
Understanding the Gaps and Overlaps Between ISO 13485, EU MDR, and MDSAP
In the global medical device industry, manufacturers face increasingly complex regulatory landscapes. Navigating the requirements of ISO 13485, the European Union Medical Device Regulation (EU MDR 2017/745), and the Medical Device Single Audit Program (MDSAP) requires a nuanced understanding of their interrelationships, overlaps, and gaps. Each framework serves a distinct purpose: ISO 13485 establishes requirements for a quality management system (QMS), EU MDR governs device safety and market access in the European Union, and MDSAP enables harmonised audits accepted by multiple regulatory authorities.
This paper examines the intersections and distinctions among these standards and programs, highlighting practical considerations for manufacturers seeking global compliance while optimising audit efficiency. It also outlines strategies to address gaps and leverage overlaps for operational and regulatory benefit.
Overview of ISO 13485
ISO 13485:2016 is an internationally recognised standard specifying requirements for a QMS specific to medical devices. It encompasses processes for design, development, production, installation, and servicing, with an emphasis on risk management, regulatory compliance, and consistent product quality.
The standard is structured around risk-based process control, document management, traceability, and continual improvement. It aligns closely with the principles of good manufacturing practice (GMP) and is widely used as the foundational QMS for manufacturers seeking market access across multiple jurisdictions.
ISO 13485 is not a regulatory requirement in itself but serves as a harmonised framework recognised by most regulators. Compliance demonstrates that an organisation has systematically addressed quality and risk management in device production and lifecycle activities.
Overview of EU MDR
The EU MDR 2017/745 is a binding regulation that governs the safety, performance, and market authorisation of medical devices within the European Union. It replaced the previous Medical Device Directive (MDD) and introduced a significantly higher regulatory burden, including stricter clinical evaluation requirements, post-market surveillance obligations, and device traceability via the Unique Device Identification (UDI) system.
EU MDR focuses on both product-specific and systemic compliance. Manufacturers must demonstrate that devices are safe and effective for their intended use, maintain technical documentation aligned with Annexes II and III, and conduct post-market clinical follow-up (PMCF). Compliance is mandatory for CE marking, which is required for legal marketing within the EU.
Overview of MDSAP
The Medical Device Single Audit Program (MDSAP) allows a single regulatory audit of a manufacturer’s QMS to satisfy the requirements of multiple participating authorities, including:
Health Canada
U.S. Food and Drug Administration (FDA)
Therapeutic Goods Administration (TGA, Australia)
Japan’s PMDA and MHLW
Brazil’s ANVISA
MDSAP audits are based on ISO 13485 principles but extend to include jurisdiction-specific regulatory requirements. Auditing organisations conduct risk-based assessments across seven defined processes, covering design, production, purchasing controls, and post-market surveillance. MDSAP improves efficiency by reducing duplicative audits and providing regulators with harmonised audit evidence.
Overlaps Among ISO 13485, EU MDR, and MDSAP
Several areas demonstrate significant overlap among these frameworks:
Quality Management Systems
ISO 13485 serves as the foundation for both EU MDR and MDSAP compliance. All three require documented procedures for QMS governance, document control, internal auditing, management review, and corrective and preventive action (CAPA). A robust ISO 13485 implementation can satisfy many MDSAP and EU MDR obligations, particularly for procedural consistency and traceability.
Risk Management
Risk management is central across all three. ISO 13485 mandates integration of ISO 14971 principles into the QMS, which aligns with EU MDR’s focus on risk-benefit analysis, safety assessment, and post-market risk evaluation. Similarly, MDSAP audits examine whether manufacturers implement a risk-based approach to quality and safety, demonstrating alignment across jurisdictions.
Post-Market Surveillance and Vigilance
ISO 13485 requires monitoring product quality post-production, while EU MDR stipulates a formal post-market surveillance system including PMCF studies. MDSAP incorporates jurisdiction-specific surveillance requirements, such as FDA’s Medical Device Reporting (MDR) and TGA complaint handling. A well-structured ISO 13485-based QMS simplifies compliance with these overlapping obligations.
Documented Evidence and Traceability
All three frameworks emphasise documentation, record retention, and traceability. Technical documentation under EU MDR, the risk management file under ISO 13485, and MDSAP audit evidence all require clear linkage between processes, design outputs, verification, and clinical or production data.
Gaps Between ISO 13485, EU MDR, and MDSAP
Despite overlaps, several key gaps exist:
Clinical Evaluation and Post-Market Requirements
ISO 13485 provides only general guidance on risk management and post-market monitoring; it does not specify detailed clinical evaluation requirements. EU MDR, in contrast, mandates comprehensive clinical evaluation reports (CERs) and PMCF for all device classes. MDSAP audits may assess post-market processes but do not substitute for EU-specific clinical documentation.
Regulatory Authority-Specific Requirements
MDSAP integrates country-specific obligations, such as Health Canada’s licensing, FDA 21 CFR Part 820, or TGA reporting, which are not explicitly covered by ISO 13485. Conversely, EU MDR introduces EU-specific conformity assessment routes, Notified Body interactions, and UDI compliance, which MDSAP and ISO 13485 do not fully address.
Labelling and UDI Requirements
EU MDR enforces rigorous UDI and labelling requirements to improve traceability, which are not addressed in ISO 13485 alone. MDSAP audits check compliance with country-specific labelling regulations, but EU-specific UDI obligations remain outside its scope.
Software and Cybersecurity Controls
EU MDR explicitly requires software validation, cybersecurity risk management, and interoperability documentation, which are not fully covered by ISO 13485 or MDSAP audit criteria. Manufacturers using software-driven devices must address these gaps to achieve EU market approval.
Practical Strategies for Addressing Gaps
Manufacturers can achieve integrated compliance by:
Building a robust ISO 13485 QMS as a foundation.
Mapping EU MDR requirements against existing processes to identify additional clinical, UDI, and cybersecurity obligations.
Aligning MDSAP audits with ISO 13485 processes to satisfy multi-jurisdictional audit requirements.
Maintaining modular technical documentation that can be adapted to meet different regulatory expectations without duplicating effort.
Implementing a cross-functional compliance team to monitor changes in international regulations and update QMS procedures proactively.
Benefits of Understanding Gaps and Overlaps
By comprehensively understanding overlaps and gaps, manufacturers can:
Reduce duplicated audit efforts and regulatory submissions
Optimise resource allocation for compliance activities
Enhance operational efficiency while maintaining quality and safety
Facilitate faster market access across multiple jurisdictions
Strengthen preparedness for regulatory inspections and MDSAP audits
Conclusion
ISO 13485, EU MDR, and MDSAP share significant commonalities in quality management, risk control, post-market surveillance, and documentation practices. However, gaps remain in clinical evaluation, UDI compliance, and jurisdiction-specific regulatory requirements. A structured approach—anchored in a robust ISO 13485 QMS, supplemented with EU MDR-specific procedures, and aligned with MDSAP audit readiness—enables manufacturers to navigate the complex regulatory landscape efficiently.
Understanding these overlaps and gaps not only ensures compliance but also promotes operational excellence and global market competitiveness. For therapeutic goods manufacturers, testing laboratories, and biotechnology organisations, investing in this integrated approach is essential for sustainable quality and regulatory success.