If you build medical devices, your quality system is under a microscope—by regulators, by customers, and increasingly, by your own team. Every decision, document, and deviation is traceable, auditable, and high-stakes.

That’s why most manufacturers operate within two frameworks: ISO 13485, the international standard for medical device quality, and 21 CFR Part 820, the FDA’s Quality System Regulation. Each comes with its own expectations, structure, and terminology. Navigating both has long been the norm.

But that will soon be changing.

The FDA is sunsetting 21 CFR 820 as we know it and replacing it with a new Quality Management System Regulation (QMSR) that aligns with ISO 13485:2016. The intent: create one harmonized standard that reduces duplication and improves global consistency. The compliance deadline is February 2026, but the time to prepare is now.

This shift raises a critical question for operations and quality leaders: how different are these frameworks, and what does it take to align your QMS with what’s coming?

Let’s take a closer look.

An overview of ISO 13485:2016

ISO 13485:2016 is the quality management standard for medical devices used across much of the world. If you’re selling into Europe, Canada, or Australia, chances are you’re already familiar with it. According to a recent ISO survey, as of the end of 2023, there were 32,963 valid ISO 13485:2016 certificates issued globally, covering over 52,950 sites.

Unlike broader standards like ISO 9001, this one is built specifically for the medical device industry. It spells out what manufacturers need to have in place to design, build, and support devices that are consistently safe and effective. And in most countries, certification isn’t optional; it’s a gate you need to pass through to access the market.

The standard covers a lot, but a few themes come up again and again: risk, control, and documentation.

It starts with risk management. Not just for the product itself, but for every process that could impact safety or quality. ISO 13485 expects companies to apply a risk-based lens across the lifecycle, from design and procurement to complaints and recalls.

Design controls are another core piece. You need documented inputs, outputs, verification, validation, and a clear change process. This is critical for showing that the product you designed is the one you’re actually making, and that it does what it’s supposed to do.

Documentation and record-keeping are non-negotiable. The standard calls for a full quality manual, written procedures, and evidence that those procedures are followed. Auditors will expect to see everything from training records to inspection results to software validation reports.

That leads to another key requirement: validating your software and special processes. If you’re using software for inspections, data logging, or quality tracking, it needs to be tested and validated for how it’s being used. Same goes for any process that can’t be verified just by checking the final product—like sterilization or welding.

Supplier oversight matters, too. You need a process for selecting, qualifying, and monitoring vendors, especially those that impact product quality. One-time approval isn’t enough. ISO 13485 wants to see ongoing evaluation and documented performance.

And finally, the standard expects a closed-loop approach to quality: internal audits, traceability, and CAPA. That means you’re regularly auditing your own system, tracing every part and product through your process, and addressing issues in a structured way that prevents repeat problems.

For manufacturers who already operate with discipline, ISO 13485 often reflects what they’re already doing—just with more structure and stronger documentation. And with the FDA moving to adopt this framework, it's quickly becoming the common language of quality, both in the U.S. and globally.

Overview of 21 CFR Part 820 (Current FDA QSR)

21 CFR Part 820 is the FDA’s Quality System Regulation—the legal framework that governs how medical devices are made, labeled, and distributed in the U.S. If you manufacture devices for the U.S. market, compliance isn’t optional. This is the rulebook.

The regulation has been on the books since the late ‘90s and was designed to give manufacturers flexibility in how they meet quality goals. Unlike ISO 13485, which prescribes a lot of structure and documentation, the QSR is more performance-based. It defines what you need to achieve, but gives you leeway in how you do it.

That said, the core expectations are clear.

Management responsibility is a foundational piece. FDA expects senior leadership to define a quality policy, assign roles and responsibilities, and actively review system performance. This isn’t a set-it-and-forget-it exercise—executives are expected to stay engaged and accountable.

For most device classes, design controls are mandatory. You need to show how design inputs were defined, how they were tested, and how final designs were validated against user needs. This includes maintaining a complete Design History File (DHF) that documents every decision, change, and approval along the way.

In production, manufacturers are expected to establish process controls that ensure devices are built consistently and meet specifications. If a process can’t be verified by inspecting the end product—like welding or sterilizing—it must be validated. That means defined protocols, documented test results, and proof that the process is repeatable.

Complaint handling is another focus area. Companies must evaluate every complaint for potential reporting under the Medical Device Reporting (MDR) regulation. If a complaint suggests a product may have caused harm (or could do so in the future), it must be investigated thoroughly and reported to FDA when applicable.

Training and documentation requirements are straightforward: employees must be trained for the roles they perform, and training records must be kept. If someone’s work could impact device safety or compliance, there needs to be clear proof that they’re qualified to do it.

One area where 21 CFR Part 820 historically differed from ISO 13485 is internal audits. Under the current regulation, FDA inspectors weren’t allowed to review internal audit findings or management review minutes. That’s changing under the new QMSR, but it’s worth noting—this built-in privacy shaped how many U.S. companies managed those processes.

So while the QSR and ISO 13485 share a lot of common ground, they’ve taken slightly different paths over the years. One leaned more on flexibility, the other on structure. But with harmonization on the horizon, those differences are now fading.

Key Differences Between ISO 13485 and 21 CFR 820

While both ISO 13485 and 21 CFR Part 820 exist to make sure medical devices are safe, effective, and built under a functioning quality system, they differ in how they get there. Here’s where the two diverge:

Documentation and prescriptiveness

ISO 13485 is more explicit about what needs to be documented. It calls for a formal quality manual, defined procedures for each process, and specific records to back it all up. While the FDA’s QSR also requires documentation, it’s written to be more flexible. The focus is on whether your processes are effective, not necessarily on whether you’ve labeled everything according to a template.

In practice, this means companies following ISO 13485 often have more structure baked into their systems—something that can be helpful (or burdensome), depending on your organization.

Risk management integration

This is one of the biggest differences. ISO 13485 weaves risk into nearly every part of the quality system. From design planning to supplier oversight, risk-based thinking is expected throughout. It also ties directly into ISO 14971, the medical device risk management standard.

By contrast, the current 21 CFR 820 doesn’t mention risk in the same way. Risk shows up indirectly—in how you approach CAPAs or design validation—but there’s no system-wide expectation for a formal risk management process. That’s a gap the FDA is closing with the upcoming QMSR.

Supplier control rigor

Both frameworks require manufacturers to vet and monitor suppliers. But ISO 13485 goes further. It expects you to establish specific selection criteria, maintain records of evaluations, and continuously monitor supplier performance. The FDA’s approach is a bit lighter—it focuses on ensuring purchased components meet requirements, but doesn’t prescribe exactly how to get there.

That difference can catch companies off guard, especially if they’re ISO-audited for the first time and don’t have formalized supplier scorecards or documented re-evaluations.

Software validation requirements

This is one area where the two are largely aligned, but ISO 13485 tends to spell it out more clearly. Any software that supports production or the QMS must be validated for its intended use. FDA’s 820.70(i) says the same thing—but in fewer words.

Where ISO gets more attention is on electronic systems like document control, training platforms, and audit tracking tools. If you’re using a digital QMS, ISO auditors will want to see validation records, and so will FDA inspectors under the new QMSR.


Internal audit transparency

This discrepancy is subtle, but important. Under the current QSR, FDA inspectors don’t review internal audit results or management review records. That privacy gave more space to be candid during audits without regulatory risk.

ISO 13485, however, does not offer that same protection. Auditors can (and do) ask to see findings, follow-up actions, and evidence of closure. Once QMSR takes effect, the FDA will do the same. This change raises the bar on internal accountability, and companies will need to be ready.

Regulatory enforcement mechanisms

Finally, there’s the matter of enforcement. ISO 13485 compliance is typically verified through third-party certification audits. 21 CFR 820, on the other hand, is federal law—enforced directly by the FDA. That means inspection findings can lead to 483 observations, Warning Letters, or more serious actions.

In that sense, FDA enforcement has always carried more weight. The QMSR doesn’t change that, but by aligning with ISO 13485, it gives manufacturers a clearer, more consistent framework to operate within.

Feature | ISO 13485 | 21 CFR Part 820
21 CFR Part 820 | Required for market access in many countries; recognized international standard | Legally enforced U.S. federal regulation
Risk Management | Integrated throughout the QMS | Not explicitly required (until QMSR)
Internal Audit Transparency | Auditors can review audit and management review records | Historically exempt from FDA review (changing under QMSR)
Supplier Oversight | Requires formal qualification and ongoing evaluation | Focuses on incoming product acceptance
Enforcement | Assessed by notified bodies or registrars | Direct FDA inspections and enforcement actions

The FDA QMSR and What It Means for Manufacturers

The core of the QMSR is pretty straightforward: if your quality system complies with ISO 13485, you’ll be in compliance with FDA requirements, too. But the FDA didn’t just hand over the reins. They added a few U.S.-specific expectations that ISO doesn’t fully cover, including:

  • Complaint file documentation

  • Unique Device Identification (UDI) recordkeeping

  • Labeling and packaging inspections

  • Specific definitions tied to U.S. law, such as “safety and effectiveness” versus ISO’s “safety and performance”

In other words, you can’t just copy/paste your ISO certification and call it a day. But if you’re already following ISO 13485 closely, you’re likely in good shape.

The timeline

The QMSR goes into effect on February 2, 2026. That gives manufacturers about two years to get their systems ready from the time of announcement. Some companies won’t need to do much—especially those already certified to ISO 13485. Others, particularly those that have only followed the QSR, will need to take a closer look.

This isn’t the kind of update you can push off until the last minute. If your current system is heavily tailored to 21 CFR 820, now’s the time to do a gap assessment and see what needs to change.

Inspection changes are coming, too

One of the more overlooked shifts in the QMSR is how FDA inspections will work. Under the old rule, FDA inspectors weren’t allowed to look at internal audit results or management review records. That’s going away.

Once QMSR takes effect, those documents become fair game. In 2024 alone, the FDA issued 45 warning letters related to medical devices—31 of which cited violations of the Quality System Regulation. The most common issues: design controls (22 letters), CAPA (19), and complaint files (13). That’s a clear signal of where regulators are paying attention, and a preview of how enforcement will look moving forward.

The FDA has also said it’s moving away from its traditional QSIT inspection model. While details are still pending, inspections will likely become more aligned with how ISO audits are performed—less checklist-driven, more process-focused.

Why this matters beyond compliance

The main reason this change is happening? To reduce the burden on manufacturers who sell into multiple markets. Up until now, U.S. companies have had to maintain one system for FDA and another for the rest of the world. That meant duplicate procedures, extra audits, more complexity, and ultimately, more cost.

With this shift, manufacturers can streamline. You’ll be able to build one quality system—centered on ISO 13485—and know it meets expectations both in the U.S. and abroad. That saves time, reduces risk, and simplifies everything from supplier audits to software validation.

It also gives companies a clearer path forward. Instead of parsing two different sets of terminology and structure, teams can focus on building a single system that works—everywhere.


How platforms like Tulip support quality and compliance

If you've ever managed a CAPA in a spreadsheet, chased a missing training record the day before an audit, or tried to piece together traceability from three different systems—you know the limitations of manual quality processes. They're slow, fragile, and hard to scale.

That’s where a platform like Tulip makes a real difference. It doesn’t just digitize forms. It gives your team the tools they need to run quality processes the way they should work: in real-time, with clear ownership, and nothing falling through the cracks.

CAPAs, document control, and audit trails—handled automatically

In Tulip, CAPA management can be built directly into the apps guiding your team through their daily workflows. Issues get logged, assigned, tracked, and closed out in a structured flow—with time stamps, signatures, and required fields baked in. If something gets missed, the system can flag it before it becomes a bigger problem.

Same with document management. You can control updates, route approvals, and maintain version history all within the platform. Every change is tracked, every access is recorded. When an auditor asks who approved the latest SOP and when, the answer’s there in seconds.

Training and traceability, visible at a glance

You don’t need to keep training records in a binder anymore. With Tulip, you can track who’s been trained, who’s due for a refresher, and whether they’ve acknowledged the latest procedure updates. The system can even block access to certain workflows until someone completes their required training.

As for traceability? Every time an operator interacts with a Tulip app—scans a barcode, inputs a measurement, completes a checklist—that data is recorded and linked. You can trace a product back to the components, lot numbers, equipment, and people involved. And you can do it without digging through piles of paperwork.

Apps that cover the real-world stuff: complaints, suppliers, audits

Tulip’s app library includes pre-built apps for quality checks, internal audits, deviations—you name it. These aren’t just static forms. They’re interactive apps that guide your team through each step of the process, help enforce consistency, and keep everything stored in one place.

If a customer complaint hits a certain threshold, it can trigger a CAPA automatically. If a supplier fails a quality check, the system can schedule a follow-up review or escalate to the right person. You’re not just collecting data—you’re using it to drive continuous improvement.

Built with compliance in mind

Tulip is ISO 9001:2015 certified, and it’s designed to support teams working in GxP and regulated environments. That includes built-in electronic signatures, audit trails, access controls, and everything else you’d expect in a system that’s built to stand up to scrutiny.

Whether you're preparing for ISO 13485 certification, getting ahead of the FDA’s QMSR changes, or just tired of juggling too many disconnected tools, Tulip gives you a practical way to bring it all together—without adding complexity.

One System, One Standard, Less Headache

The FDA’s move to adopt ISO 13485 isn’t just another compliance hurdle. It’s a chance to simplify.

For years, quality teams have had to keep one foot in ISO, one foot in FDA, and a stack of extra documentation in between.

With the QMSR, manufacturers can finally build one system that satisfies both—and focus more on making great products and less on duplicating paperwork.

If you’re already aligned with ISO 13485, you’re ahead of the game. If you’re not, now’s the time to take a serious look. Waiting until 2026 means rushing later. Starting now means building a stronger foundation, with better controls, clearer traceability, and fewer surprises during inspections.

That’s where platforms like Tulip come in.

Tulip isn’t just software—it’s a way to modernize how quality gets done. With apps for training, CAPA, complaints, audits, and more, teams can move faster without cutting corners. You get the structure ISO 13485 requires, with the flexibility to adapt as your operations grow.

Regulations will keep evolving. Expectations will keep rising. The question is whether your systems are built to keep up.

Tulip is—and it’s built for teams that are ready to treat quality as an asset, not an obstacle.

Turn quality processes into connected, traceable workflows

With Tulip, your quality system isn’t just audit-ready—it’s connected to the work your team does every day. Digitize procedures, enforce traceability, and surface the records auditors care about.
