The Medical Device Single Audit Program (MDSAP) is an international scheme that lets a single QMS audit, performed by an MDSAP-recognised Auditing Organisation, be used to satisfy the QMS inspection needs of five participating regulatory authorities: the US FDA, Health Canada, Australia's TGA, Japan's MHLW/PMDA, and Brazil's ANVISA. It is built on EN ISO 13485:2016+A11:2021 plus each authority's specific regulatory requirements. MDSAP does not replace the MDR conformity assessment under Annex IX, and it does not give market access on its own. For startups targeting more than one of the five participating markets, it is often the most efficient way to avoid duplicate QMS audits.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • MDSAP is an international scheme that lets one QMS audit cover the inspection needs of five regulatory authorities: US FDA, Health Canada, Australia's TGA, Japan's MHLW/PMDA, and Brazil's ANVISA.
  • The audit is performed by an MDSAP-recognised Auditing Organisation, not by the regulators themselves. The audit is assessed against EN ISO 13485:2016+A11:2021 plus each participating authority's country-specific regulatory requirements.
  • MDSAP is mandatory for Health Canada market access. It is recognised by the other four authorities to different degrees and for different purposes.
  • MDSAP is separate from the MDR conformity assessment under Annex IX. A European Notified Body audit under Annex IX does not give you MDSAP, and an MDSAP audit does not give you a CE certificate. They are parallel tracks that can often be aligned, not substituted.
  • For startups targeting only the EU, MDSAP is usually not worth pursuing. For startups targeting Canada, it is effectively required. For startups targeting the US plus one or more of the other four markets, the efficiency gain is often significant.

What MDSAP is

MDSAP stands for the Medical Device Single Audit Program. It is an international scheme under which a single regulatory audit of a medical device manufacturer's quality management system can be used to satisfy the relevant QMS inspection requirements of multiple participating regulatory authorities. Instead of receiving a separate QMS inspection or certification audit from each jurisdiction where a company sells devices, the manufacturer undergoes one MDSAP audit, performed by an Auditing Organisation that has been recognised to operate under the program, and the resulting audit report is accepted by the participating authorities according to each authority's specific rules.

The core idea is simple. QMS audits across jurisdictions overlap heavily. Every authority expects the manufacturer to run a quality management system that controls design, production, supplier management, CAPA, post-market activities, and so on. Asking five different authorities (or their designees) to perform five separate audits of substantially the same system is wasteful for the manufacturer, the auditors, and the regulators. MDSAP replaces that duplication with a single, coordinated audit against a common framework.

What MDSAP is not: MDSAP is not a product certification. It does not clear or approve any device for sale. It does not replace a premarket submission to the FDA, a medical device licence from Health Canada, an ARTG inclusion in Australia, a marketing authorisation in Japan, or an ANVISA registration in Brazil. It only addresses the QMS inspection layer. Premarket pathways in each jurisdiction remain separate.

MDSAP is also not a European scheme. The MDR conformity assessment under Annex IX is performed by an EU Notified Body and leads to a CE certificate. That process is governed by the MDR itself and is not part of MDSAP. This distinction matters more than any other single point in this post, and we come back to it below.

Which authorities participate

Five regulatory authorities participate in MDSAP as full members of the program:

  • United States Food and Drug Administration (US FDA). The FDA accepts MDSAP audit reports in lieu of routine FDA inspections for the QMS dimension of Quality System Regulation inspections, with certain exceptions (for example, for-cause inspections and pre-approval inspections for PMA devices). An MDSAP audit does not replace premarket submissions (510(k), De Novo, PMA) and does not cover every type of FDA inspection. It reduces the routine QMS inspection burden significantly for manufacturers who opt into MDSAP.
  • Health Canada. MDSAP is mandatory for Health Canada. Canadian Medical Device Licences for Class II, III, and IV devices (under the Canadian classification system) require that the manufacturer hold a valid MDSAP certificate issued by a recognised Auditing Organisation. No MDSAP certificate, no Canadian medical device licence for those classes. This is the sharpest regulatory driver in the entire program.
  • Therapeutic Goods Administration (TGA), Australia. The TGA accepts MDSAP audit reports as evidence of conformity with the QMS-related requirements for Australian market access, under conditions set out in TGA guidance. It is one of several QMS evidence routes the TGA will accept; it is not the only one.
  • Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA), Japan. Japan participates in MDSAP and uses MDSAP audit reports to inform its own QMS conformity assessment for devices within scope of the Japanese medical device regulatory framework. The degree of reliance and the specific mapping to Japanese requirements are governed by MHLW and PMDA policy.
  • Agência Nacional de Vigilância Sanitária (ANVISA), Brazil. ANVISA uses MDSAP audit reports as part of its Boas Práticas de Fabricação (Good Manufacturing Practices) assessment process for medical devices within the scope of the program. For manufacturers targeting the Brazilian market, MDSAP is often the cleanest path to the GMP assessment that would otherwise require direct ANVISA inspection — a process that has historically been long and slow.

The European Union is not an MDSAP participating authority. The European Commission has observer involvement in the program, but the MDR conformity assessment route remains the EU's own framework, performed by Notified Bodies under MDR Annex IX (and related annexes) and leading to a CE certificate. Any claim that "MDSAP covers the EU" is wrong.

The relationship to EN ISO 13485:2016+A11:2021

MDSAP is built on top of EN ISO 13485:2016+A11:2021. The audit assesses the manufacturer's QMS against the clauses of the standard, and then adds country-specific regulatory requirements for each participating authority. The audit model is structured so that the same process areas that an ISO 13485 certification audit would cover are audited in depth, with the country-specific layers checked alongside them.

For a startup that already operates an ISO 13485-conforming QMS, MDSAP is not a rebuild. It is an extension. The core QMS — document control, design controls, CAPA, management review, internal audits, supplier control, risk management linkage, PMS linkage — is already in scope of ISO 13485. What MDSAP adds is the country-specific overlay: US 21 CFR Part 820 (including the FDA's move toward QMSR alignment with ISO 13485), Health Canada's Canadian Medical Devices Regulations (CMDR), Australian regulatory requirements, Japanese MHLW Ministerial Ordinance 169 requirements, and Brazilian GMP requirements. Each overlay has its own specifics that the auditor checks against the company's actual processes and records.

The practical consequence is that a lean ISO 13485-conforming QMS built for MDR purposes can usually be extended into MDSAP scope with targeted additions rather than a full rewrite. The starting point matters. A sloppy, template-driven QMS will not survive MDSAP any better than it survives an MDR Notified Body audit. A real, honest QMS — built the way post 276 describes — extends cleanly, because the underlying processes are real and the country-specific overlays just add checks against existing records.

This is why "MDSAP vs ISO 13485" is the wrong framing. MDSAP is not an alternative to ISO 13485. MDSAP is ISO 13485 plus five regulatory overlays, audited in one pass. If you hold an MDSAP certificate, you effectively also hold an ISO 13485 certificate issued by the same Auditing Organisation.

The relationship to MDR Annex IX — and why they are separate

This is the distinction that is most easily fumbled. An MDSAP audit and an MDR Annex IX conformity assessment are separate activities, performed by different bodies, against different reference frameworks, and leading to different outcomes.

The MDR Annex IX route is the full QMS and technical documentation assessment that most Class IIa, IIb, and III devices follow for CE marking. It is performed by an EU Notified Body designated under the MDR. It assesses the manufacturer's QMS under the MDR's own requirements, audits technical documentation for specific devices, and — when successful — leads to a CE certificate that allows the device to be placed on the EU market. The reference point is the MDR itself, with EN ISO 13485:2016+A11:2021 providing presumption of conformity for the QMS-specific obligations under MDR Article 10(9).

An MDSAP audit, by contrast, is performed by an MDSAP-recognised Auditing Organisation (not by a Notified Body acting in its MDR role). It assesses the QMS against ISO 13485 plus the five participating authorities' country-specific requirements. It does not assess MDR-specific obligations, it does not lead to a CE certificate, and it does not give EU market access.

Some organisations are both EU Notified Bodies under the MDR and MDSAP Auditing Organisations. This is helpful because the same organisation can, within the same visit in some cases, perform the MDR Annex IX audit and the MDSAP audit side by side, reducing calendar days on site and reducing the number of times the company has to open its books to external auditors. What it does not do is merge the two into one audit. They are still separate assessments against separate frameworks, with separate reports and separate outcomes. A combined visit is an administrative efficiency, not a legal merger.

For a startup, the consequence is this: if you need both CE marking and market access in one or more MDSAP jurisdictions, you will be audited under both frameworks. You can often do this efficiently with one Auditing Organisation that holds both designations. You cannot do it with only one framework.

When MDSAP makes sense for a startup

Pursuing MDSAP is a real commitment. It extends the scope of QMS work, increases audit duration, and costs more than a pure ISO 13485 or pure MDR Notified Body engagement. It is not a default. It is a deliberate choice driven by the markets you actually want to enter.

A reasonable decision rule:

  1. If your market plan is EU-only for the foreseeable future, MDSAP is not worth pursuing. You need MDR conformity assessment. MDSAP adds scope and cost without adding market access.
  2. If Canada is in your market plan, MDSAP is effectively required for Class II, III, and IV devices under the Canadian classification. There is no practical alternative route to a Canadian medical device licence for those classes. Plan for MDSAP from the beginning if Canada is real.
  3. If the US is in your market plan and you want to reduce routine FDA inspection burden, MDSAP is a legitimate and commonly chosen option. It does not replace your 510(k), De Novo, or PMA. It reduces the QMS inspection layer.
  4. If Australia, Japan, or Brazil are in your market plan in addition to the EU and US, MDSAP is usually the most efficient way to avoid separate QMS inspection processes in each jurisdiction.
  5. If only one or two of the five MDSAP markets are realistic in your three-year plan, do the math honestly. A single market can sometimes be handled with a narrower, market-specific approach. Multiple markets almost always favour MDSAP.

The wrong reason to pursue MDSAP is because "more certification looks better to investors." Investors do not award points for certificates that do not trace to markets the company actually serves. The right reason is that you have identified specific MDSAP jurisdictions in your market plan and the program is the most efficient way to cover their QMS inspection requirements.

The phased implementation reality

MDSAP implementation for a startup that already runs an ISO 13485-conforming QMS is not a single event. It is a phased effort.

The first phase is scoping: deciding which of the five participating authorities are in scope for your MDSAP engagement, because the audit overlays scale with the number of jurisdictions you declare. Adding Brazil or Japan to a US-plus-Canada baseline adds specific review areas to the audit. You do not have to cover all five on day one. You can scope the audit to the markets that actually matter now and extend scope later.

The second phase is gap analysis: comparing the current QMS against the MDSAP audit model and the country-specific overlays in scope, and identifying the procedures, records, and controls that need to be added or strengthened. This is not a rebuild for a well-run ISO 13485 QMS, but it is not zero either — expect focused work on country-specific procedures, supplier change control granularity, and records formats that each overlay demands.

The third phase is the initial certification audit, performed on site by the chosen Auditing Organisation. The audit is structured around the major QMS process areas, with the country-specific overlays checked alongside the core ISO 13485 clauses. Findings are categorised, corrective actions are required for any non-conformities, and — on successful closure — an MDSAP certificate is issued.

The fourth phase is the ongoing rhythm: surveillance audits on a scheduled cycle, and eventual recertification at the end of the certificate's validity period. Each surveillance visit checks a subset of the QMS and the country-specific overlays in scope, and any changes to your scope (adding a jurisdiction, adding a device family) may require adjustments to future audits.

We are deliberately not citing specific audit phase numbers, specific durations in days, or specific certificate validity periods as universal constants, because these are governed by program documentation that evolves and by each Auditing Organisation's own scheduling. For your specific plan, work with an Auditing Organisation that will confirm the current parameters in writing.

Cost and effort reality

MDSAP is not free. It is an audit program run by Auditing Organisations that charge commercial rates, and the work scales with the number of country-specific overlays in scope, the size and complexity of the manufacturing operation, the number of sites, and the number of device families covered. For a startup with a single site and a narrow device family, the audit is smaller than for a large manufacturer with multiple global sites. The underlying pattern — scoping, gap work, initial audit, surveillance rhythm — is the same.

The honest framing for startups is that MDSAP is an investment in avoiding worse alternatives. The worse alternatives are separate QMS inspections by each of the five authorities, each with its own schedule, its own audit team, its own report format, and its own corrective action expectations. For manufacturers entering three or more MDSAP markets, the single-audit approach is almost always more efficient in total cost and calendar time than the parallel national-inspection approach. For manufacturers entering only one MDSAP market other than Canada, the calculation is closer and depends on the specific jurisdiction.

The Subtract to Ship angle on multi-market efficiency

The Subtract to Ship framework applies to multi-market work the same way it applies to single-market work: strip every activity that does not trace to a specific regulatory obligation. The twist is that you are now subtracting against several regulations at once, and the obligations sometimes overlap heavily and sometimes diverge.

The pattern we see with startups who handle multi-market QMS work well is not "build five separate QMS systems and run them in parallel." That is the pattern we see in companies who are burning out. The pattern that works is: one real QMS, designed around ISO 13485 as the spine, with country-specific overlays layered on top where each authority's requirements are distinct. MDSAP is the audit expression of this single-QMS philosophy. Instead of five audits against five systems, you run one system and audit it against the combined framework once.

Subtraction in multi-market QMS means cutting the duplicated procedures that pretend to be country-specific but actually describe the same process with different cover sheets. Cutting the separate "US QMS" and "EU QMS" and "Canada QMS" binders that some consultants recommend and that are genuinely harder to maintain than a single, honest system with country-specific addenda. Cutting the speculative scope — MDSAP coverage for jurisdictions you have no plan to enter in the next three years. The MDR conformity assessment does not subtract. The MDSAP scope does. Keep the MDR in full, keep the country overlays you need, cut the ones you do not.

This is not a recipe for a smaller QMS. It is a recipe for a more honest multi-market QMS, one where every page describes something the company actually does in a market it actually serves.

Reality Check — Where do you stand on MDSAP?

  1. Which of the five MDSAP participating markets (US, Canada, Australia, Japan, Brazil) are in your three-year business plan with a target launch date and a revenue assumption?
  2. Is Canada in that plan? If yes, do you understand that MDSAP is effectively required for Canadian market access at Class II and above under the Canadian classification?
  3. Do you currently operate a real ISO 13485-conforming QMS that would extend cleanly into MDSAP scope — or is your QMS a template binder that would collapse under any serious audit?
  4. Have you separated in your own thinking the MDR Annex IX conformity assessment (EU, Notified Body, CE certificate) from the MDSAP audit (five authorities, Auditing Organisation, QMS scope only)?
  5. Have you evaluated whether your chosen Notified Body also operates as an MDSAP Auditing Organisation, so that combined visits are possible?
  6. Have you scoped the MDSAP engagement to the jurisdictions you actually need, or are you considering "all five because it sounds complete"?
  7. If an investor asked you today whether MDSAP gives you access to the EU, what would you say — and is the answer accurate?

If more than three of these produced a "not yet," your multi-market QMS plan is not a plan yet. It is a preference.

Frequently Asked Questions

Does MDSAP give me market access in the EU? No. MDSAP is not an EU scheme. The European Union is not a participating authority. EU market access is governed by the MDR and requires a CE certificate issued after a Notified Body conformity assessment under the relevant annex (for most higher-class devices, MDR Annex IX). MDSAP covers the QMS inspection needs of five other authorities: US FDA, Health Canada, Australia's TGA, Japan's MHLW/PMDA, and Brazil's ANVISA.

Is MDSAP mandatory anywhere? Yes. For Canada, MDSAP is effectively mandatory for medical device licences at Class II and above under the Canadian classification. A manufacturer without a valid MDSAP certificate from a recognised Auditing Organisation cannot hold a Canadian medical device licence for those classes. For the other four participating authorities, MDSAP is a recognised and accepted route but not the only route.

Does an MDSAP certificate replace my 510(k) or PMA? No. MDSAP addresses the QMS inspection layer, not the premarket submission layer. A 510(k), De Novo, or PMA submission to the FDA is a separate regulatory activity with its own evidence and review process. MDSAP can reduce routine FDA QMS inspection burden, but it does not clear or approve any specific device for sale in the US.

What is the difference between an MDSAP audit and an ISO 13485 certification audit? An ISO 13485 certification audit assesses a manufacturer's QMS against the clauses of EN ISO 13485:2016+A11:2021 and leads to an ISO 13485 certificate. An MDSAP audit assesses the same QMS against the same standard plus the country-specific regulatory overlays of the five participating authorities and leads to an MDSAP certificate. MDSAP is ISO 13485 plus five regulatory overlays audited in one pass — not an alternative to ISO 13485, but an extension of it.

Can my EU Notified Body perform the MDSAP audit? Only if the Notified Body is also an MDSAP-recognised Auditing Organisation. Some organisations hold both designations and can perform MDR Annex IX audits and MDSAP audits as separate activities that are scheduled in coordinated visits. The two audits remain separate assessments against separate frameworks, but the logistics can be combined, which matters for startups with limited bandwidth for on-site audits.

When should a startup decide on MDSAP? As early as the market plan is stable. If Canada is in the plan, MDSAP scoping should start during QMS design, because the overlay requirements are easier to build in from day one than to retrofit. If only the EU is in the plan, MDSAP is a later decision — if and when a second jurisdiction becomes real. The worst time to start thinking about MDSAP is the month before the first audit.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (MDR), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017. Cited here for comparison with the MDSAP scope, not as the MDSAP reference framework.
  2. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The QMS standard that forms the core of the MDSAP audit model, with country-specific regulatory overlays added for each participating authority.
  3. Medical Device Single Audit Program (MDSAP) — program documentation maintained by the International Medical Device Regulators Forum (IMDRF) and the participating regulatory authorities. Referenced here at the general framing level; for current program parameters, consult a recognised Auditing Organisation.
  4. US Food and Drug Administration, Health Canada, Therapeutic Goods Administration (Australia), Ministry of Health, Labour and Welfare / Pharmaceuticals and Medical Devices Agency (Japan), and Agência Nacional de Vigilância Sanitária (Brazil) — the five participating regulatory authorities of MDSAP as described in this post.

This post is part of the FDA & International Market Access series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. MDSAP is one of the few places in MedTech where a genuinely international framework reduces duplication rather than adding to it — but only for manufacturers who have honestly decided which of the five markets they are actually serving. Use it for the markets in your plan. Do not use it for the markets in your imagination.