21 CFR Part 821

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated December 2025 • Medical device tracking requirements, FDA tracking orders, tracking plan, distributor recordkeeping, UDI alignment, recall execution, postmarket response • Primarily Medical Devices (with operational cross-over into warehouse/logistics and customer support)

21 CFR Part 821 is the FDA’s rule for medical device tracking—meaning the ability to identify specific devices (often by serial/lot-level identity) and quickly locate where they went so the right people can be notified or the right product can be recovered when risk demands it. This is not “nice-to-have traceability.” It is an enforcement-ready expectation for certain devices when FDA requires tracking.

In real operations, Part 821 isn’t about writing an elegant policy. It’s about answering brutal questions under time pressure: Which exact devices are affected? Where are they now? Who has them? Can you prove it without hand-built spreadsheets? Can you execute a field action without losing chain-of-custody? If your system can’t answer those questions cleanly, “we have a process” becomes “we have a story.” Part 821 is where stories get pressure-tested.

Part 821 also exposes a common organizational blind spot: teams often assume tracking is owned by “Quality.” But tracking is not a department—it’s a cross-functional behavior across distribution, customer records, complaint intake, service/repair, returns, and recall execution. That’s why Part 821 naturally connects to UDI (Unique Device Identification), Chain of Custody, Postmarket Surveillance, and practical recall readiness.

“Device tracking only matters when something goes wrong—so it must work when everything is going wrong.”

1) What people mean when they cite 21 CFR Part 821

When someone says “we have to comply with Part 821,” they’re almost always pointing to a high-stakes operational need: the organization must be able to locate devices fast. That can be because FDA has required tracking for the device category, because the company is preparing for a field action posture, or because leadership has realized that their current state is “we can trace some things most of the time” (which is not what regulators mean by tracking).

In practice, Part 821 is less about memorizing citations and more about building a retrieval-grade device identity network—a system that connects device identity (serial/lot), distribution identity (who received it, where it went), and lifecycle identity (service/repair/returns). That network is what powers credible recall execution, targeted notifications, and defensible reporting.

Tell it like it is: most tracking programs fail because companies confuse “we record shipments” with “we can locate devices.” Shipment records alone are not tracking. Tracking is a cross-functional record chain that stays coherent after returns, repairs, consignment, distributor transfers, and customer address changes.

2) What Part 821 is (and what it isn’t)

What it is Part 821 is the FDA’s framework for device tracking requirements—including expectations around a tracking program, a tracking plan, and records—so manufacturers (and relevant distribution parties) can locate devices and notify appropriate stakeholders when necessary.

What it isn’t Part 821 is not the general QMS rule. It doesn’t replace quality system governance under Part 820 (or modern alignment programs). It also isn’t the same as UDI. UDI is an identity standard that helps tracking; it doesn’t automatically create a working tracking program.

Operationally, treat Part 821 as the “can you locate and act?” rule. A QMS can be beautifully documented and still fail tracking if the identity chain breaks across logistics and customer lifecycle events.

3) Who Part 821 applies to

Part 821 is easiest to misunderstand when teams assume “tracking is only for manufacturers.” In reality, tracking depends on the record chain across the supply chain. Manufacturers are typically central, but distribution roles matter because the manufacturer can’t locate what it can’t see.

Another common surprise: if you’re importing devices, you may inherit “manufacturer-like” obligations for tracking. In other words, you can’t hide behind geography. If you are responsible for the device entering U.S. commerce, your tracking posture still needs to stand up. That’s why device businesses that import (or private label) should treat Part 821 as a governance risk, not a clerical detail.

4) When Part 821 “turns on”: FDA tracking orders and risk triggers

Part 821 is not a generic “all devices must be tracked the same way” rule. The real-world trigger is that FDA can require tracking for certain devices when public health risk justifies it. In plain English: when device failure, misuse, or field correction risk is serious enough, FDA expects you to be able to locate devices, quickly and precisely—not with broad, expensive, reputation-damaging overreach.

The risk logic that matters operationally is predictable: implantable or life-sustaining/life-supporting devices, devices used outside controlled clinical environments, and devices whose failure could reasonably cause serious adverse health consequences. The exact legal framing lives in the regulation text, but the operational implication is the same: tracking is used when “we’ll do our best” is not acceptable.

If you want to run a mature program, don’t wait for a tracking event to design identity. Your “trackability” must already exist in normal operations. Tracking is not installed during a crisis; it is revealed during a crisis.

5) The tracking plan: why it’s the real control object

If you only remember one operational idea from Part 821, make it this: tracking must be engineered as a program. That program is typically expressed through a tracking plan that defines how devices will be identified, how movement will be captured, how records will be reconciled, and how the company will prove the system is working.

Weak organizations treat the plan as paperwork. Strong organizations treat it as a system contract: what must be captured, when it must be captured, who owns exceptions, and how audits prove the data is real.

Tracking plans also fail when they ignore business model nuance. A direct-to-hospital distributor model does not behave like a direct-to-patient home-use model. Consignment behaves differently than purchase-and-ship. Service programs create a second “lifecycle” movement layer. Your plan has to match how your device actually moves in the world.

6) The tracking data model: identifiers, parties, and events

Tracking is ultimately an identity graph. If that graph is incomplete, you will be forced into broad, expensive actions (“notify everyone”) because you cannot confidently isolate who is affected. The core building blocks are simple—but they must be consistent:

A very common failure is that companies treat customer identity like CRM-only data and device identity like ERP-only data. Part 821 doesn’t care where you store it. It cares whether you can reliably connect the two during a field action.

This is why mature organizations intentionally align device tracking with chain-of-custody and data integrity: a tracking record that can’t be trusted is not “close enough.” It becomes a liability during enforcement.

7) Execution reality: where tracking fails in the field

Tracking failures are usually not caused by “bad people.” They’re caused by predictable operational friction:

• Distributor transfers: devices move between sites and accounts without the manufacturer seeing the final location.
• Consignment: the device exists in the customer’s world but your system treats it like “inventory somewhere.”
• Service/repair loops: serial numbers get swapped, labels get replaced, or records fragment between RMA and service tickets.
• Customer identity drift: contacts, locations, and installation sites change, but device records don’t update.
• Returns without identity: product comes back without clean device ID, then gets “triaged” and re-entered loosely.

The practical takeaway: tracking must be forced by workflow, not requested by policy. When operators can complete a shipment, service close-out, or return disposition without capturing the required identity fields, the system will rot quietly until the first high-stakes event.

If you want implementation patterns for building a recall-ready operational posture, the most relevant playbooks are: Recall Readiness Software (how to operationalize rapid traceability response), Complaint Management Software (how complaint intake becomes signal and field action fuel), and Audit Readiness (how to keep the evidence posture stable instead of heroic).

8) How Part 821 interfaces with 803, 806, 807, and 820

Part 821 rarely lives alone. In a real incident, it interacts with other regulatory obligations and operational systems. If you don’t design the interfaces, they will collide during stress.

Part 803 (MDR): complaint signals that drive reporting often point directly to the devices you must locate. That means your complaint intake and your tracking identity must share a common language—typically UDI/serial/lot identity and unambiguous customer/site identity. If MDR work happens in one system and tracking work happens in another, you risk delays, misidentification, and overbroad notifications. See 21 CFR Part 803 and Medical Device Reporting (MDR).

Part 806 (Corrections & Removals): field actions are where tracking proves its worth. A correction/removal action that can’t precisely target affected devices becomes expensive and reputationally damaging. Part 821 tracking capability is what keeps Part 806 actions controlled instead of chaotic. See 21 CFR Part 806.

Part 807 (Registration & Listing): this is not “tracking,” but it is part of the device compliance surface area. Organizations that are sloppy with regulatory master data (entities, sites, device identifiers) tend to be sloppy with tracking identity too. See 21 CFR Part 807.

Part 820 (QMS discipline): even though Part 821 is a tracking-focused rule, it depends on QMS fundamentals: controlled records, controlled changes, CAPA linkage, training, and auditability. If your record control is weak, your tracking evidence will be weak. See 21 CFR Part 820.

9) Records, retention, and confidentiality

Tracking programs quietly fail on retention. Teams capture some tracking data, but they don’t retain it long enough, they can’t retrieve it, or it’s scattered across systems that don’t survive reorganizations and software replacements.

Operationally, retention should be treated as a lifecycle commitment: device identity and distribution history must remain retrievable for as long as they matter. That requires stable identifiers, stable governance, and controlled corrections—not “whatever the CRM happens to keep.”

In a mature organization, the tracking record lifecycle is treated like regulated evidence: it is versioned, protected, and retrievable. That’s why tracking connects strongly to data integrity expectations and why teams that rely on ad hoc exports get exposed during real events.

10) Inspection & incident response: proving your tracking works

Regulators (and auditors) don’t validate tracking by reading your policy. They validate tracking by asking you to produce proof. In practice, that means a retrieval drill:

If this drill turns into a week-long email hunt, the gap is not “training.” It’s architecture. You don’t fix tracking by reminding people to be careful; you fix it by preventing completion of critical events without the required identity and evidence.

11) Copy/paste readiness scorecard (self-assessment)

Use this as a practical self-assessment. If you can’t answer these cleanly, your Part 821 posture is fragile.

The goal is not to “pass a quiz.” The goal is to identify where your operating model depends on reconstruction and replace it with event-driven evidence.

12) How this maps to V5 by SG Systems Global

V5 supports Part 821 outcomes by turning tracking into an event-driven identity chain rather than an end-of-month reconciliation exercise. Part 821 is fundamentally about: consistent identity, controlled events, and fast retrieval under stress.

In practice, organizations building a tracking-ready posture typically need three systems to behave like one: quality governance, warehouse/distribution execution, and manufacturing/serialization identity. That’s why Part 821 alignment fits naturally with the V5 platform:

Use the V5 Quality Management System (QMS) to govern procedures, changes, training, and CAPA evidence; use the
V5 Warehouse Management System (WMS) to enforce controlled distribution events (ship/receive/transfer/return) with status integrity; and connect identity and integrations cleanly using
V5 Connect (API) so the tracking identity chain doesn’t fracture across ERP/CRM/service tools.
If you want the platform overview in one place, anchor on V5 Solution Overview.

If you’re operating in the medical device space and need an industry-aligned view of how execution + compliance patterns come together, see Medical Device Manufacturing.

13) Extended FAQ

Q1. Is Part 821 the same thing as UDI?
No. UDI helps define identity. Part 821 is about the tracking program that can locate devices and support field action execution. You can have UDI and still have broken tracking if your event capture and customer/location linkage is weak.

Q2. Is tracking just a “manufacturer problem”?
Not operationally. Tracking depends on the record chain across distribution and lifecycle events. If transfers, consignment, or service loops break visibility, you can’t locate devices reliably.

Q3. What’s the most common failure mode?
Fragmented identity. Device IDs live in one place, customer/location data lives in another, service data lives in a third—and nobody can reliably connect them when a field action hits.

Q4. Can we “track” using spreadsheets?
You can sometimes survive at low volume with stable personnel. But it’s fragile. Under scale or incident pressure, spreadsheets become slow and error-prone—and Part 821 is fundamentally a “must work under pressure” obligation.

Q5. How do we know whether our tracking is real?
Run retrieval drills. Pick a serial/lot, then prove you can identify shipment history, current holder/location, lifecycle events, and a targeted notification list quickly and defensibly.

Related Reading
• Regulatory Sources: 21 CFR Part 821 (CFR text via Cornell) | Tracking Plan (21 CFR 821.25)
• Implementation Playbooks: Recall Readiness Software | Complaint Management Software | Audit Readiness
• Supporting Glossary Terms: 21 CFR Part 803 | 21 CFR Part 806 | 21 CFR Part 807 | 21 CFR Part 820 | UDI | Recall Readiness