Quality Management System Requirements: ISO 13485 and MDSAP
A certified quality management system (QMS) is the foundational requirement for medical device market access across all major western jurisdictions. The international standard for medical device QMS is ISO 13485:2016 — Medical Devices — Quality Management Systems — Requirements for Regulatory Purposes. Certification to ISO 13485 by an accredited certification body is required or strongly expected in the EU, UK, Canada, Australia, Japan, and increasingly the US.
ISO 13485 covers design and development controls, risk management integration (by reference to ISO 14971), purchasing and supplier controls, production and process controls, and post-market surveillance procedures. For China-based manufacturers, ISO 13485 certification is issued by accredited certification bodies (CBs) recognised in the target market. Not all ISO 13485 certificates are equal: the scope of certification must correspond to the product types and manufacturing processes being certified.
MDSAP — Medical Device Single Audit Program is a multilateral programme that allows a single audit of a manufacturer's QMS to satisfy the regulatory requirements of participating jurisdictions: the US (FDA), Canada (Health Canada), Australia (TGA), Brazil (ANVISA), and Japan (MHLW/PMDA). MDSAP audits are conducted by MDSAP-recognised Auditing Organizations (AOs) and produce an audit report shared among participating regulators. For Health Canada, an MDSAP certificate (or equivalent) is mandatory for Class II, III, and IV medical device licence applications. For the FDA, an MDSAP audit report can be used in lieu of an FDA inspection for manufacturers enrolled in the program.
The EU and UK do not participate in MDSAP. EU MDR requires QMS certification under the EU Medical Device Regulation framework (Annex IX or XI), which must be performed by an EU-designated Notified Body. A separate ISO 13485 certificate does not substitute for an EU MDR QMS certification, though the underlying QMS may be the same.
Device Classification and Risk-Based Frameworks
All major medical device regulatory frameworks use risk-based device classification to determine the level of pre-market scrutiny required. The classification a device receives in each jurisdiction determines which approval pathway applies, what clinical evidence is required, and whether a regulatory authority review or third-party certification is needed before market entry.
United States (FDA). The FDA classifies devices into Class I (general controls), Class II (general and special controls, typically requiring 510(k) clearance or De Novo classification), and Class III (premarket approval, PMA). Most medium-risk devices from China enter the US via the 510(k) premarket notification pathway, which requires the applicant to demonstrate substantial equivalence to a legally marketed predicate device. The 510(k) must include device description, intended use, comparison to the predicate, and performance testing data. The FDA does not require an ISO 13485 certificate for 510(k) clearance, but it does inspect manufacturing facilities (or accept MDSAP reports in lieu).
European Union (EU MDR — Regulation 2017/745). EU MDR classifies devices into Class I, IIa, IIb, and III based on risk rules in Annex VIII. Class I devices (except sterile, measuring, or reusable surgical instruments) can self-declare conformity. Class IIa, IIb, and III require involvement of an EU Notified Body. The EU MDR requires a Clinical Evaluation Report (CER) for all device classes, with the depth of clinical evidence scaled to risk. For China-origin devices, the requirement for clinical data generated in EU populations (or justification for data generated elsewhere) has been a common market access barrier since the EU MDR replaced the legacy MDD in May 2021.
UK (UKCA marking under the Medical Devices Regulations 2002, as amended). Post-Brexit, the UK has its own framework. UKCA marking is required for devices placed on Great Britain (England, Wales, Scotland) market. UK Approved Bodies conduct conformity assessment. CE marking under EU MDR continues to be accepted in Great Britain until 30 June 2028 for most device classes (verify current transition dates at gov.uk). Northern Ireland follows EU rules under the Windsor Framework.
Australia (TGA — Therapeutic Goods Administration). The TGA uses a classification similar to the EU: Class I, IIa, IIb, III, and AIMD (active implantable). Devices must be included in the Australian Register of Therapeutic Goods (ARTG) before supply. For most Class IIa and above devices, TGA recognition of conformity assessment certificates from EU Notified Bodies, US FDA clearance, or Health Canada licences is possible under the TGA's international recognition pathway, subject to conditions. MDSAP membership simplifies the audit process.
Canada (Health Canada — Medical Devices Directorate). Devices are classified as Class I–IV. Class II, III, and IV require a Medical Device Licence (MDL) from Health Canada. The MDL application requires an MDSAP certificate (or equivalent audit), a Declaration of Conformity to applicable standards, and for Class III–IV, a Summary of Safety and Effectiveness. Safety and effectiveness standards referenced include the applicable IEC 60601 series (medical electrical equipment), ISO 14971 (risk management), and device-specific standards.
Clinical Evidence Requirements and Key Differences
Clinical evidence requirements represent one of the most significant differences between jurisdictions and one of the most common causes of market access delays for China-origin medical devices.
FDA 510(k) — Substantial equivalence, not clinical trials. The 510(k) pathway does not typically require clinical trials. The applicant must demonstrate that the device has the same intended use and the same or different technological characteristics as a predicate device, and that any different technological characteristics do not raise new safety or effectiveness concerns. Performance testing is primarily bench testing (electrical safety per IEC 60601 series, biocompatibility per ISO 10993, software per IEC 62304 if applicable). Clinical data from China can be submitted but is not always required, and FDA may question the representativeness of Chinese clinical data for US patient populations.
EU MDR — Clinical Evaluation is mandatory. All device classes must undergo Clinical Evaluation under MEDDEV 2.7/1 Rev. 4 and the Clinical Evaluation Consultation Procedure (CECP) for certain implantables and Class III devices. The CER must be based on clinical data — either clinical investigations or literature review of equivalent devices. The concept of equivalence under EU MDR is stricter than FDA substantial equivalence: clinical, biological, and technical equivalence must be demonstrated simultaneously, and the manufacturer must have access to the technical documentation of the equivalent device. This last requirement effectively prevents reliance on competitor devices as equivalents in most cases.
Australia (TGA) — Risk-based clinical evidence. TGA's clinical evidence requirements align closely with EU MDR. For devices entering via the international recognition pathway, TGA generally accepts EU MDR or FDA clearance clinical evidence packages. For direct TGA applications, the Essential Principles (equivalent to EU MDR General Safety and Performance Requirements) must be met, including clinical evaluation.
Japan (PMDA — Pharmaceuticals and Medical Devices Agency). Japan's device regulatory framework (PMD Act) classifies devices into four classes. For Class III and IV devices, PMDA review of clinical data is required. Japan maintains bilateral recognition arrangements with some jurisdictions; however, clinical data generated outside Japan is subject to PMDA assessment of whether it is applicable to Japanese patient populations. For China-origin devices, Japanese approval typically requires clinical data supplemented or validated by Japanese investigational data for higher-risk classes.
Common cross-jurisdictional requirements. Regardless of jurisdiction, the following technical standards appear across most conformity frameworks: IEC 60601-1 (general requirements for medical electrical equipment and its amendment series), ISO 14971:2019 (risk management), IEC 62133 or IEC 62619 (battery safety where applicable), IEC 62304 (medical device software), and ISO 10993 series (biological evaluation). Compliance with these standards is foundational and should be established before jurisdiction-specific regulatory submissions begin.
Post-Market Obligations and In-Country Representative Requirements
Obtaining initial market approval or clearance is not the end of the compliance lifecycle for medical devices. All major western jurisdictions impose ongoing post-market obligations, and most require a formally designated in-country legal representative for foreign manufacturers.
EU MDR — Authorised Representative (AR). Foreign manufacturers placing devices on the EU market must designate an EU Authorised Representative (EU AR) established within the EU. The EU AR is jointly and severally liable with the manufacturer for regulatory compliance. Post-market obligations include: maintaining a post-market surveillance (PMS) plan and Post-Market Surveillance Report (PMSR) or Periodic Safety Update Report (PSUR) depending on device class; operating a vigilance system for serious incidents; and maintaining a Unique Device Identification (UDI) entry in the European database EUDAMED.
UK — UK Responsible Person (UKRP). Equivalent to the EU AR, a UK Responsible Person must be established in Great Britain for devices bearing UKCA marking. Registration with the MHRA is required before placing devices on the GB market.
US FDA — US Agent and Establishment Registration. Foreign manufacturers must designate a US Agent resident in the US and register their establishment with the FDA annually. Devices must be listed with the FDA. The US Agent is the communication intermediary between the FDA and the foreign manufacturer; they are not a legal responsible person equivalent to the EU AR, but failure to maintain a current US Agent is a compliance violation.
Australia TGA — Australian Sponsor. All therapeutic goods require an Australian Sponsor — an entity established in Australia — to hold the ARTG entry. The Sponsor is responsible for the device's compliance in the Australian market and for adverse event reporting to the TGA.
Canada Health Canada — Importer or Manufacturer Registration. The importer of a licensed device must be identified on the MDL application. Post-market obligations include mandatory problem reporting to Health Canada for serious incidents and recalls. The Vigilance Reporting system applies to Class II–IV devices.
For all jurisdictions, post-market surveillance data — complaints, incidents, and field safety corrective actions — must be documented and reported according to jurisdiction-specific timelines. Recall procedures and field safety corrective action (FSCA) notifications are legally required processes, not discretionary commercial decisions.