21 CFR 820 Explained: FDA QSR, QMSR, and ISO 13485
21 CFR Part 820 is the FDA regulation that sets minimum quality system requirements for anyone who designs, manufactures, or distributes medical devices sold in the United States. As of February 2, 2026, Part 820 has been amended into the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference rather than restating FDA-specific requirements.
If you’re building a medical device company, this regulation is not optional reading — it’s the baseline FDA inspectors check against. Here’s what it actually requires, what changed with the QMSR, and where to start if you’re facing it for the first time.
What is 21 CFR 820?
21 CFR 820 sits in Title 21 of the Code of Federal Regulations, the section FDA uses to regulate food and drugs — Part 820 specifically covers medical devices. It’s commonly called the Quality System Regulation, or QSR, and it has governed US device manufacturing since it replaced the original 1978 Good Manufacturing Practice regulation in 1996.
The regulation doesn’t tell you how to build your product. It tells you what controls your quality management system must have so that your product is consistently safe and effective: documented procedures, design verification, supplier controls, corrective action when things go wrong, and traceable records. FDA inspectors use it as their checklist during facility inspections.
What changed with the QMSR in 2026?
For nearly three decades, FDA maintained its own device quality language in Part 820 that ran parallel to, but was not identical to, the international standard ISO 13485. Manufacturers selling in both the US and international markets often maintained two overlapping quality systems, or one system mapped awkwardly to both.
FDA published the Quality Management System Regulation (QMSR) final rule on February 2, 2024, amending Part 820 to incorporate ISO 13485:2016 by reference as the core quality system standard, with a small number of FDA-specific additions layered on top (such as complaint handling and reporting requirements unique to US law). The rule set a two-year transition period, and the QMSR became the enforced standard on February 2, 2026.
Practically, this means: if your quality management system already conforms to ISO 13485:2016, you are most of the way to QMSR compliance. If you were running an older QSR-only system that never aligned to ISO 13485, you need to close the gap now — the transition period is over. Because regulatory text and enforcement guidance can be updated, treat this article as an orientation, not a legal reading, and check current requirements at fda.gov before making compliance decisions.
What does 21 CFR 820 (QMSR) actually require?
The regulation is organized into subparts, each covering a category of quality system control. This is the map most quality teams build their QMS structure around, whether they call it “Part 820” or “QMSR” internally.
| Subpart / area | What it requires | Typical evidence in an audit |
|---|---|---|
| Management responsibility | Documented quality policy, organizational structure, management review at planned intervals | Quality manual, management review meeting minutes |
| Design controls | Design planning, inputs, outputs, verification, validation, transfer, and a design history file (DHF) | DHF, design review records, V&V protocols and reports |
| Document controls | Formal approval, distribution, and change control for quality documents | Document control procedure, revision history, approval signatures |
| Purchasing controls | Evaluation and selection of suppliers based on their ability to meet requirements | Approved supplier list, supplier audits, incoming acceptance criteria |
| Production and process controls | Controlled conditions for manufacturing, including process validation where output can’t be fully verified by inspection | Process validation protocols (IQ/OQ/PQ), work instructions, in-process records |
| Corrective and preventive action (CAPA) | A system to investigate nonconformances, determine root cause, and prevent recurrence | CAPA log, root cause analysis records, effectiveness checks |
| Records | Device history records (DHR), complaint files, and retention of quality records | DHR per lot/unit, complaint handling log, retention schedule |
Design controls and CAPA are the two areas FDA investigators scrutinize most closely, because weak design history or a CAPA system that closes issues without verifying they actually stopped recurring are the most common sources of serious findings.
21 CFR 820 vs ISO 13485 vs QMSR: what’s the difference now?
Since these three terms get used interchangeably and inaccurately, here’s how they actually relate to each other.
| Legacy QSR (pre-2026 text) | ISO 13485:2016 | QMSR (in effect since Feb 2026) | |
|---|---|---|---|
| Issued by | FDA | International Organization for Standardization | FDA |
| Legal status in the US | Was the enforced US regulation | Voluntary standard; a private certification, not law | Now the enforced US regulation |
| Core content | FDA’s own wording, similar intent to ISO 13485 but not identical | Global standard for device QMS, used for CE marking and most other markets | Adopts ISO 13485:2016 text by reference, plus FDA-specific additions |
| Certification/compliance mechanism | FDA inspection (no separate certificate) | Third-party certification body audit and certificate | FDA inspection; ISO 13485 certificate is supporting evidence, not a substitute |
| Who needs it | US device makers (historical) | Any company wanting to sell in ISO 13485 markets (EU, Canada, etc.) | US device makers (current) |
The practical upshot: a company already certified to ISO 13485:2016 is well positioned for QMSR, but certification alone doesn’t guarantee an FDA inspector will find no gaps — FDA’s additions and its own inspection approach still apply.
What does an FDA inspection under the QMSR look like?
FDA typically inspects using the Quality System Inspection Technique (QSIT), which samples four areas: management controls, design controls, corrective and preventive action, and production/process controls, on the theory that a system with strong controls in these four areas is likely sound throughout. The investigator reviews records, interviews staff, and walks the production floor.
Nonconformances are documented on a Form 483. The firm has an opportunity to respond in writing, typically within 15 business days, describing the corrective action it will take. Serious or unresolved findings can escalate to a warning letter, import alert, or in extreme cases an injunction — but the large majority of inspections result in a 483 (if anything) that gets closed through a documented corrective action, not an enforcement action.
First 5 things a small device startup should do
Founders facing 21 CFR 820 for the first time usually make the same mistake: they treat the QMS as a paperwork exercise to finish right before FDA submission. That backfires, because design controls and document history are supposed to be built as you go, not reconstructed after the fact.
- Write your quality policy and identify a management representative. This is the management responsibility backbone the rest of the system hangs on — it doesn’t need to be elaborate, but it needs to exist and be signed.
- Open a design history file the day design work starts, not when you file for clearance. Retroactively reconstructing design inputs, reviews, and verification records is far harder than capturing them in real time.
- Stand up document control before you have very many documents. Decide now how SOPs get drafted, reviewed, approved, and revised — this is the single most common early-audit weak spot, and it only gets harder to fix as the document set grows. Document control starts with well-written SOPs; QualityManager.AI’s free AI SOP generator drafts a structured first version so your quality lead is editing, not starting from a blank page.
- Set up a CAPA log from day one, even before you have a formal CAPA process document. Recording the first few nonconformances and how you resolved them gives you real evidence of a working system, not just a procedure that’s never been used. Our CAPA process guide covers how to structure this.
- Map your supplier and purchasing controls before your first outsourced build. Know which suppliers are “critical” to device quality, and have a basic qualification and incoming-inspection plan for them before parts arrive, not after a nonconformance traces back to one.
None of this requires expensive software on day one. It requires a habit of writing things down as they happen and organizing them the way Part 820/QMSR expects.
A note on scope
This article summarizes the structure and intent of 21 CFR 820 and the QMSR transition; it is not legal or regulatory advice, and specific applicability depends on your device classification, intended market, and current FDA guidance. For binding requirements, always check the current regulation text and FDA’s own QMSR guidance at fda.gov rather than a secondary source, including this one.
If you’re comparing software to help run this system day-to-day, our best QMS software roundup covers what to look for at different company stages, and what is an SOP is a good starting point if document control is your current gap.
Frequently asked questions
Who must comply with 21 CFR 820?
Any company that designs, manufactures, packages, labels, or distributes finished medical devices for the US market, including contract manufacturers and specification developers. This covers domestic and foreign firms alike — if your device ships to US customers, your quality system falls under this regulation, now enforced as the QMSR.
What is the difference between the QSR and the QMSR?
The QSR (Quality System Regulation) was FDA's original 21 CFR 820 text, written independently of ISO standards. The QMSR (Quality Management System Regulation) is the amended version of Part 820, finalized in February 2024, which incorporates ISO 13485:2016 by reference instead of restating similar requirements in FDA's own words. The QMSR became the enforced standard on February 2, 2026.
Does ISO 13485 certification mean a company is FDA compliant?
No. ISO 13485 certification is issued by a private certification body against the ISO standard, while FDA compliance is determined by FDA itself through inspection against 21 CFR 820/QMSR. The two overlap heavily now that QMSR incorporates ISO 13485:2016, but certification is not a substitute for FDA registration, listing, or inspection readiness.
What happens during an FDA quality system inspection?
An FDA investigator reviews your quality management system records, typically using the Quality System Inspection Technique (QSIT), focusing on management controls, design controls, corrective and preventive action (CAPA), and production/process controls. Findings of nonconformance are issued as Form 483 observations, which the firm must respond to in writing, usually within 15 business days.
Do startups need a full quality system before their first device sale?
Yes, in practice. FDA expects a functioning quality management system in place before a device is legally marketed in the US, and design controls must be applied from early development, not bolted on afterward. Waiting until just before submission to build the QMS is one of the most common and costly mistakes device startups make.