What To Expect During An MDSAP Audit

Author: Suzanne Broussard

Risk Assessment is the Cornerstone of the MDSAP Audit

When preparing for the MDSAP audit, it is important to understand that the audit focuses heavily on risk-based processes, outsourced processes, and validation activities. MDSAP is based on the international quality systems standard ISO 13485:2016, which requires organizations to consider risk from device conception through its lifetime of use. This Risk Management  includes the device manufacturer and the supply chain.

Check out our Resources page for our whitepaper on MedDev 2.7/1 Equivalence and Risk/Benefit Profile.

There are seven “Processes” in the MDSAP audit. FDA’s vision of how all these processes link together is depicted in Figure 2.

The first four “Primary” processes, depicted in the dark blue boxes, and the “Supporting” Purchasing process were all built on a foundation of Risk Management. The other two Supporting processes (note that Device Marketing Authorization and Facility Registration links to two processes), depicted in the light blue boxes, fulfill the requirements of the participating regulatory authorities. There are 90 total tasks.

The MDSAP Audit is designed with the interrelatedness of each process in mind. For example, the manufacturer must identify the linked processes and perform Risk Management in accordance with clause 4.1.2 (c) of ISO 13485:2016. One process naturally links to the next process and the audit is conducted in a logical sequence.

Device manufacturers currently selling in these markets should already be in compliance with each country’s quality regulations, but allocating time and resources for each country’s audit can be challenging. Thankfully, MDSAP’s fruition offers the opportunity to simplify this challenge.  Keep in mind that companies only need to be compliant in markets they are currently selling, and organizations are not allowed to opt out of participating nations in which they sell once they adopt MDSAP (no “cherry-picking”).

Read more about how device manufacturers can benefit from the MDSAP.

Stages of the MDSAP Audit

The audit is very scripted and starts with the Management Process working through each subsequent task straight through to the Purchasing Process. There is no deviation in flow and every “task” is timed. Tasks sections are broken down into Clause and Regulations, Additional Country-specific Requirements, and Links to Other Processes.  

The Initial Certification Audit is conducted in two separate stages, typically several weeks apart.

Stage 1

Stage 1 is designed to determine if the Quality Management System (QMS) and other MDSAP documentation requirements are adequate, evaluate the readiness of the manufacturer, and facilitate the planning of the Stage 2 audit. Stage 1, sometimes referred to as a desk-audit, occurs in real-time, typically via virtual communications between the organization and auditor.

Here is an example of what MDSAP is looking for in Stage 1. “Whenever a MDSAP Audit Task requires an auditor to verify the identification and documentation of a requirement in QMS documentation, this verification should be performed as part of the pre-audit preparation and documentation review, as practical, to minimize on-site audit time and to increase the auditor’s familiarity with the manufacturer’s QMS.“

A deficiency letter is sent out after the Stage 1 audit informing manufacturers of deficiencies. Corrective action can then be taken to avoid getting findings during the physical audit.

Stage 2

The Stage 2 audit activities determine the manufacturer’s actual compliance with ISO 13485:2016 and all the regulatory requirements of the participating jurisdiction in which they market. There are two onsite auditors that split up assignments, typically in individual conference rooms.

The flow and timing of the Stage 2 audit are based on the specific tasks that need to be performed as assessed from the information supplied in Stage 1. The duration is calculated using the MDSAP P0008 algorithm based on the number of tasks and the time allotted for each. Variables like the number of employees and the specific process activities performed by the organization are used in this calculation. MDSAP provides two tools to help determine audit time, both of which are available on the FDA website.


Are you ready to read about our 9 tips to ace the MDSAP the first time?