QA vs QC in Medical Devices: Complete Comparison — Roles, Responsibilities, Organizational Structure & QMSR 2026 Impact
Quality Assurance vs. Quality Control in medical device manufacturing — proactive vs. reactive, process vs. product, responsibilities, tools, org structure, and how QMSR 2026 changes the landscape. Includes FDA 21 CFR 820 and ISO 13485 alignment.
Two Sides of the Same Coin — But Not Interchangeable
Quality Assurance (QA) and Quality Control (QC) are often lumped together as "QA/QC" in medical device companies. They share the same goal — ensuring that devices are safe, effective, and compliant — but they serve fundamentally different functions, operate at different stages, and require different skills, tools, and organizational structures.
The distinction matters more than ever in 2026. The FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, incorporates ISO 13485:2016 by reference and introduces new requirements for top management engagement, process validation, and expanded inspection authority. QA and QC both must evolve to meet these expectations.
This guide provides a complete comparison of QA and QC in medical device manufacturing — including responsibilities, processes, tools, organizational models, regulatory alignment, and practical guidance for building both functions effectively.
What Is Quality Assurance (QA)?
Quality Assurance is a proactive, process-focused discipline that builds quality into the system from the start. QA designs and maintains the processes, procedures, and policies that prevent defects from occurring in the first place.
QA answers the question: "How can we design our processes to prevent defects?"
QA Responsibilities in Medical Devices
| QA Activity | Description | Regulatory Basis |
|---|---|---|
| QMS design and maintenance | Creating and maintaining the quality management system — quality manual, procedures, work instructions, forms | ISO 13485 Clauses 4.1, 4.2 |
| Design control oversight | Ensuring design controls are followed through design planning, inputs, outputs, reviews, verification, validation, and transfer | ISO 13485 Clause 7.3, 21 CFR 820.30 |
| Risk management | Driving ISO 14971 risk management activities — hazard analysis, risk evaluation, risk control, residual risk assessment | ISO 14971:2019 |
| Process validation | Planning and overseeing IQ/OQ/PQ for manufacturing processes that cannot be fully verified by subsequent inspection | ISO 13485 Clause 7.5.6 |
| Supplier quality management | Qualifying suppliers, conducting supplier audits, maintaining approved supplier lists, monitoring supplier performance | ISO 13485 Clause 7.4 |
| Internal audits | Planning and conducting internal audits to verify QMS effectiveness and compliance | ISO 13485 Clause 8.2.4 |
| Management review | Preparing quality data and presenting to top management for review of QMS suitability and effectiveness | ISO 13485 Clause 5.6 |
| Training program design | Developing training requirements, competency frameworks, and effectiveness assessments | ISO 13485 Clause 6.2 |
| CAPA system management | Managing the CAPA process — ensuring investigations are thorough, root causes are identified, actions are implemented and verified | ISO 13485 Clause 8.5.2, 8.5.3 |
| Change control | Evaluating proposed changes for quality impact, managing change control workflows, ensuring re-validation where needed | ISO 13485 Clause 7.3.9 |
| Regulatory intelligence | Monitoring regulatory changes, updating procedures to reflect new requirements (e.g., QMSR transition) | ISO 13485 Clause 7.2.3 |
| Document control | Managing document approval, distribution, revision, and obsolescence workflows | ISO 13485 Clause 4.2.4 |
QA Methods and Tools
- PDCA cycle (Plan-Do-Check-Act) for continuous process improvement
- Quality planning — establishing quality objectives, plans, and metrics
- Process mapping and flowcharting to identify process weaknesses
- Failure Mode and Effects Analysis (FMEA) to proactively identify risks
- Design reviews at each development stage to catch issues early
- Internal audits to verify system compliance and effectiveness
- Training needs analysis and competency assessment programs
What Is Quality Control (QC)?
Quality Control is a reactive, product-focused discipline that verifies whether products conform to specifications through inspection, testing, and measurement. QC catches defects that slip through the process — it is the final line of defense before products reach patients.
QC answers the question: "Does this product meet our standards?"
QC Responsibilities in Medical Devices
| QC Activity | Description | Regulatory Basis |
|---|---|---|
| Incoming material inspection | Inspecting and testing raw materials and components against specifications upon receipt | ISO 13485 Clause 7.4.3 |
| In-process inspection and testing | Monitoring production at defined checkpoints — dimensional checks, visual inspection, functional tests | ISO 13485 Clause 7.5.1 |
| Final product testing | Comprehensive testing of finished devices against acceptance criteria — functional, electrical safety, biocompatibility, sterility | ISO 13485 Clause 8.2.4 |
| Acceptance criteria documentation | Establishing formal documents defining how product conformance is determined | 21 CFR 820 (QMSR), ISO 13485 Clause 7.3.3 |
| Measurement and test equipment management | Maintaining, calibrating, and verifying all inspection, measuring, and test equipment | ISO 13485 Clause 7.6 |
| Nonconforming product handling | Identifying, segregating, and documenting nonconforming product; recommending disposition (rework, scrap, use-as-is) | ISO 13485 Clause 8.3 |
| Sampling plan execution | Implementing statistically valid sampling plans per ANSI/ASQ Z1.4 or ISO 2859 | ISO 13485 Clause 8.2.4 |
| DHR review | Verifying Device History Records are complete and accurate before product release | ISO 13485 Clause 7.5.1, 21 CFR 820 |
| Laboratory testing | Conducting or managing specialized testing — biocompatibility, sterility, chemical analysis, mechanical testing | Various product-specific standards |
| Stability and shelf-life testing | Managing ongoing stability studies and accelerated aging programs | ISO 13485, ISO 11607 |
QC Methods and Tools
- Acceptance sampling using ANSI/ASQ Z1.4 (attribute) or Z1.9 (variable) sampling plans
- Statistical Process Control (SPC) — control charts, capability indices (Cpk, Ppk)
- Measurement System Analysis (MSA) — gauge R&R, bias, linearity studies
- Visual inspection standards with reference samples and defect catalogs
- Functional testing protocols against design specification limits
- Destructive testing for mechanical, thermal, and chemical properties
- Non-destructive testing (NDT) — X-ray, ultrasonic, leak testing
QA vs QC: Complete Comparison
| Dimension | Quality Assurance (QA) | Quality Control (QC) |
|---|---|---|
| Focus | Process | Product |
| Approach | Proactive (prevention) | Reactive (detection) |
| Goal | Build quality into processes | Verify quality of outputs |
| When it occurs | Throughout the product lifecycle | At specific checkpoints during/after production |
| Primary question | "Are we building it right?" | "Did we build the right thing?" |
| Responsibility | Entire organization (everyone follows processes) | Dedicated QC personnel (inspectors, technicians, test engineers) |
| Key output | Processes, procedures, plans, audit reports | Test results, inspection reports, acceptance/rejection decisions |
| Regulatory framework | ISO 13485 QMS design, FDA QMSR compliance | ISO 13485 monitoring/measurement, product-specific testing standards |
| Relationship to risk | Risk management design (ISO 14971) | Risk control verification |
| Success indicator | Low defect rate, high FPY, few CAPAs | High pass rate, low DPMO, accurate acceptance decisions |
| Cost impact | Prevention costs (CoGQ) | Appraisal costs (CoGQ) + failure detection |
| Example activity | Writing the process validation protocol | Executing the test and recording results |
How QA and QC Work Together: The Feedback Loop
QA and QC form a closed-loop quality system. The relationship is not sequential — it is cyclical:
- QA designs the process — establishes procedures, acceptance criteria, sampling plans, and testing requirements
- QC executes the checks — performs inspections, runs tests, records results against acceptance criteria
- QC detects nonconformances — identifies products or processes that deviate from specifications
- QA investigates root causes — leads CAPA investigations to determine why the nonconformance occurred
- QA improves the process — implements corrective and preventive actions based on root cause findings
- QC verifies effectiveness — confirms that the improved process produces conforming product
This feedback loop is the engine of continuous improvement. Without QA, QC becomes a gate with no mechanism for reducing defects. Without QC, QA has no data to validate that processes are working.
Organizational Structure: How to Staff QA and QC
Typical Medical Device Company Structure
The size and structure of QA and QC teams depend on the company's stage and product complexity:
| Company Stage | QA Team | QC Team | Reporting Structure |
|---|---|---|---|
| Startup (pre-revenue) | 1–3 people (QA/RA combined) | Often outsourced or 1 QC person | VP Quality or Quality Director reports to CEO |
| Growth (first product shipped) | 3–8 people (QA engineers, document control, audit) | 2–5 people (inspectors, test technicians) | QA Manager + QC Manager, both reporting to VP Quality |
| Mid-size (multiple products) | 8–20 people (specialized by function) | 5–15 people (incoming, in-process, final) | Director of QA, Director of QC, both under VP Quality |
| Large (enterprise) | 20+ (QA by product line or site) | 15+ (QC labs, inspection teams) | VP Quality with site QA/QC directors |
Key Principle: QA and QC Should Report to the Same Quality Leader
Both functions should report to the same VP Quality or Chief Quality Officer. This ensures:
- Consistent quality policy and strategy across process design and product verification
- Integrated feedback loops — QC data flows directly into QA improvement activities
- No gaps or overlaps between process oversight and product testing
- Unified management review input covering both system health and product conformity
Separation of Concerns: Production vs. Quality
A critical regulatory principle is that QC must have the authority to reject product without production override. ISO 13485 Clause 8.2.4 requires that product release be performed by personnel independent of the production function. QC inspectors must report to quality leadership, not to production management.
QMSR 2026 Impact on QA and QC
The FDA's Quality Management System Regulation, effective February 2, 2026, introduces several changes that directly affect how QA and QC operate:
Changes Affecting QA
| QMSR Change | Impact on QA |
|---|---|
| ISO 13485 incorporated by reference | QA must now ensure QMS aligns with ISO 13485 terminology, structure, and requirements — not just 21 CFR 820 |
| Top management engagement required | QA must prepare quality data for executive-level review and tie quality metrics to leadership KPIs |
| FDA can inspect management reviews and internal audits | QA audit programs and management review processes must be inspection-ready at all times |
| Process validation expanded (§820.75) | QA must strengthen process validation protocols, including outsourced activities and continuous process verification |
| Retirement of QSIT | FDA now uses Compliance Program 7382.850 — QA must understand the new inspection approach |
Changes Affecting QC
| QMSR Change | Impact on QC |
|---|---|
| Control of nonconforming product strengthened (§820.65) | QC must enhance procedures for identifying, documenting, and addressing nonconformances |
| Control of records expanded (§820.35) | QC records (test results, inspection reports, DHRs) must meet enhanced documentation requirements |
| Control of documents expanded (§820.45) | QC test procedures, acceptance criteria, and work instructions must follow updated document control procedures |
| ISO 13485 Clause 7.6 (Control of monitoring and measuring equipment) | QC must ensure all test equipment calibration and verification meets ISO 13485 requirements |
The Practical Impact
Companies like OrthoX, documented in IntuitionLabs' QMSR analysis, have already responded to QMSR by:
- Elevating the frequency of management reviews — CEO now attends quarterly instead of annually
- Tying quality metrics (nonconformances, audit findings, CAPA effectiveness) to executive scorecards
- Conducting self-audits using the new Compliance Program 7382.850
- Training all quality staff on ISO 13485 clause-by-clause requirements
- Identifying and closing gaps in supplier evaluation processes
QA vs QC: Common Misconceptions
Misconception 1: "QA is more important than QC"
Neither is more important. QA builds the guardrails; QC proves they work. A medical device company with excellent processes but no product verification is trusting without confirming. A company with excellent inspection but poor processes is finding defects without preventing them. Both are essential.
Misconception 2: "QA and QC can be the same person"
In very small startups, one person may wear both hats, but this creates an inherent conflict of interest. The person writing the process should not be the sole person verifying the output. ISO 13485 requires independence between those who perform quality activities and those who review or approve them. As soon as a company reaches 5–10 employees, QA and QC should be separate roles.
Misconception 3: "QC only happens at the end of production"
Modern QC in medical devices operates at three stages:
- Incoming QC: Verifying raw materials and components before they enter production
- In-process QC: Monitoring production at defined checkpoints
- Final QC: Comprehensive testing before product release
The most effective QC programs catch issues as early as possible — incoming inspection is cheaper than in-process rework, which is cheaper than final rejection, which is vastly cheaper than a field recall.
Misconception 4: "QA is just documentation"
QA encompasses the entire system design: risk management strategy, process validation planning, supplier qualification criteria, training program design, audit scheduling, and management review preparation. Documentation is a means, not the end. QA's value is measured by the absence of quality failures, not the volume of documents produced.
Comparison: QA and QC Activities Across the Product Lifecycle
| Lifecycle Stage | QA Activities | QC Activities |
|---|---|---|
| Concept / Feasibility | Quality planning, risk management initiation, regulatory strategy | Initial material and component evaluation |
| Design & Development | Design control oversight, risk analysis, design review facilitation, design transfer planning | Design verification testing, prototype testing, test method development |
| Process Development | Process validation planning (IQ/OQ/PQ), SOP development, training program design | Process capability studies, measurement system analysis, sampling plan development |
| Production | Process monitoring, change control, CAPA management, supplier audits, internal audits | Incoming inspection, in-process monitoring, final product testing, DHR review |
| Post-Market | Complaint trending analysis, PMS planning, vigilance reporting, management review | Returned product analysis, stability testing, ongoing calibration |
| Retirement | Product retirement planning, record retention management | Final disposition verification |
FAQ
What is the main difference between QA and QC in medical devices?
QA is proactive and process-focused — it designs the processes, procedures, and systems that prevent defects from occurring. QC is reactive and product-focused — it inspects and tests products to detect defects that have already occurred. QA prevents problems; QC detects them.
Can the same person do both QA and QC?
In very small organizations, one person may perform both functions. However, ISO 13485 requires independence between those who perform quality activities and those who approve them. As a company grows, QA and QC should be separate roles reporting to the same quality leader.
What does ISO 13485 require for QA and QC?
ISO 13485 requires a quality management system (QA function — Clauses 4–6) that includes monitoring and measurement of product (QC function — Clause 8.2.4). The standard does not use the terms "QA" and "QC" explicitly, but the requirements map directly to these functions. QA covers system design and maintenance; QC covers product verification and testing.
How does QMSR 2026 change QA and QC?
QMSR incorporates ISO 13485:2016 by reference, replacing the old QSR. Key changes include: top management must now actively engage with quality data, FDA has expanded authority to inspect management reviews and audit reports, process validation requirements are enhanced, and the new Compliance Program 7382.850 replaces the old QSIT inspection method. Both QA and QC processes must be updated to align with ISO 13485 terminology and requirements.
What tools does QC use in medical device manufacturing?
QC uses acceptance sampling (ANSI/ASQ Z1.4), Statistical Process Control (SPC), Measurement System Analysis (MSA), functional testing equipment, visual inspection standards, dimensional measurement tools, environmental monitoring, and product-specific test methods per applicable standards (e.g., IEC 60601 for electrical safety, ISO 10993 for biocompatibility).
What tools does QA use in medical device manufacturing?
QA uses the PDCA cycle, quality planning, FMEA, design review facilitation, internal auditing, process mapping, CAPA management systems, document control systems, training management systems, and risk management frameworks (ISO 14971).
How should QA and QC be organized in a medical device company?
Both functions should report to the same VP Quality or Chief Quality Officer to ensure integrated feedback loops and consistent quality policy. QC must have the authority to reject product without production override — QC inspectors should not report to production management.
What is the relationship between QA/QC and the Cost of Quality?
QA activities generate prevention costs (CoGQ). QC activities generate appraisal costs (CoGQ). When QA fails to prevent defects and QC fails to detect them, the result is internal and external failure costs (CoPQ). The goal is to invest adequately in QA prevention and QC appraisal to minimize the far more expensive failure costs.