If you’ve been following this series from the beginning, you’ve already thought about scope, definitions, and terminology. Now we get to the part where the QMSR starts asking something more demanding than “do you have a quality system?” It starts asking: can you show that it works?
§820.10 establishes the general requirements for your QMS — the foundational obligations that everything else in the regulation builds on. It’s the section that transforms a quality system from a collection of documents into a functioning, verifiable operation. And it’s worth spending time here, because this is where a lot of the distance between “compliant on paper” and “compliant in practice” becomes visible.
What §820.10 Requires
Through its incorporation of ISO 13485:2016, the QMSR’s general QMS requirements ask manufacturers to establish, document, implement, maintain, and continually improve a quality management system. That sequence of verbs is not decorative. Each one carries weight:
Establish means you’ve defined the processes, their sequence, and how they interact. Document means those definitions exist in writing — not just in institutional memory. Implement means the documented processes are actually being followed on the floor, in the lab, in the office. Maintain means the system stays current as products, processes, and regulations evolve. And continually improve means you’re using data — complaints, audits, CAPAs, management review outputs — to make the system measurably better over time.
FDA investigators are trained to look for gaps between “established” and “implemented.” A procedure that exists but isn’t followed is one of the most reliable sources of FDA observations. It also tends to be one of the most avoidable.
What Changed from the Old QSR
The old QSR had a general quality system requirement (§820.5) that asked for a quality system “appropriate for the specific medical device(s) designed or manufactured.” The QMSR’s general requirements, drawing from ISO 13485, are more structured and more explicit about what “appropriate” actually means in practice.
Two changes stand out. First, the risk-based approach is now woven throughout rather than confined to specific sections. Your QMS is expected to apply risk thinking not just to product design, but to process design, supplier management, and quality system decisions generally. Second, the emphasis on demonstrating effectiveness is stronger. Under the QMSR, it’s not enough to assert that your quality system works — you need records, metrics, and outputs that show it does.
The “Demonstrate” Standard
I want to linger on the word “demonstrate” for a moment, because it comes up repeatedly in the QMSR and it has a specific meaning in an FDA context. To demonstrate something to FDA is to show it through objective evidence — records, data, test results, audit findings. Not assertions. Not the fact that you’ve been doing this for 20 years without a problem. Evidence.
This matters practically when you’re preparing for an inspection. For every significant claim about your QMS — “our processes are validated,” “our suppliers are qualified,” “our complaints are investigated thoroughly” — ask yourself: what’s the record that demonstrates this? If you can answer that question for your core processes, you’re in a strong position. If the answer involves a long search or “we’d have to pull that together,” that’s a gap worth closing before someone else closes it for you.
A Practical Starting Point
Here’s an exercise I’ve recommended to clients for years: walk your quality system as if you were the investigator. Pick a process — complaint handling, CAPA, incoming inspection, take your pick — and ask for the evidence that it’s working as designed. Follow the thread from the procedure to the records to the outputs. Where does the thread go taut or snap entirely? That’s where your attention belongs.
You don’t need to do this for every process at once. Start with the processes that carry the most risk, or the ones that have generated observations in past audits. Methodical beats comprehensive when you’re working with limited time and real-world constraints.
You’re Building Something Real
I always find §820.10 — and its ISO 13485 counterpart — quietly encouraging. The requirements aren’t asking you to build a bureaucracy. They’re asking you to build a system that actually protects patients and demonstrates that it does. Those two things, done well, are the same project. And most of the manufacturers I’ve worked with genuinely want both.
Next up: §820.15 — QMS Documentation Requirements. We’ll look at what the QMSR requires in writing, how the documentation framework compares to ISO 13485, and the practical question of how much documentation is actually enough. See you then.
This series is a plain-English walkthrough of the QMSR — written for the people who actually have to implement it.