The Medical Device Single Audit Program (MDSAP), developed by the International Medical Device Regulators Forum (IMDRF), is a harmonized audit framework that allows a single ISO 13485:2016 audit, conducted by an approved Auditing Organization (AO), to meet the quality management system (QMS) requirements of multiple regulatory authorities simultaneously.
In Canada, MDSAP serves as the recognized mechanism under the Food and Drugs Act and the Medical Devices Regulations (MDR) for demonstrating that a manufacturer’s Quality Management System (QMS) complies with the requirements necessary to obtain and maintain a Medical Device Licence (MDL).
Under section 32(2)(f) of the MDR, Health Canada requires all manufacturers of Class II, III, and IV medical devices to hold a valid MDSAP certificate as evidence of ongoing QMS compliance to obtain or renew an MDL. This requirement, which took effect on January 1, 2019, replaced the former Canadian Medical Devices Conformity Assessment System (CMDCAS). Through the MDSAP, one audit can fulfill the QMS requirements of multiple participating regulatory authorities, including the U.S. Food and Drug Administration (FDA), Brazil’s ANVISA, Japan’s MHLW/PMDA, and Australia’s Therapeutic Goods Administration (TGA).
What is MDSAP and Why Does It Matter?
The Medical Device Single Audit Program (MDSAP) allows medical device manufacturers to undergo one quality management system (QMS) audit that satisfies the requirements of multiple regulatory authorities. Built upon ISO 13485:2016 and enhanced with country-specific clauses, MDSAP minimizes duplicate audits, lowers compliance costs, and improves global oversight.
Introduced in December 2015 and fully implemented in 2019, MDSAP now serves as the foundation for Canadian market access for medical devices and is increasingly recognized internationally to support global market entry.
Core Concept of Medical Device Single Audit Program (MDSAP)
MDSAP centres on a single, standardized audit that evaluates a manufacturer’s QMS against the regulatory requirements of multiple jurisdictions at once. The program uses a common audit model and report format, which are accepted across all participating authorities.
Instead of preparing for multiple national inspections, manufacturers follow one audit calendar, one plan, and one report that maps evidence to each regulator’s requirements. This ultimately facilitates market entry into various countries, reducing the amount of work and time needed to fully meet the market entry requirements for MDSAP participating countries.
The MDSAP framework is based on ISO 13485:2016 and incorporates jurisdiction-specific elements such as:
- Japan: PMD Act (MHLW/PMDA QMS Ordinance)
- United States: FDA 21 CFR Part 820
- Canada: Medical Devices Regulations (SOR/98-282) under the Food and Drugs Act
- Australia: Therapeutic Goods (Medical Devices) Regulations 2002
- Brazil: ANVISA RDC 665/2022 (current Good Manufacturing Practices)
Audits under the MDSAP are performed by recognized Auditing Organizations (AOs) that have been authorized by the participating regulatory authorities. In Canada, Health Canada does not conduct MDSAP audits directly. Instead, manufacturers must obtain their MDSAP certificate from an accredited AO and submit this certificate as part of their MDL or renewal. Health Canada then verifies compliance through the review of the MDSAP audit report and certificate, which serve as evidence that the manufacturer’s quality management system meets the requirements of ISO 13485:2016 and the Medical Devices Regulations.
Who Needs and MDSAP Certificate in Canada?
Health Canada was the first regulatory authority to make participation in the MDSAP mandatory. Since January 1, 2019, all manufacturers of Class II, III, and IV medical devices must hold a valid MDSAP certificate to obtain or maintain an MDL. Manufacturers that do not possess a valid certificate cannot legally sell, import, or distribute their devices in Canada. Applications for new device licences or amendments are considered incomplete without proof of MDSAP certification, and existing MDLs may be suspended or cancelled if the certificate expires or is withdrawn.
This requirement applies equally to Canadian and foreign manufacturers, as the licensing obligation is manufacturer-based rather than location-based. Foreign manufacturers marketing Class II, III, or IV medical devices in Canada must therefore maintain a valid MDSAP certificate that covers all relevant manufacturing and design facilities.
Importers and distributors, including those representing foreign manufacturers, are not required to hold MDSAP certification, but they must ensure that their suppliers comply with the program (i.e., they must ensure that the foreign manufacturer has undergone an MDSAP and is certified). In addition, importers and distributors must obtain a valid Medical Device Establishment Licence (MDEL) from Health Canada before importing or distributing medical devices in Canada. Each legal entity involved in importation or distribution must hold its own MDEL; however, a separate licence is not required for each physical site unless it operates as a distinct legal entity.
Health Canada uses the MDSAP audit report and certificate as evidence of ongoing compliance with the Medical Devices Regulations and ISO 13485:2016. As a result, the Department does not conduct routine quality management system (QMS) inspections for manufacturers holding valid MDSAP certificates. This framework maintains strong oversight of design, production, and post-market activities while reducing redundant audits and regulatory burden. Class I devices remain exempt from the MDSAP requirement; however, importers and distributors of all classes must hold a Medical Device Establishment Licence (MDEL) in accordance with Part 1 of the Medical Devices Regulations. The MDEL demonstrates that the importer or distributor has appropriate establishment-level controls, such as procedures for recalls, complaint handling, and distribution records, rather than full QMS compliance.
MDSAP Global Standing and Implementation
The MDSAP is jointly recognized and governed by five regulatory authorities: Health Canada (Canada), the U.S. Food and Drug Administration (FDA), the Therapeutic Goods Administration (TGA, Australia), Agência Nacional de Vigilância Sanitária (ANVISA, Brazil), and the Pharmaceuticals and Medical Devices Agency / Ministry of Health, Labour and Welfare (PMDA/MHLW, Japan). Together, these regulators form the MDSAP Regulatory Authority Council (RAC), which operates under the umbrella of the International Medical Device Regulators Forum (IMDRF).
The RAC develops the MDSAP Audit Model, companion documents, and grading criteria that align ISO 13485 with the specific regulatory requirements of each participating jurisdiction. This harmonized framework allows a single audit to evaluate compliance with both the international QMS standard and national medical device regulations such as Health Canada’s Medical Devices Regulations, FDA 21 CFR Part 820, ANVISA RDC 665/2022, TGA conformity assessment requirements, and Japan’s QMS Ordinance.
For manufacturers, as discussed above, this collaboration means one structured audit can satisfy the QMS expectations of all participating authorities, eliminating the need for multiple country-specific inspections. On the other hand, for importers and distributors, it ensures that devices sourced from MDSAP-certified manufacturers meet consistent international quality and safety benchmarks, simplifying supplier qualification and regulatory due diligence.
Other regulators and international organizations participate as observers or affiliates through the IMDRF, contributing to the ongoing refinement and calibration of the MDSAP documentation. Their involvement promotes broader regulatory convergence, enhances post-market surveillance cooperation, and lays the foundation for future expansion of MDSAP principles across additional jurisdictions.
The Scope of the MDSAP Audit
Only MDSAP-recognized AOs are authorized to perform audits under the MDSAP. These organizations are formally recognized and monitored by the participating regulatory authorities to ensure impartiality, technical competence, and consistent interpretation of the audit model worldwide. Each AO must demonstrate independence from the manufacturers it audits, employ qualified auditors with expertise in ISO 13485:2016 and applicable national regulations, and comply with all procedural and documentation requirements outlined in the MDSAP Companion Document.
MDSAP audits follow a process-based approach that evaluates both compliance with ISO 13485:2016 and jurisdiction-specific regulatory obligations. Auditors examine management systems, marketing authorizations, purchasing controls, production and service operations, design and development (where applicable), and post-market surveillance. Through document reviews, facility walkthroughs, and staff interviews, AOs assess whether the manufacturer’s QMS operates effectively and conforms to both international and country-specific requirements.
Each audit results in a detailed report and certificate summarizing findings and grading any nonconformities according to the MDSAP severity scale. The certificate confirms the manufacturer’s conformity with ISO 13485:2016 and the additional requirements of the participating authorities.
Participating regulators conduct continuous oversight of AOs to ensure calibration and consistency across jurisdictions. This system enables one audit to satisfy multiple regulators’ expectations, reducing redundant inspections and administrative burden for manufacturers.
The Four Stages of an MDSAP Audit
The MDSAP process is typically divided into four stages:
- Pre-audit preparation
- Formal preparation
- On-site audit
- Reporting and corrective actions.
Together, these stages confirm that the QMS operates effectively in real-world conditions and complies with Health Canada’s Medical Devices Regulations as well as the equivalent rules of other jurisdictions.
Stage 1: Pre-Audit Preparation
Before scheduling an official MDSAP audit, many manufacturers participate in pre-audit readiness activities. These can be completed internally or with the support of a qualified third-party consultant who is not an MDSAP-recognized AO. The goal of this stage is to identify gaps, strengthen documentation, and ensure audit readiness.
Typical pre-audit tasks include reviewing the QMS for alignment with ISO 13485:2016 and MDSAP Companion Document expectations, mapping procedures and records to the seven MDSAP process streams and relevant regulatory clauses, conducting mock audits or gap assessments to test real-time responses and evidence retrieval, and training staff on audit communication and documentation control. Records such as management reviews, CAPA files, supplier evaluations, design documentation, and complaint handling reports should be current, controlled, and easy to access.
Effective pre-audit preparation shortens the duration of the formal audit, reduces the likelihood of major nonconformities, and improves communication with the Auditing Organization once the audit begins. If your team is preparing for an upcoming MDSAP audit, the SNI Regulatory Affairs team can share its extensive experience in medical device and site licensing and perform a comprehensive pre-audit review to ensure your current processes align with regulatory requirements and expectations. Reach out to our team today to learn how we can support your MDSAP readiness and successful entry into the Canadian market.
Stage 2: Formal Preparation
When the audit is scheduled, the manufacturer must ensure that all procedures, records, and forms reflect current regulatory expectations and maintain traceability across processes. A cross-functional audit team should be appointed, typically including representatives from quality, regulatory, operations, and document control. Internal mock audits using the MDSAP process approach verify that each department understands its responsibilities, and that evidence is available to demonstrate compliance.
Stage 3: On-Site Audit
During the on-site audit, the AO evaluates the manufacturer’s QMS through document reviews, staff interviews, and process observations. The audit follows the MDSAP Audit Model, which links ISO 13485:2016 clauses to jurisdiction-specific requirements. Areas reviewed include management controls, production and service operations, purchasing and supplier management, device authorization, post-market surveillance, and design controls when applicable.
Auditors grade nonconformities using the MDSAP severity scale, which ranges from Grade 1 (minor) to Grade 4 (critical). Grades are based on the issue’s impact on product safety, regulatory compliance, recurrence, and overall system scope. Each nonconformity grade can be increased by one level if it is a recurrent or linked-to-regulatory noncompliance (escalation rule), ensuring consistent and objective evaluation. In total, there are 4 grades, each corresponding to the following:
| Grade | Severity Level | Description |
| Grade 1 | Minor | An isolated lapse with limited risk or procedural oversight that does not affect product quality or safety. Typically corrected locally. |
| Grade 2 | Moderate | A systemic gap that may impact compliance but poses low risk to patient safety. Requires documented Corrective and Preventive Action (CAPA) with verification of effectiveness. |
| Grade 3 | Major | A significant system failure or repeat finding indicating a breakdown in process control or ineffective CAPA. May trigger regulatory follow-up or additional audit attention. |
| Grade 4 | Critical | A widespread or high-risk deficiency that could directly compromise patient safety, product performance, or regulatory compliance. May lead to regulatory action or suspension of certification. |
Stage 4: Reporting and Corrective Actions
After the audit, the AO issues a detailed report summarizing the audit trail, objective evidence, and all identified nonconformities with their assigned grades. Each finding must be addressed through a Corrective and Preventive Action (CAPA) plan that defines the root cause, immediate correction, long-term corrective action, and verification of effectiveness.
- Grade 1 findings are typically minor and can often be corrected locally within the affected process or department.
- Grades 2 and 3 require formal CAPA documentation and submission to the AO for review and acceptance. In most cases, the MDSAP certificate can be issued once these CAPA plans have been submitted and deemed adequate, even if implementation is still in progress, provided the findings do not compromise product safety or overall QMS effectiveness.
- Grade 4 findings, which indicate critical or systemic issues, must be fully corrected, verified, and closed before the AO can issue or renew the certificate. Once accepted, all CAPAs are tracked and verified for effectiveness during subsequent surveillance audits to ensure sustained compliance and continuous improvement.
Health Canada requires that all major and critical nonconformities be closed or under verified corrective action before an MDL is granted or renewed. As long as the AO issues a valid certificate confirming compliance, the manufacturer is considered eligible for licensing. If the certificate is suspended or withdrawn due to unresolved issues, Health Canada may reject, suspend, or cancel the associated applications and active MDLs.
Health Canada relies on the MDSAP certificate as primary evidence of QMS compliance and may review the detailed audit report, when necessary, particularly in cases involving major or critical findings.
MDSAP Audit Cycle and Certificate Validity
Each MDSAP certificate is valid for up to three years, provided that the manufacturer maintains compliance through satisfactory completion of annual surveillance audits, with a full re-certification audit required in the third year.
Each surveillance audit evaluates the effectiveness of previously implemented CAPAs, confirms that the QMS remains current, and verifies that manufacturing, design, and post-market processes are being maintained in compliance.
Continuous certification is essential for maintaining an active MDL in Canada. If a manufacturer fails to complete a required surveillance audit or loses certification due to unresolved nonconformities, Health Canada may suspend or cancel the related MDLs until the issue is rectified.
Final Remarks
The Medical Device Single Audit Program (MDSAP) represents a significant advancement in global medical device regulation, creating a unified framework that strengthens oversight while reducing redundant audits. For manufacturers of Class II, III, and IV medical devices, maintaining a valid MDSAP certificate is not only a regulatory requirement under Canada’s Medical Devices Regulations but also a strategic advantage that demonstrates quality, consistency, and trustworthiness across international markets.
An MDSAP certificate remains valid for three years, contingent upon successful completion of annual surveillance audits that confirm continued compliance with ISO 13485:2016 and the jurisdictional requirements of each participating authority. By sustaining certification, manufacturers affirm their commitment to continuous improvement, patient safety, and product reliability.
For companies entering or maintaining access to the Canadian market, early preparation is essential. Conducting a pre-audit readiness review, maintaining robust Corrective and Preventive Action (CAPA) systems, and ensuring accurate documentation across all processes help minimize findings and strengthen audit performance.
To learn more about Medical Device Licensing (MDL) in Canada, read our blog Avoid Delays: How to Successfully License a Medical Device in Canada.
SNI’s Medical Device and Site Licensing Expertise
The SNI Regulatory Affairs team provides expert support at every stage of MDSAP readiness, from pre-audit evaluations to post-audit CAPA guidance. With deep experience in medical device and site licensing, SNI helps manufacturers navigate complex compliance pathways and position their products for long-term success in Canada and beyond.
Contact us today to learn how our regulatory experts can help your organization achieve and maintain MDSAP certification, streamline your audit process, and secure compliant access to the global medical device marketplace.
💡 More about our services here.
✅ Compliance is easy with the right support!
📩 info@sourcenutra.com
⬇️ Send us a request for support or an introductory call
FAQ
What is MDSAP and why was it developed?
The Medical Device Single Audit Program (MDSAP) is a harmonized audit framework created by the International Medical Device Regulators Forum (IMDRF). It allows a single audit of a manufacturer’s Quality Management System (QMS) to meet the regulatory requirements of multiple participating authorities. MDSAP was developed to reduce duplicate audits, improve efficiency, and support greater alignment of medical device regulations worldwide.
Who must participate in MDSAP, and is it mandatory in all countries?
In Canada, participation in MDSAP is mandatory for manufacturers of Class II, III, and IV medical devices seeking to obtain or maintain a Medical Device Licence (MDL) with Health Canada. In other participating jurisdictions, such as the United States, Australia, Brazil, and Japan, MDSAP participation is recognized and encouraged, but not always required by law.
Does an ISO 13485 certificate alone satisfy the MDSAP requirement?
No. While MDSAP audits are based on the structure and requirements of ISO 13485:2016, they also include additional country-specific regulatory requirements from each participating authority. Therefore, holding an ISO 13485 certificate alone is not sufficient for compliance with MDSAP in Canada or in other regions where MDSAP certification is required.
How is the audit cycle structured and how long is the MDSAP certificate valid?
The MDSAP certification cycle typically lasts three years. It begins with an initial certification audit, followed by two annual surveillance audits, and ends with a re-certification audit in the third year. The certificate remains valid for this three-year period as long as surveillance audits are completed and ongoing compliance with MDSAP and ISO 13485 requirements is maintained.
What happens when nonconformities are found during the MDSAP audit?
Nonconformities identified during an audit are graded on a severity scale from Grade 1 (minor) to Grade 4 (critical). Minor findings, such as missing signatures or minor documentation errors, can often be corrected locally. More significant findings, such as systemic process failures or repeated issues (Grades 2 to 4), require formal Corrective and Preventive Action (CAPA) plans, supporting evidence of implementation, and management review. Depending on the nature and severity of the findings, the Auditing Organization (AO) may issue the certificate, delay issuance until corrections are verified, or withhold certification entirely.
✷ The content on this website, including information presented in this post, is provided for general informational purposes only and does not constitute legal, regulatory, or professional advice. While efforts are made to ensure accuracy, laws and regulations vary by jurisdiction and may change over time. Readers should not rely on this information as a substitute for advice from qualified legal or regulatory professionals. We disclaim any liability for actions taken based on this content, and users are encouraged to seek guidance specific to their circumstances.
