FDA Medical Device

21 CFR Part 820 (Quality System Regulation) and 21 CFR Part 807 (Establishment Registration)

Legally Required Featured Framework

Federal regulations requiring medical device manufacturers to establish Quality Management Systems, implement design controls, and register with FDA.

Executive Summary

21 CFR Part 820 requires Quality Management Systems with design controls and CAPA. 21 CFR Part 807 requires annual establishment registration and premarket submissions (510(k), PMA).

Comprehensive Documentation

FDA Medical Device Regulations - Comprehensive Compliance Guide

Overview

The U.S. Food and Drug Administration (FDA) regulates medical devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act) and its amendments. Medical device regulation in the United States is among the most comprehensive in the world, designed to ensure that medical devices are safe and effective for their intended use while promoting innovation in medical technology.

Massachusetts is a global leader in medical device innovation, home to hundreds of medical device companies ranging from startups to major manufacturers. The state's medical device industry includes companies developing cardiovascular devices, surgical instruments, diagnostic equipment, implantable devices, and digital health technologies. Understanding and complying with FDA medical device regulations is essential for Massachusetts companies bringing medical devices to market.

What is a Medical Device?

FDA Definition (FD&C Act Section 201(h)):

A medical device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory, which is:

  1. Recognized in official compendia (USP, NF), OR

  2. Intended for use in diagnosis, cure, mitigation, treatment, or prevention of disease in man or other animals, OR

  3. Intended to affect the structure or function of the body of man or other animals, AND

  4. Does not achieve its primary intended purposes through chemical action within or on the body (distinguishes from drugs)


Examples:
  • Simple devices: Tongue depressors, bandages, examination gloves

  • Complex devices: Pacemakers, artificial joints, surgical robots, MRI machines

  • In vitro diagnostics: Blood glucose meters, COVID-19 tests, genetic tests

  • Digital health: Mobile medical apps, software as a medical device (SaMD)


What's NOT a Medical Device:
  • Drugs and biologics (different regulatory pathway)

  • Cosmetics

  • General wellness products that don't make medical claims

  • Consumer electronics without medical claims


Device Classification System

The FDA classifies medical devices into three classes based on risk and regulatory control needed to assure safety and effectiveness:

Class I Devices - Low Risk (General Controls)

Characteristics:

  • Pose minimal potential for harm to user

  • Simple design

  • Well-understood technology

  • Low risk of illness or injury


Examples:
  • Elastic bandages

  • Examination gloves

  • Hand-held surgical instruments

  • Tongue depressors

  • Mercury thermometers


Regulatory Requirements:
  • General controls (good manufacturing practices, labeling, reporting)

  • Many are exempt from 510(k) premarket notification

  • Registration and listing required

  • Quality System Regulation (QSR) applies (with some exemptions)

  • Medical Device Reporting (MDR)

  • Labeling requirements


Time to Market:
  • If exempt from 510(k): weeks to months after registration

  • If 510(k) required: 3-12 months typically


Class II Devices - Moderate Risk (Special Controls)

Characteristics:

  • Pose moderate risk to user

  • General controls insufficient to assure safety and effectiveness

  • Require additional assurance through special controls


Examples:
  • Powered wheelchairs

  • Infusion pumps

  • Surgical drapes

  • Blood pressure cuffs

  • Pregnancy test kits

  • Many Software as Medical Device (SaMD) applications


Regulatory Requirements:
  • General controls PLUS special controls

  • Most require 510(k) premarket notification

  • Demonstrate substantial equivalence to predicate device

  • Performance standards (when they exist)

  • Postmarket surveillance for certain devices

  • Patient registries for certain devices

  • Special labeling requirements

  • Quality System Regulation (QSR/21 CFR Part 820)


Special Controls May Include:
  • Performance standards

  • Postmarket surveillance

  • Patient registries

  • Development and dissemination of guidance documents

  • Recommendations and other actions


Time to Market:
  • 510(k) pathway: 3-12 months typically (90 days FDA review + response time)

  • May require clinical data depending on device and predicate


Class III Devices - High Risk (Premarket Approval)

Characteristics:

  • Sustain or support life

  • Prevent impairment of human health

  • Present potential unreasonable risk of illness or injury

  • Novel devices with no predicate (insufficient information to determine Class I or II appropriate)


Examples:
  • Implantable pacemakers

  • Heart valves

  • Implanted cerebellar stimulators

  • HIV diagnostic tests

  • Automated external defibrillators (AEDs)

  • Drug-eluting stents


Regulatory Requirements:
  • Premarket Approval (PMA) - most stringent regulatory pathway

  • General and special controls

  • Extensive clinical data typically required

  • Manufacturing and facility inspections

  • Rigorous FDA review process

  • Quality System Regulation (21 CFR Part 820)

  • Post-approval studies often required

  • Supplements required for design changes


Time to Market:
  • PMA pathway: 1-3 years minimum (180-day FDA review, but usually longer)

  • Extensive clinical trials often required before PMA submission

  • Total development time can be 5-10 years


Premarket Pathways to Market

510(k) Premarket Notification

When Required:

  • Class II devices (most)

  • Some Class I devices

  • New intended use for existing device

  • Significant modification to existing device


Process:
  1. Determine if 510(k) required (check FDA database, guidance documents)

  2. Identify predicate device(s) - legally marketed device with same intended use

  3. Demonstrate substantial equivalence:

- Same intended use as predicate
- Same technological characteristics OR
- Different technological characteristics but:
  - Does not raise new questions of safety/effectiveness
  - Demonstrates equivalence through performance data
  4. Prepare and submit 510(k)

  5. FDA review - 90 days (may issue additional information request)

  6. Receive clearance letter


Types of 510(k)s:
  • Traditional 510(k): Most common, comprehensive comparison to predicate

  • Special 510(k): For design changes to manufacturer's own device, declaration of conformity to design controls

  • Abbreviated 510(k): Uses FDA guidance documents or consensus standards


Substantial Equivalence Criteria:
  • Intended use

  • Technological characteristics (materials, design, energy source, etc.)

  • Performance characteristics

  • Safety profile

  • Effectiveness


Common Reasons for FDA Questions:
  • Inadequate predicate comparison

  • Insufficient performance data

  • Biocompatibility concerns

  • Software validation issues

  • Unclear labeling or intended use


Premarket Approval (PMA)

When Required:

  • Class III devices

  • Devices that pose highest risk

  • Insufficient information exists to establish special controls


Process:
  1. Pre-submission meeting with FDA (highly recommended)

  2. Conduct clinical trials:

- Investigational Device Exemption (IDE) typically required
- Significant Risk (SR) devices require FDA IDE approval
- Non-Significant Risk (NSR) devices require IRB approval
- Good Clinical Practice (GCP) compliance
  3. Prepare PMA application (highly detailed, extensive documentation)

  4. Submit PMA to FDA

  5. FDA review:

- Administrative review (45 days)
- Scientific/regulatory review (180 days, often extended)
- May convene advisory committee panel
- Site inspection of manufacturing facility
  6. FDA decision:

- Approval
- Approvable (minor deficiencies to address)
- Not approvable (major deficiencies)
- Denial

PMA Contents:

  • Complete device description

  • Manufacturing information

  • Preclinical test results (bench, animal)

  • Clinical trial protocols, data, and analysis

  • Proposed labeling

  • Bibliography

  • Financial disclosure

  • Environmental assessment (if applicable)


Post-Approval Requirements:
  • PMA supplements for changes (30-day, 135-day, or real-time supplements)

  • Post-approval studies common

  • Annual reports

  • MDR reporting

  • QSR compliance


De Novo Classification

When Applicable:

  • Novel device with no predicate

  • Low to moderate risk

  • Automatically defaults to Class III without substantial equivalence pathway


Process:
  1. Submit De Novo request with risk analysis and proposed special controls

  2. FDA review (120-day goal, often longer)

  3. If granted:

- Device classified as Class I or II
- Becomes a predicate for future 510(k)s
- Avoid PMA pathway for appropriate low-moderate risk devices

Advantages:

  • Avoids PMA for appropriate devices

  • Creates new device type and predicate

  • Faster and less expensive than PMA


De Novo Success Factors:
  • Strong risk analysis

  • Appropriate proposed special controls

  • Performance data supporting safety and effectiveness

  • Clear benefit-risk profile


Humanitarian Device Exemption (HDE)

When Applicable:

  • Devices for rare diseases/conditions (<8,000 patients/year in U.S.)

  • Benefit outweighs risk

  • No comparable alternative exists


Key Points:
  • No demonstration of effectiveness required (only safety)

  • IRB approval required for each use

  • Cannot be sold for profit unless pediatric use

  • Annual distribution number reporting


Investigational Device Exemption (IDE)

Purpose:

  • Allow unapproved devices to be used in clinical studies

  • Gather safety and effectiveness data for FDA submission


Types:
  • Significant Risk (SR) IDE:

- FDA approval required before study begins
- Presents potential serious risk
- Examples: implants, life-sustaining devices
  • Non-Significant Risk (NSR) IDE:

- IRB approval sufficient
- FDA approval not required
- Sponsor determines NSR status (FDA can disagree)

Requirements:

  • IRB approval at each clinical site

  • Informed consent

  • Monitoring and reporting

  • Labeling: "CAUTION - Investigational device. Limited by Federal law to investigational use."


Quality System Regulation (QSR) - 21 CFR Part 820

Applicability:
All finished device manufacturers (with limited Class I exemptions)

Core Requirements:

Management Controls


  • Quality policy and objectives

  • Management responsibility

  • Management review

  • Quality planning

  • Quality system procedures


Design Controls (Critical for Most Devices)


  • Design and development planning

  • Design input (user needs, intended use, regulatory requirements)

  • Design output (specifications, drawings)

  • Design review (multidisciplinary reviews at stages)

  • Design verification (does it meet design outputs?)

  • Design validation (does it meet user needs?)

  • Design transfer (to manufacturing)

  • Design changes (change control)

  • Design history file (DHF)


Common Design Control Deficiencies:
  • Inadequate design validation (real-world use testing)

  • Incomplete design inputs

  • Lack of risk management integration

  • Poor design change control

  • Inadequate design review documentation


Document and Change Controls


  • Document approval and distribution

  • Change control procedures

  • Obsolete document removal


Purchasing Controls


  • Supplier evaluation and monitoring

  • Purchasing data specifications

  • Receiving inspection


Production and Process Controls


  • Process validation

  • Process monitoring and control

  • Environmental controls

  • Personnel qualifications and training

  • Contamination control

  • Equipment maintenance and calibration


Acceptance Activities


  • Incoming inspection and testing

  • In-process acceptance activities

  • Final acceptance activities

  • Acceptance status identification


Nonconforming Product


  • Identification and segregation

  • Review and disposition

  • Rework procedures


Corrective and Preventive Action (CAPA)


  • Problem identification

  • Investigation of cause

  • Actions to eliminate cause

  • Verification of effectiveness

  • Documentation


CAPA Common Issues:
  • Superficial root cause analysis

  • Ineffective corrective actions

  • Lack of verification

  • Trend analysis deficiencies


Labeling and Packaging Control


  • Label integrity and accuracy

  • Packaging validation

  • Device identification


Handling, Storage, Distribution


  • Procedures to prevent mix-ups

  • Storage conditions

  • Distribution records


Installation and Servicing


  • Installation procedures and verification (when applicable)

  • Service procedures and records

  • Service reports


Records and Documentation


  • Device Master Record (DMR)

  • Device History Record (DHR)

  • Quality System Record (QSR)

  • Complaint files

  • Record retention requirements


Medical Device Reporting (MDR) - 21 CFR Part 803

Who Must Report:

  • Device manufacturers

  • Importers

  • User facilities (hospitals, nursing homes, etc.)


What Must Be Reported:

Manufacturers/Importers:

  • Deaths

  • Serious injuries

  • Malfunctions that would likely cause death or serious injury if malfunction recurred


User Facilities:
  • Deaths (to FDA and manufacturer)

  • Serious injuries (to manufacturer only)


Reporting Timelines:
  • Death: 30 days (5-day alert for unexpected death)

  • Serious injury: 30 days

  • Malfunction: 30 days

  • 5-Day Reports: Remedial action to prevent unreasonable risk


MDR Process:
  1. Become aware of reportable event

  2. Evaluate (death, serious injury, malfunction?)

  3. Investigate

  4. Prepare report

  5. Submit via FDA portal

  6. Follow up as needed


Common MDR Deficiencies:
  • Failure to identify reportable events

  • Late reporting

  • Inadequate investigation

  • Incomplete reports

  • Failure to evaluate complaints for MDR


Labeling Requirements - 21 CFR Part 801

Key Components:

Device Labeling Must Include:

  • Manufacturer name and address

  • Device identifier (brand/trade name)

  • Adequate directions for use (unless exempt)

  • Warnings, cautions, contraindications

  • Single-use indicator (if applicable)

  • Sterilization status (if applicable)

  • Prescription vs. over-the-counter designation

  • Unique Device Identifier (UDI) - required for most devices


Prescription Device Labeling (21 CFR 801.109):
  • "Rx only" or "Caution: Federal law restricts this device to sale by or on the order of a [physician/practitioner]"

  • Adequate information for use by trained professionals


OTC Device Labeling:
  • Must include adequate directions for lay user

  • Drug Facts format for some OTC devices

  • Clear, conspicuous, easy to read


UDI Requirements:
  • Unique Device Identifier system phased in 2013-2020

  • Class III: September 2014

  • Class II: September 2016

  • Class I: September 2018 (some exemptions)

  • Direct marking for reusable devices

  • GUDID database submission


Registration and Listing - 21 CFR Part 807

Requirements:

  • All device manufacturers, repackagers, relabelers, initial importers

  • Register establishment with FDA

  • List devices commercially distributed

  • Update annually (October 1 - December 31)

  • Update within 30 days of changes


Process:
  1. Obtain DUNS number

  2. Register via FDA Unified Registration and Listing System (FURLS)

  3. Pay registration fee (annual, October - December)

  4. Obtain Official Establishment Identifier (OEI)

  5. List devices with device listing numbers


Registration Fees:
  • Annual fee (currently ~$6,875, adjusted annually)

  • Small business exemptions may apply

  • Foreign establishments must designate U.S. agent


Post-Market Surveillance and Requirements

Recalls

Recall Classifications:

  • Class I: Reasonable probability of serious adverse health consequences or death

  • Class II: Low probability of serious adverse health consequences

  • Class III: Not likely to cause adverse health consequences


Recall Process:
  • Voluntary (initiated by manufacturer) or FDA-requested

  • Recall strategy approved by FDA

  • Health hazard evaluation

  • Public notification (if necessary)

  • Effectiveness checks

  • Termination when completed


Tracking - 21 CFR Part 821


Devices Subject to Tracking:
  • Failure would be reasonably likely to have serious adverse health consequences

  • Intended for implantation >1 year

  • Life-sustaining or life-supporting device for home use


Examples: Pacemakers, defibrillators, heart valves, some orthopedic implants

Requirements:

  • Track devices from manufacturer to patient

  • Maintain records 10 years past device life expectancy

  • Patient/physician tracking system


Post-Market Surveillance Studies - 21 CFR Part 822


When Ordered by FDA:
  • Failure would be reasonably likely to have serious adverse health consequences

  • Device expected to have significant use in pediatric populations

  • Implant, life-supporting, life-sustaining device


Study Design:
  • FDA specifies objectives

  • Manufacturer designs study

  • Submit protocol for FDA approval

  • Specified duration (up to 36 months typically)


Unique Device Identification (UDI) System

Components of UDI:

  • Device Identifier (DI): Specific version/model

  • Production Identifier (PI): Lot/batch, serial number, expiration date, manufacturing date


Implementation:
  • Required on device label and package

  • Required in Global Unique Device Identification Database (GUDID)

  • Class III: 2014

  • Class II: 2016

  • Class I: 2018 (with exemptions)

  • Direct marking for reusable devices (by class-specific dates)


FDA-Accredited Issuing Agencies:
  • GS1

  • HIBCC

  • ICCBBA


Benefits:
  • Better patient safety

  • Improved recalls

  • Enhanced postmarket surveillance

  • Better supply chain management

  • Reduced medical errors


Software as a Medical Device (SaMD)

Definition:
Software intended to be used for medical purposes that performs these purposes without being part of a hardware medical device.

Examples:

  • Software that analyzes medical images for diagnosis

  • Software that calculates drug dosages

  • Mobile apps that monitor chronic conditions

  • Clinical decision support software


FDA Guidance:
  • Risk-based approach

  • IMDRF SaMD framework adopted

  • Level of concern: minor, moderate, major

  • Intended use and environment critical


Regulatory Considerations:
  • May be Class I, II, or III depending on risk

  • Some clinical decision support exempt (2016 Cures Act)

  • Cybersecurity critical

  • Validation and verification required

  • Updates and patches management


Predetermined Change Control Plans:
  • New FDA approach for SaMD updates

  • Allows certain changes without new submission

  • Requires robust QMS

  • Annual reporting


Cybersecurity for Medical Devices

Premarket Considerations:

  • Cybersecurity in design (security by design)

  • Risk assessment and management

  • Secure software development

  • Bill of Materials (BOM) including third-party components


Postmarket:
  • Continuous monitoring for vulnerabilities

  • Patch management

  • MedWatch reporting for cybersecurity incidents

  • Coordinated Vulnerability Disclosure (CVD)

  • Information sharing (ICS-CERT Medical Device Advisory)


FDA Guidance:
  • Premarket guidance (2014, updated 2018)

  • Postmarket guidance (2016)

  • Legacy devices considerations

  • Software Bill of Materials (SBOM) expectations


Clinical Trials and Studies

When Clinical Data Required:

  • Most Class III devices (PMA)

  • Some Class II devices (new technology, insufficient predicate data)

  • Significant modifications with new questions of safety/effectiveness


Study Designs:
  • Randomized controlled trials (RCTs)

  • Single-arm studies

  • Registry studies

  • Real-world evidence (emerging)


FDA Acceptance:
  • Good Clinical Practice (GCP) compliance

  • IRB approval

  • Informed consent

  • IDE compliance

  • Statistical rigor

  • Appropriate endpoints

  • Risk mitigation


Third-Party Review Program

510(k) Third-Party Review:

  • Accredited third parties can review certain Class I and II devices

  • Manufacturer option (not required)

  • FDA oversight of third-party reviewers

  • FDA final decision authority

  • May reduce review time


Devices Eligible:
  • Class I, II devices FDA determines appropriate

  • Excludes novel technologies, high risk


Breakthrough Devices Program

Purpose:

  • Expedite development and review of devices for life-threatening or irreversibly debilitating diseases

  • Devices offering significant advantages over existing alternatives


Benefits:
  • Priority FDA review

  • Interactive communication with FDA

  • Senior management engagement

  • Manufacturing development assistance

  • Data development guidance


Process:
  1. Determine eligibility

  2. Submit breakthrough designation request

  3. FDA decision (60 days)

  4. If granted: enhanced FDA interaction throughout development


Massachusetts Medical Device Industry Considerations

Regulatory Expertise:

  • Concentration of regulatory consultants

  • Regulatory affairs professionals

  • Close to FDA (proximity for meetings)


Clinical Research Infrastructure:
  • World-class medical centers for trials

  • Academic medical center partnerships

  • Patient populations for rare diseases


Manufacturing:
  • Contract manufacturers (CMOs)

  • In-house manufacturing

  • QSR compliance expectations high


Workforce:
  • Skilled regulatory affairs professionals

  • Quality and compliance experts

  • Clinical research associates

  • Biostatisticians


Funding and Investment:
  • Venture capital for medtech

  • Understanding the regulatory pathway is critical for funding

  • FDA clearance/approval milestones


Common Compliance Challenges

Challenge 1: Classification Determination
Solution:

  • Use FDA databases (510(k), PMA, De Novo)

  • Review FDA guidance documents

  • Consult with FDA via pre-submission

  • Engage regulatory consultant if uncertain


Challenge 2: Finding Appropriate Predicate
Solution:
  • Search 510(k) database thoroughly

  • Compare intended use carefully

  • Consider multiple predicates

  • If no predicate: consider De Novo pathway


Challenge 3: Design Controls Implementation
Solution:
  • Implement robust QMS

  • Train staff on design control requirements

  • Use risk management (ISO 14971)

  • Document thoroughly

  • Conduct design reviews with multidisciplinary teams


Challenge 4: Managing Post-Market Requirements
Solution:
  • Implement complaint handling system

  • MDR evaluation procedures

  • CAPA system

  • Regulatory intelligence monitoring

  • Annual training


Best Practices for Massachusetts Medical Device Companies

  1. Engage FDA Early:

- Pre-submission meetings
- Q-Submission program
- Clarify regulatory pathway

  2. Implement Robust QMS:

- QSR compliance from day one
- Design controls critical
- CAPA system that actually works
- Document everything

  3. Risk Management:

- ISO 14971 framework
- Integrate with design controls
- Update throughout product lifecycle
- Document risk-benefit analysis

  4. Clinical Strategy:

- Determine clinical data needs early
- Plan clinical studies strategically
- Consider real-world evidence
- Partner with academic medical centers

  5. Regulatory Intelligence:

- Monitor FDA guidance documents
- Track enforcement actions
- Industry association membership (AdvaMed, MassMedic)
- Understand changing landscape

  6. Cross-Functional Collaboration:

- Regulatory, quality, R&D, clinical work together
- Quality not just QA department's job
- Regulatory input in design phase

  7. Cybersecurity:

- Build in from design
- Post-market monitoring and patching
- Vulnerability disclosure process
- SBOM maintenance

  8. Documentation Culture:

- If it's not documented, it didn't happen
- Templates and SOPs
- Training on documentation requirements
- Document contemporaneously

Resources

FDA Resources:

  • FDA.gov/MedicalDevices

  • Device databases (510(k), PMA, recalls)

  • Guidance documents

  • CDRH Learn courses

  • FDA webinars


Standards Organizations:
  • AAMI (Association for the Advancement of Medical Instrumentation)

  • ASTM International

  • IEC (International Electrotechnical Commission)

  • ISO (International Organization for Standardization)


Industry Associations:
  • AdvaMed (Advanced Medical Technology Association)

  • MassMedic (Massachusetts Medical Device Industry Council)

  • MDMA (Medical Device Manufacturers Association)


Regulatory Information:
  • Regulatory Affairs Professionals Society (RAPS)

  • FDA News (Federal Register, FDA.gov)


Key Takeaways

  1. Device classification drives regulatory pathway - understand your device's risk profile

  2. 510(k) requires substantial equivalence to a legally marketed predicate device

  3. PMA is the most rigorous pathway - extensive clinical data typically required

  4. Quality System Regulation applies to all manufacturers - implement early

  5. Design controls are critical and frequently cited in FDA inspections

  6. Post-market requirements are substantial - MDR, recalls, tracking, surveillance

  7. Clinical data requirements depend on device class, novelty, and predicate data

  8. Software devices have unique considerations - cybersecurity, updates, validation

  9. FDA engagement is beneficial - pre-submissions, meetings, guidance

  10. Massachusetts has strong infrastructure to support medical device compliance


Compliance Checklist

  • [ ] Device classification determined

  • [ ] Predicate device identified (510(k)) or clinical plan developed (PMA)

  • [ ] QMS implemented and documented

  • [ ] Design controls in place

  • [ ] Risk management process (ISO 14971)

  • [ ] Establishment registered with FDA

  • [ ] Devices listed

  • [ ] Labeling compliant (including UDI)

  • [ ] MDR procedures established

  • [ ] Complaint handling system

  • [ ] CAPA system

  • [ ] Supplier controls

  • [ ] Design history file maintained

  • [ ] Device master record

  • [ ] Device history records for each production unit

  • [ ] Cybersecurity assessment (if applicable)

  • [ ] Clinical data sufficient for intended pathway

  • [ ] Regulatory strategy documented

  • [ ] Post-market surveillance plan (if required)

Applicable Industries

Medical Device Manufacturers
Contract Manufacturers

Company Size

All medical device manufacturers

Effective Date

10/7/1996

Penalties for Non-Compliance

Warning Letters; Consent Decrees; Product Seizure; Civil/criminal penalties

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

Medical Device Manufacturers
Contract Manufacturers