Design Control Compliance
Design control compliance refers to the structured set of regulatory requirements that govern how products are designed, documented, verified, and validated before and after they enter production. This page covers the applicable regulatory frameworks, the mechanisms that satisfy those requirements, the most common compliance scenarios across regulated industries, and the decision points that determine which controls apply to a given product or process. For manufacturers in medical devices, aerospace, defense, and pharmaceutical equipment, failure to maintain compliant design controls is one of the leading causes of FDA warning letters and product recalls.
Definition and scope
Design control compliance is defined by the requirement that design and development activities follow a documented, reviewable, and traceable process from concept through product release and post-market change. The foundational US regulatory reference is 21 CFR Part 820, Subpart C, the FDA's Quality System Regulation (QSR) for medical devices, which specifies that manufacturers must establish and maintain procedures to control the design of the device. The FDA's 2023 transition to alignment with ISO 13485:2016 under the updated Quality Management System Regulation (QMSR) at 21 CFR Part 820 further harmonized US requirements with the international standard.
Scope is determined by product type and intended use. Under 21 CFR Part 820.30, design controls apply to Class II and Class III medical devices and to Class I devices that are automated with software. Design controls do not automatically apply to every manufactured good — a commodity component with no specific performance claim falls outside this regulatory perimeter. For non-medical-device industries, analogous requirements appear in AS9100 Rev D for aerospace and defense and in ISO 9001:2015 Section 8.3 for general manufacturing, both of which mandate documented design and development planning.
Understanding the QC regulatory framework in the US clarifies which federal agencies hold jurisdiction over design controls for a given product category.
How it works
Design control compliance operates through a phased development process, each phase producing documented outputs that serve as inputs for the next. The FDA-recognized framework under 21 CFR Part 820.30 structures this in the following discrete steps:
- Design planning — Establish a written plan identifying design activities, responsibilities, interfaces, and review milestones.
- Design input — Translate user needs and intended use into documented, measurable design requirements.
- Design output — Produce the complete set of specifications, drawings, and procedures that define the finished device.
- Design review — Conduct formal, documented reviews at defined stages using personnel who do not have direct responsibility for the design being reviewed.
- Design verification — Confirm through objective evidence (testing, analysis, inspection) that design outputs meet design inputs.
- Design validation — Establish through objective evidence that the device, as manufactured, meets defined user needs and intended uses under actual or simulated conditions.
- Design transfer — Translate the final design into production specifications in a controlled manner to ensure reproducible manufacturing.
- Design changes — Evaluate, document, review, and approve any change before implementation, assessing whether re-verification or re-validation is required.
The distinction between verification and validation is a critical compliance boundary. Verification answers the question "Was the device built right?" using engineering tests against specifications. Validation answers "Was the right device built?" using clinical, use-environment, or usability data against user needs. Conflating these two stages is a common FDA 483 observation.
This phased approach connects directly to the broader process framework for compliance applied across quality management systems.
Common scenarios
Medical device manufacturers face the most prescriptive design control requirements. A Class II orthopedic implant manufacturer must maintain a Design History File (DHF) containing all design controls documentation. The DHF is distinct from the Device Master Record (DMR), which contains the production specifications, and the Device History Record (DHR), which contains production records for each manufactured unit — all three are separate required documents under 21 CFR Part 820.
Software-enabled products require design controls even when the physical device is simple. FDA guidance "Design Considerations for Pivotal Clinical Investigations" and the FDA Guidance on Software as a Medical Device (SaMD) clarify that software development must follow a documented software development lifecycle integrated with design controls.
Combination products — those involving both a drug and a device component — trigger requirements from both 21 CFR Part 820 (device) and 21 CFR Parts 210/211 (pharmaceutical current Good Manufacturing Practice), requiring coordination between good manufacturing practice compliance requirements and device design controls.
Post-market design changes represent a distinct scenario. A change to a labeling specification, a material substitution, or a firmware update each requires a formal design change record assessing whether the change necessitates a 510(k) submission or PMA supplement before US distribution can continue.
Decision boundaries
The central decision in design control compliance is determining whether a specific product or change triggers the full design control process, a subset of it, or none at all.
| Condition | Design Control Requirement |
|---|---|
| Class II or III medical device | Full 21 CFR Part 820.30 compliance required |
| Class I automated/software device | Full 21 CFR Part 820.30 compliance required |
| Class I exempt device | Design controls not required under 21 CFR Part 820.30 |
| Aerospace product under AS9100 Rev D | Design and development controls per Section 8.3 required |
| ISO 9001:2015 certified manufacturer | Design controls required unless the organization has excluded Section 8.3 by documented justification |
Change magnitude determines the depth of re-validation required. A change that affects safety, efficacy, or intended use requires full re-validation. A change to an administrative document with no functional effect on the device may require only a documented change review. These thresholds are addressed in the change control compliance framework and interact with corrective and preventive action compliance when changes arise from failure investigations.
Organizations certified to ISO 13485:2016 must also apply design controls to any outsourced design activity, extending compliance obligations to supplier quality compliance programs when design work is contracted externally.
References
- 21 CFR Part 820 — Quality System Regulation (FDA, eCFR)
- ISO 13485:2016 — Medical devices: Quality management systems
- ISO 9001:2015 — Quality management systems: Requirements
- FDA — Software as a Medical Device (SaMD): Action Plan
- SAE AS9100 Rev D — Quality Management Systems: Requirements for Aviation, Space, and Defense Organizations
- FDA — Design Control Guidance for Medical Device Manufacturers