Certified Medical Device Auditor (CMDA)

The Certified Medical Device Auditor (CMDA) is a qualified professional responsible for evaluating medical device quality systems against applicable standards, regulations, directives, and guidance documents. A CMDA applies structured audit methodologies and analytical techniques to assess system effectiveness, identify gaps, and provide objective, evidence-based findings.

In practice, a medical device auditor reviews the full lifecycle of the quality management system—governance, risk controls, process safety, documentation, and operational controls—to determine how well the organization meets defined compliance and performance criteria. The auditor’s role is not limited to identifying nonconformities, but also to assessing system maturity and the effectiveness of management controls.

Experience Requirements

To be eligible for CMDA certification, candidates must demonstrate five years of full-time, paid professional experience in one or more areas covered by the CMDA Body of Knowledge.

  • Decision-Making Experience:
    • At least one year of the required experience must be in a decision-making role.
  • Definition of Decision-Making Role:
    • A decision-making position is one in which the individual has the authority to define, execute, or control projects or processes and is accountable for outcomes. This responsibility may exist with or without a formal management or supervisory title.

Education-Based Experience Waivers

Formal education can reduce the total experience requirement. Only one waiver may be applied:

  • Associate degree: 1 year waived
  • Bachelor’s degree: 3 years waived
  • Master’s or Doctorate: 4 years waived

Degrees or diplomas earned outside the United States must be equivalent to accredited U.S. educational qualifications recognized by ASQ.

Exam Details

  • The Certified Medical Device Auditor (CMDA) exam is a comprehensive assessment designed to evaluate a candidate’s understanding and practical application of the CMDA Body of Knowledge. The exam focuses on measuring how effectively candidates can interpret auditing principles, regulatory requirements, and quality system expectations within the medical device industry.
  • The examination is offered in two formats: computer-based and paper-and-pencil, with both delivered in English only and structured as a single-part exam.
    • In the computer-based format, candidates are presented with 145 multiple-choice questions, of which 135 are scored and 10 are unscored and used for exam development purposes. The total appointment duration is four and a half hours, with an actual exam time of four hours and eighteen minutes.
    • The paper-and-pencil version consists of 135 multiple-choice questions and must be completed within four hours.
  • All CMDA examinations are conducted as open-book exams, allowing candidates to consult reference materials during testing. However, candidates are fully responsible for bringing their own reference resources, as no materials are provided at the examination center. Overall, the exam is designed to assess applied knowledge and professional judgment rather than simple recall, making effective time management and familiarity with reference materials essential for success.

Course Outline

The Certified Medical Device Auditor (CMDA) exam covers the following topics:

1. Understand Auditing Fundamentals (12 Questions)

A. Types of Audits

Audits by purpose

  • Identifying and distinguishing between audits by purpose: organizational effectiveness, system efficiency, business performance, process effectiveness, risk management, regulatory compliance, supplier qualification, compliance with standards (certification and surveillance), design history file compliance, and for-cause audit. (Analyze)

Audits by method

  • Identifying and distinguishing between audits by method: product, process, system, first-party, second-party, third-party, internal, external, desk, management, department, and function. (Analyze)

B. Audit Roles and Responsibilities

  • Explaining key functions and responsibilities of various audit participants including audit team members, lead auditor, client, auditee, etc. (Understand)

C. Ethical, Legal, and Professional Issues

Professional conduct and responsibilities

  • Defining and applying the ASQ Code of Ethics, concepts of due diligence and due care with respect to confidentiality and conflict of interest, and various factors that influence audit credibility, including auditor independence, objectivity, and qualifications. (Apply)

Legal consequences and liability

  • Identifying potential legal and financial ramifications of improper auditor actions (carelessness, negligence, etc.) in various situations, and anticipate the effect that certain audit results can have on an auditee’s liability. (Apply)

Data privacy

  • Demonstrating the importance of maintaining confidentiality of personal information reviewed during audits. (Apply)

2. Learn about Auditing and Inspection Processes (28 Questions)

A. Audit Preparation and Planning

Elements of the audit planning process

  • Determining and implementing steps in audit preparation and planning, such as verifying audit authority, establishing the purpose, scope, and type of audit, audit criteria, and the resources necessary, including the size and number of audit teams. (Evaluate)

Auditor selection

  • Identifying and examining various internal or outsourced auditor selection criteria, such as education, experience, industry background, and subject-matter expertise, and the characteristics that make auditors effective, such as interpersonal skills, problem-solving skills, attention to detail, cultural sensitivity, and ability to work independently as well as in a group or on a team. (Evaluate)

Audit-related documentation

  • Identifying sources of pre-audit information and examining audit-related documentation, such as reference materials and prior audits. (Evaluate)

Auditing tools

  • Identifying the sampling plan or method and procedural guidelines to be used for the specific audit. Select and prepare working papers (checklists, log sheets, etc.) to document the audit. (Create)

Auditing strategies

  • Identifying and using various tactical methods for conducting an audit, such as forward and backward tracing, discovery, etc. (Apply)

Logistics

  • Identifying and organizing various audit-related logistics, such as travel, safety and security considerations, the need for escorts, translators, confidentiality agreements, and clear right of access. (Apply)

B. Audit Performance

Opening meeting

  • Managing the opening meeting of an audit, including identifying the audit’s purpose and scope, describing any scoring, rating, or classification criteria for potential audit findings, creating a record of the attendees, reviewing the audit schedule, and answering questions as needed. (Apply)

Data collection and analysis

  • Selecting and applying various data collection methods, such as observing work activities, taking physical measurements, examining paper and electronic documents, etc. Evaluate the results to determine their importance for providing audit evidence. (Evaluate)

Data integrity principles

  • Examining record-keeping requirements for data acquisition systems to ensure data integrity. Evaluate the data collected during an audit to ensure it is attributable, legible, contemporaneous, original, and accurate (ALCOA). (Evaluate)

Communication techniques

  • Defining and applying appropriate interviewing techniques (e.g., when to use various question types, the significance of pauses and their length, when and how to prompt a response), in various situations, including when supervisors are present, when conducting multiple interviews, and when using a translator. Identify typical conflict situations and use appropriate techniques to resolve them. (Apply)

Organization and analysis of objective evidence

  • Identifying and differentiating sources of objective evidence, such as observed, measured, confirmed, and documented. Classify evidence in terms of significance, severity, frequency, and level of risk. Evaluate the evidence for its potential impact on product, process, system, and cost of quality. Determine whether additional investigation is required to meet the scope of the audit. (Evaluate)

On-site audit management

  • Interpreting situations throughout audit performance to determine whether time is being managed well and when changes need to be made, such as revising planned audit team activities, reallocating resources, and adjusting the audit plan. Communicate with the auditee about any changes or other events related to the audit. (Analyze)

Exit/closing meeting

  • Formally managing these meetings: reiterate the audit’s purpose, scope, scoring, rating, or classification criteria, and create a record of the attendees. Present the audit results and obtain concurrence on evidence that could lead to an adverse conclusion. Discuss the next steps in the process (follow-up audit, additional evidence-gathering, etc.), and clarify who is responsible for performing those steps. (Apply)

C. Audit Report

Basic elements

  • Defining, planning, and applying the steps in generating an audit report, including reviewing and finalizing results, organizing details, obtaining necessary approvals, and distributing the report. (Create)

Effective audit reports

  • Reporting observations and nonconformances accurately; citing objective evidence, procedures, and requirements; and developing and evaluating various components, such as executive summaries, prioritized data, graphic presentation, and the impact of nonconformances. (Create)

Record retention

  • Identifying and applying record retention requirements, including the type of documents and storage considerations. (Apply)

D. Audit Follow-Up and Closure

Elements of corrective and preventive action (CAPA)

  • Identifying and applying the elements of these processes, including problem identification, prioritizing actions based on risk, assignment of responsibility, root cause analysis, and establishing a plan to verify effectiveness of corrective actions to prevent recurrence. (Analyze)

Review of corrective action plan

  • Using various criteria to evaluate the acceptability of corrective action plans. Identify and apply strategies for negotiating changes to unacceptable plans. (Apply)

Conducting audit follow-up

  • Using various methods to verify and evaluate the effectiveness of corrective actions taken, such as re-examining procedures, observing revised processes, and conducting follow-up audits or re-audits. Develop strategies when corrective actions are not implemented or are not effective, such as communicating to the next level of management, re-issuing the corrective action request, etc. (Evaluate)

Audit closure

  • Identifying and applying various elements of, and criteria for, audit closure. (Evaluate)

E. Audit Procedural References

International guidelines for auditing quality systems

  • Understanding general auditing principles as described in ISO 19011 and the Medical Device Single Audit Program (MDSAP) audit model. (Understand)

Quality System Inspection Technique (QSIT) and FDA CPG 7382.845

  • Understanding QSIT auditing requirements and its various subsystems. Explain the purpose and scope of FDA criteria for taking regulatory action on the basis of quality system audit results. (Understand)

3. Medical Device Quality Management System Requirements (38 Questions)

A. Regulatory Laws and Requirements

FDA – Code of Federal Regulations (CFR) Title 21

  • Identifying, defining, and applying the following FDA requirement parts: 4 – Regulation of combination products, 7 – Enforcement policy, 11 – Electronic records; signatures, 58 – Good laboratory practice for nonclinical laboratory studies, 801 – Labeling, 803 – Medical device reporting, 806 – Medical devices; reports of corrections and removals, 807 – Establishment registration and device listing for manufacturers and initial importers of devices, 820 – Quality system regulation, 821 – Medical device tracking requirements, and 830 – Unique device identification. (Apply)

U.S. requirements (FD&C Act, 201, 301-304, 501-502, 510, 513, 518, 522, 704)

  • Identifying how the FD&C Act defines and differentiates between device classifications and pre-market requirements. Recognize the implications of misbranding and adulteration. (Apply)

EU MDR 2017/745

  • Recognizing the requirements of the directive and the key differences between this and U.S. regulations. (Apply)

Health Canada

  • Recognizing current requirements of the Canadian Medical Device Regulation SOR/98-282 and the key differences between this and U.S. regulations. (Apply)

Other international agencies

  • Recognizing requirements enforced by international agencies such as Therapeutic Goods Administration (TGA) and Japanese Pharmaceutical and Medical Device Agency, etc. (Understand)

B. Requirements for In Vitro Diagnostic (IVD) Devices

  • Recognizing the requirements of 21 CFR 809 and IVDR 2017/746 as they apply to in vitro diagnostic (IVD) devices. (Understand)

C. International Standards for Quality Systems

  • Evaluating the selection and use of the following quality system standards: ISO 9001, ISO 13485, and ISO (Evaluate)

D. Quality System Regulation (QSR) Requirements (21 CFR 820 – Parts as Shown)

Management responsibility (Parts 20, 22, 25)

  • Assessing management’s responsibility in establishing and maintaining the quality system: organizational structure and management representative, quality planning/objectives, resources, management reviews, quality audits, personnel training and education, and control of customer property. (Evaluate)

Design controls (Part 30)

  • Evaluating the scope, purpose, and implementation of controls and their elements, including design and development planning, input, output, review, verification, validation, transfer, changes, and design history file. (Evaluate)

Document (Part 40) and record control (Parts 180-186)

  • Describing and reviewing elements of a document and change control system, including approval processes, retention policies, communication procedures and maintenance of device master records (DMRs), device history records (DHRs), and quality system records. (Analyze)

Purchasing controls and acceptance activities (Parts 50, 80, 86)

  • Describing supplier qualification and purchasing control requirements for products, components, and services. Describe appropriate identification and acceptance activities, including inspection, test, and verification processes used for incoming products. (Apply)

Identification and traceability (Parts 60, 65)

  • Using appropriate methods for identifying and tracing products during all stages of receipt, production, distribution, and installation. (Apply)

Production and process controls (Parts 70, 75)

  • Assessing production and process controls, including process validation, monitoring, control of materials, equipment, environment, contamination, and software validation for automated processes. (Evaluate)

Inspection, measuring, and test equipment (Part 72)

  • Determining the suitability and calibration of inspection equipment. Ensure calibration is traceable to national or international standards. (Evaluate)

Nonconforming product (Part 90)

  • Determining the adequacy of procedures, processes, and records established for the control and disposition of nonconforming product. (Evaluate)

Corrective and preventive action (CAPA) system (Part 100)

  • Assessing analysis of quality data sources to determine the need for CAPA. Define and distinguish between corrective action and preventive action. Review CAPA procedures, processes, and records to evaluate the effectiveness of the system. (Evaluate)

Product handling, storage, distribution, and installation (Parts 140-170)

  • Determining the adequacy of procedures, processes, and records established for these aspects of product control to ensure product integrity. (Analyze)

Complaint files (Part 198)

  • Determining adequacy of complaint handling procedures, including investigation and determination of Medical Device Reporting. (Evaluate)

Servicing (Part 200)

  • Determining the adequacy of procedures, processes, and records established for products that require servicing activities such as troubleshooting and repair. Evaluate service reports for events that must be reported to the FDA to ensure that they are included in the complaint handling process. (Analyze)

Statistical techniques (Part 250)

  • Determining the adequacy and validity of statistical techniques and sampling plans used to measure process capability and acceptability of product characteristics. Evaluate the rationale for statistical techniques used in quality systems, including design verification and validation, acceptance sampling, etc. (Analyze)

E. Post-Market Surveillance

  • Determining the appropriateness of the procedures, processes, and records established for the control of post-market surveillance activities. Define and describe vigilance, medical device reporting (MDR) and adverse event reporting (AER) requirements. Review the adequacy of requirements and processes for product recall, corrections, removals, and tracking. (Analyze)

4. Gain Technical Medical Device Knowledge (42 Questions)

A. Risk Management

ISO 14971

  • Describing the principles of risk management, including risk analysis, evaluation, control, benefit-risk analysis, and the incorporation of production and post-production information. (Evaluate)

IEC 62366

  • Determining whether the processes used for identification of known or foreseeable hazards are suitable in both normal and fault conditions, including hazards arising from device use. Verify that risk control measures have been implemented in design and production. (Evaluate)

ISO 13485

  • Describing and assessing the risk-based controls for appropriate processes needed for the quality management system. (Evaluate)

B. Design Control

Human factors and usability engineering

  • Evaluating human factors and usability studies performed during design and development. (Evaluate)

Biological evaluation

  • Describing material characterization and the principles of biocompatibility test selection rationale as described in ISO 10993-1 and FDA-related guidance. Understand the differences between cytotoxicity, sensitization, and irritation. (Understand)

Packaging

  • Interpreting the appropriate standards for sterile and non-sterile product packaging per ISO 11607 and referenced standards, including ASTM D4169 (Distribution) and ASTM F1980 (Aging). (Understand)

Device shelf life

  • Explaining how a device’s useful life/shelf life is determined and discuss the various parameters that determine the length of time a device will remain within acceptable specifications (e.g. sterility or package integrity). (Understand)

General safety and performance requirements

  • Identifying the elements of General Safety and Performance Requirements, per EU MDR 2017/745. (Remember)

C. Software Development and Maintenance for Products

  • Identifying principles of product software lifecycle in accordance with FDA General Principles of Software Validation Guidance and IEC 62304. Describe the software development lifecycle model, including V&V, cybersecurity considerations, change control methods, and the risk management process. (Understand)

D. Labeling

  • Identifying labeling requirements for devices, instructions for use (IFU), and promotional/marketing material (per 21 CFR 801). Understand the use of symbols (per ISO 15223) and UDI/GTIN/UPC (per 21 CFR 830). (Understand)

E. Controlled Environments and Utility Systems

Controlled environments

  • Identifying and interpreting controlled environment specifications (per ISO 14644), qualifications, validations, and monitoring (bioburden and endotoxins). Review housekeeping, disinfection, and sanitization processes in terms of controlled environment specifications and classifications. Verify that appropriate training and personnel practices are used in controlled environments. (Analyze)

Utility systems

  • Describing utility setups in medical device manufacturing facilities for water, compressed gas, heating, ventilation, and air conditioning (HVAC) systems, including whether they require qualification, validation, or maintenance. (Understand)

F. Sterile Medical Devices

Definitions

  • Describing and distinguishing between aseptically processed products and terminally sterilized products. (Understand)

Methods

  • Identifying basic elements of sterilization for dry heat, steam, electron beam, ethylene oxide (EtO), and radiation. (Remember)

Process controls and validation for ethylene oxide (EtO) and radiation

  • Determining whether appropriate validation, process controls, and monitoring (e.g., dose audits, parametric release, process challenge device (PCD), residuals, etc.) are properly implemented to ensure Sterility Assurance Level (SAL). Ensure the process is documented in accordance with industry standards: ISO 11135, ISO (Apply)

G. Laboratory Testing and Failure Analysis

  • Assessing procedures and records used for laboratory test methods and determine whether they are appropriate. (Evaluate)

H. Validation

  • Defining and evaluating elements of different types of validations such as process (IQ/OQ/PQ per GHTF/SG3/N99-10), cleanliness, test method, and rework. (Evaluate)

I. Reprocessing/Reuse and Cleaning of Medical Devices

  • Identifying elements of reprocessing and cleaning validations in accordance with the FDA Guidance on Reprocessing of Reusable Devices. (Understand)

J. Common Medical Device Directives and Standards

  • Define and describe elements of various standards and directives as they relate to medical devices. (Understand)
    • IEC 60601-1
    • Restriction of Hazardous Substances (RoHS) directive
    • Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH)

K. Sources for New and Evolving Standards

  • Describing the sources for standards and guidance documents that form the basis for industry norms and standards, such as the FDA Recognized Consensus Standards Database, the Harmonised Standards Listing, Medical Device Guidances (MEDDEV), Notified Body Operating Group (NBOG), and Europa. (Remember)

5. Understand Quality Tools and Techniques (15 Questions)

A. Quality Control and Problem-Solving Tools

  • Identifying, interpreting, analyzing, and drawing conclusions based upon: 1) Pareto charts, 2) cause and effect diagrams, 3) flowcharts, 4) statistical process control (SPC) charts, 5) check sheets, 6) scatter diagrams, 7) histograms, 8) root cause analysis, 9) plan-do-check-act (PDCA), 10) Setting Alert and Action Levels, 11) 5 Whys, 12) Is/Is Not (Kepner-Tregoe). (Analyze)

B. Process Improvement Techniques

Process capability

  • Identifying and interpreting various process capability indices, such as Cp, Cpk, Pp, and Ppk. Recognize how these metrics are used in relation to established requirements and the effect on PPM. (Understand)

Six Sigma

  • Identifying and defining the six sigma DMAIC phases: define, measure, analyze, improve, and control. (Understand)

Lean tools

  • Identifying and defining various lean tools: 5S, standard operations, kanban (pull), error-proofing, value-stream mapping, etc. (Understand)

Measurement system analysis (MSA)

  • Identifying and defining various MSA terms (bias, linearity, stability, accuracy, precision, repeatability, reproducibility, etc.) and describe how these elements affect measurement systems. (Understand)

Cost of quality (COQ)

  • Defining and describing the four basic COQ categories: prevention, appraisal, internal failure, and external failure. (Understand)

C. Data Types and Sampling

Qualitative and quantitative analysis

  • Describing qualitative data in terms of the nature, type, or other characteristics of an observation or condition. Describe how quantitative data is used to detect patterns or trends. Identifying how such analyses can indicate whether a problem is systemic or isolated. (Analyze)

Attributes and variables data

  • Determining whether to use an attributes sampling plan or variables sampling plan in various situations such as process monitoring and control, receiving inspection, auditing, etc. (Analyze)

Sampling

  • Identifying and interpreting sampling plans. Determine if sampling plans are based on risk and statistically valid rationale. (Evaluate)

Exam Policies and Procedures

Below are some of the exam policies and procedures:

Exam Result Notification Process

ASQ releases certification exam results based on the exam delivery format, ensuring accuracy, confidentiality, and timely communication. All results are shared through official channels only and are not disclosed by phone or to third parties without written authorization.

Computer-Based Exam Results

For computer-based exams, candidates receive a preliminary pass or fail result immediately after submitting the exam at the test center. Official confirmation is typically emailed within seven days. Exams such as Master Black Belt (MBB) or pilot exams associated with a newly revised Body of Knowledge may require extended evaluation, with results issued within four to five weeks.

Paper-Based Exam Results

Paper-based exam results are processed after completed exam materials are returned for review. Most candidates receive official results by email within two weeks, while MBB and pilot exams may take up to four weeks due to additional verification requirements.

Pass Status and Certification Access

Candidates who pass a computer-based exam see their result instantly on-screen and receive an official confirmation email within three to five business days. A separate email provides instructions for accessing and claiming the digital certificate and certification badge through the Accredible platform.

Fail Status and Retake Policy

Candidates who do not pass a computer-based exam receive a performance summary by email within three to five business days, outlining strengths and improvement areas. Eligible candidates may retake the exam at a reduced fee for up to two years from the date of the previous attempt.

Certified Medical Device Auditor (CMDA) Exam Study Guide

1. Understand the Exam Objectives and Structure

Start your preparation by gaining a clear understanding of what the CMDA exam is designed to test. Review the official exam objectives to identify the subject areas, weighting of topics, and the depth of knowledge expected in each domain. This step helps you align your preparation with exam expectations rather than studying broadly or inefficiently. Knowing how auditing principles, regulatory requirements, and quality system elements are emphasized allows you to prioritize high-impact areas and avoid unnecessary distractions.

2. Use the ASQ Certified Medical Device Auditor Handbook as a Core Resource

The ASQ Certified Medical Device Auditor Handbook should serve as your primary reference throughout your preparation. This resource provides structured explanations of medical device auditing concepts, regulatory frameworks, audit planning and execution, and system evaluation techniques. Reading this handbook carefully helps you understand not just what is required, but why certain audit practices and controls are important. Use it to build conceptual clarity, reinforce terminology, and connect real-world auditing scenarios with exam-focused knowledge as recommended by ASQ.

3. Deeply Analyze the CMDA Body of Knowledge

The Body of Knowledge is the backbone of the CMDA exam and should guide your entire study plan. Break it down into manageable sections and study each area in detail, ensuring you understand both theoretical concepts and their practical application. Focus on how different elements—such as regulatory compliance, risk management, process controls, and quality system effectiveness—interrelate during an audit. Creating summaries, concept maps, or structured notes can help reinforce retention and make revision more efficient closer to the exam.

4. Build a Disciplined and Realistic Study Plan

A well-structured study schedule is critical for consistent progress. Allocate time based on topic complexity and your personal strengths and weaknesses, ensuring all Body of Knowledge areas receive adequate attention. Spread your preparation across weeks or months to allow time for revision and reinforcement. Regular study sessions help you absorb complex auditing concepts gradually, while also reducing exam-related stress. This disciplined approach is especially important for professionals balancing preparation with full-time work.

5. Join Study Groups and Professional Communities

Collaborating with other CMDA candidates or experienced auditors can significantly enhance your learning. Study groups and professional forums provide opportunities to discuss challenging topics, clarify interpretations of standards, and share practical audit experiences. These interactions often expose you to real-world perspectives that deepen understanding beyond textbooks. Engaging with a community also keeps you motivated, accountable, and informed about common exam pitfalls and effective preparation techniques.

6. Practice with Exam-Style Questions and Mock Tests

Practice tests are essential for transitioning from knowledge acquisition to exam readiness. Regularly attempt sample questions that mirror the format, complexity, and reasoning style of the CMDA exam. This process improves your ability to interpret questions accurately, apply auditing judgment, and manage time effectively. After each practice session, review explanations carefully to understand why certain options are correct or incorrect. This reflective analysis strengthens critical thinking and highlights areas that require further study.

7. Conduct Final Reviews and Refine Exam Strategy

As the exam approaches, shift your focus from learning new material to refining existing knowledge. Revisit difficult topics, reinforce key auditing concepts, and ensure familiarity with your reference materials for the open-book exam format. Practice quickly locating information within standards or notes to save time during the exam. A calm, structured final review builds confidence and ensures you approach the CMDA exam with clarity, efficiency, and a strong problem-solving mindset.
