Regulify.aiRegulify.ai
Regulify.aiRegulify.ai
Image unavailable

Design History File (DHF) Management with Traceability and Change Control

By regulifyAI
February 24, 2026
17 min read

I still remember the first time an FDA investigator pulled a design change record from a DHF binder and asked the quality manager sitting next to me, "Where is the impact assessment for this change? Where is the re-verification evidence?" The room went quiet. That company had a solid device. Good engineers. A product that worked. But their Design History File told a different story—one of missing links, undocumented decisions, and change orders that trailed off into nothing. They received a Form 483 observation that afternoon.

That experience, nearly fifteen years ago, taught me something I carry into every engagement: your Design History File is not a box-checking exercise. It is the single most important body of evidence that proves your device was designed safely, systematically, and in accordance with the plan you set out to follow. And the change control process embedded within it is what keeps that evidence credible when—not if—your design evolves.

This guide covers everything you need to manage your DHF with disciplined change control: the regulatory requirements, the practical architecture, the common failures I see repeated across the industry, and the strategies that work.

What Is a Design History File, and Why Does It Matter?

A Design History File (DHF) is the compilation of records that describes the complete design history of a finished medical device. Under FDA 21 CFR 820.30(j), each manufacturer must establish and maintain a DHF for each type of device. The regulation is specific: the DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of Part 820.

ISO 13485:2016 Section 7.3.10 mirrors this requirement, stating that the organization shall maintain a design and development file for each medical device type or medical device family, including or referencing records generated to demonstrate conformity to design and development requirements and records for design and development changes.

Here’s what I see repeatedly: teams treat the DHF as an afterthought—a folder they’ll “pull together” before a submission or an audit. This approach almost always fails. A DHF must be built in real time, alongside the design activities it documents. If a design review happens and the minutes aren’t captured that week, the evidence quality degrades. If a design input changes and nobody records the rationale, the traceability breaks.

The DHF is not a snapshot. It is a living record.

The Regulatory Stakes

The consequences of a deficient DHF are not abstract. Design control violations represented a growing category of FDA Form 483 observations between 2020 and 2023, with a 5% increase in citations under 21 CFR Part 820.30 during that period. Incomplete or absent DHFs remain among the top findings in FDA inspections for Class II and Class III devices.

More critically, the FDA increasingly uses postmarket signals—complaints, adverse event reports, recalls—to trace problems back to design control gaps. A spike in field complaints can lead an investigator straight to your DHF, looking for evidence that you identified and mitigated that risk during design. If the evidence isn’t there, you’re facing more than a 483; you’re facing a potential warning letter and a follow-up inspection.

What Belongs in Your DHF

The DHF must contain or reference every record generated during the design control process. In practice, this means organizing documentation across the nine elements of design controls defined in 21 CFR 820.30:

1. Design and Development Plan

The plan defines what you intend to do, how you’ll do it, who is responsible, and when milestones will occur. It should identify all design control activities, assign responsibilities, and describe the interfaces between different groups contributing to the design. The plan must be updated as the design evolves.

2. Design Inputs

Design inputs are the physical and performance requirements that serve as the basis for your device design. They should be documented, reviewed, and approved. Inputs typically include user needs, intended use statements, functional requirements, performance specifications, safety requirements, applicable regulatory standards (such as IEC 60601 or IEC 62304), and risk-based requirements derived from your ISO 14971 risk analysis.

3. Design Outputs

Design outputs are the results of the design effort at each phase. They include device specifications, drawings, manufacturing procedures, packaging and labeling specifications, and software source code or object code. Outputs must be documented in terms that allow adequate evaluation of conformance to design input requirements.

4. Design Reviews

Formal, documented examinations of the design at defined stages. Reviews must include independent reviewers—individuals who do not have direct responsibility for the design stage being reviewed. The results, including the date, participants, and identified issues, must be recorded in the DHF.

5. Design Verification

Verification confirms that design outputs meet design input requirements. This includes inspections, tests, analyses, and comparisons to similar designs. Results—including what was tested, the methods used, the acceptance criteria, the date, and who performed the testing—must be documented.

6. Design Validation

Validation confirms that the device meets user needs and intended uses under actual or simulated use conditions. This is distinct from verification: validation tests the finished device (or a representative unit), not just individual outputs. Validation must be performed on production or production-equivalent units.

7. Design Transfer

Transfer activities ensure that the design is correctly translated into production specifications. This includes manufacturing procedures, quality assurance procedures, and the transition from design outputs to the Device Master Record (DMR).

8. Design Changes

Every modification to the design after initial approval must be identified, documented, verified or validated as appropriate, reviewed, and approved before implementation. This is the change control element—and it is where most organizations struggle.

9. Design History File Itself

The DHF is both a requirement and the container for all of the above. It must be maintained, organized, and accessible for regulatory review.

The Critical Role of Change Control in DHF Management

Let’s be honest: no medical device design moves from concept to market without changes. Requirements shift as clinical understanding evolves. Testing reveals unexpected failure modes. Manufacturing constraints force material substitutions. Regulatory feedback requires design modifications.

The question is not whether changes will occur. The question is whether your process captures them rigorously enough to maintain the integrity of your DHF and the safety of your device.

What FDA and ISO 13485 Require for Design Changes

Under 21 CFR 820.30(i), design changes—including changes to components, manufacturing processes, labeling, packaging, and design inputs—must be identified, documented, validated or verified (where appropriate), reviewed, and approved before implementation.

ISO 13485:2016 goes further in several respects. Section 7.3.9 requires that design and development changes be identified, and records maintained. Changes must be reviewed, verified, validated as appropriate, and approved before implementation. The review must include an evaluation of the effect of the changes on constituent parts and on the device that has already been delivered.

Additionally, ISO 13485 Section 4.1.4 establishes a standalone requirement for change control across the entire QMS, not just design. This section requires that organizations evaluate changes for their impact on both the quality management system and the medical devices produced under it.

This requires honest assessment, not wishful thinking. A seemingly minor change—swapping an adhesive supplier, adjusting a software algorithm parameter, modifying a tolerance on a molded component—can propagate through the design in ways that aren’t obvious without a structured impact analysis.

The Change Control Process: A Practical Framework

Here is a framework I have used across dozens of medical device programs, from Class I instruments to Class III implantable:

Step 1: Change Request Initiation

Every proposed change starts with a formal change request. The request must document: what is changing, why it is changing, and who is requesting the change. This applies whether the change originates from a design review finding, a CAPA, a supplier notification, a regulatory submission feedback, or a manufacturing improvement initiative.

Step 2: Impact Assessment

This is the step most organizations underperform. The impact assessment must evaluate:

  • Effect on design inputs and design outputs

  • Effect on verification and validation results (does previous testing still apply?)

  • Effect on risk analysis (does the risk profile change? are new hazards introduced?)

  • Effect on regulatory submissions (does the cleared/approved device description still match?)

  • Effect on the Device Master Record (do manufacturing or inspection procedures need updating?)

  • Effect on constituent parts and devices already delivered to the field

  • Effect on suppliers and purchased components

The traceability matrix is your most valuable tool here. If your matrix clearly links each design input to its corresponding outputs, verification activities, and risk controls, the impact assessment becomes a structured exercise rather than a guessing game.

Step 3: Verification and Validation of the Change

Any change that affects form, fit, function, safety, or performance requires re-verification and potentially re-validation. The scope of testing should be proportional to the scope of the change—not every change requires full device validation, but every change requires a documented rationale for the testing scope selected.

Step 4: Review and Approval

Changes must be reviewed by individuals qualified to evaluate the change and its impact. This typically includes design engineering, quality, regulatory affairs, and—for significant changes—clinical and manufacturing stakeholders. Approval must be documented before implementation.

Step 5: Implementation and DHF Update

Once approved, the change is implemented according to the approved plan. The DHF must be updated to reflect the new design state, including revised documents, new test reports, updated risk analyses, and an updated traceability matrix. The DMR must also be updated to ensure manufacturing reflects the current approved design.

Step 6: Closure and Effectiveness Verification

After implementation, verify that the change achieved its intended objective and did not introduce unintended effects. This is particularly important for changes driven by CAPA activities.

DHF, DMR, and DHR: Understanding the Three Files

One of the most common points of confusion I encounter—even among experienced quality professionals—is the relationship between the Design History File, the Device Master Record, and the Device History Record. These three documents serve distinct but interconnected purposes.

Preview

The DHF feeds the DMR. Design outputs—once verified, validated, and approved—become the specifications and procedures in the DMR. The DHR then records whether each manufactured lot or unit was produced in accordance with the DMR.

When a design change occurs, all three files are potentially affected. The change modifies the DHF (new records), updates the DMR (revised specifications), and creates new requirements for the DHR (revised acceptance criteria, new inspection procedures).

Building Your Traceability Matrix

The traceability matrix is the structural backbone of your DHF. It visually maps the relationships between user needs, design inputs, design outputs, verification activities, validation activities, and risk controls.

Under the incoming QMSR framework (effective February 2, 2026), traceability is no longer just a best practice—it is a regulatory requirement. ISO 13485:2016, which the QMSR incorporates by reference, explicitly requires that traceability be established between design inputs and outputs as part of design planning.

A Practical Traceability Structure

A well-constructed traceability matrix should demonstrate bidirectional traceability:

  • Forward traceability: Each user need traces to one or more design inputs, which trace to design outputs, which trace to verification and validation activities.

  • Backward traceability: Each test result traces back through the output it verifies, to the input it satisfies, to the user need it addresses.

This bidirectional mapping serves three purposes: it confirms that every requirement has been addressed (no gaps); it confirms that every design activity is justified by a requirement (no unnecessary work); and it provides the roadmap for impact assessment during change control.

Traceability During Change Control

When a design change is proposed, the traceability matrix answers the critical questions:

  • Which design inputs are affected?

  • Which design outputs need revision?

  • Which verification and validation activities must be repeated or supplemented?

  • Which risk controls are potentially impacted?

  • Which sections of the DMR need updating?

Without a current traceability matrix, these questions require manual detective work—reviewing every document in the DHF to determine what might be affected. This is slow, error-prone, and exactly the kind of process that leads to missed impacts and 483 observations.

The QMSR Transition: What Changes for Your DHF

The FDA’s Quality Management System Regulation (QMSR) took effect on February 2, 2026, replacing the longstanding Quality System Regulation (QSR). This is the most significant regulatory shift for medical device quality systems in the United States in decades.

For DHF management, there are several practical implications:

Explicit Traceability Requirement

ISO 13485:2016—now incorporated by reference—requires documented traceability between design inputs and outputs. Under the previous QSR, this was considered a best practice. Under QMSR, it is a regulatory expectation that FDA investigators can cite.

Risk Management Integration

The QMSR embeds risk-based thinking throughout the quality system, not just within design controls. This means your DHF change control process must demonstrate that risk was considered at every stage—from the initial change request through implementation and effectiveness verification. ISO 14971 risk management activities should be tightly integrated with your design change documentation.

Inspection Scope Expansion

Under QMSR, FDA inspectors now have access to management review records, internal audit records, and supplier audit records—areas that were previously exempt from FDA inspection. Your change control process must withstand scrutiny not just at the design level, but at the system level.

No Exemption from FDA Inspection

An ISO 13485 certification does not exempt a manufacturer from FDA inspection, nor does FDA issue or require ISO 13485 certificates of conformance. Compliance must be demonstrated through your actual quality system—including your DHF and change control records.

Common DHF and Change Control Failures

Over two decades of working in this space, I have seen the same failure modes repeat across companies of every size. Here are the most consequential:

1. Retroactive DHF Assembly

This is the most common and most dangerous failure. The team designs and develops the device, then attempts to compile the DHF after the fact. The result is always incomplete. Decisions that were made verbally are lost. The rationale for design choices is forgotten. Verification reports reference test protocols that no longer match the current design.

The fix: Build the DHF in real time, as design activities occur. Assign a DHF owner responsible for ensuring records are captured, reviewed, and filed at each design stage.

2. Informal Change Management

Changes happen through email threads, hallway conversations, or engineering notebook entries that never make it into the formal change control system. The design evolves, but the DHF reflects the original design. When an auditor compares the DHF to the actual device, the discrepancies are immediately apparent.

The fix: Every change, regardless of perceived significance, must enter the formal change control process. A simple triage step can categorize changes by impact level and route them to the appropriate level of review.

3. Incomplete Impact Assessments

The change request is filed, but the impact assessment is a single sentence: “No impact on safety or performance.” Without documented evidence supporting that conclusion, this statement has no regulatory value. FDA investigators routinely challenge superficial impact assessments.

The fix: Use the traceability matrix to systematically evaluate each change. Document the analysis, including the rationale for concluding that certain areas are not impacted.

4. Disconnected Risk Management

The risk analysis (per ISO 14971) exists as a standalone document that is not updated when design changes occur. The result is a risk file that does not reflect the current design state—a finding that triggers both ISO 14971 and design control citations.

The fix: Integrate risk management into the change control process. Every design change should trigger a review of the risk file to determine whether the hazard analysis, risk evaluation, or risk controls need updating.

5. Paper-Based or Folder-Based Systems

Teams managing DHFs through shared drives, email attachments, and paper binders face inherent version control challenges. It becomes difficult to confirm which version of a document is current, whether all required signatures are in place, and whether the traceability matrix reflects the latest design state.

The fix: Adopt purpose-built quality management or design control tools that enforce version control, electronic signatures, and automated traceability linking.

Practical Strategies for Effective DHF Management

Start the DHF at Project Initiation

The first entry in your DHF should be the design and development plan. From that point forward, every design control activity generates records that feed the file. Don’t wait for design reviews to start before organizing the DHF. Don’t wait for verification testing to begin before establishing the traceability matrix.

Assign a DHF Owner

Designate one individual—typically within quality engineering or regulatory affairs—as the DHF custodian for each project. This person ensures that records are captured, properly formatted, reviewed, and filed. They also maintain the traceability matrix and flag gaps.

Conduct Periodic DHF Health Checks

Schedule internal reviews of the DHF at each design stage gate. Verify completeness: are all required records present? Are signatures current? Does the traceability matrix reflect the latest design state? Are change records properly linked to the affected documents?

Integrate Change Control with CAPA

Changes driven by CAPA activities require particular attention. The CAPA system identifies the root cause and prescribes corrective action; the change control system implements that action within the design. These two processes must be linked, with clear references between the CAPA record and the design change record.

Prepare for the QMSR Inspection Model

With the QMSR now in effect, prepare for inspectors who will evaluate your DHF against ISO 13485 requirements, including explicit traceability, risk-based design planning, and comprehensive change records. Conduct a gap assessment against ISO 13485:2016 Section 7.3, and remediate any deficiencies before your next inspection.

How AI-Augmented Tools Are Transforming DHF Management

“Our current system works well enough.”

Maybe. But “well enough” has a cost that most organizations don’t fully calculate. The hours spent manually updating traceability matrices after each change. The risk of human error in impact assessments. The time lost searching through folder structures for the correct version of a verification report. The delays caused by serial review and approval workflows.

This is where AI-augmented quality and regulatory platforms are making a measurable difference. Purpose-built tools can automate traceability linking, flag incomplete records, route change requests through predefined approval workflows, and ensure that risk files stay synchronized with design changes.

At Regulify.ai, we work with medical device manufacturers across all device types—not just software devices, but everything from surgical instruments to complex implantable. Our platform combines deep MedTech regulatory expertise with AI-augmented automation to help teams maintain audit-ready DHFs with integrated change control. The result: documentation that takes months can be reduced by 50% or more, while maintaining the rigor that FDA and notified body auditors expect.

The critical question: is not whether to adopt better tools. The critical question is whether your current process can sustain the documentation burden as your device portfolio grows, your regulatory footprint expands, and the QMSR inspection model demands deeper evidence of compliance.

Key Takeaways

Your Design History File is the evidence record that proves your device was designed safely, systematically, and in compliance with your approved plan. Change control is the mechanism that keeps that evidence credible as your design evolves. Here’s a realistic view of what it takes to get this right:

  1. Build the DHF in real time—not retroactively. Every design activity generates records that belong in the file the moment they are created.

  2. Formalize every change—regardless of perceived significance. Informal changes are invisible changes, and invisible changes are audit findings.

  3. Use the traceability matrix as your change control roadmap—it tells you exactly what is affected by each change and what testing must be repeated.

  4. Integrate risk management with change control—every design change should trigger a review of your risk file. Disconnected risk analysis is a citation waiting to happen.

  5. Prepare for QMSR—with the new regulation now in effect, traceability is no longer optional, risk-based thinking must permeate your quality system, and inspectors have broader access to your records.

  6. Invest in the right tools—manual, paper-based, or shared-drive approaches introduce structural vulnerabilities that purpose-built platforms eliminate.

The manufacturers who build compliant, well-organized DHFs with disciplined change control don’t just avoid 483 observations. They move through regulatory submissions faster, respond to audits with confidence, and bring safer devices to patients. That is the outcome worth working toward.

Regulify.ai helps medical device manufacturers of all types—from simple instruments to complex implantable and software devices—build and maintain audit-ready Design History Files with AI-augmented change control automation.

Learn more at www.regulify.ai

References and Regulatory Sources

  1. FDA 21 CFR Part 820.30 — Design Controls, Quality System Regulation

  2. FDA 21 CFR Part 820.181 — Device Master Record (DMR)

  3. FDA 21 CFR Part 820.184 — Device History Record (DHR)

  4. ISO 13485:2016 — Medical devices, Quality management systems, Requirements for regulatory purposes (Section 7.3)

  5. ISO 14971:2019 — Medical devices, Application of risk management to medical devices

  6. FDA Quality Management System Regulation (QMSR) Final Rule, February 2, 2024 (Effective February 2, 2026)

  7. FDA Design Controls Guidance for Medical Device Manufacturers (March 1997)

  8. IEC 62304 — Medical device software, Software life cycle processes