Product Development
Design controls under 21 CFR 820.30 and risk management under ISO 14971 are the two most heavily inspected elements of a medical device quality system. Getting them right from the start of development is dramatically less expensive than reconstructing them before a submission or inspection.
Build Your Design Control SystemDesign Control Architecture
FDA's Quality System Inspection Technique (QSIT) designates design controls as one of the four major subsystems inspected in device facility audits. Under 21 CFR 820.30, the design controls requirement applies to all Class II and III device manufacturers and to Class I devices that are automated with computer software. The regulation requires documented procedures for design and development planning, design inputs, design outputs, design review, design verification, design validation, design transfer to production, and design changes — each with specific content requirements.
The design history file (DHF) is the documentary record that demonstrates design controls were followed. FDA investigators inspect the DHF to verify that: design inputs were documented before outputs were generated, design outputs meet design inputs and can be verified, design reviews occurred at appropriate stages with qualified participants, verification activities were completed with documented protocols and results, validation included user needs confirmation, and design changes were controlled through the change process. A DHF that exists on paper but doesn't reflect actual development practice fails inspection on the first substantive question.
Traceability from user needs through design inputs, design outputs, verification, and validation is what makes a design history file navigable for FDA review. Without a traceability matrix, proving that every user need is addressed by a design input, that every design input is addressed by a design output, that every design output was verified, and that the validation addressed the intended use requires forensic reconstruction of the development record. With a maintained traceability matrix, this demonstration is straightforward.
We design traceability matrices that are built into the development process from the beginning — not assembled after the fact. The matrix structure is designed to survive the inevitable design changes that occur during development without requiring complete reconstruction, using requirements management approaches that track change history alongside current requirements status.
ISO 14971:2019 requires that risk management be integrated throughout the product life cycle, not treated as a standalone activity. Risk management files that exist as separate documents disconnected from the design history file create a specific inspection problem: FDA investigators expect to see risk management referenced in the design inputs, reflected in verification and validation activities, and updated following design changes. A risk management file that was completed once and never updated to reflect design iterations fails to demonstrate the ongoing risk management process the standard requires.
We build risk management files that reference the DHF bidirectionally: risk controls appear in design outputs and are verified through identified test methods; residual risks are documented and their acceptability is evaluated against the overall benefit-risk profile. Risk management reports are generated at appropriate milestones and updated following design changes — producing a live record rather than a document written once for submission and never touched again.
Get Started
A DHF that looks complete but doesn't reflect real development history fails on the first question. We build design control systems designed for the real conditions of FDA audit — not for appearance.