For nearly thirty years, medical device companies selling in the US and abroad lived with two overlapping-but-different rulebooks: the FDA's Quality System Regulation (QSR) at 21 CFR Part 820, and ISO 13485, the international quality management standard used by regulators across Europe, Canada, Australia, Japan, and beyond. The two agreed on philosophy and diverged on details — enough that companies maintained crosswalk matrices, duplicate procedures, and two vocabularies for the same work.
That era formally ended on February 2, 2026, when the FDA's Quality Management System Regulation (QMSR) took effect. The QMSR keeps the "Part 820" address in the CFR but replaces the old QSR text, incorporating ISO 13485:2016 by reference and adding a focused set of US-specific requirements on top. So is the comparison finally moot? Mostly — but not entirely, and the differences that remain are exactly the ones that trip up startups planning their regulatory strategy.
What's now the same
Under the QMSR, the substance of FDA's quality system expectations is ISO 13485:2016. Design controls, document control, CAPA, purchasing and supplier controls, management responsibility, process validation, production controls, the risk-based approach — one well-built quality system now satisfies the requirements text of both frameworks. For a startup, this is genuinely good news: you no longer design a QMS "for the FDA" and then bolt on ISO clauses for other markets. You build one system to ISO 13485's structure, add the US-specific layer, and you're speaking every major regulator's language.
What's still different
1. A regulation is not a certificate
This is the difference founders most often miss. 21 CFR 820 (the QMSR) is law — it applies automatically to anyone placing finished devices on the US market, and no one issues you a certificate for complying. ISO 13485 is a voluntary standard — you claim conformity by hiring an accredited certification body (a "registrar") to audit you and issue a certificate, which you then renew through surveillance audits. Complying with the QMSR does not make you "ISO 13485 certified," even though the requirements are now nearly the same. If a customer, distributor, or foreign regulator asks for your ISO 13485 certificate, only a registrar audit gets you one.
2. FDA inspections vs registrar audits
The FDA inspects; registrars audit. FDA inspections can be unannounced (for domestic manufacturers), are backed by enforcement power — Form 483 observations, Warning Letters, import alerts, consent decrees — and cost you nothing directly. Registrar audits are scheduled, contractual, and paid for by you; the worst outcome is losing your certificate. Your QMS has to be ready for both postures: the scheduled deep-dive and the investigator who shows up Tuesday morning.
3. The US-specific additions in the QMSR
The QMSR layers several requirements on top of ISO 13485 that a "pure ISO" quality system won't cover:
- Records control (§ 820.35): complaint and servicing records must support Medical Device Reporting (21 CFR Part 803) determinations, records must carry the UDI where applicable, and FDA's signature/date expectations apply.
- Labeling and packaging controls (§ 820.45): the FDA kept QSR-style labeling inspection requirements because it judged ISO 13485 insufficiently specific here.
- Statutory definitions: where the FD&C Act defines a term (device, labeling, manufacturer...), the statutory meaning controls over ISO's.
- Interlocking US regulations: 21 CFR Part 11 (electronic records and signatures), Part 803 (MDR), Part 806 (corrections and removals), and Part 830 (UDI) still apply alongside the QMSR — none of them exist in the ISO world.
4. Market access mechanics
ISO 13485 certification remains the currency of non-US market access: it underpins MDSAP (which Health Canada requires), supports EU MDR conformity assessment, and is expected by regulators and partners in most major markets. QMSR compliance, by itself, opens exactly one market — the US. A startup with global ambitions will usually end up needing both: QMSR compliance by law, and ISO 13485 certification by commercial and regulatory necessity abroad.
Side-by-side summary
| Dimension | FDA 21 CFR 820 (QMSR) | ISO 13485:2016 |
|---|---|---|
| Legal status | US federal regulation — mandatory for the US market | Voluntary international standard |
| Core requirements | ISO 13485:2016, incorporated by reference | ISO 13485:2016 |
| Extra requirements | US additions: records (§ 820.35), labeling/packaging (§ 820.45), FD&C Act definitions, ties to Parts 11 / 803 / 806 / 830 | None beyond the standard |
| Who checks | FDA investigators (inspections, potentially unannounced) | Accredited certification bodies (scheduled audits) |
| Outcome | Compliance (or 483s, Warning Letters, enforcement) | Certificate, maintained via surveillance audits |
| Markets served | United States | EU, Canada (via MDSAP), UK, Australia, Japan, and most others |
| Cost to you | No fee for inspections; you fund readiness | Certification and surveillance audit fees |
What should a startup actually build?
Build one quality system on ISO 13485's structure with the QMSR's US additions designed in from the start — not two systems, and not a US-only system you'll have to retrofit when a Canadian distributor asks for MDSAP. Then treat ISO 13485 certification as a business decision with a trigger: pursue it when a target market, customer, or partner requires the certificate, not before. That sequencing gets you US-compliant immediately while keeping every international door open for the cost of a registrar audit later.
This is exactly how BushmanQC builds every Virtual QMS: ISO 13485-structured, QMSR-compliant, with 21 CFR Part 11-compliant electronic signatures throughout — implemented in seven defined steps and sized for a startup's budget and team.
Planning your regulatory strategy?
Talk it through with Nellie Bushman in a free 30-minute consultation — which markets you're targeting, what your QMS needs now, and what can wait.
Book a Free ConsultationRelated reading: The FDA QMSR 10-point compliance checklist · What a QMS really costs a startup · Virtual QMS FAQ