The FDA's Quality Management System Regulation (QMSR) took effect on February 2, 2026. If you're a medical device manufacturer and that date didn't land as significant, here's why it should have: the FDA formally restructured 21 CFR Part 820 to align with ISO 13485:2016 — and that changes the economics of quality system investment for every device company operating in or exporting to the United States.
Before February 2026, a manufacturer chasing FDA compliance and one chasing international market access were essentially running parallel quality systems, or at minimum doing significant translation work between two frameworks. Today, a well-built ISO 13485:2016 quality management system is substantively the same infrastructure that satisfies QMSR requirements. One system, two regulatory fronts covered.
In my eight-plus years of certification consulting, I've watched the ISO 13485 niche get consistently underserved. Device manufacturers know they need certification — but the FDA-ISO connection has never been cleanly explained. What follows is my attempt to fix that, clause by clause.
What the FDA QMSR Actually Changed
The FDA published the final QMSR rule in the Federal Register on February 2, 2024, giving manufacturers a two-year compliance window. The rule reorganized 21 CFR Part 820 around ISO 13485:2016's structure, replacing legacy QSR language with harmonized requirements while preserving FDA-specific additions like Unique Device Identification (UDI) and Medical Device Reporting (MDR) linkage.
The practical effect: many of the requirements that ISO 13485:2016 auditors have been verifying for years — design controls, risk management integration, supplier qualification, post-market surveillance — are now the same requirements FDA investigators examine during a Quality System Inspection Technique (QSIT) inspection. The frameworks aren't identical, but they are more aligned than at any previous point in regulatory history.
For a manufacturer pursuing international distribution through CE marking in the EU, TGA registration in Australia, or Health Canada approval, ISO 13485 has always been table stakes. The QMSR alignment means pursuing that certificate now simultaneously builds FDA compliance infrastructure. That's a meaningful shift in how device companies should think about certification ROI.
The FDA's Quality Management System Regulation, effective February 2, 2026, harmonizes 21 CFR Part 820 with ISO 13485:2016 at the substantive level — making a single integrated QMS achievable for device manufacturers selling in both U.S. and international markets for the first time in the regulation's history.
What ISO 13485:2016 Actually Requires
ISO 13485:2016 is a quality management system standard specifically tailored for medical device manufacturers and their supply chains. It builds on ISO 9001 in structure but diverges significantly in substance — particularly in its emphasis on risk-based approaches, regulatory requirements integration, and post-market vigilance.
A few clauses worth understanding in practical terms:
Clause 4.1 — General QMS Requirements
The standard requires documented processes for quality management. That sounds unremarkable until you see what "documented" means in practice: every process affecting product safety and performance needs to be identified, sequenced, and monitored, with criteria for both operation and control. Companies that build this infrastructure once find regulatory inspections — whether from a notified body or the FDA — significantly less disruptive than companies that reconstruct documentation on demand.
Clause 6.1 — Risk Management Integration
ISO 13485:2016 requires that risk management be woven into the quality system itself, not treated as a standalone exercise. This aligns with ISO 14971, the risk management standard for medical devices. I've seen companies with a risk management file sitting in a binder somewhere, untouched since the last audit. That approach works until it doesn't — and when it fails, it's typically in the middle of a design change or a supplier qualification that nobody ran through the risk process.
Clause 7.3 — Design and Development Controls
This is where the most significant gaps appear during initial assessments. The standard requires that design controls include documented planning, input requirements, output verification, review at defined stages, and validation before release. Many companies treat design as an engineering activity and documentation as a regulatory afterthought. That inversion is exactly what Form 483 observations and notified body nonconformances tend to surface.
Clause 8.2.1 — Post-Market Feedback
Post-market surveillance isn't optional under ISO 13485:2016. The standard requires a documented feedback process that collects and analyzes field information — complaints, repair data, literature reviews, regulatory reports — as an active input to the risk management system. This closes the loop between post-market data and ongoing product safety assessment. It's also the clause most companies have done the least work on.
ISO 13485:2016 vs. Legacy QSR vs. FDA QMSR: A Side-by-Side Look
Understanding how these frameworks map to each other is worth the time. The table below captures the key alignment points:
| Requirement Area | ISO 13485:2016 | Legacy 21 CFR Part 820 (pre-2026) | FDA QMSR (post-Feb 2026) |
|---|---|---|---|
| Framework structure | ISO 9001-aligned, clauses 4–10 | Subpart-based (Subparts A through O) | Restructured to mirror ISO 13485 |
| Risk management | Clause 6.1, integrated throughout | Limited explicit requirement | Now references ISO 14971 approach |
| Design controls | Clause 7.3, multi-stage planning | Subpart C (§820.30) | Harmonized with clause 7.3 |
| Post-market surveillance | Clause 8.2.1 feedback requirement | Complaint handling (§820.198) | Expanded to align with 8.2.1 |
| Supplier controls | Clause 7.4, evaluation + monitoring | Subpart E (§820.50) | Harmonized with clause 7.4 |
| Document control | Clause 4.2 | Subpart D (§820.40) | Harmonized with clause 4.2 |
| FDA-unique obligations | Not applicable | UDI, MDR requirements | UDI and MDR retained; explicitly QMSR-only |
The most important takeaway from this table: the substantive QMS work — design controls, risk integration, supplier qualification, document control — is now essentially the same exercise whether you're building for ISO certification or FDA compliance. The QMSR retained a small set of FDA-specific obligations, but the core quality infrastructure is shared.
Where Most Device Companies Actually Stand
When I run a gap assessment on a medical device manufacturer, the patterns are consistent enough that I can sketch the typical profile.
Companies that have been selling domestically under the legacy QSR for years often have reasonable documentation practices but thin risk integration. Their design history files are usually in decent shape — FDA has trained domestic manufacturers to maintain those — but the connection between post-market feedback and active risk file updates is typically weak. Clause 8.2.1 is where I find the most work.
Companies building toward international expansion often have the opposite problem. They've seen the ISO 13485 requirements and invested in documentation, but they've done it in isolation from FDA expectations. Their risk files are sophisticated and their post-market surveillance processes are solid — but there are gaps in the FDA-specific overlay requirements that QMSR has now made explicit.
The companies with the least work ahead of them are the ones that built their quality systems with both frameworks in view from the start. That's still a minority. The more common scenario is a quality system that was adequate for one regulatory context and is now being asked to serve two.
More than 30,000 ISO 13485 certificates were active worldwide according to the most recent ISO Survey data — a figure that has grown approximately 40% over the past decade as international device market access requirements have tightened. The global medical device market exceeded $600 billion in 2023, which means competitive pressure to hold international certifications is only increasing. And FDA inspection data consistently shows quality system deficiencies among the top five observations on Form 483, suggesting that even companies with long FDA compliance histories have room to strengthen their quality infrastructure.
The Certification Pathway: From Gap Assessment to Certificate
The ISO 13485 certification process follows a standard pattern, though the timeline varies considerably depending on company size, quality system maturity, and scope.
Phase 1 — Gap Assessment
Before any formal audit, a competent consultant should walk every in-scope process against the standard's requirements and produce a prioritized gap report. This isn't the certification body's job — their Stage 1 audit serves a different function. A pre-assessment done independently gives you time to close significant gaps before you're sitting across from a registrar.
In my experience, companies typically discover three or four systemic gaps — design control documentation, risk management integration, feedback process formalization, or training records — plus a longer list of minor deficiencies. The systemic gaps are where the real work lives. Minor deficiencies are often correctable in weeks.
Phase 2 — Gap Remediation
This is the implementation phase: revising procedures, building missing documentation, training personnel, and running corrected processes through at least one operational cycle before certification. ISO 13485:2016 requires documented evidence of implementation, not just documented procedures. Auditors look for records, not intentions.
Phase 3 — Stage 1 Audit (Document Review)
The certification body conducts an off-site review of QMS documentation against the standard's requirements. They assess readiness for the Stage 2 audit and identify concerns to address before the on-site visit.
Phase 4 — Stage 2 Audit (On-Site)
Auditors visit the facility, interview personnel, observe processes, and verify that documented procedures reflect actual practice. Nonconformances issued at Stage 2 require a corrective action response — major nonconformances must be resolved before the certificate is issued; minor nonconformances typically carry a 90-day window.
Phase 5 — Surveillance and Recertification
Certification is valid for three years, with annual surveillance audits. The surveillance audits are narrower in scope than the initial certification but require evidence the QMS is being maintained and improved — not just kept on paper.
Companies that go in well-prepared typically complete Stage 1 and Stage 2 in the same year they start. Companies that go in under-prepared often add six to twelve months through audit findings and remediation cycles. Medical device companies that build their quality systems around ISO 13485:2016 from the outset typically arrive at FDA inspections with more complete documentation and fewer quality system 483 observations than companies that built their QMS solely against legacy QSR requirements.
Why ISO 13485 Is Now FDA Compliance Infrastructure
I want to be specific about this because it's the piece most often misunderstood. ISO 13485 certification does not substitute for FDA compliance. A certificate from an accredited certification body is not something you present to an FDA investigator as evidence of regulatory compliance. The FDA runs its own inspection program under its own statutory authority.
What ISO 13485 certification does is build the quality system infrastructure that QMSR compliance requires. The February 2026 harmonization means the substantive requirements are aligned — so companies that have built an ISO 13485-conforming QMS have, by definition, addressed most of what FDA investigators will examine during a QSIT inspection.
In practical terms: a company that achieves ISO 13485 certification and maintains it through annual surveillance has documented evidence of design controls, supplier qualification, corrective actions, and post-market feedback — the same artifacts FDA investigators look for during QSIT. The certificate itself doesn't provide regulatory coverage, but the work that produced the certificate does.
ISO 13485:2016 clause 7.3 on design and development controls maps directly to the FDA QMSR's design controls requirements, while simultaneously adding risk management integration that the legacy 21 CFR Part 820 did not explicitly require — making ISO-trained quality systems better prepared for both regulatory contexts than either framework alone previously achieved.
This is why the FDA-ISO bridge matters so much right now. Companies that understand this alignment and move early are building quality systems that serve multiple regulatory masters without redundant effort. Companies that treat certification as an isolated checkbox exercise are paying twice for the same work.
What to Look for in an ISO 13485 Consultant
The certification body conducts the audit. A consultant's job is different: close the gaps before you're in the room with auditors, and make sure the quality system you build is one that actually serves the regulatory context — not just one that passes an audit.
In my view, the right consultant for ISO 13485 work is one who can hold both the ISO standard and the FDA regulatory context simultaneously. Not a documentation specialist who produces procedures without understanding regulatory intent, and not an FDA specialist who doesn't know the ISO framework. The QMSR harmonization has made the two-context capability more important, not less.
At Certify Consulting, we've brought more than 200 clients through first-time certification processes with a 100% first-time audit pass rate. The approach is straightforward: honest gap assessment, prioritized remediation, and preparation that treats the certification audit as a byproduct of actually building a quality system — not a documentation sprint designed to look right on paper.
The questions worth asking any ISO 13485 consultant are practical ones: Have they led ISO 13485 certifications specifically, not just general ISO 9001 work? Can they explain the QMSR harmonization and what it means for your FDA compliance picture? Have they supported companies through FDA QSIT inspections, not just certification audits?
Those answers tell you whether you're talking to someone who understands the full regulatory context or someone who knows the standard in isolation. In 2026, with QMSR in effect, the context matters more than the standard alone.
Explore our ISO certification and FDA compliance services to learn how Certify Consulting approaches the integrated ISO-FDA quality system build.
Frequently Asked Questions About ISO 13485 Certification
What is ISO 13485 and who needs it?
ISO 13485:2016 is an international quality management system standard for organizations involved in the design, production, installation, or servicing of medical devices. It is required by regulatory authorities in most major international markets — including the EU (CE marking), Canada (Health Canada), Australia (TGA), and Brazil (ANVISA). With the FDA's QMSR harmonization effective February 2026, ISO 13485 certification is now substantively aligned with U.S. regulatory requirements as well. Any medical device manufacturer seeking international distribution or looking to strengthen their FDA quality system posture should be evaluating ISO 13485 certification.
How long does ISO 13485 certification take?
For most companies, the process from initial gap assessment to certificate issuance takes 12 to 18 months. Companies with mature quality systems and strong existing documentation can sometimes complete the process in 9 to 12 months. Companies with significant gaps in design controls, risk management integration, or post-market surveillance typically need the full 18 months or longer. Front-loading the gap assessment and remediation phase — before engaging a certification body — is the most reliable way to compress the timeline and avoid costly audit findings that push the schedule back.
How does ISO 13485 relate to the FDA's QMSR under 21 CFR Part 820?
The FDA's Quality Management System Regulation, which took effect February 2, 2026, restructured 21 CFR Part 820 to align with ISO 13485:2016. The substantive quality system requirements — design controls, risk management integration, supplier qualification, document control, and post-market surveillance — are now harmonized between the two frameworks. A company with a well-maintained ISO 13485 QMS has addressed most of what the QMSR requires, though FDA-specific obligations like UDI registration and Medical Device Reporting remain distinct regulatory requirements that the ISO certificate does not satisfy independently.
What are the most common gaps found during ISO 13485 pre-assessments?
The four gaps I see most consistently are: (1) post-market feedback processes that don't feed back into the risk management system as clause 8.2.1 requires; (2) design control documentation that captures outputs without adequate evidence of stage-by-stage review and approval; (3) risk management files that exist but aren't maintained as living documents through design changes and post-market data; and (4) supplier qualification programs that evaluate initial selection but don't include ongoing performance monitoring. Each is correctable — but they require substantive process work, not just document revision.
Do I need ISO 13485 if I'm already compliant under 21 CFR Part 820?
FDA compliance and ISO 13485 certification serve different purposes. FDA compliance is a legal requirement for devices marketed in the United States. ISO 13485 certification is required by regulatory authorities in international markets and is increasingly expected by domestic healthcare system procurement processes as a quality indicator. With the February 2026 QMSR harmonization, the quality system work required for each is now substantially overlapping — which means building your QMS with ISO 13485 in mind simultaneously builds QMSR-compliant infrastructure. There is more reason now than at any prior point in the regulation's history to pursue both in a coordinated, integrated way.
Last updated: 2026-07-07
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.