Medical device manufacturers operating in the U.S. face a familiar compliance puzzle: build a quality management system that satisfies both ISO standards and FDA requirements without running two parallel bureaucracies. In my experience working with 200+ clients across regulated industries, the companies that struggle most are the ones who treat these frameworks as fundamentally separate — which, in most respects, they are not.
The structural gap between ISO 9001:2015 and 21 CFR Part 820 is narrower than most compliance teams realize. And since FDA finalized its Quality Management System Regulation (QMSR) in December 2023 — with an effective date of February 2, 2026 — that gap has narrowed further still. Understanding what aligns, what diverges, and what that means for your certification strategy is the practical work this article is designed to do.
Why These Two Standards Grew Up Together
The original 21 CFR Part 820 Quality System Regulation, published by FDA in 1996, was not developed in isolation. FDA explicitly modeled its structure on ISO 9001 (then the 1994 version), borrowing its emphasis on documented procedures, management responsibility, training, design controls, and corrective action. The preamble to the 1996 rule acknowledged the relationship directly.
ISO 9001 has since gone through two significant revisions — 2008 and 2015 — while 21 CFR Part 820 held largely in place until FDA's 2024 overhaul. The QMSR, which took effect February 2, 2026, replaced the original QSR framework by incorporating ISO 13485:2016 by reference. That single move made ISO alignment a legal requirement for U.S. medical device manufacturers, not just a best practice.
ISO 13485 is the medical device-specific quality management standard, and it is itself built on the structure of ISO 9001. So the lineage runs: ISO 9001 → ISO 13485 → FDA QMSR. Understanding that chain is the first step toward a sane compliance strategy.
As of the ISO Survey 2022, ISO 9001 holds over 1 million certifications across 170+ countries — making it the most widely adopted QMS standard in the world and the natural foundation for any regulated industry QMS build.
The QMSR Transition: What Actually Changed
FDA's December 2023 final rule was the most significant update to medical device QMS requirements since 1996. Three changes matter most:
ISO 13485:2016 is now incorporated by reference. Rather than maintaining FDA-specific language that paralleled ISO requirements, FDA adopted the ISO 13485 framework directly. If you hold an ISO 13485 certification and your QMS is compliant, you are substantially aligned with the QMSR.
The term "Quality System Regulation" (QSR) is retired. The regulation is now formally the Quality Management System Regulation (QMSR), though the 21 CFR Part 820 designation remains. You will still hear "Part 820" used informally throughout the industry.
Device-specific requirements were preserved. The QMSR kept certain FDA-specific additions that go beyond ISO 13485 — particularly around complaint handling, MDR filing linkage, and labeling controls. The ISO framework did not completely absorb 820. It anchored it.
Clause-by-Clause Alignment: ISO 9001 vs. 21 CFR Part 820
The table below maps ISO 9001:2015 clauses against the legacy 21 CFR Part 820 QSR sections, with notes on QMSR alignment. This is the fastest way to see where your ISO 9001-compliant QMS already satisfies FDA requirements — and where you need to close gaps.
| ISO 9001:2015 Clause | Topic | Legacy 820 Section | QMSR / ISO 13485 Alignment |
|---|---|---|---|
| 4.1–4.2 | Context, interested parties | 820.5 (Quality system) | Strong — QMSR adds explicit regulatory context |
| 5.1–5.3 | Leadership, quality policy, roles | 820.20 (Management responsibility) | Direct alignment; 820.20 more prescriptive on management review frequency |
| 6.1–6.2 | Risk planning, quality objectives | 820.100 (CAPA) partial | QMSR strengthens risk-based thinking per ISO 14971 linkage |
| 7.1–7.5 | Resources, infrastructure, competence, documented info | 820.25 (Personnel), 820.40 (Document controls) | Strong alignment; 820 record retention requirements are more specific |
| 7.6 / 9.1.1 | Calibration / measurement | 820.72 (Inspection, measuring, test equipment) | Direct alignment |
| 8.1 | Operational planning | 820.20(a) (Quality plan) | Aligned |
| 8.3 | Design and development | 820.30 (Design controls) | 820.30 is more detailed; design history file (DHF) has no ISO 9001 analog |
| 8.4 | External providers / purchasing | 820.50 (Purchasing controls) | Direct alignment; 820 requires qualified supplier list |
| 8.5 | Production and service provision | 820.60–820.86 (Production controls) | Strong; 820 requires device history record (DHR) specifically |
| 8.6–8.7 | Release, nonconforming outputs | 820.80, 820.90 | Direct alignment |
| 9.1–9.3 | Monitoring, analysis, management review | 820.20(c), 820.100 | Aligned; QMSR harmonizes review requirements |
| 10.1–10.3 | Improvement, CAPA | 820.100 (CAPA) | 820.100 CAPA requirements are more prescriptive and FDA-enforceable |
The coverage is genuinely substantial. If you have a mature ISO 9001 QMS, you are probably already doing most of what FDA requires. The question is whether your documentation can prove it in the way an FDA investigator expects.
Where They Diverge: Device-Specific Requirements That Go Beyond ISO 9001
ISO 9001 is a general quality management standard, built to apply across industries — manufacturing, services, healthcare, construction. That breadth is its strength and its limitation when you are making life-sustaining devices.
Design History File (DHF). FDA 820.30 requires a DHF establishing that the device was designed in accordance with approved plans. ISO 9001 clause 8.3 covers design and development, but it does not mandate this specific record. If you are a medical device manufacturer, the DHF is non-negotiable — and it requires more granular documentation than ISO 9001 alone demands.
Device History Record (DHR). The DHR is a compilation of records demonstrating that each device was manufactured in accordance with the Device Master Record (DMR). There is no precise ISO 9001 equivalent. ISO 13485 addresses this directly; ISO 9001 leaves it implied at best.
Complaint Handling. FDA 820.198 requires a formal complaint-handling procedure with specific elements: written records, investigation of every complaint involving a potential malfunction or injury, and MDR evaluation for each complaint received. ISO 9001 addresses customer feedback and nonconformity — but at a level of generality that would not satisfy an FDA investigator reviewing 820.198 compliance.
Medical Device Reporting (MDR) linkage. 21 CFR Part 803 MDR requirements exist outside the QSR/QMSR framework, but your complaint system feeds them. ISO 9001 has no concept of mandatory adverse event reporting to a regulatory body. Building that bridge is gap work, and it matters.
Labeling controls. 820.120 addresses labeling inspection and control in ways that ISO 9001 clause 8.5 does not fully capture — including requirements around label inspection, storage, and issuance controls tied specifically to 21 CFR Part 801.
The practical takeaway: if you are running ISO 9001 and want to layer on FDA 820 / QMSR compliance, you are not starting from scratch. But you do have real gaps to close, and they cluster predictably around design controls, complaint handling, and device-specific records.
What the QMSR Means for Your Certification Strategy
Here is where I think organizations get confused. The QMSR incorporates ISO 13485:2016 by reference — not ISO 9001. ISO 13485 is the medical device-specific standard. It uses ISO 9001 as its structural foundation but adds device-specific requirements, and notably unlike ISO 9001, it does not include continual improvement as a standalone principle — regulatory compliance takes that role.
The practical hierarchy:
- ISO 9001 is the general foundation. It demonstrates your QMS is systematically managed and gives you the structural vocabulary to build on.
- ISO 13485 is the medical device path. It satisfies international market access requirements and now maps directly to FDA QMSR requirements.
- FDA 21 CFR Part 820 / QMSR is the U.S. regulatory obligation — not a certification, but an enforcement reality inspected by FDA investigators with authority to issue warning letters, consent decrees, and import alerts.
If you manufacture medical devices for the U.S. market, your goal is ISO 13485 certification with a QMS that closes the delta on FDA-specific requirements. ISO 9001 certification alone will not get you there, but it is a reasonable foundation if that is where your organization currently sits.
For non-device manufacturers — food, dietary supplements, cosmetics, other FDA-regulated products — the ISO 9001 to 21 CFR Part 820 alignment question is mostly theoretical. The relevant frameworks are 21 CFR Parts 110/117 (food), Part 111 (supplements), or Parts 210/211 (pharma). ISO 9001 provides sound structural discipline for all of them, but 820 is device-specific.
Building an Integrated QMS: A Practical Approach
In my view, the right way to think about this is to build a single QMS with layered compliance — not parallel systems. Here is how that looks in practice.
Start with your ISO 9001 structure. If you are already certified, you have the core architecture: documented processes, management review, internal audit, CAPA, supplier controls, calibration, document control. That architecture is sound and reusable.
Map your gaps against ISO 13485 / 820. A structured gap analysis comparing your current documented QMS against ISO 13485:2016 requirements will surface what is missing. In my experience, the gaps almost always concentrate in four areas: design controls, complaint handling, device-specific records (DHF, DHR, DMR), and risk management integration per ISO 14971.
Close gaps through process expansion, not duplication. You do not need a new CAPA procedure for FDA compliance. You need your existing CAPA procedure to include the elements FDA expects — complaint escalation triggers, MDR evaluation, defined timelines, and documented investigations. Expand what you have rather than layering a second system on top.
Harmonize your documentation structure. FDA expects specific records. ISO 9001 expects documented information. These are compatible — use ISO 9001's document control framework as the mechanism for managing 820-required records. One document control procedure, one calibration record system, one CAPA log.
Prepare for inspection, not just certification. ISO 9001 audits are third-party certification audits. FDA inspections are regulatory enforcement actions. The stakes are different, the inspector dynamic is different, and the documentation review is typically more granular. Our clients achieve 100% first-time audit pass rates in part because we build their QMS for the tougher scrutiny — so the certification audit becomes the easier of the two evaluations they face.
Organizations with a mature ISO 9001 QMS typically need 6–12 months to close the gaps and achieve ISO 13485 certification, depending on product complexity and existing documentation maturity. The design controls gap is usually the most time-intensive to address.
The Five Gap Areas Worth Auditing First
If you want a quick self-assessment of where you stand, these five areas are where the ISO 9001 to 820 gap concentrates:
- Design controls — Does your design and development process capture inputs, outputs, reviews, verification, validation, and transfer in the way 820.30 / ISO 13485 clause 7.3 requires? Is a DHF maintained?
- Risk management — Is ISO 14971 integrated into your design and production processes, or is risk management handled only at the QMS level?
- Complaint handling — Does your complaint procedure meet 820.198 standards, including explicit MDR evaluation language and written investigation records for every complaint?
- Device-specific records — Are you maintaining DHF, DHR, and DMR in a form that would survive an FDA investigator's review?
- Supplier controls — Do you have a formal approved supplier list with documented qualification records?
If you can answer yes to all five with documented evidence, your ISO 9001 QMS is substantially ready for the 820 / QMSR overlay. Most organizations find real gaps in items 1, 3, and 4.
For more on building the documentation foundation your QMS needs, see our guide to ISO 9001 documentation requirements. And if you are working toward certification, how to prepare for an ISO 9001 certification audit covers what auditors actually scrutinize.
Frequently Asked Questions
Does ISO 9001 certification satisfy FDA 21 CFR Part 820 requirements?
No — not on its own. ISO 9001 provides the structural foundation, but FDA 21 CFR Part 820 (now the QMSR) requires device-specific elements that ISO 9001 does not mandate: design history files, device history records, complaint procedures with MDR evaluation, and specific labeling controls. ISO 13485 certification, combined with an FDA-ready QMS, is the appropriate path for medical device manufacturers.
What is the difference between the legacy QSR and the new QMSR?
FDA's original Quality System Regulation (21 CFR Part 820) was published in 1996 and modeled on ISO 9001:1994. The Quality Management System Regulation (QMSR), effective February 2, 2026, replaced the QSR by incorporating ISO 13485:2016 by reference. Device manufacturers must now demonstrate compliance against ISO 13485 requirements rather than the original QSR language — though FDA-specific additions remain.
If I have ISO 13485 certification, am I automatically QMSR-compliant?
Substantially, yes — but not completely. The QMSR incorporates ISO 13485 by reference and includes certain FDA-specific additions that go slightly beyond the ISO standard. ISO 13485 certification is strong evidence of QMSR compliance, but FDA investigators will still review complaint handling procedures for MDR linkage and other device-specific elements during inspections.
How long does it take to transition from ISO 9001 to ISO 13485 for FDA compliance?
In my experience, organizations with a mature ISO 9001 QMS typically need 6–12 months to close the gaps and achieve ISO 13485 certification, depending on product complexity and documentation maturity. Design controls is usually the most time-intensive gap to close. Organizations starting from scratch — no existing QMS — should plan for 12–18 months.
Can a single QMS satisfy both ISO 9001 and 21 CFR Part 820 / QMSR?
Yes — and that is the goal. A well-designed QMS built on ISO 13485 satisfies both international certification requirements and FDA's QMSR. You do not need parallel systems. The key is designing to the more demanding requirements on each dimension, so a single documented process satisfies both auditors and regulators.
Last updated: 2026-06-30
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.