MDSAP Audit Preparation: What FDA, Health Canada, and ANVISA Actually Look For

Quick Summary

Prepare for your MDSAP audit with this guide covering all 5 regulatory authorities, the scoring model, audit sequence, and top preparation mistakes to avoid.

What Makes MDSAP Different from a Standard ISO 13485 Audit

The Medical Device Single Audit Program (MDSAP) is not simply an ISO 13485 audit with extra questions. It is a fundamentally different audit model that evaluates your quality management system against the regulatory requirements of up to five participating authorities simultaneously: the United States (FDA), Canada (Health Canada), Brazil (ANVISA), Australia (TGA), and Japan (MHLW/PMDA).

What makes MDSAP unique is its process-based audit approach combined with authority-specific regulatory requirements layered on top. An MDSAP auditor does not simply walk through ISO 13485 clauses in order. Instead, they follow a defined audit sequence that traces your quality system processes from management through production and post-market activities, checking each process against the specific requirements of every authority you have selected for coverage.

This means a single nonconformity in your quality system can generate findings under multiple authorities simultaneously. A weak CAPA process, for example, might create a nonconformity affecting your FDA compliance, your Health Canada compliance, and your ANVISA compliance — all from the same audit observation.

For manufacturers selling into multiple markets, MDSAP offers a significant advantage: one audit replaces multiple country-specific audits. But that consolidation comes with higher complexity and higher stakes per audit. The preparation requirements are substantially greater than for a standard ISO 13485 certification audit.

The Five MDSAP Regulatory Authorities and What They Prioritize

Each MDSAP participating authority has specific regulatory requirements that auditors must assess. Understanding their priorities helps you focus your preparation:

United States — FDA

FDA's requirements under MDSAP are rooted in 21 CFR Part 820 (transitioning to the QMSR) and related regulations. FDA places particular emphasis on:

  • Design controls and design history files. FDA expects rigorous documentation of design inputs, outputs, verification, validation, and transfer activities. Design review records must demonstrate that cross-functional teams evaluated design adequacy at defined stages.
  • CAPA effectiveness. FDA does not just want to see that you have a CAPA system — they want evidence that your CAPAs actually prevent recurrence. Effectiveness checks must be documented and must demonstrate that the root cause was eliminated.
  • Complaint handling and MDR reporting. FDA requirements for complaint investigation and medical device reporting are among the most prescriptive of any MDSAP authority. Every complaint must be evaluated for reportability, and the rationale for reporting decisions must be documented.
  • Production and process controls. Process validation requirements, environmental monitoring, and equipment qualification are areas where FDA auditors frequently find deficiencies.

Canada — Health Canada

Health Canada's requirements are defined by the Canadian Medical Devices Regulations (SOR/98-282) and related guidance. Key focus areas include:

  • Mandatory Problem Reporting. Canada requires reporting of incidents involving medical devices that result in death, serious deterioration of health, or could do so if the incident recurred. Health Canada's reporting timelines and criteria differ from FDA's MDR requirements.
  • License conditions. Devices sold in Canada require a Medical Device License, and your quality system must demonstrate compliance with the conditions of that license, including device classification requirements.
  • Labeling in both official languages. Bilingual labeling (English and French) is a requirement that is sometimes overlooked by non-Canadian manufacturers.
  • Post-market surveillance. Health Canada expects a proactive post-market surveillance system, not just reactive complaint handling. Trend analysis and periodic safety update reports may be expected for higher-risk devices.

Brazil — ANVISA

ANVISA (Agência Nacional de Vigilância Sanitária) requirements are based on Brazilian regulations including RDC 665/2022 and related normative instructions. ANVISA's key priorities include:

  • Good Manufacturing Practices (GMP) certificate. ANVISA requires a GMP certificate based on the MDSAP audit for device registration in Brazil. The audit report directly affects your ability to market devices in Brazil.
  • Technical documentation requirements. ANVISA has specific expectations for technical files that may differ from what you prepare for other markets.
  • In-country registration requirements. ANVISA requires a Brazilian Registration Holder (BRH) for foreign manufacturers, and your quality system documentation must support the registration process.
  • Post-market vigilance. ANVISA's Tecnovigilância system has specific reporting requirements and timelines that your complaint handling process must accommodate.

Australia — TGA

The Therapeutic Goods Administration (TGA) regulates medical devices under the Therapeutic Goods Act 1989 and related regulations. TGA emphasizes:

  • Essential Principles compliance. Australia's Essential Principles of Safety and Performance are analogous to EU Essential Requirements. Your device must meet these principles, and your quality system must support this compliance.
  • Post-market review requirements. TGA requires ongoing post-market review activities and may request post-market surveillance data as a condition of inclusion on the Australian Register of Therapeutic Goods (ARTG).
  • Sponsor obligations. The Australian Sponsor has specific regulatory obligations that your quality system must support, including adverse event reporting under Australian timelines.

Japan — MHLW/PMDA

Japan's regulatory framework, governed by the Pharmaceutical and Medical Device Act (PMD Act), adds unique requirements:

  • QMS Ordinance compliance. Japan's QMS requirements (MO 169) are based on ISO 13485 but include Japan-specific additions. Your quality system must address these additions explicitly.
  • Marketing Authorization Holder (MAH) system. Japan requires a designated MAH who bears regulatory responsibility. Your quality system must demonstrate adequate interface with the MAH.
  • Foreign Manufacturer Registration. Your manufacturing facility must be registered with PMDA as a foreign manufacturer, and your quality system must support ongoing compliance with registration conditions.
  • JPAL (Japanese Package Insert). Labeling requirements for the Japanese market have specific content and format requirements.

Understanding the MDSAP Grading System

MDSAP uses a unique nonconformity grading system that differs significantly from standard ISO audit finding classifications. Understanding this system is essential for preparation because the grades directly determine regulatory outcomes:

Grade 1 — Observation. A minor gap that does not affect the ability of the quality system to meet requirements. No formal response required, but recommended. Think of these as opportunities for improvement.

Grade 2 — Minor Nonconformity. A lapse in the quality system that does not directly affect product safety or performance. Requires a corrective action plan with a defined timeline (typically 6 months).

Grade 3 — Major Nonconformity. A significant failure in the quality system that could affect product safety, performance, or regulatory compliance. Requires immediate corrective action and may trigger regulatory authority follow-up.

Grade 4 — Critical Nonconformity. A systemic failure or an immediate risk to patient safety. This grade triggers immediate notification to the affected regulatory authorities and may result in regulatory action including product recalls, license suspensions, or import alerts.

Grade 5 — Regulatory Authority Escalation. Reserved for the most severe situations where the auditor identifies evidence of fraud, falsification, or deliberate concealment of information. Immediate regulatory authority intervention is initiated.

The grading directly impacts your regulatory standing. A Grade 3 or higher finding for a specific authority can trigger that authority's enforcement process. For example, a Grade 4 finding affecting FDA compliance could result in an FDA Warning Letter or import alert, even though FDA did not conduct the audit directly.

This escalation model is why MDSAP audit preparation must be thorough. A single critical finding in one area of your quality system can cascade into regulatory action across multiple markets simultaneously.

The MDSAP Audit Sequence and Process Approach

MDSAP audits follow a specific sequence of seven audit tasks. Understanding this sequence helps you prepare because it tells you exactly how the auditor will navigate your quality system:

Task 1 — Management. The audit begins with your management processes: quality policy, quality objectives, management review, organizational structure, resource management, and regulatory compliance infrastructure. The auditor evaluates whether top management is genuinely engaged in the quality system or merely paying lip service.

Task 2 — Device Marketing Authorization and Facility Registration. The auditor verifies that your devices are properly authorized for sale in each selected market and that your facilities are properly registered with each authority. This is where documentation gaps in market-specific registrations surface.

Task 3 — Measurement, Analysis, and Improvement. This task covers your CAPA system, internal audit program, monitoring and measurement activities, complaint handling, and adverse event reporting. This is typically the most heavily scrutinized audit task because it reflects how your quality system performs in practice, not just on paper.

Task 4 — Medical Device Adverse Events and Advisory Notices. Focused specifically on your post-market surveillance system, adverse event reporting procedures, and field safety corrective actions. The auditor evaluates your reporting decision-making process and verifies that reportable events were identified and reported within required timelines.

Task 5 — Design and Development. The auditor examines your design control process, including design planning, inputs, outputs, review, verification, validation, transfer, and changes. A specific design project is typically sampled for detailed review.

Task 6 — Production and Service Controls. Covers purchasing controls, production processes, process validation, equipment qualification, environmental controls, labeling controls, and traceability. The auditor samples production records and traces products through your manufacturing process.

Task 7 — Purchasing. Evaluates your supplier management system, including supplier selection, evaluation, monitoring, and re-evaluation processes. The auditor typically samples several critical suppliers to verify adequate controls.

The audit sequence is designed to be cumulative — findings from earlier tasks inform the auditor's focus in later tasks. If your management review process is weak (Task 1), the auditor will pay extra attention to whether CAPA and complaint trends are being adequately escalated (Task 3).

Top MDSAP Audit Preparation Mistakes

These are the most common preparation failures that lead to nonconformities:

Preparing for ISO 13485 instead of MDSAP. MDSAP is not an ISO 13485 audit. It includes authority-specific requirements that go beyond the international standard. Your preparation must cover the specific regulatory requirements of each authority you have selected.

Neglecting authority-specific reporting requirements. Each MDSAP authority has different adverse event reporting criteria, timelines, and formats. Your complaint handling procedure must explicitly address the requirements of each authority, and your staff must know how to make reporting decisions for each market.

Inadequate management review. The management review is Task 1 of the audit and sets the tone for the entire audit. A superficial management review that does not address quality system performance data, regulatory compliance status, and resource adequacy will start the audit on a negative note.

CAPA system focused on correction rather than corrective action. Many manufacturers confuse correction (fixing the immediate problem) with corrective action (eliminating the root cause to prevent recurrence). MDSAP auditors specifically evaluate whether your CAPAs include root cause analysis, whether corrective actions address the root cause, and whether effectiveness checks verify that the root cause was eliminated.

Incomplete design files. Design and development documentation is frequently incomplete, particularly for legacy products that were designed before current standards took effect. If your design files have gaps, address them before the audit through a design history file remediation effort.

Not conducting mock audits. A pre-audit assessment using the MDSAP companion documents (which are publicly available) is the single most effective preparation activity. Walk through each audit task as the auditor would, sample records, and identify gaps before the audit.

Failing to align training records with competency requirements. MDSAP auditors evaluate whether your training system demonstrates competency, not just training delivery. For each role that affects product quality, you need defined competency requirements and evidence that personnel meet those requirements.

Building Your MDSAP Audit Preparation Timeline

A thorough MDSAP audit preparation should begin at least 6 months before your scheduled audit date. Here is a practical timeline:

6 months before: Conduct a gap assessment against MDSAP companion documents for each selected authority. Identify and prioritize gaps. Assign owners and deadlines for corrective actions.

4 months before: Complete procedure updates and begin training on revised procedures. Focus on complaint handling, CAPA, and management review processes first, as these are the most heavily scrutinized.

3 months before: Conduct a mock audit using the MDSAP audit approach. Use auditors who understand both ISO 13485 and the authority-specific requirements. Document findings and initiate corrective actions.

2 months before: Complete all corrective actions from the mock audit. Conduct a management review that addresses MDSAP readiness. Ensure all design files, production records, and supplier files that may be sampled are complete.

1 month before: Final readiness check. Verify that all training is current, all procedures are at the correct revision, and all records are accessible. Brief key personnel on the audit process and their roles.

Audit week: Ensure management availability for the opening and closing meetings. Designate a single point of contact for the auditor. Have all requested documents and records readily accessible.

The investment in thorough preparation pays for itself many times over. A clean MDSAP audit maintains your market access across multiple countries, protects your regulatory standing, and avoids the substantial costs associated with regulatory enforcement actions.
