14 medical device quality management system requirements for regulatory compliance


    Every day, three medical device quality managers open a piece of mail they will never forget. And these letters aren’t unforgettable in a good way.

    On average, the FDA sends three warning letters a day to medical device manufacturers that haven't met their strict quality management system standards. The majority of FDA observations tell a clear story about common regulatory compliance challenges, including ineffective CAPA, purchasing, and complaint procedures.

    No one is destined to receive a 483 observation. Understanding the medical device quality management system requirements for regulatory compliance can help you avoid landing on the FDA’s naughty list.

    14 Medical Device Quality Management System Requirements for Regulatory Compliance


    A medical device quality management system is a roadmap to create safe, effective products and quality-driven operations. It’s a comprehensive set of requirements and standards that identifies core goals and activities, parameters, and records keeping.

    A quality management system should drive continuous improvement with procedures for regular review, audits, and measurement.

    FDA Code of Federal Regulations 21, Part 820 addresses “quality system regulation,” or QMS requirements for medical device manufacturers. This includes 14 different regulatory requirements for quality systems. Every device manufacturer’s QMS must address each of these 14 subsections to a greater or lesser extent, depending on device class and product risk.

    1. Quality System Requirements

    820.20-25, Subpart B establishes three distinct regulatory requirements for medical device quality management systems — management responsibility, quality audits, and personnel.

    Management responsibility

    • Executive management should create and distribute a quality policy.
    • The organization’s structure and job descriptions should support quality objectives.
    • Leaders must dedicate enough quality resources for training, audits, and assessments.
    • Designate an executive responsible for the QMS and quality system reviews.

    Quality Audits

    Create a policy for neutral quality audits and use audit results to trigger corrective action. Document audit activities and findings.


    Hire sufficient personnel, provide adequate training, and educate staff on how their role impacts product quality.

    2. Design Controls

    Design control requirements apply to all manufacturers of Class II and III medical devices, and the manufacturers of a select few types of Class I devices, including tracheobronchial suction catheters and surgical gloves. These requirements also apply to any medical device which uses software for automation.

    Learn more: What Are the Differences in the FDA Medical Device Classes?

    • Plan, document, and approve product design activities.
    • Document customer requirements.
    • Create design input requirements.
    • Establish clear standards for design outputs.
    • Write and maintain design review policy.
    • Document review by neutral approvers and subject matter experts.
    • Verify and validate designs.
    • Ensure design specifications are translated into production specs.
    • Maintain a unique Design History File (DHF) for each device.


    RELATED READING: Everything you need to know about design controls


    3. Document Controls

    Manufacturers must establish and maintain document control procedures and adopt certain requirements for document approval, distribution, and document changes. Subpart D requirements address document approval, approval signatures, and access control.

    • Designate document approvers for new documents and changes.
    • Capture time-stamped eSignatures from approvers.
    • Make all necessary documents available at the point of work.
    • Remove obsolete documents from circulation.
    • Prevent unintended use of documents or unauthorized access.
    • Communicate document changes in a timely manner.


    4. Purchasing Controls

    A medical device QMS needs to include purchasing controls to screen qualified vendors and ensure that products and services meet quality thresholds. The QMS needs to include clear criteria for suppliers and a record of screening and purchase activities.

    • Establish and maintain supplier, contractor, and consultant requirements.
    • Evaluate all vendors' ability to meet quality requirements.
    • Document vendor evaluations.
    • Create quality standards for suppliers, contractors, and consultants.
    • Maintain comprehensive purchasing requirements.
    • Retain purchasing data, including vendor quality agreements.


    5. Identification and Traceability

    A QMS should include a policy to clearly identify products during every stage of the device lifecycle to prevent quality issues from mixups. In addition, certain types of devices are required to include unique identifiers, including surgical implants and devices, which could result in serious injury if they are used incorrectly.

    Learn more: The Essential Parts of an ISO 13485 Medical Device Quality Management System



    6. Production and Process Controls

    A medical device manufacturing QMS must include adequate controls to ensure that devices meet the design and quality specifications. Any design controls must include:

    • Standard Operating Procedure (SOP) instructions
    • Quality parameters and monitoring methods

    Controls should address all applicable medical device QMS regulatory requirements. Any changes to controls must be documented. Controls can vary depending on the manufacturer and device but may include SOPs for the control of:

    • Environment
    • Personnel
    • Contamination
    • Equipment
    • Maintenance
    • Inspections
    • Tolerances
    • Material Inputs
    • Automation

    In addition, 820.70 Subpart G includes specific requirements for equipment controls and process validation. This includes documenting procedure and results for calibration activities and validating processes to make sure they meet quality specifications.


    7. Acceptance Activities

    Acceptance activities occur at several stages during the product life cycle. A QMS must include acceptance procedures for receiving, production, and finished designs, which are verified through inspections, tests, or other methods. Manufacturers are required to create and follow procedures for acceptance and create records which document acceptance or rejection.

    Inputs and finished devices shouldn’t be released until acceptance activities are complete, and records have been authorized by a designated team member. Acceptance records must include data on:

    • What was done
    • The date
    • Who did it
    • Acceptance data and results
    • Equipment used
    • Authorization


    8. Nonconforming Product

    Device manufacturers need procedures to control products that don’t conform to quality specifications. Section 820.90, Subpart I addresses nonconformity review, disposition (disposal), and rework.

    • Evaluate nonconformances.
    • Investigate nonconformances.
    • Notify regulators and patients, if applicable.
    • Assign responsibility for nonconformance review and disposition.
    • Create rework, retesting, and reevaluation procedures.
    • Document investigations, dispositions, and rework.


    9. Corrective and Preventive Action

    The QMS must include corrective and preventive action (CAPA) procedures to identify quality problems within the QMS and device lifecycle — including quality issues within processes, operations, records, and product returns. Statistical methods should be used when appropriate to determine the risk of recurring quality problems.

    Other specific CAPA requirements which must be documented and followed include:

    • Perform root cause investigations on nonconformities.
    • Identify actions to prevent quality issues from recurring.
    • Verify or validate that actions were effective.
    • Record and adopt changes resulting from CAPA.

    CAPA records and results should be made available to all impacted personnel and included in management review activities.

    More insight: How to choose CAPA software in 2024


    10. Labeling and Package Control

    QMS procedures should create adequate controls for device labeling. Labels should be inspected for integrity. When necessary, these procedures should address label storage, unique identifiers, and documentation of labeling activities.

    Device packaging must be adequate to prevent damage or compromise to medical devices during typical storage, handling, and distribution activities.


    11. Handling, Storage, Distribution, and Installation

    Manufacturers are required to create SOPs which address safe handling, storage, distribution, and installation of medical devices whenever applicable. All of these SOPs should be adequate to prevent deterioration, damage, contamination, and product mixups.

    When necessary, manufacturers must create clear guidelines for any post-installation inspection and maintenance activities performed by patients or healthcare providers.


    12. Records

    The device manufacturer must develop and maintain comprehensive procedures for records keeping throughout the device lifecycle. The records do not have to be stored on-site, but they need to be readily available for review and copying by FDA personnel.

    Any storage methods need to minimize the risks of data loss, including regular backup activities for electronic data records.

    The QMS should address data confidentiality requirements and records retention. Data must be retained for the lifecycle of commercially released products or a minimum of two years.

    820.181-198, Subpart M also lays out specific requirements for several types of records which must be included in the QMS:

    • A master record file for each device
    • Device history records (DHRs) for each unit or batch
    • A Quality System Record (QSR)
    • Complaint files


    13. Servicing

    Anytime that servicing is required, there must be a clear policy for servicing, including statistical methods to analyze service reports and the creation of complaint procedures when events fall outside established quality guidelines.

    SOPs should be created to guide effective service documentation. Service reports must include, at a minimum:

    • What was serviced
    • Unique Device Identifiers (UDIs), if applicable
    • Service date
    • What was done
    • Who did it
    • Test and inspection data


    14. Statistical Techniques

    820.250, Subpart O establishes requirements for the use of statistical techniques to validate processes and products. Sampling plans must be based on valid statistical methods and documented. Manufacturers are required to review statistical techniques to ensure these methods are adequate and provide documentation of review and changes.


    How to Handle Medical Device Quality Management System Requirements for Regulatory Compliance: DIY or eQMS?

    The 14 Subsections of FDA 820 provide clear standards for documenting and maintaining procedures, record-keeping, and other quality processes. While the FDA is clear that maintaining regulatory compliance in a medical device QMS requires including CAPA and purchasing controls, federal regulations don’t dictate how manufacturers achieve this. It’s up to your company to decide between a paper-based quality management system, electronic documents, or quality management system software (eQMS).

    So, should you DIY your QMS? Or should you get an eQMS?

    A purpose-built eQMS is almost always the simplest and least risky way to achieve compliance with FDA 820 requirements. While paper-based QMS systems can initially seem like an adequate way to maintain compliance, it's nearly impossible to see the bigger picture of quality. DIY systems are prone to error. Maintaining regulatory compliance on paper is challenging, and it’s even harder when your company starts to grow or add new processes.

    A cloud eQMS removes the challenges and risks of taking a DIY approach to creating a quality management system. Qualio’s eQMS software is the first cloud-based quality system built specifically in accordance with FDA 820 guidance for medical device manufacturers. Qualio removes the guesswork from creating a compliant quality management system, so you can focus on continuous quality improvements.

    Get a demo today to learn how Qualio can make your company better.