
ISO 13485 vs FDA 21 CFR 820 – understand the differences

Are you developing medical devices for both the EU and the US? Learn how to avoid duplication and ensure compliance with both ISO 13485 and FDA’s 21 CFR 820.

You have received the green light to bring your company’s medical device to market in both the EU and the US.

You feel confident working with ISO 13485. But as soon as you dive into the FDA’s Quality System Regulation (QSR), 21 CFR 820, you realise that what seemed like a shared foundation suddenly requires adjustments, additional documentation and new processes.

This is a situation many quality professionals face: operating between two regulatory frameworks that look similar—but are not identical. Even small differences in terminology and practice can lead to major issues during audits, submissions or post-market activities.

That is why it is essential to understand the key differences—and know how to bridge them.

Key differences you need to know

Both ISO 13485 and FDA’s Quality System Regulation (21 CFR 820) define requirements for quality management systems for medical devices—but they do so in slightly different ways.

If you develop or manufacture devices for both the EU and the US, you need to navigate confidently between the two—and understand when processes and documentation can be reused, and when a more localised approach is required.

Here are the most important differences:

Risk management

ISO 13485 requires integration of ISO 14971 throughout the entire product lifecycle.

The FDA refers to risk management but does not formally mandate ISO 14971. This means you need to distinguish between best practice and regulatory requirements.

Design control

Design control is central in both frameworks, but FDA requirements under 21 CFR 820.30 are more detailed.

Documentation must be more rigorous, and you should be prepared to present it during inspections.

Management responsibility

Under the FDA regime, there is a stronger emphasis on active management responsibility for the effectiveness of the quality system.

This can impact both governance structures and internal accountability.

Terminology and structure

Many terms appear similar but differ in definition or documentation expectations.

Examples include Corrective and Preventive Action (CAPA) and complaint handling, where precision is critical.

How to handle both frameworks without duplicating work

1. Map differences and overlaps

Start with the processes and documents already in your quality management system—such as SOPs for risk management, design control, management review and CAPA.

Review them one by one and ask:

Does this process meet both ISO 13485 and 21 CFR 820 requirements?

Identify:

  • Where you already comply with both
  • Where gaps exist—especially where FDA requirements are more detailed

Use a simple mapping structure:

  • Existing process
  • ISO 13485 requirement
  • 21 CFR 820 requirement
  • Comments and gaps

Involve key stakeholders from QA, RA and production, and use your own products as case examples. This ensures relevance and operational realism.

2. Perform a targeted gap analysis

Once differences are identified, conduct a structured gap analysis to highlight where your system falls short.

Focus especially on areas where FDA requirements are more specific, such as:

  • Design History File (DHF) documentation
  • Complaint handling processes

Use the analysis strategically:

  • Where is regulatory risk highest?
  • Where is effort low but impact high?

FDA inspectors often expect documented awareness of these differences—even where pragmatic solutions are applied.

A focused gap analysis helps you improve your QMS without unnecessary overimplementation.

3. Train your team in both requirements—and the rationale

Compliance often fails when teams do not understand why requirements differ.

Ensure your team understands:

  • Why ISO and FDA expectations diverge
  • What constitutes sufficient documentation in each case

Use real examples where misunderstandings led to observations or findings.

Consider short, targeted training sessions or workshops—especially for QA, development and management.

When people understand the rationale, they take greater ownership—and your audit readiness improves.

4. Avoid duplication through shared processes and templates

There is no need to maintain parallel systems if one solution can meet both requirements.

Identify where shared approaches are possible:

  • Risk management
  • CAPA
  • Document control
  • Internal audits

Ensure templates clearly demonstrate compliance with both frameworks—for example by referencing both ISO clauses and CFR sections.

Maintain strict version control and clear ownership.

By building bridges instead of duplicating work, you create a more efficient and coherent QMS—with fewer resources and lower compliance risk.

 
 
