MDSAP (Medical Device Single Audit Program): Why It Is Crucial for LED Device OEMs
If your OEM factory hosts four different auditors every year to repeat four almost identical audits, MDSAP consolidates them into one.
ISO 13485 audits, FDA on-site inspections, MDSAP audits, TGA audits, ANVISA audits—an LED phototherapy OEM factory supplying multiple global markets can expect 3 to 5 rounds of on-site audits annually from various regulatory bodies. Every single round means production downtime, engineering and management teams pulled away for days to host inspectors, repetitive CAPA tracking, and redundant audit report management.
The MDSAP (Medical Device Single Audit Program) is a joint framework established by five national regulatory authorities. It allows a single audit conducted by an authorized Auditing Organization (AO) to satisfy the quality management system (QMS) requirements of all five participating countries simultaneously.
For brand buyers, understanding MDSAP is not just a “factory compliance matter.” It is a strategic business decision: choosing an OEM partner with MDSAP saves your brand the time, cost, and friction of facing repetitive regulatory audits across multiple nations.
What Is MDSAP? One Audit Covering Five Regulatory Jurisdictions
The five participating countries accept MDSAP audit reports to replace or streamline their own QMS inspections.
| Country & Regulatory Body | What MDSAP Replaces |
| United States FDA | Replaces routine FDA QSIT (Quality System Inspection Technique) / QSR on-site inspections. (Note: It does not replace pre-market PMA or 510(k) reviews.) The FDA accepts MDSAP audit reports as evidence of QMS compliance. |
| Canada Health Canada | Replaces the ISO 13485 audit under CMDCAS (Canadian Medical Devices Conformity Assessment System). Mandatory Requirement: For Class II and above medical devices sold in Canada, an MDSAP audit report is a statutory prerequisite for market access. |
| Australia TGA | Replaces TGA Conformity Assessment Audits. The TGA accepts MDSAP audits to issue or maintain ARTG (Australian Register of Therapeutic Goods) entries. |
| Brazil ANVISA | Replaces ANVISA GMP (Good Manufacturing Practices) Audits. ANVISA accepts the MDSAP report to grant and maintain Brazilian GMP certificates. |
| Japan MHLW / PMDA | Replaces PMDA QMS Audits. The PMDA utilizes MDSAP reports as evidence of QMS compliance during registration reviews, reducing or exempting the factory from standalone on-site QMS inspections. |
Key Distinction: MDSAP is not a “mutual recognition” agreement where five countries blindly accept each other’s distinct audits. Instead, it is a single audit conducted by an authorized Auditing Organization (AO) following a unified MDSAP audit standard and checklist. The five regulatory bodies then independently review that single report to determine if their specific national criteria are met. The audit is singular, but each country retains its independent statutory authority and scope of acceptance.
What Does an MDSAP Audit Assess?
The MDSAP audit covers seven mandatory process modules, each containing a specific set of inspection criteria:
- Management Process: Management review, quality policy and objectives, responsibility and authority, and resource allocation.
- Design and Development: Design controls, design inputs/outputs, design reviews, design verification, design validation, and design changes.
- Production and Process Controls: Production process controls, process verification and validation, supplier management, control of monitoring and measuring devices, identification and traceability, and product cleanliness/contamination control (highly emphasized).
- Corrective and Preventive Actions (CAPA): Complete CAPA workflow—from nonconformance discovery, root cause analysis, and implementation of corrective actions, to effectiveness verification and feeding back into management review.
- Measurement, Analysis, and Improvement: Internal audits, complaint handling, data analysis, and continuous improvement—focusing heavily on whether decisions are driven by data or intuition.
- Purchasing: Supplier evaluation and selection, purchasing verification, and supplier monitoring/re-evaluation (including controls over outsourced processes).
- Device Specific (Post-Market Surveillance & Adverse Events): Post-market surveillance, adverse event reporting and evaluation, and advisory notice (recall) management.
Audit Depth: Auditors do not just check for the existence of written documentation. They randomly sample actual production orders, nonconforming material reports, and CAPA ledgers, tracing them all the way back to the corresponding SOUP (Software of Unknown Provenance) or engineering files to verify that everyday practices strictly align with written procedures.
MDSAP vs. ISO 13485: Clearing Up the Confusion
| Metric | ISO 13485 | MDSAP |
| Nature | A Standard. Published by ISO, it serves as a foundational quality management system framework. | An Audit Program. Jointly launched by five national regulators, it defines an active auditing methodology. |
| Scope | A globally recognized medical device quality system standard. | Covers only the five participating countries, but the audit is built upon ISO 13485 plus country-specific requirements. |
| Deliverable | An ISO 13485 Certificate issued by a registrar or notified body. | An MDSAP Audit Report uploaded to a central database. Regulatory bodies access this report to determine compliance. |
| How It’s Obtained | Passing a standard audit $\rightarrow$ deemed compliant $\rightarrow$ certificate issued. | Audited by an authorized AO $\rightarrow$ report uploaded $\rightarrow$ five nations decide on compliance based on the report. |
| Relationship | Serves as the foundation for MDSAP. | MDSAP layers country-specific regulations (e.g., FDA QSR 21 CFR Part 820, TGA specific clauses) on top of ISO 13485. Passing an MDSAP audit demonstrates compliance with ISO 13485; many AOs issue both an MDSAP report and an ISO 13485 certificate simultaneously. |
Why Brand Buyers Should Care if an OEM Factory Has MDSAP
1. MDSAP Is a “Deep-Dive Audit,” Not Surface Compliance
For factories holding only an ISO 13485 certificate, the depth of the audit can vary significantly depending on the registrar and individual auditor. Some audits focus primarily on the completeness of paperwork rather than sampling actual production runs or looking closely at closed-loop CAPAs.
The MDSAP audit methodology enforces rigid process verification, tracking the history of actual production lots to verify that the quality system functions in practice. Auditors will:
- Randomly pick a completed order and trace it backward to its raw material inspection logs and forward to its outgoing inspection and customer complaint records to ensure a seamless data chain.
- Randomly select a CAPA ticket to see if the root cause analysis goes deep, or if it settles for superficial conclusions like “operator error.” They will verify if corrective actions were proven effective rather than just checking a box marked “training completed.”
- Observe active assembly lines and molding workshops, cross-checking operators’ movements directly against the active SOP. Any discrepancy triggers a nonconformance.
What this means for buyers: An OEM factory that passes an MDSAP audit has survived rigorous scrutiny comparable to a regulatory agency inspection. Their real-world QMS execution is typically much stronger than a factory that holds a standard ISO 13485 certificate without MDSAP. It serves as an excellent, independent quality indicator when vetting manufacturing partners.
2. MDSAP Reduces the Brand’s Regulatory Burden
If your brand registers and sells LED phototherapy devices in multiple MDSAP-participating countries, your OEM’s MDSAP status makes compliance much smoother.
- You can submit the factory’s MDSAP audit report as quality system evidence in your own regulatory filings.
- This drastically reduces the likelihood that local regulatory agencies will mandate standalone, on-site QMS inspections at your contract manufacturer, saving your team administrative labor and protecting your production lines from unnecessary disruption.
Real-World Example: Suppose your brand sells LED face masks in both the US and Canada. In the US, you must comply with FDA QSR (21 CFR Part 820); your OEM’s MDSAP report can be accepted by the FDA in lieu of a routine, on-site FDA QSIT inspection. In Canada, Class II LED phototherapy devices legally require the manufacturer to hold an MDSAP audit report. If your contract manufacturer lacks MDSAP, your brand would have to undergo an MDSAP audit independently, and your OEM would likely face a standalone inspection from Health Canada.
3. MDSAP Is a Legal Barrier for Canada, Not an Option
For LED phototherapy devices (which are typically classified as Class II medical devices in Canada), MDSAP is a mandatory statutory requirement. If your OEM does not have MDSAP, you must either secure an MDSAP audit report independently, find a contract manufacturer that already has one, or withdraw from the Canadian market entirely.
This has been strictly enforced by Health Canada since January 1, 2019, for all Class II and higher medical devices. Any brand selling Class II LED phototherapy devices in Canada must ensure that the manufacturing facility holds a valid MDSAP audit report.
How to Verify a Factory’s MDSAP Validity in 3 Steps
Do not just take a factory’s word or a website badge at face value. Follow this verification process:
- Step 1: Request the Auditing Organization (AO) name and the MDSAP Organization ID (Org ID). The Org ID is a unique identifier assigned to every audited facility. If a factory cannot provide an Org ID or claims they don’t know what it is, they likely do not have a valid MDSAP audit or do not understand how the program operates—neither of which is a good sign.
- Step 2: Check the FDA MDSAP Search Page. Enter the factory name or Org ID into the public verification database and confirm:
  - The audit status is listed as “Active.”
  - The scope and covered process modules explicitly include “Design and Development” and “Production and Process Controls.” If these are missing, the factory’s MDSAP might only cover virtual manufacturing or specifications development, meaning it does not apply to a physical OEM manufacturing facility.
  - The expiration date. MDSAP audit reports are valid for three years (maintained via annual surveillance audits). If the expiration date has passed without an update, the report is invalid.
- Step 3: Ask for the date and results of their latest surveillance audit. MDSAP mandates annual surveillance audits. If more than 12 months have passed since the last full audit and no surveillance record exists, the audit status may be compromised.
RainbowDO’s MDSAP and Quality Certifications: An OEM/ODM Perspective
RainbowDO holds a currently valid MDSAP audit report covering all seven process modules, including Design and Development and Production and Process Controls. This means RainbowDO’s quality management system has been verified by an authorized AO to simultaneously meet ISO 13485 alongside the specific national regulations of all five participating countries.
Tangible Benefits for Brand Clients
- US Brands: RainbowDO’s MDSAP audit report is accepted by the FDA to replace routine on-site FDA QSIT inspections of our facility, minimizing regulatory risks and eliminating potential production interruptions.
- Canadian Brands: RainbowDO’s MDSAP status satisfies Canada’s strict Class II medical device QMS requirements, allowing brands to leverage our MDSAP documentation for their own Canadian product registrations.
- Australia, Brazil, & Japan Brands: RainbowDO’s MDSAP eliminates the need for standalone manufacturer QMS audits required by individual local regulators.
Full Quality & Regulatory Portfolio
- ISO 13485:2016 — Certified; covers design, development, production, and distribution of LED phototherapy devices.
- MDSAP — Active and valid; covers all 7 full modules.
- FDA 510(k) Class II — Cleared across multiple form factors (masks, panels, handhelds, belts, caps, and neck devices).
- CE MDR Class IIa — In transition.
- ISO 9001:2015 — Certified.
Client-Facing Transparency
RainbowDO provides brand clients access to our MDSAP audit scope statements, recent surveillance audit completion confirmations, and detailed product-realization mapping aligned with MDSAP modules.
📧 layla@rainbowdo.com | WhatsApp: +86 135 9032 9742
MDSAP FAQs
Q1: My LED phototherapy device is marketed as a “beauty device,” not a “medical device.” Do I still need to care about MDSAP?
It depends entirely on how your device is classified by the regulatory authorities in each market, not by your internal marketing team. The core rule is: regulations are driven by your claims and product design, not your intent.
If your device claims to treat acne (blue light), reduce wrinkles (red + NIR light), or relieve pain (NIR light), these claims automatically push the device into the “medical device” category in most jurisdictions—even if you package and market it as a home-use beauty tool.
Classification thresholds vary by market:
- US FDA: Claims of acne treatment or wrinkle reduction generally fall into Class II (requiring a 510(k) clearance). If you strictly claim to “improve skin appearance” without naming specific medical indications, it may fall under “General Wellness,” which is subject to enforcement discretion. (Note: Enforcement discretion means the FDA chooses not to actively enforce medical regulations on the category right now, but this is not a statutory exemption and can be reversed at any time.)
- Health Canada: Any claim to treat or prevent a physiological condition classifies the unit as a medical device. Class II phototherapy devices strictly require MDSAP.
- Australia TGA / EU MDR: Follow similar logic; therapeutic or clinical claims bring the product under medical device surveillance.
If your product’s claims trigger a medical device classification in a market that mandates MDSAP, then you or your OEM facility must possess it.
Q2: My contract manufacturer has ISO 13485 but lacks MDSAP. Is that enough?
If you are selling exclusively in the US and your device has 510(k) clearance, an ISO 13485 + 510(k) combination is generally sufficient to satisfy the FDA. (The FDA’s QSR aligns closely with ISO 13485, though ISO 13485 lacks a few FDA-specific elements like Medical Device Reporting (MDR) and Reports of Corrections and Removals—responsibilities that primarily rest on the brand as the specification holder rather than the OEM).
However, if you plan to enter Canada, ISO 13485 is not enough. Canadian registration for Class II LED phototherapy devices strictly requires a valid MDSAP audit report. If your contract manufacturer lacks it, your brand must secure one independently or switch to an MDSAP-certified OEM.
Furthermore, if you plan to expand into multiple countries simultaneously (e.g., US, Canada, Australia, Brazil), MDSAP is an effective way to save time, sparing your business from hosting separate QMS audits for each independent market.
Q3: How long does an MDSAP audit take, and how much factory downtime does it cause?
An initial MDSAP certification audit typically requires 4 to 5 on-site auditor days, scaling upward based on factory size, product categories, and process complexity. Annual surveillance audits generally take 2 to 3 auditor days.
Production lines do not completely shut down during the audit. However, key engineering and management personnel must be dedicated to hosting the auditors, meaning production schedules must accommodate the audit window.
For brand buyers, any minor internal adjustments the factory makes to host an MDSAP audit are completely invisible and will not disrupt your shipping schedules. This minor, controlled window is negligible compared to the alternative: if an uncertified factory faces a post-market FDA inspection that uncovers quality system failures, your brand could face import alerts, warning letters, or complete supply chain shutdowns.
This article was authored by the RainbowDO Regulatory Affairs Team to provide LED phototherapy device brands with foundational knowledge regarding the Medical Device Single Audit Program (MDSAP) for procurement decision-making. Regulatory requirements cited herein reflect public information as of the date of writing; specific market requirements are subject to updates, and brands should consult current guidelines from local regulatory bodies before making compliance decisions.
