Updated: 22nd June 2026
Reviewed by: David Small, BSc (Hons), MSc, MTOPRA (Founder & CEO)
Patient Guard Ltd is fully ISO 13485:2016 Certified by BSI — View Our Official Certificate Here.
ISO 13485 & CFR 21 Part 820 QSR
Navigating global compliance means understanding how different regulatory bodies view quality frameworks. While the US market relies on the FDA’s Quality System Regulation (21 CFR Part 820), the rest of the medical device world relies on a single international standard. Before diving into the technical variations between these systems, it is essential to understand the foundational requirements of what is ISO 13485 and why it dictates global market access.
New to ISO 13485?
This article compares ISO 13485 and the FDA's Quality System Regulation (QSR). If you're looking for a complete overview of ISO 13485 requirements, implementation, certification and quality management system obligations for medical device manufacturers, read our Complete Guide to ISO 13485.
1. Scope & Applicability
ISO 13485
ISO 13485 is an international standard designed specifically to set minimum requirements for Quality Management in the medical device industry. This standard ensures that conforming organisations implement a Quality Management System (QMS) and demonstrate an ability to provide medical devices and related services that consistently meet customer and regulatory requirements. ISO 13485 is applicable to organisations involved in one or more stages of the medical device lifecycle, including design, production, installation, and servicing.
CFR Part 820
CFR 21 Part 820, also known as the Quality System Regulation (QSR), is a regulatory requirement enforced by the FDA for medical device manufacturers selling products in the United States only. It outlines the QMS requirements that manufacturers must follow to ensure their products are safe and effective. Unlike ISO 13485, CFR 21 Part 820 is a federal regulation and carries legal implications for non-compliance.
Difference
The primary difference in the scope and applicability of these two standards is that ISO 13485 is voluntary and applies internationally, whereas CFR 21 Part 820 is mandatory regulation that is specifically for the U.S. market.
2. Focus on Risk Management
ISO 13485
ISO 13485 places a significant emphasis on risk management throughout the product lifecycle. It requires manufacturers to establish a systematic process for identifying, evaluating, and controlling risks associated with medical devices. The standard mandates comprehensive risk management procedures during the design and development phases, as well as throughout production and post-market activities. It is supplemented by ISO 14971, the international standard for Application of Risk Management to Medical Devices.
3. Design and Development Requirements
ISO 13485
ISO 13485 includes detailed requirements for the design and development of medical devices. It necessitates a structured approach, including planning, input, output, review, verification, validation, and design transfer. The standard emphasizes the importance of design controls to ensure the device meets user needs and intended use.
CFR 21 Part 820
CFR 21 Part 820 also mandates design controls but provides a more prescriptive approach. The regulation specifies requirements for design and development planning, design input, design output, design review, design verification, design validation, and design changes. These requirements are intended to ensure the device meets specified requirements and is safe and effective for its intended use.
Difference
While both standards require robust design and development processes, ISO 13485 offers more flexibility in how these processes are implemented. In contrast, CFR 21 Part 820 provides a more detailed and prescriptive framework.
4. Documentation and Record-Keeping
ISO 13485
ISO 13485 requires extensive documentation to demonstrate compliance with its QMS requirements. This includes maintaining specific records of the outputs of the procedures, processes, and activities that make up the QMS. Documentation must be controlled, and records must be maintained to provide evidence of conformity to requirements and the effective operation of the QMS.
CFR 21 Part 820
CFR 21 Part 820 also emphasizes documentation but places a stronger focus on the traceability of medical devices. The QSR mandates detailed record-keeping for all aspects of the QMS, including device history records (DHR), device master records (DMR), and quality system records (QSR). These records must be easily accessible for inspection by the FDA.
Difference
Both standards require rigorous documentation, but CFR 21 Part 820 has more extensive requirements for the specific types of records that must be maintained and for ensuring their accessibility for FDA inspections.
5. Supplier Management
ISO 13485
ISO 13485 requires manufacturers to establish criteria for the selection, evaluation, and re-evaluation of suppliers. It emphasizes the importance of supplier management in ensuring the quality of procured products and services. Manufacturers must implement a risk-based approach to supplier management, including monitoring of supplier performance and periodic re-evaluation. ISO 13845 also requires that Quality Agreements are employed as part of your risk based supplier controls.
CFR 21 Part 820
CFR 21 Part 820 also requires manufacturers to evaluate and select suppliers based on their ability to meet specified requirements. However, the QSR places a greater emphasis on the need for purchasing controls to ensure that all purchased or otherwise received product and services conform to these specified requirements, rather then taking a risk-based approach and applying more strict controls on higher risk suppliers.
Difference
ISO 13485 promotes a more comprehensive risk-based approach to supplier management, whereas CFR 21 Part 820 focuses on a more universal approach to implementing purchasing controls to ensure conformance to specifications.
The New FDA QMSR Framework: Harmonization is Here
The FDA has officially transitioned from the old QSR to the new Quality Management System Regulation (QMSR), incorporating ISO 13485:2016 by reference into 21 CFR Part 820. This historic transition streamlines compliance requirements for international manufacturers by addressing five major areas:
1. Incorporation of Risk Management Principles:
The QMSR explicitly integrates risk management concepts directly from ISO 13485, emphasizing the absolute necessity of identifying, managing, and controlling safety risks throughout the entire product lifecycle.
2. Adopted Supplier Controls:
The regulation now utilizes a comprehensive approach to supplier management, reflecting the standard’s strict emphasis on supplier evaluation, selection criteria, and continuous performance monitoring.
3. Harmonized Documentation Requirements:
By aligning record-keeping parameters with international expectations, the FDA has reduced the historical double-documentation burden on manufacturers operating in multiple global jurisdictions.
4. Aligned Design Controls:
Design and development planning, input, output, and validation requirements now closely mirror the workflows found within ISO 13485, promoting a unified approach to design files.
5. Enhanced Global Compatibility:
With the QMSR active, it is structurally cleaner for international manufacturers to expand into the U.S. market, and significantly easier for established U.S. companies to export devices globally.
Summary
Understanding the differences between ISO 13485 and CFR 21 Part 820 is crucial for medical device manufacturers aiming to ensure compliance and maintain high-quality standards in the US and wider international markets. While ISO 13485 provides an international framework focusing on risk management and flexibility, the old QSR offered a highly prescriptive path specific only to the U.S. market.
The FDA’s official transition to the QMSR framework marks a monumental step toward true global harmonization. By integrating ISO 13485 into 21 CFR Part 820, these changes effectively streamline international compliance, strip away historical double-documentation burdens, and enhance the competitive agility of modern device manufacturers.
As the global regulatory landscape evolves, staying informed about these intersections is essential. By understanding and adapting to these standards, manufacturers can ensure their products meet the highest quality and safety standards, fostering trust and reliability across all borders.
Frequesntly Asked Questions about ISO 13485 & FDA 21 CFR Part 820
ISO 13485 is an international standard for Quality Management Systems (QMS) specific to medical devices, while 21 CFR Part 820 is the FDA’s Quality System Regulation (QSR) governing medical devices in the United States.
- ISO 13485: Focuses on globally harmonized QMS requirements for medical devices.
- 21 CFR Part 820: Enforces regulatory requirements for devices sold in the US market.
Key insight: While they overlap in many areas, ISO 13485 is voluntary unless required by specific regulations, whereas 21 CFR Part 820 is mandatory for US market access.
No, but they are closely aligned. Both emphasize quality management for medical devices but differ in focus:
- ISO 13485: Geared towards general medical device QMS, emphasizing global applicability and harmonization.
- 21 CFR Part 820: A regulatory requirement with specific directives for FDA compliance, including premarket and postmarket considerations.
Pro tip: Compliance with ISO 13485 often makes it easier to meet 21 CFR Part 820 requirements, but it does not guarantee FDA approval.
Both frameworks share core principles, including:
- Documented QMS: Requirement for structured quality systems.
- Risk Management: Integration of risk-based approaches to processes and product development.
- Design Controls: Comprehensive design and development processes.
- Supplier Management: Oversight of suppliers to ensure quality.
- Complaint Handling: Procedures for addressing complaints and adverse events.
- Post-Market Surveillance: Monitoring device performance after commercialization.
Key takeaway: Manufacturers targeting both global and US markets can leverage the overlap to streamline compliance efforts.
Some notable differences include:
| Aspect | ISO 13485 | 21 CFR Part 820 (QSR) |
|---|---|---|
| Scope | International standard | US-specific regulatory requirement |
| Focus | General QMS for global compliance | Specific to FDA regulations |
| Risk Management | Emphasized but less prescriptive | Embedded in device design controls |
| Flexibility | Provides general guidelines | FDA enforces strict compliance |
| Terminology | Uses terms like “validation” | More regulatory-specific terms like “verification” |
Key insight: ISO 13485 is more flexible and adaptable, while 21 CFR Part 820 is highly prescriptive for FDA compliance.
No, ISO 13485 certification is not a substitute for compliance with 21 CFR Part 820. However, the FDA recognizes ISO 13485 as a harmonized standard and is working towards aligning the QSR with ISO 13485.
Pro tip: Manufacturers planning to market devices globally should implement ISO 13485 alongside compliance with 21 CFR Part 820.
Yes! Patient Guard provides expert support for both frameworks, including:
- Developing ISO 13485-compliant Quality Management Systems.
- Aligning existing systems with 21 CFR Part 820 requirements.
- Preparing for FDA inspections and ISO audits.
- Training teams on regulatory differences and best practices.
Why choose Patient Guard: With experience supporting over 500 manufacturers, we help streamline compliance for both US and global markets, ensuring seamless regulatory approvals.
David Small BSc (Hons), MSc, MTOPRA
Reviewed by
David Small, BSc (Hons), MSc, MTOPRA
Founder & CEO |
20+ years in medical device regulatory affairs, MDR/IVDR compliance and quality systems.
Patient Guards Recent Posts

EU Authorised Representative Services for Medical Device & IVD Manufacturers
Selling medical devices or IVDs in Europe? If your company is based outside the EU, appointing an EU Authorised Representative (EC Rep) is a legal requirement under EU MDR 2017/745 and IVDR 2017/746. Patient Guard provides expert EU Authorised Representative services, EUDAMED support, regulatory guidance, and ongoing compliance management to help manufacturers access and maintain the European market with confidence.

Predetermined Change Control Plans (PCCPs): The Future of Agile Compliance for Medical Device Software
Learn how PCCPs help medical device software manufacturers manage updates, support AI systems, and enable agile compliance under evolving MDR and UKCA frameworks.

The AI Act Omnibus Explained: What the 2026 EU Rules Mean for Medical Device and IVD Manufacturers
Discover how the EU AI Act Omnibus affects AI medical devices and IVD manufacturers. Learn about the No Duplication principle, transparency rules, key 2026 and 2028 deadlines, and how MDR and IVDR compliance are converging with AI regulation.
Patient Guards Related Services
Patient Guards Regulatory Tools
Need Training?
Do you need training on Quality Management Systems or EU MDR/ EU IVDR? then check out our training courses.