FDA 21 CFR 820 QSR: The Compliance Gaps Most Medical Device Manufacturers Miss

FDA 21 CFR Part 820 — the Quality System Regulation (QSR) — is the backbone of quality management for medical device manufacturers in the United States. It establishes the requirements for the design, manufacture, packaging, labelling, storage, installation, and servicing of medical devices. Every manufacturer that markets devices in the US must comply with it.

Most manufacturers know this. Most have quality management systems in place. Yet FDA inspection data consistently reveals the same categories of findings year after year. The gaps are not in the obvious areas — they are in the conditional requirements, the documentation expectations, and the process connections that sit between the major QSR sections.

Understanding where these gaps typically occur — and why — is essential for any manufacturer preparing for an FDA inspection or seeking to strengthen their quality system proactively.

Design controls: where most gaps begin

Subpart C of the QSR (21 CFR 820.30) establishes design control requirements. These apply to all Class II and Class III devices and are among the most frequently cited areas in FDA warning letters and 483 observations.

Design controls are not a single obligation. They are a system of interconnected requirements, each with specific conditions and documentation expectations:

• Design and development planning (820.30(b)): The design plan must describe the design and development activities and define responsibility for implementation. It must be updated as the design evolves. The gap: many manufacturers create a design plan at project initiation and never update it. The QSR requires the plan to be maintained and revised as the design and development process evolves.

• Design input (820.30(c)): Requirements must be documented, addressing intended use, performance, safety, and applicable regulatory requirements. The gap: design inputs are frequently stated in vague terms (“device shall be safe and effective”) rather than specific, measurable, and verifiable requirements. FDA expects inputs to be concrete enough that design verification can be performed against them.

• Design output (820.30(d)): Outputs must be documented and expressed in terms that can be verified against design inputs. The gap: manufacturers often produce design outputs that cannot be directly traced back to specific design inputs. The traceability matrix — while not explicitly required by the QSR text — is the standard method for demonstrating this linkage, and its absence is a common finding.

• Design review (820.30(e)): Formal documented reviews must be conducted at suitable stages. The gap: design reviews are held but inadequately documented. FDA looks for evidence that reviews included appropriate participants (including independent reviewers), that issues were identified and tracked, and that outcomes were documented. Meeting minutes that state “design reviewed and approved” without substance are insufficient.

• Design verification and validation (820.30(f) and (g)): Verification confirms outputs meet inputs. Validation confirms the device meets user needs and intended uses. The gap: manufacturers frequently conflate verification and validation or perform validation that does not adequately represent actual conditions of use. Validation must include testing under actual or simulated use conditions, and the protocols and results must be documented in detail.

• Design transfer (820.30(h)): Procedures must ensure the device design is correctly translated into production specifications. The gap: the transfer process is often informal, with no documented evidence that production specifications were verified against the final design output. This is a particularly common finding for manufacturers transitioning from prototype to production.

• Design changes (820.30(i)): Changes must be identified, documented, validated or verified as appropriate, reviewed, and approved before implementation. The gap: changes made during development are often not captured with the same rigour as post-market changes. FDA expects the same level of documentation discipline throughout the design process.

CAPA: the system that reveals everything

The Corrective and Preventive Action (CAPA) system (21 CFR 820.90) is arguably the single most important element of the QSR from an FDA inspection perspective. It is consistently among the top-cited areas in inspections, and its effectiveness — or lack thereof — tells FDA more about the state of a manufacturer’s quality system than almost any other element.

The most common CAPA gaps:

Inadequate investigation and root cause analysis. The QSR requires that CAPA procedures include investigating the cause of nonconformities. FDA expects root cause analysis — not just identification of the immediate problem. Manufacturers frequently document the symptom (“label was incorrect”) without investigating why it occurred (“incoming inspection procedure did not include label verification for this product family”). Shallow investigations lead to corrective actions that address symptoms rather than causes, resulting in recurrence.

Failure to verify or validate effectiveness. After implementing a corrective or preventive action, the QSR requires verification that the action was effective. This is one of the most commonly missed steps. Manufacturers implement a change and close the CAPA without documented evidence that the change actually resolved the issue. FDA specifically looks for effectiveness checks — and their absence is a reliable indicator of a weak CAPA system.

Scope creep and misuse of CAPA. Some manufacturers route every minor issue through CAPA, diluting the system’s effectiveness and creating an unmanageable backlog. Others avoid CAPA for issues that genuinely warrant it. The QSR requires CAPA for nonconformities and quality problems — not for routine adjustments, but also not only for critical failures. The threshold for initiating a CAPA should be defined and consistently applied.

Inadequate trending and data analysis. Section 820.90(b) specifically requires analysis of quality data to identify existing and potential causes of nonconforming product or other quality problems. This is a preventive action obligation — it requires proactive analysis, not just reactive response. Manufacturers that only open CAPAs in response to specific events, without systematic trending of complaint data, nonconformance data, and audit findings, miss this obligation.

Production and process controls

Subpart G of the QSR (820.70 through 820.75) establishes requirements for production and process controls. Common gaps include:

Process validation (820.75): When the results of a process cannot be fully verified by subsequent inspection and testing, the process must be validated. This is a conditional obligation that manufacturers sometimes misidentify. If you cannot inspect or test your way to confidence that the process produced the required result, you must validate the process itself. Common examples include sterilisation, sealing, and certain software-controlled manufacturing steps. The gap: manufacturers sometimes rely on final inspection to verify results that should be process-validated, or they validate initially but fail to revalidate when process parameters or materials change.

Environmental controls (820.70(c)): Where environmental conditions could adversely affect product quality, these conditions must be controlled and monitored. The gap: environmental monitoring is often implemented for obvious parameters (temperature, humidity in clean rooms) but not for less obvious ones relevant to specific product types. The obligation is conditioned on whether the environment could affect quality — this requires a documented assessment.

Equipment maintenance and adjustment (820.70(g)): Schedules must be established and maintained for the adjustment, cleaning, and maintenance of equipment. The gap: maintenance schedules exist but are not consistently followed, or maintenance activities are performed but not documented. FDA looks for documented evidence that scheduled maintenance was completed — not just that a schedule exists.

Document and record controls

Sections 820.40 (document controls) and 820.180-820.184 (records) establish requirements that underpin every other element of the QSR. Gaps here amplify problems everywhere else.

Document approval and distribution: Documents must be reviewed and approved before issuance. Changes must follow the same process. The gap: manufacturers sometimes operate with outdated or unapproved documents on the production floor, or document changes are implemented before formal approval is complete.

Record retention and accessibility: The QSR requires records to be maintained for a period equivalent to the design and expected life of the device, but not less than two years from the date of commercial distribution. The gap: records exist but are not readily retrievable. FDA investigators expect to access requested records within a reasonable timeframe — an inability to produce records efficiently is itself a finding.

Device History Record (DHR) (820.184): Each production unit or batch must have a DHR that demonstrates the device was manufactured in accordance with the Device Master Record. The gap: DHRs are often incomplete, missing signatures, dates, or evidence of specific production steps. The DHR is the primary evidence that the device was built correctly — gaps in the DHR undermine the manufacturer’s ability to demonstrate compliance with every production-related requirement.

Complaint handling and MDR reporting

Section 820.198 requires procedures for receiving, reviewing, and evaluating complaints. The connection between complaint handling and Medical Device Reporting (MDR) under 21 CFR Part 803 is a frequent source of gaps.

The most common issue: complaint evaluation procedures do not adequately assess whether a complaint meets the criteria for an MDR reportable event. FDA expects a documented evaluation for every complaint that could potentially involve a death, serious injury, or malfunction that could contribute to either. Manufacturers that filter complaints before this evaluation — for example, by categorising complaints as “customer service issues” without assessing reportability — create significant regulatory risk.

Taking a systematic approach

The QSR contains over 100 individual requirements across its subparts, many of which are conditional and interconnected. A gap in design controls can cascade into production, CAPA, and complaint handling. A weakness in document controls affects the integrity of evidence across every other section.

AuditDSS decomposes the QSR into its individual obligations, mapping the conditions under which each applies, the evidence required, and the dependencies between obligations. This obligation-level view allows manufacturers to identify gaps that a section-level review would miss — the conditional requirements that apply only to specific device types or manufacturing processes, the documentation expectations that are implicit rather than explicit, and the connections between QSR sections that create cascading risk when any one element is weak.

The manufacturers that perform well in FDA inspections are not necessarily the ones with the most elaborate quality systems. They are the ones that understand exactly what each QSR obligation requires, can produce the evidence for each one, and have identified and addressed gaps before an investigator arrives. The QSR rewards specificity and discipline. The gaps it punishes are the ones hiding in the details.