The Medical Device Single Audit Program (MDSAP) is an audit program—established by the International Medical Device Regulators Forum (IMDRF)—that allows for the assessment of compliance of a medical device manufacturer’s Quality Management System (QMS) with the applicable regulatory requirements defined by the five regulatory authorities participating in the program, all within the context of a single audit.
The five countries participating in the program are Australia, Brazil, Canada, Japan, and the United States, which together form the Regulatory Authority Council, the decision-making body of MDSAP that oversees and provides the necessary resources for the development and maintenance of the program.
The table below summarizes the identification of the Competent Authority and the reference regulatory requirements for each country:
Country | Competent authority | Regulatory requirements |
|---|---|---|
Australia | TGA – Therapeutic Goods Administration | Therapeutic Goods Regulations (Medical Devices) – Schedule 3
|
Brasil | ANVISA – Agencia Nacional de Vigilancia Sanitaria | Resolution 665/2022 |
Canada | HC – Health Canada | Medical Device Regulations – SOR/98-282 |
Japan | MHLW – Ministry of Health, Labour and Welfare | Ministerial decree N. 169 |
United States | FDA – Food and Drug Administration | 21 CFR Part 820 |
Upon successfully passing the MDSAP audit, the manufacturer will obtain a certification that will facilitate access to the markets of the participating countries. However, it should be noted that the MDSAP certification only pertains to the QMS; thus, it remains necessary to complete the product approval process required by each country before being able to commercially market the medical devices.
The Certification Process
The certification process for MDSAP is based on a three-year cycle and includes an initial certification audit (divided into Stage 1 and Stage 2), an annual surveillance audit in the following two years, and a recertification audit in the third year. Stage 1 of the initial certification audit involves reviewing documentation and assessing the organization’s readiness for Stage 2 audit, which aims to evaluate the correct implementation and effectiveness of the QMS. Surveillance and recertification audits aim to confirm the ongoing suitability of the QMS to applicable requirements.
These audits are conducted by accredited organizations designated by the Regulatory Authority Council. Additionally, the duration of an MDSAP audit is not calculated based on the size of the organization—like it is, for example, under ISO 13485—but varies based on the number and types of processes covered by the certification.
In addition to scheduled audits, the MDSAP program also includes the execution of special audits, unannounced audits, and audits conducted directly by the competent authorities.
What is the Relationship Between MDSAP and ISO 13485?
The ISO 13485 standard is the gold standard for Quality Management Systems in the medical field. Therefore, the basic requirements that an organization must comply with to choose to participate in the MDSAP program are those of ISO 13485, along with the specific legal requirements of each participating country.
It is important to note that, as an international technical standard, ISO 13485 refers generically to applicable regulatory requirements, while MDSAP specifically calls for all regulatory (mandatory) requirements set by the competent authorities participating in the program.
The MDSAP Audit Approach document is a valuable tool for identifying the additional requirements demanded by the various competent authorities: for each process subject to the audit, this document identifies the tasks to be addressed and evaluated, and for each of these, it lists the relevant points of the ISO 13485 standard and indicates the additional applicable regulatory requirements specific to each country.
Pros and Cons
Participating in the MDSAP program is undoubtedly a strategic choice for medical device manufacturing companies as it allows them to gain facilitated access to the markets of the five participating countries through a single audit of their QMS. Specifically:
- TGA (Australia) and ANVISA (Brazil) use and accept MDSAP audit reports as input in the product marketing approval process, replacing their own audit at the manufacturer.
- HC (Canada) only accepts MDSAP certificates as evidence of compliance with Canadian regulatory requirements and to maintain the validity of the trading license.
- MHLW (Japan) uses the MDSAP audit report as part of pre- and post-marketing evaluations, replacing its own audit at the manufacturer.
- FDA (United States) accepts MDSAP audit reports in place of its routine inspections.
Furthermore, although the European Union is not among the participating countries, thanks to guideline MDCG 2020-14, Notified Bodies can use MDSAP audit reports as a reference for developing surveillance audit programs, thereby focusing on the requirements of EU Regulation 2017/745 (MDR) or EU Regulation 2017/746 (IVDR) that are not covered by the MDSAP audit report or that are only partially covered.
On the other hand, the costs of obtaining certification are high, and the preparation as well as the certification process itself are very complex. Additionally, since the duration of the audit varies based on the number and type of processes covered by the certificate, it can be very burdensome (in terms of both human and economic resources) for smaller organizations managing many processes internally to certify under the MDSAP program.
If you are considering embarking on the MDSAP certification process, it is important not to underestimate the complexity of the project. To optimize time and costs, it is strongly recommended to conduct a preliminary gap analysis of compliance with the requirements of ISO 13485 and the requirements of the countries of interest—potentially with the support of specialized consultants—to verify the current state of your QMS and adequately plan the necessary implementation activities.
