Quality Assurance vs. Quality Control in Medical Devices

Don't confuse QA and QC in your QMS. Discover the critical differences between Quality Assurance and Quality Control under ISO 13485, and learn how balancing both protects your device and your next audit.

Updated 27th May 2026

Quality Assurance (QA) vs. Quality Control (QC) in Medical Devices

When bringing a medical device or in vitro diagnostic (IVD) to market, “quality” isn’t just a buzzword—it is a legal requirement. However, compliance teams and startups frequently mix up two critical pillars of a Quality Management System (QMS): Quality Assurance (QA) and Quality Control (QC).

While they work hand-in-hand to ensure patient safety, they have completely different objectives, timelines, and methods. Failing to understand the difference can lead to systemic process failures, non-conformances during audits, or worse, product recalls.

  • Quality Assurance (QA) is proactive and process-oriented. It focuses on preventing defects by designing, implementing, and monitoring the right processes across your entire organization.

  • Quality Control (QC) is reactive and product-oriented. It focuses on detecting defects by inspecting, testing, and verifying the physical product or software output before it reaches the end user.

The Golden Rule: QA builds the roadmap to ensure you make a safe product; QC inspects the final product to ensure the roadmap was actually followed.

Key Differences At a Glance

| Feature | Quality Assurance (QA) | Quality Control (QC) |
|---|---|---|
| Core Focus | The Process: Preventing defects before they happen. | The Product: Identifying defects after production. |
| Approach | Proactive and preventative. | Reactive and defensive. |
| Timing | Ongoing throughout the entire product lifecycle. | Conducted at specific milestones or post-production. |
| Goal | To improve development and testing processes so the device is consistently safe. | To identify and isolate specific non-conforming items before distribution. |
| Responsibility | Everyone involved in the lifecycle (Designers, Engineers, Regulatory, Management). | Dedicated QC inspectors, lab technicians, or automated testing software. |
| Key Standard | Dictated by ISO 13485 and FDA 21 CFR Part 820 QMS frameworks. | Executed via specific product testing standards (e.g., bioburden, electrical safety testing). |

QA vs. QC: Real-World Medical Device Examples

To truly understand how these concepts operate on the manufacturing floor or within a software engineering environment, let’s look at how they apply to specific medical device scenarios:

Example 1: Physical Hardware Manufacturing (e.g., orthopedic implants or syringes)

  • The QA Process: Your team designs a cleanroom environment, establishes a rigorous supplier qualification protocol for raw titanium, and drafts Standard Operating Procedures (SOPs) for machine calibration. You are setting up a system to ensure every implant is made perfectly.

  • The QC Action: A quality inspector pulls one out of every 50 finished implants from the assembly line. They measure its dimensions with a digital micrometer to ensure it meets tolerance specifications and run a laboratory bioburden test to check for microbial contamination before packaging.

Example 2: Medical Device Software (SaMD)

  • The QA Process: You establish a software development lifecycle (SDLC) compliant with IEC 62304. This includes enforcing mandatory peer code reviews, automated unit testing frameworks, and clear version control protocols before a single line of code is written.

  • The QC Action: Before a software update drops, a dedicated validation engineer executes a penetration test to find security vulnerabilities and runs manual beta-testing scripts to intentionally try and crash the user interface.

The Regulatory Perspective: Why Notified Bodies Care

Auditors from Notified Bodies (such as BSI) or national regulators (like the MHRA or FDA) do not view QA and QC as optional or interchangeable—they look for clear evidence of both within your ISO 13485 Quality Management System.

Total Quality Management (TQM): The overarching organizational philosophy centered on long-term compliance and safety.

  • Quality Assurance (QA), process-oriented: process design, SOPs and work instructions, staff training, supplier audits.

  • Quality Control (QC), product-oriented: batch testing, visual inspections, lab verifications, product audits.

When an auditor reviews your technical documentation, they track the interplay between process and product:

1. The Audit Trail of a Failure

If a QC inspector catches a non-conforming batch of products (a QC event), the auditor will immediately look at your QA framework to find out why it happened. They will expect to see a logged CAPA (Corrective and Preventive Action) to update the manufacturing process so the error never repeats.

2. ISO 13485 Compliance

  • Clause 7 (Product Realization): This is heavily process-driven (QA). It requires you to plan the processes needed for product realization.

  • Clause 8 (Measurement, Analysis, and Improvement): This is where QC shines. It demands monitoring and measurement of the product characteristics to verify that product requirements have been met.

Auditor Mindset: A company with great QC but poor QA will constantly catch mistakes right before shipping, leading to high scrap rates and wasted revenue. A company with great QA but poor QC is blind—they assume their processes are perfect but have no physical proof that safe devices are leaving the building.

Conclusion: Balancing the Scales for Market Access

To successfully navigate the EU MDR, IVDR, or UKCA marking processes, you cannot rely on product testing alone, nor can you rely purely on paperwork. True compliance means using QA to design an unshakeable ecosystem, and using QC as the safety net that double-checks your work.

FAQs

Yes, but it is a highly inefficient and risky way to operate. A company with only QC will constantly catch defects right before shipping. This leads to high scrap rates, wasted engineering hours, expensive re-work, and a massive bottleneck in delivery. Without QA to fix the underlying processes, the same production mistakes will happen repeatedly.

While ISO 13485 covers both, it heavily prioritizes Quality Assurance (QA). The standard is designed to help you build a proactive Quality Management System (QMS) where management responsibility, resource allocation, design controls, and continuous improvement prevent product failures. QC acts as the measurement and verification tool required by Clause 8 of the standard to prove your QA systems are working.

  • QA is an organization-wide responsibility. While a QA Manager oversees the framework, everyone from design engineers and software developers to supply chain managers must follow the established SOPs.

  • QC is an execution-specific responsibility. It is typically performed by designated Quality Control inspectors, laboratory technicians, or automated testing protocols whose sole job is to evaluate the output against technical specifications.

In Software as a Medical Device (SaMD), the line blurs slightly but the principles remain firm. Software QA involves setting up the compliant development lifecycle (like IEC 62304 frameworks), establishing coding standards, and scheduling peer reviews. Software QC involves the technical testing of the compiled build—such as automated unit testing, penetration testing for security vulnerabilities, and manual beta testing to verify features.

If you have excellent QA but poor QC, auditors will flag you for failing to adequately verify your products (non-conformance under testing and measurement criteria). If you have excellent QC but poor QA, auditors will see a history of product defects and ask for your CAPA (Corrective and Preventive Action) logs. If you cannot prove that you are actively updating your processes to prevent those defects from happening again, you risk failing the audit.

Alex Lewis, BSc, Qualified Lead Auditor

Reviewed by
Alex Lewis, BSc
Quality Assurance Manager | ISO 13485 Lead Auditor
15+ years in medical device regulatory affairs, ISO 27001, ISO 9001, MDR/IVDR compliance and quality systems.
