21 CFR Part 820

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • Medical device quality system (QSR) + transition to QMSR • Design controls, document/record control, CAPA, complaint handling, production & process controls, inspection readiness • Primarily Medical Devices (with cross-over into software validation, data integrity, and postmarket reporting)

21 CFR Part 820 is the FDA’s medical device quality system regulation in operational terms: it’s the rule that decides whether you run your device business as a controlled system or as a pile of “good intentions” held together by heroic people and end-of-month cleanups.

Most teams think Part 820 is “a QA thing.” That assumption is exactly how you end up with a clean SOP library and a dirty reality: uncontrolled changes, undocumented decisions, supplier surprises, missing evidence, and CAPAs that look impressive but don’t actually reduce risk. Part 820 is not a binder requirement. It’s an execution requirement—design, manufacturing, purchasing, labeling, complaints, and corrective actions all have to behave like one connected system.

There’s also an unavoidable timing issue: FDA has finalized the Quality Management System Regulation (QMSR), which modernizes Part 820 by aligning the U.S. device QMS much more closely with ISO 13485. The compliance date is February 2, 2026. In other words: if your Part 820 posture is “we’ll fix it later,” you’re out of runway. (Start with FDA’s QMSR overview for the authoritative framing.)

If you want the canonical regulation text, use the current eCFR page for Part 820. That is the baseline “what the rule says.” Your job is translating that into a record-producing operating model that survives a real inspection.

“Part 820 doesn’t punish companies for having problems. It punishes companies for not controlling problems—and for being unable to prove they controlled them.”

1) What people mean when they cite 21 CFR Part 820

When someone says “we need to be Part 820 compliant,” they usually mean one of four things—none of which are solved by rewriting SOPs.

First: they’re anticipating an FDA inspection (or they’ve already had one), and they know Part 820 is the rule FDA uses to test whether your system is real or performative.

Second: they’ve had a quality failure—complaints, scrap spikes, supplier escapes, audit findings—and they need a structured way to stop repeating the same failure under different names.

Third: they’re scaling: more SKUs, more sites, more suppliers, more product changes. What used to be managed by “tribal knowledge” can’t scale without a controlled system.

Fourth: they’re under commercial pressure (new customers, new markets, ISO certification alignment), and they need their QMS to be legible to auditors, partners, and regulators.

Here’s the key: Part 820 is not a checklist. It’s a design spec for how regulated device operations should generate and retain trustworthy evidence—from design input decisions all the way through complaints and CAPA closure.

2) The hard truth: Part 820 is an evidence system

Part 820 doesn’t live in your quality manual. It lives in your records. FDA doesn’t get convinced by your “process.” They get convinced by your evidence that the process ran the way you claim.

If you want to make Part 820 simple, think in one sentence:

If you can’t answer that, you will feel Part 820 as chaos: repeated investigations, inconsistent answers, missing approvals, and CAPAs that are really just “work harder next time.” If you can answer it, Part 820 becomes a competitive advantage: predictable releases, fewer escapes, faster root cause, cleaner supplier relationships, and calmer audits.

3) Who Part 820 applies to (and why “we outsource manufacturing” doesn’t save you)

Most companies get burned by scope misunderstandings. If you are responsible for a finished medical device placed on the U.S. market, you are in the Part 820 story—even if a contract manufacturer physically builds the device.

Outsourcing doesn’t remove obligations; it changes how you fulfill them. You still own the system: design controls, purchasing controls, acceptance activities, complaint evaluation, and CAPA governance. Your contract partners become extensions of your regulated process. If you can’t access their evidence, you can’t defend your compliance position.

This is why “supplier quality” under Part 820 is not a vendor scorecard exercise. It’s a regulated workflow. Your purchasing controls, supplier qualification, and incoming acceptance evidence have to match the risk of what you buy.

For medical device organizations building end-to-end operational posture—not just compliance theater—tie this back to how your industry executes: the medical device manufacturing control model is about traceable decisions, controlled changes, and provable releases, not just “good intentions.”

4) Documents vs records vs evidence: the model that stops rework

Part 820 failures often come from mixing up three different objects:

In practice, the difference between a weak and strong Part 820 posture is whether your evidence is event-linked and retrieval-ready. That’s why concepts like document control, data integrity, and defensible audit trails keep showing up: they’re not academic. They are what turns execution into evidence.

5) Scope map: Subparts A–O in operational language

Part 820 is long, but it’s not random. It’s a full operating system: leadership, design, suppliers, production, acceptance, labeling, complaints, CAPA, and records. Here’s the operational map.

If you’re reading Part 820 for the first time, here’s the right mental model: it is not asking you to “have” these subparts. It is asking you to run the business so these subparts continuously generate trustworthy evidence.

6) Management responsibility: the part most companies fake

In a mature device organization, quality is a leadership system. In an immature one, quality is a department that “cleans up” after the business. Part 820 is explicit about which model is acceptable.

Management responsibility shows up as three uncomfortable questions:

1) Who owns decisions? If a deviation happens, who decides disposition? If a CAPA is late, who escalates? If a supplier repeatedly escapes, who approves continued use? Undefined authority becomes “everyone and no one,” which becomes recurring failures.

2) Who funds control? Training, validation, supplier audits, complaint investigations, and proper tooling cost money. A quality system without budget is a quality system with excuses.

3) Who reviews the system as a system? Management review should not be a quarterly slide deck. It should be a decision forum: trends, risk posture, chronic issues, and whether CAPAs are actually reducing recurrence.

Tell it like it is: Part 820 collapses when leadership delegates “quality” but keeps “authority” and “budget.” A compliant system is one where authority, accountability, and resources line up.

7) Design controls: DHF discipline (not “R&D paperwork”)

Design controls are where device companies either win credibility—or lose years. The Design History File (DHF) is not an archive. It is the evidence that your design was developed under control and that it meets user needs and intended use.

A practical design controls posture means:

The biggest design controls failure pattern is this: organizations can produce documents, but they can’t produce traceability. When an inspector asks “show me where this requirement was tested,” teams scramble. If your DHF is a folder and your traceability is a spreadsheet maintained by one person, you are one resignation away from systemic noncompliance.

A strong approach treats design traceability as a system output: requirements, risk, verification, validation, and change control are connected. Not “linked by email.” Linked by structure.

8) Document controls: controlling change without slowing the business

Document control is not bureaucracy. It’s how you stop people from executing the wrong version of reality.

In a device operation, “documents” include: procedures, work instructions, forms, test methods, specifications, labeling masters, and sometimes software configuration specifications. If those are uncontrolled, you do not have repeatable execution.

A practical document control posture includes:

Effective dating: a document is not “approved” in the abstract; it becomes effective at a defined time for defined scope.

Distribution control: the shop floor must not have access to obsolete instructions “because it’s easier.”

Change control that respects risk: not every edit needs a committee, but high-risk changes need real review and impact assessment.

Training alignment: when a controlled instruction changes, you must be able to show the right people were trained (or assessed) on the change.

Document control becomes real when it is integrated with execution, not separated from it. The more your operation relies on “print it out and hope,” the more you are manufacturing variance.

9) Purchasing controls: supplier quality as a regulated workflow

Purchasing controls exist because the device you ship is not only the output of your facility—it’s the output of your entire supplier ecosystem. If you buy critical components, contract manufacturing, sterilization services, calibration services, or packaging, you are buying risk. Part 820 expects you to control that risk with evidence.

Two supplier realities drive most failures:

Reality #1: suppliers drift. Processes change, tooling wears, people leave, and shortcuts appear. Qualification is not a one-time gate; it’s an ongoing control loop.

Reality #2: most organizations under-define requirements. They buy “parts” without fully defining acceptance criteria, traceability requirements, change notification expectations, and record access. Then they act surprised when they can’t investigate a failure.

Operationally, purchasing control should look like this: supplier selection and monitoring proportional to risk; incoming verification aligned to that risk; and a feedback loop from receiving/inspection/complaints into supplier performance and escalation.

If you treat supplier quality as email threads, you will repeatedly fail the same way: late discovery, weak evidence, and CAPAs that can’t touch the root cause because the root cause lives outside your walls.

10) Production & process controls: where validation meets reality

This is where Part 820 turns into a factory problem. The regulation expects production processes to be controlled, monitored, and—when required—validated. That includes equipment, environments, software, inspection methods, and the way operators execute work.

The trap is thinking validation is a document project. It isn’t. Validation is a claim about reality: “This process, run this way, will consistently produce conforming product.” If production changes and your control system doesn’t detect or govern that change, your validation claim becomes fiction.

Three practical control patterns matter most:

1) Process definition and enforcement. If critical steps are optional, your outcomes will be optional. This is where execution discipline matters.

2) Equipment and measurement integrity. If calibration status is not enforced, your data becomes untrustworthy. You cannot test quality into a system that can’t trust its measurements.

3) Software and electronic systems. The more you digitize execution and quality decisions, the more you must prove your systems behave predictably. This is exactly why system validation is not optional in regulated environments—see System Validation and why it’s often paired with Part 11 Readiness as the electronic evidence layer matures.

Bottom line: production control isn’t about perfect processes. It’s about controlled processes with evidence that controls worked, especially when something goes wrong.

11) Acceptance activities & the Device History Record (DHR)

Acceptance activities are how you prove product met requirements at the points where it matters: incoming, in-process, and final acceptance. This is not “QC paperwork.” It is the evidence basis for release.

For many device companies, the Device History Record (DHR) becomes the central evidence object. It should allow you to answer the most important questions without reconstruction:

• What device (and version) was built?
• Under what approved procedures/specifications?
• With which materials/components (traceability)?
• What inspections/tests were performed, by whom, when, and with what results?
• Were nonconformances generated, dispositioned, and closed appropriately?
• Was the device released by authorized personnel?

Notice what’s missing: “We think it was fine.” Part 820 doesn’t accept “we think.” It accepts records. If your acceptance records are scattered across paper travelers, spreadsheets, instrument printouts, and email approvals, you don’t have a DHR—you have fragments.

And here’s the uncomfortable truth: the DHR is what you will live or die by during complaint investigations. If you can’t tie a complaint back to build conditions, materials, inspections, and releases, your investigations will be slow and shallow.

12) Labeling & packaging controls: the recall machine if you ignore it

Labeling errors are one of the most predictable ways to trigger field action. The reason is simple: labels are how your product identifies itself to the world—use, warnings, version, UDI, and sometimes critical performance constraints.

Weak labeling control tends to look like this: label files in shared folders, changes handled informally, issuance done by “whoever is available,” and reconciliation treated as an inventory problem instead of a patient safety problem.

Strong labeling control looks like: controlled masters, controlled issuance, reconciliation that prevents mix-ups, and evidence that what shipped matches what was approved. This is where document control and execution systems collide: if the line can print or apply the wrong label without detection, your control system is not real.

13) Nonconforming product, rework, and disposition authority

Nonconformance control is not just “scrap vs use.” It is the boundary between controlled operations and uncontrolled distribution of risk.

Three things make nonconformance control defensible:

Containment that actually contains. If your system can’t prevent movement/shipment of nonconforming product, your “quarantine” is a label, not a control.

Disposition authority that is explicit. Who can approve rework? Who can approve use-as-is? Who must be involved when risk is high? If disposition authority is vague, you will have inconsistent decisions that can’t be defended under scrutiny.

Linkage to CAPA when patterns appear. A nonconformance record is a symptom record. CAPA is the systemic correction record. If you treat repeated nonconformances as isolated events, you are choosing recurrence.

Many organizations “pass” internal reviews because they have forms. They fail regulatory stress because they can’t show the system prevented recurrence or constrained risk consistently.

14) CAPA: turning pain into control (and proving effectiveness)

CAPA is where Part 820 gets brutally honest. It forces you to answer: do you fix problems, or do you document them?

CAPA breaks down into a disciplined loop:

This is why many organizations tie CAPA discipline to their definitions and tooling—see CAPA (Corrective & Preventive Action) as the control object, not just an acronym.

Tell it like it is: CAPA is where you prove your QMS learns. If your CAPAs don’t measurably reduce recurrence, your QMS is not learning—it’s recording.

15) Complaints, MDR, and field actions: where postmarket starts

Part 820 is not only a manufacturing rule. It’s a lifecycle rule. Complaints are not customer service noise; they are regulated inputs into your quality system.

A defensible complaint process should be structured enough that you can show consistent evaluation, investigation decisions, trend analysis, and linkage into CAPA when systemic signals appear. That’s why complaint workflows matter as a system—not a shared inbox. (See Customer Complaint Handling Process for the operational control view.)

Complaints also intersect with mandatory reporting expectations and downstream regulatory obligations. Medical Device Reporting is a separate regulatory program, but operationally it depends on your complaint intake and evaluation discipline—see Medical Device Reporting (MDR) and how it relates to 21 CFR Part 803.

Why does this matter? Because in real life, the “postmarket system” is where regulators see whether your QMS is alive. A company that investigates complaints deeply, trends intelligently, and drives CAPA based on evidence looks like a controlled manufacturer. A company that classifies everything as “non-reportable” without a coherent evaluation trail looks like a risk.

16) Records, retention, audit trails, and electronic systems

Records are where Part 820 becomes non-negotiable. You cannot comply with a quality system regulation with “mostly electronic” evidence that is actually fragmented, editable, and irreconcilable.

At minimum, device organizations live inside three core record families:

Design history (DHF): why the design is what it is, and how it was verified/validated under control.

Device master definition (DMR conceptually): the “recipe” for building and verifying the device (specifications, procedures, labeling).

Device history (DHR): proof that a specific unit/lot was built and accepted under that approved definition.

Now add modern reality: most of this is electronic. That forces the integrity question. “Electronic” is not the same as “digital chaos.” A defensible posture requires you to protect data from silent changes, preserve who-did-what-when, and keep records retrievable for the retention period. This is the overlap zone where data integrity principles and a real audit trail become operational requirements rather than compliance vocabulary.

If you operate validated systems, you should also be able to show the systems themselves are controlled and fit for intended use. That’s why device companies often treat system validation as “Part 820 hygiene” (again: System Validation) and treat electronic compliance readiness as a continuous posture, not a one-time project (Part 11 Readiness).

17) Inspection readiness: how FDA actually tests your system

Inspections are not debates. They are tests of whether your evidence exists and whether it matches your claims. Inspectors don’t need your best day. They need your normal day to be defensible.

Practical inspection dynamics look like this:

They follow the trail. A complaint leads to a DHR. A DHR leads to acceptance records. Acceptance records lead to calibration status. Calibration leads to training. Training leads to document control. Document control leads to change control. If any link is broken, the inspector doesn’t “move on.” They dig.

They look for repeatable answers. If one person can explain the system and everyone else is guessing, your system is personality-driven, not process-driven.

They test CAPA effectiveness. CAPA closure without effectiveness evidence is one of the fastest ways to lose credibility.

If you want a pragmatic way to reduce inspection chaos, do retrieval drills and audit rehearsals. A useful operational framing is in Audit Readiness: practice producing evidence under time pressure, with consistent narratives anchored in records rather than memory.

18) QMSR transition: what changes, what doesn’t, and what to do now

Part 820 is in transition. FDA has finalized QMSR, which shifts the U.S. device quality system framework to align closely with ISO 13485. The compliance date is February 2, 2026, and FDA’s own QMSR page is the cleanest authoritative summary of what’s happening and why.

Here’s what does not change in practice: you still need leadership accountability, controlled design, controlled production, supplier oversight, complaint handling, CAPA discipline, and defensible records. QMSR doesn’t remove the need for control—it tightens the expectation that control is systematic and lifecycle-based.

Here’s what does change operationally for many companies: the mapping becomes more direct if you already run an ISO 13485-aligned QMS. That’s why ISO 13485 and QMSR are not “extra standards”—they are now the direction of travel for Part 820 execution.

If you want a no-nonsense transition approach, do three things immediately:

The goal is not to “rename procedures.” The goal is to make your system behave the same way every time—under pressure—because that is what inspections (and real-world failures) expose.

19) Copy/paste compliance scorecard (self-assessment)

If you can’t answer these cleanly from records, your Part 820 posture is fragile.

The point is not to score yourself. The point is to find where your operating model still depends on “reconstructing the story later” and replace it with event-driven evidence now.

20) How this maps to V5 by SG Systems Global

V5 supports Part 820/QMSR outcomes by making quality evidence connected to execution, instead of trapped in disconnected documents and manual reconciliation. That matters because Part 820 doesn’t reward “having records.” It rewards having records that are retrieval-ready, version-consistent, and defensible.

If you want the high-level view of how a modern QMS platform supports controlled workflows and evidence generation, start with the Quality Management System (QMS) product overview. The practical value (in Part 820 terms) is straightforward: controlled documents, controlled records, controlled approvals, and fast retrieval without archaeology.

Part 820 success isn’t “software solves compliance.” It’s that software can enforce the behavior Part 820 assumes: role-based authority, controlled change, protected records, and audit-ready retrieval.

21) Extended FAQ

Q1. Is 21 CFR Part 820 “just documentation”?
No. Documentation is an output. Part 820 is about controlled design, controlled production, controlled supplier management, controlled postmarket response, and evidence that proves those controls ran.

Q2. We’re ISO 13485 certified. Are we automatically compliant?
Not automatically. ISO alignment helps, and QMSR makes mapping more direct, but you still need U.S.-specific obligations and defensible evidence for FDA expectations. Treat ISO certification as a strong base—not a shield.

Q3. What’s the fastest way to learn if our system is real?
Run retrieval drills. Pick a complaint. Trace it to a lot/unit DHR. Show acceptance records, calibration, training, deviations/nonconformances, CAPA linkage, and effectiveness evidence—without improvising.

Q4. What’s the most common CAPA failure?
Closing CAPAs without defined effectiveness checks. If you can’t show recurrence risk dropped, you didn’t “prevent,” you only “documented.”

Q5. What does QMSR change that matters operationally?
It pushes the system closer to ISO 13485 language and lifecycle expectations, which reduces “translation” for global manufacturers—but it also exposes organizations that relied on informal controls and personality-driven processes. The compliance date is Feb 2, 2026.

Q6. Where should I read the authoritative baseline?
Start with the current CFR text for Part 820 on eCFR, and use FDA’s QMSR page to understand the transition and timing.

Related Reading
If you want the authoritative regulation text, start with 21 CFR Part 820 (eCFR). If you need the transition framing and timing, FDA’s Quality Management System Regulation (QMSR) page is the cleanest anchor. For operational implementation, pair evidence discipline (see Data Integrity and Audit Trails) with execution-proof system hygiene (see System Validation and Audit Readiness).