Guest Column | August 12, 2019

MDSAP — History and Advantages

By Edwin Bills, Consultant

A few years ago, the U.S. Food and Drug Administration (FDA) realized there was no hope of achieving the legislated mandate of inspecting every Class II and Class III medical device manufacturer every two years. Congress would not provide the finances to hire enough investigators to perform those routine quality system inspections, in addition to required premarket approval (PMA) inspections, clinical trial (BIMO) inspections, and any recall or other enforcement inspections.

FDA Moves to New Inspection Models  

The FDA began a pilot program where a company could get an approved third party to perform a quality system inspection of its facility to demonstrate the facility met the FDA’s regulatory requirements. The company would have to pay the third party to perform the inspection and the third party would share the inspection results with FDA. However, companies were reluctant to contract someone to perform the inspection when they could wait for the FDA to eventually conduct an inspection for free.

With the statistics showing that the FDA was not meeting the two-year requirement stipulated in the legislation, companies felt they would rather wait and see what happened. They could, perhaps, go 3-5 years or longer without an inspection. However, Congress addressed the FDA’s noncompliance in a 2017 update to the Food. Drug, and Cosmetic Act by allowing FDA to do what it had been doing anyway — an audit system wherein the FDA now (legally) determines which manufacturers are being inspected based on several risk factors. These factors include the manufacturer’s history of compliance, risk associated with use of the device, and relevant recalls.

Of course, if a company was working on a PMA product, several inspections would take place during product development; that was known. And, if a company had a recall, it could expect an investigator to show up on its doorstep. Such routine inspections were activities that were likely to happen at some point, but probably not on any set schedule.

Further, companies needed to allocate lots of resources to support inspection activities. Inspections could drag on for an unknown length of time, as well; some might take weeks. And, investigators could be called away in the middle of an inspection — reassigned to a higher priority activity — only to return later and pick up where they left off.

IMDRF and MDSAP Inspection Model

The FDA’s pilot of third-party inspections was failing, too. Not many companies signed up, as no one saw any advantage to participating. The FDA was a member of the Global Harmonization Task Force (GHTF), a group consisting of regulators, industry insiders, and other interested parties, such as trade groups. However, the regulatory bodies did not feel as though they could freely discuss regulatory issues in this environment, so they disbanded the group and formed a new organization, the International Medical Device Regulators Forum (IMDRF).

At the first IMDRF meeting in 2012, the new organization appointed a working group to improve a concept called the Medical Device Single Audit Program (MDSAP). The concept was a single audit that would examine (only) regulatory quality system compliance for a number of regulatory schemes, conducted by a third party called an Auditing Organization (AO). The manufacturer would be responsible for audit payment under a contract with the AO.

However, the AO would need to be approved by IMDRF to perform audits according to a set of requirements developed by the IMDRF and based on the participating regulatory bodies’ requirements. This program was piloted for three years between 2014-2016, with a report issued to IMDRF in 2017.

The report indicated the pilot was successful, and the working group recommended the program become fully active and open to any manufacturer requesting such an audit. The FDA would accept such an audit report in lieu of a routine quality system inspection, except for inspections relevant to Electronic Product Radiation Control (EPRC), which are outside the scope of MDSAP inspections.

Other participating regulatory bodies included Australia’s Therapeutic Goods Administration, Brazil’s ANVISA, Health Canada, and Japan’s Ministry of Health. Health Canada created some controversy when it decided to require MDSAP audits and dropped in-house (i.e., conducted by Health Canada) audits; in the other countries, the MDSAP would be optional.

The World Health Organization’s IVD Program and the EU are Official Observers but are not participating in the audit program. The EU will continue its own Notified Body (NB) program as it institutes its new Medical Device Regulation (MDR) and In Vitro Device Regulation (IVDR). The AO would issue an audit report to any regulatory body requested by the manufacturer and, of course, the audit would cover only those regulatory schemes that were contracted by the manufacturer.

Five Regulatory Bodies Accept MDSAP

Now, a manufacturer could get a single audit to meet up to five regulatory schemes’ quality system requirements at some cost, but without the constant interruptions for an inspection by another regulator.

One disadvantage is the lack of official participation by the EU, China’s FDA, and other countries’ regulatory agencies. MDSAP published a procedure for Affiliate Membership in May 2019 to provide a pathway for other regulatory bodies to accept MDSAP audit reports, though no applicants have been reported. Manufacturers still have to prepare for EU NB and other country audits. Further, if an AO finds a non-conformity during an MDSAP audit, that could affect compliance with up to five sets of regulations.

Of course, FDA PMA or postmarket follow-up inspections continue to occur, as does any enforcement inspection. It is possible that an AO could also be qualified as a NB under the EU MDR, but those two responsibilities will not be mixed. The manufacturer will have to contract each entity separately, and the AO and NB inspections will be separate activities, resulting in separate reports to the various regulatory agencies as contracted.

Also, the program is an IMDRF program, not run by the FDA or another of the participating regulatory bodies. The audit plan is developed based on manuals written by the guiding IMDRF team, and not any single regulator. The audits, though, do cover quality system regulations for each of the countries contracted by the manufacturer, as well as reports issued under those contracts. The audits are based on ISO 13485:2016, with additional audit material for each of the contracted country’s regulations beyond the basic ISO 13485.

MDSAP audits consist of Initial Certification Audits (which consist of a Stage I and Stage II Audit), two annual Surveillance Audits, and a Recertification Audit on the year following the last Surveillance Audit. The audits are scored based on a system initially described in GHTF SG3/N19:2012 Quality management system – Medical devices – Nonconformity Grading System for Regulatory Purposes and Information Exchange. The scoring is recorded on a MDSAP form. For certain scores, a manufacturer may be required to respond to the AO with evidence of corrective action within a limited timeframe.

Advantages and Disadvantages of MDSAP

Advantages: the majority of interruptions for inspection activities no longer occur, so regulatory staff are not constantly forced to prepare for numerous and varying inspections or audits. Further, other personnel supporting inspections are drawn away from their assigned tasks less, reducing impact to the organization’s activities and schedules.

Disadvantages: regulatory bodies still may conduct unannounced inspections based on issues they may have detected, such as recalls, vigilance issues, or significant complaints. Also, the AOs are required by MDSAP requirements to conduct unannounced manufacturer audits, as well as special audits — such as when a manufacturer wants to expand its scope of certification.

Additionally, if the audit has findings, they would be transmitted to all regulatory bodies the manufacturer selected for the audit. There have been situations where manufacturers maintain staff just to support inspections and audits, which is unproductive, but in some situations, may be necessary due to the product development activities taking place (PMA), number of markets, and the enforcement activities. Now the EU and others require surprise audits, which only adds to the burden and stress of these activities on the organization.

Thus, the decision whether to contract for MDSAP audits primarily is influenced by which markets the manufacturer targets. For example, a manufacturer operating only in the US market would see no advantage in contracting for an MDSAP audit, while a manufacturer selling into the Canadian market would be required to have MDSAP audits — the greater the number of MDSAP markets, the greater the advantage.


The IMDRF no longer maintains MDSAP, instead referring inquiries to the FDA website, where the most up-to-date information is available. Materials include procedures, forms, training material, regulatory information for participating countries, and contact information, as well as guidance on how to participate and prepare for an MDSAP audit. A 35-page Q&A document on the site also provides information covering annual follow-up audits and oversight of AOs by Regulatory Authorities, including Witnessed Audits to assess the AO.

The number of companies joining the MDSAP program reportedly continues to grow as manufacturers discover that the program’s advantages outweigh its disadvantages, depending on their target markets. However, the IMDRF states that information on manufacturer participation is not publicly available. In the future, the program may expand to include new regulators but, currently, the MDSAP program is not accepting applications from additional countries. Only the EU and WHO have any standing in the MDSAP program and, even then, only as observers.

If the EU decides to accept MDSAP audits, the program will grow exponentially, but that may be well into the future as the EU works to implement the MDR (whose date of application is May 26, 2020) and IVDR (May 26, 2022). Right now, Europe has a huge problem trying to approve sufficient Notified Bodies to enforce the new regulations. Some NBs have chosen to no longer participate in the EU scheme under the MDR and are looking at the MDSAP audit program instead. The next few years in the EU will be rocky as the new regulatory scheme is implemented, but MDSAP provides a bright spot in regulatory audits for the medical device industry.

About The Author

Edwin Bills is a consultant, ASQ Fellow, Certified Quality Engineer, Certified Quality Auditor, Certified Quality Manager, and is Regulatory Affairs Certified. He provides contracted services in the area of quality systems, regulatory affairs, product liability, and risk management for medical device, combination product, and pharmaceutical companies. He can be reached at (843) 810-2157, or at