
MDSAP is the Medical Device Single Audit Program, which combines the ISO 13485:2016 medical device certification and the country-specific requirements of five countries: Australia, Brazil, Canada, Japan and the USA.

This article is written by Teuvo Vaara, Lead Auditor, SGS Fimko Ltd.

MDSAP audits are currently only required by Health Canada, but they are also recognized by the other participating Regulatory Authorities. For example, the US FDA may choose to change its auditing schedule if an organization has given notice that it will be included in the MDSAP auditing program.

Who is authorized to conduct MDSAP audits?

There are currently 13 Auditing Organizations (AO) that are authorized to conduct MDSAP audits and 11 that are fully recognized as MDSAP AOs. SGS United Kingdom Ltd. is one of the latter. Since March 2019, SGS Fimko Ltd. has qualified MDSAP lead auditors to conduct MDSAP audits for SGS UK Ltd.

SGS UK’s Global Medical Device Office (GMDO) has oversight responsibilities for the MDSAP Program at SGS. Day-to-day operational management of the MDSAP occurs from one of the SGS offices in the United States. The MDSAP auditors of SGS Fimko Ltd. report to the SGS global MDSAP team. For Finnish customers, there is a local SGS contact person in Finland.

All organizations that are subject to MDSAP audits should familiarize themselves with the MDSAP audit model (MDSAP AU P0002.004) and especially the latest audit companion document (MDSAP AU G0002.1.004) that is the detailed guideline for all MDSAP audits, as well as the instructions that MDSAP auditors follow. The document describes the minimum contents of the audit in detail.

MDSAP Audit process

At the core level, MDSAP audits are ISO 13485:2016 audits. However, all auditing organizations are required to conduct MDSAP audits following the same common MDSAP audit procedures and to report their actions using the same common MDSAP forms. A large conceptual difference compared to an ordinary ISO 13485:2016 audit is that the main target audience of the AO's audit reports is the MDSAP regulatory bodies instead of the audited organization itself.

Due to the unifying nature of the MDSAP program, the audit durations may often be significantly longer than IAF MD9 allocations. Therefore, the structure of the MDSAP audit plans may look somewhat different than previous ISO 13485 audit plans. There are altogether 90 audit tasks that may be applicable to the audited organization. Each task describes exactly what the auditor is expected to do to complete a specific aspect of the audit. To complete a specific task, the auditor is required to audit these aspects and collect evidence to be summarized in the audit report. The nominal minimum times for each task are pre-defined. However, the time spent on a task may need to be increased due to multiple products, suppliers, nonconformities, or other reasons.

After the audit, the possible nonconformities are reported to the audited organization and the MDSAP countries. The grading of these forms follows a common MDSAP specific guideline (MDSAP AU G0019.4.003 NC Grading Exchange Form Guidelines). For MDSAP audit nonconformities, a grading scale from 1 to 5 is applied instead of the more common Minor/Major categorization. The timelines to be followed in responding and communicating the nonconformities are defined in MDSAP AU P0027.005 Post Audit Activities and Timeline Policy. These timelines are summarized in the chart on page 3 of the document.

The report

The Medical Device Regulatory Audit Report Form MDSAP AU F0019.1 and the Nonconformity Grading and Exchange Form MDSAP AU F0019.2 are the main documents used in MDSAP reporting and communication. After the conclusion of the whole MDSAP audit process, SGS UK Ltd. is responsible for submitting the documents to the Regulatory Exchange Platform, where they become available to all Regulatory Authorities in the MDSAP program.

Further information

The United States Food and Drug Administration (FDA) currently maintains the MDSAP-related web pages, with applicable documentation and a training portal that are freely accessible to everybody.

The audit policy, procedures and other documents, including detailed instructions and forms, can be downloaded from the FDA site.


SGS Fimko Ltd. is currently training more MDSAP certified auditors in Finland. Local auditors make it easier to communicate and agree on the optimal audit time. The use of more than one auditor also significantly shortens the duration of the audit in calendar days.

Through our MDSAP authorization, the customer can obtain the voluntary ISO 13485 certification, the EC certification, and the MDSAP certification all at once, in one audit period.

For questions concerning our MDSAP services, please contact

Kati Lisitsin
Account Manager