Documentation, review, verification or validation, and approval of design changes before implementation — 820.30(i) change control process carried forward.
Impact assessment on already-delivered product is explicitly required; risk management re-evaluation must accompany any change affecting a risk control.
Delivered-product impact assessment in change records — changes that lack a retrospective field-impact evaluation are a recurring 483 observation.
Maps to
QMSR / ISO 13485: §820.30(i) Design changes.
Requirement text
Design changes shall be identified, reviewed, verified, validated as appropriate, and approved before implementation.
Why this clause exists
Post-design changes to medical devices are among the highest-risk events in a product's lifecycle because they can alter the performance, safety, or regulatory status of a device that has already been cleared or approved on the basis of original design evidence. The requirement to assess impact before implementation exists because the engineering team making the change may not fully anticipate its downstream effects — a dimensional change that seems minor can affect fit and function in clinical use, invalidate a previously conducted validation study, or compromise a risk control measure that was incorporated at that dimension specifically to reduce a hazard. The crosswalk to ISO 14971:2019 § 10 (production and post-production activities) formalizes the obligation to re-evaluate the risk management file whenever a design change could affect any risk control measure: the chain of risk control is only as strong as its weakest implemented link, and a change that inadvertently removes or degrades a control restores the hazard the control was meant to address. The assessment for regulatory implications — including whether the change constitutes a significant change requiring a new premarket submission — is the manufacturer's responsibility before implementation; regulators cannot evaluate every device change in real time, so the manufacturer bears the obligation to identify when regulatory interaction is required and to initiate it proactively rather than retroactively.
What changed
§820.30(i) — Part 820 (legacy)
"Each manufacturer shall establish and maintain procedures for the identification, documentation, validation or where appropriate verification, review, and approval of design changes before their implementation."
§7.3.9 — ISO 13485:2016 (current)
"The organization shall document procedures to control design and development changes. The organization shall determine the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use. Design and development changes shall be identified. Before implementation, the changes shall be: a) reviewed; b) verified; c) validated, as appropriate; d) approved. The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realization processes. Records of changes, their review and any necessary actions shall be maintained (see 4.2.5)."
Δ Change review must now evaluate impact on in-process and delivered product, and on risk management outputs; significance assessment against usability and regulatory requirements is now explicit.
Common gaps (what we see in audits)
- No impact assessment for already-delivered products — ISO 13485 requires that design change review include evaluation of the effect on 'constituent parts and product already delivered.' Many Part 820-era change control procedures assess the impact on the current design but do not require a formal assessment of whether the change affects devices already in the field.
- Change impact on risk management not assessed — Under the QMSR framework, design changes that affect risk control measures must trigger re-evaluation of the risk analysis. Many legacy change control procedures do not include a step for assessing whether the proposed change affects any risk controls or requires updates to the risk management file.
- Scope of re-verification and re-validation not determined — ISO 13485 requires that changes be 'verified and validated, as appropriate, before implementation.' Many legacy procedures approve changes without a formal determination of what re-verification and re-validation activities are needed based on the nature and scope of the change.
- Missing 'Significance' assessment — The design change procedure lacks a formal requirement to assess the significance of the change to safety and usability. ISO 13485 §7.3.9 requires this determination.
- No evaluation of 'delivered product' impact — Change records don't document whether the change affects devices already in use. ISO 13485 §7.3.9 requires this evaluation.