ISO 13485 verification and validation requirements explained for medical device manufacturers navigating the QMSR transition
Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.
The Documentation Gap That Fails Design History Files
A design verification report that confirms the device meets its own specifications is not the same thing as a validation report that confirms the device meets the user’s actual needs. Auditors know the difference. Regulatory affairs teams sometimes don’t find out until an FDA inspector or notified body assessor pulls the Design History File and asks for both — and only one exists.
That gap has gotten more consequential, not less. The FDA’s Quality Management System Regulation took effect February 2, 2026, formally incorporating ISO 13485:2016 into 21 CFR Part 820 by reference. Verification and validation records that used to satisfy QSR expectations are now being evaluated against ISO 13485 Clause 7.3 directly — and the two frameworks don’t document V&V identically.
From the Floor: As a certified ISO 9001 Internal Auditor, I’ve sat across the table from teams who could produce a stack of test reports but couldn’t answer a simple question: which of these prove the design meets the specification, and which prove it meets the user’s need? Verification and validation get treated as interchangeable paperwork until an auditor separates them — and by then it’s a finding, not a conversation. The QMS documentation discipline that catches this before an audit is the same discipline that catches it before a submission.
If your last internal audit didn’t clearly separate verification evidence from validation evidence, that’s the gap worth closing first.
Run a clause-by-clause gap check before your next surveillance audit or FDA inspection — the ISO 13485 Gap Assessment Checklist below is built for exactly this kind of documentation review. Most teams miss the verification/validation split until it’s flagged.
👉 ISO 13485 Gap Assessment Checklist
In This Guide
- What verification and validation mean under ISO 13485 Clause 7.3, and why they are not interchangeable
- How process validation (Clause 7.5.6) differs from design validation
- Software validation requirements for devices and manufacturing/QMS software
- What changed under the FDA QMSR effective February 2, 2026
- The most common V&V documentation failures found in audits and inspections
- How to structure a verification and validation plan that survives scrutiny
Table of Contents
👉 Start Here (Top Resources)
If you’re building or auditing a verification and validation process, these are the two resources worth starting with:
- Get ISO 13485 training from BSI Group — BSI’s ISO 13485 training programs walk quality and regulatory teams through Clause 7.3 requirements in detail, including how design controls map to verification and validation evidence.
- Purchase the official ISO 13485:2016 standard from ANSI Webstore — the authoritative source for Clause 7.3 language. ANSI Webstore serves international buyers and offers the standard in multiple formats. Use code CC2026 for 5% off.
Verification vs. Validation: The Core Distinction

Verification confirms that design outputs meet design inputs. Validation confirms that the finished device meets user needs and intended use. That one-sentence distinction is where most documentation failures start, because the two activities can look procedurally similar — testing, measuring, comparing results against criteria — while answering completely different questions.
| Element | Design Verification | Design Validation |
|---|---|---|
| Question answered | Did we build the design correctly? | Did we build the correct design? |
| Compared against | Design inputs / specifications | User needs / intended use |
| Typical methods | Bench testing, inspection, analysis, comparison to similar designs | Clinical evaluation, simulated use testing, human factors studies |
| Timing | Throughout design and development | Under defined operating conditions, on initial production units or equivalent |
| ISO 13485 clause | 7.3.6 | 7.3.7 |
| Common failure | Testing against internal spec only, no traceability to input | Validating on prototypes instead of production-equivalent units |
Most common finding: auditors and FDA investigators repeatedly cite validation performed on non-representative units — bench prototypes, early builds, or units built on equipment that doesn’t match production. ISO 13485 Clause 7.3.7 specifically requires validation on production or production-equivalent units, under defined operating conditions.
Verification and Validation in Practice: An Infusion Pump Example
Take a manufacturer developing an infusion pump. Design verification confirms the device meets its own engineering specifications:
- ✅ Flow rate accuracy within the specified tolerance
- ✅ Battery life meets the stated runtime under load
- ✅ Alarm volume meets the decibel specification
Design validation confirms something different — that the device works safely in the hands of the people who will actually use it:
- ✅ Nurses can operate the pump correctly and safely during simulated or actual clinical use
- ✅ The alarm is audible and distinguishable in a realistic hospital environment, not a quiet test lab
- ✅ Labeling and instructions for use are understood by the intended users without additional training
A pump can pass every verification test and still fail validation — accurate flow rate and long battery life mean nothing if a nurse under time pressure misreads the alarm or misinterprets the instructions. That’s the gap Clause 7.3.7 is built to catch, and it’s why validation has to happen on production-equivalent units under conditions that resemble actual use.
Design Verification Requirements
Clause 7.3.6 requires that design verification confirms outputs meet input requirements, with results and conclusions recorded, including the methods, dates, and individuals performing the verification. In practice, that means every design input needs a traceable verification activity — not a general statement that “the device was tested.”
If you are building a Design History File from scratch → start with a traceability matrix that maps every design input to its verification method and result before writing a single test protocol. Retrofitting traceability after testing is where most rework happens.
If you are already ISO 9001 certified and adding ISO 13485 → your existing design control process likely covers verification structurally, but it almost certainly lacks the input-to-output traceability rigor ISO 13485 auditors expect. That’s the gap to close first, not the documentation format.
👉 Before You Build Another Test Protocol
Most verification failures aren’t testing failures — they’re traceability failures. Run your design inputs against your current verification records now and find the gaps before an assessor does. →
Design Validation Requirements
Design validation under Clause 7.3.7 must be performed on production or production-equivalent units, under defined operating conditions, and must include risk analysis where applicable — which is where ISO 14971 risk management intersects directly with design controls. Validation isn’t complete until it addresses actual clinical or user-environment conditions, not lab conditions that approximate them.
Objection: “Our device is low-risk — do we really need formal simulated-use validation?” Even Class I and low-risk Class II devices need validation evidence proportional to risk, and “proportional” still means documented, traceable, and tied to intended use. A shorter validation plan is defensible. No validation plan is not.
Clinical evaluation, when required, and human factors/usability testing both fall under validation, not verification — a distinction that matters for regulatory submissions referencing FDA guidance on human factors engineering.
Process Validation Under Clause 7.5.6

Separate from design validation, ISO 13485 Clause 7.5.6 requires validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement — sterilization, certain sealing and bonding processes, injection molding parameters, and software used in production are the classic examples.
Process validation requires:
- ✅ Defined criteria for review and approval of the process
- ✅ Approval of equipment and qualification of personnel
- ✅ Use of specific methods, procedures, and acceptance criteria
- ✅ Requirements for records (Clause 4.2.5)
- ✅ Revalidation criteria, including criteria for triggering revalidation
Most auditors and FDA investigators expect this evidence structured around three stages: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
Installation Qualification (IQ) confirms that equipment and supporting systems are installed correctly, according to the manufacturer’s specifications and the site’s own installation requirements — including verified utilities, calibration status, and documentation of the as-installed configuration, not just a checklist that the equipment arrived and was plugged in.
Operational Qualification (OQ) confirms that the equipment operates as intended across its full specified operating range, not just at a single nominal setting. For a sterilization process, that means testing at the upper and lower bounds of temperature, time, and pressure defined in the process specification — not only the target parameters.
Performance Qualification (PQ) confirms that the process consistently produces conforming output under actual production conditions, typically across multiple runs and, where risk warrants it, multiple operators, shifts, or lots. PQ is where most revalidation triggers get defined, since it establishes the baseline the process must continue to meet.
If you are validating a sterilization or bonding process for the first time → build your IQ/OQ/PQ protocol before ordering test units. Retrofitting an IQ after OQ testing has already started is a common finding, and it undermines the traceability an assessor is looking for.
If your process hasn’t changed but your equipment or facility has → IQ typically needs to be repeated even when OQ and PQ parameters stay the same, since IQ is tied to the specific installation, not the process design.
Skipping straight to PQ — running production and calling the passing output “validation” — is one of the most common shortcuts auditors flag, because it skips the evidence that the equipment itself is capable of consistently meeting the operating range the process depends on.
If you are outsourcing sterilization or bonding processes → your supplier controls documentation needs to show that you’ve verified the supplier’s process validation, not just received a certificate of conformance.
Software Validation Requirements
Software validation shows up in two places under ISO 13485, and conflating them is a recurring audit finding: software that is part of the device (or used in its production) versus software used for quality management purposes, such as electronic QMS platforms or CAPA tracking tools. Both require validation appropriate to their use, application, and risk — but the depth and method differ substantially, and design-control software validation should be traceable back to the same input/output structure as hardware verification.
What the FDA QMSR Changed for U.S. Manufacturers
The FDA’s Quality Management System Regulation replaced the legacy Quality System Regulation under 21 CFR Part 820, effective February 2, 2026, incorporating ISO 13485:2016 by reference rather than maintaining a separately worded U.S. regulation. For manufacturers who were already ISO 13485 certified, the operational impact on verification and validation practices is smaller than the documentation-mapping impact: DHF, DMR, and DHR content doesn’t necessarily need renaming, but it does need a clear mapping showing where ISO 13485 Clause 7.3 requirements are satisfied within existing U.S. records.
If you were operating under legacy QSR language only → this is the trigger to formally adopt ISO 13485 Clause 7.3 verification/validation terminology and structure, since FDA inspectors are now trained against the ISO clause structure, not the old Part 820 subparts.
Common V&V Documentation Failures
The same handful of gaps show up repeatedly in ISO 13485 QMS audits:
- No traceability matrix linking design inputs to verification methods and results
- Validation performed on prototypes rather than production-equivalent units
- Missing revalidation criteria for processes that later change equipment, materials, or parameters
- Software validation treated as one-size-fits-all instead of scaled to risk and application
- Verification and validation dates, methods, and personnel not fully recorded, leaving conclusions without traceable support
👉 Before Your Next Notified Body Assessment
If you’re not confident your traceability matrix would hold up under document review, that’s the exact gap the ISO 13485 Gap Assessment Checklist was built to catch — in under 45 minutes. →
Building a Verification & Validation Plan That Holds Up
A defensible V&V plan starts with the traceability matrix, not the test protocols. Build it in this order:
- List every design input and requirement
- Map each input to a specific verification method and acceptance criterion
- Identify which requirements also require validation evidence, and under what conditions
- Define production-equivalent unit criteria before validation begins
- Build revalidation triggers into the plan up front — not as an afterthought after a process change
This structure is what turns a stack of individual test reports into a Design History File that answers an assessor’s questions instead of prompting more of them.

Quick Audit Checklist
- ✅ Every design input has a documented verification method and result
- ✅ Validation was performed on production or production-equivalent units
- ✅ Risk analysis is referenced in the validation rationale
- ✅ Process validation records include revalidation criteria
- ✅ Software validation is scaled to intended use and risk
- ✅ Verification and validation records include dates, methods, and personnel
- ⚠️ Watch for validation evidence copied from an earlier device without device-specific justification
FAQ
What is the difference between verification and validation in ISO 13485?
Verification confirms design outputs meet design inputs — did we build it correctly. Validation confirms the finished device meets user needs and intended use — did we build the correct thing. They require separate evidence and cannot substitute for each other.
Does ISO 13485 require validation on production units?
Yes. Clause 7.3.7 requires design validation on production or production-equivalent units under defined operating conditions, not on early prototypes or bench models that don’t reflect final manufacturing.
What processes require process validation under Clause 7.5.6?
Any process where output cannot be fully verified by later inspection or testing — common examples include sterilization, certain welding and bonding processes, injection molding, and adhesive curing.
How did the FDA QMSR affect verification and validation requirements?
The QMSR, effective February 2, 2026, incorporates ISO 13485:2016 into 21 CFR Part 820 by reference. Manufacturers now need documentation that maps clearly to ISO 13485 Clause 7.3, even if internal DHF/DMR/DHR naming stays the same.
Do low-risk devices still need design validation?
Yes, though the depth can scale with risk. A shorter, risk-justified validation plan is acceptable; skipping validation entirely is not.
Does software need separate validation from the device it’s part of?
Software validation is required both for software that’s part of or used in producing the device, and for software used for quality management purposes — but the required depth and method differ by application and risk.
What’s the most common finding auditors cite for validation?
Validation conducted on non-representative units — prototypes or early builds that don’t match production configuration or manufacturing conditions.
Where does risk management fit into verification and validation?
ISO 14971 risk management activities feed directly into what needs validation and how rigorously, particularly for design validation rationale and process revalidation triggers.
📥 Free Resources
- ISO 13485 Gap Assessment Checklist — free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements, including design control and V&V documentation gaps
- ISO 9001 Roadmap — step-by-step implementation guide for manufacturers building or improving a quality management system
- Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments
- Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts
- AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification
Not Sure What to Do Next?
🔹 Still researching your V&V documentation gaps? Start with the ISO 13485 Gap Assessment Checklist — it maps directly to Clause 7.3 verification and validation requirements.
🔹 Ready to build a compliant V&V process? BSI Group’s ISO 13485 training covers Clause 7.3 requirements in the depth a design control rebuild needs.
🔹 Need the standard itself to build your traceability matrix against? Get ISO 13485:2016 from ANSI Webstore — code CC2026 takes 5% off, and international formats are available.
Verification proves your engineers met the specification. Validation proves your customers can safely use the product. Auditors expect both. Regulators require both. A complete Design History File demonstrates both through traceable evidence — not one comprehensive-sounding report that tries to do both jobs at once.
Stay Ahead of the Next V&V Finding
Design History File gaps rarely surface during routine work — they surface during an audit or inspection, when there’s no time left to fix them. Manufacturers who catch the verification/validation split early walk into assessments with a traceability matrix that answers questions before they’re asked. Manufacturers who don’t spend the assessment explaining why validation was performed on a prototype.
The Standards Navigator tracks ISO 13485, QMSR, and medical device compliance requirements as they develop — including changes that affect how verification and validation get documented.
👉 Get updates on ISO 13485 and QMSR compliance changes
👉 Be first to access new medical device gap assessment tools and checklists
Subscribe below to stay ahead.
The Standards Navigator — Industrial Compliance. Clearly Explained.
