Leveraging MDSAP to Prepare for QMSR Integration

How Device Manufacturers Can Use MDSAP to Prepare for QMSR Integration

On February 2, 2026, FDA will begin enforcing its new Quality Management System Regulation (QMSR), which replaces the long-standing Quality System Regulation (QSR) in 21 CFR 820 and incorporates ISO 13485:2016 by reference.

At the same time, the Medical Device Single Audit Program (MDSAP) continues to evolve, most recently with an updated MDSAP Audit Approach in August 2024, positioning MDSAP as a powerful lens into what future FDA QMSR inspections may look like.

This blog explores how medical device manufacturers can use the MDSAP audit model to prepare for FDA’s QMSR 2026 requirements. Learn practical steps for aligning ISO 13485, MDSAP, and QMSR for inspection readiness.

Quick refresher: What is MDSAP?

The Medical Device Single Audit Program (MDSAP) allows a single regulatory audit of a manufacturer’s quality management system that satisfies the requirements of multiple regulatory authorities. Audits are conducted by recognized Auditing Organizations (AOs) under a common model.

Currently, the core participating Regulatory Authorities (RAs) are:

• U.S. FDA (CDRH)
• Health Canada (HC)
• Australia’s TGA
• Brazil’s ANVISA
• Japan’s MHLW/PMDA
  
  

The MDSAP Audit Approach is built on ISO 13485:2016 as the base QMS standard, plus Country-specific requirements, including U.S. regulations like:

• • 21 CFR 820 (QSR – to be replaced by QMSR in 2026)
  • 21 CFR 803 (MDR reporting)
  • 21 CFR 806 (corrections & removals)
    
    

Critically for U.S. manufacturers, FDA will accept MDSAP audit reports as a substitute for routine FDA surveillance inspections, with important exceptions (for-cause, pre-approval, compliance follow-up, etc.).

So, if you participate in MDSAP, your MDSAP audit report can often stand in for an FDA routine inspection; already a strong incentive even before QMSR arrives.

QMSR in 2026: What’s changing for FDA?

On January 31, 2024, FDA issued its long-awaited final rule amending 21 CFR 820, formally renaming it the Quality Management System Regulation (QMSR).

Key points to note about FDA’s QMSR:

Effective enforcement date: February 2, 2026

Core change: 21 CFR 820 now incorporates ISO 13485:2016 by reference, along with certain definitions from ISO 9000:2015, with targeted U.S.-specific additions to satisfy the FD&C Act.

Regulatory intent: Modernize CGMP requirements, reduce redundant global requirements, and further pursue international regulatory harmonization.

FDA has been explicit on several points in the preamble and subsequent summaries:

• ISO 13485 certificates alone will not be accepted in lieu of FDA inspections.
  
  
• MDSAP remains voluntary, and QMSR does not change FDA’s policy that it may accept MDSAP audit reports in lieu of routine surveillance inspections.
  
  

For manufacturers, this means:

If you are already robustly aligned to ISO 13485:2016, you’re not starting from scratch, but you still must address FDA-specific QMSR requirements and inspection expectations.

How MDSAP and QMSR Intersect

(And Why It Matters for Your QMS)

MDSAP and QMSR are not separate regulatory pathways; they are increasingly aligned, and that convergence has real implications for manufacturers preparing their quality systems.

Both frameworks are anchored in ISO 13485:2016:

1. • MDSAP audits already use ISO 13485:2016 as the core QMS model, with U.S. add-ons (21 CFR 820, 803, 806, etc.)

• • With QMSR formally incorporating ISO 13485 into 21 CFR 820, the U.S. regulatory baseline is now structurally similar to what MDSAP has been using for years.
  This creates a unified foundation across both programs.

A Narrowing Gap Between MDSAP & FDA Compliance

Because QMSR aligns FDA’s quality system regulation with ISO 13485, the practical gap between “MDSAP compliance” and “FDA compliance” continues to shrink.

Manufacturers performing well under MDSAP are now much closer to meeting QMSR expectations.

Regulatory Perspective & Inspection Implications

FDA has reinforced the connection between the two programs:

1. • QMSR does not change the voluntary nature of MDSAP or the Agency’s policy of accepting MDSAP audit reports in place of routine surveillance inspections.

   • FDA and external experts consistently point to MDSAP as a strong signal of what QMSR-aligned inspections will emphasize, especially as QSIT is retired and FDA modernizes its inspection approach.

What This Means Strategically for Your QMS

If your QMS is MDSAP-ready, you are inherently positioned closer to QMSR readiness because both frameworks:

• Follow ISO 13485’s process-based, risk-based structure

• Emphasize the same operational pillars:
  management responsibility, design & development,
  production and service controls,
  purchasing/supplier controls,
  CAPA, and
  post-market surveillance

This creates strong overlap in expectations and audit focus areas.

But Alignment ≠ Completion

Even with significant convergence, MDSAP alignment does not fully satisfy QMSR requirements.
Manufacturers must still identify and close gaps where QMSR imposes FDA-specific obligations that exceed ISO 13485 or are interpreted differently.

How the Evolving MDSAP Audit Model Supports QMSR Preparation

1. Updated MDSAP Audit Approach (2024)

In August 2024, the MDSAP Regulatory Authority Council released a new revision of the MDSAP Audit Approach (MDSAP AU P0002.009). This revision:

• Combines the former Audit Model and Process Companion into a single document
• Provides additional detail for each audited process, including anticipated outcomes and specific task guidance
• Continues to map ISO 13485 requirements to country-specific regulatory clauses, including 21 CFR 820, 803, and 806.
  

This confirms a trend: MDSAP is actively maintained and updated to keep pace with regulatory change. The broader MDSAP QMS documents and procedures show the same pattern of continual improvement.

2. Expected Shifts as QMSR Takes Effect

As of late 2025, the MDSAP Audit Approach still explicitly references 21 CFR 820 as the U.S. quality system regulation. With QMSR enforcement starting February 2, 2026, you should reasonably anticipate future revisions in areas such as:

Regulatory References

• • U.S. portions of the audit model will likely shift from “21 CFR 820 (QSR)” language toward “21 CFR 820 (QMSR)”, while retaining 803 and 806 for reporting and corrections/removals.
    
    

Terminology & Definitions

• • Expect alignment with QMSR/ISO 13485/ISO 9000 terminology (e.g., “organization,” “product realization,” “documented information”), echoing how QMSR imports these definitions.
    
    

Emphasis, Not Reinvention

• • MDSAP already strongly emphasizes risk management, supplier controls, and post-market surveillance, areas that QMSR also highlights when it adopts ISO 13485’s lifecycle approach.
  • So, the “new model” will likely look evolutionary, not radical, from a process standpoint; more about refined expectations and cross-references than a wholesale restructuring.
    
    

At the same time, FDA has made clear that it will not rely solely on ISO 13485 or MDSAP results in place of its own oversight, even under QMSR. Your goal should be alignment, not substitution.

What The “New” MDSAP Audit Model Could Mean for FDA Alignment

Here’s what this convergence of MDSAP and QMSR means in practical terms for U.S.-focused manufacturers:

1. MDSAP as a “live-fire drill” for QMSR inspections

Because MDSAP audits:

• Are based on ISO 13485,
• Explicitly test U.S. regulatory requirements, and
• Follow a structured process-based audit sequence
  

They provide a realistic rehearsal for what FDA investigators will expect under QMSR. The same core areas that dominate MDSAP nonconformities, CAPA, documentation, supplier controls, complaint handling, design controls, are likely to be FDA focal points as well.

2. Stronger Business Case for MDSAP Participation

FDA’s policy remains:

• MDSAP is voluntary, but
• FDA may accept MDSAP audit reports in lieu of routine surveillance inspections, and QMSR does not change that.
  

In a QMSR world, this means a single MDSAP audit can:

• Support multi-jurisdictional market access, and
• Reduce the likelihood of separate FDA surveillance inspections,
  while also stress-testing your QMS against QMSR-aligned expectations.
  
  

3. But: MDSAP ≠ QMSR

It’s important not to over-interpret the harmonization:

• MDSAP certification goes beyond a basic ISO 13485 certification. While ISO 13485 provides the foundational quality standard, the MDSAP program integrates those requirements with additional, country-specific medical device regulations for the United States, Canada, Australia, Brazil, and Japan. Consequently, a manufacturer holding an MDSAP certificate demonstrates a broader, multi-jurisdictional compliance mark rather than just the standard QMS certification.
• QMSR contains FDA-specific requirements and interpretations that still must be addressed (e.g., certain recordkeeping and reporting nuances, linkage to FD&C Act obligations).
  
  

Think of MDSAP as a powerful lever for QMSR readiness — not a shortcut.

Using MDSAP to prepare for QMSR 2026

Here’s how we recommend medical device manufacturers utilize MDSAP to help prepare for QMSR integration.

1. Build a QMSR–ISO 13485–MDSAP crosswalk

Start with FDA’s own QMSR overview and guidance, which include mapping content and explanatory material on how ISO 13485 and QMSR align.

Practical approach:

1.) Create a matrix with columns for:

1. • QMSR (21 CFR 820 as revised)
   • ISO 13485:2016 clauses
   • MDSAP Audit Approach processes/tasks

2.) Map your SOPs & records into that matrix.

• • Where ISO 13485 + MDSAP already fully cover QMSR expectations
  • Where FDA-specific text in QMSR introduces additional or different requirements

    
    This becomes your master gap-assessment tool.

    
    

2. Use the MDSAP Audit Approach as your internal audit backbone

Download the latest MDSAP Audit Approach (MDSAP AU P0002.009) and use it as a structured internal audit checklist, even if you are not formally in the program.

Concrete steps:

• Structure your internal audit schedule to mirror the MDSAP process sequence. This includes essential areas such as Management, Measurement, Analysis, and Improvement (MA&I), Design & Development, Production & Service Controls, and Purchasing.
• For each process, ensure auditors are:
  • Verifying seamless linkages between quality system elements (e.g., confirming that risk controls established during the design phase flow into production controls and inform post-market feedback loops).
  • Sampling records using the same methodology as MDSAP Auditing Organizations (AOs) and FDA investigators, reviewing key documentation such as complaints, Corrective and Preventive Actions (CAPAs), supplier evaluations, Device Master Records (DMRs)/Device Files, Design History Files (DHFs)/Design Files, and validation reports.

3. Prioritize “high-impact” QMSR/MDSAP processes

Focus early resources where QMSR, ISO 13485, and MDSAP all converge—and where FDA historically finds problems:

CAPA & Risk-Based MA&I

• • Best Practice: The explicit linkage from nonconformity to verified effectiveness is a core requirement across all quality standards and a top FDA enforcement priority.
  • Risk Integration: Integrating risk management (ISO 14971) into daily QMS processes, particularly CAPA and post-market surveillance, is a key principle of the new QMSR and a major shift from previous approaches.

Design & Development Controls

1. • Leveraging MDSAP: The MDSAP audit approach provides a robust, standardized checklist that covers all key design control elements required by the FDA's former QSR and the new QMSR/ISO 13485 alignment.
   • Clinical Evidence: Ensuring validation includes appropriate clinical evidence aligns with heightened regulatory expectations for safety and performance data for higher-risk devices.
     
     
     

     Supplier Management & Purchasing Controls

     
     
     
     • Risk-Based Approach: Regulatory bodies universally expect a risk-based approach to evaluating and monitoring critical suppliers, ensuring quality throughout the entire supply chain.
     • Closed Loop: Ensuring supplier issues flow into the internal CAPA and risk management systems demonstrates a robust, closed-loop QMS, which auditors look for as evidence of effective control.
2. Complaint Handling, MDRs, and Corrections/Removals
   
   
   • Tighten processes for:
     • Complaint evaluation, investigation, and closure
     • Timely Medical Device Reporting (21 CFR 803) and corrections & removals (21 CFR 806) where required.
       
       
   • Expect these to remain FDA hot topics under QMSR: Complaint handling and regulatory reporting (MDRs/Corrections and Removals) remain high-visibility areas for the FDA. Effective procedures here are non-negotiable for QMSR compliance.
   • Timeliness and Traceability: Tighter processes ensure that potential safety issues are identified, investigated, and reported in a timely and compliant manner.

4. Decide your MDSAP strategy (participate or mirror?)

Manufacturers have two primary strategic options for leveraging MDSAP during the transition to QMSR compliance:

Option A – Participate in MDSAP

Best for manufacturers that:

• Market in multiple MDSAP jurisdictions (e.g., U.S. + Canada or Brazil)
• Want to minimize duplicated third-party audits and leverage the possibility of fewer FDA routine inspections
  
  

Action items:

• Select an Auditing Organization (AO) recognized for your target markets.
• Plan your first MDSAP audit so that its cycle overlaps early with QMSR enforcement — using the audit as a stress test.
  
  

Option B – Mirror MDSAP without formal participation

Even for manufacturers who do not formally enroll in the program, this approach offers significant benefits:

• Utilize MDSAP documentation (Audit Approach, reports guidance, NC grading) to structure and enhance your internal audits and management reviews.
• Consider hiring external auditors or consultants familiar with MDSAP to run “MDSAP-style” audits against your QMSR crosswalk.
• Consider hiring external auditors or consultants who are familiar with the MDSAP process to run "MDSAP-style" audits against your QMSR gap analysis crosswalk. This provides a valuable, objective external assessment of your QMS's readiness for FDA inspections under the new regulation.
  
  

5. Given that the QMSR Final Rule is enforceable in just over two months, a robust, urgent plan is necessary.

A pragmatic roadmap might look like:

1. Complete the QMSR–ISO 13485–MDSAP crosswalk immediately. This analysis must be a top priority.
2. Identify and prioritize top 5–7 gap areas. Focus resources on the highest-risk and most problematic areas identified (e.g., CAPA, complaint handling, design records).
3. Decide whether to pursue formal MDSAP certification or a “mirror” strategy. The decision must be made now to guide the final implementation steps.
4. Update or create necessary SOPs for high-impact processes (CAPA, design controls, supplier management, PMS, complaint/MDR/recalls). Prioritize procedures required to meet new QMSR requirements.
5. Align the internal audit program to MDSAP processes.
6. Train internal auditors and key process owners on QMSR/MDSAP expectations immediately.
7. Execute a focused, MDSAP-style internal audit against your updated QMS to identify last-minute nonconformities.
8. Drive CAPAs and verify effectiveness before the February 2, 2026 deadline.
9. If you are participating in MDSAP, coordinate the timing of your next Auditing Organization (AO) audit to confirm readiness as close to the enforcement date as possible.

How Rook Quality Systems can support you

For many device manufacturers—especially those with lean quality and regulatory teams—this transition can feel like changing the tires while the car is moving.

Rook Quality Systems can help by:

• Performing a structured QMSR/MDSAP gap assessment using FDA and MDSAP source documents as the backbone
• Developing or updating risk-based SOPs that simultaneously satisfy ISO 13485, QMSR, and MDSAP expectations
• Running MDSAP-style internal audits to surface issues before your AO or FDA does
• Providing targeted training for quality, regulatory, and leadership teams on how QMSR and MDSAP work together