ISO 13485 vs FDA 21 CFR Part 820: Why This Comparison Matters
If you manufacture, distribute, or supply medical devices, you have almost certainly come across both ISO 13485 and FDA 21 CFR Part 820. These two frameworks are the dominant quality system requirements for the medical device industry globally, and understanding the difference between ISO 13485 and FDA 21 CFR Part 820 is not just an academic exercise. It has direct, practical consequences for how you build your quality management system, which markets you can sell into, and how much effort you spend maintaining compliance.
The short version is this: ISO 13485 is an international standard published by the International Organisation for Standardisation, while 21 CFR Part 820 is a set of regulations published by the United States Food and Drug Administration. One is voluntary certification to an internationally recognised benchmark. The other is a legal requirement if you want to sell medical devices in the US market. But the relationship between them is more nuanced than that, and getting it wrong can lead to lost market access, failed audits, and significant rework.
This article breaks down both frameworks in plain terms, explains where they align, where they diverge, and what that means practically for your business.
What Is ISO 13485?
ISO 13485 is the international standard for quality management systems in the medical device industry. It is based on the same high-level structure as ISO 9001, but it is specifically tailored to the regulatory requirements of the medical device sector. Where ISO 9001 focuses broadly on customer satisfaction and continual improvement, ISO 13485 places greater emphasis on regulatory compliance, risk management, and the consistent production of safe and effective medical devices.
The standard was first published in 1996 and has been revised several times, with the current version being ISO 13485:2016. It applies to any organisation involved in the design, development, production, installation, or servicing of medical devices, including component suppliers and distributors who play a role in the supply chain.
Who Publishes ISO 13485 and Who Recognises It?
ISO 13485 is published by the International Organisation for Standardisation. Certification to ISO 13485 is recognised across many major regulatory markets including the European Union, Canada, Australia, Japan, and Brazil. In Australia, the Therapeutic Goods Administration references ISO 13485 as part of its conformity assessment framework for medical devices. In Canada, Health Canada accepts ISO 13485 certification as part of the Medical Device Single Audit Program, known as MDSAP.
Importantly, ISO 13485 is a certifiable standard. That means an accredited certification body can audit your quality management system and issue a certificate confirming conformance. That certificate carries weight in procurement, regulatory submissions, and supply chain qualification.
What Is FDA 21 CFR Part 820?
FDA 21 CFR Part 820 is the Quality System Regulation published by the US Food and Drug Administration. It sets out the requirements that medical device manufacturers must meet to legally sell devices in the United States. It is not a voluntary standard. It is federal regulation, and failure to comply can result in warning letters, import alerts, consent decrees, and product recalls.
Part 820 has been the cornerstone of US medical device quality regulation since 1996. In 2024, the FDA finalised a significant update, replacing the original Part 820 with a revised regulation known as the Quality Management System Regulation, or QMSR. This update formally incorporates ISO 13485:2016 by reference, which is a major development that has substantially narrowed the gap between the two frameworks. However, the two are still not identical, and US-specific requirements remain.
Who Must Comply With 21 CFR Part 820?
Any manufacturer of medical devices that are sold in the United States must comply with 21 CFR Part 820, including the updated QMSR provisions. This includes foreign manufacturers who export to the US. The FDA conducts inspections of manufacturing facilities, and compliance with Part 820 is assessed during those inspections. Non-compliance findings are made public through the FDA's inspection database and can have serious commercial and regulatory consequences.
Key Similarities Between ISO 13485 and 21 CFR Part 820
Because the FDA's updated QMSR explicitly incorporates ISO 13485:2016, the two frameworks now share a great deal of common ground. If you have built a solid ISO 13485 quality management system, you have already addressed a large proportion of what the FDA expects. Here are the main areas of alignment.
Document and Record Control
Both frameworks require robust control over documents and records. You need to control which version of a procedure is current, ensure staff are working from approved documents, and retain records in a way that allows traceability. The requirements are broadly equivalent, though the FDA has historically been more prescriptive about specific record retention periods and formats.
Design and Development Controls
Both ISO 13485 and 21 CFR Part 820 place significant emphasis on design controls. You need to plan your design process, document design inputs and outputs, conduct design reviews, verify and validate your design, and control design changes. This is one of the most inspection-intensive areas under FDA scrutiny, and it is equally important under ISO 13485.
Risk Management Integration
Both frameworks expect risk management to be embedded throughout the quality system. ISO 13485 references ISO 14971, the international standard for risk management of medical devices, as the expected approach. The FDA similarly expects manufacturers to apply risk-based thinking throughout their processes, particularly in design, production, and post-market surveillance.
Supplier and Purchasing Controls
Both require you to evaluate and control your suppliers. You need to qualify suppliers, define purchasing requirements clearly, and verify that purchased products and services meet your specifications. For medical device manufacturers with complex supply chains, this is often one of the most resource-intensive areas of compliance.
Corrective and Preventive Action
CAPA, which stands for corrective and preventive action, is a central requirement in both frameworks. When something goes wrong, or when you identify a potential problem, you are expected to investigate the root cause, implement a fix, and verify that the fix is effective. FDA inspectors pay close attention to CAPA systems, and weak CAPA processes are among the most commonly cited deficiencies in FDA warning letters.
Key Differences Between ISO 13485 and 21 CFR Part 820
Despite the increased alignment following the QMSR update, there are still meaningful differences between the two frameworks. Understanding these differences is critical if you are trying to sell into the US market while also maintaining ISO 13485 certification for other markets.
Legal Status and Enforcement
This is the most fundamental difference. ISO 13485 is a voluntary standard. You choose to certify to it because it opens market access, satisfies customers, and demonstrates regulatory readiness. But no government agency can shut down your operations solely because you lack an ISO 13485 certificate.
21 CFR Part 820 is law. The FDA has the authority to inspect your facility, issue observations, require corrective actions, and ultimately restrict or prohibit your ability to sell devices in the US. The consequences of non-compliance are legal and financial, not just commercial.
US-Specific Requirements That Remain
Even with the QMSR update incorporating ISO 13485:2016, the FDA has added several US-specific requirements that go beyond the international standard. These include explicit requirements around complaint handling and Medical Device Reporting, or MDR, which requires manufacturers to report certain device-related adverse events to the FDA within defined timeframes. ISO 13485 requires a feedback system and post-market surveillance, but the specific MDR reporting obligations are a US regulatory requirement that sits on top of the standard.
Similarly, the FDA's requirements around unique device identification, or UDI, are specific to the US market. UDI is a system for labelling and tracking devices through the supply chain, and compliance with UDI requirements is a regulatory obligation that does not have a direct equivalent in ISO 13485.
Certification vs Compliance
ISO 13485 compliance is demonstrated through third-party certification. An accredited certification body audits your system and issues a certificate. That certificate is renewed through ongoing surveillance audits and recertification cycles. If you want to understand how that process works in practice, the ISO 13485 Stage 1 audit preparation guide covers what to expect in the early stages of that journey.
FDA compliance under 21 CFR Part 820 is not demonstrated through a certificate. It is demonstrated through your ability to pass an FDA inspection. The FDA does not issue a certificate of compliance. Instead, inspectors review your quality system documentation, interview staff, and assess whether your practices match your procedures. The outcome is a clean inspection, a Form 483 with observations, or, in serious cases, a warning letter.
Scope of Application
ISO 13485 applies to any organisation in the medical device supply chain, including distributors and service providers who do not manufacture devices. The standard explicitly allows organisations to exclude design and development requirements if they do not perform those activities, though this must be justified and documented.
21 CFR Part 820 primarily targets manufacturers. Distributors and importers have separate FDA obligations under different parts of the CFR, and the quality system requirements under Part 820 are focused on the manufacturing entity. This distinction matters when you are mapping your supply chain and determining which entities need to be included in your quality system scope.
Language and Structure
ISO 13485 uses the clause-based structure common to ISO management system standards. It is written in the language of quality management, with requirements expressed in terms of processes, documentation, and system elements.
21 CFR Part 820 is written as federal regulation. The language is more prescriptive in places, and the obligations are expressed as legal requirements rather than system requirements. For businesses used to working with ISO standards, navigating the regulatory language of 21 CFR can feel unfamiliar at first.
Do You Need Both ISO 13485 and FDA 21 CFR Part 820 Compliance?
If you sell medical devices in the United States and in other international markets, the practical answer is yes, you need to address both. The good news is that a well-built ISO 13485 quality management system gives you a strong foundation for FDA compliance, particularly after the QMSR update. But you cannot assume that ISO 13485 certification alone satisfies the FDA.
The areas where you will need to do additional work for FDA compliance include your MDR procedures, your UDI implementation, your complaint handling processes as they relate to FDA reportability, and your readiness for FDA inspections, which are different in character from third-party certification audits.
What About MDSAP?
The Medical Device Single Audit Program, or MDSAP, is worth mentioning here because it directly addresses the challenge of demonstrating compliance with multiple regulatory frameworks through a single audit. MDSAP audits assess conformance with the quality system requirements of five participating regulatory authorities: the FDA in the US, Health Canada, ANVISA in Brazil, the TGA in Australia, and PMDA in Japan.
If you are selling into multiple regulated markets, MDSAP can significantly reduce your audit burden. An MDSAP audit is conducted by an authorised auditing organisation and covers both ISO 13485 requirements and the specific regulatory requirements of each participating jurisdiction. The FDA accepts MDSAP audit reports in lieu of routine FDA inspections, which is a significant operational benefit for manufacturers.
Practical Implications for Medical Device Businesses
Understanding the theoretical differences between ISO 13485 and 21 CFR Part 820 is useful, but what matters most is what you actually need to do. Here are some practical considerations.
Build to the Higher Standard First
When you are designing your quality management system, build it to satisfy the most demanding requirements first. In most cases, that means addressing the FDA-specific requirements around MDR, UDI, and inspection readiness alongside your ISO 13485 framework. It is far easier to build these in from the start than to retrofit them later.
Document the Regulatory Requirements That Apply to You
Both frameworks expect you to identify and document the regulatory requirements that apply to your devices and your markets. This is not just a compliance exercise. It forces you to think clearly about which regulations govern your products in each market, and it gives you a basis for gap analysis when requirements change.
Train Your Team on the Differences
Your quality team needs to understand that ISO 13485 certification and FDA compliance are related but distinct. Staff who deal with complaints, design changes, or supplier management need to know which requirements apply in which context. Confusion between the two frameworks is a common source of compliance gaps, particularly in companies that are expanding into the US market for the first time.
Engage Consultants With Dual Expertise
Not every ISO consultant has deep experience with FDA regulatory requirements, and not every regulatory affairs specialist understands ISO management systems well. If you are building a system that needs to satisfy both frameworks, look for advisors who have genuine experience with both. Industry expertise matters enormously in this space, and the cost of getting it wrong in the medical device sector is high.
If you are looking for qualified ISO 13485 consultants or accredited certification bodies, CertBetter can connect you with vetted providers who understand the medical device sector. You submit one form and receive up to three competing quotes from providers who have been verified for their experience and credentials. The service is completely free for businesses seeking certification help.
A Quick Reference Summary
- ISO 13485: International voluntary standard, certifiable by an accredited body, recognised across EU, Australia, Canada, Japan, and other markets
- FDA 21 CFR Part 820 (QMSR): US federal regulation, mandatory for US market access, enforced through FDA inspections
- Alignment: The updated QMSR incorporates ISO 13485:2016, so the frameworks now share significant common ground
- Key differences: Legal enforceability, US-specific MDR and UDI requirements, certification vs inspection-based compliance, and scope of application
- MDSAP: A practical solution for manufacturers selling into multiple regulated markets who want to reduce audit duplication
For businesses that are budgeting for ISO 13485 certification in Australia, it is worth factoring in the additional investment required to address FDA-specific requirements if the US market is on your roadmap. Getting the foundations right early saves significant cost and disruption later.




