Guest Column | December 5, 2024

How Does FDA Harmonization With ISO 13485 Impact U.S.-Focused Companies?

By Mayur Patel, Hilde Viroux, and Emanuel Wasson

ISO13485-GettyImages-2182603752

FDA’s harmonization of the Quality System (QS) Regulation with ISO 13485 was long expected. It is welcomed by the global medtech companies, as other jurisdictions like the EU already use ISO 13485 as the basis for the quality management system (QMS). Aligning 21 CFR 820 with ISO 13485 gives those companies one global standard for QMS compliance.

U.S.-focused companies that, until now, only complied with 21 CFR 820 now need to ensure their QMS aligns with ISO 13485 by February 2, 2026.

This article discusses the meaning of this ruling, including the challenges and opportunities it presents.

Meaning Of The Ruling

In the recent FDA ruling, the regulator clearly states its intent to align U.S. code with that of the 2016 edition of ISO 13485. This effort is meant to harmonize QMS requirements that are leveraged by other regulatory authorities, such as those that conform to the EU Medical Device Regulation (MDR) and In Vitro Diagnostics Regulation (IVDR). 21 CFR 820 will be updated to mirror the QMS requirements of ISO 13485. This comes as the FDA and many regulatory and quality professionals had historically called out the numerous overlaps between existing U.S. regulations and the international standard.

Many provisions and requirements of 21 CFR 820 are being amended or added in this harmonization effort. What has been historically known as the QS Regulation since 1996 is being reformatted as the quality management system regulation (QMSR). All the exact text revisions can be viewed on the FDA’s website, but some of the key takeaways from these edits in the code are:

  • ISO 13485 is directly incorporated by reference, including Clauses 0.1 (General), 0.2 (Clarification of Concepts), and 0.4 (Relationship with ISO 9001).
  • Compliance only with ISO 13485 will not fully satisfy the QMSR.
  • The Federal Food, Drug &Cosmetic Act will still supersede ISO 13485 where there are deviations (e.g., definitions for “device,” “labelling,” as well as “safety and performance”).
  • The FDA has adopted new definitions for the terms “correction,” “corrective action,” “customer,” “documenting,” “nonconformity,” “preventive action,” “product,” top management,” and “verification,” in line with ISO 13485 and ISO 9000.
  • The FDA is removing specific requirements for device master record (DMR), design history file (DHF), and device history record (DHR) record types.
  • Product specifications, procedures for manufacturing, measuring, monitoring, and servicing, and requirements for installation that were once a part of a manufacturer's DMR will now be located in the manufacturer's medical device file (MDF).

Key Differences From 21 CFR 820 To Keep In Mind

Quality and regulatory personnel should be diligent in checking deviations between ISO 13485 and QMSR, paying especially careful attention to important distinctions in definitions. FDA announced that it will not provide a mapping of the requirement revisions between the QS regulation, ISO 13485, and the QMSR. However, there are several differences companies should be aware of, a few of which are listed here:

  • In 21 CFR 820, risk is considered in certain aspects like design controls and corrective actions. ISO 13485 has a stronger emphasis on risk management across the entire QMS and life cycle of the device, including a risk-based decision process.
  • 21 CFR 820 focuses on the documentation necessary to meet FDA’s regulatory requirements, including records related to device design, production, and corrective and preventive actions (CAPA). It places less emphasis on overarching QMS documentation compared to ISO 13485.
  • ISO 13485 includes customer satisfaction as part of its requirements, which is a new requirement for 21 CFR 820.
  • 21 CFR 820 has stricter requirements for design documentation, including detailed design history files (DHF), design input, design output, design verification, and validation.

Another new element is the ISO 13485 requirement of continuous improvement of the performance of the QMS, which is wider than the robust CAPA system required by 21 CFR 820. Per ISO 13485, the QMS is a living thing, not just a set of procedures that document how things are done. ISO 13485 implementation should be the responsibility of the senior management, as the standard requires senior management commitment to the QMS. Senior management also needs to drive the continuous improvement through the mandatory management reviews.

Companies that need to adapt their QMS to ISO 13485 need to be aware of the effort required and the time it will take to implement. There is currently no indication that the FDA will extend the deadline for manufacturers to adopt the new QMSR.

Opportunities And Benefits Of Harmonization

This harmonization effort with the FDA coincides with the agency’s efforts to simplify documentation and align with international peers. Since the conclusion of the medical device single audit program (MDSAP) pilot in 2017, the FDA and other agencies have used the audit program to minimize the documentation burden for themselves and manufacturers. Having a QMS that satisfies global requirements will ultimately reduce cost and time associated with preparing for audits. Having standardized submission documentation for global submissions will result in a shorter preparation time and faster time to market and therefore increase the ability to capture market share. There are more benefits than these financial predictions.

There are operating model opportunities with this harmonization effort. Companies may be able to leverage their QMS and their quality and regulatory staff as enterprise support rather than country-specific teams. With a global, united team, there can be more frequent knowledge sharing and response to issues, which could allow organizations to prevent remediation costs from recalled products and respond to quality issues faster.

What Are The Next Steps?

Using all of the above information as a basis, companies should be aware of the effort required to implement ISO 13485 requirements. To quantify the effort, execute a gap assessment of the current QMS with ISO 13485. Based on the gaps identified, develop an implementation plan with timelines, stakeholders, responsibilities, and key performance indicators (KPIs).

A timely start will be imperative; due to the wider scope of risk management, additional CAPAs may have to be initiated. Especially if there is an impact on product labelling, this may be a lengthy remediation activity.

Even if a company only sells its products in the U.S., implementation of ISO 13485 will benefit overall performance due to the requirements of continuous improvement. It will facilitate potential expansion outside of the U.S. as the QMS is already in compliance with other jurisdictions’ requirements.

About The Authors:

Mayur Patel is an expert in QMS and software as a medical device at PA Consulting.

Hilde Viroux is a senior regulatory strategist at PA Consulting focusing on new and emerging legislation affecting the regulatory function.






Emanuel Wasson co-authored this article while employed as a medtech expert at PA Consulting with a niche on product development and business model design. He is now a project manager at 10XBeta Venture Studio. He has a MSE in bioengineering innovation and design from Johns Hopkins University and a BS in biomechanical engineering from Marquette University.