By Neelank Tiwari in FDA — 14 Dec 2025

ISO 13485 and QMSR: What Your Certification Actually Means Now

If you're ISO 13485:2016 certified, you might assume QMSR transition is automatic. After all, QMSR incorporates ISO 13485:2016 by reference. Same requirements, same regulation—right? Not quite. Your certification demonstrates compliance with ISO 13485:2016, but QMSR adds FDA-specific requirements

Reading time: 12 minutes | Last updated: December 2025

If you're ISO 13485:2016 certified, you might assume QMSR transition is automatic. After all, QMSR incorporates ISO 13485:2016 by reference. Same requirements, same regulation—right?

Not quite. Your certification demonstrates compliance with ISO 13485:2016, but QMSR adds FDA-specific requirements and expectations that your certification audit may not have addressed. And certification doesn't automatically mean your records are ready for FDA inspection.

This article clarifies what your ISO 13485 certification means under QMSR, what gaps may still exist, and what actions certified companies should take before February 2, 2026.

In this article:

What certification covers (and what it doesn't)
FDA-specific additions not in ISO 13485
Why certified companies still have QMSR gaps
Priority actions for ISO-certified companies
Certification maintenance under QMSR

What Your Certification Actually Demonstrates

ISO 13485:2016 certification means:

A registrar has audited your QMS against ISO 13485:2016 requirements and determined you conform to the standard. The audit scope covers your registered activities (design, manufacturing, distribution, etc.).

You maintain ongoing compliance through surveillance audits (typically annual) and recertification audits (typically every three years).

Your QMS addresses the requirements in ISO 13485:2016 Clauses 4-8: quality management system, management responsibility, resource management, product realization, and measurement/analysis/improvement.

This is valuable. It demonstrates a functioning quality management system meeting internationally recognized requirements. Under QMSR, it's a strong foundation.

What Certification Doesn't Guarantee

Compliance with FDA-specific additions: QMSR includes requirements in 820.35 (QMS software) and 820.45 (labeling) that aren't in ISO 13485. Your certification audit didn't assess these.

Inspection-ready records: Certification audits sample records. FDA inspections can be more intensive and detailed. Records that passed certification sampling may not withstand FDA scrutiny.

Implementation of FDA interpretations: FDA may interpret ISO 13485 requirements differently than your certification auditor. What satisfied your registrar may not satisfy FDA.

Current compliance: Certification represents a point-in-time assessment. Compliance can drift between audits.

FDA-Specific QMSR Additions

Two requirements in QMSR exist beyond ISO 13485:2016:

820.35 Control of Records

What it requires: Specific content requirements for complaint records, service records, and device identification (including UDI) that go beyond ISO 13485.

Why this matters for certified companies: ISO 13485 Clause 8.2.2 (complaints) and servicing requirements are less prescriptive than QMSR 820.35. FDA added specific content requirements:

Complaint records must include when complaints should be investigated
Service records must include specific information about servicing activities
All device records must include UDI, unique product code (UPC), or other device identification
Confidential/proprietary information must be marked appropriately

Your certification audit assessed ISO 13485 complaint and servicing requirements, but may not have verified the specific content elements FDA added in QMSR 820.35.

Action required:

Review complaint record templates to ensure all QMSR 820.35 content requirements are captured
Review service record templates to ensure compliance with 820.35 requirements
Verify UDI/device identification is documented in all device records
Establish procedures for marking confidential information provided to FDA"

820.45 Device Labeling

What it requires: Procedures shall include a process to verify labeling requirements are met, including inspections to verify that labeling activities have been performed correctly.

Why this matters for certified companies: ISO 13485 addresses labeling requirements in Clause 7.5.1 (production controls) but doesn't specifically require labeling inspection procedures with the FDA's level of specificity.

Action required:

Verify labeling inspection procedures exist
Ensure procedures address label accuracy verification
Document contamination prevention measures
Verify release procedures include labeling verification

Why Certified Companies Still Have Gaps

Even with current ISO 13485:2016 certification, gaps commonly exist:

Gap 1: Records Not FDA-Inspection Ready

The issue: Certification audits sample records. Auditors look for evidence that processes exist and are generally followed. They don't examine every record with the intensity of an FDA inspection.

Common problems:

Management review records that are informal or incomplete
Internal audit reports lacking clear findings documentation
Corrective action records without effectiveness verification evidence
Training records without competence evaluation documentation

Action required: Review records in areas FDA commonly examines with the assumption an investigator will request detailed documentation.

Gap 2: Definitions and Interpretations May Differ

The issue: ISO auditors and FDA investigators may interpret the same requirement differently.

Examples:

"Risk-based approach" interpretation
"Appropriate" validation extent
"Effective" corrective action
"Competent" personnel

Your approach may satisfy your registrar but not align with FDA expectations.

Action required: Review FDA guidance documents for interpretation clarity. Consider how FDA has cited similar requirements in warning letters.

Gap 3: Scope Differences

The issue: Your ISO 13485 certification has a defined scope (e.g., "Design and manufacture of Class II orthopedic devices"). QMSR applies to all activities subject to FDA quality system requirements.

If activities exist outside your certification scope, they may not have been assessed against ISO 13485 requirements.

Action required: Verify your certification scope covers all FDA-regulated activities. If gaps exist, address them.

Gap 4: Certification to 2003 Version

The issue: Some companies maintain certification to ISO 13485:2003 rather than the 2016 version. QMSR specifically incorporates ISO 13485:2016.

Key differences between 2003 and 2016:

Risk-based thinking requirements (2016)
Software validation requirements (2016)
Feedback system requirements (2016)
Customer communication requirements (2016)

Action required: If certified to 2003, transition to 2016 certification immediately or ensure compliance with 2016 requirements regardless of certification status.

Priority Actions for ISO-Certified Companies

Given your certification, focus on these priorities:

Priority 1: Address FDA-Specific Additions (Week 1-2)

820.35 QMS Software:

Complete QMS software inventory
Review validation documentation completeness
Document validation approach for any gaps
Establish revalidation criteria

820.45 Labeling:

Review labeling inspection procedures
Verify accuracy verification is documented
Ensure release includes labeling verification

Priority 2: Prepare Records for FDA Inspection (Week 2-4)

Management Review:

Review last 2-3 management review records
Verify all required inputs addressed
Confirm outputs include decisions and actions
Document follow-up on action items

Internal Audit:

Review recent audit reports
Verify findings are clearly documented
Confirm corrective actions tracked to closure
Document auditor qualifications

Supplier Audits:

Review supplier audit reports
Verify findings addressed
Prepare records for potential FDA review

Priority 3: Verify Current Compliance (Week 3-5)

Conduct focused self-assessment:

Review procedures against ISO 13485:2016 requirements
Interview process owners about actual practice
Sample records for compliance evidence
Identify any drift since last certification audit

Address any gaps found:

Document findings
Implement corrective actions
Verify effectiveness

Priority 4: Update References (Week 4-6)

Quality Manual:

Reference QMSR and ISO 13485:2016
Acknowledge FDA-specific requirements
Update terminology if desired

Procedures:

Review for current regulatory references
Update citations as appropriate
Ensure 820.35 and 820.45 addressed

Certification Maintenance Under QMSR

Your Certification Remains Valid

ISO 13485:2016 certification remains valuable under QMSR. It demonstrates:

Third-party verification of QMS compliance
Ongoing surveillance and maintenance
Commitment to international quality standards

FDA Won't Accept Certification as Compliance Proof

Important distinction: Certification demonstrates compliance to a registrar. It doesn't constitute FDA compliance determination.

FDA can still:

Inspect your facility
Issue 483 observations
Take regulatory action

Your certification is helpful context, not regulatory immunity.

Registrar Scope May Need Updating

If your certification scope doesn't mention FDA requirements or QMSR, consider discussing with your registrar. Some companies update certification scope to explicitly reference FDA regulatory compliance.

Surveillance Audits Continue

Continue maintaining your certification through normal surveillance audit cycles. The ongoing third-party assessment remains valuable.

Leveraging Your Certification Advantage

Certified companies have real advantages in QMSR transition:

Foundation is solid: Your QMS already meets most ISO 13485:2016 requirements. The structure is there.

Personnel understand ISO: Your team knows ISO 13485 terminology and structure. No learning curve on the basics.

Documentation exists: Procedures and records exist for most requirements. Focus is on refinement, not creation.

Audit culture established: Your organization is accustomed to external assessment. FDA inspection shouldn't be dramatically different.

Use these advantages to:

Focus effort on FDA-specific gaps
Prepare records for more intensive FDA scrutiny
Apply your established processes to close any gaps

Do You Need to Get Certified?

If you're not currently ISO 13485 certified, QMSR doesn't require you to become certified.

QMSR requires: Compliance with ISO 13485:2016 requirements (plus FDA additions).

QMSR doesn't require: Third-party certification.

However, certification may make sense for:

International market access (EU, Canada, etc.)
Customer requirements
Competitive differentiation
Third-party verification of compliance

If you're considering certification, ensure you target ISO 13485:2016 certification (not older versions) and include FDA regulatory compliance in your scope discussion.

Note on QMS Software Validation (ISO 13485 Clause 4.1.6)

While not an FDA-specific addition (it's already in ISO 13485:2016), QMS software validation is worth reviewing for QMSR readiness:

What it requires: ISO 13485 Clause 4.1.6 requires validation of computer software used in the QMS (document control, CAPA, complaints, training, etc.), with validation extent proportionate to risk.

Why this matters: Your certification audit likely verified you have a QMS software validation process, but you should ensure:

All QMS software is inventoried and risk-classified
Validation documentation is complete and proportionate to risk
Revalidation criteria for software changes are defined
Validation approach is documented

This is an ISO 13485:2016 requirement (already part of your certification), not a unique FDA addition—but it's commonly underdocumented and worth reviewing

ISO 13485 certified but uncertain about QMSR readiness?

QMS.Coach can assess your current certification against QMSR requirements and identify any gaps. Our team understands both ISO certification expectations and FDA inspection realities.

Book a Free 15-Minute Consultation →

QMS.Coach LLC | neel@qms.coach