FDA Compliance Tips: Meeting the FDA’s ISO Medical Device Standards
Learn What Medical Device Manufacturers Need to Know About the FDA’s ISO-Based Standards for Quality Management Systems
FDA ISO Medical Device Standards Team Lead
Former DOJ Attorney
Former Senior DOJ Trial Attorney
Medical device manufacturers have numerous compliance obligations at the federal level in the United States. This includes (but is not limited to) compliance obligations enforced by the U.S. Food and Drug Administration (FDA). The FDA recently overhauled its quality management system (QMS) requirements for medical device manufacturers—establishing its new “Quality Management System Regulation” (or “QMSR”) that aligns with ISO 13485:2016.
The ISO standards for medical devices are a set of international standards recognized by governmental authorities and self-regulatory organizations around the world. While the FDA has adopted ISO standards in the past, it was previously reluctant to adopt ISO 13485:2016 (and its predecessor, ISO 9001:2000) regarding quality management systems for medical devices. However, this changed in early 2024, when the FDA’s new Quality Management System Regulation became final after years of anticipation. ISO 13485 was revised to work better with the three European directives in the medical sector that govern medical devices, in vitro diagnostic medical devices, and active implantable medical devices.
ISO Compliance for Medical Device Manufacturers in the United States
Although the FDA’s QMSR is now final, it doesn’t take effect until early 2026. Until then, medical device manufacturers in the United States must maintain compliance with the FDA’s existing Quality System Regulation (QSR). But, they must also begin preparing to comply with the QMSR—which effectively means that they must begin preparing to comply with ISO 13485:2016. For manufacturers that sell their devices abroad, this is likely to be a welcome change. But, for all manufacturers, adoption of the QMSR (and ISO 13485:2016) will require various updates to their FDA compliance programs in the U.S., as the QSR and QMSR differ in several important respects.
While some manufacturers may choose to wait until 2026 to implement QMSR (ISO 13485:2016) compliance protocols, others may find it beneficial to do so now. The FDA acknowledges that this is the case—and it allows manufacturers to do so, provided that doing so does not put them in non-compliance with the QSR:
“FDA recognizes that it is important for manufacturers to prepare to align their practices with the QMSR as soon as practical, and some manufacturers may choose to begin complying with the QMSR before the effective date. However, FDA does not intend to require compliance with the QMSR until its effective date. Until then, manufacturers are required to comply with the [QSR]. FDA’s inspections are risk based and will continue to be consistent with section 510(h) of the [Food, Drug, and Cosmetic Act].”
In many cases, the QMSR (ISO 13485:2016) establishes more general requirements than the QSR—meaning that QSR compliance will satisfy the QMSR by default. The FDA also notes that, “the requirements in ISO 13485 are, when taken in totality, substantially similar to the requirements of the [QSR].” Even so, medical device manufacturers should not assume that QSR compliance necessarily equates to QMSR compliance (or vice versa), and they must take an informed and strategic approach to transitioning from the QSR to the QMSR that avoids inadvertent exposure to FDA enforcement and the penalties that come with it.
Preparing for QMSR (ISO 13485:2016) Compliance in the Medical Device Industry
With all of this in mind, what does a medical device manufacturer need to know about ISO compliance in the U.S. going forward? Here are some key insights from the FDA compliance lawyers and consultants at Oberheiden P.C.:
1. Medical Device Companies Cannot Focus Solely on ISO 13485:2016 Compliance
While compliance with ISO 13485:2016 will be a key aspect of FDA compliance for medical device manufacturers going forward, manufacturers cannot focus on this ISO exclusively. Even once the QMSR takes effect, manufacturers will still be required to comply with various non-ISO standards—including (but not limited to) those pertaining to pre-market authorization and other pre-market submissions. Additionally, while the FDA declined to incorporate ISO 14971 into the QMSR, it recognizes ISO 14971 as a “consensus standard,” which means that compliance with ISO 14971 is one way that manufacturers can meet the associated regulatory requirements in the United States.
2. The FDA-Adopted ISO Standards Focus Predominantly (But Not Exclusively) on Risk Management
The ISO standards adopted by the FDA to date (including ISO 13485:2016, which will become binding on medical device manufacturers in early 2026) focus largely on risk management. The FDA has identified several health and safety risks associated with all types of medical devices, and it expects manufacturers to proactively manage these risks on an ongoing basis. Risk management is a key aspect of overall FDA compliance, and it is up to manufacturers to ensure that they are doing everything that is necessary in light of the specific devices they sell and the unique aspects of their operations.
3. There Are Several Critical Aspects of FDA ISO Compliance
While risk management is one aspect of FDA ISO compliance, there are several additional critical aspects of FDA ISO compliance as well. For example, ISO 13485:2016 (and the current QSR) establish requirements pertaining to:
- Quality management systems
- Unique device identification
- Medical device labeling and packaging
- Medical device tracking
- Medical device reporting
- Corrections and removals
- Recordkeeping
At Oberheiden P.C., our lawyers and consultants assist medical device manufacturers with all aspects of FDA compliance—including medical device software and all pertinent aspects of ISO compliance. We can help you understand the full scope of your company’s obligations, and we can help your company implement policies and procedures that are designed to meet the FDA’s expectations both now and in the future.
4. A Custom-Tailored Approach to FDA ISO Compliance is Critical
While ISO establishes uniform standards for medical device manufacturers, and while the FDA’s adoption of ISO 13485:2016 is intended to harmonize compliance in the U.S. with compliance abroad, a custom-tailored approach to FDA ISO compliance is critical. Different companies will need to take different steps to effectively manage their risks, and each quality management system presents unique compliance-related considerations and concerns. Our lawyers and consultants can determine what is necessary for your company to comply, and we can assist with taking all of the necessary steps to ensure that your company is prepared to withstand the FDA’s scrutiny when necessary.
5. Medical Device Manufacturers Must Be Prepared to Demonstrate Compliance to the FDA
When it comes to withstanding FDA scrutiny, comprehensive documentation is the key to success. Medical device manufacturers that have clear and comprehensive documentation of their efforts to comply with all applicable ISO standards (and all other relevant laws and regulations) will be able to efficiently resolve FDA inquiries without unnecessary costs or delays in most cases. At Oberheiden P.C., we prioritize ensuring that our clients have the documentation they need to affirmatively demonstrate compliance—as documenting compliance is in many respects just as important as compliance itself.
FAQs: FDA ISO Compliance for Medical Device Manufacturers
What is the Difference Between QSR and QMSR?
The Quality System Regulation (QSR) establishes the FDA’s current requirements for medical device manufacturers. The Quality Management System Regulation (QMSR), which the FDA finalized in 2024, will replace the QSR when it becomes effective in February 2026. While there are many similarities between the QSR and QMSR, there are some critical differences that manufacturers will need to address before the QMSR takes effect.
What is the Difference Between QMSR and ISO 13485:2016?
The QMSR implements ISO 13485:2016 in the United States. While medical device manufacturers have long had to comply with ISO 13485:2016 in other countries, they have been subject to a different set of regulations implemented by the FDA. The QMSR (and thus ISO 13485:2016) will take effect in the U.S. in February 2026, but medical device manufacturers will want to begin assessing the QMSR’s implications now to ensure that they are prepared to make a timely transition.
Do Medical Device Manufacturers Need to Maintain ISO Compliance in the United States?
The answer to this question is a bit more complicated than it may initially seem. This is because the FDA has implemented some ISO standards—some directly, and some indirectly—and not others. Additionally, while the FDA issued a final rule adopting ISO 13485:2016 in 2024, the rule is not effective for two years. To ensure that they are complying with all relevant rules and requirements, medical device manufacturers should engage experienced FDA compliance counsel.
What Are the Risks of ISO Non-Compliance for Medical Device Manufacturers?
For medical device manufacturers, the risks of not complying with any rules or regulations enforced by the FDA are substantial. Not only can non-compliance lead to non-approval of manufacturers’ pre-market submissions, but it can lead to post-market penalties as well. These penalties can include fines, injunctions, and recalls—among others.
What Are the Keys to ISO 13485:2016 (QMSR) Compliance for Medical Device Manufacturers?
The keys to ISO 13485:2016 (QMSR) compliance for medical device manufacturers are a custom-tailored approach combined with comprehensive documentation. At Oberheiden P.C., we help our clients do what is necessary to meet all pertinent statutory and regulatory requirements, and we work with the FDA on behalf of our clients to demonstrate their compliance as necessary.
Speak with an FDA ISO Compliance Lawyer at Oberheiden P.C. Today
If you need to know more about FDA ISO compliance (including QMSR compliance), we invite you to get in touch. Call 888-680-1745 or contact us online to schedule a complimentary consultation at Oberheiden P.C. today.