Nothing directly carries over from Part 820. §820.80 governed receiving of the manufacturer's own incoming components; §820.60 and §820.65 addressed manufacturer-controlled traceability. None of these addressed customer-supplied property in the manufacturer's custody. Organizations with ISO 9001 heritage will recognize §7.5.10 as the adapted customer-property clause.
§7.5.10 is a net-new requirement for QMSR-transitioning organizations. It creates four distinct custody obligations — identify, verify, protect, safeguard — plus mandatory customer notification and quality-record documentation when customer property is lost, damaged, or found unsuitable for use. The verification step at receipt and the notification obligation have no Part 820 analog.
Auditors will first determine whether customer property is received. If so, they will request the procedure and customer property log, examine physical storage for distinctive labeling and segregation, and check for records of any loss or damage events with corresponding customer notifications. Contract manufacturers and OEM suppliers are at highest risk for §7.5.10 findings given no legacy-practice defense exists.
Maps to
QMSR / ISO 13485: §no equivalent
ISO 13485: §7.5.10 Customer property
Requirement text
The organization shall identify, verify, protect, and safeguard customer property provided for use or incorporation into the product while it is under the organization's control or being used by the organization. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.5).
Why this clause exists
Customer property in the medical device context includes a range of materials provided by the customer for use in or with the device under production: customer-supplied components or subassemblies to be incorporated into finished devices, customer-owned molds or tooling used in manufacturing, samples or specimens provided for testing, and in service contexts, devices returned by customers for repair. When customer property is in the organization's custody, the customer retains ownership but the organization assumes a duty of care — to handle, store, protect, and account for the property as it would its own.
The four-obligation structure of §7.5.10 — identify, verify, protect, safeguard — is designed to prevent failures at each stage of custody. Identification prevents loss and mixup in receiving and storage. Verification confirms that the customer property received is in acceptable condition and matches what was expected before it is used in production. Protection and safeguarding cover the ongoing custody obligations during storage and use. The notification and record-keeping obligations for lost, damaged, or unsuitable customer property protect the customer's interests and the organization's accountability: the customer must be told what happened to their property, and the event must be documented as a quality record.
This requirement has no direct Part 820 equivalent. Part 820 was focused on the manufacturer's own materials and processes; the scenario of customer-supplied property incorporated into or used in the manufacture of devices was not explicitly addressed. ISO 13485 §7.5.10 is therefore a net-new obligation for organizations transitioning from a Part 820 only framework under QMSR.
What changed
No equivalent — Part 820 (legacy)
"Part 820 contained no direct equivalent to ISO 13485 §7.5.10. Requirements for customer-supplied property held in the manufacturer's custody were not addressed in the QSR framework."
§7.5.10 — ISO 13485:2016 (current)
"The organization shall identify, verify, protect, and safeguard customer property provided for use or incorporation into the product while it is under the organization's control or being used by the organization. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.5)."
Common gaps (what we see in audits)
- No Documented Customer Property Procedure — The organization receives customer-supplied components or tooling but has no documented procedure for identifying, verifying, protecting, and safeguarding customer property, and no defined process for notifying customers of loss or damage. ISO 13485 §7.5.10 requires a managed process; informal handling does not satisfy the requirement.
- Customer Property Not Identified or Segregated from Organization Stock — Customer-supplied materials or components are received and stored without distinctive labeling or dedicated storage areas, creating mixup risk with the organization's own stock. ISO 13485 §7.5.10 requires that customer property be identified while under the organization's control.
- No Customer Notification Process for Lost, Damaged, or Unsuitable Property — The organization has no defined process for notifying customers when customer property is lost, damaged, or found to be unsuitable for use. Events may be handled ad hoc without documentation. ISO 13485 §7.5.10 requires both notification to the customer and maintenance of records.