Medical Device Manufacturers – Are You Ready for the Change to Part 820?
Quality System Regulations for MedTech
The change to Part 820 for medical device manufacturers is coming soon. Are you ready?
In 1978, the FDA published 21-CFR-820 or Part 820 as it’s commonly known in the medical device industry.
This regulation governs the “good manufacturing practices” of medical devices. It underwent revisions and was passed into law by an act of Congress in 2024.
Part 820 - Quality System Regulation covers a manufacturer’s responsibilities through the entire value chain including:
- Product design
- Manufacturing
- Labeling
- Packaging
- Storage
- Distribution
- Post-market quality
- and other elements regarding regulations and guidance documents
Without doubt, Part 820 plays a central role in how a medical device company must operate.
Shift to ISO 13485
In 2018 the FDA announced that it was shifting part 820 to align more closely with the international standard ISO 13485:2016, effective February 2, 2026. This will move Part 820 under the umbrella of what is titled the Quality Management System Regulation (QMSR).
The FDA has a history of aligning with ISO standards, for example it participated in the development of the Risk Management Standard ISO 14971 and mandates adherence to it for all medical device companies selling products in the USA. More broadly, the FDA participates in the International Medical Device Regulators Forum (IMDRF), a voluntary group of medical device regulators from around the world focused on global regulatory harmonization.
The QMSR does not change the FDA's inspection authority or exempt manufacturers from FDA inspections. Although ISO 13485 certification is not currently required by law in the US, it’s a highly recognized global standard.
The goal is to maintain the high level of quality assurance in device safety and manufacturing quality while harmonizing with international practices and cost cutting.
The change incorporates the 2016 version of ISO 13485 to align U.S. quality systems with global standards. This results in transformation of the existing QS regulation into the Quality Management System Regulation (QMSR) with added clarifications and requirements.
The FDA predicts this will save the industry approximately $532 million and will facilitate quicker market access to devices.
It’s also clear that ISO moves quicker than US Congress, so it’s easier to point to the standards and incorporate innovative thinking in areas including supplier as well as risk management.
Summary of Changes:
21 CFR Part 820 Section | QMSR Modification/Deletion | Explanation |
Subpart A - General Provisions | Mostly retained | Scope and definitions are largely retained, but some definitions are updated or clarified to align with ISO 13485:2016. |
Subpart B - Quality System Requirements | Replaced by ISO 13485:2016 | The detailed requirements for quality systems in Subpart B are replaced by the requirements of ISO 13485:2016, which is incorporated by reference. |
Subpart C - Design Controls | Replaced by ISO 13485:2016 | Design control requirements are also replaced by the corresponding requirements in ISO 13485:2016. |
Subpart D - Document Controls | Replaced by ISO 13485:2016 | Document control requirements are incorporated into the broader document and record control requirements of ISO 13485:2016. |
Subpart E - Purchasing Controls | Replaced by ISO 13485:2016 | Purchasing controls are addressed within the broader supplier management requirements of ISO 13485:2016. |
Subpart F - Identification and Traceability | Replaced by ISO 13485:2016 | Identification and traceability requirements are incorporated into various sections of ISO 13485:2016, such as production and process controls. |
Subpart G - Production and Process Controls | Replaced by ISO 13485:2016 | Production and process control requirements are covered in detail within ISO 13485:2016. |
Subpart H - Acceptance Activities | Replaced by ISO 13485:2016 | Acceptance activities, including inspection and testing, are addressed within the broader process control and product release requirements of ISO 13485:2016. |
Subpart I - Nonconforming Product | Replaced by ISO 13485:2016 | Requirements for handling nonconforming product are incorporated into the nonconformity and corrective action processes of ISO 13485:2016. |
Subpart J - Corrective and Preventive Action | Replaced by ISO 13485:2016 | Corrective and preventive action (CAPA) requirements are addressed within the broader framework of ISO 13485:2016 for addressing nonconformities and implementing improvements. |
Subpart K - Labeling and Packaging Control | Partially retained and modified | Some labeling and packaging control requirements are retained, but they are modified and aligned with the terminology and concepts of ISO 13485:2016. |
Subpart L - Handling, Storage, Distribution, and Installation | Replaced by ISO 13485:2016 | Requirements for handling, storage, distribution, and installation are incorporated into various sections of ISO 13485:2016, such as control of production and service provision. |
Subpart M - Records | Replaced by ISO 13485:2016 | Record-keeping requirements are addressed within the broader document and record control requirements of ISO 13485:2016. |
Subpart N - Servicing | Replaced by ISO 13485:2016 | Servicing requirements are addressed within the broader framework of ISO 13485:2016 for service provision and post-market surveillance. |
Subpart O - Statistical Techniques | Deleted | The specific requirements for statistical techniques are removed, as ISO 13485:2016 takes a more risk-based approach to quality management. |
Table 1: Scope of Changes of Part 820
Potential Issues with the Shift to 13485:2016
While the shift to ISO 13485 is generally a welcome change, it presents some challenges. Companies already selling products internationally and familiar with ISO 13485 will have a smoother transition, given the overlap between the existing 820 regulations and the new standard.
However, for companies focused primarily on the US market, this shift will require a more significant adjustment and even those that sell both internationally and domestically may need to harmonize processes, adjust systems and retrain personnel. Adapting to the new requirements will take time and resources and should not be taken lightly, even though the intention is to cut costs and improve manufacturing processes.
As a result, manufacturers are left, at least in the short term, with a collection of risks including:
- Interpretation and Implementation: 13485 is more broadly written, leaving questions about how to implement.
- Resources and Training: Training resources to understand and be able to demonstrate compliance with the standard will be a heavy lift for manufacturers ,especially staff not used to the existing standard.
- Risk Management: ISO 13485 expects companies to take a full Total Product Lifecycle Approach to risk. This may require investment in new tools and processes as well as evaluate how real-world-data is collected.
- Impact to Existing Products: There is also uncertainty about how the impact on existing products could create challenges for manufacturers and potentially disrupt the supply chain.
- Supplier Management: The new standard places a greater emphasis on supplier management and control. This could require manufacturers to re-evaluate their supplier relationships and implement new processes, which could be challenging.
- Information Technology Updates: Technology has been built to conform with the existing 820. Even slight changes in requirements can have big impacts on existing implementations, perhaps forcing companies to make changes to code and systems that are decades old.
- New Competition from Companies Already Certified in 13485: Companies already certified in ISO 13485:2016 may have an easier time now entering the US market.
Relevance to the Digital Thread
Besides the challenges already stated, when considered in the context of the digital thread there are specific considerations.
The following table summarizes the specific areas of focus.
Quality System Aspect | Specific Adjustments Due to 13485 Shift | Details/Impact | Impact to the Digital Thread |
Documentation & Record keeping | Revise QMS documentation, update controlled records and templates | Align documents with ISO 13485 standards and ensure traceability | May force revisions to procedures, which could impact how data is managed and organized. |
Risk Management | Enhance risk assessment, mitigation, and monitoring processes | Under the QMSR, risk management is baked into the overall system, encouraging risk-based decision making throughout the total product lifecycle (ie, from design to market, and then post market). | Systems Engineering, PLM, QMS Systems and those Collect Post Market data (like QMS and IoMT platforms) |
Design & Development Controls | Update design controls, including verification, validation, and design review procedures | Ensure that product design processes are robust and compliant with the new standards | Potential adjustments to Design Controls, Change Control and Validation Management in PLM |
Design & Development Controls – DMR | Move away from Device Master Record in favor of Medical Device File | Terminology used throughout processes and systems | Impacts to PLM and QMS systems how DMR information is labeled |
Supplier & Subcontractor Management | Adjust qualification, monitoring, and oversight processes | Ensure suppliers and subcontractors adhere to international quality criteria | Supplier Tracking Capabilities in PLM and ERP Procurement and Supply Chain Management systems |
Internal Audits & CAPA Systems | Refine internal audit processes and improve corrective/preventive action (CAPA) procedures | Address compliance gaps and foster continuous improvement | Potential QMS, MES and/or PLM system updates |
Training Programs | Update training curricula and conduct retraining for staff | Educate teams on the new ISO-based QMS processes, quality standards, and risk management | May require revisions to training curricula stored in LMS |
Technology Integration | Upgrade or adapt electronic QMS (eQMS) and related IT systems | Support enhanced documentation, audit trails, and real-time compliance reporting | Upgrades to Base Digital Thread Systems |
Audit Management | ISO 13485 does not explicitly exclude the regulator from viewing internal audits to allow companies to self-correct without fear of consequences. | While FDA has stated it does not intend to create additional burden it may encourage audits to conduct privileged attorney-client privilege approaches. | QMS system audit security requirements |
Table 2: Impacts to the Digital Thread
Overall, we've observed that the MedTech industry isn't uniformly focused on this regulatory shift.
With the 2026 deadline rapidly approaching, we advise those who haven't yet conducted a full gap assessment and developed a quality plan and strategy to do so quickly.
MedTech companies should consider leveraging this shift as a catalyst to improve their digital thread across the Total Product Lifecycle (TPLC). Specifically, ISO 13485 emphasizes a process-based approach to quality management. This presents an opportunity for US-only companies to redefine and document their processes to align with the standard.
Companies selling both in the US and internationally can harmonize their quality systems and processes globally. Consider combining these efforts with ongoing digital thread initiatives to maximize efficiency and minimize costs.
Further, the increased emphasis on risk management throughout the product lifecycle, including the collection of real-world data, can be integrated into the design and implementation of an Internet of Medical Things (IoMT) platform. This allows for proactive risk mitigation and continuous improvement of device safety and performance.
By proactively addressing the QMSR transition and integrating it with digital thread initiatives, MedTech companies can not only reduce risk of compliance problems, but can also enhance efficiency, improve quality, and drive innovation across the value chain.
Authors
