ISO 13485 and FDA’s QMSR are now functionally very close: ISO 13485:2016 is the core of the new 21 CFR Part 820, but QMSR adds a layer of FDA-specific “ISO‑plus” requirements and clarifications.
Below is a concise view of
(1) where they are the same,
(2) where they differ, and
(3) how to adjust your QMS so that one system satisfies both.
QMSR literally incorporates ISO 13485:2016 by reference and makes it the foundational CGMP requirement for devices in the US.
| Where they are same | Where they are different | How to satisfy both |
| Overall structure and processes QMSR requires a documented QMS that complies with ISO 13485 clauses 4–8 (quality system, management responsibility, resources, product realisation, measurement/analysis/improvement). Process approach, PDCA cycle, and risk-based QMS are identical to ISO 13485 (Clause 0.3, 4.1). |
Legal framework & definitions Priority of US law and FDA definitions Where ISO 13485 terms conflict with the FD&C Act or other FDA regs, FDA definitions control (e.g., device, labelling). QMSR incorporates ISO 9000:2015 Clause 3 terms, but overrides some (e.g., manufacturer, organisation, implantable medical device, rework, “safety and performance” → “safety and effectiveness”). |
3.1 Map your current system Start from your ISO 13485 QMS (or old 820‑based system). Build a mapping matrix: ISO 13485 clauses vs. new 21 CFR 820 sections (820.1, 820.3, 820.7, 820.10, 820.35, 820.45) and related 803/806/821/830 requirements. Identify where you already satisfy QMSR (most of clauses 4–8) and where FDA‑specific additions are missing. |
| Management responsibility & resources Management commitment, quality policy, management review, resource and competence requirements are taken directly from ISO 13485 (Clauses 5 & 6) and are not rewritten in Part 820. |
2.1 Scope and finished device concept QMSR applies only to finished devices (including accessories) for human use manufactured in or imported into the US. Component/part manufacturers are formally out of scope, though the FDA can inspect them and encourages voluntary alignment. |
3.2 Update procedures to cover FDA-specific linkages At a minimum, ensure you have documented procedures that: Tie ISO 13485 complaint handling (8.2.2) directly into MDR and corrections/removals: When a complaint is MDR reportable (803) and when not; How advisory notices and field actions are handled under 806. Implement UDI and traceability expectations: Designing and assigning UDI per Part 830; Recording UDI in complaint, servicing, lot/batch, and distribution records (where applicable); Part 821 device tracking, if your device is subject to it. Clarify design‑control applicability: Explicitly identify which products are under ISO 13485 7.3 (US class II/III and named class I) and document exclusions/non-applicability for others, as ISO 13485 allows and QMSR expects. |
| Design and development controls For all class II, class III and specified class I devices, QMSR simply points to ISO 13485 Clause 7.3 and its sub‑clauses (planning, inputs, outputs, review, verification, validation, transfer, changes) as the controlling requirement. Clinical/performance evaluation as part of design validation (7.3.7) is required “in accordance with applicable regulatory requirements” in both systems. |
2.2 Explicit links to other FDA regulations ISO 13485 talks generically about “applicable regulatory requirements”; QMSR converts that into explicit cross-references: UDI (21 CFR 830) For ISO 13485 Clause 7.5.8 (Identification), QMSR requires that the system assign a UDI that complies with Part 830 and that the UDI be recorded for each device or batch. Device tracking (21 CFR 821) For Clause 7.5.9.1 (Traceability – general), if Part 821 applies, traceability procedures must explicitly address Part 821.MDR (21 CFR 803) For Clause 8.2.3 (Reporting to regulatory authorities), QMSR requires that complaints meeting criteria be reported per Part 803. Corrections/removals (21 CFR 806) For Clauses 7.2.3, 8.2.3, and 8.3.3 concerning advisory notices, QMSR requires handling in line with Part 806. These are not in ISO 13485; they are added in §820.10(b) and §820.35. |
3.3 Adjust record templates and IT systems Align your forms/IT fields with §820.35 so you don’t rely on inspectors “inferring” compliance: Complaint forms: add/make mandatory fields for date received, full complainant contact, UDI/UPC, “correction/corrective action taken,” MDR decision, and justification if no investigation. Service reports: ensure they capture device ID/UDI, date, personnel, service performed, and associated test/inspection data where applicable. Batch/lot and distribution records: ensure you can retrieve UDI per device or batch; link to traceability and field action processes. Ensure management review, internal audit, and supplier audit reports are complete and inspection‑ready, since they’re no longer exempt from FDA review. |
| Purchasing & supplier controls Supplier evaluation, selection, monitoring, re-evaluation, and risk‑proportionate controls per 7.4 are fully adopted. |
2.3 Records and complaint/servicing documentation ISO 13485 4.2.5 defines general record control; QMSR adds detailed US-specific content requirements: Complaint records (820.35(a) + ISO 13485 8.2.2) must include at least: Device name Date complaint received UDI/UPC and other identifiers Complainant name, address, phone Nature and details of complaint Any correction or corrective action taken Any reply to the complainant Justification if not investigated Servicing records (820.35(b) + ISO 13485 7.5.4) must capture: Device name UDI/UPC and other identifiers Date of service Person(s) who performed service Service performed Any test/inspection data required by the QMS UDI recording requirement 820.35(c) explicitly requires the UDI to be recorded for each device or batch; ISO 13485 does not make this explicit. Management review / internal & supplier audits no longer exempt from inspection Unlike old QSR 820.180(c), QMSR removes the explicit exemption; FDA can review these records during inspections. |
3.4 Strengthen labelling & packaging controls Review and, if needed, tighten your labelling/packaging SOPs to match §820.45: Add an explicit pre‑release labelling inspection step that verifies at least UDI/UPC, expiry, storage, handling, and special processing instructions against your medical device file. Define who performs the inspection, sampling approach (if not 100%), how results are recorded, and how label mix‑ups are prevented (line clearance, segregation, automation + human checks). Ensure that labelling release records are controlled as 4.2.5 records. |
| Production & process controls Controls for production/servicing, cleanliness, installation, servicing, sterilisation, and process validation (including software used in production and monitoring) are all ISO 13485 clauses 7.5 and 7.6, with no substantive change |
2.4 Labelling and packaging controls FDA judged ISO 13485’s labelling/packaging controls (7.5.1) insufficient, so §820.45 adds more detail: Documented procedures must ensure integrity, inspection, storage, and labelling/packaging operations under normal processing, storage, handling, distribution, and, as appropriate, use. Before release or storage, labelling must be examined for accuracy at least for: Correct UDI/UPC/identifiers Expiration date Storage instructions Handling instructions Any additional processing instructions Labelling inspection results and labelling release must be recorded as records under ISO 13485 4.2.5. |
3.5 Risk management integration While both frameworks expect risk‑based thinking, QMSR and recent FDA commentary emphasize full lifecycle risk integration consistent with ISO 14971. Practical upgrades: Make sure risk management is explicitly integrated into: Design inputs, outputs, verification, validation, and design changes; Supplier controls and change control; Post‑market surveillance (complaints, feedback, vigilance/MDR). Maintain risk management files that are visible in your design and post-market procedures and can be explained to the FDA in terms of risk controls, residual risk, and benefit–risk decisions. |
| Monitoring, nonconformities, CAPA Feedback, complaint handling, internal audits, process/product monitoring, nonconforming product, data analysis, corrective and preventive action all follow ISO 13485 Clauses 8.2–8.5. QMSR emphasises that this integrated risk-based approach is consistent with ISO 14971 but doesn’t restate it. |
2.5 Design & traceability nuances Design controls scope ISO 13485 applies 7.3 to all relevant devices; QMSR limits mandatory design controls to class II, class III, and specific class I devices (software, a few named types), matching historical 820.30. For those devices, the ISO 13485 design requirements are unchanged but US‑specific risk‑management documentation expectations are strong. Traceability for devices that support or sustain life QMSR requires compliance with ISO 13485 7.5.9.2 for implantable devices that support or sustain life, including component traceability where failure could compromise specified safety and effectiveness. This essentially preserves and modernises old 820.65 requirements. |
3.6 Combination products and other borderline cases If you make combination products: Re‑check 21 CFR Part 4, as it now references QMSR instead of QSR, but the overall CGMP logic (device + drug/biologic overlays) remains the same. Verify that your device‑side processes (design, CAPA, labelling, complaint handling) are explicitly tied to ISO 13485/QMSR as well as Parts 210/211 or 600‑680 where applicable. |
| 2.6 Terminology and “clarification of concepts” QMSR leans on ISO 13485’s Clause 0.2 but clarifies some terms: “Documented” inherently means established, implemented, and maintained (so QMSR drops the old “establish” definition). “Safety and performance” in ISO 13485 Clause 0.1 is construed as “safety and effectiveness” for US purposes. “Rework” is defined as actions before release only; post‑distribution fixes are governed instead by Parts 7/806/810. |
Bottom line:
Being ISO 13485-certified helps, but it does not, by itself, guarantee QMSR compliance; you must implement the FDA-plus elements. Conversely, a QMSR-compliant system will largely satisfy ISO 13485, but you may still want/need a formal ISO certificate for non-US markets. A practical strategy is to maintain a single integrated global QMS based on ISO 13485, then implement the QMSR add-ons (UDI/traceability, FDA-specific record content, labelling controls, MDR/806 linkages, US definitions) as globally applied practices or as US market-specific variants, depending on your portfolio and risk appetite.