
How to Manage Suppliers Under MDSAP: What Auditors Really Expect

You might have flawless SOPs, rockstar engineers, and a wall full of ISO certificates. But if your contract sterilizer skips a validation step, or your component supplier quietly switches factories without telling you, that single misstep can cascade through design controls, manufacturing records, and even post-market surveillance.

This can force you into unplanned investigations, corrective actions, and potentially unwelcome audit findings. In many cases, those findings can trigger costly follow-up inspections or deeper regulatory scrutiny that lasts months.

What is the MDSAP Audit Approach?

The Medical Device Single Audit Program (MDSAP) allows a single, unified audit to satisfy multiple country-specific regulatory requirements, including:

  • FDA (USA)
  • Health Canada
  • ANVISA (Brazil)
  • PMDA (Japan)
  • TGA (Australia)

The MDSAP Audit Approach is your blueprint. It outlines exactly what auditors will assess, how they’ll assess it, and what outcomes you must demonstrate.

When it comes to supplier controls, this blueprint leans heavily on ISO 13485 and then adds jurisdiction-specific layers. In practice, this means you’re not just meeting one country’s expectations; you’re meeting all of them at once, which requires tighter alignment of documentation, processes, and evidence.

You’re the One Holding the Regulatory Bag

And under MDSAP, that bag just got a lot heavier.

So how can you manage your suppliers the way an MDSAP auditor expects?

Let’s break it down with some burning questions that manufacturers often ask.

Who Exactly is Considered a Supplier Under MDSAP?

A supplier is any external party who provides a product, service, or process that can impact product conformity or regulatory compliance.

It’s defined clearly in the MDSAP Audit Approach, and it’s broader than most people think.

Here’s Who’s on the List:

  • Contract manufacturers – building parts or full devices
  • Sterilization service providers – like EtO or gamma contractors
  • Component or raw material suppliers – even those shipping pre-packaged materials
  • Distributors – especially important for Canada (Health Canada sees them as suppliers)
  • Software developers – if their code goes into your device or is used in QMS operations
  • Test labs & calibration services
  • Packaging & labeling contractors
  • Consultants – providing advice regarding design, purchasing, manufacturing, packaging, labeling, storage, installation, or servicing
  • Sister companies under a different QMS – yes, even if they’re in your corporate group

Okay, But Who’s Considered a Critical Supplier?

A critical supplier is one that could directly impact the safety, performance, or regulatory compliance of your medical device.

As per MDSAP, critical suppliers include, but are not limited to, those that:

  • Supply finished devices or accessories (packaged, labeled, or sterilized)
  • Provide products or services that impact design outputs essential for the proper functioning of the device
  • Perform processes requiring validation, such as sterilization, welding, coating, or other critical manufacturing steps

Ask Yourself:

  • Do they supply parts that, if defective, would cause a product recall?
  • Do they perform validated processes like sterilization, welding, or coating?
  • Can their mistake lead to nonconformities or reportable events?

If you answered yes to any of these, they’re critical and must be managed with:

  • Stricter controls (more frequent audits, tighter inspection criteria)
  • Comprehensive written agreements (including change-notification clauses)
  • Ongoing performance monitoring (KPIs, CAPA linkage, re-evaluation schedules)

What Kind of Supplier List Does MDSAP Want to See?

Auditors will expect a current, accurate, categorized, and risk-based supplier list.

It Should Include:

  • All suppliers linked to products, components, or QMS processes
  • Risk classification (high, medium, low)
  • Criticality flag
  • Scope of goods/services provided
  • Jurisdictions impacted (especially if Health Canada or TGA is involved)

Canada Heads Up

Importers and distributors are suppliers, and you must control them too.

TGA Nuance

If a manufacturer outsources to the Australian Sponsor any process, product, or service that affects conformity to Essential Principles (EPs), then the Sponsor must also be treated as a supplier for those specific activities.

Examples:

If your Sponsor:

  • Provides installation or servicing
  • Manages labeling, IFU content, or EP 13A compliance (e.g., patient implant cards)
  • Handles post-market surveillance on your behalf

Then you must document and control them as suppliers within your QMS.

Exception: If your QMS scope already includes the Sponsor’s site and activities, you do not need to separately qualify them as suppliers. However, the oversight must be clearly documented in your QMS and covered in internal audits.

What Does Risk-Based Purchasing Mean in Real Terms?

It means you can’t treat every supplier the same.

Instead:

  • Identify the risk of what they provide
  • Define what acceptance or verification is needed
  • Document why you trust their product or service
  • Adjust your controls if the risk changes

Example:

Your component supplier is ISO 13485 certified and has stellar past performance.

You might use incoming sampling inspection.

But a new sterilizer with no validation history?

Use full verification, contract audit, and tighter controls.

FDA & TGA expect risk-based verification, especially for incoming components and validated processes.

Do We Need Written Supplier Agreements for Everyone?

For critical suppliers, absolutely.

Your Agreements Should Clearly State:

  • Product/service specifications
  • Change notification clauses
  • Requirements for compliance with applicable regulations
  • Responsibilities for control, traceability, and CAPA

How Do Auditors Expect Us to Monitor Supplier Performance?

MDSAP auditors want to see structured, ongoing evaluations based on risk and impact.

This Could Include:

  • Regular supplier audits or desk reviews
  • KPIs like on-time delivery, defect rate, complaints
  • Scorecards and re-qualification frequencies
  • CAPA trends and supplier-specific non-conformities

All of this should feed into your management review process.

What Does Verification of Purchased Product Look Like Under MDSAP?

It’s not just about checking the box.

Auditors want to see that you’ve defined what you check, based on supplier risk and product criticality.

They’ll often expect documented rationale showing how your chosen verification method directly mitigates the identified supplier risk, especially for high-impact components or processes where failure could trigger recalls or adverse event reporting.

For Example:

  • Visual inspection for packaging contractors
  • Dimensional testing for molded parts
  • Certificate of Conformance backed by audits for critical suppliers
  • Retention of inspection results, not just checkmarks

FDA’s Big Concern: relying only on CoCs without actual verification for high-risk components.

Frequently Asked Questions

Supplier control under MDSAP means evaluating, approving, monitoring, and managing suppliers whose products or services can affect medical device quality or compliance.

A supplier can include contract manufacturers, sterilization providers, component vendors, distributors, software providers, calibration labs, and consultants.

A critical supplier is one whose product or service can directly impact device safety, performance, or regulatory compliance.

Yes, written agreements are recommended for critical suppliers and should include specifications, change control, compliance duties, and traceability responsibilities.

Auditors review supplier lists, risk classifications, approvals, monitoring records, audits, CAPA trends, and verification of purchased products.