Streamlining Medical Device Design Controls for FDA and ISO Compliance

Design controls in a new regulatory landscape

Medical device manufacturers entering 2026 face a regulatory transition of historic scale. The FDA has finalised the Quality Management System Regulation (QMSR), replacing the longstanding QSR and formally incorporating ISO 13485:2016 by reference.

Beyond a mere terminology update, this change will reshape the regulatory expectations for design and development activities in the U.S., aligning them more closely with global standards and requiring design processes that are validated, documented, and traceable from concept to commercialisation.

Though the regulation has evolved, the underlying medical device design controls (planning, inputs, outputs, verification, validation, transfer, and change management) remain essential. What has changed is how harmonised and risk-focused those processes must be.

For medical device companies, this means more clarity and alignment, but also added pressure to implement well-documented, digital-first design processes. However, teams often face challenges with version control, disconnected approval processes, and documentation chaos, making compliance more complex.

This friction is evident in real engineering teams, where the pressure to deliver products on time, remove silos, and prevent knowledge loss during scale-up is intense, yet documentation processes often slow progress. At the same time, QA teams must secure ISO and FDA approvals while managing consistent, compliant workflows across the company.

Digitised, well-structured design controls solve both problems.

How FDA’s QMSR changes design control expectations 

Historically, U.S. manufacturers used the FDA’s 21 CFR 820 for design controls, while the rest of the world followed ISO 13485. QMSR removes that divergence. The FDA now incorporates ISO 13485:2016 by reference, while preserving certain key FDA-specific requirements (e.g., records, traceability, labelling controls).

What this means for design controls

1. The structure of ISO 13485’s design and development process becomes the U.S. baseline.
2. Documentation expectations increase, especially around risk management integration (ISO 14971 alignment).
3. The DHF/DMR/DHR model remains, but clarity improves due to harmonisation.
4. Manufacturers must ensure their QMS is validated and software-supported, as required under both ISO 13485 and QMSR.

Design controls should actively prevent you from amplifying omissions and mistakes as you specify the way you will build your device. They should help you automatically generate all the documentation that you will need for successful auditing and design transfer.

QMSR does not reduce the importance of design controls, but rather makes them more central, global, and auditable. Its alignment with ISO 13485 means that if you build a compliant process for one, you are effectively building a compliant process for both.

What are the 10 design control requirements in the FDA’s QSMR and ISO 13485?

1. Define user needs (intended use & indications for use)

All design control activities begin with a clear understanding of what the device must achieve and who it is for. “Intended use” refers to the device’s purpose, while “Indications for use” refers to the conditions it diagnoses, treats, or prevents. These must be documented, testable, and traceable across the entire development cycle. 

Mini-checklist:

• Have we defined the clinical context?
• Have we documented user groups and environments?
• Are the needs clear, measurable, verifiable, and testable?
• Are constraints (environmental, human factors, regulatory) documented?

2. Design and development planning

Plans define how the device will be developed and who is responsible for each activity. QMSR reinforces ISO’s expectation that plans must be:

• Documented
• Version-controlled
• Updated as the project evolves
• Retained for auditability

Plans should also identify review points, required outputs, and verification/validation strategies.

These plans are unique to every project and can change and update over time. However, it is essential to always make the most up-to-date version available to your team while maintaining a record of each iteration for auditing purposes.

3. Design inputs (URS requirements)

Taking the user needs, teams create User Requirement Specifications (URS) that define what the device will do and its key characteristics.

Inputs may include:

• Performance, safety, and reliability criteria
• Human factors considerations
• Environmental constraints
• Compatibility and regulatory requirements
• Labelling, packaging, and sterilisation needs

Strong design inputs are unambiguous, can be verified, and map directly to outputs. The FDA’s move to QMSR emphasises risk-based inputs; i.e. inputs must be linked to risk mitigations under ISO 14971.

4. Design outputs

Outputs translate requirements into tangible engineering reality through design drawings, schematics, specifications, software requirements/specifications, Bills of Materials (BOMs), and manufacturing instructions.

Outputs must be detailed enough to build the device exactly as intended and must be directly traceable to inputs. Trace matrices are increasingly used to demonstrate compliance.

5. Design reviews

Both ISO 13485 and the QMSR require formal, documented reviews at key milestones. Reviews provide formal checkpoints to ensure the design is on track before teams commit further resources.

Auditors expect to see:

• Defined review stages (phase gates)
• Independent reviewers
• Recorded decisions and actions
• Evidence of risk reassessment

6. Design verification

Verification answers the question “Did we design the device correctly?” It confirms through appropriate tests and procedures that you have actually designed the product according to your plans.

Common methods include:

• Inspection
• Bench testing
• Analytical modelling
• Software static analysis

Verification records must include:

• Protocols
• Results
• Deviations
• Conclusions

7. Design validation

Validation answers “Did we design the right device for the user?”, ensuring that your manufactured medical device exactly matches the user needs you identified at the outset.

It typically includes:

• Usability testing
• Simulated use studies
• Clinical evaluations (where required)

Validation must be performed on production-equivalent units, and under QMSR, validation evidence must demonstrate alignment with the intended use and risk mitigation strategies.

8. Design transfer

Teams must ensure that design outputs are fully and correctly translated into manufacturing specifications that include:

• Process documentation
• Manufacturing and assembly instructions
• Quality control requirements
• Process validation documentation

The harmonised QMSR/ISO approach places more emphasis on repeatability and reproducibility.

9. Design changes

Change control is one of the most scrutinised areas. Both ISO and the FDA require changes be controlled, documented, risk-assessed, and approved.

Your system should:

• Log every change
• Capture rationale and risk assessment
• Record Part 11-compliant approvals
• Maintain version history

For companies scaling quickly, automated audit trails with records of changes to design documentation (including details, date, time, and signatory information) can often be a struggle without digitised tools.

10. The Design History File (DHF), Device Master Record (DMR), and Device History Record (DHR)

Although QMSR incorporates ISO 13485, it retains the traditional FDA file trio:

Design History File (DHF)

The FDA says the entire history of your document control process should be compiled in a master file labelled as your Design History File. It is a complete record of the design and development process, showing that the device was built according to approved procedures.

Device Master Record (DMR)

This is the “recipe” for manufacturing the device and includes drawings, specifications, and procedures.

Device History Record (DHR)

This record serves as proof that each manufactured unit was built in accordance with the DMR.

QSMR expects higher documentation clarity because it requires coherence with ISO’s design file requirements, and risk management integration becomes more explicit.

How to digitise and automate design controls without additional overhead

Whether transitioning from the old QSR or building your first compliant QMS, digitisation is now integral to compliance. Many early-stage medical device companies attempt to manage design controls using Google Drive, Dropbox, or static folder structures, but these manual systems simply cannot manage:

• Version consistency
• Structured approvals
• Risk-linked traceability
• Audit-ready DHF completeness
• Part 11-compliant signatures

Others turn to heavy enterprise eQMS platforms, which may require a total restructuring of processes, lengthy onboarding, or mandatory document templates that exceed the project’s actual needs.

These systems can be especially problematic for teams where flexibility, speed, and clarity are critical.

Choose a lean, right-sized approach to design control management

A lean document management system (DMS) offers a more pragmatic alternative. Rather than forcing teams into predefined workflows, it supports your process, allowing compliance without unnecessary complexity.

With a lean DMS, you can:

• Predefine required inputs, outputs, reviews, and approvals
• Build phase-gated design processes with the number of stages that make sense for your project
• Group design documentation logically using “document holders”
• Ensure approvals follow the correct Part 11-compliant signature sequence
• Maintain complete, automated audit trails
• Generate the contents of your DHF progressively and automatically in real-time as you complete each phase of your design. 

In a lean DMS, your Design History File can only be approved and issued once all of the pre-defined contents have reached their required state and been approved.

Checklist: What a QMSR- and ISO-compliant design control system must support

• Documented user needs and intended use
• Version-controlled design & development plans
• Clear, testable, risk-informed design inputs
• Measurable and traceable design outputs
• Formal design reviews with recorded decisions
• Verification evidence mapping outputs to inputs
• Validation evidence mapping produced device to user needs
• Controlled design transfer into production
• Documented, risk-assessed, traceable design changes
• A complete, audit-ready Design History File automatically built over time

Conclusion

The FDA’s QMSR marks a major step toward global regulatory harmonisation, simplifying compliance for manufacturers operating in multiple markets. But harmonisation doesn’t reduce responsibility. Design controls remain central and must be digitised, documented, risk-aligned, and audit-ready.

However, the design control software that large corporations use to manage their design compliance may be unsuitable for smaller, more agile companies, who also can’t rely on Google Docs to maintain and organise complex design documents to the standards expected by the FDA and ISO.

With a lean document management system like Cognidox, you can impose the design controls that match the needs of your business, allowing you to meet and maintain ISO and FDA compliance without the complexity and rigidity of enterprise eQMS platforms.

FAQs

1. What changes for design controls under FDA’s QMSR?

QMSR incorporates ISO 13485 by reference, meaning ISO’s design and development process becomes the U.S. foundation. The DHF/DMR/DHR remain but with stronger ISO alignment and risk-based expectations.

2. What is the timeline for QMSR implementation?

The two-year transition period for manufacturers is set to conclude in February 2026. From then on, compliance will be required for FDA inspections.

3. What documents go in the Design History File (DHF)?

Typical DHF contents include plans, inputs, outputs, review records, verification and validation evidence, risk management files, and design change records.

4. How does risk management fit into QMSR design controls?

ISO 13485 and QMSR both expect risk activities (per ISO 14971) to appear throughout design planning, inputs, verification, validation, and change control.

5. What tools are best for managing design controls?

Teams typically choose between generic cloud storage, heavyweight eQMS platforms, and lean DMS tools like Cognidox. Lean systems provide the best balance of configurability, compliance, and ease of use for med-tech companies.

Blog post updated on 16/12/2025