V5 Ultimate
Compliance · The complete guide

21 CFR 820Quality System Regulation for Medical Devices

TL;DR

FDA’s Quality System Regulation for finished medical devices defines how manufacturers design, validate, and document safe, effective devices today and how those obligations shift to the ISO 13485-aligned Quality Management System Regulation effective 2 February 2026.

Reviewed · By V5 Ultimate compliance team· 2,221 words · ~11 min read
AI · Explain it for MY operation

How does 21 CFR 820 apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What 21 CFR Part 820 (QSR) is and why it matters

21 CFR Part 820, FDA’s Quality System Regulation (QSR), is the central U.S. framework that requires manufacturers of finished medical devices to implement, maintain, and document a quality system that consistently produces devices that are safe and effective for their intended use. Its clauses cover management responsibility, design controls, document control, purchasing controls, production and process controls, acceptance activities, CAPA, packaging and labeling, handling and distribution, installation and servicing, and a comprehensive records architecture.

QSR is performance oriented. It tells you what outcomes are required but leaves room to tailor processes to device risk, technology, and business scale. That flexibility brings responsibility: manufacturers must justify their approach with data and maintain auditable traceability from user needs through verification, validation, manufacture, release, and postmarket feedback.

On 2 February 2026, the QSR will be replaced by FDA’s Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference and harmonizes key terminology with ISO 9000:2015. The shift is not a relaxation. It tightens alignment of design and production controls with structured risk management and expands expectations for supplier oversight and documented linkages across the lifecycle.

Whether operating under QSR now or preparing for QMSR, firms should demonstrate that their quality system is systematic, risk based, and effective. That means top management accountability, design control rigor, validated production processes where appropriate, closed-loop CAPA, and complete, contemporaneous records. A mature QMS is the throughline that connects each of these elements to patient safety and regulatory compliance.

02Scope and applicability: who Part 820 covers and how FDA views responsibility

Part 820 applies to manufacturers of finished medical devices intended for human use. FDA uses a functional view of manufacture: if an entity performs activities that could affect device safety or effectiveness, the agency typically expects that entity to be controlled within the manufacturer’s quality system and, where appropriate, to maintain compliant procedures and records subject to inspection.

Finished device manufacturers remain responsible for the conformity of their devices, even when activities such as design, component fabrication, sterilization, packaging, labeling, or distribution are contracted out. Purchasing controls, supplier evaluation, and clear quality agreements must extend the manufacturer’s quality system to external partners in a risk-proportionate way. FDA expects complaint handling and field action processes to operate reliably across all channels.

Scope also intersects with device risk class and pathway. While compliance obligations do not vary by class, FDA’s depth of scrutiny and the granularity of evidence expected often scale with risk and complexity. Firms should map Part 820 requirements to the portfolio’s risk profile and regulatory route, ensuring complete records for each product family and configuration.

  • Finished device manufacturers and specification developers are fully subject to Part 820 requirements.
  • Contract manufacturers, sterilizers, packagers, relabelers, repackagers, remanufacturers, and certain initial importers are covered for the activities they perform.
  • Component manufacturers are not directly regulated under Part 820 but are controlled through the finished manufacturer’s purchasing controls.
  • Distributors and service providers may be outside Part 820’s direct scope, yet their activities must be addressed by the manufacturer’s quality system when they can affect device quality.
  • Complaint handling responsibilities extend to entities receiving device-related complaints, which must be triaged, investigated, and trended under the manufacturer’s procedures.
  • Combination products trigger additional requirements under FDA’s framework for such products, including cross-references to drug or biologic cGMPs when applicable.

Before development begins, align quality planning with the intended regulatory pathway and classification. Early clarity on responsibilities and interfaces reduces rework and inspection risk. See foundational concepts in Medical device classification, and note specialized expectations for combination products under 21 CFR Part 4.

03Design controls and risk management: from user needs to validated design

Design controls anchor the QSR’s lifecycle. They require planning, capturing design inputs, generating outputs, performing design reviews, verifying that outputs meet inputs, validating that the finished device meets user needs and intended uses, and controlling design changes. A robust design history file must show objective evidence that decisions were data driven and that verification and validation were conducted by qualified, independent personnel when appropriate.

Risk management is woven through these activities. Hazards are identified from the earliest concept stage, risks are estimated and controlled, and residual risks are evaluated for acceptability. Traceability should connect hazards and hazardous situations to design features, manufacturing controls, labeling, training, and postmarket surveillance signals.

Under QMSR, FDA explicitly aligns with ISO 13485:2016 and expects firms to integrate risk management consistent with ISO 14971’s principles. That does not fundamentally change the QSR intent but raises the bar for explicit, living risk files that inform design choices, test strategies, process validation, and field action criteria. The best evidence packages demonstrate that risk thinking is continuous, not episodic.

Teams should ensure design plans are realistic, responsibilities are clear, and interfaces across disciplines are governed. Requirements creep, insufficient human factors validation, and weak software verification are frequent sources of nonconformity. Establish independent review gates and maintain clean bidirectional traceability among requirements, tests, risks, and changes.

For definitions and alignment expectations, see ISO 14971 on risk management and our primer on Design controls, which explains planning, inputs, outputs, verification, validation, and change control in practical terms.

04Production and process controls: validated, capable, and under control

Part 820 requires manufacturers to develop and maintain controlled production processes that ensure devices conform to specifications. Written procedures, controlled equipment, qualified personnel, and monitored environments are the baseline. Where results cannot be fully verified by subsequent inspection or test, processes must be validated with defined parameters, acceptance criteria, and documented revalidation triggers.

Acceptance activities span incoming, in-process, and final acceptance. Sampling plans must be scientifically valid, equipment must be routinely calibrated and maintained, and acceptance status must be visible to prevent unintended use of nonconforming materials. Identification and traceability requirements apply where device risk or process complexity necessitate unit, lot, or batch-level tracking.

Labeling and packaging controls are essential. FDA often finds errors in label version control, UDI application, and packaging integrity. Handling, storage, distribution, installation, and servicing procedures must preserve device quality and maintain chain-of-custody records. For sterile devices, sterilization processes typically require validation and routine monitoring, including microbiological controls and load records.

Nonconforming product procedures must define segregation, evaluation, disposition, and the link to CAPA analysis when trends or significant events emerge. Rework and reuse require documented instructions, re-evaluation, and risk assessment to ensure the device still meets specifications and that traceability is preserved.

Validation depth should be risk based and evidence rich. For complex or software-driven processes, combine installation, operational, and performance qualification with challenge conditions and boundary testing. See Process validation for lifecycle principles, and use in-process controls and real-time monitoring to stabilize outputs as complexity grows.

05Records architecture: DMR, DHR, QSR, document control, and Part 11 expectations

QSR requires a coherent records system that enables objective demonstration of conformity. The Device Master Record (DMR) contains the authoritative specifications for manufacturing, including drawings, compositions, equipment and environmental specifications, production procedures, packaging and labeling specifications, and quality assurance procedures. The DMR is the blueprint the factory executes.

The Device History Record (DHR) proves execution against the DMR for each lot, batch, or unit. It includes production dates, quantities manufactured and released, acceptance records, primary identification labels and labeling used, and any device-specific data required to demonstrate conformity. The Quality System Record (QSR record) houses procedures and documentation that define and support the overall quality system, such as the quality manual, organizational structure, and key process procedures.

Document controls ensure the right version is available at the right place and time, changes are reviewed and approved by authorized personnel, and superseded versions are prevented from unintended use. Records must be legible, readily retrievable, protected from loss and alteration, and retained for the required period. Where records are electronic, firms should meet expectations consistent with 21 CFR Part 11 for validation, audit trails, security, and electronic signatures.

A defensible eDHR integrates master data, enforced sequencing, in-process checks, and exception handling, with complete operator attribution and date-time stamps. It should prevent backdating, ensure contemporaneous entry, and preserve linkage among materials, equipment, personnel, and test results. Hybrid paper–electronic systems warrant special attention to avoid gaps at interfaces, orphaned data, and uncontrolled transcriptions.

For practice notes, see Document control and expectations for validated e-records and signatures under 21 CFR Part 11. When selecting tools, confirm they support authoritative master records, versioned documents, change workflows, and immutable audit trails.

06CAPA, complaints, and supplier quality: the feedback loop that drives effectiveness

Corrective and Preventive Action (CAPA) is the engine of quality system effectiveness under QSR. It requires data sources to be monitored, nonconformities analyzed, root causes identified, and actions implemented, verified for effectiveness, and documented. CAPA scope includes complaints, rejects, rework, audits, service records, supplier issues, and field actions. Firms should define escalation criteria so that systemic signals are not trapped at the local level.

Complaint handling procedures must ensure timely review, medical evaluation when appropriate, and investigation proportional to risk. Trending is expected. Complaints that reasonably suggest a device may have caused or contributed to a death or serious injury must be evaluated for Medical Device Reporting (MDR), and reportable events must be submitted on time with complete information.

Supplier quality begins with risk-based selection and extends through qualification, quality agreements, incoming acceptance, change notification, and periodic re-evaluation. Purchasing data must flow into CAPA analysis when supplier performance trends downwards. For critical suppliers, on-site audits, enhanced sampling, or dual sourcing may be justified. Under QMSR and ISO 13485 alignment, the expectation for explicit supplier controls and performance evidence hardens further.

Keep the loop closed: verify CAPA implementation, confirm sustained effectiveness, and update risk files and procedures as part of change management. Field actions must be procedurally controlled, well-communicated, and effectively executed, with lessons fed back into design, specifications, and supplier controls.

Reference the MDR framework at 21 CFR 803 for reporting thresholds and timelines, and maintain a risk-weighted Approved Supplier List that integrates performance metrics, certifications, and change history.

07From QSR to QMSR: ISO 13485 alignment, definitions, and a realistic transition plan

FDA’s Quality Management System Regulation becomes enforceable on 2 February 2026 and incorporates ISO 13485:2016 by reference, aligning terminology with ISO 9000:2015. The transition consolidates overlapping concepts, clarifies expectations for risk-based processes, supplier controls, and documented linkages across the lifecycle, and reduces duplicative compliance burdens for firms already certified to ISO 13485. It does not weaken oversight; rather, it harmonizes the U.S. framework with the globally dominant device quality standard.

In practice, firms should execute a structured gap assessment that maps existing procedures to ISO 13485 clauses, confirms risk management integration consistent with ISO 14971 principles, and ensures records, metrics, and management review content meet the aligned expectations. Software-related processes, validation rigor, and supplier change management are frequent focus areas. Update training, quality planning, and internal audit programs to the revised structure and terminology.

For records created before the effective date, maintain them under the controls in force at the time and ensure they remain retrievable. For activities occurring on or after the effective date, your procedures and evidence should reflect the QMSR-aligned framework. Regulators will expect you to explain your transition choices coherently and demonstrate control at all times.

MilestoneWhat to accomplishEvidence regulators expect
NowLaunch a documented QMSR gap assessment and risk-based remediation planGap matrix mapped to ISO 13485 clauses, risk rationale, timelines, owners
6–12 months before 2 Feb 2026Update procedures, train personnel, and pilot revised processes on selected linesRedlined procedures, training records, pilot eDHRs, process validation addenda
By 2 Feb 2026Deploy revised QMS enterprise-wide and close high-risk gapsReleased procedures, internal audit reports, management review minutes
Post-effective dateSustain performance and refine metrics via CAPA and management reviewTrend charts, supplier performance evidence, risk file updates, CAPA effectiveness checks

For a practical playbook, see our guide on FDA QMSR transition readiness, and ensure top management leads the change with resourced plans, clear milestones, and routine progress visibility.

08Inspection readiness and common pitfalls: preventing avoidable citations

FDA inspections assess whether your system is designed and operated to produce conforming devices consistently. Investigators ask for objective evidence, not narratives. They will sample records across design, purchasing, production, CAPA, and complaints, and will trace linkages among procedures, training, and executed records. Strong internal audits and candid management reviews are the best predictors of inspection performance.

Frequent findings include incomplete design traceability, inadequate process validation where verification is not sufficient, uncontrolled documents at point of use, CAPAs that lack root cause analysis or effectiveness checks, and complaint files that defer medical review or lack timely MDR decisions. Data integrity issues surface when entries are not contemporaneous, calculations are transcribed without verification, or user access controls are weak.

Inspection readiness should be a standing, cross-functional discipline. Keep an accessible, current set of top-tier procedures, organograms, and key performance indicators. Ensure your teams can retrieve DHRs rapidly, explain deviations, and demonstrate that nonconformities are escalated and learned from. Mock inspections and document request drills help expose retrieval or ownership gaps before FDA does.

  • Keep live indices of DMR, DHR, and CAPA records with owners and retention periods.
  • Train operators on exact, current work instructions and show that training is effective.
  • Harden change control with documented impact assessments and timely approvals.
  • Validate software that affects device quality, including spreadsheets used to calculate acceptance decisions.
  • Trend quality data and act on signals with risk-based escalation to CAPA.
  • Close CAPAs with verified effectiveness and update risk files and procedures accordingly.

If you need a structured, inspector-friendly operating rhythm, consider capabilities that centralize readiness artifacts, pre-stage record packages, and maintain a clean audit trail. Start with Inspection readiness as a discipline, with evidence generation embedded in daily work rather than as a pre-inspection scramble.

09How V5 supports 21 CFR 820 today and QMSR tomorrow

V5 Ultimate provides an integrated quality and manufacturing execution environment built for regulated device operations. Master data drives controlled work instructions, equipment states, material status, and sampling plans, while role-based workflows enforce step sequence and capture contemporaneous evidence. eDHRs are assembled automatically from operator actions, instrument data, and quality decisions, with immutable audit trails and attribution.

Document control, change management, and training records operate from a single source of truth. Risk files, validation documentation, and supplier data can be linked to processes and lots, reinforcing traceability from design outputs to in-process controls to final release. CAPA workflows route investigations, approvals, and effectiveness checks with time-bound SLAs and analytics to ensure nothing stalls unseen.

For QMSR readiness, V5 maps procedures and records to ISO 13485 clauses, supports management review inputs and outputs, and embeds risk-based controls in daily execution. Part 11 expectations are addressed through validated configurations, electronic signatures with meaning and intent, and comprehensive technical controls for security and audit trails. Teams can show inspectors not only what was required, but exactly how it was executed and verified.

Frequently asked questions

Q.What is changing when QSR becomes QMSR on 2 February 2026?+

FDA will begin enforcing a regulation that incorporates ISO 13485:2016 by reference and aligns terminology with ISO 9000:2015. The shift emphasizes integrated risk management, supplier controls, and documented lifecycle linkages.

Q.Does Part 820 still apply before 2 February 2026?+

Yes. Until the QMSR effective date, FDA inspects against the existing QSR. Transition preparation should not delay maintaining full compliance to current requirements.

Q.Are contract manufacturers directly responsible for QSR compliance?+

They are responsible for the activities they perform that affect device quality and are subject to FDA inspection. The finished device manufacturer remains ultimately responsible and must implement robust purchasing controls.

Q.How detailed must my DHR be to satisfy inspectors?+

It should demonstrate who did what, when, with which materials and equipment, against which specification, and with what results. Include acceptance records, labeling used, quantities manufactured and released, and any deviations with documented dispositions.

Q.Do I need to validate every production process?+

Validate processes where the output cannot be fully verified by subsequent inspection or test, or where risk justifies it. Use documented protocols, predefined acceptance criteria, and maintain revalidation triggers.

Q.How do CAPA and complaints interact with MDR requirements?+

Complaint evaluation must promptly determine MDR reportability. CAPA then addresses systemic causes. Maintain clear criteria, timelines, and evidence for MDR decisions and for CAPA effectiveness checks.

Q.Will ISO 13485 certification guarantee QMSR compliance?+

It helps significantly, but it is not a guarantee. You must address FDA-specific expectations, maintain complete device records, and ensure your procedures, training, and evidence align with QMSR’s incorporated and referenced elements.

Primary sources

Further reading

Explore this topic

21 CFR 820 sits inside 2 overlapping topic clusters in our glossary. Every neighbour is one click away.

See 21 CFR 820 working on a real shop floor

V5 Ultimate ships with the 21 CFR 820 controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.