Why Design Controls Matter Under ISO 13485
Design controls are among the most critical — and most commonly deficient — areas of the ISO 13485 quality management system. Clause 7.3 of ISO 13485:2016 establishes comprehensive requirements for the design and development of medical devices, covering planning, inputs, outputs, review, verification, validation, transfer, changes, and design and development files. For medical device manufacturers, mastering these requirements is not optional; it is essential for both regulatory compliance and patient safety.
Design controls exist because experience has shown that uncontrolled design processes lead to devices that fail to meet user needs, contain safety hazards that could have been identified and mitigated during development, and are difficult or impossible to manufacture consistently. By implementing robust design controls, manufacturers reduce the risk of design-related failures, ensure that devices meet their intended purpose, and create a documented foundation for production, quality control, and post-market activities.
Design and Development Planning (Clause 7.3.2)
Every design project must begin with a plan. ISO 13485 requires organizations to plan and control the design and development of the device. The plan must describe the design and development stages, the review activities needed at each stage, verification and validation activities appropriate to each stage, the responsibilities and authorities for design and development, methods to ensure traceability of design outputs to design inputs, and the resources needed, including the competence of personnel.
Design planning is not a one-time activity. The plan must be updated as the design evolves, reflecting changes in scope, timeline, resources, or approach. This is a critical point that many organizations miss — they create a design plan at the outset and never revisit it, even as the project changes significantly from its original conception.
Effective design planning also requires clear definition of design stages and decision gates. Each stage should have defined entry and exit criteria, and progression from one stage to the next should require formal review and approval. This structured approach prevents premature advancement of designs that have not been adequately evaluated.
Design Inputs (Clause 7.3.3)
Design inputs are the requirements that define what the device must do and how it must perform. ISO 13485 requires that design inputs include functional, performance, and safety requirements, applicable regulatory requirements and standards, applicable outputs of risk management, and other requirements essential for design and development. Design inputs must be reviewed for adequacy and approved, and incomplete, ambiguous, or conflicting requirements must be resolved.
A common deficiency is the failure to capture all relevant design inputs. Organizations frequently focus on functional requirements while overlooking usability requirements, environmental requirements, interface requirements, regulatory requirements, and risk management outputs. Comprehensive design inputs form the foundation for everything that follows, so gaps at this stage propagate through the entire design process.
Design Outputs and Verification (Clauses 7.3.4 and 7.3.5)
Design outputs are the results of the design process at each stage. They must be in a form suitable for verification against design inputs and must be approved prior to release. Design outputs include product specifications, manufacturing specifications, quality acceptance criteria, and identification of essential design output characteristics for safe and proper functioning of the device.
Design verification is the process of confirming, through examination and provision of objective evidence, that design outputs meet design input requirements. Verification may include tests, inspections, analyses, comparisons with similar designs, or demonstrations. The key is that verification activities must be planned, executed, and documented with sufficient rigor to demonstrate that each design output meets its corresponding design input.
Design Validation (Clause 7.3.6)
While verification confirms that outputs meet inputs, validation confirms that the resulting device meets user needs and intended uses. Validation must be performed on representative product under defined operating conditions, including actual or simulated use conditions. Validation must include software validation and risk analysis where applicable.
Design validation is often the most challenging aspect of design controls because it requires thinking beyond specifications and test results to evaluate whether the device actually works for its intended users in its intended environment. This may require clinical evaluations, usability studies, simulated use testing, or other methods that assess real-world performance.
Design Transfer (Clause 7.3.8)
Design transfer is the process of translating the device design into production specifications. ISO 13485 requires that organizations document procedures for the transfer of design outputs to manufacturing. The goal is to ensure that the production process can consistently produce devices that meet the design specifications.
Design transfer should include verification that production processes are capable and validated, that quality control methods are adequate to detect nonconformances, that production personnel are trained, and that all necessary production documentation is complete and approved. A well-executed design transfer is the bridge between successful development and reliable manufacturing.
Design Changes (Clause 7.3.9)
Design changes must be identified, documented, reviewed, verified, validated as appropriate, and approved before implementation. The review of design changes must include evaluation of the effect of the changes on constituent parts and devices already delivered, as well as inputs or outputs of risk management and product realization processes.
Organizations must maintain records of design changes, including the rationale for the change, the evaluation of its impact, and the verification and validation activities performed. Change control is an area where discipline is essential — uncontrolled changes can introduce safety hazards, compromise device performance, and create regulatory compliance issues.
The Design and Development File (Clause 7.3.10)
ISO 13485 requires organizations to maintain a design and development file for each medical device type or family. This file must contain or reference records generated during design and development to demonstrate compliance with the requirements for design and development and any records for design changes. The design file serves as the comprehensive record of the design process and its outcomes, and it must be maintained throughout the lifecycle of the device.
Partner with Qualyx Group
At Qualyx Group, we specialize in independent, audit-only services for regulated industries. Our experienced auditors bring deep domain expertise, bilingual capabilities, and an unwavering commitment to objectivity. Whether you need a gap analysis, a supplier audit, or preparation for an upcoming regulatory inspection, we are here to help.
Contact Qualyx Group today to discuss how our independent audit services can strengthen your quality system and support your compliance goals.