21 CFR Part 820: Ultimate Guide to FDA's Quality Management System Regulation (QMSR)

In the medical device industry, compliance isn’t a pop quiz. The US Food and Drug Administration (FDA), has given you all the answers to the test in the form of a regulation: 21 CFR Part 820. That doesn’t mean it’s easy to ace the test, but it does mean that you have all the resources you need to pass. 

What separates market-leading medtech companies from the rest isn’t their knowledge of the regulations. It’s their implementation. The medtech companies that pass audits without findings and never come close to a warning letter are the companies that understand the big picture of the regulations and execute on the details. 

This in-depth, easy to understand guide paints a comprehensive picture of 21 CFR Part 820 by explaining the regulation simply yet thoroughly. You’ll get answers to the big questions (What does the regulation cover? What is its purpose?) as well as specific advice on compliance and avoiding common mistakes. 

Let's get started by reviewing the basics of 21 CFR Part 820 before diving into the details of the regulatory requirements you need to follow in order to comply with FDA’s regulation.

FREE RESOURCE:  Click here  to download the eBook of our Ultimate Guide to 21 CFR Part 820.

What is 21 CFR Part 820?

21 CFR Part 820 is a set of regulations from FDA that outlines the current good manufacturing practice (cGMP) requirements that medical device manufacturers in the United States must follow with regards to their quality system. These cGMP requirements ensure medical device companies establish a QMS that enables the delivery of safe, effective, and compliant products.

As stated by FDA, 21 CFR Part 820 covers “the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices intended for human use,” including the facilities and designs used for those processes.

What changes on Feb. 2, 2026?

Since its last revision in 1996, 21 CFR Part 820 has been known as the Quality System Regulation (QSR). However, in order to streamline compliance for medical device companies, FDA is incorporating ISO 13485:2016 into Part 820 by reference, effective Feb. 2, 2026.

This means that many sections of Part 820 will soon refer the reader to ISO 13485:2016, the international standard for quality management systems for medical devices. The result is a Part 820 that is effectively harmonized with ISO 13485:2016, which should make compliance simpler. The new name of 21 CFR Part 820 is the Quality Management System Regulation (QMSR). 

So, keep in mind that the abbreviation QMSR will soon be used interchangeably with 21 CFR Part 820. If you see anyone refer to “the QSR,” that reference will be out of date on Feb. 2, 2026. 

This guide covers the new Part 820 (QMSR), not the old QSR

For more information on QMSR, check out our QMSR Resource Hub, which includes background, context, and explicit steps for bringing your QMS into alignment with the new Part 820.

TIP: You will need a copy of ISO 13485:2016 in order to build a compliant QMS. The FDA has provided a free link to ISO 13485:2016. However, this resource is read-only, so you won’t be able to download it. That means if you want a downloadable version, you will need to purchase the standard. 

The cheapest place to buy it? Using the Estonian link. 

What are the FDA Requirements of 21 CFR Part 820 - Quality Management System Regulation?

In the new Part 820 (QMSR), you will only find two of the original 15 subparts that made up the QSR. The two subparts that have been retained are:

• Subpart A - General Provisions

• Subpart B - Supplemental Provisions

21 CFR Part 820 Subpart A—General Provisions

What it covers: Subpart A establishes the authority, scope, and foundational terminology for the regulation, including the formal incorporation of ISO 13485.

• Scope (§ 820.1): This section lays out who is subject to the regulation and what type of devices are within its scope.

• Definitions (§ 820.3): This section states that the regulation is using the definitions from ISO 13485:2016 and Clause 3 of ISO 9000:2015. However, the FDA has also included some definitions here that are not used in either standard. It also notes that the definitions in the Federal Food, Drug, and Cosmetic Act (FD&C Act) and 21 CFR 820.3 take precedence if they conflict with the ISO standards.

• Incorporation by Reference (§ 820.7): this section simply states that most of the content in Part 820 has been removed and replaced with references to their location in ISO 13485:2016 and ISO 9000:2015. It also provides instructions on how medical device companies can obtain the standards.

• Requirements for a quality management system (§ 820.10): This section states that medical device companies are still subject to other FDA regulations such as:

  • 21 CFR Part 803 - Medical Device Reporting

  • 21 CFR Part 806 - Medical Devices; Reports of Corrections and Removals

  • 21 CFR Part 821 - Medical Device Tracking Requirements

  • 21 CFR Part 830 - Unique Device Identification (UDI)

820.10 also extends the ISO 13485:2016 traceability requirements for implantable devices to devices that support or sustain life. Finally, this section is where FDA states that failure to comply with QMSR will render a device “adulterated” and subject to regulatory action. 

21 CFR Part 820 Subpart B—Supplemental Provisions

What it covers: Subpart B contains specific requirements that supplement ISO 13485:2016 in areas where FDA felt the standard did not adequately address.

• Control of Records (§ 820.35):  Here, the QMSR defines content requirements for complaint records (including when complaints should be investigated) and service records explicitly. This is actually more detailed and explicit than what is in the QSR, so it is worth reading this section carefully.

• Labeling and Packaging (§ 820.45): The FDA did not find ISO 13485’s requirements for device labeling and packaging controls to be adequate, so they have added requirements to the QMSR. Specifically, the FDA wants to ensure that QMSR requires manufacturers to inspect the accuracy of device labels with respect to certain elements prior to release, along the lines of Part 820.120(b) in the QSR. 

Incorporation by reference: what does ISO 13485 cover?

While the clauses of ISO 13485 do not match up perfectly with the subparts C-O in the old QSR, the FDA has said that the requirements of ISO 13485 are “substantially similar” to those of the QSR. Those requirements are broken up into eight clauses, which we’ll cover here.

First, however, let’s take a look at ISO 9000. The QMSR also incorporates Clause 3 of ISO 9000:2015 by reference. ISO 9000:2015 is the international standard for the fundamentals and vocabulary for quality management systems. Note that the difference between the ISO 9000 family of standards and ISO 13485 is that ISO 13485 is medical device-specific, while the ISO 9000 family is referenced across multiple industries.

However, ISO 13485 uses terms and definitions from ISO 9000:2015, so the QMSR also needs to incorporate the terms and definitions clause (Clause 3) from ISO 9000:2015 to account for this.

So, with that out of the way, let’s look at the clauses of ISO 13485:2016.

Clauses 1-3: Scope, Normative references, and Terms and definitions

The foundational clauses of ISO 13485:2016 establish the framework, language, and boundaries of the Quality Management System (QMS). These sections do not contain the "shall" requirements for operational processes, but they are indispensable for interpreting the standard's intent.

• Scope (Clause 1): This clause provides information on what type of organizations are subject to the standard.

• Normative References (Clause 2): This clause simply states that to apply ISO 13485 correctly, organizations must refer to ISO 9000:2015, which covers quality management fundamentals and vocabulary. 

• Terms and Definitions (Clause 3): This clause provides 20 specific definitions that are used throughout the standard. 

Clause 4: Quality management system

This clause outlines the structural and documentation requirements that serve as the foundation of the QMS.

• General requirements: Organizations must document a QMS and maintain its effectiveness according to the standard and regulatory requirements. A risk-based approach must be applied to the control of QMS processes. If any process that affects product conformity is outsourced, the organization retains responsibility and must ensure control through written quality agreements. Any computer software used in the QMS must be validated prior to its initial use.

• Documentation requirements: The QMS must include a quality policy, quality objectives, and a Quality Manual. The manual must define the scope of the QMS and describe the interactions between processes.

• Medical Device file: For each device type or family, the organization must maintain a file containing or referencing documents that demonstrate conformity, such as product specifications, manufacturing procedures, and labeling.

• Control of records: Organizations must document procedures for the identification, storage, security, and retention of records. Records must remain legible and retrievable, with a retention period of at least the lifetime of the device, but not less than two years from the date of release.

Clause 5: Management responsibility

Clause 5 covers management’s responsibility for developing and implementing that QMS and maintaining its effectiveness.

• Management commitment: Top management must provide evidence of commitment by communicating the importance of meeting customer and regulatory requirements, establishing a quality policy, and ensuring resources are available.

• Customer focus: Top management must ensure that customer requirements and applicable regulatory requirements are determined and met.

• Quality policy and planning: The quality policy must include a commitment to comply with requirements and maintain QMS effectiveness. Quality objectives must be established at relevant functions, and they must be measurable and consistent with the policy.

• Management representative: Management must appoint a specific individual with the authority to ensure QMS processes are documented and to report on the system's performance.

• Management review: Top management must review the QMS at documented, planned intervals to ensure its continuing suitability and effectiveness. Inputs for review include audit results, feedback, and complaint handling; outputs must include decisions on improvements and resource needs.

Clause 6: Resource management

This clause focuses on the requirements for maintaining a compliant environment for medical device production.

• Provision of resources: The organization must determine and provide resources needed to maintain QMS effectiveness and meet regulatory and customer requirements.

• Human resources: Personnel performing work affecting quality must be competent based on education, training, skills, and experience. The organization must document the process for establishing competence and evaluate the effectiveness of training actions.

• Infrastructure: Requirements for buildings, workspace, and process equipment must be documented to prevent product mix-up and ensure orderly handling. Maintenance activities must be documented and recorded if they can affect product quality.

• Work environment: If environmental conditions can adversely affect quality, the organization must document requirements for the work environment and monitoring procedures.

• Contamination control: For sterile devices, the organization must document requirements for controlling contamination with microorganisms or particulate matter during assembly or packaging.

Clause 7: Product realization

Clause 7 covers the entire lifecycle of a medical device, from initial concept to delivery and installation.

• Planning of product realization: The organization must plan the processes needed for realization and document risk management processes throughout the lifecycle.

• Design and development: Documented procedures must cover design planning, inputs, and outputs. Design Verification (Clause 7.3.6) ensures outputs meet inputs, while Design Validation (Clause 7.3.7) ensures the device meets user needs. Validation must be conducted on representative product and include clinical or performance evaluations.

• Purchasing: Suppliers must be evaluated and selected based on their ability to provide product that meets requirements and the risk associated with the device. Purchasing information must include a written agreement that the supplier notifies the organization of changes prior to implementation.

• Control of production: Production must be planned and monitored. This includes documenting methods for control, qualification of infrastructure, and implementation of labeling/packaging operations.

• Identification and traceability: Product status must be identified throughout realization. For implantable devices, records must include components, materials, and work environment conditions that could affect safety.

• Control of measuring equipment: Measuring equipment must be calibrated or verified against standards traceable to international or national measurement standards.

Clause 8: Measurement, analysis and improvement

The final clause establishes the requirements necessary to maintain a healthy and compliant QMS.

• Feedback and complaint handling: The organization must gather information from production and post-production activities to monitor if customer requirements are met. Documented procedures for timely complaint handling must include investigating allegations and determining the need for regulatory reporting.

• Internal audit: The organization must conduct internal audits at planned intervals to determine if the QMS is effectively implemented and conforms to the standard and regulatory requirements.

• Control of nonconforming product: Product that does not conform to requirements must be identified and controlled to prevent unintended use. Acceptance by concession is only permitted if justification is provided and regulatory requirements are met. If rework is performed, it must be verified to ensure it meets acceptance criteria.

• Analysis of data: Procedures must define how to collect and analyze data (such as feedback, audits, and supplier performance) to demonstrate QMS suitability and effectiveness.

• Corrective action and preventive action: The organization must take action to eliminate the causes of nonconformities to prevent recurrence. Preventive action targets the causes of potential nonconformities. Both must be verified to ensure they do not adversely affect device safety, performance, or regulatory compliance.

Simplify 21 CFR Part 820 Compliance with a Medical Device QMS Solution

ISO 13485:2016 is now the foundation of Part 820. And just as there are separate standards for generic quality management and medical device quality management (ISO 9001 vs ISO 13485), it only makes sense to use a QMS solution that’s built specifically for medical devices. 

Greenlight Guru’s QMS software was built just for medtech, which means every feature is tailored to the needs of medical device companies without heavy customization or lengthy implementation. You also get alignment with regulations like 21 CFR Part 820 and Part 11, as well as standards like ISO 13485 and ISO 14971. 

In other words, you have everything you need to get into your QMS software and start working quickly and painlessly. If you’re ready to see what a medtech-specific QMS can do for your business, then get your free demo of Greenlight Guru today!