Change Control in Quality Management: Process & Requirements

Introduction

Many medical device and life sciences manufacturers struggle with one of the most frequently cited compliance gaps: poorly executed change control processes that lead to audit findings, product recalls, and regulatory delays. FDA inspection data through December 2025 consistently shows design controls, production process controls, and CAPA implementation among the top cited deficiencies—areas where change control failures often surface.

Change control in quality management is the formal process of identifying, evaluating, approving, implementing, and verifying modifications to products, processes, documents, or systems in a regulated environment. Operational requirements are frequently misunderstood at the team level, leading to classification errors, retroactive documentation, and incomplete impact assessments.

Uncontrolled changes in medical device and pharmaceutical manufacturing can compromise product safety, trigger regulatory findings, or invalidate validated states. Robust change control is a patient safety requirement, not just a compliance formality. This article covers the end-to-end process, classification criteria, documentation requirements, and regulatory standards that effective change control programs must address.

TL;DR

  • Change control is a structured QMS process ensuring every modification is risk-evaluated and approved before implementation
  • Mandatory under ISO 13485, FDA 21 CFR Part 820 (QMSR), EU MDR, ICH Q10, and other global standards
  • Process follows five steps: initiation, impact assessment, review/approval, implementation, and verification/closure
  • Impact assessment determines classification (minor, moderate, major) and required validation level
  • Poor change control drives audit findings, recalls, and compliance gaps across regulated industries

What Is Change Control in a Quality Management System?

Change control within a QMS is a systematic, documented method for managing any modification that deviates from an approved baseline. This covers design changes, process adjustments, document revisions, supplier switches, and software updates across the product lifecycle.

The goal is straightforward: maintain product quality, patient safety, and regulatory compliance throughout every change. Change control doesn't block progress; it ensures every modification is deliberate, risk-assessed, and traceable back to an approval.

Change control vs. change management:

  • Change control focuses on the what and how — evaluating, approving, and documenting each modification with procedural rigor
  • Change management focuses on the who and when — communication, training, and ensuring the organization actually adopts the change

Both are necessary. But confusing them is a common source of QMS gaps, especially in organizations scaling from startup to commercial stage.

Why Change Control Is Critical in Regulated Industries

Regulated industries face unique pressures that make change control non-negotiable. Regulatory submissions—510(k)s, PMAs, CE technical files—are tied to defined product and process states. Any undocumented change can invalidate approvals, affect predicate device relationships, or require new notifications to authorities.

What goes wrong without structured change control:

  • Undocumented modifications propagate across product versions without traceability
  • CAPA actions never link to formal change records, breaking the closed-loop system
  • Incomplete impact assessments miss downstream effects on validated processes
  • Missing approval chains create regulatory exposure during audits

The consequences show up in real-world data. Analysis of Class I device recalls from 2020-2023 revealed that design compliance issues, software malfunctions, and manufacturing defects—all preventable through rigorous change control—featured prominently among 211 recall reasons.

Australia's TGA audit data covering 59 ISO 13485 audits from 2021-2023 showed frequent nonconformities under Clause 4.1 (general QMS requirements including change control), Clause 4.2.4 (document control), and Clause 8.5.2 (CAPA). Change control gaps don't stay isolated—they trigger downstream failures across documentation, CAPA, and audit readiness simultaneously.

How the Change Control Process Works: Step by Step

The change control process follows a defined flow: formal request → impact assessment → cross-functional review → approval → controlled implementation → verification and closure. Each step requires documented evidence and clear accountability.

Classification drives everything downstream. Changes are assessed as minor, moderate, or major based on potential impact on product safety, effectiveness, or validated state — and that classification determines revalidation scope, regulatory notification obligations, and design history file updates.

[Figure: 5-step change control process flow from initiation to verification and closure]

Step 1: Change Initiation

The change is formally documented using a standardized change request form. A complete submission includes:

  • Description, scope, and reason for the change (regulatory update, CAPA action, process improvement, supplier change)
  • Current vs. proposed state
  • Preliminary risk assessment
  • Affected documents, systems, or products
  • Linked CAPA or deviation records

The change initiator is accountable for completeness and accuracy. An incomplete request delays every downstream step.

Step 2: Impact Assessment

Cross-functional teams — quality, regulatory affairs, operations, engineering — evaluate the proposed change for effects on:

  • Product quality and safety
  • Regulatory compliance status
  • Validation state
  • Labeling and instructions for use
  • Related processes and systems

This is where classification is confirmed and regulatory notification requirements are determined. A major change affecting validated processes or product safety may require prior regulatory approval before implementation can begin.

Step 3: Review and Approval

The completed change request and impact assessment are routed to defined approvers — typically QA, regulatory affairs, and relevant functional owners. Approval is documented with rationale, any conditions attached, and the required verification or validation scope.

No implementation activity begins until the change plan carries documented approval. This gate prevents unapproved changes from entering the production environment.

Step 4: Implementation

The approved change is executed according to the change plan, which may include:

  • Updating controlled documents and revising SOPs
  • Adjusting equipment settings or modifying software
  • Qualifying new suppliers or materials

All activities require documented objective evidence. Affected personnel must complete training on updated procedures before the change takes effect — training records are part of the implementation package, not an afterthought.

Step 5: Verification and Closure

Verification confirms the change performed as intended. Depending on classification, this may involve testing, performance monitoring, or a post-change audit. All completed activities, records, and evidence are linked to the change control record before formal closure.

A closed, fully documented change control record is what gives auditors and regulators confidence that changes were made in a controlled, traceable way — and what protects the organization during inspections.

Regulatory Requirements for Change Control in a QMS

Multiple global standards and regulations explicitly require formal change control procedures within a QMS. Non-compliance is among the most frequently cited findings in FDA inspections and ISO audits.

ISO 13485:2016

Clause 4.1.4 requires organizations to:

  • Control changes to QMS processes
  • Evaluate impact on the quality management system
  • Evaluate impact on medical devices produced
  • Control changes per ISO 13485 and applicable regulatory requirements

Clause 7.3.9 requires documented procedures to:

  • Control design and development changes
  • Determine significance to function, performance, usability, safety, and regulatory requirements
  • Review, verify, and validate changes as appropriate
  • Approve changes before implementation
  • Evaluate effects on constituent parts and products already delivered

Clause 7.3.10 mandates design and development files include records of all changes, creating the traceability foundation regulators expect during inspections.

FDA Quality Management System Regulation (QMSR)

Effective February 2, 2026, FDA's Quality Management System Regulation incorporates ISO 13485:2016 by reference, directing change control requirements to ISO Clauses 7.3.9, 7.3.10, and 4.1.4.

Previously, 21 CFR Part 820:

  • §820.30(i) required written procedures for identifying, documenting, validating/verifying, reviewing, and approving design changes before implementation
  • §820.70(b) required the same structured approach for production and process changes

Under QMSR, these expectations remain but are now met through ISO 13485 compliance.

FDA 21 CFR Part 211 (Pharmaceutical cGMP)

§211.22 gives the Quality Control Unit authority to approve or disapprove all specifications and procedures affecting product quality.

§211.100(a) requires written procedures for production and process changes with QCU review and approval.

For pharmaceutical companies operating across multiple markets, ICH Q10 Section 3.2.3 extends these expectations by integrating change management across the full product lifecycle using quality risk management. It requires:

  • Risk-based evaluation proportionate to risk level
  • Expert cross-functional evaluation with predefined criteria
  • Post-implementation evaluation to confirm objectives and no deleterious impact

[Figure: Global change control regulatory standards comparison: ISO, FDA, EU MDR, ICH Q10]

EU MDR 2017/745

Article 10(9) requires manufacturers to ensure procedures exist to keep series production in conformity. Changes in device design, characteristics, or referenced harmonized standards must be "adequately taken into account in a timely manner."

Significant changes may require re-engagement with the notified body or updates to the CE marking technical file.

MDCG 2020-3 guidance provides flowcharts across five categories — intended purpose, design/performance, software, materials, and sterilization/packaging — to assess whether a change is "significant" and triggers notified body assessment.

EU GMP Annex 15 requires formal change control procedures for validated systems and processes in pharmaceutical manufacturing, with QRM-based triggers for requalification/revalidation.

Common Misconceptions and Pitfalls in Change Control

Change Control Is Not a Documentation Exercise

Teams often conflate change control with change management or reduce it to a paperwork task. Change control is specifically about technical and regulatory control of modifications. Rigor should match the risk classification of the change rather than being applied uniformly to every modification regardless of impact.

Where Teams Oversimplify the Process

Three patterns appear repeatedly in audit findings and warning letters:

  • Classifying changes as "minor" to avoid validation work, even when impact is significant
  • Documenting changes after implementation, violating the pre-approval requirements of ISO 13485 Clause 7.3.9 and ICH Q10
  • Treating the change request as a standalone record rather than linking it to CAPAs, risk assessments, and updated controlled documents

The FDA Warning Letter to iRhythm Technologies illustrates the downstream burden: FDA cited failures in design change validation and required retrospective review of 999,328 complaints after earlier process failures.

Process Completion Does Not Equal Effectiveness

Closing a change record is not the same as confirming the change worked. Effectiveness must be separately verified after implementation — closing a record without that check is a procedural gap auditors consistently flag under both ISO 13485 and FDA quality system expectations.

Conclusion

Change control is how regulated companies maintain product quality, protect patients, and demonstrate compliance every time a modification is made to a product, process, document, or system. Done well, it enables continuous improvement without opening the door to regulatory risk.

Successful change control depends on correct classification, genuine cross-functional collaboration, and tight linkage to the broader QMS: CAPAs, risk management, document control, and training.

For medical device companies navigating ISO 13485, EU MDR, or FDA QMSR requirements, Elexes quality management system services can help establish and maintain a change control process that holds up under regulatory scrutiny while supporting ongoing improvement.

Frequently Asked Questions

What is change control in a quality management system?

Change control is a formal, documented process within a QMS for evaluating, approving, implementing, and verifying modifications to products, processes, documents, or systems to maintain quality, safety, and regulatory compliance throughout the change lifecycle.

Why is change control important in a quality management system?

Without structured change control, organizations risk unauthorized modifications, validation failures, audit findings, and product quality issues. Regulators under ISO 13485, FDA 21 CFR, and EU MDR explicitly require it as a core QMS element to protect patient safety and product integrity.

What are the steps of the change control process in a quality management system?

The process follows five key steps: change initiation, impact assessment, cross-functional review and approval, controlled implementation with training, and verification with formal closure. Each step requires documented evidence and defined accountability.

What is an impact assessment in the change control process?

An impact assessment evaluates how a proposed change may affect product quality, safety, regulatory compliance, and validated states. Its outcome determines change classification (minor, moderate, or major) and the required level of validation, testing, or regulatory notification.

What 21 CFR requirements apply to change control in a quality management system?

For medical devices, FDA 21 CFR Part 820 (QMSR as of Feb 2026) incorporates ISO 13485:2016, routing change control requirements to Clauses 7.3.9 and 4.1.4. Pharmaceutical manufacturers follow 21 CFR Part 211 §211.22 and §211.100(a), which require Quality Control Unit authority and written change control procedures.

What controls are included in a quality management system?

A QMS typically includes document control, design control, process control, CAPA, risk management, training management, supplier management, audit management, and change control—each working together to ensure product quality and regulatory compliance from development through post-market.