21 CFR 820Quality System Regulation for Medical Devices

21 CFR Part 820 — the Quality System Regulation, almost universally called QSR — is the FDA's current good manufacturing practice rule for finished medical devices. Published in its current form in 1996 and effective in 1997, it replaced the older Good Manufacturing Practices for Medical Devices regulation and added the design-controls subpart that had been missing from the GMP. Any company that manufactures, contract-manufactures, repackages, relabels, specifies (own-label distribution) or imports a finished medical device for the US market falls under it.

Part 820 sits in Title 21, Chapter I, Subchapter H of the CFR. It is structured into fifteen subparts (A through O) covering management responsibility, quality audit, personnel, design controls, document controls, purchasing controls, identification and traceability, production and process controls, inspection-measuring-and-test equipment, process validation, acceptance activities, nonconforming product, CAPA, labelling and packaging, handling-storage-distribution-installation, records, servicing and statistical techniques.

On 2 February 2024 the FDA published the Quality Management System Regulation (QMSR) final rule. It amends Part 820 to incorporate ISO 13485:2016 by reference, with a transition period ending 2 February 2026. From that date, the operational content of Part 820 is replaced by the text of ISO 13485:2016 plus a handful of FDA-specific additions — most notably the device labelling and UDI provisions, the complaint-handling alignment with 21 CFR Part 803 (MDR), and definitions that bridge ISO's vocabulary to FDA's.

What this means in practice: design controls become Clause 7.3, document controls become 4.2, CAPA becomes 8.5.2 and 8.5.3, the DMR becomes the medical-device file (4.2.3), the DHR becomes the medical-device record (4.2.5), management responsibility becomes Clause 5. The substance is broadly the same — both Part 820 and ISO 13485 require process control, risk management (now per ISO 14971), validation, traceability and CAPA — but the wording, the structure and some specific obligations differ. Most multinational manufacturers already ran a 13485 QMS to sell into EU and other markets; QMSR removes the dual-QMS overhead.

Section 820.20 establishes the requirement for a documented quality system: management responsibility, quality policy, organisational structure, resources, management review, and quality planning. Management with executive responsibility must review the quality system at defined intervals and with sufficient frequency to ensure suitability and effectiveness. Section 820.22 requires planned quality audits by personnel independent of those responsible for the matter being audited.

Section 820.25 covers personnel — qualifications, training, awareness of device defects and the consequences of improper performance. The training file must show that operators know not only how to do their work but also what can go wrong, why it matters and what to do when it does. This is a step harder than Part 211's training rule and FDA inspectors test it directly.

Section 820.30 is where 820 differs most sharply from 211, and where the QMSR transition is most operationally consequential. Design controls require a planned, documented design process with defined inputs, outputs, reviews, verification, validation, transfer to production, change control, and a Design History File that captures the lifecycle. The classic V-model maps neatly onto it.

The eight design-control elements

1. Design and development planning (820.30(b)) — who does what, when, with what interfaces.
2. Design input (820.30(c)) — user needs, intended uses, requirements, regulatory needs.
3. Design output (820.30(d)) — specifications, drawings, software, source code, acceptance criteria.
4. Design review (820.30(e)) — formal, multidisciplinary reviews at planned stages, with an independent reviewer present.
5. Design verification (820.30(f)) — proves design output meets design input.
6. Design validation (820.30(g)) — proves the device meets user needs and intended uses, including software validation per IEC 62304.
7. Design transfer (820.30(h)) — production specifications are correct and the device can be manufactured to them.
8. Design changes (820.30(i)) — every change identified, documented, reviewed, validated/verified, approved.

Section 820.30(j) requires a Design History File — a compilation of records that describes the design history of the device. The DHF is the audit-defence artefact for a device's design: when a regulator asks how you decided your titanium hip would survive 10 years in vivo, the DHF is the answer.

Section 820.40 requires control of documents: review and approval before issue, distribution to points of use, removal of obsolete documents, and a record of changes. ISO 13485 Clause 4.2 is almost word-for-word the same. Document controls is where the QMS lives or dies — uncontrolled SOPs on shop-floor monitors is a perennial finding.

Section 820.70 requires written procedures for production processes; monitoring and control of process parameters; compliance with reference standards; approval of processes and equipment; and criteria for workmanship expressed in documented standards or representative samples. Section 820.72 covers inspection-measuring-and-test equipment — calibration, traceability to a national standard, identification of the calibration status. Section 820.75 requires validation of processes whose results cannot be fully verified by inspection (sterilisation, welding, injection moulding, software, sealing). Process validation lives by the IQ-OQ-PQ lifecycle — see the IQ/OQ/PQ pillar.

Sections 820.80 (acceptance activities) and 820.86 (acceptance status) require inspection and test at incoming, in-process and final stages, with the acceptance status of each unit or lot unambiguously identifiable through manufacturing — by tags, labels, system records, location, or other suitable means. The acceptance status rule is what drives WIP locations like 'quarantine', 'QC hold' and 'released'.

Section 820.100 — the entire CAPA rule — is two paragraphs of text that drive most of a QMS's run-the-business effort. The procedure must include analysis of processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product and other sources of quality data; investigation of the cause; identification of action needed; verification or validation that the action does not adversely affect the device; implementation and recording of the change; ensuring the information is disseminated; and submitting the information for management review.

CAPA is the single most-cited 820 subpart on Form 483s. The failure modes are predictable: CAPAs opened but not closed; root cause not actually investigated (the 'because the operator made an error' non-finding); effectiveness check not performed; trends not analysed across CAPAs; management review never sees the data.

Sections 820.120 through 820.130 cover label integrity, inspection, storage, control of labelling operations, and packaging — designed to ensure the device is not adulterated or damaged during processing, storage, handling and distribution. UDI labelling (21 CFR 801.20 and 21 CFR Part 830) sits on top — the UDI is part of the label and the labelling subpart enforces the same change-control and inspection rules to it.

Subpart L covers handling, storage, distribution and installation. Subpart M (records) defines the DMR (820.181), DHR (820.184) and quality system record (820.186), plus complaint files (820.198). The DMR-DHR pair is to devices what the MMR-BMR pair is to drugs — the master specification and the per-unit evidence record.

1. 820.30 — Design changes made without going through the design-change procedure; design verification not traced to design inputs.
2. 820.40 — Obsolete documents present at point of use; revision control gaps between PLM and the shop floor.
3. 820.50 — Supplier evaluations are not risk-based; critical suppliers have not been audited.
4. 820.70 — Process parameters not monitored; in-process inspection not performed per the documented plan.
5. 820.75 — Process validation lifecycle (IQ/OQ/PQ) incomplete; revalidation not performed after change.
6. 820.86 — Acceptance status of in-process material not unambiguously identifiable.
7. 820.100 — CAPA effectiveness checks not done; root-cause investigation superficial.
8. 820.180 / 820.184 — DHR does not include all required content; signatures missing; component lot traceability broken.
9. 820.198 — Complaint files do not contain the investigation depth or trending the rule requires.
10. 820.250 — Statistical techniques used for acceptance sampling not justified by a documented procedure.

V5's medical-device profile is built to the QMSR end state — ISO 13485:2016 substance with the FDA labelling, UDI and MDR overlays. Customers who are still in the Part 820 wording today get a system that maps either way; the underlying data model (DMR, DHR, design history file, CAPA, complaint file, training file) does not change at the transition.

• Design History File holds requirements, risk analysis (ISO 14971), design reviews, V&V traceability, design transfer and design-change records.
• DMR is version-controlled, two-person approved, and bound by snapshot to every work order it spawns — so the DHR is rendered from the released DMR, not from current data.
• Production controls run from the kiosk: routings, in-process checks, two-person charge-in for critical operations, mandatory equipment-calibration check before use.
• Acceptance status is enforced by location and lot-status flag — a quarantined lot literally cannot be dispensed at the kiosk.
• CAPA, NCR, complaint and audit findings live in one system with cross-links and an open-items dashboard wired into management review.
• Labelling artwork is under the same change control as the DMR; UDI carriers are generated server-side and verified by scan-back at the print-and-apply step.
• Every Part 11 / Clause 4.1.6 obligation is enforced at the data layer — audit trail, two-person signature, reason-for-change, attribution, contemporaneity.