--- title: MDSAP: Is It Worth It for Startups? description: MDSAP startup decision guide: what the single audit covers, the five member markets, and how it relates to ISO 13485 and MDR conformity. authors: Tibor Zechmeister, Felix Lenhard category: Quality Management Under MDR primary_keyword: MDSAP startup decision canonical_url: https://zechmeister-solutions.com/en/blog/mdsap-startup-decision source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # MDSAP: Is It Worth It for Startups? *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **MDSAP is the Medical Device Single Audit Program run through IMDRF, under which one audit by an authorised auditing organisation can satisfy regulatory QMS expectations in Australia, Brazil, Canada, Japan, and the United States. It is not mandated by MDR. For EU-first startups, MDSAP pays off only when two or more member markets are actually on the roadmap within the next audit cycle.** **By Tibor Zechmeister and Felix Lenhard.** ## TL;DR - MDSAP is not an MDR requirement. MDR is the anchor. MDSAP is commentary on what happens outside the EU. - MDSAP member markets are Australia (TGA), Brazil (ANVISA), Canada (Health Canada), Japan (MHLW and PMDA), and the United States (FDA). Health Canada mandates MDSAP; the others accept or use it to varying degrees. - MDSAP audits are built on ISO 13485 and overlay each participating authority's specific regulatory requirements. - An MDSAP audit does not replace an MDR notified body audit under Annex IX. It sits alongside it. - For a typical EU-first startup, MDSAP makes sense when Canada, the US, or both are firm targets within the next 12 to 18 months. For everything else, it adds cost without return. - Running MDSAP adds audit days, preparation effort, and auditing organisation fees. The savings come from avoiding separate unannounced inspections in multiple markets, not from the certificate itself. ## Why this matters Nearly every MedTech startup founder hears about MDSAP within a few months of starting. A consultant mentions it. A VC asks about it in a diligence call. A potential US distributor puts it on a questionnaire. The question that follows is always the same: should we do it now, or wait? The honest answer is that MDSAP is one of the most oversold decisions in early-stage regulatory strategy. It is neither a loophole to save money nor a prerequisite to enter global markets. It is a specific tool with a specific purpose, and whether it fits depends entirely on where your commercial roadmap is actually pointing in the next 12 to 18 months. This post exists because startups routinely either skip MDSAP when they should run it or burn precious runway running it when their only real market is the EU. Both mistakes are avoidable if you understand what MDSAP actually delivers and what it costs. ## What MDSAP actually is (and what MDR says) MDSAP is the Medical Device Single Audit Program. It was developed under the International Medical Device Regulators Forum (IMDRF) and allows a single regulatory audit of a manufacturer's quality management system, performed by an MDSAP-authorised auditing organisation, to satisfy the regulatory audit expectations of the five participating regulatory authorities. The five members are: - Australia — Therapeutic Goods Administration (TGA) - Brazil — Agência Nacional de Vigilância Sanitária (ANVISA) - Canada — Health Canada - Japan — Ministry of Health, Labour and Welfare (MHLW) and the Pharmaceuticals and Medical Devices Agency (PMDA) - United States — Food and Drug Administration (FDA) Each authority uses MDSAP differently. Health Canada mandates an MDSAP certificate for medical device licence holders. The FDA accepts MDSAP audit reports in lieu of routine inspections for most devices. TGA, ANVISA, and PMDA accept MDSAP audit reports in various ways, subject to their national rules. MDR says nothing about MDSAP. MDR Article 10(9) requires a quality management system state of the art, and Annex IX lays out the conformity assessment route where a notified body audits that QMS for MDR purposes. The harmonised standard for MDR QMS compliance is EN ISO 13485:2016+A11:2021. MDSAP audits are also based on ISO 13485, but they overlay each participating authority's specific requirements on top. This is the key point: an MDSAP certificate does not satisfy MDR. An MDR Annex IX certificate does not satisfy MDSAP. They overlap in their ISO 13485 spine but diverge in their regulatory overlays. A startup running both ends up with two audit tracks, not one. Some notified bodies are also MDSAP Auditing Organisations, which allows combined audits where the ISO 13485 content is shared and the regulatory overlays are added in sequence. This reduces duplication but does not collapse the two regimes into one. ## A worked example Two Class IIb startups, same product category, different commercial strategies. **Startup A — EU-first orthopaedic implant.** CE mark under MDR, primary market Germany and Austria, no US or Canadian commercial plan for at least 24 months. Decision: skip MDSAP for now. Run the ISO 13485 certification through the notified body, combine it with the MDR Annex IX audit where possible, and book an extra budget line for MDSAP in year 3 when Canada becomes realistic. Savings: roughly the cost of one MDSAP auditing organisation contract, three to five extra audit days per year, and the internal preparation effort. **Startup B — EU and US dual-launch SaMD.** CE mark under MDR plus a planned 510(k) submission. FDA inspection is likely within 18 months of first US sales. Canadian distributor already signed. Decision: run MDSAP. The reasoning: Health Canada will require it, the FDA will accept the MDSAP report in place of a routine inspection, and running the audits separately would mean one notified body audit, one FDA inspection, one Health Canada inspection, and potentially more. MDSAP collapses three of those into one annual audit by one auditing organisation. Both decisions are correct for their context. The wrong decision would be startup A running MDSAP "to be ready" and burning runway on audit days that produce no commercial value. The other wrong decision would be startup B delaying MDSAP and discovering, six months from US launch, that their notified body is not an MDSAP auditing organisation and a switch is needed. ## The Subtract to Ship playbook Subtract to Ship says: optimise for the smallest regulatory footprint that supports your actual commercial plan. Apply that lens to MDSAP. **Step 1. Write down every market on the 18-month commercial plan.** Not aspirations. Real plans with distributors, reimbursement pathways, or signed LOIs. If the list is only EU, MDSAP is not for you yet. **Step 2. Check whether any MDSAP member market is on the list.** Australia, Brazil, Canada, Japan, US. If the list is EU plus Switzerland plus UK, MDSAP still does not apply; the UK runs its own UKCA regime and Switzerland has a bilateral arrangement with the EU. MDSAP only helps if the target is inside its member group. **Step 3. Score the markets by regulatory requirement.** Canada is the strongest driver — MDSAP is mandatory for medical device licence holders. The US is next — MDSAP is accepted in place of routine inspections and is strongly preferred by sophisticated distributors. Brazil, Australia, and Japan are lighter drivers where MDSAP reduces friction but is not always decisive. **Step 4. Count the audit days and compare.** Get quotes from a notified body that is also an MDSAP auditing organisation. Compare the total cost of (a) standalone MDR Annex IX plus separate regulatory inspections in each target market against (b) a combined approach that collapses ISO 13485, MDR Annex IX, and MDSAP into one audit cycle. For a typical Class IIb startup, the break-even point is usually two or more member markets. **Step 5. Check your notified body's scope.** Not every notified body is an MDSAP auditing organisation. Switching mid-programme is expensive. Resolve this before signing a contract, not after. **Step 6. Time the MDSAP entry.** Running MDSAP before you have a QMS that can survive ISO 13485 is premature. Running it after you have already been audited separately by multiple authorities is wasteful. The sweet spot is the same audit cycle in which you plan to achieve MDR certification. **Step 7. Budget honestly.** MDSAP adds approximately one to three audit days per year to the baseline ISO 13485 audit, plus preparation time, plus the auditing organisation's fees. For a small startup, a reasonable additional budget line is in the low tens of thousands of euros per year. Do not believe anyone who tells you MDSAP is "free" because it replaces other audits — it replaces some, it stacks on others. **Step 8. Do not use MDSAP as a marketing badge.** A certificate on your website does not open doors by itself. Distributors, hospitals, and notified bodies care about what the certificate covers, not its name. If you run MDSAP, run it because a specific regulator or distributor demands it. ## Reality Check 1. Which MDSAP member markets are actually on your 18-month commercial roadmap, with named distributors or reimbursement plans? 2. Is Canada one of those markets? If yes, MDSAP is effectively mandatory for device licence holders. 3. Does your current or prospective notified body hold MDSAP auditing organisation status? 4. Have you quoted the marginal cost of adding MDSAP to your ISO 13485 and MDR Annex IX audits versus the cost of separate regulatory inspections in each target country? 5. Is your ISO 13485 QMS mature enough to pass a combined MDSAP audit, or are you still closing basic nonconformities? 6. Who on your team will own MDSAP preparation, including the authority-specific overlays for each member market? 7. Have you budgeted for the annual recurring MDSAP audit and not just the initial certification? 8. If you skip MDSAP now, do you have a clear trigger event that will make you revisit the decision? ## Frequently Asked Questions **Does MDSAP replace MDR certification?** No. MDSAP and MDR are separate regimes that share an ISO 13485 foundation but have different regulatory overlays. A manufacturer selling in the EU still needs a CE mark under MDR, regardless of MDSAP status. **Is MDSAP mandatory anywhere?** Yes — Health Canada requires it for medical device licence holders. The other members accept it in various ways but do not make it the sole route to market. **Can my MDR notified body also run my MDSAP audit?** Some notified bodies are also MDSAP auditing organisations and can run a combined audit. This is the most efficient setup for startups who need both. Check scope and authorisation before committing. **How much does MDSAP add to my audit costs?** Typical overhead is one to three extra audit days per year plus auditing organisation fees. The total additional cost varies widely by scale and scope, but low tens of thousands of euros per year is a realistic planning figure for a small startup. **If I only sell in the EU, should I still do MDSAP?** No. It adds cost and complexity without return. Revisit the decision only when a MDSAP member market enters your commercial plan with real commitment, not aspiration. **Does passing MDSAP help with FDA inspections?** Yes. The FDA accepts MDSAP audit reports in lieu of routine inspections for most devices. It does not cover for-cause inspections or pre-approval inspections. ## Related reading - [MDR QMS certification under ISO 13485](/blog/mdr-qms-certification-iso-13485) — the foundation that MDSAP builds on - [Choosing an ISO 13485 certification body](/blog/iso-13485-certification-body-choice) — whether your certifier can also handle MDSAP matters here - [MDSAP and the single audit for multiple markets](/blog/mdsap-single-audit-multiple-markets) — the international market access perspective - [Sequencing international market expansion](/blog/international-expansion-sequencing) — how MDSAP timing fits the broader roadmap - [Combining ISO 13485 and MDR Annex IX audits](/blog/combine-iso-13485-mdr-annex-ix-audits) — reducing duplication before stacking MDSAP on top ## Sources 1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9), Annex IX. 2. EN ISO 13485:2016+A11:2021, Medical devices — Quality management systems — Requirements for regulatory purposes. 3. International Medical Device Regulators Forum (IMDRF), Medical Device Single Audit Program documentation and participating regulatory authority lists. --- *This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*