated before you commit to the new market. Sponsors who expand first and figure out audit scope later have lost quarters to the scheduling gap.
How MANKAIND handles MDSAP readiness
MDSAP audits test process linkages — the connections between design decisions, risk analysis, CAPA, complaint handling, supplier controls, regulatory reporting. Fragmented QMS environments produce findings at the linkage points because those linkages don't actually exist as data; they exist as cross-references maintained by memory. The platform makes linkages structural: a complaint record knows the design elements it implicates, the CAPAs it triggered, the regulatory reports filed, the risk file entries re-examined. When an auditor pulls on a thread, the thread doesn't come apart.
The operational value is in the audits that produce no surprise findings, and in the Grade 4 regulator notifications that never happen.
Frequently asked questions about MDSAP
What is MDSAP?
MDSAP — the Medical Device Single Audit Program — is a multi-jurisdictional audit framework that allows a single audit by an authorised Auditing Organisation to satisfy the quality system requirements of five regulators: US FDA, Health Canada, Australia TGA, Brazil ANVISA, and Japan PMDA/MHLW. MDSAP is built on ISO 13485:2016 with specific regulatory requirements layered on top.
Which regulators participate in MDSAP?
Five regulators participate: US FDA (Food and Drug Administration), Health Canada, Australia TGA (Therapeutic Goods Administration), Brazil ANVISA (Agência Nacional de Vigilância Sanitária), and Japan PMDA/MHLW (Pharmaceuticals and Medical Devices Agency / Ministry of Health, Labour and Welfare). The EU is an official observer but does not recognise MDSAP audits for CE marking.
Is MDSAP mandatory?
MDSAP is mandatory for Health Canada — manufacturers selling medical devices in Canada must hold an MDSAP certificate. It is voluntary in the other four participating jurisdictions, but it substitutes for the routine FDA establishment inspection and satisfies Australian, Brazilian, and Japanese quality system audit requirements. For manufacturers selling in multiple MDSAP jurisdictions, the consolidation is substantial.
How does MDSAP relate to ISO 13485?
MDSAP is built on ISO 13485:2016 and audits against it as the core framework. The MDSAP Audit Model adds regulator-specific requirements from each of the five participating jurisdictions — for example, FDA 21 CFR Part 820 expectations, Canadian CMDR requirements, TGA Essential Principles, ANVISA RDC 16/2013, and Japanese Ministerial Ordinance 169. An ISO 13485 certificate alone does not satisfy MDSAP.
What is the MDSAP grading system?
MDSAP uses a 5-grade nonconformity scoring system. Grades 1 and 2 represent minor nonconformities that can usually be addressed at the next surveillance audit. Grade 3 indicates a significant nonconformity requiring a plan and evidence of correction. Grades 4 and 5 are critical — they indicate patient safety or regulatory concerns that must be addressed immediately, and regulators receive near-real-time notification.