
Mastering the MDSAP Audit Cycle: Your Complete Guide to Medical Device Compliance Excellence

Introduction

In an increasingly globalised medical device market, regulatory harmonisation is more critical than ever. The Medical Device Single Audit Program (MDSAP) offers an innovative approach by allowing a single regulatory audit to satisfy the requirements of multiple jurisdictions. For medical device manufacturers, understanding the structure, types, and intent of MDSAP audits is essential for successful certification and sustained compliance.

Based on the principles laid out in the MDSAP Audit Approach Document Version 009, this comprehensive guide explores the full three-year MDSAP audit cycle: Initial Certification, Surveillance, Recertification, and Special Audits, the last of which include Unannounced and Regulatory Authority-conducted audits.

Understanding the MDSAP Audit Cycle

The MDSAP audit cycle spans a three-year period, designed to ensure ongoing compliance with ISO 13485:2016 and participating regulatory authorities’ requirements. It consists of:

  • Initial Certification Audit (Year 1)
  • Surveillance Audits (Years 2 and 3)
  • Recertification Audit (Year 3 end/start of next cycle)

Each of these audit stages has defined goals and methodologies governed by ISO/IEC 17021-1:2015 and tailored through MDSAP-specific procedures.

Initial Audit (Initial Certification Audit): Setting the Foundation

The Initial Certification Audit is a full assessment of a medical device organisation’s Quality Management System (QMS) and is conducted in two stages.

Stage 1: Planning and Documentation Review

In line with Clause 9.3.1.2 of ISO/IEC 17021-1:2015, and considering all relevant MDSAP audit process activities and applicable regulatory requirements, this stage focuses on reviewing the organisation’s QMS documentation, including:

  • Readiness for Stage 2 audit
  • Scope of the QMS
  • Conformity with ISO 13485:2016 Clause 4.2.1
  • Regulatory documentation required by participating MDSAP authorities

This stage may be performed off-site and lays the groundwork for audit planning.

Stage 2: Implementation and Effectiveness

In line with Clause 9.3.1.3 of ISO/IEC 17021-1:2015, and incorporating all applicable MDSAP audit process tasks, this on-site audit evaluates the implementation and effectiveness of the QMS, including:

  • the effectiveness of the medical device organisation’s QMS, ensuring integration of all applicable regulatory requirements,
  • product/process-related technologies (e.g., injection moulding, sterilisation),
  • adequate product technical documentation in alignment with the relevant regulatory requirements, and
  • the capability of the medical device organisation to meet these requirements.

Sites included in Stage 2 must appear on the certification; off-site-reviewed locations are not eligible for listing.

Surveillance Audits: Ensuring Continuous Compliance

Conducted in Years 2 and 3, surveillance audits are partial evaluations designed to monitor the QMS between initial certification and recertification. They align with Clause 9.6.2.2 of ISO/IEC 17021-1:2015 and Clause 9.6.2 of IMDRF/MDSAP WG/N3:2016, use the applicable MDSAP Audit Process tasks, and assess the following:

Core Objectives

  • the effectiveness of the medical device organisation’s QMS in incorporating and addressing the applicable regulatory requirements,
  • the organisation’s capability to maintain ongoing compliance with these requirements,
  • new or changed product/process-related technologies, and
  • updated or newly developed product technical documentation in alignment with the relevant regulatory requirements.

Each surveillance audit need not assess all MDSAP criteria, but across both years, all critical aspects must be covered.

Focus Areas

  • Design and Development Process and Production and Service Controls must be alternated between audits, unless otherwise justified by risk indicators.
  • Reviews must confirm up-to-date certifications, compliance markings, and appropriate use of certification references.

Changes in legislation or internal QMS modifications may trigger the need for a Stage 1 audit within the surveillance cycle.

Re-audit (Recertification Audits): Resetting the Compliance Clock

At the end of the 3-year audit cycle, the Recertification Audit (or Re-audit) validates the continued suitability and performance of the QMS.

In accordance with Clause 9.6.3 of ISO/IEC 17021-1:2015, and incorporating all applicable MDSAP audit process tasks, this audit assesses:

  • the effectiveness of the medical device organisation’s QMS in integrating the applicable regulatory requirements,
  • product and process-related technologies (e.g., injection moulding, sterilisation),
  • adequate product technical documentation in alignment with the relevant regulatory requirements, and
  • the organisation’s ongoing ability to fulfil these requirements.

This audit also ensures:

  • the organisation continues to comply with ISO 13485:2016 and applicable jurisdictional regulations, and
  • effective documentation control over the device lifecycle.

If significant changes have occurred, such as in response to new regulatory legislation, a Stage 1 audit may be required.

Special Audits: Addressing the Unexpected

Special audits fall outside the routine audit cycle, triggered by circumstances requiring urgent or focused assessments. As specified in ISO/IEC 17021-1:2015 Clause 9.6.4, along with any additional requirements set by the MDSAP-recognised auditing organisation and/or, where applicable, the MDSAP participating regulatory authorities, these audits may include:

  • The need to extend the scope of the audit or certification of the medical device organisation to include new or modified products between regularly programmed audits
  • A deficiency in oversight by the MDSAP-recognised auditing organisation, for example due to insufficient audit time, inappropriate audit team constitution, etc.
  • To follow up on specific post-market issues, for example a potentially significant complaint.
  • Addressing significant findings from a previous MDSAP audit.
  • Performing audits at the request of an MDSAP participating regulatory authority in response to a specific assignment.
  • To perform supplier audits as required by regulatory authority directives or Auditing Organisation policy.

Audit reports from special audits conducted at the request of regulatory authorities must be submitted within 15 days.

Unannounced Audits: When Compliance Is Questioned

Unannounced audits, a subset of special audits, are carried out in response to high-grade nonconformities or regulatory red flags. These audits serve as:

  • Immediate checks on compliance
  • Tools to investigate serious systemic issues
  • Mechanisms to restore regulatory confidence

The IMDRF/MDSAP WG/N3:2016 document defines the criteria applicable to these audits.

Audits Conducted by Regulatory Authorities

Apart from audits conducted by recognised MDSAP Auditing Organisations, participating regulatory authorities themselves may conduct audits at any point, especially:

  • For-cause audits
  • Follow-ups on prior findings
  • Oversight of high-risk manufacturers

These audits play a pivotal role in quality oversight and ensuring the MDSAP system functions as intended.

Sterility and Special Considerations for Sterile Devices

For sterile medical devices, the MDSAP audit must include a thorough assessment of sterilisation controls during:

  • Initial Certification
  • Recertification Audits

Surveillance audits can verify the maintenance of validated sterilisation parameters, but remote reviews alone are not sufficient. On-site verification remains critical.

Auditors must follow audit trails that may lead back to documents assessed remotely to ensure a comprehensive evaluation of sterility control measures.

Conclusion: Why Mastering the MDSAP Audit Cycle Matters

For medical device manufacturers, MDSAP certification is more than a regulatory checkbox—it’s a testament to global quality, safety, and compliance. Understanding the MDSAP audit cycle and the types of audits it encompasses enables organisations to:

  • Prepare effectively for each audit stage
  • Respond swiftly to regulatory changes
  • Mitigate risks through proactive surveillance
  • Demonstrate transparency and reliability to regulators and partners

By embedding MDSAP principles into everyday QMS operations, organisations not only achieve regulatory harmony across borders but also cultivate a culture of continuous quality improvement.

At Maven Profcon Services LLP, we specialise in providing comprehensive support for all types of MDSAP audits, including Initial Certification, Surveillance, Recertification, Special, and Unannounced audits. Our expert team ensures your Quality Management System is audit-ready and fully aligned with ISO 13485:2016 and all applicable regulatory requirements from participating MDSAP jurisdictions. From gap assessments and document preparation to mock audits and on-site audit support, we guide you through every step of the MDSAP audit cycle. Partnering with Maven means securing your compliance, reducing regulatory risks, and enhancing confidence with global regulators and stakeholders. Let us help you navigate MDSAP with confidence.

Author

Vijay Kureel