ISO 13485 vs. 21 CFR 820: Key Differences & Compliance Guide

Introduction

A failed FDA inspection or a rejected international submission often traces back to the same root cause: two overlapping quality frameworks with subtle but consequential differences. ISO 13485 governs international markets; 21 CFR Part 820 controls U.S. market access. Misaligning either can stall regulatory approvals, trigger FDA Warning Letters, or block market entry entirely.

The stakes just got higher. On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) incorporated ISO 13485:2016 by reference, fundamentally rewriting the relationship between these two standards. For the first time, a single quality framework now satisfies both U.S. and international requirements—but several critical U.S.-specific obligations remain. This guide breaks down the key structural differences, maps the U.S.-specific requirements that persist under QMSR, and helps you determine what your QMS actually needs to satisfy both.

TLDR

  • ISO 13485 governs global market access (EU, Canada, Australia); 21 CFR Part 820 is the FDA's U.S. quality system regulation
  • The QMSR (effective February 2, 2026) absorbed ISO 13485:2016 into U.S. law — one standard now serves both frameworks
  • ISO 13485 certification alone doesn't equal FDA compliance—MDR reporting, UDI recordkeeping, and labeling requirements remain
  • Key differences include risk management integration, documentation prescriptiveness, supplier oversight, and enforcement mechanisms
  • Companies should build one unified QMS satisfying both frameworks simultaneously

ISO 13485 vs. 21 CFR Part 820: Quick Comparison

The table below breaks down the five most consequential differences between these two frameworks at a glance.

Element ISO 13485 21 CFR Part 820
Nature Voluntary international standard with mandatory market implications U.S. federal regulation
Governing Body International Organization for Standardization (ISO) U.S. Food and Drug Administration (FDA)
Geographic Reach Global (EU, Canada, Australia, most international markets) U.S. market only
Risk Management Explicitly integrated system-wide per ISO 13485:2016 Historically absent; now mandated under QMSR
Enforcement Third-party certification audits (notified bodies, registrars) Direct FDA inspections with legal consequences (483s, Warning Letters)

ISO 13485 versus 21 CFR Part 820 five-key-differences comparison infographic

Under the QMSR, these frameworks are now largely aligned. Quality teams managing legacy system audits, conducting gap analyses, or planning global compliance strategies still need to understand these distinctions — particularly around enforcement mechanisms and risk management scope, where the two frameworks diverge most in practice.

What Is ISO 13485:2016?

ISO 13485:2016 is the globally recognized quality management system standard for medical device manufacturers. Developed by the International Organization for Standardization, the 2016 revision introduced stronger risk-based thinking and more explicit lifecycle management requirements compared to the 2003 version.

Core requirements include:

  • Quality manual and documentation hierarchy
  • Risk management integration linked to ISO 14971
  • Design and development controls
  • Supplier qualification and ongoing monitoring
  • CAPA (Corrective and Preventive Action)
  • Internal audits
  • Post-market feedback loops

This standard governs consistent device safety and effectiveness across the entire product lifecycle. Over 30,000 certificates have been issued across more than 100 countries, making it the common QMS reference point for nearly every regulated market.

Use Cases of ISO 13485

ISO 13485 is required or strongly preferred for:

  • CE marking for the European Union under MDR 2017/745
  • Health Canada licensing through MDSAP
  • TGA registration in Australia
  • MDSAP participation across multiple jurisdictions
  • Most other regulated markets globally

For most device types — combination products, IVDs, SaMD, implants — ISO 13485 is the foundational QMS layer. Market-specific requirements like 21 CFR 820 are then applied on top, which is where the two standards start to diverge.

What Is 21 CFR Part 820?

21 CFR Part 820 is the FDA's Quality System Regulation—a legally enforceable U.S. federal regulation governing the design, manufacture, packaging, labeling, storage, installation, and servicing of finished medical devices. Non-compliance can trigger FDA inspections, Form 483 observations, Warning Letters, import alerts, or consent decrees.

Key requirements include:

  • Management responsibility and quality policy
  • Design controls with mandatory Design History File (DHF)
  • Production and process controls
  • Process validation
  • Complaint handling and MDR reporting linkage
  • CAPA
  • Training documentation

The regulation's historically performance-based approach gave manufacturers flexibility in meeting requirements—specifying what to achieve but leaving how largely to the manufacturer.

QMSR Update: What Changed in 2026

21 CFR Part 820 was formally amended by the QMSR effective February 2, 2026, replacing its core quality system provisions with ISO 13485:2016 by reference. The regulation still exists as the legal framework, however, and retains U.S.-specific bridge requirements not covered by ISO 13485 alone.

Use Cases of 21 CFR Part 820

That legal framework has real reach. The regulation applies to all finished device manufacturers—domestic and foreign—whose products are distributed in the U.S., including:

  • Class I, II, and III devices (with limited Class I exemptions)
  • In vitro diagnostics (IVDs)
  • Combination products
  • Remanufactured devices

Unlike ISO 13485 audits conducted by third parties, FDA inspections carry direct legal consequences. Recent FDA inspection data shows quality system violations remain among the most frequently cited deficiencies—making this one of the highest-risk areas for U.S. market access.

Key Differences Between ISO 13485 and 21 CFR Part 820

Risk Management Integration

ISO 13485 embeds risk-based thinking throughout all QMS processes: design inputs, supplier selection, CAPA, and post-market surveillance — all tied directly to ISO 14971. The 2016 revision deepened this emphasis across product realization and QMS processes.

The original 21 CFR Part 820 mentioned risk indirectly (primarily in design validation at §820.30(g)) but didn't mandate a system-wide risk management process. This was one of the primary gaps the QMSR set out to close.

Documentation and Prescriptiveness

Dimension ISO 13485 21 CFR Part 820
Structure Prescriptive — defined procedures per process area Performance-based — specifies what to achieve
Quality Manual Explicitly required Not mandated
Documentation Focus Medical Device File (replaces legacy DMR) Outcomes and results
Manufacturer Discretion Limited — format and process defined High — how largely left to manufacturer

This difference affects how auditors from each framework evaluate a company's QMS. ISO auditors expect explicit procedural documentation, while FDA investigators historically focused on demonstrating control through results.

Supplier Control Rigor

ISO 13485 requires:

  • Documented supplier selection criteria
  • Qualification records
  • Ongoing performance monitoring
  • Re-evaluation at defined intervals

21 CFR Part 820 focused on verifying purchased components met specifications at incoming inspection, with less emphasis on ongoing supplier performance evaluation.

This gap has caught many U.S.-only QMS companies off guard during ISO 13485 audits — they lack documented evidence of periodic supplier re-evaluation and performance trending. Audit transparency is a related area where the two frameworks diverge just as sharply.

ISO 13485 supplier control requirements versus 21 CFR Part 820 incoming inspection comparison

Internal Audit Transparency and Scope

Under the original 21 CFR Part 820, FDA investigators were prohibited from reviewing internal audit reports and management review minutes under §820.180(c) — a significant privacy protection for manufacturers.

ISO 13485 provides no such protection. Auditors can and do request audit findings, corrective actions, and evidence of closure.

The QMSR changed the FDA's position entirely. The FDA explicitly eliminated this exception, giving investigators authority to review internal audits, management reviews, and supplier audit reports. How these documents are written and retained now carries direct regulatory consequence.

Enforcement Mechanism and Legal Weight

ISO 13485 and 21 CFR Part 820 carry very different consequences for non-compliance:

ISO 13485 enforcement:

  • Third-party certification audits
  • Non-conformities result in corrective action requests
  • No direct legal penalties
  • Certificate suspension or withdrawal possible

21 CFR Part 820 enforcement:

  • Federal law enforced through FDA inspections
  • Can result in 483 observations, Warning Letters, product seizures, or injunctions
  • Legal penalties for non-compliance
  • Direct market access consequences

ISO 13485 certification is not a substitute for an FDA inspection.

FDA QMSR: How ISO 13485 and 21 CFR 820 Are Converging—And What It Means for Your QMS

With the QMSR, the FDA formally incorporated ISO 13485:2016 by reference into 21 CFR Part 820. For the first time, a single quality framework satisfies both U.S. and international QMS requirements.

The FDA projects annualized net cost savings of approximately $532 million at a 7% discount rate — a figure that reflects the scale of redundancy this harmonization eliminates.

What Changed Under QMSR

Key structural shifts manufacturers must understand:

  1. Audit exception eliminated — internal audits and management reviews are now open to FDA investigators
  2. Terminology alignment — legacy terms like Device Master Record (DMR) and Design History File (DHF) replaced by ISO term "Medical Device File"
  3. Risk-based thinking mandated — system-wide requirement, not just in design
  4. Top management responsibility — explicitly heightened per ISO 13485 Clause 5
  5. Unified definitions — aligned with ISO 9000:2015 terminology

Five key structural changes introduced by FDA QMSR 2026 regulation update

What Has NOT Changed Under QMSR

Critical U.S.-specific requirements remain fully in force and are not replaced by ISO 13485 clauses:

  • Medical Device Reporting (21 CFR Part 803)
  • Unique Device Identification recordkeeping (Part 830)
  • Corrections and Removals reporting (Part 806)
  • FDA-specific labeling inspection requirements (§820.45)
  • FDA-specific definitions that supersede ISO terminology when conflicts exist

These U.S.-specific requirements mean ISO 13485 certification alone does not equal FDA compliance.

Practical Steps for Achieving Dual Compliance

1. Conduct a formal gap analysis Compare your current QMS against QMSR requirements. Identify broken links between processes, not just missing procedures.

2. Update documentation structure Align with ISO 13485 Medical Device File terminology and organization.

3. Integrate risk management system-wide Apply ISO 14971 principles across all QMS processes—procurement, CAPA, training, post-market surveillance.

4. Strengthen supplier qualification Document selection criteria, qualification records, and ongoing evaluation evidence with periodic re-evaluation.

5. Prepare audit documentation Structure internal audit and management review documentation to withstand direct FDA scrutiny—these records are no longer protected.

6. Address U.S.-specific bridge requirements Ensure MDR reporting, UDI recordkeeping, and labeling inspection procedures are explicitly documented and linked to your QMS.

Managing these six steps simultaneously — especially across FDA, Health Canada, EU MDR, and other frameworks — is where the complexity compounds quickly. Elexes' quality system support and compliance consulting services are built for exactly this scenario, with 250+ successful projects completed and a 90% audit clearance rate across Class I–III device manufacturers globally.

Real-world consolidation scenario:

A mid-sized implantable device manufacturer historically maintained separate documentation systems — one for FDA design controls, another for CE marking under the Medical Device Directive. The result: duplicate documentation efforts, version control headaches, and audit preparation that required two parallel workstreams.

After the QMSR announcement, the company conducted a formal gap analysis and consolidated under a unified ISO 13485:2016-based QMS. The transition involved restructuring the Medical Device File, implementing system-wide risk management, and updating supplier qualification with ongoing performance monitoring.

The outcome: audit preparation time dropped by 40%, version control errors were eliminated, and both FDA and notified body audits cleared with zero major findings. The critical factor was addressing the U.S.-specific bridge requirements — MDR, UDI, labeling — as a distinct workstream within the ISO framework, not as an afterthought.

Medical device manufacturer team reviewing unified QMS documentation after successful FDA and notified body audit

Conclusion

ISO 13485 and 21 CFR Part 820 are no longer two parallel systems to be maintained separately. Under the QMSR, they share a unified core, and manufacturers who build one strong, risk-integrated QMS aligned with ISO 13485:2016 will be well-prepared for both FDA inspections and global market access.

To make that happen, focus on three priorities:

  • Assess your current QMS against QMSR requirements to identify gaps before an inspection does
  • Address the highest-risk areas first: risk management integration, internal audit documentation, and supplier oversight
  • Use harmonization to eliminate duplicate processes and reduce compliance overhead

Whether you're a startup preparing your first 510(k) submission or an established manufacturer pursuing global market access, a well-structured QMS aligned with ISO 13485:2016 and QMSR gives you a foundation that works across jurisdictions — not just for one market at a time.

Frequently Asked Questions

What is the difference between ISO 13485 and 21 CFR Part 820?

ISO 13485 is an international QMS standard enforced through third-party certification audits and required for most global markets, while 21 CFR Part 820 is the FDA's legally enforceable U.S. regulation. Under the FDA's QMSR (effective February 2026), the two are now aligned, but key U.S.-specific requirements remain in force.

Is 21 CFR Part 820 still valid?

Yes, 21 CFR Part 820 still exists as a legal framework but has been formally amended by the QMSR, which incorporated ISO 13485:2016 by reference. Manufacturers must now comply with the QMSR version of Part 820, which uses ISO 13485 as its core while retaining several FDA-specific bridge requirements.

Does the FDA require ISO 13485 certification?

No, the FDA does not require ISO 13485 certification as a substitute for its own inspection. Holding a certificate doesn't exempt manufacturers from FDA oversight. That said, since ISO 13485:2016 is now incorporated by reference into the QMSR, meeting its requirements is necessary for U.S. federal law compliance.

Do ISO 13485 and 21 CFR Part 820 require design controls?

Yes, both standards require design controls covering inputs, outputs, verification, validation, review, and change management. ISO 13485 uses "design and development" terminology and references the ISO 13485 Medical Device File, while 21 CFR Part 820 historically required a Design History File. Under the QMSR, these requirements are now fully harmonized.

What is the purpose of 21 CFR Part 820?

21 CFR Part 820 ensures that medical devices manufactured for the U.S. market are consistently safe and effective by establishing minimum quality system requirements for design, production, labeling, packaging, and post-market activities—enforced through FDA inspections with legal consequences for non-compliance.

Does 21 CFR 820 apply to drugs?

No, 21 CFR Part 820 applies specifically to medical devices, not drugs (which are governed by 21 CFR Parts 210 and 211). Combination products including a drug component may have overlapping requirements, but Part 820/QMSR is device-specific in its primary application.