All terms
    Quality & RiskQuality System

    Change Control

    Formal QMS process for evaluating, approving, and implementing changes that could affect product quality or compliance.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    Change control evaluates proposed changes to design, processes, suppliers, software, or labeling for impact on safety, performance, regulatory status, and validation status before approval and implementation.
    What the regulation says
    Change control is a fundamental element of a quality management system, as outlined in FDA 21 CFR Part 820.30(i) for design changes and throughout ISO 13485:2016, specifically clause 4.2.4 for control of documents and clause 7.3.9 for design and development changes. It ensures that modifications to a medical device or its associated processes do not adversely affect safety, effectiveness, or compliance with applicable regulations, such as those detailed in EU MDR 2017/745 Annex I.

    What this means in practice

    Tightly linked to Letter-to-File decisions, supplier change notifications, and PCCP boundaries for AI devices. Inadequate change-impact assessments are a frequent FDA inspection finding.

    Examples

    • A MedTech company initiates a change control to update the software algorithm of an infusion pump to improve dose accuracy, requiring re-validation and regulatory submission.
    • A manufacturer of surgical instruments implements a change control to approve a new supplier for a critical component, necessitating supplier qualification and impact assessment on existing device validations.
    • A diagnostic device firm uses change control to revise its labeling to include updated warnings based on post-market surveillance data, ensuring compliance with EU MDR Annex I, Section 23.4. (Warnings and precautions).
    Common pitfalls
    • Failing to document the rationale for not performing a full re-validation after a minor design change is a common pitfall.
    • Implementing a software update without assessing its impact on cybersecurity and existing clinical claims can lead to significant issues.
    • Not involving all relevant functional areas, such as regulatory affairs or cybersecurity, in the change assessment process is a frequent mistake.
    • Overlooking the cumulative effect of multiple small changes on device performance or regulatory compliance can result in non-conformities.
    • Skipping a formal risk assessment for proposed changes, as required by ISO 14971:2019, clause 6.2, is a critical error.

    Frequently asked questions

    The primary goal is to ensure that any modification to a medical device, its manufacturing process, or quality system documentation maintains or improves the safety, performance, and regulatory compliance of the device.

    Cross-references

    Uses

    See also

    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 3 verified· last checked 2026-06-20
    eCFR·1FDA·1ISO·1
    1. 1
      21 CFR 820.30(i)
      Verified
      eCFRecfr.gov
    2. 2
      FDA - Quality Systems
      Verified
      FDAfda.gov
    3. 3
      ISO 13485 Standard Page
      Verified
      ISOiso.org

    Inline markers like [1] jump to the matching reference above.