The Ultimate Comparison: ISO 13485 vs. FDA 21 CFR

Sebastian Skorka FDA Compliance Updated May 21, 2025
Manufacturers of medical devices need to set up a quality management system (QMS). However, the details of this set of SOPs and templates vary between the USA, Europe and the rest of the world. In this article I compare ISO 13485 with the FDA's QMS requirements.

The End of Quality System Regulation?

The FDA has begun to harmonize its QSR (21 CFR 820) with ISO 13485. This means the requirements are becoming increasingly similar. On February 2, 2024, the FDA published the final rule to align 21 CFR Part 820 with ISO 13485. 21 CFR 820 was renamed to 21 CFR 820 QMSR (Quality Management System Regulation). The FDA is thereby attempting to align its regulatory framework with other regulatory authorities.

Federal Regulation vs. International Standard

While most of the content is the same (spoiler alert), there is a tiny difference. Let's have a look:

FDA 21 CFR Part 820 (QSR): The Quality System Regulation (QSR) is a regulation mandated by the U.S. Food and Drug Administration (FDA) for medical devices manufactured, imported, or offered for sale in the United States. It outlines Current Good Manufacturing Practice (cGMP) requirements. Compliance is mandatory for US market access and is enforced through FDA inspections.

ISO 13485:2016: This is an international standard specifying requirements for a quality management system, where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. While often voluntary, it's a de facto requirement for market access in many regions (e.g., Europe - harmonized under MDR/IVDR, Canada, Australia). Certification is typically done by accredited third-party registrars.

The devil is in the details

While both aim to ensure the safety and efficacy of medical devices through a structured Quality Management System (QMS), they differ in their origin, structure, scope, and some specific requirements. The FDA QSR is a legal requirement for marketing medical devices in the United States, whereas ISO 13485 is an international standard often used as a basis for regulatory requirements in various countries (including Canada, Europe, Australia, Japan) and is sometimes used voluntarily or contractually.

Overall Similarities:

  • Goal: Both aim to ensure consistent design, development, production, installation, and servicing of medical devices that are safe and effective for their intended use.
  • Core Elements: Both cover fundamental QMS elements like management responsibility, resource management, document control, design controls, purchasing controls, production controls, corrective and preventive actions (CAPA), and record keeping.
  • Risk Management: Both implicitly or explicitly require risk management principles to be applied, although ISO 13485 integrates it more pervasively throughout the standard.
  • Focus on Process: Both emphasize the importance of defined, controlled, and documented processes.
  • Customer Focus: Both require processes to handle customer feedback and complaints.

Overall Differences:

  • Nature: FDA QSR (21 CFR Part 820) is a regulation (law) specific to the US market. ISO 13485 is an international standard.
  • Structure: They follow different structures. QSR is organized into Subparts A through O. ISO 13485 follows a structure common to management system standards (Clauses 1-8), though notably not the high-level structure (Annex SL) used by ISO 9001:2015.
  • Emphasis:
    • QSR places a strong emphasis on specific records required for compliance and inspection readiness (Device Master Record - DMR, Design History File - DHF, Device History Record - DHR).
    • ISO 13485 places a stronger, more explicit emphasis on risk management throughout the product lifecycle and the QMS itself. It also explicitly requires a Quality Manual.
  • Terminology: While concepts often align, specific terms may differ (e.g., Complaint Handling in QSR vs. Feedback/Complaint Handling in ISO 13485; DMR/DHF/DHR in QSR vs. Medical Device File in ISO 13485).
  • Scope: QSR applies to finished device manufacturers marketing in the US. ISO 13485 is applicable to organizations involved in one or more stages of the medical device lifecycle and can be used by suppliers or external parties.

Chapter/Section Comparison and Gap Assessment

Here's a comparison mapping the sections and highlighting key similarities, differences, and potential gaps of the quality management systems.

ISO 13485: Clause 1: Scope

FDA QSR: §820.1 Scope

Topics: Applicability

Similar: Both define applicability to medical device manufacturers.

Difference: ISO 13485 scope is broader, potentially covering organizations involved in parts of the lifecycle (design, distribution, service, suppliers). QSR focuses on finished device manufacturers for the US market.

ISO 13485: Clause 2: Normative references

FDA QSR: N/A

Topics: References

Difference: ISO standards typically reference other standards. QSR, being a regulation, doesn't function this way.

ISO 13485: Clause 3: Terms and definitions

FDA QSR: §820.3 Definitions

Topics: Definitions

Similar: Both define key terms.

Difference: Definitions may vary slightly (e.g., "complaint"). ISO 13485 has a broader set of definitions related to its structure.

ISO 13485: Clause 4: Quality Management System

FDA QSR: Subpart B: Quality System Requirements (§820.20, §820.22, §820.25)

Topics: General QMS, Quality Manual, Medical Device File

Similar: Both require establishing and maintaining a QMS, including procedures and controls.

Difference/Gap (QSR -> ISO): ISO 13485 explicitly requires a Quality Manual (4.2.1) and the establishment of a Medical Device File (4.2.3) containing/referencing key documents (similar concept to DHF/DMR but structured differently). QSR doesn't mandate a single "Quality Manual" document, though the required documentation fulfills a similar purpose.

Difference/Gap (ISO -> QSR): QSR has very specific requirements for the Device Master Record (DMR - §820.181), Design History File (DHF - §820.30(j)), and Device History Record (DHR - §820.184), which are more prescriptive than the ISO Medical Device File concept. ISO's emphasis on risk management applied to QMS processes (4.1.2) is more explicit than in QSR Subpart B. ISO requires validation of computer software used in the QMS (4.1.6). QSR also requires this (§820.70(i)) but it's located under Production Controls.

ISO 13485: Clause 5: Management Responsibility

FDA QSR: Subpart B: Quality System Requirements (§820.20, §820.22, §820.25)

Topics: Management Commitment, Policy, Planning, Responsibility, Review

Similar: Both heavily emphasize management commitment, quality policy, organizational structure, defined responsibilities, management review, and provision of resources. Both require a Management Representative.

Difference: ISO 13485 has slightly more explicit requirements regarding defining interrelation of personnel (5.5.1) and specific inputs/outputs for management review (5.6).

ISO 13485: Clause 6: Resource Management

FDA QSR:
  • Subpart B: Quality System Requirements (§820.25 Personnel)
  • Subpart G: Production & Process Controls (§820.70 Production...)

Topics: Human Resources, Infrastructure, Work Environment

Similar: Both require adequate resources, competent personnel (training), suitable infrastructure, and appropriate work environment.

Difference/Gap (QSR -> ISO): ISO 13485 has more explicit requirements regarding contamination control (6.4.2) and health, cleanliness, and clothing of personnel (6.4.1), especially relevant for sterile devices. ISO requires evaluation of training effectiveness (6.2). QSR requires training (§820.25(b)) but is less explicit on evaluating effectiveness.

ISO 13485: Clause 7: Product Realization

FDA QSR: Mix of Subparts:
  • Subpart C: Design Controls (§820.30)
  • Subpart F: Purchasing Controls (§820.50)
  • Subpart G: Production & Process Controls (§820.70, §820.72, §820.75)
  • Subpart H: Acceptance Activities (§820.80, §820.86)
  • Subpart I: Nonconforming Product (§820.90)
  • Subpart M: Labeling & Packaging (§820.120, §820.130)
  • Subpart N: Handling, Storage, Distribution, Installation (§820.140, §820.150, §820.160, §820.170)
  • Subpart J: CAPA (elements related to planning)

Topics: Planning, Customer Processes, Design & Development, Purchasing, Production & Service, Control of Monitoring/Measuring Equipment

Similar: This is the core of device realization. Both cover planning, design inputs/outputs/review/verification/validation/transfer/changes, purchasing controls (supplier evaluation), process controls, identification & traceability, calibration, control of nonconforming product, labeling/packaging, handling/storage/distribution.

Difference/Gap (QSR -> ISO): ISO 13485 has more explicit requirements for risk management throughout product realization (7.1). It details requirements for communication with regulatory authorities (7.2.3). Specific requirements for validation of sterilization and sterile barrier systems (7.5.5, 7.5.7) are more detailed. Particular requirements for implantable devices (traceability, documentation - 7.5.9) are explicit. ISO requires procedures for advisory notices (7.5.4 - relating to post-market).

Difference/Gap (ISO -> QSR): QSR Design Controls (§820.30) are very structured (inputs, outputs, review, V&V, transfer, changes, DHF) and often considered more prescriptive than ISO 7.3. QSR's specific requirements for Process Validation (§820.75) are detailed, especially regarding software validation (§820.70(i)) and when validation is required. QSR has specific requirements for the Device History Record (DHR - §820.184) documenting production. QSR has explicit requirements for receiving, in-process, and finished device acceptance (§820.80) and acceptance status (§820.86). QSR has specific UDI (Unique Device Identification) requirements (part of labeling/traceability, but very specific regulations exist).

ISO 13485: Clause 8: Measurement, Analysis, Improvement

FDA QSR: Mix of Subparts:
  • Subpart E: Document Controls (§820.40)
  • Subpart K: Labeling & Packaging Control (§820.100 Audit)
  • Subpart O: Statistical Techniques (§820.250)
  • Subpart J: Corrective and Preventive Action (§820.100)
  • Subpart I: Nonconforming Product (§820.90)
  • Subpart G: (Monitoring/Measurement of Product - §820.72)

Topics: General, Monitoring/Measurement (Feedback, Complaint Handling, Internal Audit, Process/Product Monitoring), Control of Nonconforming Product, Analysis of Data, Improvement (CAPA)

Similar: Both require monitoring customer satisfaction/feedback, internal audits, monitoring processes/products, controlling nonconformities, analyzing quality data, and implementing corrective and preventive actions (CAPA).

Difference/Gap (QSR -> ISO): ISO 13485 uses the term Feedback (8.2.1), which is broader than QSR's Complaint Handling (§820.198). While QSR requires complaint handling, ISO explicitly includes other feedback. ISO requires documenting procedures for reporting to regulatory authorities (8.2.3) based on criteria (links to vigilance/MDR).

Difference/Gap (ISO -> QSR): QSR has very detailed requirements for Complaint Files (§820.198), including specific investigation and reporting requirements (linking to Medical Device Reporting - MDR, 21 CFR Part 803, which is outside 820 but linked). QSR CAPA (§820.100) requirements are highly scrutinized during FDA inspections. QSR requires Document Controls (§820.40) with specific approval/distribution/change procedures. QSR explicitly requires procedures for Statistical Techniques (§820.250) to establish/control process capability and product characteristics.

Necessary Steps to Close Gaps - Coming from the ISO 13485

If your company is compliant with ISO 13485 and you aim for FDA QSR compliance, you can follow these steps:
  1. Documentation Structure: Re-organize or map existing documentation to meet the specific definitions and requirements of DHF, DMR, and DHR. Ensure all required elements for each are present.
  2. Complaint Handling: Enhance the feedback/complaint process to explicitly meet all requirements of §820.198, including timeliness, investigation procedures, documentation, and linkage to MDR (21 CFR 803) reporting.
  3. Medical Device Reporting (MDR): Implement robust procedures for identifying and reporting events required under 21 CFR Part 803.
  4. UDI: Implement systems and procedures to comply with FDA's Unique Device Identification requirements (21 CFR Part 830 and §801.20).
  5. Process Validation: Review process validation activities, especially for software used in production and the quality management system (§820.70(i)), ensuring they meet FDA's expectations.
  6. Labeling and Packaging: Ensure controls meet the specific requirements of §820.120 and §820.130.
  7. Review FDA Guidance: Familiarize yourself with FDA guidance documents related to specific QSR sections, as these provide interpretation and expectations.

If your company is compliant with FDA QSR and you aim for ISO 13485 compliance, you can follow these steps:
  1. Quality Manual: Develop a Quality Manual meeting the requirements of ISO 13485 4.2.1.
  2. Risk Management Integration: Enhance the QMS to explicitly integrate risk management principles not just in design (§820.30(g)), but throughout the QMS processes (planning, purchasing, production, software validation, supplier control, etc.) as required by ISO 13485 (4.1.2, 7.1, etc.). Document the risk management process applied to QMS processes.
  3. Medical Device File: Establish the concept of the Medical Device File (4.2.3) and ensure it contains or references the required documentation for each device type.
  4. Feedback: Broaden the scope of the complaint handling system to explicitly include collection and analysis of other customer/market feedback (8.2.1).
  5. Regulatory Reporting Procedures: Document procedures for determining when reporting to regulatory authorities is necessary, according to applicable regulatory requirements recognized by ISO 13485 (8.2.3).

Need support? We've got you covered.

Find all necessary ISO 13485 templates on our website and, for more convenience, create a free Formwork account to set up your own SOPs. You can read more articles about MDR compliance here or explore FDA's classification system here. Interested in purchasing the ISO 13485? Buy the standard via this Estonian website.
