Validation & Verification Requirements: What ISO 13485 and the New FDA QMSR Actually Demand (2026 Guide)

ISO 13485 Clause 7.3 requires distinct verification and validation evidence — and the FDA’s new QMSR, effective February 2, 2026, makes the distinction matter more than ever. This guide breaks down design verification, design validation, process validation, and software validation requirements, and shows manufacturers how to build a traceability matrix that survives an audit or inspection.

ISO 13485 verification and validation requirements explained for medical device manufacturers navigating the QMSR transition

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


The Documentation Gap That Fails Design History Files

A design verification report that confirms the device meets its own specifications is not the same thing as a validation report that confirms the device meets the user’s actual needs. Auditors know the difference. Regulatory affairs teams sometimes don’t find out until an FDA inspector or notified body assessor pulls the Design History File and asks for both — and only one exists.

That gap has gotten more consequential, not less. The FDA’s Quality Management System Regulation took effect February 2, 2026, formally incorporating ISO 13485:2016 into 21 CFR Part 820 by reference. Verification and validation records that used to satisfy QSR expectations are now being evaluated against ISO 13485 Clause 7.3 directly — and the two frameworks don’t document V&V identically.

From the Floor: As a certified ISO 9001 Internal Auditor, I’ve sat across the table from teams who could produce a stack of test reports but couldn’t answer a simple question: which of these prove the design meets the specification, and which prove it meets the user’s need? Verification and validation get treated as interchangeable paperwork until an auditor separates them — and by then it’s a finding, not a conversation. The QMS documentation discipline that catches this before an audit is the same discipline that catches it before a submission.

If your last internal audit didn’t clearly separate verification evidence from validation evidence, that’s the gap worth closing first.



In This Guide

  • What verification and validation mean under ISO 13485 Clause 7.3, and why they are not interchangeable
  • How process validation (Clause 7.5.6) differs from design validation
  • Software validation requirements for devices and manufacturing/QMS software
  • What changed under the FDA QMSR effective February 2, 2026
  • The most common V&V documentation failures found in audits and inspections
  • How to structure a verification and validation plan that survives scrutiny




Verification vs. Validation: The Core Distinction

[Infographic: differences between verification and validation under ISO 13485:2016, including design inputs, intended use, testing methods, timing, applicable clauses, and common audit findings.]
This comparison illustrates how verification and validation serve different purposes under ISO 13485 and why both are required for compliant medical device design controls.

Verification confirms that design outputs meet design inputs. Validation confirms that the finished device meets user needs and intended use. That one-sentence distinction is where most documentation failures start, because the two activities can look procedurally similar — testing, measuring, comparing results against criteria — while answering completely different questions.

Element | Design Verification | Design Validation
Question answered | Did we build the design correctly? | Did we build the correct design?
Compared against | Design inputs / specifications | User needs / intended use
Typical methods | Bench testing, inspection, analysis, comparison to similar designs | Clinical evaluation, simulated use testing, human factors studies
Timing | Throughout design and development | Under defined operating conditions, on initial production units or equivalent
ISO 13485 clause | 7.3.6 | 7.3.7
Common failure | Testing against internal spec only, no traceability to input | Validating on prototypes instead of production-equivalent units

Most common finding: auditors and FDA investigators repeatedly cite validation performed on non-representative units — bench prototypes, early builds, or units built on equipment that doesn’t match production. ISO 13485 Clause 7.3.7 specifically requires validation on production or production-equivalent units, under defined operating conditions.


Verification and Validation in Practice: An Infusion Pump Example

Take a manufacturer developing an infusion pump. Design verification confirms the device meets its own engineering specifications:

  • ✅ Flow rate accuracy within the specified tolerance
  • ✅ Battery life meets the stated runtime under load
  • ✅ Alarm volume meets the decibel specification

Design validation confirms something different — that the device works safely in the hands of the people who will actually use it:

  • ✅ Nurses can operate the pump correctly and safely during simulated or actual clinical use
  • ✅ The alarm is audible and distinguishable in a realistic hospital environment, not a quiet test lab
  • ✅ Labeling and instructions for use are understood by the intended users without additional training

A pump can pass every verification test and still fail validation — accurate flow rate and long battery life mean nothing if a nurse under time pressure misreads the alarm or misinterprets the instructions. That’s the gap Clause 7.3.7 is built to catch, and it’s why validation has to happen on production-equivalent units under conditions that resemble actual use.


Design Verification Requirements

Clause 7.3.6 requires that design verification confirms outputs meet input requirements, with results and conclusions recorded, including the methods, dates, and individuals performing the verification. In practice, that means every design input needs a traceable verification activity — not a general statement that “the device was tested.”

If you are building a Design History File from scratch → start with a traceability matrix that maps every design input to its verification method and result before writing a single test protocol. Retrofitting traceability after testing is where most rework happens.

If you are already ISO 9001 certified and adding ISO 13485 → your existing design control process likely covers verification structurally, but it almost certainly lacks the input-to-output traceability rigor ISO 13485 auditors expect. That’s the gap to close first, not the documentation format.

👉 Before You Build Another Test Protocol

Most verification failures aren’t testing failures — they’re traceability failures. Run your design inputs against your current verification records now and find the gaps before an assessor does.


Design Validation Requirements

Design validation under Clause 7.3.7 must be performed on production or production-equivalent units, under defined operating conditions, and must include risk analysis where applicable — which is where ISO 14971 risk management intersects directly with design controls. Validation isn’t complete until it addresses actual clinical or user-environment conditions, not lab conditions that approximate them.

Objection: “Our device is low-risk — do we really need formal simulated-use validation?” Even Class I and low-risk Class II devices need validation evidence proportional to risk, and “proportional” still means documented, traceable, and tied to intended use. A shorter validation plan is defensible. No validation plan is not.

Clinical evaluation, when required, and human factors/usability testing both fall under validation, not verification — a distinction that matters for regulatory submissions referencing FDA guidance on human factors engineering.


Process Validation Under Clause 7.5.6

[Infographic: the three phases of process validation under ISO 13485, Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ), with key activities, outputs, and compliance requirements.]
This infographic explains the roles of IQ, OQ, and PQ in process validation, helping manufacturers understand how each qualification stage supports ISO 13485 and FDA QMSR compliance.

Separate from design validation, ISO 13485 Clause 7.5.6 requires validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement — sterilization, certain sealing and bonding processes, injection molding parameters, and software used in production are the classic examples.

Process validation requires:

  • ✅ Defined criteria for review and approval of the process
  • ✅ Approval of equipment and qualification of personnel
  • ✅ Use of specific methods, procedures, and acceptance criteria
  • ✅ Requirements for records (Clause 4.2.5)
  • ✅ Revalidation criteria, including criteria for triggering revalidation

Most auditors and FDA investigators expect this evidence structured around three stages: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).

Installation Qualification (IQ) confirms that equipment and supporting systems are installed correctly, according to the manufacturer’s specifications and the site’s own installation requirements — including verified utilities, calibration status, and documentation of the as-installed configuration, not just a checklist that the equipment arrived and was plugged in.

Operational Qualification (OQ) confirms that the equipment operates as intended across its full specified operating range, not just at a single nominal setting. For a sterilization process, that means testing at the upper and lower bounds of temperature, time, and pressure defined in the process specification — not only the target parameters.

Performance Qualification (PQ) confirms that the process consistently produces conforming output under actual production conditions, typically across multiple runs and, where risk warrants it, multiple operators, shifts, or lots. PQ is where most revalidation triggers get defined, since it establishes the baseline the process must continue to meet.

If you are validating a sterilization or bonding process for the first time → build your IQ/OQ/PQ protocol before ordering test units. Retrofitting an IQ after OQ testing has already started is a common finding, and it undermines the traceability an assessor is looking for.

If your process hasn’t changed but your equipment or facility has → IQ typically needs to be repeated even when OQ and PQ parameters stay the same, since IQ is tied to the specific installation, not the process design.

Skipping straight to PQ — running production and calling the passing output “validation” — is one of the most common shortcuts auditors flag, because it skips the evidence that the equipment itself is capable of consistently meeting the operating range the process depends on.

If you are outsourcing sterilization or bonding processes → your supplier controls documentation needs to show that you’ve verified the supplier’s process validation, not just received a certificate of conformance.


Software Validation Requirements

Software validation shows up in two places under ISO 13485, and conflating them is a recurring audit finding: software that is part of the device (or used in its production) versus software used for quality management purposes, such as electronic QMS platforms or CAPA tracking tools. Both require validation appropriate to their use, application, and risk — but the depth and method differ substantially, and design-control software validation should be traceable back to the same input/output structure as hardware verification.


What the FDA QMSR Changed for U.S. Manufacturers

The FDA’s Quality Management System Regulation replaced the legacy Quality System Regulation under 21 CFR Part 820, effective February 2, 2026, incorporating ISO 13485:2016 by reference rather than maintaining a separately worded U.S. regulation. For manufacturers who were already ISO 13485 certified, the operational impact on verification and validation practices is smaller than the documentation-mapping impact: DHF, DMR, and DHR content doesn’t necessarily need renaming, but it does need a clear mapping showing where ISO 13485 Clause 7.3 requirements are satisfied within existing U.S. records.

If you were operating under legacy QSR language only → this is the trigger to formally adopt ISO 13485 Clause 7.3 verification/validation terminology and structure, since FDA inspectors are now trained against the ISO clause structure, not the old Part 820 subparts.


Common V&V Documentation Failures

The same handful of gaps show up repeatedly in ISO 13485 QMS audits:

  • No traceability matrix linking design inputs to verification methods and results
  • Validation performed on prototypes rather than production-equivalent units
  • Missing revalidation criteria for processes that later change equipment, materials, or parameters
  • Software validation treated as one-size-fits-all instead of scaled to risk and application
  • Verification and validation dates, methods, and personnel not fully recorded, leaving conclusions without traceable support



Building a Verification & Validation Plan That Holds Up

A defensible V&V plan starts with the traceability matrix, not the test protocols. Build it in this order:

  1. List every design input and requirement
  2. Map each input to a specific verification method and acceptance criterion
  3. Identify which requirements also require validation evidence, and under what conditions
  4. Define production-equivalent unit criteria before validation begins
  5. Build revalidation triggers into the plan up front — not as an afterthought after a process change

This structure is what turns a stack of individual test reports into a Design History File that answers an assessor’s questions instead of prompting more of them.
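
A gap check over a traceability matrix built in the order above, as an added example that is not part of the original article. The field names, gap messages, and sample rows (modeled on the infusion pump example) are assumptions constructed for illustration.

```python
"""Traceability-matrix gap check (added example; all names are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Unit types accepted as evidence for design validation (Clause 7.3.7).
ACCEPTED_UNITS = {"production", "production-equivalent"}


@dataclass
class Evidence:
    method: str = ""
    result: str = ""
    date: str = ""
    performed_by: str = ""

    def missing_fields(self) -> List[str]:
        # A record needs method, result, date and personnel to be traceable.
        return [name for name in ("method", "result", "date", "performed_by")
                if not getattr(self, name).strip()]


@dataclass
class ValidationEvidence(Evidence):
    unit_type: str = ""       # e.g. "prototype" or "production-equivalent"
    risk_reference: str = ""  # pointer into the risk management file


@dataclass
class DesignInput:
    input_id: str
    requirement: str
    acceptance_criterion: str = ""
    verification: Optional[Evidence] = None
    needs_validation: bool = False
    validation: Optional[ValidationEvidence] = None


def find_gaps(matrix: List[DesignInput]) -> List[Tuple[str, str]]:
    """Return (input_id, gap) pairs in matrix order."""
    gaps: List[Tuple[str, str]] = []
    for row in matrix:
        if not row.acceptance_criterion.strip():
            gaps.append((row.input_id, "no acceptance criterion"))
        if row.verification is None:
            gaps.append((row.input_id, "no verification record"))
        else:
            for name in row.verification.missing_fields():
                gaps.append((row.input_id, f"verification missing {name}"))
        if not row.needs_validation:
            continue
        val = row.validation
        if val is None:
            gaps.append((row.input_id, "no validation record"))
            continue
        for name in val.missing_fields():
            gaps.append((row.input_id, f"validation missing {name}"))
        if val.unit_type not in ACCEPTED_UNITS:
            unit = val.unit_type or "unspecified"
            gaps.append((row.input_id,
                         f"validated on non-representative unit: {unit}"))
        if not val.risk_reference.strip():
            gaps.append((row.input_id,
                         "validation rationale has no risk reference"))
    return gaps


# Constructed sample rows; IDs, dates and names are placeholders.
SAMPLE_MATRIX = [
    DesignInput("DI-001", "Flow rate accuracy within tolerance",
                acceptance_criterion="within specified tolerance",
                verification=Evidence("bench test", "pass",
                                      "2026-01-12", "test engineer A")),
    DesignInput("DI-002", "Battery life meets stated runtime under load",
                acceptance_criterion="meets stated runtime",
                verification=Evidence("bench test under load", "pass",
                                      "2026-01-14", "")),
    DesignInput("DI-003", "Alarm audible in a realistic hospital environment",
                acceptance_criterion="meets decibel specification",
                verification=Evidence("sound level measurement", "pass",
                                      "2026-01-15", "test engineer B"),
                needs_validation=True,
                validation=ValidationEvidence(
                    method="simulated-use study", result="pass",
                    date="2026-02-10", performed_by="usability team",
                    unit_type="prototype", risk_reference="")),
    DesignInput("DI-004", "Instructions for use understood by intended users",
                acceptance_criterion="users complete tasks without training",
                needs_validation=True),
]

if __name__ == "__main__":
    for input_id, gap in find_gaps(SAMPLE_MATRIX):
        print(f"{input_id}: {gap}")
```
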

[Infographic: how verification and validation fit into the ISO 13485 design control process, from user needs and design inputs through production-equivalent units, validation, and Design History File documentation.]
This workflow shows how verification and validation integrate into ISO 13485 design controls to produce a complete, traceable Design History File for regulatory compliance.

Quick Audit Checklist

  • ✅ Every design input has a documented verification method and result
  • ✅ Validation was performed on production or production-equivalent units
  • ✅ Risk analysis is referenced in the validation rationale
  • ✅ Process validation records include revalidation criteria
  • ✅ Software validation is scaled to intended use and risk
  • ✅ Verification and validation records include dates, methods, and personnel
  • ⚠️ Watch for validation evidence copied from an earlier device without device-specific justification

FAQ

What is the difference between verification and validation in ISO 13485?

Verification confirms design outputs meet design inputs — did we build it correctly. Validation confirms the finished device meets user needs and intended use — did we build the correct thing. They require separate evidence and cannot substitute for each other.

Does ISO 13485 require validation on production units?

Yes. Clause 7.3.7 requires design validation on production or production-equivalent units under defined operating conditions, not on early prototypes or bench models that don’t reflect final manufacturing.

What processes require process validation under Clause 7.5.6?

Any process where output cannot be fully verified by later inspection or testing — common examples include sterilization, certain welding and bonding processes, injection molding, and adhesive curing.

How did the FDA QMSR affect verification and validation requirements?

The QMSR, effective February 2, 2026, incorporates ISO 13485:2016 into 21 CFR Part 820 by reference. Manufacturers now need documentation that maps clearly to ISO 13485 Clause 7.3, even if internal DHF/DMR/DHR naming stays the same.

Do low-risk devices still need design validation?

Yes, though the depth can scale with risk. A shorter, risk-justified validation plan is acceptable; skipping validation entirely is not.

Does software need separate validation from the device it’s part of?

Software validation is required both for software that’s part of or used in producing the device, and for software used for quality management purposes — but the required depth and method differ by application and risk.

What’s the most common finding auditors cite for validation?

Validation conducted on non-representative units — prototypes or early builds that don’t match production configuration or manufacturing conditions.

Where does risk management fit into verification and validation?

ISO 14971 risk management activities feed directly into what needs validation and how rigorously, particularly for design validation rationale and process revalidation triggers.




Verification proves your engineers met the specification. Validation proves your customers can safely use the product. Auditors expect both. Regulators require both. A complete Design History File demonstrates both through traceable evidence — not one comprehensive-sounding report that tries to do both jobs at once.


Stay Ahead of the Next V&V Finding

Design History File gaps rarely surface during routine work — they surface during an audit or inspection, when there’s no time left to fix them. Manufacturers who catch the verification/validation split early walk into assessments with a traceability matrix that answers questions before they’re asked. Manufacturers who don’t end up spending the assessment explaining why validation was performed on a prototype.

The Standards Navigator tracks ISO 13485, QMSR, and medical device compliance requirements as they develop — including changes that affect how verification and validation get documented.


Medical Device Compliance Standards: What Manufacturers Need to Know in 2026

Medical device manufacturers face a layered compliance framework — ISO 13485, ISO 14971, FDA QMSR, and EU MDR each impose specific requirements that must work together as an integrated system. This guide explains the core standards, how they interact, and what manufacturers need to prioritize at each stage of the compliance process.

The regulatory framework every medical device manufacturer must understand before the first audit



The Compliance Gap That Gets Medical Device Manufacturers in Trouble

Most medical device manufacturers don’t fail audits because they ignored the requirements. They fail because they didn’t understand how the requirements connect — and which standards they were actually obligated to meet.

The medical device compliance standards landscape is layered. ISO 13485 sets the QMS framework. ISO 14971 governs risk management. FDA regulations run parallel to international standards and don’t always align. Supplier controls, sterilization validation, design controls, and labeling each carry their own standard reference. A manufacturer who treats these as independent checkboxes instead of an integrated system is building toward an audit finding — or worse, a product recall.

The stakes are not abstract. The FDA issued 483 observations totaling thousands of findings in the medical device sector last year. Most cited documentation gaps, inadequate CAPA processes, or failure to meet design control requirements — all areas governed by the standards covered in this guide.

I’ve worked in quality systems that span heavy industrial, energy, and manufacturing environments — and the pattern I’ve seen across every sector is the same: organizations that struggle with audits are usually managing compliance requirements in silos. In the medical device world, that problem is amplified because the regulatory framework is both more complex and less forgiving than most industrial standards. Getting the structure right before your first audit is not optional — it’s the difference between certification and a warning letter.


In This Guide:

  • The core standards every medical device manufacturer must know
  • How ISO 13485, ISO 14971, and FDA regulations interact
  • US vs. EU regulatory requirements compared
  • Supplier control and special process standards
  • Decision-stage guidance: what to prioritize based on where you are in the compliance process



The Core Standard: ISO 13485:2016

[Infographic: ISO 13485:2016 clause structure and comparison of ISO 13485 versus ISO 9001 requirements for medical device quality management systems.]
A visual breakdown of ISO 13485:2016 requirements and how they differ from ISO 9001 for medical device manufacturers.

ISO 13485:2016 is the international standard for quality management systems specific to medical device manufacturers and their supply chains. It is the foundation of medical device compliance worldwide.

ISO 13485 is not simply ISO 9001 with medical device language added. The two standards share structural similarities through the harmonized high-level clause structure, but ISO 13485 imposes stricter requirements in several critical areas ISO 9001 leaves to organizational discretion:

Requirement Area | ISO 9001:2015 | ISO 13485:2016
Risk management | Risk-based thinking (general) | Formal risk management required (links to ISO 14971)
Design controls | Required | More prescriptive — validation, verification, design transfer
CAPA | Required | More detailed — specific investigation and effectiveness checks
Regulatory requirements | Not addressed | Explicitly required — must identify and meet applicable regs
Sterile product controls | Not addressed | Specific controls for sterile devices
Supplier controls | Required | More stringent — supplier qualification and monitoring
Document and record retention | Not specified | Specific retention periods tied to device lifetime

If you are ISO 9001 certified and entering the medical device market, you are not starting from scratch — but you are adding significant requirements. The gap is larger than most manufacturers expect.

If you need the standard itself, ISO 13485:2016 is available through the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026.

Most common finding: Inadequate document control — specifically, failure to control the review and approval of documents and maintain records of changes. ISO 13485 Clause 4.2 is one of the most frequently cited areas in FDA 483 observations.


Risk Management: ISO 14971:2019

ISO 14971 is the international standard for risk management applied to medical devices. It is not optional if you are manufacturing medical devices — ISO 13485 explicitly requires you to apply risk management throughout the product lifecycle, and ISO 14971 is the recognized method for doing it.

ISO 14971:2019 defines the process for:

  • Identifying hazards associated with a medical device
  • Estimating and evaluating associated risks
  • Controlling those risks
  • Monitoring the effectiveness of controls

The relationship between ISO 13485 and ISO 14971 is not optional. ISO 13485 Clause 7.1 requires organizations to establish risk management requirements for product realization. ISO 14971 is the standard that defines what “proper” risk management looks like. Auditors will look for evidence that your risk management file connects directly to your design controls, production processes, and post-market surveillance activities.

ISO 14971 vs. ISO 13485 — understanding how they interact is one of the most common questions from manufacturers building a QMS for the first time.

If your risk management files exist independently of your design control documentation — that is an audit finding waiting to happen. Most teams miss the linkage between hazard identification in the risk management file and the verification/validation activities in the design history file.

Run your gap assessment before you go further — most QMS gaps in medical device companies trace back to missing connections between ISO 14971 risk files and ISO 13485 design controls: ISO 13485 Gap Assessment Checklist


US Regulatory Requirements: FDA QMSR and 21 CFR Part 820

US medical device manufacturers operate under FDA jurisdiction. The Quality Management System Regulation (QMSR), which took effect February 2, 2026, replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820.

The QMSR represents a significant shift: it incorporates ISO 13485:2016 by reference as the baseline for device QMS requirements. This means FDA-regulated manufacturers who are ISO 13485 certified are closer to QMSR compliance than they were under the old QSR — but important differences remain.

Area | ISO 13485:2016 | FDA QMSR (2026)
Scope | International | US market devices only
Complaints | Required | Required + specific MDR reporting timelines
Corrections and removals | Addressed in CAPA | Specific FDA reporting requirements (21 CFR Part 806)
UDI | Not addressed | Required for most device classes
Electronic records | Not specified | 21 CFR Part 11 compliance required
Third-party audits | Required for ISO 13485 certification | FDA inspections — not third-party certification

Understanding the relationship between FDA QSR and ISO 13485 is essential for US manufacturers — the two frameworks are now more aligned than before, but they are not identical.

If you are selling devices in the US market, FDA QMSR compliance is a legal requirement, not a voluntary certification. ISO 13485 certification does not satisfy FDA obligations — it demonstrates QMS capability but does not substitute for an FDA inspection.

[Infographic: US FDA QMSR and EU MDR regulatory pathways for medical device manufacturers and ISO 13485 quality system requirements.]
A side-by-side comparison of US FDA QMSR and EU MDR pathways showing how medical device compliance differs across global markets.

EU Requirements: MDR and CE Marking

Selling medical devices in the European Union requires CE marking under the EU Medical Device Regulation (MDR 2017/745), which replaced the Medical Device Directive (MDD) and came into full effect in 2021. The transition deadline for legacy MDD-certified devices has been extended but enforcement has tightened significantly.

Key MDR requirements relevant to QMS:

MDR Requirement | Connection to ISO 13485
Technical documentation | Design history file / DHF requirements
Clinical evaluation | Post-market clinical follow-up (PMCF)
Unique Device Identification (UDI) | Traceability requirements
Post-market surveillance (PMS) | Customer feedback and complaint monitoring
Notified Body audit | ISO 13485 certification is typically required
Person Responsible for Regulatory Compliance (PRRC) | Management responsibility — ISO 13485 Clause 5

The MDR is more prescriptive than ISO 13485 in clinical evidence requirements. If you are exporting to the EU, your clinical evaluation report and post-market surveillance plan must meet MDR requirements that go beyond what ISO 13485 explicitly requires.

If you are selling in both the US and EU markets, you are managing two regulatory frameworks simultaneously. This is where a well-structured ISO 13485 QMS becomes particularly valuable — it provides the common foundation that both frameworks build on.


Supplier Controls and Special Process Standards

ISO 13485 Clause 7.4 imposes stricter supplier control requirements than most manufacturers new to the medical device space expect. You are not simply verifying that a supplier has a quality system — you are responsible for ensuring that purchased products and services meet specified requirements and that critical suppliers are evaluated, approved, and monitored.

For medical device manufacturers, supplier controls must address:

  • Supplier qualification — documented criteria for evaluation and approval
  • Incoming inspection — defined acceptance criteria for purchased product
  • Critical supplier monitoring — ongoing performance data, not just initial qualification
  • Supplier audits — for high-risk or critical component suppliers
  • Flow-down requirements — pushing your quality requirements into the supply chain

Special processes — sterilization, biocompatibility testing, coating, welding on implantable components — require additional validation documentation. The relevant standards include:

Process | Standard Reference
Sterilization (EO, radiation, steam) | ISO 11135, ISO 11137, ISO 17665
Biocompatibility | ISO 10993 series
Packaging validation | ASTM F2132, ISO 11607
Software validation | IEC 62304
Electrical safety | IEC 60601 series

These are not optional for manufacturers of the relevant device types. If your device is sterilized, you need sterilization validation documentation. If it contacts patient tissue, you need biocompatibility data. Gaps in special process validation are among the most serious findings an FDA inspector or Notified Body auditor can cite.


Design Controls and Validation Standards

[Infographic: the ISO 13485 design controls and Design History File process, from inputs through outputs, verification, validation, and design transfer.]
A visual guide to the ISO 13485 design controls process and how design inputs become validated, production-ready medical devices.

Design controls are where ISO 13485 certification and FDA compliance intersect most directly. ISO 13485 Clause 7.3 requires a structured design and development process covering:

  • Design and development planning
  • Design inputs (requirements)
  • Design outputs (specifications)
  • Design review at defined stages
  • Design verification (does it meet inputs?)
  • Design validation (does it meet user needs?)
  • Design transfer (can it be manufactured consistently?)
  • Design changes (controlled and documented)

The design history file (DHF) is the physical record of this entire process. It is the first thing an FDA inspector or Notified Body auditor will request. Manufacturers who build their DHF as a collection of unconnected documents — rather than as a traceable record linking inputs to outputs to verification to validation — create significant risk for themselves.

If you are new to building a medical device QMS and need a structured path through these requirements, the ISO 13485 Implementation Roadmap on The Standards Navigator covers the full sequence from gap assessment through certification.

BSI Group offers ISO 13485 training covering both requirements understanding and implementation — useful for teams building their first medical device QMS or transitioning from a general ISO 9001 system.


Labeling and Traceability Standards

Labeling compliance is a specific, frequently cited area in FDA 483 observations. Under both FDA QMSR and MDR requirements, device labeling must meet defined content and format requirements — and the label must be controlled as a quality record.

Key labeling standards and requirements:

  • ISO 15223-1 — symbols used in medical device labeling (required for EU MDR compliance)
  • 21 CFR Part 801 — FDA labeling requirements for US devices
  • UDI requirements — FDA requires Unique Device Identification on most device labels, with submission to the GUDID database

Traceability connects directly to your CAPA and complaint handling processes. If a complaint involves a specific lot or device unit, your traceability records must be sufficient to identify affected products, investigate the root cause, and determine corrective action scope. ISO 13485 Clause 7.5.9 addresses traceability explicitly — and auditors will test it.


How the Standards Work Together

Layered medical device compliance standards infographic showing ISO 13485 as the foundation with ISO 14971, FDA QMSR, EU MDR, supplier controls, CAPA, and traceability requirements.
A visual framework showing how ISO 13485, FDA QMSR, EU MDR, and supporting standards connect into an integrated medical device compliance system.

The most important thing to understand about medical device compliance is that these standards are not independent — they form an integrated system. Here is how they connect:

| Standard | Role in the System |
|---|---|
| ISO 13485:2016 | QMS framework — the backbone that everything else connects to |
| ISO 14971:2019 | Risk management process — required by ISO 13485, referenced throughout |
| FDA QMSR | US regulatory layer — builds on ISO 13485, adds FDA-specific requirements |
| EU MDR | EU regulatory layer — requires ISO 13485 certification via Notified Body |
| IEC 62304 | Software lifecycle — required if your device includes software |
| ISO 10993 | Biocompatibility — required for patient-contacting devices |
| ISO 15223 | Labeling symbols — required for EU MDR labeling compliance |

A manufacturer who has ISO 13485 certification, a complete ISO 14971 risk management file, and solid FDA QMSR documentation has built the framework that all additional standards layer onto. The common mistake is treating each standard as a separate compliance project rather than building the integrated system first.

If you are deciding between prioritizing FDA QMSR or ISO 13485 certification first: in most cases, building to ISO 13485 gives you the QMS foundation that both US and EU regulatory compliance require. The ISO 13485 Documentation Requirements article covers what your QMS documentation set must include.


Quick Compliance Checklist

Use this as a starting reference — not a substitute for a clause-by-clause gap assessment.

✅ ISO 13485:2016 obtained and QMS scope defined
✅ Risk management procedure in place referencing ISO 14971
✅ Design controls documented — inputs, outputs, verification, validation, transfer
✅ CAPA process established with effectiveness verification
✅ Supplier qualification and monitoring program documented
✅ Document and record control procedures in place with defined retention periods
✅ Internal audit program scheduled and resourced
✅ Management review process defined and conducted
✅ Complaint handling and MDR/vigilance reporting process established
✅ UDI requirements evaluated and implemented where applicable
✅ Applicable special process validations identified and documented
✅ Labeling reviewed against ISO 15223 (EU) and 21 CFR Part 801 (US)

⚠️ If you cannot check most of these — complete a formal gap assessment before committing to a certification timeline.


FAQ

Is ISO 13485 certification required to sell medical devices?

ISO 13485 certification is not legally required by US law — the FDA requires QMSR compliance, not ISO 13485 certification specifically. However, ISO 13485 certification is required to sell devices in the EU under MDR, and it is increasingly required by OEM customers and contract manufacturers as a condition of doing business. Most manufacturers targeting both markets pursue certification.

How is ISO 13485 different from ISO 9001?

ISO 13485 is a sector-specific standard derived from ISO 9001 but with significantly stricter requirements in risk management, design controls, CAPA, supplier controls, and regulatory compliance. It does not include the continual improvement emphasis that ISO 9001 requires — instead it focuses on consistent compliance with regulatory requirements. A detailed comparison is covered here.

Do I need ISO 14971 if I am ISO 13485 certified?

Yes. ISO 13485 explicitly requires risk management throughout the product lifecycle and references ISO 14971 as the applicable method. You are not ISO 13485 compliant if your risk management process does not meet ISO 14971 requirements. The two standards work together — you cannot separate them.

What is the FDA QMSR and how is it different from the old QSR?

The Quality Management System Regulation (QMSR) took effect February 2, 2026, and replaced the Quality System Regulation (QSR) in 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, making it more aligned with the international standard. Key differences remain around FDA-specific reporting requirements, UDI obligations, and 21 CFR Part 11 electronic records requirements. A full breakdown of FDA QSR vs ISO 13485 is here.

How long does it take to get ISO 13485 certified?

For a manufacturer building a QMS from scratch, 12–18 months is a realistic timeline. Organizations with an existing ISO 9001 QMS can often close the gap in 6–12 months, depending on how many medical device-specific requirements need to be added. The ISO 13485 Implementation Roadmap covers the full timeline in detail.

What is a Notified Body and do I need one?

A Notified Body is an organization designated by EU member states to assess conformity of medical devices under the MDR. If you are seeking CE marking for Class IIa, IIb, or Class III devices, you must engage a Notified Body — they conduct the audits that verify ISO 13485 compliance and technical documentation. BSI Group is one of the major Notified Bodies offering both training and certification services.

What are the most common ISO 13485 audit findings?

The most frequently cited areas include: inadequate document and record control (Clause 4.2), incomplete CAPA processes with missing effectiveness verification (Clause 8.5.2), insufficient supplier qualification documentation (Clause 7.4), and gaps in design control records — particularly missing design verification and validation evidence (Clause 7.3). Common mistakes in ISO 13485 QMS implementation covers these in detail.

Do my suppliers need to be ISO 13485 certified?

Not necessarily — but you are responsible for ensuring purchased product meets specifications regardless. Whether a supplier needs ISO 13485 certification depends on their criticality and what they supply. Critical component suppliers and contract manufacturers of finished devices are typically expected to be certified. Commodity suppliers may only require documented incoming inspection.


📥 Free Resources

ISO 13485 Gap Assessment Checklist — free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements

ISO 9001 Roadmap — step-by-step implementation guide for manufacturers building or improving a quality management system

Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments

Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts

AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification


Not Sure What to Do Next?

🔹 Still researching your compliance requirements? Start with a gap assessment against ISO 13485 before you invest in implementation. Download the free ISO 13485 Gap Assessment Checklist — it maps every clause so you know exactly where you stand.

🔹 Ready to build your QMS? ISO 13485 training through BSI Group covers requirements, implementation, and internal auditor training — the right sequence for a team building their first medical device QMS.

🔹 Need the standard itself? Buy ISO 13485:2016 through the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026. International buyers can purchase in multiple languages.


Medical device compliance is not a single standard — it is a framework of interconnected requirements that must be built and maintained as a system. Understanding how ISO 13485, ISO 14971, FDA QMSR, and EU MDR relate to each other is the first step toward building a QMS that holds up under audit. The Standards Navigator covers each of these standards in depth — start with the resources above and build from there.


Stay Current on Medical Device Compliance

Regulatory changes in the medical device space don’t slow down. FDA QMSR took effect in 2026. EU MDR enforcement is intensifying. ISO 14971 continues to be misapplied by manufacturers who treat risk management as a documentation exercise rather than an integrated process.

Organizations that keep pace with these changes have one thing in common — they’re not waiting for an audit finding to tell them something changed. The ones that struggle are managing compliance reactively, updating their QMS only when a customer or inspector forces the issue.

The Standards Navigator covers ISO 13485, ISO 14971, FDA regulatory requirements, and the full medical device compliance framework — from standard purchase through certification and ongoing surveillance.

👉 Get updates when new medical device compliance articles publish
👉 Be first to access the ISO 13485 Documentation Kit when it launches


ISO 13485 Implementation Roadmap: How to Build a Compliant Medical Device QMS in 2026

ISO 13485:2016 is now US federal law under the FDA QMSR, making a compliant medical device QMS mandatory rather than optional. This roadmap walks manufacturers through a seven-phase implementation — from gap assessment and scope through risk management, documentation, CAPA, and certification — covering both the international certification path and FDA inspection readiness for US manufacturers building from the ground up.

A step-by-step guide to implementing ISO 13485:2016 — from gap assessment to certification and FDA QMSR readiness



Building a Medical Device QMS Is No Longer Optional in the United States

For years, ISO 13485 sat in a strange position for US manufacturers. It was the global benchmark for medical device quality management — required to sell in the EU, Canada, and most of the world — but inside the United States it was voluntary. You complied with FDA’s Quality System Regulation, and ISO 13485 was a nice-to-have for export.

That changed on February 2, 2026. FDA’s Quality Management System Regulation (QMSR) took effect, replacing the old Quality System Regulation and incorporating ISO 13485:2016 by reference directly into 21 CFR Part 820. The practical effect is blunt: ISO 13485:2016 is now part of US federal law. FDA inspections are conducted against it. The standard you could once ignore at home is now the framework your inspector arrives with.

So whether you are a US manufacturer preparing for your first QMSR-aligned FDA inspection, or an international supplier chasing your first ISO 13485 certificate to unlock the EU market, you face the same task: build a quality management system that survives outside scrutiny. This roadmap walks you through it — clause by clause, phase by phase — from the day you decide to start to the day a registrar or an FDA investigator walks through the door.

This ISO 13485 implementation roadmap is a long article because building a medical device QMS is a long project. Use the table of contents to jump to where you are.


Before you build anything, find out where you actually stand. Most teams overestimate how compliant their existing processes are — and discover the gaps during the certification audit or FDA inspection, when fixing them is expensive and the clock is running. Run a clause-by-clause check against ISO 13485:2016 first.

👉 Download the free ISO 13485 Gap Assessment Checklist and benchmark your QMS in an afternoon, before you commit budget to implementation.


In This Guide

  • Why ISO 13485 implementation looks different in 2026 (QMSR, EU reforms)
  • The realistic timeline and cost of a full implementation
  • A seven-phase roadmap from gap assessment to certificate
  • How risk management (ISO 14971) and design controls fit into the QMS
  • The documentation you actually need — and where teams over-build
  • Internal audit, management review, and Stage 1 / Stage 2 audit preparation
  • FDA QMSR inspection readiness for US manufacturers
  • The mistakes that fail audits — and how to avoid them


👉 Start Here (Top Resources)

If you are implementing ISO 13485 from scratch, these are the three resources that move the project fastest:

  • Build your documentation without a consultant. A complete, pre-written ISO 13485 documentation kit gives you the quality manual, procedures, and records templates structured to the standard — so you spend your time tailoring, not drafting from a blank page. 👉 See the ISO 13485 documentation kits at 9001Simplified
  • Get the official standard. You cannot implement a clause you have not read. Buy ISO 13485:2016 from the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026. ANSI serves international buyers and offers standards in multiple languages.
  • Train your internal team. Your management representative and internal auditors need formal training. BSI Group offers ISO 13485 training courses spanning awareness through lead auditor.

What Makes 2026 Different

ISO 13485:2016 is still the current edition — and it will be for a while. ISO postponed the next revision deliberately to let the 2016 edition “bed in,” with a new version not expected before roughly 2028–2029. So the standard you implement today is the standard you will operate under for years. That stability is good news: it means your implementation work has a long shelf life.

What has shifted is the regulatory context around the standard.

In the United States, the QMSR is the headline. FDA now incorporates ISO 13485:2016 into 21 CFR Part 820, layered with a handful of FDA-specific additions — labeling, UDI, and certain record and definition provisions — that go beyond the ISO text. A critical nuance: the QMSR is “version locked” to the 2016 edition. Future ISO 13485 revisions will not automatically apply in the US unless FDA initiates new rulemaking. Certification to ISO 13485 is still not legally required in the US — FDA inspects you directly — but building your QMS to the standard is now the most direct path to QMSR compliance.

In the European Union, the pressure point is notified body capacity, not the standard itself. EU Implementing Regulation 2026/977, published in May 2026 and applying from February 25, 2027, finally imposes hard maximum timelines on notified bodies — 30 days to review an application and sign a contract, 120 days for the QMS audit, 90 days for product verification, and 20 days to issue the certificate, with capped clock-stops and transparent quotations. For manufacturers, the message is that the certification path is becoming more predictable, but you still need a clean, audit-ready QMS to take advantage of it.

One more 2026 wrinkle worth flagging if your devices touch biocompatibility: FDA’s recognition of the sixth edition of ISO 10993-1 is partial. Notably, FDA does not recognize Clause 6.9 on biological risk estimation, holding that it conflicts with the recognized risk management standard ISO 14971:2019. If your risk files cite ISO 10993-1 wholesale, that is now a deficiency-letter risk in US submissions. Keep biological risk inside the ISO 14971 framework. We cover biocompatibility in depth separately — for this roadmap, just know that your risk management process is the anchor, not the 10993 series.

  • If you sell only in the US → build to ISO 13485:2016 for QMSR compliance and skip certification unless a customer demands it.
  • If you sell internationally → you need an actual ISO 13485 certificate from an accredited registrar, so plan for a Stage 1 / Stage 2 audit.
  • If you sell in both markets → build one QMS to ISO 13485:2016 and bolt on the FDA-specific QMSR additions; do not run two parallel systems.

QMSR vs ISO 13485 at a Glance

The two frameworks now share a core, but they are not identical. This is where US and international readers diverge — and where a single well-built QMS can serve both.

| Dimension | ISO 13485:2016 | FDA QMSR (21 CFR Part 820) |
|---|---|---|
| Legal status | Voluntary international standard | Mandatory US federal regulation |
| Core requirements | The full ISO 13485 QMS | Incorporates ISO 13485:2016 by reference |
| Proof of compliance | Certificate from accredited registrar | FDA inspection — no certificate issued |
| Added requirements | None beyond the standard | Labeling, UDI, certain records & definitions |
| Risk management | References ISO 14971 | Requires ISO 14971 framework; rejects ISO 10993-1 Clause 6.9 |
| Version handling | ISO may revise (~2028–2029) | “Version locked” to the 2016 edition |
| Who needs it | Anyone selling internationally | Any device manufacturer marketing in the US |

For the full treatment, see our dedicated FDA QSR vs ISO 13485 comparison.


Timeline and Cost: What to Expect

A realistic ISO 13485 implementation runs 6 to 12 months for a small-to-mid-size manufacturer building from a limited starting point. Companies already operating a mature ISO 9001 system or a legacy QSR-based system can move faster; companies starting from informal processes should plan for the full year.

ISO 13485 implementation timeline infographic showing a phased 6 to 12 month roadmap for medical device manufacturers progressing from gap assessment through certification.
A visual roadmap showing a realistic ISO 13485 implementation timeline from assessment through certification readiness.

| Phase | Typical duration | What drives it |
|---|---|---|
| Gap assessment & scope | 2–4 weeks | Size of the gap between current practice and the standard |
| Process & documentation build | 8–16 weeks | Whether you draft from scratch or start from templates |
| Implementation & operation | 8–12 weeks | You need real records, not just documents — audits want evidence |
| Internal audit & management review | 3–4 weeks | Must be complete before a registrar will proceed to Stage 2 |
| Certification (Stage 1 + Stage 2) | 6–10 weeks | Registrar scheduling and any nonconformity closure |

On cost, the single biggest variable is whether you hire a consultant to draft your system or build it yourself from a structured template. Consultant-led implementations commonly run $15,000–$50,000+ depending on device class and company size. A template-driven build can cut the documentation labor dramatically. For a full breakdown, see our guide on how much ISO 13485 certification costs.


Phase 1 — Foundation: Scope, Standard, and Leadership Commitment

Everything downstream depends on getting three things right at the start.

Define your QMS scope. ISO 13485 lets you exclude certain requirements — for example, design and development (Clause 7.3) if you are a contract manufacturer building to a customer’s design. But exclusions must be justified and documented, and you cannot exclude something just because it is inconvenient. Map which clauses apply to your role: manufacturer, specification developer, contract manufacturer, sterilization provider, or importer. Your scope statement is the first thing a registrar reads and the boundary an FDA investigator works within.

Acquire and read the standard. This sounds obvious and gets skipped constantly. You cannot delegate compliance with a document nobody on the team has read end to end. Buy the official ISO 13485:2016 text from the ANSI Webstore — apply coupon CC2026 for 5% off through the end of 2026 — and have your management representative work through it clause by clause. If you also need the risk management standard, ISO 14971:2019 is available there too. ANSI’s catalog covers international buyers and multiple languages, which matters if your QMS spans sites.

Secure genuine leadership commitment. Clause 5 puts top management on the hook — quality policy, quality objectives, resource allocation, and management review are not delegable to a quality manager working in isolation. The fastest implementations have an executive sponsor who clears roadblocks. The ones that stall have a quality team trying to impose a system the leadership treats as paperwork.

If you are a contract manufacturer → document your design and development exclusion now, with justification, before you build the rest of the system around it.

⚠️ Common pitfall: Claiming a Clause 7.3 exclusion you can’t defend. If your team does any design input — even tweaking a customer’s spec for manufacturability — a registrar may reject the exclusion and you’ll be retrofitting design controls mid-project. Decide your true scope honestly before you build.


Most ISO 13485 projects don’t fail on the standard — they fail on documentation that nobody can find, follow, or defend in an audit. Before you write a single procedure, make sure you know which records the standard actually requires.

👉 Run the gap assessment and map your existing documents against the clauses — it turns “we think we’re covered” into a defensible list.


Phase 2 — Plan: Processes, Roles, and Competence

ISO 13485 is a process-based standard. Before documentation, map your actual processes and how they connect — the “sequence and interaction” the standard requires.

Identify your core processes. At minimum: management processes (planning, review, resourcing), product realization (design, purchasing, production, servicing), and support processes (document control, records, CAPA, internal audit). For each, define inputs, outputs, owners, and the records that prove it ran.

Appoint a management representative. Clause 5.5.2 requires a member of management responsible for the QMS. This person owns the system, reports its performance to leadership, and is typically the registrar’s main point of contact.

Plan competence and training. Clause 6.2 requires that personnel performing work affecting product quality are competent — with records to prove it. This includes your internal auditors, who must be trained and independent of the areas they audit. Formal training shortens the learning curve here; BSI Group’s ISO 13485 course catalog runs from awareness through lead auditor, and the lead-auditor tier is what equips your internal audit program to find problems before the registrar does. For audit methodology itself, note that the underlying guidance standard, ISO 19011, was updated to a 2026 edition in May 2026 — worth referencing when you write your internal audit procedure.

⚠️ Common pitfall: Treating internal auditor “independence” as a formality. Having someone audit their own department is one of the most common nonconformities — and it quietly undermines every finding that audit produces. Cross-train auditors so no one reviews work they own.


Phase 3 — Risk Management and Design Controls

This is where ISO 13485 separates itself from ISO 9001, and where the most consequential implementation decisions live.

Risk management is the spine. ISO 13485 threads risk-based thinking through the entire product lifecycle, and it leans on ISO 14971:2019 as the method. You need a risk management process, a risk management file for each device or device family, and evidence that risk controls are verified and monitored in production and post-market. As noted earlier, keep biological risk inside this ISO 14971 framework rather than importing a separate scoring approach — that alignment is exactly what FDA expects under the QMSR.

Design controls (Clause 7.3) apply if you develop devices. This is the discipline FDA investigators scrutinize hardest, because design failures are where patients get hurt. You need:

| Design control element | What it requires |
|---|---|
| Design and development planning | A documented plan with stages, reviews, and responsibilities |
| Design inputs | Requirements derived from intended use, user needs, and regulation |
| Design outputs | Specifications that can be verified against inputs |
| Design review | Formal reviews at planned stages with independent reviewers |
| Design verification | Evidence outputs meet inputs |
| Design validation | Evidence the device meets user needs in actual or simulated use |
| Design transfer | Controlled handoff to production |
| Design changes | Controlled, reviewed, and documented changes |
| Design history file (DHF) | The complete record of the above |

If you are a US manufacturer, the QMSR keeps design controls firmly in play — they map directly onto the ISO 13485 Clause 7.3 requirements, which is one reason a single ISO-aligned system now serves both purposes.

If you are preparing your first device submission → build the risk management file and design history file in parallel with the QMS, not after. Auditors and investigators expect to see them populated, not planned.

⚠️ Common pitfall: Building the risk file as a one-time document for the submission, then never touching it again. Risk management is a living, lifecycle requirement — production and post-market data have to feed back into it. A risk file frozen at launch is a finding waiting to happen.


Phase 4 — Build the Documentation

Now you write the system. ISO 13485 expects a defined documentation hierarchy: a quality manual, documented procedures, work instructions, forms, and the records they generate.

ISO 13485 documentation architecture infographic showing the five-layer quality management documentation hierarchy from quality manual through records.
A visual breakdown of the five documentation layers used to build and maintain an ISO 13485 quality management system.

The required documents. ISO 13485:2016 explicitly requires certain documented procedures — document control, record control, management review, internal audit, control of nonconforming product, CAPA, and several product-realization procedures among them. A medical device file (technical documentation) is required for each device type. Our breakdown of ISO 13485 documentation requirements lists exactly what the standard mandates versus what is optional.

Where teams over-build. The most common documentation mistake is writing procedures more detailed and rigid than the operation can actually follow. Every sentence in a procedure is a commitment an auditor can hold you to. If your procedure says calibration happens every 90 days and a record shows 95, that is a nonconformity you created with your own words. Write to what you do; improve what you do separately.

Start from a structured template, not a blank page. Drafting an entire ISO 13485 documentation set from scratch is where 6-month projects become 12-month projects. A complete documentation kit gives you the quality manual, every required procedure, and the records templates already structured to the clauses — so your team spends its hours tailoring language to your operation instead of reinventing the architecture of a QMS.

👉 See what’s included in the 9001Simplified ISO 13485 documentation kit — it is the no-consultant route most small manufacturers should evaluate first.

Set up document and record control before you generate volume. Clauses 4.2.4 and 4.2.5 require controlled documents and controlled records. Get the control mechanism — versioning, approval, retention, retrieval — working before you have hundreds of documents to retrofit.

⚠️ Common pitfall: Over-documenting. Teams write procedures so detailed and rigid that the floor can’t actually follow them — then every deviation from their own paperwork becomes a nonconformity. Document what you genuinely do, keep procedures lean, and push the specifics down into work instructions where they’re easier to change.


Phase 5 — Implement and Operate

A documented QMS proves nothing. Auditors and investigators want records that show the system ran.

This is the phase teams underestimate. You can write a CAPA procedure in a day; demonstrating that CAPA actually works requires real CAPAs opened, investigated, and closed over weeks. Plan for an operating period — typically 8 to 12 weeks minimum — where the system runs and generates genuine evidence: training records, calibration records, completed reviews, supplier evaluations, nonconformance reports, and CAPA records.

A registrar will not progress to a certification audit, and an FDA investigator will not be satisfied, by documents alone. Both want to trace a process from requirement to record to outcome. Build that evidence trail before you invite anyone to inspect it.

If you are under customer pressure to certify quickly → start operating the system in parallel with finishing documentation, so your evidence trail is already accumulating when the documents are signed off.

⚠️ Common pitfall: Booking the certification audit before the system has actually run. A registrar can tell the difference between a QMS that has operated for three months and one that generated all its records last week. Backdated or thin evidence is the fastest way to turn a Stage 2 audit into a list of nonconformities.


Phase 6 — CAPA, Supplier Controls, and Production Controls

Three areas generate the most audit findings and FDA 483 observations. Get them right and you de-risk the entire certification.

CAPA (Corrective and Preventive Action). This is the single most-cited area in medical device QMS audits. A weak CAPA system — actions opened and never closed, root causes not actually identified, effectiveness never verified — signals to an auditor that the whole system is decorative. Your CAPA process must show genuine root cause analysis, defined actions, and verified effectiveness. Our deep dive on CAPA requirements in ISO 13485 covers the failure modes in detail.

Supplier and purchasing controls (Clause 7.4). You are accountable for what your suppliers provide. You need defined supplier evaluation criteria, approved-supplier records, and controls proportionate to the risk the purchased product carries. Flow your quality requirements down in writing — handshake arrangements do not survive audits.

Production and process controls (Clause 7.5). This includes process validation for any process whose output cannot be fully verified by later inspection — sterilization and certain welding or molding processes are classic examples — plus identification, traceability, and handling of product. Cleanliness, contamination control, and installation/servicing requirements apply where relevant to your device.

A documentation kit accelerates this layer too. The CAPA log, supplier evaluation forms, nonconformance records, and validation templates are exactly the high-stakes documents you do not want to invent under deadline.

👉 A structured kit gives you defensible templates for all three areas so your effort goes into running the processes, not formatting the paperwork.

Avoid the recurring traps documented in our guide to common mistakes in ISO 13485 QMS implementation — most failures are predictable.

⚠️ Common pitfall: Closing CAPAs without verifying effectiveness. “We retrained the operator” is not a closed CAPA — it’s an action with no proof it worked. Auditors reopen these constantly. Every CAPA needs a defined effectiveness check and evidence it passed before you close it.


Phase 7 — Internal Audit, Management Review, and Certification

Before any external party inspects you, inspect yourself.

Internal audit (Clause 8.2.4). Conduct a full internal audit of your QMS against ISO 13485 using trained, independent auditors. This is your dress rehearsal — the audit that finds problems while you still control the timeline and the narrative. Document findings, open CAPAs, and close them.

Management review (Clause 5.6). Top management formally reviews QMS performance against defined inputs — audit results, customer feedback, process performance, CAPA status, and more — and produces documented outputs and decisions. Registrars treat a missing or hollow management review as a serious gap.

The certification audit (international path). An accredited registrar conducts a two-stage audit:

| Stage | Focus | Outcome |
|---|---|---|
| Stage 1 | Documentation review and readiness | Confirms the system is ready for Stage 2; identifies gaps |
| Stage 2 | On-site implementation audit | Verifies the system operates as documented; raises any nonconformities |

Close any nonconformities, and the registrar issues your certificate — typically valid for three years with annual surveillance audits. Choosing an accredited registrar matters; verify accreditation through bodies like ANAB or the relevant IAF member. Our guide to the best ISO certification bodies walks through selection.

⚠️ Common pitfall: Running a hollow management review to check the box. A review that doesn’t actually examine audit results, CAPA status, and process performance — and produce real decisions — is treated by registrars as a serious gap, because it signals leadership isn’t engaged. Make it substantive, and keep the minutes.


FDA QMSR Inspection Readiness

If you are a US manufacturer, your “certification audit” may instead be an FDA inspection — and the bar is the QMSR, which now runs on ISO 13485:2016 plus FDA’s additions.

Practical readiness steps:

  • Map ISO 13485 to the QMSR additions. Most of your ISO-aligned system satisfies Part 820 directly. Layer in the FDA-specific requirements — labeling and packaging controls, UDI, and certain record and complaint-handling provisions — that exceed the ISO text.
  • Keep your records inspection-ready, not audit-ready-once. FDA inspections are unannounced or short-notice. The evidence trail from Phase 5 has to be standing, not assembled on demand.
  • Treat CAPA and complaint handling as the focal points. These are where 483 observations concentrate. A clean, closed-loop CAPA system is your strongest signal of control.
  • Understand the relationship between the two frameworks. Our comparison of FDA QSR vs ISO 13485 explains exactly what the QMSR changed and where the frameworks now align.

For US manufacturers selling internationally, the efficient move is one ISO 13485 QMS with the QMSR additions built in — not two systems. The frameworks now overlap by design.


Quick Implementation Checklist

Use this as a high-level progress tracker. Each item maps to a phase above.

  • ✅ QMS scope defined and exclusions justified in writing
  • ✅ Official ISO 13485:2016 (and ISO 14971:2019) acquired and read
  • ✅ Top management commitment secured; quality policy and objectives set
  • ✅ Management representative appointed
  • ✅ Core processes mapped with owners, inputs, outputs, and records
  • ✅ Personnel competence and internal auditor training in place
  • ✅ Risk management process and risk management file established (ISO 14971)
  • ✅ Design controls and design history file in place (if you develop devices)
  • ✅ Quality manual, required procedures, and record templates written
  • ✅ Document control and record control operating before volume builds
  • ✅ System operated long enough to generate genuine records (8–12 weeks)
  • ✅ CAPA system demonstrably closing the loop with verified effectiveness
  • ✅ Supplier evaluation and purchasing controls documented and flowed down
  • ✅ Process validation completed where output can’t be fully verified
  • ✅ Full internal audit completed; findings closed
  • ✅ Management review conducted with documented outputs
  • ✅ Registrar selected (international) or QMSR inspection readiness confirmed (US)
  • ✅ Stage 1 and Stage 2 audit passed; nonconformities closed

FAQ

How long does ISO 13485 implementation take?

For a small-to-mid-size manufacturer building from a limited starting point, plan for 6 to 12 months. Companies with a mature ISO 9001 system or a legacy QSR-based system can move faster, while organizations starting from informal processes should plan for the full year. The longest single phase is usually documentation, followed by the operating period needed to generate real records.

Is ISO 13485 certification required in the United States?

No. FDA inspects US manufacturers directly against the QMSR, which incorporates ISO 13485:2016 — certification by a third-party registrar is not legally required. However, building your QMS to ISO 13485 is now the most direct path to QMSR compliance, and certification is required to sell in the EU, Canada, and most international markets. Many US manufacturers certify anyway to serve global customers and demonstrate a recognized standard of control.

What is the difference between ISO 13485 and the FDA QMSR?

The QMSR, effective February 2, 2026, replaced FDA’s old Quality System Regulation and incorporates ISO 13485:2016 by reference into 21 CFR Part 820, plus FDA-specific additions covering labeling, UDI, and certain records. The two are now largely aligned by design. The QMSR is “version locked” to the 2016 edition, so future ISO 13485 revisions will not automatically apply in the US. See our full FDA QSR vs ISO 13485 comparison for detail.

Do I need ISO 14971 to implement ISO 13485?

Effectively, yes. ISO 13485 threads risk-based thinking through the product lifecycle and relies on the methodology in ISO 14971:2019 for risk management. You need a documented risk management process and a risk management file for each device. We explain the relationship in ISO 14971 vs ISO 13485.

Can a contract manufacturer exclude design controls?

Yes, if you build strictly to a customer’s design and do not perform design and development activities. ISO 13485 permits excluding Clause 7.3, but the exclusion must be justified and documented in your QMS scope. You cannot exclude a requirement simply because it is burdensome — only because it genuinely does not apply to your role.

What causes most ISO 13485 audit findings?

CAPA weaknesses lead the list — actions that never close, root causes not genuinely identified, and effectiveness never verified. Document and record control, supplier controls, and process validation are also frequent finding areas. Our guide to common ISO 13485 QMS mistakes covers the recurring patterns.

Should I hire a consultant or use a documentation kit?

It depends on device class, internal capacity, and budget. Consultant-led implementations offer hands-on guidance but commonly run $15,000–$50,000 or more. A structured documentation kit gives you the full QMS architecture — manual, procedures, and record templates — at a fraction of that cost, so your team tailors rather than drafts from scratch. Many small manufacturers start with a kit and bring in targeted consulting only for device-specific risk and design questions.

What is ISO 13485 and who needs it?

ISO 13485 is the international quality management system standard for organizations involved in the medical device lifecycle — design, production, storage, distribution, installation, and servicing. It applies to manufacturers, specification developers, contract manufacturers, sterilization providers, and importers. Our primer, What Is ISO 13485?, covers the fundamentals.


📥 Free Resources

Practical tools to support your implementation — download what fits your project:

  • ISO 13485 Gap Assessment Checklist — free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements, clause by clause, before committing to implementation.
  • ISO 9001 Roadmap — step-by-step implementation guide for organizations building or improving a quality management system, useful if you operate an ISO 9001 base alongside 13485.
  • Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments.
  • Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts.
  • AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification, for teams operating across aerospace and medical device lines.

Not Sure What to Do Next?

Your next step depends on where you are in the project:

  • 🔹 If you haven’t assessed your gap yet → start with the free ISO 13485 Gap Assessment Checklist. Don’t commit budget to implementation until you know the size of the gap.
  • 🔹 If you’re ready to build documentation → evaluate a complete ISO 13485 documentation kit before paying consultant rates to draft from scratch. It is the fastest route to an audit-ready document set for most small manufacturers.
  • 🔹 If you’re comparing the US and international paths → read FDA QSR vs ISO 13485 and how much ISO 13485 costs to scope budget and timeline before you choose.

Building an ISO 13485 QMS is a real project, but it is a known one. The clauses are fixed, the phases are sequential, and the failure modes are predictable. Move through it in order, build real evidence as you go, and inspect yourself before anyone else does — and a certification audit or FDA inspection becomes a confirmation, not a gamble. The Standards Navigator exists to make exactly this kind of industrial compliance work clear and survivable for the people who have to actually do it.


Most teams don’t fail ISO 13485 because they misunderstand the standard — they fail because they assumed they were compliant and found out during the audit. The organizations that struggle treat the QMS as paperwork to satisfy a registrar. The organizations that succeed treat it as the operating system that proves their devices are safe — and they build evidence from day one.

The Standards Navigator covers medical device compliance from QMSR readiness to risk management, CAPA, and certification — written from operational and quality management experience, not generic theory.


The Standards Navigator — Industrial Compliance. Clearly Explained.

What Is ISO 14971? Risk Management for Medical Devices Explained (2026 Guide)

ISO 14971 is not optional supplementary guidance for ISO 13485 — it is the required risk management framework woven throughout the medical device lifecycle. This guide covers what ISO 14971:2019 requires clause by clause, how its six-step process works across the device lifecycle, what changed in the 2019 edition, and why the FDA’s QMSR makes a well-maintained Risk Management File more critical than ever.


From the Shop Floor

Risk management in manufacturing is not a new concept. Every process engineer who has ever run a failure modes and effects analysis on a production line understands the core logic: identify what can go wrong, estimate how likely it is and how bad it would be, put controls in place, and verify those controls work.

What ISO 14971 adds to that foundation is structure, lifecycle scope, and documentation discipline.

After 25 years in heavy industrial manufacturing — including quality systems, process control, and operational risk — the single most consistent gap I see in medical device risk management is the treatment of the Risk Management File as a design-phase deliverable rather than a living operational document. Teams build an impressive RMF during product development, get through their certification audit, and then let the file sit static while the real world generates new information about how the device actually performs.

That approach worked well enough under the old QSR. It does not work under the QMSR.

FDA investigators under CP 7382.850 are not looking at your RMF to confirm it was done — they are using it as a roadmap to evaluate whether your entire quality system is functioning as an integrated risk management framework. A risk management file that hasn’t been updated since device release is not a minor documentation gap. It is evidence that your risk management process is not integrated with complaint handling, CAPA, and post-market surveillance the way the QMSR requires.

The organizations I have seen handle this well treat the RMF update as a standing agenda item in management review — not a corrective action triggered by an audit finding. If post-market data is generating complaints, those complaints are being evaluated in the context of the risk management file every quarter. That is the operating model QMSR expects.


ISO 14971 Is the Standard Your QMS Is Already Required to Implement

If you are pursuing ISO 13485 certification, operating under the FDA’s QMSR, or manufacturing medical devices for any major regulated market, ISO 14971 is not a standard you get to choose whether to implement.

ISO 13485:2016 explicitly requires risk management per ISO 14971 throughout the medical device lifecycle — in design controls, production processes, supplier controls, complaint handling, and post-market surveillance. Under the FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, that requirement now carries federal regulatory weight. FDA investigators under Compliance Program 7382.850 are expected to use the risk management file as their inspection roadmap.

Yet despite being one of the most referenced standards in medical device regulation, ISO 14971 remains one of the least understood. Most manufacturers know it exists. Far fewer understand what it actually requires, how its six-step process works across the device lifecycle, or why the 2019 edition introduced changes that many organizations still haven’t fully implemented.

This guide covers all of it — what ISO 14971 is, what it requires clause by clause, how it integrates with ISO 13485 and the QMSR, and what your risk management program needs to look like in practice.


In This Guide

  • What ISO 14971 is and why it exists
  • Who needs ISO 14971
  • The six-step ISO 14971 risk management process
  • Key clause-by-clause breakdown
  • What changed in the 2019 edition
  • The Risk Management File — what it contains and how it’s structured
  • ISO 14971 and ISO 13485 — how they integrate
  • ISO 14971 under the FDA QMSR
  • ISO/TR 24971 — the companion guidance document
  • How to buy the official standard
  • Frequently asked questions


✅ Start Here (Top Resources)

📋 Purchase the official ISO 14971:2019 standard → ISO 14971:2019 — ANSI Webstore — use coupon CC2026 for 5% off through December 31, 2026

📋 Purchase the official ISO 13485:2016 standard — required companion → ISO 13485:2016 — ANSI Webstore — use coupon CC2026 for 5% off

📋 Save up to 50% buying both standards as a bundle → ISO Standards Packages — ANSI Webstore

📋 Get ISO 13485 training that covers ISO 14971 integration → BSI Group ISO 13485 Training

📋 Get ISO 13485 certified with an accredited certification body → ISOQAR ISO 13485 Certification


What Is ISO 14971?

ISO 14971 is the international standard for the application of risk management to medical devices. The current version — ISO 14971:2019 — is the third edition, published in December 2019. It specifies the terminology, principles, and a structured process for identifying hazards associated with medical devices, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of controls throughout the entire device lifecycle.

The standard applies to:

  • Physical medical devices of all classifications
  • Software as a Medical Device (SaMD)
  • In vitro diagnostic (IVD) medical devices
  • Combination products where the device constituent part requires risk management

Before ISO 14971, there was no universally accepted methodology for risk management in the medical device industry. Different manufacturers used different approaches, different terminology, and different standards for what constituted acceptable risk. ISO 14971 introduced a standardized process that could be consistently applied across the industry globally — giving regulators, certification bodies, and trading partners a shared framework for evaluating whether a manufacturer’s risk management is adequate.

Risk, as defined by ISO 14971, is the combination of two components:

  1. The probability that harm will occur
  2. The severity of that harm

This definition is important because it shapes the entire risk management process. A high-severity potential harm that is extremely unlikely to occur produces a different risk level than a moderate-severity harm that occurs frequently. ISO 14971 requires manufacturers to evaluate both dimensions systematically — not rely on intuition or experience alone.


Who Needs ISO 14971?

ISO 14971 is effectively required for any organization involved in the medical device supply chain. Specifically:

Organizations that must implement ISO 14971:

  • Medical device manufacturers — it is explicitly required by ISO 13485 and referenced throughout FDA QMSR, EU MDR, Health Canada, TGA (Australia), and most other major regulatory frameworks
  • Design-responsible organizations developing medical devices or device software
  • Contract manufacturers producing devices under a design owner’s technical file

Organizations that should implement ISO 14971:

  • Component suppliers whose products are incorporated into medical devices — risk management requirements are increasingly flowed down through quality agreements
  • Software developers producing SaMD or software incorporated into medical devices
  • Sterilization service providers — sterilization process risk must be managed within the device’s overall risk management framework

A critical distinction: ISO 14971 is not legally mandated in the same way a regulation is — regulators like the FDA do not list it as a statutory requirement. However, regulators worldwide recognize ISO 14971 as the state of the art for medical device risk management. Non-conformance with ISO 14971 — or the absence of a risk management program built on its framework — creates significant regulatory exposure. For practical purposes, ISO 14971 is mandatory for any organization intending to demonstrate that their device is safe and effective.


The ISO 14971 Risk Management Process — Six Steps

[Figure: The six-step ISO 14971 risk management process: Risk Analysis, Risk Evaluation, Risk Control, Overall Residual Risk, Risk Management Review, and Post-Production Information.]

ISO 14971 defines a six-step risk management process that applies across the entire device lifecycle — from initial concept through design, production, and post-market activities.

Step 1 — Risk Analysis

Risk analysis is the systematic use of available information to identify hazards and estimate the risks associated with a medical device. It consists of two activities:

Hazard identification: Identifying all reasonably foreseeable hazards associated with the device under both normal use conditions and fault conditions. The 2019 edition specifically requires both normal and fault conditions to be considered, a change from the 2007 edition, which primarily emphasized fault conditions.

Sources of hazards include:

  • Device energy sources (electrical, thermal, mechanical, radiation)
  • Device materials and their biological interactions
  • Use environment and user characteristics
  • Reasonably foreseeable misuse
  • Software failures and cybersecurity vulnerabilities
  • Interactions with other devices

Risk estimation: For each hazardous situation identified, estimating the risk by determining the probability of occurrence of harm and the severity of that harm. ISO 14971 does not specify acceptable risk levels — manufacturers must establish their own objective criteria based on regulatory requirements, industry standards, and clinical context.

Step 2 — Risk Evaluation

Risk evaluation is the process of comparing estimated risks against the manufacturer’s defined risk acceptability criteria to determine whether risk reduction is required. If the estimated risk exceeds acceptable levels, the process moves to risk control. If the risk is within acceptable limits, it is documented as acceptable residual risk and monitored.

Step 3 — Risk Control

Risk control is the process of implementing and verifying measures to reduce risks that exceed acceptable levels. ISO 14971 requires risk control measures to be implemented in a defined priority order:

  1. Inherent safety by design — eliminate or reduce hazards through design decisions (preferred)
  2. Protective measures — guards, alarms, interlocks in the device or manufacturing process
  3. Information for safety — warnings, instructions for use, training requirements (last resort)

After implementing risk control measures, the residual risk — the risk remaining after controls — must be estimated and evaluated again. The process is iterative: if residual risk is still unacceptable, additional risk control measures must be implemented.

Risk control measures must also be evaluated for introduced risks — a control measure that eliminates one hazard may introduce a new one.

Step 4 — Evaluation of Overall Residual Risk

After all individual risks have been addressed, the overall residual risk of the device must be evaluated — not just each individual risk in isolation. If the overall residual risk is not acceptable using the manufacturer’s risk acceptability criteria, a benefit-risk analysis must be performed.

Benefit-risk analysis (introduced as a formal requirement in the 2019 edition) evaluates whether the clinical benefits of the device outweigh the overall residual risk in the context of the device’s intended use. If the benefits outweigh the risks, and appropriate information is provided to users, the device may be released. If the benefits do not outweigh the risks, the device cannot be released — additional risk control measures are required.

Step 5 — Risk Management Review

Before a device is released for distribution, a formal risk management review must be completed. The 2019 edition changed the title of this clause from “Risk Management Report” to “Risk Management Review” — a deliberate signal that this is an active review activity, not simply a summary document.

The review must confirm:

  • The risk management plan has been fully implemented
  • The overall residual risk is acceptable
  • Appropriate methods are in place to collect and review production and post-production information

Reviewers must be identified in the risk management plan in advance — they cannot be appointed after the fact.

Step 6 — Production and Post-Production Information

Risk management does not end when the device is released. ISO 14971 requires a systematic process for collecting and reviewing information from production and post-market activities throughout the device’s commercial life. This includes:

  • Complaint data and adverse event reports
  • Post-market surveillance information
  • Production nonconformances and CAPA trends
  • New scientific and technical information relevant to device safety

When this information indicates that the risk management process needs to be updated — that a new hazard has been identified, or that an existing risk estimate was incorrect — the risk management file must be revised and risk control measures re-evaluated.


ISO 14971 Clause-by-Clause Breakdown

| Clause | Title | Key Content |
|---|---|---|
| 1 | Scope | Applicability to all medical devices, SaMD, IVDs, combination products |
| 2 | Normative references | ISO 9000:2015 for defined terms |
| 3 | Terms and definitions | 31 defined terms including risk, hazard, harm, hazardous situation, benefit |
| 4 | General requirements | Risk management system requirements, management responsibilities, competence requirements |
| 5 | Risk management planning | Risk management plan requirements — device scope, lifecycle phases, risk acceptability criteria |
| 6 | Risk analysis | Intended use, hazard identification, risk estimation |
| 7 | Risk evaluation | Comparison to acceptability criteria, benefit-risk analysis (Clause 7.4) |
| 8 | Risk control | Control option analysis, measure implementation, residual risk evaluation, introduced risks |
| 9 | Evaluation of overall residual risk | Overall residual risk acceptability, benefit-risk if needed |
| 10 | Risk management review | Pre-release review requirements, reviewer identification |
| 11 | Production and post-production activities | Information collection, new hazard identification, risk file updates |

What Changed in ISO 14971:2019

The 2019 edition is the third edition of ISO 14971, replacing the 2007 version. Several changes have practical implementation implications:

Benefit-risk analysis is now a formal requirement. The 2019 edition formally introduced benefit-risk analysis as a defined process step (Clause 7.4) when overall residual risk is not acceptable under the manufacturer’s criteria alone. The 2007 edition referenced this concept but did not treat it as a structured requirement. The FDA’s influence here is direct — the FDA revised its language to place “benefit” before “risk” for novel device submissions, and the ISO 14971 committee adopted this framing in the 2019 revision.

Both normal and fault conditions must be analyzed. Clause 5.4 of the 2019 edition explicitly requires identification of anticipated hazards under both normal use and fault conditions. The 2007 edition emphasized fault conditions — the 2019 edition closes that gap. This has direct implications for FMEA and hazard analysis documentation.

Post-production requirements are more prescriptive. The requirements for production and post-production information collection (Clause 11) are more detailed in the 2019 edition, with stronger emphasis on systematic feedback of real-world performance data into the risk management file.

Risk Management Review replaces Risk Management Report. The title change in Clause 9 (from “report” to “review”) reflects a substantive intent: the activity must be an active review with identified reviewers, not a passive summary document compiled at device release.

EN ISO 14971:2019 + A11:2021 for EU MDR. The European version of the standard includes Amendment A11:2021, which maps ISO 14971 requirements to the General Safety and Performance Requirements (GSPR) of the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Organizations selling into the EU need the A11 annex — organizations selling only in the U.S. do not, but the normative requirements are identical in both versions.


The Risk Management File

The Risk Management File (RMF) is the central documentation output of the ISO 14971 process. It is the organized collection of records that demonstrates a manufacturer has systematically identified hazards, evaluated risks, implemented controls, and monitored the effectiveness of those controls throughout the device lifecycle.

The RMF is not a single document. It is a defined collection of records that includes:

  • Risk Management Plan (RMP): Defines the scope of risk management activities, the lifecycle phases covered, the risk acceptability criteria, the risk estimation methodology, and the verification activities planned
  • Risk Analysis records: Hazard identification outputs, risk estimation records, FMEA or other analysis tool outputs
  • Risk Evaluation records: Comparison of estimated risks against acceptability criteria
  • Risk Control records: Selected control measures, implementation records, verification that controls achieved their intended risk reduction, evaluation of introduced risks
  • Overall Residual Risk evaluation: Documentation of the overall residual risk assessment and benefit-risk analysis if required
  • Risk Management Review: Pre-release review record with identified reviewers
  • Post-Production information records: Systematic records of production and post-market information reviewed against the risk management file

A common audit finding is a Risk Management File that functions as a static document compiled at device release — rather than a living record updated throughout the device’s commercial life as post-production information is gathered. Under the QMSR, FDA investigators start inspections with the risk management file. A static RMF that hasn’t been updated since initial device release is a significant inspection vulnerability.

📋 How does your risk management program measure up? Section 6 of the free ISO 13485 Gap Assessment Checklist covers ISO 14971 integration specifically — risk management plan requirements, RMF structure, post-production feedback, and the QMSR inspection implications.


ISO 14971 and ISO 13485 — How They Integrate

ISO 14971 and ISO 13485 are companion standards — not alternatives. ISO 13485 is the quality management system framework. ISO 14971 is the risk management framework that ISO 13485 requires to be implemented throughout that QMS.

ISO 13485 references ISO 14971 in multiple clauses:

  • Clause 7.1 — Planning of product realization: Risk management activities must be planned as part of product realization
  • Clause 7.3 — Design and development: Risk management must be integrated throughout design and development activities
  • Clause 7.4 — Purchasing: Supplier controls must reflect risk — suppliers of higher-risk components require more rigorous qualification
  • Clause 8.2.1 — Feedback: Post-market feedback must be evaluated in the context of risk management
  • Clause 8.5 — Improvement: CAPA and continual improvement activities must consider risk management outputs

ISO 14971 is not optional supplementary guidance for ISO 13485. Organizations implementing ISO 13485 must purchase and implement ISO 14971. It is an external document that must be controlled under ISO 13485 Clause 4.2.4 — registered, version-controlled, and accessible to relevant personnel.

For a complete comparison of how ISO 13485 and risk management requirements interact, see ISO 9001 vs ISO 13485 — Key Differences.


ISO 13485 establishes quality system requirements, while ISO 14971 provides the risk management framework that connects planning, design, purchasing, feedback, and improvement activities throughout the medical device lifecycle.

ISO 14971 Under the FDA QMSR

The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, incorporated ISO 13485:2016 by reference into 21 CFR Part 820 — and with it, ISO 13485’s explicit requirement for risk management per ISO 14971.

Under QMSR, several specific changes elevate the practical importance of ISO 14971:

Risk management now extends across the entire QMS. Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR, risk-based thinking is required throughout the entire quality system — supplier controls, production processes, CAPA, complaint handling, and post-market surveillance. ISO 14971 is the expected framework for implementing this expanded risk management scope.

FDA investigators start inspections with the risk management file. Under Compliance Program 7382.850 — the new inspection program that replaced QSIT on February 2, 2026 — FDA investigators are expected to begin inspections by reviewing the risk management file and following risk documentation into other quality system areas. A well-maintained, current risk management file is inspection preparation. An incomplete or static risk management file is an inspection liability.

Post-market surveillance feeds the risk management file. The QMSR’s requirements for production and post-production information — complaint handling, MDR, field corrections — are expected to feed systematically into the risk management file. Organizations that maintain complaint handling and risk management as separate, unconnected systems have a QMSR gap.

For the complete QMSR transition guide, see FDA QSR vs ISO 13485: The Complete QMSR Transition Guide.


ISO/TR 24971 — The Companion Guidance Document

ISO/TR 24971:2020 is the technical report published as a companion to ISO 14971:2019. Unlike ISO 14971, which is a normative standard (its requirements are mandatory for certification purposes), ISO/TR 24971 is guidance — it does not add requirements but provides practical methodology for implementing ISO 14971’s requirements.

ISO/TR 24971:2020 covers:

  • Guidance on risk management planning
  • Practical methods for hazard identification and risk estimation
  • Guidance on benefit-risk analysis
  • Application of risk management to software
  • Application of risk management to usability and human factors
  • Guidance on production and post-production information processes

For organizations building or rebuilding their risk management program, ISO/TR 24971 is the practical implementation companion to ISO 14971’s requirements. Many experienced quality and regulatory professionals recommend reading both together.



How to Buy ISO 14971

ISO 14971 is a copyrighted document and must be purchased from an authorized source. It cannot be legally downloaded for free.

The ANSI Webstore is the authorized U.S. distributor for ISO standards. ISO 14971:2019 is available in PDF format with immediate download after purchase.


For the complete guide to purchasing ISO 13485, see Buy ISO 13485 — Complete Purchasing Guide.


Frequently Asked Questions

What is ISO 14971 used for?

ISO 14971 is the international standard for applying risk management to medical devices. It provides the structured process — hazard identification, risk estimation, risk evaluation, risk control, overall residual risk evaluation, and post-production monitoring — that manufacturers must use to demonstrate that their devices are safe for their intended use.

Is ISO 14971 required for ISO 13485 certification?

Yes. ISO 13485 explicitly requires risk management per ISO 14971 throughout the medical device quality management system. Organizations cannot achieve ISO 13485 certification without demonstrating that their risk management program is built on the ISO 14971 framework. ISO 14971 must be controlled as an external document within the ISO 13485 QMS.

Is ISO 14971 required by the FDA?

ISO 14971 is not listed as a statutory FDA requirement. However, the FDA recognizes ISO 14971 as the state of the art for medical device risk management. Under the QMSR, effective February 2, 2026, ISO 13485 is incorporated by reference into 21 CFR Part 820 — and ISO 13485 explicitly requires ISO 14971. FDA investigators under CP 7382.850 use the risk management file as their inspection starting point. For practical purposes, ISO 14971 is effectively mandatory for any FDA-regulated medical device manufacturer.

What is the difference between ISO 14971:2007 and ISO 14971:2019?

The 2019 edition introduced several substantive changes: benefit-risk analysis is now a formal requirement when overall residual risk is not acceptable; both normal use and fault conditions must be analyzed during hazard identification; post-production requirements are more prescriptive; and the Risk Management Report was renamed Risk Management Review to signal an active review activity rather than a passive document.

What is the Risk Management File?

The Risk Management File (RMF) is the organized collection of records that demonstrates a manufacturer has systematically implemented the ISO 14971 risk management process. It includes the Risk Management Plan, hazard analysis records, risk evaluation records, risk control records, overall residual risk evaluation, risk management review, and post-production information records. The RMF is a living document — it must be updated throughout the device’s commercial life as post-production information is gathered.

What is ISO/TR 24971?

ISO/TR 24971:2020 is the technical report companion to ISO 14971:2019. It provides practical guidance on implementing ISO 14971’s requirements — methods for hazard identification, risk estimation, benefit-risk analysis, software risk management, and post-production information processes. It does not add normative requirements but is an essential practical companion for organizations building or rebuilding their risk management programs.

What is the difference between ISO 14971 and ISO 31000?

ISO 14971 is specific to medical device risk management and defines risk purely in terms of harm to people — the combination of probability of harm and severity of that harm. ISO 31000 is a broader enterprise risk management standard with a wider definition of risk that includes any effect on objectives, including positive risks (opportunities). The two standards serve different purposes and are not interchangeable in the medical device context.

Does ISO 14971 apply to software as a medical device?

Yes. ISO 14971:2019 explicitly applies to Software as a Medical Device (SaMD). ISO/TR 24971 provides specific guidance on applying ISO 14971 to software. The companion standard IEC 62304 — Medical Device Software Lifecycle Processes — also references ISO 14971 risk management requirements throughout its software development lifecycle requirements.




Risk Management Is Not a Deliverable. It’s an Operating Model.

ISO 14971 is not a checkbox on a certification audit list. It is the framework that determines whether the medical devices your organization produces — or supplies components for — are demonstrably safe for their intended use.

Under the FDA’s QMSR, effective February 2, 2026, that framework now carries federal regulatory weight. Risk management under QMSR extends across the entire quality system, and FDA investigators under CP 7382.850 are using the risk management file as their inspection roadmap.

The organizations that navigate this environment successfully are the ones that treat risk management as an operating discipline — not a documentation exercise. The Risk Management File is updated because post-market data is being systematically reviewed, not because an audit is scheduled. CAPA is connected to the risk management file because the quality system is integrated, not because an investigator asked to see the connection.

That is what ISO 14971, properly implemented, actually produces.


FDA QSR vs ISO 13485: The Complete QMSR Transition Guide (2026)

The FDA replaced the legacy Quality System Regulation on February 2, 2026. The new QMSR incorporates ISO 13485:2016 by reference — making the international medical device quality standard the structural backbone of U.S. federal regulation. This guide covers exactly what changed, what FDA-specific requirements remain in force beyond ISO 13485, and what your quality system needs to address now that the QMSR is in full effect.

What changed on February 2, 2026, what stayed, and exactly what your quality system needs to address now that the FDA’s QMSR is in full force.



The FDA Replaced the QSR. Here’s What That Actually Means.

On February 2, 2026, the FDA’s legacy Quality System Regulation — the QSR under 21 CFR Part 820 — was replaced.

Not updated. Not revised. Replaced.

The new Quality Management System Regulation (QMSR) restructured 21 CFR Part 820 around a single foundational document: ISO 13485:2016. The FDA incorporated the international medical device quality standard by reference — meaning ISO 13485 is now the structural backbone of U.S. medical device quality regulation. It is no longer a voluntary international standard that sophisticated manufacturers pursue for global market access. It is what the FDA expects your quality system to be built on.

If your quality system was built against the old QSR framework — DMRs, DHFs, QSIT audit language — you are now operating against a framework that has been retired. The FDA’s inspectors are using a new compliance program. The terminology has changed. The inspection scope has changed. The risk management expectations have changed.

This guide covers exactly what the QSR was, what the QMSR replaced it with, where ISO 13485 fits into the new regulatory structure, what FDA-specific requirements remain in force beyond ISO 13485, and what your quality system needs to address right now.


In This Guide

  • What the FDA QSR was and why it was replaced
  • What the QMSR actually is — and what it is not
  • How FDA QSR, ISO 13485, and QMSR relate to each other
  • The four FDA-specific requirements that ISO 13485 does not cover
  • Key changes under the QMSR manufacturers need to act on
  • Does ISO 13485 certification satisfy QMSR?
  • The role of ISO 14971 in QMSR compliance
  • QMSR gap assessment — where to start
  • From the Shop Floor — what this transition actually looks like
  • Getting ISO 13485 certified under the QMSR framework




What Was the FDA QSR?

The FDA Quality System Regulation under 21 CFR Part 820 established the foundational CGMP requirements governing medical device manufacturing quality systems in the United States.

The FDA’s Quality System Regulation was codified under 21 CFR Part 820. First authorized in July 1978 and significantly revised in 1996, the QSR established the current good manufacturing practice (CGMP) requirements for finished medical device manufacturers distributing products in the United States.

The QSR covered the core pillars of a medical device quality management system: management responsibility, design controls, document and record controls, purchasing controls, production and process controls, corrective and preventive action (CAPA), labeling, and complaint handling. It was written in FDA-specific language and structured around FDA-specific documentation concepts:

  • Device Master Record (DMR) — the compiled documentation defining how a device is manufactured
  • Design History File (DHF) — records demonstrating the device was designed in accordance with an approved plan
  • Device History Record (DHR) — production records for each manufactured unit or lot
  • Quality System Inspection Technique (QSIT) — the FDA’s subsystem-by-subsystem inspection approach

For decades, the FDA QSR and ISO 13485 ran in parallel. They covered similar ground but used different terminology, different structural frameworks, and different documentation concepts. Manufacturers selling devices in both the U.S. and international markets often maintained two parallel compliance frameworks — one for the FDA, one for ISO 13485 or MDSAP. That dual-track approach created overhead, redundancy, and audit complexity that manufacturers had been managing for years.

That parallel structure is over.


What Is the QMSR?

The Quality Management System Regulation (QMSR) is the amended version of 21 CFR Part 820, effective February 2, 2026. The FDA issued the final rule in February 2024, providing a two-year implementation window before the regulation took effect.

The core structural change: instead of writing QMS requirements directly into the regulation, the FDA incorporated ISO 13485:2016 by reference. Part 820 now points to ISO 13485 as the source document for quality system requirements. The regulation itself became significantly shorter — most of its text now simply directs manufacturers to the relevant ISO 13485 clause.

What this means in practice: ISO 13485:2016 compliance is now a regulatory expectation under 21 CFR Part 820 — not a voluntary international best practice. Manufacturers who have never engaged with ISO 13485 are now operating under a framework built on it.

The QMSR also updated the FDA’s inspection program. As of February 2, 2026, the FDA retired the Quality System Inspection Technique (QSIT) and implemented Compliance Program 7382.850 — a revised inspection approach built around the ISO 13485 process-based structure rather than the subsystem-by-subsystem approach of the old QSR.


FDA QSR vs ISO 13485 vs QMSR — How They Relate

This is where manufacturers get confused, so it is worth being precise.

The old QSR was a standalone FDA regulation with its own requirements, its own terminology, and its own documentation structure. It has been retired.

ISO 13485:2016 is the international standard for medical device quality management systems, published by the International Organization for Standardization. It has always been used by regulatory authorities globally — including Health Canada, the EU MDR framework, and MDSAP participating countries — as the baseline for QMS requirements.

The QMSR is the new version of 21 CFR Part 820. It uses ISO 13485:2016 as its foundation by incorporating it by reference, while layering on U.S.-specific regulatory requirements that ISO 13485 does not fully address on its own.

Think of it this way: the QMSR is ISO 13485 plus the FDA-specific additions the agency determined were necessary to cover U.S. statutory obligations that go beyond what the international standard requires.

ISO 13485 does most of the heavy lifting. But QMSR is not simply “ISO 13485 with a new name.” Several FDA-specific obligations remain fully in force and cannot be satisfied by ISO 13485 conformance alone.


What the QMSR Kept — The Four FDA Bridge Requirements

The QMSR retained four categories of U.S.-specific requirements that remain unchanged and fully enforceable. These are sometimes called the QMSR “bridge requirements” — the FDA-specific obligations that ISO 13485 does not cover:

1. Medical Device Reporting (MDR)

Manufacturers must continue to report adverse events, malfunctions, and deaths or serious injuries involving their devices to the FDA under 21 CFR Part 803. ISO 13485 addresses post-market surveillance at a high level but does not specify MDR reporting timelines or mechanisms. The QMSR cross-references MDR explicitly in §820.10.

2. Unique Device Identification (UDI)

The UDI system — requiring device labeling to carry a unique identifier traceable in the FDA’s Global Unique Device Identification Database (GUDID) — continues unchanged under QMSR. ISO 13485 does not address UDI requirements. §820.10 explicitly cross-references UDI compliance.

3. Corrections and Removals

Reporting obligations for corrections and removals under 21 CFR Part 806 remain in force. Manufacturers must report corrections or removals initiated to reduce a risk to health or remedy a violation.

4. Device Tracking

Tracking requirements for certain high-risk device categories under 21 CFR Part 821 continue to apply.

A manufacturer whose QMS is fully ISO 13485 compliant but has not addressed these four areas is not QMSR compliant. This is the most important distinction in the entire QMSR framework.


What Changed Under the QMSR

The FDA’s QMSR transition introduced major changes beyond terminology — expanding risk management expectations, changing inspection structure, and aligning medical device quality systems directly with ISO 13485.

Beyond the structural shift to ISO 13485, several specific changes affect how manufacturers need to operate:

Terminology Alignment

The QMSR adopts ISO 13485 and ISO 9000 vocabulary, replacing legacy QSR-specific terms:

| Old QSR Term | QMSR / ISO 13485 Term |
|---|---|
| Device Master Record (DMR) | Medical Device File (MDF) |
| Design History File (DHF) | Design and Development File (DDF) |
| Device History Record (DHR) | Manufacturing Records |
| Quality System Record | Distributed across QMS documentation |

Manufacturers are not required to rename every document immediately — but QMS documentation, training materials, and internal audit programs should be progressively aligned to ISO 13485 terminology to avoid confusion during inspections.

Risk Management Extends Across the Entire QMS

Under the old QSR, risk management was concentrated primarily in design controls. Under QMSR — consistent with ISO 13485 and its companion standard ISO 14971 — risk-based thinking now extends across the entire quality system, including supplier controls, manufacturing processes, CAPA, complaint handling, and post-market activities. This is a substantive operational shift, not a documentation update.

Internal Audits and Management Reviews Are Now Inspection Territory

Under QSR, internal audits were required but the FDA’s QSIT inspection process did not focus on them directly. Under QMSR and Compliance Program 7382.850, internal audits and management reviews are within the FDA’s inspection scope. Investigators will evaluate whether your internal audit program functions as a process-based system consistent with ISO 13485 Clause 8.2.4 requirements.

Inspection Structure Changed

The FDA’s inspection approach under CP 7382.850 evaluates how quality subsystems function as an interconnected framework rather than auditing them in isolation. Inspectors follow issues across processes — a finding in complaint handling may lead directly into CAPA, risk management, and design controls in the same inspection.

ISO 13485 Must Be Controlled as an External Document

Because QMSR incorporates ISO 13485 by reference, manufacturers are required to control the standard as an external document within their QMS under ISO 13485 Clause 4.2.4. This means purchasing the official standard and maintaining version control — a detail many manufacturers miss entirely.



Does ISO 13485 Certification Satisfy QMSR?

ISO 13485 certification provides the foundation for QMSR compliance — but manufacturers must still address FDA-specific bridge requirements, inspection readiness, and process-based audit expectations.

This is the most common question manufacturers ask after the QMSR took effect, and the answer requires precision.

ISO 13485 certification helps significantly — but does not automatically guarantee QMSR compliance.

ISO 13485 certification from an accredited certification body demonstrates that your QMS meets the international standard’s requirements. Under QMSR, that foundation now aligns with what the FDA expects at the structural level. If your organization is already ISO 13485 certified, the gap between your current QMS and QMSR compliance is substantially smaller than it was under the old QSR.

However, ISO 13485 certification does not cover the four FDA bridge requirements — MDR, UDI, corrections and removals, and device tracking. It also does not replace FDA inspections. The FDA retains full enforcement authority under U.S. law regardless of third-party certification status. An ISO 13485 certificate is not a substitute for FDA inspection readiness.

The practical position: ISO 13485 certification gets you approximately 80–85% of the way to QMSR compliance. The remaining work is ensuring the FDA bridge requirements are explicitly addressed in QMS documentation, records and labeling controls map to both ISO 13485 and FDA expectations, and your internal audit program is prepared for the process-based inspection approach under CP 7382.850.

If you are not yet ISO 13485 certified and are subject to QMSR, pursuing certification is the most efficient path to demonstrating compliance with the regulation’s foundation.



The Role of ISO 14971 Under QMSR

ISO 14971 — Risk Management for Medical Devices — plays a critical role in QMSR compliance that is consistently underestimated.

Under the old QSR, risk management was primarily concentrated in design controls. Under QMSR, risk-based thinking is expected throughout the entire quality system. ISO 14971 provides the formal risk management framework — hazard identification, risk estimation, risk evaluation, risk control, and residual risk evaluation — that ISO 13485 requires manufacturers to implement but does not itself specify in detail.

ISO 13485 explicitly requires compliance with ISO 14971. Under QMSR, that requirement carries federal regulatory weight. FDA investigators under CP 7382.850 are expected to start inspections with the risk management file as their roadmap — following risk documentation into design controls, production controls, CAPA, and post-market surveillance.

If your QMS does not have a well-documented, lifecycle-integrated risk management program built on ISO 14971, this is your highest-priority gap under QMSR.


For the complete relationship between ISO 13485 and ISO 14971, see ISO 9001 vs ISO 13485 — Key Differences.


QMSR Gap Assessment — Where to Start


Manufacturing compliance gap assessment scale showing audit readiness levels with 0–2 gaps as audit ready, 3–5 gaps as moderate risk, and 6+ gaps as high risk
A simple gap assessment can quickly show whether your operation is audit-ready — or at risk of failure.

For manufacturers currently operating under the old QSR framework, a structured gap assessment is the most efficient starting point. Key areas to evaluate:

Documentation and terminology. Map your existing QMS documents to ISO 13485 clause requirements. Identify where legacy QSR terminology (DMR, DHF, DHR) appears and plan progressive alignment to ISO 13485 vocabulary. Your team and your auditors need to understand the mapping.

Risk management integration. Assess whether your risk management program is limited to design controls or extends across supplier qualification, production processes, CAPA, complaint handling, and post-market surveillance as ISO 14971 and QMSR require.

FDA bridge requirements. Confirm that MDR, UDI, corrections and removals, and device tracking obligations are explicitly addressed in QMS procedures and cross-referenced in §820.10 documentation.

Internal audit program. Update your internal audit program to reflect process-based auditing across interconnected QMS elements rather than subsystem-by-subsystem evaluation. Ensure auditors understand the QMSR inspection approach under CP 7382.850.

Supplier controls. ISO 13485 Clause 7.4 has more prescriptive supplier control requirements than the old QSR. Review supplier qualification procedures, quality agreements, and monitoring programs against ISO 13485 requirements.

External document control. Confirm that ISO 13485:2016 and ISO 14971 are registered as external documents in your QMS with version control — this is now a regulatory requirement, not optional housekeeping.


From the Shop Floor

Successful QMSR transitions are driven by honest gap assessments, operational team involvement, and proactive cleanup of long-standing documentation and compliance weaknesses.

After 25 years managing quality systems in heavy industrial manufacturing, I have watched more regulatory transitions than I care to count. Most follow the same pattern: the announcement creates anxiety, the implementation period creates confusion, and the actual change — once you get to it — turns out to be more manageable than the noise suggested.

The QMSR transition is no different, with one important caveat.

The manufacturers who are struggling right now are the ones who treated the QSR as a compliance exercise rather than an operational system. If your QMS was built as a documentation binder rather than a living process framework, QMSR is going to expose that gap — not because the regulation is fundamentally harder, but because the ISO 13485 process-based approach assumes your quality system actually runs your operations, not the other way around.

The manufacturers I have seen navigate transitions like this most effectively do three things. They conduct an honest gap assessment before anyone from the outside asks them to. They involve their operations team — not just regulatory affairs — in the remediation. And they treat the transition as an opportunity to clean up years of accumulated documentation debt rather than a compliance burden to minimize.

QMSR gives you a cleaner, more internationally aligned framework. The manufacturers who approach it that way will come out of this transition with stronger systems and less audit friction. The ones who treat it as a box-checking exercise will find the new inspection approach under CP 7382.850 less forgiving than the old QSIT was.


Getting ISO 13485 Certified Under the QMSR Framework

If your organization is not yet ISO 13485 certified, QMSR provides a clear incentive to pursue it. An accredited ISO 13485 certificate demonstrates to customers, regulators, and trading partners that your QMS meets the international standard that now forms the foundation of U.S. medical device regulation.

For certification: ISOQAR is a UKAS-accredited certification body with experience in medical device quality management system assessments.


For training: BSI Group offers ISO 13485 training covering requirements interpretation, internal auditing, and implementation — suitable for quality managers, regulatory affairs professionals, and internal auditors preparing for the QMSR inspection environment.



Quick Reference Comparison Table

| Element | Old FDA QSR | ISO 13485:2016 | QMSR (Current) |
|---|---|---|---|
| Effective date | 1996 (revised) | 2016 | February 2, 2026 |
| Regulatory basis | U.S. federal regulation | International standard | U.S. federal regulation |
| Structure | FDA-specific requirements | ISO Harmonized Structure | ISO 13485 by reference + FDA additions |
| Terminology | DMR, DHF, DHR | MDF, DDF, manufacturing records | ISO 13485 terms (progressive alignment) |
| Risk management scope | Primarily design controls | Full lifecycle (ISO 14971) | Full QMS — ISO 14971 expected |
| MDR requirements | Yes | No | Yes (§820.10 cross-reference) |
| UDI requirements | Yes | No | Yes (§820.10 cross-reference) |
| Inspection program | QSIT | Third-party certification audit | CP 7382.850 (process-based) |
| ISO 13485 certification | Not required | Third-party certification | Strongly recommended, not sufficient alone |

Frequently Asked Questions

What is the QMSR and when did it take effect?

The Quality Management System Regulation (QMSR) is the amended version of 21 CFR Part 820, effective February 2, 2026. It replaced the legacy FDA Quality System Regulation (QSR) by incorporating ISO 13485:2016 by reference as the foundational quality system framework for U.S. medical device manufacturers.

What is the difference between the FDA QSR and the QMSR?

The old QSR was a standalone FDA regulation with its own requirements and terminology — DMRs, DHFs, DHRs, and the QSIT inspection approach. The QMSR replaced it with a framework built on ISO 13485:2016, adopted by reference, while retaining four U.S.-specific bridge requirements: Medical Device Reporting, UDI, corrections and removals, and device tracking.

Does ISO 13485 certification satisfy QMSR requirements?

ISO 13485 certification provides approximately 80–85% of the foundation for QMSR compliance. However, it does not cover the four FDA-specific bridge requirements and does not replace FDA inspections. A targeted QMSR gap assessment is necessary even for fully ISO 13485 certified organizations.

Is ISO 14971 required under QMSR?

Yes. ISO 13485 explicitly requires risk management per ISO 14971, and under QMSR that requirement carries federal regulatory weight. Risk-based thinking under QMSR extends across the entire quality system — not just design controls as under the old QSR. ISO 14971 is the expected framework.

What are the four QMSR bridge requirements that ISO 13485 does not cover?

Medical Device Reporting (MDR) under 21 CFR Part 803, Unique Device Identification (UDI), Corrections and Removals under 21 CFR Part 806, and Device Tracking under 21 CFR Part 821. These remain fully enforceable under QMSR regardless of ISO 13485 certification status.

What happened to the old QSR terminology — DMR, DHF, DHR?

The QMSR adopts ISO 13485 terminology. Device Master Record (DMR) becomes Medical Device File (MDF), Design History File (DHF) becomes Design and Development File (DDF), and Device History Record (DHR) maps to Manufacturing Records. Manufacturers are not required to rename documents immediately but should plan progressive alignment to ISO 13485 terminology.

What is FDA Compliance Program 7382.850?

CP 7382.850 is the FDA’s new inspection program implemented February 2, 2026, replacing the retired Quality System Inspection Technique (QSIT). It uses a process-based inspection approach aligned with ISO 13485 structure, evaluating how quality subsystems function as an interconnected framework rather than auditing them in isolation.

Does ISO 9001 certification satisfy QMSR?

No. ISO 9001 and ISO 13485 share a structural framework but serve different regulatory purposes. ISO 9001 certification does not satisfy ISO 13485 requirements and is not accepted by the FDA under QMSR. See ISO 9001 vs ISO 13485 for the complete comparison.


📥 Free Resources

Not Sure What to Do Next?

Start with a structured gap assessment before engaging a certification body. The free ISO 13485 Gap Assessment Checklist covers every clause area plus all four QMSR bridge requirements — so you know exactly where you stand before you spend money on implementation.


The QSR Is Gone. The QMSR Is What the FDA Expects Now.

The FDA replaced the QSR in 21 CFR Part 820 with the QMSR on February 2, 2026. ISO 13485:2016 is now the structural backbone of U.S. medical device quality regulation. That is not an update to a voluntary standard — it is a fundamental shift in what federal regulation requires from every manufacturer in the U.S. medical device supply chain.

For manufacturers previously operating only under the QSR framework: your system needs to be restructured around ISO 13485. For ISO 13485 certified organizations: your certification provides a strong foundation, but the four FDA bridge requirements and the updated inspection approach under CP 7382.850 require targeted attention. For ISO 9001 certified manufacturers in the medical device supply chain: the supply chain pressure is coming. The pattern that played out in automotive and aerospace — sector-specific quality standards flowing down the supply chain — is now playing out in medical devices.

At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.
