MDSAP – Insight into Medical Device Single Audit Program Guidelines

MDSAP Auditing Cycle

The MDSAP (Medical Device Single Audit Program) consists of a three-year audit cycle. These cycles include the following:

1. The Initial Audit-1st Year Audit Cycle

It is also known as “Initial Certification Audit.” The initial audit is a complete audit of the organization’s QMS (Quality Management System) and consists of two stages, i.e.,

  • Stage 1 Audit (17021-1:2015 – CI
  • Stage 2 Audit (17021-1:2015 – CI

Documentation Review, Evaluation of Stage 2 Preparation-Stage 1(17021-1:2015 – CI

For conducting the Stage 1 Audit, the following should be considered:

  • ISO/IEC 17021-1:2005’s clause
  • All other applicable MDSAP Audit Process tasks and regulatory requirements.

Purposes of Conducting Stage 1 Audit

According to MDSAP, there are four purposes of the Stage 1 Audit:

  • To check whether the QMS documentation requirements of ISO 13485:2016’s Clause 4.2.1 and other MDSAP requirements have been met and defined
  • Assessment of the medical device organization's preparedness for the Stage 2 audit
  • Provision of focus for Stage 2 audit planning
  • Information collection regarding the QMS scope and other aspects of the medical device organization.

The outcome of Stage 1 Audit Review

Auditing organizations can combine Stage 1 and Stage 2 elements, thus allowing a single on-site visit for both initial and reaudit of the medical device organization. The results of these audits will determine:

  • Preparedness of the medical device organization to go into the Stage 2 Audit
  • Accomplishments of the medical device organization in the Stage 1 and Stage 2 audits with respect to off-site documentation and on-site verifications.

Some portions of the Stage 1 Audit can be performed at locations other than the sites of the medical device organization seeking initial certification.

2. Partial Surveillance Audit-2nd Year Audit Cycle

The partial surveillance audit (17021-1:2015 – CI follows the initial audit in each of the following two years. This Audit cycle evaluates the QMS implementation and effectiveness. Conducting the Stage 2 audit shall be per the requirements of ISO/IEC 17021-1:2015’s Clause and all applicable MDSAP Audit process tasks.

General Purposes of Conducting Stage 2 Audit

The primary purpose of conducting Stage 2 Audit is to determine the implementation of all the requirements of

  • ISO 13485:2016
  • Other relevant regulatory requirements from participating regulatory authorities.

Special Purposes of Conducting Stage-2 Audit

Stage 2 Audits evaluate the following four objectives specifically:

  • Effectiveness of QMS of the medical device organization that is implementing the applicable regulatory requirements
  • Technologies related to product/process (e.g., injection molding and sterilization, etc.)
  • Product technical documentation with regards to relevant regulatory requirements
  • Medical device organization’s ability to show continued compliance to these requirements.

With the Stage 2 Audit, the auditor can verify whether the medical device organization has been able to maintain sufficient and reliable objective evidence to demonstrate its device’s ability to meet the principles of

  • Safety
  • Performance
  • Effectiveness
  • Any other regulatory requirement given in the audit tasks.

This auditing and verification process also ensures that the documentation and records which the participating Regulatory Authorities require are current, complete, and present.

3. Complete Reaudit

The complete reaudit (17021-1:2015 – CI is also known as the Recertification Audit and is performed in the third year.

Surveillance Audits (1st and 2nd Surveillance Audits)

The 1st and 2nd surveillance audits shall be conducted under

  • ISO/IEC 17021-1:2015’s Clause 9.6.2.2
  • IMDRF/MDSAP WG/N3:2016’s clause 9.6.2
  • Applicable MDSAP Audit Process Tasks.

General Purpose of Surveillance Audits

The purpose of surveillance audits is to ensure that during the three-year audit program of the medical device organization, all the ISO 13485:2016 and other relevant regulatory requirements have been audited.

Special Purpose of Surveillance Audits

The surveillance audit primarily evaluates

  • Medical device organization’s effectiveness in incorporating applicable regulatory requirements in its QMS
  • The ability of the medical device organization to comply with these requirements
  • Any new or changed technologies related to products/process
  • New or altered product technical documentation about relevant regulatory requirements.

Contents of Surveillance Audits

The surveillance audits also contain a review of medical device safety and practical issues since the last audit. These include:

  • Complaints
  • Problem reports
  • Vigilance reports
  • Recalls/field corrections/advisory notice.

With these objectives, an MDSAP-recognized Auditing Organization can ensure that the QMS meets the requirements between reaudits (recertification audits). In addition, the auditor can expect the medical device organization to maintain the documents and records needed to show continued compliance with the regulatory requirements of the post-market phase of the device life-cycle.

These surveillance audits do not require Stage 1 Audit unless

  • Any significant changes (e.g., QMS changes associated with new legislation) have occurred since the last audit
  • If the Auditing Organization considers it necessary.

MDSAP Requirements to be covered by the Surveillance Audits

Each surveillance audit must cover the following requirements:

  • A review of medical device organization, its QMS, and its products since the last audit. Any changes that have occurred may require regulatory submissions
  • The MDSAP Audit Process tasks, as listed in the table in Appendix 1 of MDSAP AU P0008 – Audit Time Determination Procedure
  • Confirmation regarding medical device organization’s arrangements in the maintenance of the technical documentation currency for all the devices
  • Use of marks and references to certification.

Re-Audit (Re-Certification Audit)

It should be conducted under

  • ISO/IEC 17021-1:2015’s Clause 9.6.3
  • All applicable MDSAP Audit Process Tasks.

General Purpose of Recertification Audits

The Re-certification Audit has the following objectives:

  • Confirmation of continued relevance, acceptability, and suitability of the medical device organization’s QMS
  • Satisfaction of all applicable ISO 13485:2016 requirements
  • Fulfillment of all regulatory requirements of participating regulatory authorities concerning the certification scope.

Special Purpose of Recertification Audits

Recertification Audits especially evaluate

  • Effectiveness of QMS of the medical device organization that is implementing the applicable regulatory requirements
  • Technologies related to product/process (e.g., injection molding and sterilization, etc.)
  • Product technical documentation with regards to relevant regulatory requirements
  • Medical device organization’s ability to show continued compliance to these requirements.

These recertification audits do not require Stage-1 Audit, unless:

  • Any significant changes (e.g., QMS changes associated with new legislation) have occurred since the last audit
  • If the Auditing Organization considers it necessary.

In case of significant changes to the QMS, Auditing Organizations, in accordance with the ISO/IEC 17021-1:2015’s Clause, shall review the documentation implementing those changes. Through selective focusing and resampling, these reaudits can be shorter than the initial audits.

Achievement of the Objectives for Re-Auditing

For achieving the Reauditing objectives, along with the ISO/IEC 17021-1:2015 requirements, the auditor shall verify

  • Review of MDSAP audit reports prepared since the initial audit or the previous reaudit
  • Review of changes made to the medical device organization, QMS, or products since the last surveillance audit
  • Follow-up of corrections and/or corrective actions resulting from any previous MDSAP audit
  • Review of the effectiveness and suitability of the current QMS of the medical device organization over the previous QMS
  • All other applicable MDSAP Audit Process Tasks.

Process and Sampling Audits

Based on risk, these audits should focus on:

  • New or modified processes, designs, and products
  • Any previously identified existing and potential nonconformities
  • Areas that were not adequately covered during the surveillance period.

Any sites relevant to the medical device organization’s QMS but audited off-site should not be recorded on the certificate during a recertification audit.

Audits other than MDSAP

Three types of audits can occur at any given time within the MDSAP cycle. They are:

1. Special Audits (17021-1:2015 – CI

These audits are part of the planned audit cycle. Therefore, they should only be used if necessary, and their focus should be the specific elements of the medical device organization’s QMS.

When to Conduct Special Audits?

Special audits can be conducted

  • In response to the application for extending an existing certification’s scope
  • In determining whether the extension can be given or not
  • As short notice audits for investigation of potentially significant complaints
  • If specific information provides the basis for suspecting serious non-conformities of the devices, or
  • Any other miscellaneous reasons.

Special Audits should be conducted as per

  • All applicable requirements of ISO/IEC 17021-1:2015’s Clause 9.6.4
  • Any additional MDSAP requirements recognized by Auditing Organization and/or regulatory authorities participating in MDSAP.

Objectives to be Addressed by Special Audits

Special audits address the following

  • The need to extend the medical device organization’s audit or certification scope to add new or modified products between regularly programmed audits
  • A shortfall recognized by the MDSAP-recognized Auditing Organization (e.g., insufficient audit time)
  • Follow-up of specific post-market issues (e.g., potentially significant complaint)
  • Follow-up of essential findings from a previous MDSAP audit
  • Conducting supplier audits as per the directions of the Auditing Organization policy or by the regulatory authority
  • Upon the request of the MDSAP participating regulatory authority.

An Auditing Organisation that performs a special audit at the request of the recognizing Regulatory Authority(s) must submit the audit report to the recognizing Regulatory Authority(s) within 15 days from the audit’s last day.

2. Audits Conducted by Regulatory Authorities

MDSAP participating regulatory authorities can conduct audits at any time for the following reasons:

  • “For Cause,” i.e., from the information obtained by the regulatory authority
  • For following up on the previous audit’s findings
  • For confirming whether MDSAP requirements have been effectively implemented.

3. Unannounced Audits

Unannounced Audits are conducted upon the detection of high-grade non-conformities.

MDSAP is an important auditing program for medical device organizations. To ensure transparency, these audits shall always be conducted by the MDSAP organizations that are recognized by the Regulatory Authorities. TSQ and E is a Regulatory Authority-recognized organization that has been running MDSAP for various medical device organizations for a very long time. Our auditing methods are fast, efficient, and cost-reliable and can help you become compliant with regulatory authorities’ requirements.

About the Author

Waqas Imam

S. M. Waqas Imam is associated with TS Quality as a Regional Partner. He is also an ambassador of Medical Device Community. He is an Industrial Engineer by qualification and has served the manufacturing industry since 2011. He is also an IRCA CQI Lead Auditor of ISO 9001 and other management system standards. He has served as Quality Assurance and Regulatory Affairs Manager at QSA Surgical Pvt. Ltd. and Ultimate Medical Products, where he managed the requirements of ISO 13485:2003, EU directives, CE marking and FDA. He has also served as Expert Blog Writer for 13485Academy and written expert articles on various topics of ISO 13485:2016.