New guidelines on the use of the Nonconformity Grading System for MDSAP purposes (MDSAP AUP0037.001) have been published: An analysis of changes and their impact. 

Olena Hoi, MSc

Since 2021, Olena has been working as a Consultant for the Qserve Group. As part of the Quality and Regulatory Affairs team, Olena works with various low/high-risk devices under the EU MDR. "Working for a global medical device consultancy with manufacturers of the various products brings continuous educational opportunities every day. I truly value working with such talented and experienced colleagues in the medical device industry."


Henk-Willem Mutsaers

What has changed?

A new MDSAP document Guidelines on the use of Quality management system - Medical devices - Nonconformity Grading System for Regulatory Purposes and Information Exchange (GHTF/SG3/N19:2012) for MDSAP purposes has recently been published (MDSAP document AUP0037.001 with the effective date of September 8th, 2021).

This document states that it is intended for Regulatory Authorities and Auditing Organizations participating in or utilizing the results of the Medical Device Single Audit Program (MDSAP). It provides guidelines for the use of the current GHTF document GHTF/SG3/N19:2012 for grading nonconformities, brings several changes to the grading rules, and introduces an analogy with major/minor nonconformity grading.

Analysis of changes

The new MDSAP guidelines introduce the relationship between the MDSAP grading system and major/minor nonconformity grading. These common nonconformity classification terms, defined in accreditation standard ISO 17021-1:2015 (clauses 3.12 and 3.13) for Certification Bodies, are often utilized in medical device certification programs to assign impact and priority to the implementation of corrective actions.

Nonconformity grading by European Notified Bodies has never been performed in the way that MDSAP Auditing Organizations do it. The criteria for nonconformity grading are almost equivalent between the various Notified Bodies, although the wording might differ. Typically the following criteria are included:

For a Major NC:

  • Absence of procedure/documented requirement;
  • Number of nonconformities in the same area;
  • Process not implemented;
  • Product safety concerns;
  • Failure to action a nonconformity from the previous audit. 

For a Minor NC:

  • Part of requirements missing in procedure;
  • Part of requirements not implemented.

In summary, ISO 17021 is used by European Notified Bodies as a basis, and regulatory issues get easily upgraded to a major nonconformity. For instance, failure to address a minor nonconformity from a previous audit is typically a free upgrade to a major nonconformity.  

However, there is no direct association with the ISO 13485 clauses when determining the criticality of the nonconformity.

The new MDSAP guidelines relate: 

  • Nonconformities of the “indirect” clauses to “minor” nonconformities.
  • Nonconformities of the “direct” clauses to “major” nonconformities.

In our opinion, this direct link seems too restrictive. The nonconformity classification of “major” versus “minor” should be judged based on criteria such as systemic QMS issues and medical device performance and safety, but not solely on non-compliance with a specific requirement of the ISO 13485 standard.

The new MDSAP guidelines list two exclusions regarding the division of the ISO 13485:2016 clauses into “indirect” clauses (4.1~6.3) and “direct” clauses (6.4~8.5) – based on the level of impact of the QMS clause on medical device safety and performance. These exclusions are:

  • Clause 4.2.3 – Medical device file, which is considered to have a direct impact and therefore is now excluded from the indirect clauses and included in the direct clauses.
  • Clause 8.2.4 – Internal audits, which is considered to have an indirect impact and therefore is now excluded from the direct clauses and included in the indirect clauses.

We want to add a caution here. If internal audits are appropriately planned and executed, they could (directly) prevent releasing nonconforming products to the market. This is the case, for instance, when nonconformities concerning final product acceptance and release are identified and corrected in a timely manner.

Compared to the previously used nonconformity grading system, the new MDSAP guidelines provide more clarity on the identification of the specific ISO 13485 requirements and provide clarifications to the escalation rules of nonconformities. 

The MDSAP nonconformity grading system comprises the following steps: 

Step 1 – Nonconformity Grading Matrix

The first step is to determine the direct or indirect QMS impact of a nonconformity. This has not been changed except for the new ISO 13485 clause exclusions regarding “direct” and “indirect”.



Step 2 – Application of Escalation Rules

The second step is to assess the occurrence of the nonconformity in the same sub-clause of ISO 13485. 

The grading model has changed a bit. The resultant grading from Step 1 is carried forward to Step 2, a rules-based escalation process to address areas of higher risk that can affect medical device safety and performance. Under this grading system, the Step 1 grade is increased by 1 for each rule, thereby presenting the grading as the result of 4 independent criteria: 

1. Impact on the QMS (direct: 3 or indirect: 1) 

See Step 1 - Nonconformity Grading Matrix. 

2. Repeat nonconformity (yes: 1 or no: 0)

Most notably, the nonconformity occurrence concept has not been changed. The “two previous QMS audits” criterion is still used, but in the new guidelines there is a transition from the concept “First/Repeat” to “Repeat: yes/no”.

A clarification is given to the situations when a new (repeat) nonconformity will be issued for a similar finding observed at a previous audit if the medical device organization is implementing the timetabled actions proposed by the organization and accepted by the Auditing Organization. If it can be demonstrated that previously proposed actions are ineffective, considering new occurrences of the nonconformities, then a nonconformity may be issued for an ineffective corrective action system.

3. Combination absence of documented process/procedure and failure to implement (yes: 1 or no: 0)

The escalation rule given in the GHTF/SG3/N19:2012 did not describe situations where there is a combined failure to document and implement a particular requirement. 

Documenting a process or procedure doesn’t mean that those activities are fully implemented, and conversely, failing to document a procedure or process does not systematically lead to non-compliant implementations of that activity.

Therefore, the grading of the nonconformity shall be escalated where an organization fails to: 

  1. Document a procedure or process that ISO 13485:2016 or an applicable regulatory requirement requires to be documented, and
  2. Implement the corresponding activities in ways that comply with these same requirements.

Therefore, escalation is limited to situations where there is a combined failure to document and implement a requirement. The rule would not be invoked when a procedure addresses the topic but does so incompletely or lacks detail.

This escalation rule applies in cases where the process is generally documented but entirely fails to address the requirements from a jurisdiction and there is evidence that the implementation of the process failed to meet the requirements of that jurisdiction.

4. Release of nonconforming devices (yes: 1 or no: 0)

In this escalation rule, an analogy was added to a “major” nonconformity per ISO 17021-1:2015 since the release of a nonconforming medical device to the market is considered direct evidence of QMS failure. This requires that the Auditing Organization reviews, accepts, and verifies the correction and corrective actions before granting a certification decision under ISO 17021-1:2015 clause 9.5.2(b).


Even though the MDSAP nonconformity grading system has not fundamentally been changed, the new MDSAP guidelines brought several clarifications to the nonconformity grading escalation rules.

Two ISO 13485:2016 clauses have been switched between “indirect” and “direct” QMS impact. This change could potentially impact the nonconformity grading in your next MDSAP (Mock) audit.

The definition of nonconformities with “direct”/“indirect” QMS impact was compared to the commonly used “major”/“minor” concept from ISO 17021-1:2015. This analogy made in the new MDSAP guidelines does not seem to do justice to the nuance of classifying nonconformities.

In our opinion, it is unclear why this direct association is made as it is restrictive and does not align with the typical ISO 13485:2016 nonconformity classification by Certification Bodies. 

We strongly recommend looking through the new MDSAP nonconformity grading system guidelines at your earliest convenience to understand the changes and implications to be fully prepared for your next MDSAP (Mock) audit! 

In case of further questions or need for support, do not hesitate to contact us.

