Your ISO 13485 quality management system is the foundation of every successful FDA 510(k) submission. From design controls and risk management to the new QMSR harmonization — understand exactly how QMS quality drives regulatory clearance.
By Jared Clark, JD, MBA, PMP, CMQ-OE, RAC — Updated February 2026
200+
Clients Served
100%
First-Time Pass
RAC
RAPS Certified
The FDA 510(k) premarket notification is the most common pathway to U.S. market access for medical devices. Each year the FDA reviews approximately 3,000 to 4,000 510(k) submissions, clearing the majority of Class II medical devices — from surgical instruments and diagnostic imaging equipment to cardiovascular stents and software as a medical device (SaMD). But behind every successful 510(k) clearance lies a well-documented quality management system, and ISO 13485 is the internationally recognized standard that defines what that quality system must look like.
Many manufacturers make the mistake of treating the 510(k) submission as a standalone regulatory exercise — assembling predicate comparisons, performance data, and biocompatibility reports without a systematic quality infrastructure to support them. This approach creates immediate problems: design control records that lack traceability, risk management files that do not follow ISO 14971 methodology, and testing protocols that were never formally validated. The result is preventable Additional Information (AI) requests from FDA reviewers, delays that add months to your time-to-market, and a quality system that will not survive the inevitable FDA facility inspection that follows 510(k) clearance.
The smarter approach — and the one that organizations with experienced ISO 13485 quality management systems follow — is to build the QMS first and let the 510(k) submission emerge naturally from the quality system's outputs. When your design controls, risk management, verification and validation activities, and supplier controls are all running within an ISO 13485 framework, the 510(k) submission is essentially a compilation of records your QMS already produces.
A 510(k) is a premarket submission made to the FDA to demonstrate that a new medical device is substantially equivalent to a legally marketed predicate device. Substantial equivalence means the new device has the same intended use as the predicate and either has the same technological characteristics or has different technological characteristics but does not raise new questions of safety and effectiveness. The 510(k) pathway applies primarily to Class II devices, though some Class I devices with special controls and certain Class III devices pending reclassification also use this route.
There are three types of 510(k) submissions: Traditional, Special, and Abbreviated. The Traditional 510(k) is the most common and requires the most comprehensive documentation. The Special 510(k) is available for modifications to a manufacturer's own cleared device when the modification does not affect intended use or alter the fundamental scientific technology. The Abbreviated 510(k) relies on guidance documents, special controls, or recognized consensus standards to streamline the equivalence demonstration. Regardless of type, all 510(k) submissions benefit from a robust ISO 13485 QMS backing the documentation.
ISO 13485 Clause 7.3 design controls produce the Design History File (DHF) — the single most important document linking your quality system to your FDA submission.
The design plan defines development phases, team responsibilities, review milestones, and V&V activities. Design inputs capture all functional, performance, safety, usability, and regulatory requirements — including applicable FDA guidance documents and recognized consensus standards. These inputs form the foundation of your 510(k) substantial equivalence argument.
510(k) impact: Predicate comparison table, intended use statement, and indications for use are all derived from design inputs.
Design verification confirms outputs meet inputs through bench testing, electrical safety testing, mechanical testing, and software verification. Design validation confirms the device meets user needs under actual or simulated use conditions. Both are required by ISO 13485 Clause 7.3.6 and 7.3.7, and the test reports feed directly into the 510(k) performance data section.
510(k) impact: Performance test reports, software validation, and clinical evidence (if required) all come from V&V activities.
Design transfer ensures the finalized design can be reliably reproduced in manufacturing. Process validation (IQ/OQ/PQ), manufacturing instructions, inspection procedures, and packaging validation are all documented. The complete DHF — capturing the entire design history from concept through transfer — serves as the authoritative record that your device was developed under controlled conditions.
510(k) impact: Manufacturing information, sterilization validation, and shelf-life data for the submission come from design transfer outputs.
A medical device startup engaged our team to build their ISO 13485 QMS from scratch while simultaneously developing their Class II in-vitro diagnostic device. By structuring design controls from day one, we produced a submission-ready DHF with fully traceable design inputs, comprehensive V&V reports per recognized consensus standards, and an ISO 14971-compliant risk management file. The Traditional 510(k) was cleared by FDA in 97 days with zero Additional Information requests — well under the average timeline. The company's QMS also passed its ISO 13485 Stage 2 certification audit with zero major nonconformities.
The risk management file is one of the most scrutinized components of any 510(k) submission. FDA reviewers expect to see a systematic, documented approach to hazard identification, risk estimation, risk evaluation, and risk control — and ISO 14971:2019 is the recognized consensus standard that defines this methodology. ISO 13485 Clause 7.1 requires risk management throughout product realization, making ISO 14971 an integral part of your quality management system, not an afterthought bolted onto the submission.
For 510(k) purposes, the risk management file must demonstrate several critical elements. First, a comprehensive hazard analysis that identifies all reasonably foreseeable hazards associated with the device in both normal use and foreseeable misuse conditions. Second, a risk estimation for each identified hazardous situation, typically using a severity-by-probability matrix with clearly defined risk acceptability criteria. Third, documented risk control measures following the priority hierarchy: inherently safe design first, then protective measures, then information for safety. Fourth, verification of risk control effectiveness through testing or analysis. And fifth, an evaluation of overall residual risk acceptability weighed against the device's clinical benefit.
ISO 14971
FDA-recognized consensus standard for medical device risk management
Lifecycle
Risk management continues from design through post-market surveillance
A critical point that many manufacturers miss: the risk management file for a 510(k) should specifically address risks associated with the differences between your device and the predicate. If your device introduces new materials, different energy modalities, novel software algorithms, or altered performance specifications, the risk file must show that these differences do not introduce new risks that would undermine the substantial equivalence determination. FDA reviewers are specifically trained to look for this gap analysis, and its absence is one of the most common triggers for AI requests.
When your risk management activities are embedded within an ISO 13485 QMS, there is a natural connection between design inputs (which include safety requirements), design verification (which tests against those requirements), design validation (which confirms clinical acceptability), and the risk management file (which provides the risk-based rationale for all of the above). This traceability is exactly what FDA reviewers look for, and it is nearly impossible to achieve retroactively if the risk management file was created as a standalone document after the fact.
Effective February 2, 2026, the FDA's Quality Management System Regulation (QMSR) replaces the legacy 21 CFR 820 QSR and directly incorporates ISO 13485:2016 by reference. This is the most significant regulatory harmonization in FDA medical device history.
The legacy QSR (21 CFR 820) — originally published in 1996 — has been replaced by the QMSR, which incorporates ISO 13485:2016 by reference. FDA inspectors will now evaluate your quality system against ISO 13485 clause structure and terminology. Terminology shifts from "device master record" and "quality system regulation" to ISO 13485 language like "quality manual" and "documented procedures."
Manufacturers must comply by February 2, 2026.
While ISO 13485 is now the foundation, several FDA-specific regulations still apply separately: Medical Device Reporting (MDR/21 CFR 803), Corrections and Removals (21 CFR 806), Reports of Corrections and Removals, Unique Device Identification (UDI/21 CFR 830), and establishment registration and device listing. These are not covered by ISO 13485 and require separate compliance procedures.
Your QMS must address both ISO 13485 and these FDA overlays.
For 510(k) manufacturers, the QMSR means your quality system infrastructure must be built on ISO 13485 architecture. FDA facility inspections — which typically follow within 6 to 24 months after 510(k) clearance — will evaluate your QMS against ISO 13485 requirements. Manufacturers already ISO 13485 certified have a significant compliance advantage; those operating under legacy QSR-only procedures must transition immediately.
ISO 13485 certification = QMSR readiness.
This is one of the most frequently misunderstood aspects of FDA 510(k) submissions. Strictly speaking, the FDA does not require ISO 13485 certification as a condition for 510(k) clearance. You can submit a 510(k), receive clearance, and begin marketing your device without holding an ISO 13485 certificate from an accredited certification body. However, this narrow technical interpretation obscures the practical reality that makes ISO 13485 effectively essential for any serious medical device manufacturer.
With the QMSR now in effect, the FDA requires all manufacturers to maintain a quality management system that meets ISO 13485:2016 requirements. The difference between "meeting the requirements" and "holding the certificate" is the third-party audit: the FDA will evaluate your compliance during its own inspections, whether or not you have undergone a separate certification audit. In practice, the vast majority of medical device companies pursue ISO 13485 certification because it provides several critical advantages.
The bottom line: while ISO 13485 certification is technically voluntary for a 510(k)-only manufacturer, compliance with ISO 13485 requirements is mandatory under the QMSR. Given that the gap between compliance and certification is merely the third-party audit itself, most manufacturers conclude that certification delivers far more value than operating without it. The certification audit is an investment in confidence — confidence that your QMS will withstand FDA scrutiny, satisfy customer requirements, and enable global market expansion.
Each FDA regulatory pathway has distinct submission requirements, but all three demand a robust quality management system. ISO 13485 provides the common foundation across every pathway.
| Dimension | 510(k) | PMA | De Novo |
|---|---|---|---|
| Device Class | Class II (most common) | Class III (high risk) | Class I or II (novel, no predicate) |
| Key Requirement | Substantial equivalence to predicate | Clinical evidence of safety/efficacy | Risk-benefit analysis with special controls |
| Clinical Data | Rarely required; bench/animal data typical | Clinical trials typically required | May require clinical data |
| Typical Review Time | 90–180 days | 12–24 months | 6–12 months |
| ISO 13485 QMS Role | DHF, risk file, V&V reports | Full QMS review + clinical protocol QA | DHF, risk file, special controls compliance |
| Design Controls (7.3) | Required — DHF supports submission | Required — more rigorous documentation | Required — novel design demands thoroughness |
| FDA Inspection | Pre-clearance (rare) or post-clearance | Pre-approval inspection required | Post-authorization |
While the 510(k) pathway is the most common, manufacturers pursuing Premarket Approval (PMA) for Class III devices face significantly higher quality system expectations. The FDA conducts a mandatory pre-approval inspection (PAI) that evaluates your entire QMS — not just the submitted documentation. PMA applications require extensive clinical trial data, and the QMS must demonstrate that clinical protocol management, data integrity, and adverse event reporting are all controlled within the quality system framework. The design controls documentation for a PMA device is typically two to three times more detailed than for a 510(k).
The De Novo classification pathway is designed for novel devices that lack a predicate but present low-to-moderate risk. Because there is no predicate to establish substantial equivalence, the risk management file becomes even more critical: you must demonstrate through a thorough risk-benefit analysis that the probable benefits outweigh the probable risks and that general and special controls provide reasonable assurance of safety and effectiveness. ISO 13485 provides the structured framework for documenting this risk-benefit determination with the traceability that FDA expects.
For comprehensive FDA regulatory consulting — including 510(k) strategy, FDA audit preparation, and warning letter remediation — visit our dedicated FDA practice at thefdaexpert.com.
For a comprehensive view of all ISO certification services — including ISO 9001, ISO 14001, ISO 27001, ISO 42001, and more — visit certify.consulting.
Jared Clark is a Regulatory Affairs Certified (RAC) consultant with deep expertise in FDA 510(k) submissions and ISO 13485 quality management systems for medical devices. Holding credentials from RAPS, ASQ, and PMI, Jared combines legal training (JD), business strategy (MBA), and hands-on quality system implementation experience to help medical device companies navigate the intersection of quality management and regulatory clearance. He has guided over 200 clients through ISO certification and FDA regulatory pathways with a 100% first-time audit pass rate.
Expert answers to the most common questions about integrating ISO 13485 quality management with FDA 510(k) submissions.
Schedule a free consultation to discuss your medical device, target regulatory pathway, and the ISO 13485 QMS infrastructure needed for successful FDA clearance. RAC-certified expertise, 100% first-time audit pass rate.
No commitment required. Expert guidance on your FDA regulatory and ISO 13485 certification journey.