ISO 13485 vs MDSAP: Do You Need Both? (Complete Comparison for North American Medical Device Manufacturers)

ISO 13485:2016 is the international medical device QMS standard, recognised by virtually every regulator on earth. MDSAP (Medical Device Single Audit Program) is a multilateral certification scheme that uses ISO 13485 as the underlying framework but layers in country-specific regulatory requirements from five jurisdictions (US FDA, Health Canada, Brazil ANVISA, Australia TGA, Japan PMDA). The practical difference: an ISO 13485 certificate is the technical baseline; an MDSAP certificate is a single audit that satisfies five regulators at once. For NA medical device manufacturers selling into multiple regulator markets, MDSAP saves 30-50% of total annual audit cost compared to running separate ISO 13485 + FDA + Health Canada + ANVISA + TGA + PMDA audits.

This guide explains what each scheme actually covers, who needs which, what they cost in Canadian and US dollars, and how to decide whether MDSAP makes sense for your specific market mix.

Quick comparison table

The summary: ISO 13485 alone is sufficient for narrow market exposure; MDSAP becomes the more economical path when the manufacturer ships into three or more of the five MDSAP jurisdictions.

What ISO 13485:2016 covers

ISO 13485:2016 is the international medical device QMS standard published by ISO. Unlike ISO 9001, it does NOT use the Annex SL high-level structure — it retained the older 8-clause structure (clauses 4 through 8) for backward compatibility with the previous 2003 edition.

The standard requires:

• General requirements (clauses 4-5) — QMS scope, documentation, management responsibility, quality policy, quality objectives, management review.
• Resource management (clause 6) — human resources (competence + training), infrastructure, work environment (including contamination control for sterile devices), and contamination control.
• Product realization (clause 7) — planning, customer-related processes, design and development (clause 7.3 — the most demanding section), purchasing, production and service provision (including process validation, sterile validation), and control of monitoring and measuring equipment.
• Measurement, analysis and improvement (clause 8) — internal audits, monitoring of processes, monitoring of product, control of nonconforming product, complaint handling, MDR (medical device reporting), advisory notices, data analysis, and corrective action / preventive action (CAPA — explicitly mandated; ISO 9001:2015 dropped preventive action separately).

What ISO 13485 does NOT prescribe is the country-specific regulatory layer. FDA 21 CFR Part 820 (transitioning to QMSR effective February 2026), Health Canada MDR (SOR/98-282), EU MDR 2017/745, Brazil ANVISA RDC 16/2013, Australia TG(MD)R, Japan PMD Act — each adds country-specific requirements on top of ISO 13485. ISO 13485-only certificates are widely accepted as the QMS framework but rarely satisfy individual regulator inspections without additional country-specific evidence.

That gap is what MDSAP closes for the five participating jurisdictions.

What MDSAP adds on top of ISO 13485

MDSAP (Medical Device Single Audit Program) is a multilateral arrangement among regulatory authorities to recognise a single audit conducted by an MDSAP-recognized Auditing Organization as satisfying each authority's inspection requirements. The five participating regulators:

Key facts:

• Health Canada has REQUIRED MDSAP since 2019 for any low-risk classI, III, or IV medical device sold in Canada. ISO 13485 alone is no longer sufficient — Canadian manufacturers MUST hold MDSAP for those device classes.
• The FDA's QMSR transition (final rule January 2024, effective February 2026) explicitly incorporates ISO 13485:2016 by reference. Once QMSR is in effect, FDA inspections will use ISO 13485 language and clause structure.
• Brazil ANVISA, Australia TGA, and Japan PMDA each have their own inspection authority and may still conduct independent inspections, but MDSAP audits substitute for routine surveillance.
• EU MDR is NOT a MDSAP participant — manufacturers selling into the EU still need separate Notified Body assessment. The CE mark process is independent.

The MDSAP audit is roughly 30-50% longer than an equivalent ISO 13485 audit because the Auditing Organization must verify country-specific evidence on top of the base ISO 13485 framework. For Health Canada, that includes Canadian Medical Devices Regulations Section 32 (problem reporting), Section 33 (recall procedures), and Section 34 (distribution records). For FDA, it includes Medical Device Reporting (MDR) procedures, complaint files, and corrections-and-removals records.

Customer-mandate / regulator reality check

The strongest signal driving the ISO 13485 vs MDSAP decision is which regulator markets the manufacturer ships into. Reality check by major NA medical device pathway:

For a Boston-area medical device startup planning US-first commercialization with Canadian expansion in Year 2, the right path is typically: ISO 13485 first (Year 0-1, US FDA-aligned), then upgrade to MDSAP at the next surveillance audit (Year 1-2 when Canadian launch approaches). For a Toronto-area low-risk classI manufacturer selling primarily into Canada and the US, MDSAP from day one is more cost-effective than ISO 13485 + later upgrade.

Cost and timeline comparison

Realistic ranges based on PinnacleQMS engagements with North American medical device manufacturers across Boston, Cambridge, Waltham, Toronto-area, Mississauga (medical device cluster), Vancouver, Minneapolis, and the broader US biomedical corridor:

ISO 13485 alone

MDSAP

The MDSAP economic case — if the manufacturer would otherwise face separate inspections from FDA, Health Canada, ANVISA, TGA, and PMDA, the combined cost of those independent inspections runs roughly CA$80,000-150,000 / US$65,000-120,000 per year. MDSAP at CA$8,000-18,000 / US$6,500-15,000 annual surveillance captures most of that as savings — a 75-85% reduction in total annual audit cost for manufacturers selling into 3+ MDSAP markets.

Decision criteria — when to choose each

Pick ISO 13485 alone if:

• Selling exclusively into US market (FDA only) — but plan upgrade path to MDSAP if Canadian launch is on the 24-month roadmap.
• low-risk class device with limited regulatory exposure.
• Selling primarily into EU (use ISO 13485 + Notified Body, MDSAP not applicable).
• Pre-revenue startup with less than 12-month runway to first commercial product (MDSAP overhead may not be justified yet).

  Pick MDSAP if:

• Selling into Canada at any device class above low-risk class — Health Canada mandates MDSAP since 2019.
• Selling into 3+ of the 5 MDSAP jurisdictions (US, Canada, Brazil, Australia, Japan).
• Annual audit cost across multiple regulator inspections exceeds CA$30,000 / US$25,000 per year.
• Want to reduce regulator-inspection unpredictability — MDSAP audits are scheduled, not surprise-driven.

Migrating from ISO 13485 to MDSAP

Manufacturers who started with ISO 13485 alone and now need MDSAP do not have to re-build the QMS. The migration path:

1. Gap analysis against MDSAP additional requirements. A consultant or internal team maps the existing ISO 13485 system against the country-specific layers — FDA 21 CFR Part 820 (transitioning to QMSR), Health Canada MDR Section 32-34, ANVISA RDC 16/2013, TGA TG(MD)R, PMDA PMD Act.
2. MDSAP-recognized Auditing Organization selection. Not every ISO 13485 registrar is MDSAP-recognized. Confirm the chosen Auditing Organization holds current MDSAP recognition (verifiable via the IMDRF MDSAP database).
3. Country-specific procedure additions. MDR (FDA + Health Canada + equivalents), recall procedures, distribution records, complaints by jurisdiction, technical file structure for each regulator.
4. Updated documentation. Document control system tagged for both ISO 13485 and MDSAP regulator-specific evidence.
5. MDSAP transition audit. Combined ISO 13485 + MDSAP layer audit at the next surveillance (or scheduled separately). Typically 30-50% longer than the current ISO 13485 surveillance.

Total migration time for a manufacturer with mature ISO 13485: typically 4-6 months. Cost: roughly the difference between the ISO 13485 and MDSAP implementation ranges (CA$5,000 – CA$20,000 / US$5,000 – US$16,000 incremental).

Frequently Asked Questions

Is MDSAP always more expensive than ISO 13485?

Initial implementation: yes, by 20-30%. Total 3-year cost: roughly equivalent. Total cost vs running separate FDA + Health Canada + ANVISA + TGA + PMDA inspections: MDSAP saves 70-85% if the manufacturer ships into 3+ of those markets.

Does MDSAP cover EU MDR?

No. The European Union is not a MDSAP participant. EU market access requires separate Notified Body assessment for the CE mark.

Does MDSAP replace FDA inspections?

For routine surveillance: yes. The FDA accepts MDSAP audit reports in lieu of routine FDA QSR inspections. The FDA can still conduct "for-cause" inspections (post-complaint, post-adverse-event, post-recall) independently.

Will the FDA QMSR transition (Feb 2026) change the value of ISO 13485?

Yes — it strengthens it. Under QMSR, FDA inspections will use ISO 13485:2016 language and clause structure. A current ISO 13485 certificate covers approximately 90% of QMSR requirements on day one. The remaining gap is FDA-specific record-keeping (MDR, corrections and removals, etc.) that PinnacleQMS layers onto the ISO 13485 system during implementation. See the /blog/iso-22000-vs-fssc-22000-comparison-food-manufacturers for a similar regulator-alignment pattern in food safety.

How does MDSAP align with the EU Medical Device Regulation (MDR)?

EU MDR is not a MDSAP participant, but the underlying ISO 13485 framework is the same. A manufacturer with MDSAP for US/Canada/Brazil/Australia/Japan and a separate Notified Body assessment for EU MDR holds parallel certifications with shared underlying QMS — typically 70-80% documentation overlap.

Can a contract manufacturer use the principal's MDSAP certificate?

No. Contract manufacturers need their own MDSAP or ISO 13485 certificate. The principal's certificate covers their own QMS — not outsourced operations. Health Canada and FDA both require independent certification for any operation performing manufacturing, sterilization, packaging, or final release.

Which Auditing Organizations offer MDSAP in North America?

The major MDSAP-recognized Auditing Organizations operating in North America include BSI Group, DEKRA, Intertek, NSF International, SGS, TÜV Rheinland, TÜV SÜD, and DNV. The IMDRF maintains the authoritative list of MDSAP Auditing Organizations.

Talk to a PinnacleQMS specialist

Across 250+ certifications including ISO 13485 and MDSAP implementations for healthcare and medical device manufacturers across Canada and the US — Boston, Cambridge, Toronto, Mississauga, Vancouver, Minneapolis, and the broader biomedical corridor — PinnacleQMS clients pass first-attempt audits at a 98% rate. The 6-stage process is the same for ISO 13485 and MDSAP — only the depth of country-specific procedures and additional Auditing Organization audit days differ.

To scope your specific facility, device class, and target market mix, contact PinnacleQMS to know more. The team will explain whether ISO 13485 alone, MDSAP, or a phased path fits your roadmap before quoting cost.

For more on the broader medical device QMS landscape, see the main process page, the PinnacleQMS compliance platform, the ISO 13485 service overview, the Boston cluster page on medical device certification, and the Internal Auditor vs External Auditor blog for context on how MDSAP audits differ from internal audit programs.

External authoritative references used in this guide include the ISO 13485:2016 standard at iso.org, the FDA Medical Device Single Audit Program page, Health Canada Medical Devices Regulations, the International Medical Device Regulators Forum (IMDRF), ANAB accreditation registry, and SCC accreditation registry for verifying that any Auditing Organization holds current accreditation.