Preparing for ISO 13485 Harmonization: Where Do Things Stand Today?

In January 2024, the U.S. Food and Drug Administration (FDA) issued a final rule harmonizing its Quality System Regulation (QSR) with ISO 13485 for medical device quality management.

The move has been in the works since 2018, when the agency announced its intention to align quality regulations for medical devices with the globally recognized standard.

ISO 13485 harmonization has big implications for medical device manufacturers, who have until February 2, 2026 to comply with the new Quality Management System Regulation (QMSR).

With that in mind, let’s jump in and take a look at key elements of what ISO 13485 harmonization means for manufacturers, including:

• The benefits of harmonization and recent regulatory developments
• Where companies stand today in terms of aligning to the new standard
• Key changes for medical device manufacturers to have on their radar
• Actions to prioritize to streamline the transition

Watch a free webinar on How to Prepare for a Successful Audit Using an Automated QMS

ISO 13485 Harmonization Explained

The new QMSR replaces most requirements in 21 CFR Part 820, incorporating ISO 13485 by reference, retaining a select number of requirements to maintain consistency with other FDA regulations.

The main reasons why the FDA is aligning quality regulations with ISO 13485 boil down to two key elements: consistency and modernization.

Many U.S. device manufacturers sell products globally, where ISO 13485 is widely accepted as the gold standard in medical device quality management. In this context, alignment of FDA regulations with ISO 13485 helps medical device manufacturers by:

1. Reducing the regulatory burden: Organizations will no longer have to comply with separate sets of requirements for FDA, ISO 13485 and other global regulations.
2. Streamlining compliance activities: Using ISO 13485 as a baseline means organizations have fewer requirements to meet overall to obtain approvals not just in the U.S., but also other countries.
3. Facilitating entry into global markets: A streamlined set of regulatory requirements makes it easier for manufacturers to market and sell their devices abroad.
4. Reducing costs: The FDA expects that these improvements will result in significant cost savings for device manufacturers, to the tune of more than $500 million annually.

In terms of modernization, it’s worth noting that the existing QSR has changed little since it was first published in 1996. The medical device industry today looks much different than it did then as products have become more complex. Furthermore, expectations around risk and safety have also increased dramatically.

In this sense, ISO’s focus on risk-based thinking played a key role in the FDA’s desire to align the QSR with ISO 13485. Because while the QSR mentions risk management, ISO 13485 makes it a central theme, recognizing the fact that reducing risk is at the very heart of protecting patient safety.

Recent Developments

The FDA first released the proposed rule to update the QSR in February of 2022. The proposal was largely welcomed by the medical device industry, which has long struggled with the complexity of meeting different requirements in the U.S., EU and other countries.

After the comment period, the FDA made a few changes based on the feedback the agency received:

• The transition period was extended from one year to two years, acknowledging that one year wasn’t sufficient time to make the changes necessary to comply with the new law.
• Definitions for terms like “nonconformity” and “verification” now mirror those in ISO 9001.

Where Do Companies Stand Today?

According to ISO Survey data, the number of ISO 13485 certificates increased by over 20% from 2021 to 2023. It’s a clear indication that companies are laying the groundwork to ensure compliance with the new QMSR.

While large multinational organizations likely have more experience with ISO 13485, the Regulatory Affairs Professionals Society (RAPS) reports that some experts are still concerned that smaller companies may be struggling. Companies that primarily market their devices as the U.S., as well as those without in-house ISO 13485 expertise, will likely face a steeper learning curve.

The good news is that, as the FDA has pointed out, ISO 13485 requirements are already “substantially similar” to those found in the existing QSR. That said, there are some key differences that companies need to be aware of, which we look at next.

From QSR to QMSR: Key Changes

Part of the drive to replace the existing QSR with ISO 13485 is the fact that the two have so much overlap. Even so, there are important differences. In some cases, FDA requirements go further than ISO 13485, and vice versa, so it’s vital that companies take time to sift through the new regulation to understand where it affects them.

Below, we address some of the biggest areas that manufacturers need to pay attention to.

Risk Management

Throughout the harmonization process, the FDA has emphasized that risk management has always been part of 40 CFR Part 820. Experts at MedDeviceOnline point out, however, that the original QSR only mentions risk once, in the context of design validation.

By contrast, explicit references to risk management are woven throughout multiple clauses of ISO 13485, making risk management across the product development lifecycle a centerpiece of compliance. The FDA also points specifically to ISO 14971 for medical device risk management as a key resource in understanding how to apply ISO 13485.

Documentation Requirements

Another major difference seen in the new QMSR is its heightened emphasis on documentation. One example pertains to the quality manual, something required under 13485 that wasn’t required under the previous QSR.

In other cases, FDA has specific requirements that go further than ISO 13485, specifically in areas such as:

• Record traceability and control: QMSR strengthens requirements pertaining to change control of records (e.g., approval signatures and dates). It also requires backup of QMS records, as opposed to just defining controls for security in ISO 13485.
• Design and development: The new standard requires a documented design development plan, where ISO 13485 does not.
• Labeling and packaging: New requirements in the QMSR focus specifically on labeling and packaging procedures, which are frequently linked to recalls.

 Supplier Management

While the QSR includes requirements for having supplier controls, it doesn’t go as far as ISO 13485, which outlines a more systematic approach that includes:

• Risk-based supplier selection, evaluation, and performance monitoring
• Formal reevaluation processes based on supplier performance
• Full documentation of supplier quality management processes

Making Your QMSR Compliance Action List

With the compliance deadline looming just roughly a year away, medical device companies should have a plan in place to make sure they’re ready to meet the new requirements.

Several action items should be on your priority list here:

• Understanding QMSR, ISO 13485 and ISO 14971: In some areas, the new QSMR goes further than ISO 13485, so manufacturers should read through the entire rule published in the Federal Register. ISO 13485 also refers to certain ISO 14971 requirements that manufacturers must meet, making a solid understanding of both of those standards crucial as well.
• Performing a gap analysis: An ISO 13485 certificate is not equivalent to QMSR compliance, so even manufacturers certified to the standard need to perform a gap analysis.
• Updating risk management processes: Device manufacturers should look to incorporate risk assessments into every stage of the product lifecycle, from product design to post-market surveillance. You also need to make sure these risk management activities are fully documented, as it’s certain to be an area of focus during FDA inspections.
• Enhancing supplier controls: Many companies may need to shore up their supplier controls to ensure compliance with the new regulation. It’s particularly important to look at areas where supplier quality has a direct impact on product safety or effectiveness.
• Investing in training and support: If you don’t already have in-house regulatory expertise related to ISO 13485, now is the time to be looking for external support. Companies need to leave plenty of time to implement any new recommendations well in advance of the February 2026 compliance deadline.
• Leveraging QMS software: Automated QMS software can significantly streamline the transition to the new QMSR regulation. Built-in tools like FMEA, complaint handling, supplier management and more create a documented record of compliance while also demonstrating a strong compliance posture during FDA audits.

Conclusion

After years of waiting, the new QMSR is finally here. Manufacturers have no time to waste in preparing for compliance with the expanded set of requirements, so now is the time to make sure you have everything in place to navigate the transition effectively.

When looking to meet compliance with the new regulation, QMS automation provides a foundation for meeting compliance with several key sections of the new regulation, including risk management, supplier quality, post-market surveillance and more.

Ultimately, the harmonization can have lasting impacts not just on reducing the compliance burden, but also helping accelerate the process of getting products to patients who need them.

Download a free brochure on AssurX Risk Management to learn how QMS software helps mitigate risk

About the Author

Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.