Understanding Design Controls Under the QMSR
Design controls have always been a cornerstone of FDA medical device regulation, and the transition from the legacy Quality System Regulation (QSR) to the Quality Management System Regulation (QMSR) has introduced meaningful changes to how manufacturers must approach design and development activities. Under the QMSR, design controls are now anchored in ISO 13485:2016 Clause 7.3, with additional FDA-specific requirements that manufacturers must carefully integrate into their quality systems.
The QMSR represents a philosophical shift in how the FDA views design controls. Rather than prescribing exact procedures, the regulation now leans on the internationally harmonized framework of ISO 13485 while retaining certain FDA-specific expectations that reflect the unique regulatory landscape of the United States market. This article explores what has changed, what remains the same, and how manufacturers can ensure their design control processes meet the new requirements.
The Foundation: ISO 13485 Clause 7.3
Under the QMSR, design and development controls are primarily governed by ISO 13485:2016 Clause 7.3. This clause establishes requirements for design and development planning, inputs, outputs, review, verification, validation, transfer, and changes. For manufacturers already certified to ISO 13485, much of this framework will be familiar. However, the integration with FDA expectations adds layers of complexity that cannot be overlooked.
Design and development planning under ISO 13485 requires organizations to establish documented procedures that define the stages of design, the review activities at each stage, the responsibilities and authorities for design activities, and the methods for ensuring effective communication among different groups involved in the design process. The QMSR does not fundamentally alter these requirements but places them within the context of FDA oversight, meaning that these plans and their execution are now subject to FDA inspection in ways that align with international expectations.
FDA-Specific Additions to Design Controls
While the QMSR incorporates ISO 13485 by reference, it retains certain FDA-specific requirements that go beyond the base standard. These additions reflect decades of FDA enforcement experience and address areas where the agency has historically found quality system failures that lead to device safety issues.
One critical FDA-specific addition relates to design validation. The FDA has long required that design validation include testing under actual or simulated use conditions, and this expectation carries forward under the QMSR. Manufacturers must demonstrate that the device, as produced, meets the defined user needs and intended uses. This is not merely a documentation exercise — the FDA expects robust validation protocols that reflect real-world conditions, including worst-case scenarios where appropriate.
Another important area is design transfer. The QMSR maintains the expectation that organizations have documented procedures for transferring the device design to production. This includes ensuring that the production process is capable of consistently producing devices that meet the design specifications. Design transfer is often an area where auditors find gaps, particularly in organizations that have not formalized the handoff between R&D and manufacturing.
Risk Management Integration in Design Controls
The QMSR places greater emphasis on integrating risk management throughout the design and development process. While the legacy QSR mentioned risk analysis, the QMSR — through its alignment with ISO 13485 — requires a more systematic approach to identifying, evaluating, controlling, and monitoring risks associated with device design.
Risk management under the QMSR is not a standalone activity that happens in parallel with design. It must be woven into every stage of the design process. During design planning, organizations must identify the risk management activities that will occur at each stage. During design input, risk considerations must inform the specification of requirements. During design verification and validation, risk controls must be verified and validated alongside functional requirements.
This integration extends to post-market activities as well. The QMSR expects that feedback from post-market surveillance informs design risk management, creating a continuous loop between market experience and design improvements. Manufacturers who treat risk management as a checkbox exercise rather than a living, integrated process will find themselves exposed during FDA inspections.
Common Design Control Deficiencies
Based on years of audit experience, several common deficiencies emerge in design control implementations. Understanding these pitfalls can help manufacturers proactively address gaps before they become inspection findings.
Incomplete design inputs are among the most frequent issues. Organizations often fail to capture all relevant requirements, including regulatory requirements, applicable standards, risk management outputs, and human factors considerations. Under the QMSR, the expectation is that design inputs are comprehensive and traceable throughout the design process.
Inadequate design reviews represent another common gap. Design reviews must be systematic evaluations of design results at appropriate stages. They require participation from representatives of all functions concerned with the design stage being reviewed, as well as any specialists needed. Too often, design reviews are treated as informal discussions rather than structured evaluations with documented outcomes and action items.
Weak traceability between design inputs, outputs, verification, and validation is also a persistent challenge. The QMSR, through ISO 13485, requires that organizations maintain records that demonstrate the relationship between design inputs and design outputs, and that verification and validation activities confirm that outputs meet inputs and that the device meets user needs.
Preparing Your Design Controls for QMSR Compliance
To ensure compliance with the QMSR design control requirements, manufacturers should take several proactive steps. First, conduct a thorough gap analysis comparing your current design control procedures against both ISO 13485 Clause 7.3 and the FDA-specific additions in the QMSR. Identify any areas where your existing processes fall short and develop a remediation plan.
Second, review your design and development files for completeness. Ensure that each design project has a comprehensive design plan, complete and traceable design inputs, design outputs that can be verified against inputs, evidence of design reviews at appropriate stages, verification and validation records, design transfer documentation, and records of design changes with impact assessments.
Third, strengthen the integration of risk management into your design process. If risk management currently operates as a parallel activity, work to embed it directly into your design procedures and work instructions. Ensure that risk management outputs feed into design inputs, that risk controls are verified during design verification, and that residual risks are evaluated during design validation.
Fourth, train your design and development teams on the changes introduced by the QMSR. Many team members may be familiar with the legacy QSR requirements but not with the nuances of ISO 13485 Clause 7.3 or the FDA-specific additions. Training should cover both the regulatory requirements and your organization-specific procedures for meeting them.
The Role of Independent Audits in Design Control Compliance
Independent audits play a critical role in verifying that design control processes are not only documented but effectively implemented. An experienced independent auditor can identify gaps that internal teams may overlook due to familiarity bias, and can provide an objective assessment of your readiness for FDA inspection.
When selecting an independent auditor for design control assessment, look for auditors with specific experience in medical device design and development, familiarity with both ISO 13485 and FDA requirements, and a track record of identifying actionable findings that strengthen quality systems rather than simply generating compliance checklists.
Partner with Qualyx Group
At Qualyx Group, we specialize in independent, audit-only services for regulated industries. Our experienced auditors bring deep domain expertise, bilingual capabilities, and an unwavering commitment to objectivity. Whether you need a gap analysis, a supplier audit, or preparation for an upcoming regulatory inspection, we are here to help.
Contact Qualyx Group today to discuss how our independent audit services can strengthen your quality system and support your compliance goals.