How to Do Medical Device Due Diligence: A Practical Checklist for Regulatory Compliance, Quality, and Risk Management
Effective medical device due diligence verifies that a target’s products, processes, and evidence meet regulatory expectations and can scale without hidden risk. This practical checklist helps you assess regulatory compliance, the quality management system, risk management, documentation, suppliers, clinical evidence, and post‑market controls so you can identify gaps early and plan remediation.
Use this guide when evaluating an acquisition, investment, licensing deal, or contract manufacturing partner. You will confirm whether approvals (such as FDA 510(k) clearance), certifications (such as ISO 13485 certification), files, and processes are complete, current, and effective.
Regulatory Compliance Requirements
Confirm market authorizations and device scope
- Map all product families, models, accessories, indications, and intended users; verify device classification in each market.
- For the U.S., identify the regulatory pathway used (e.g., FDA 510(k) clearance, De Novo, or PMA) and confirm that the cleared/approved indications match current labeling and claims.
- Outside the U.S., review EU MDR/IVDR certificates or declarations, UKCA status, and other national registrations; ensure technical documentation aligns with the certified scope.
Verify establishment obligations and labeling controls
- Check establishment registration, device listing, UDI assignment, and GUDID/EUDAMED submissions where applicable.
- Review labeling control procedures, language/translation practices, and IFU consistency with cleared claims and risk controls.
Assess compliance governance
- Evaluate regulatory change control and impact assessment processes to ensure timely submissions for design or manufacturing changes.
- Inspect regulatory intelligence and standards management to keep files synchronized with evolving requirements.
- Sample recent submissions and correspondence; confirm commitments and post‑approval conditions have been fulfilled.
Quality Management System Evaluation
Validate certification and coverage
- Obtain the current ISO 13485 certification (scope, sites, and expiry) and review surveillance/recertification audit reports.
- Verify alignment with 21 CFR Part 820 quality system requirements and applicable country-specific additions (e.g., MDSAP outcomes). Note that FDA's Quality Management System Regulation (QMSR) amends Part 820 to incorporate ISO 13485:2016 by reference, with a compliance date of February 2, 2026; check whether the target's transition plan and procedures reflect the QMSR terminology and the Part 820 requirements that remain in addition to ISO 13485.
Test core processes end to end
- Document control and training: confirm role‑based training matrices, effectiveness checks, and timely SOP updates.
- Design controls: trace user needs to design inputs/outputs, V&V, and design transfer; ensure independent review gates.
- Production and process controls: examine validations, maintenance/calibration, software/tooling control, and batch release criteria.
- Complaint handling and service: verify intake, investigation, risk trending, and escalation rules into corrective and preventive action (CAPA).
- Internal audits and management review: look for data‑driven decisions, KPIs, and closure of systemic issues.
Stress‑test CAPA effectiveness
- Sample closed CAPAs for problem statement clarity, root cause proof, verified effectiveness, and prevention of recurrence.
- Check links from CAPA to change control, training updates, and risk files to confirm enterprise‑wide fixes.
Risk Management Procedures
Examine the risk management file
- Confirm ISO 14971‑compliant procedures, risk acceptance criteria, and documented benefit‑risk justifications.
- Review hazard analyses (e.g., FMEA/FTA), risk controls, verification of control effectiveness, and residual risk evaluation.
- Ensure full traceability from hazards to controls, verification evidence, labeling/IFU warnings, and clinical data when applicable.
Evaluate specialty risks
- Usability engineering: assess IEC 62366 activities, formative/summative studies, and use‑related risk mitigations.
- Software and cybersecurity: confirm IEC 62304 lifecycle artifacts (software development plan, safety classification, requirements and architecture, unit/integration/system test records, and SOUP/off-the-shelf component lists), an SBOM that identifies every third-party and open-source component with its version, a vulnerability management process that actually monitors those components, an update/patch strategy with a documented delivery and verification path to fielded devices, and secure development practices (threat modeling, security testing, and penetration test results). For devices that meet the FD&C Act section 524B definition of a "cyber device," FDA expects the SBOM and a plan for monitoring, identifying, and addressing postmarket vulnerabilities as part of the premarket submission, so missing or unversioned SBOM entries are a regulatory gap as well as a security one.
- Sterility and biocompatibility: verify ISO 11135/11137 validations, ISO 10993 evaluations, and shelf‑life/packaging evidence.
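The software and cybersecurity item above asks the reviewer to confirm that an SBOM and a vulnerability management process exist; in practice the reviewer also wants to test whether the delivered SBOM is usable. The following Python script is an added example, not code from the original page or from any vendor or tool it names. It parses a CycloneDX-style SBOM, flags components missing the version, purl, or supplier fields needed to match them against advisories and to trace them to suppliers, and correlates versioned components against an advisory list. The SBOM document and the advisory list are constructed for illustration, the advisory identifiers ADV-EXAMPLE-* are placeholders rather than real CVE numbers, and the version-ordering rule (numeric and alphabetic tokens compared in sequence) is a simplifying assumption, not any ecosystem's official scheme. The same check applies to SBOMs delivered by software suppliers under the quality agreements discussed in the supplier section.

```python
"""Due-diligence check of a CycloneDX-style SBOM: completeness and vulnerable-version correlation.

Added example, not from the original page. The SBOM and advisory data below are
constructed for illustration; ADV-EXAMPLE-* identifiers are placeholders, not CVEs.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM shaped like CycloneDX JSON, trimmed to the fields this check reads.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k", "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},                      # no supplier recorded
        {"type": "operating-system", "name": "rtos-kernel",      # no version, no purl
         "supplier": {"name": "Example RTOS Vendor"}},
        {"type": "library", "name": "mbedtls", "version": "2.16.3",
         "purl": "pkg:generic/mbedtls@2.16.3", "supplier": {"name": "Arm"}},
    ],
})

# Constructed advisories: affected range is [introduced, fixed), matched by component name.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-2", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-3", "name": "mbedtls", "introduced": "2.0.0", "fixed": "2.16.3"},
]


@dataclass
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]
    supplier: Optional[str]


def version_key(version: str) -> tuple:
    """Tokenize a version so that '1.1.1k' < '1.1.1l' and '1.2.11' > '1.2.9'.
    Numeric tokens sort before alphabetic ones; this is a simplifying assumption."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (a missing 'fixed' means still open)."""
    v = version_key(version)
    return version_key(introduced) <= v and (fixed is None or v < version_key(fixed))


def parse_sbom(text: str) -> list:
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        components.append(Component(c["name"], c.get("version"), c.get("purl"), supplier))
    return components


def completeness_findings(components: list) -> list:
    """Fields a reviewer needs before a component can be vulnerability-matched or traced to a supplier."""
    findings = []
    for c in components:
        missing = [f for f in ("version", "purl", "supplier") if getattr(c, f) is None]
        if missing:
            findings.append((c.name, missing))
    return findings


def match_advisories(components: list, advisories: list) -> list:
    """Return (name, version, advisory id) for every versioned component inside an affected range."""
    matches = []
    for c in components:
        if c.version is None:          # unversioned entries cannot be assessed at all
            continue
        for a in advisories:
            if a["name"] == c.name and in_range(c.version, a["introduced"], a.get("fixed")):
                matches.append((c.name, c.version, a["id"]))
    return matches


def assess(sbom_text: str, advisories: list) -> dict:
    comps = parse_sbom(sbom_text)
    return {
        "incomplete": completeness_findings(comps),
        "vulnerable": match_advisories(comps, advisories),
        "unassessable": [c.name for c in comps if c.version is None],
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

Running the script against the constructed data reports openssl and zlib as inside an advisory range, mbedtls as clean because it sits exactly at the fixed version, and the RTOS kernel as unassessable because it carries no version; in a real review the unassessable entries are the ones to push back on first, since no vulnerability scan, however good the feed, can cover them.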
Close the loop to post‑production data
- Confirm mechanisms to feed complaints, service data, adverse events, and field actions back into the risk management file.
- Verify periodic risk reviews and thresholds that trigger CAPA, label changes, or design remediation.
Documentation and Record Review
Design and technical documentation
- Design history file: confirm completeness from user needs through design transfer and design changes, with approvals and rationale.
- Technical documentation/technical file: review GSPR mapping, device description, verification/validation, and clinical evidence references.
Manufacturing records and traceability
- Device Master Record and Device History Records: verify specifications, travelers, acceptance criteria, nonconformances, and rework dispositions.
- Change control: check impact assessments, re‑validation triggers, and regulatory notifications or submissions tied to changes.
Test reports and supporting evidence
- Bench performance, environmental, transport/packaging (ISO 11607), electrical safety (IEC 60601-1), and EMC (IEC 60601-1-2) reports with accredited lab traceability; confirm the tested configuration matches the marketed configuration.
- Software validation, tooling/equipment qualification, and measurement system analysis where measurement data determine release.
Vendor and Supplier Assessment
Qualification and ongoing control
- Supplier risk classification and approval records, including audits or questionnaires and quality agreements covering change notification and access to records.
- Incoming inspection and acceptance activities with clear sampling plans and defect trending.
Performance and issue management
- Scorecards, on‑time delivery, defect rates, and responsiveness to corrective actions (SCARs) with effectiveness checks.
- Verification that critical suppliers maintain required certifications and validated processes; confirm subcontractor flow‑downs.
Resilience and security
- Business continuity, dual sourcing, and obsolescence management for parts, materials, and software components.
- Data integrity and cybersecurity expectations for connected suppliers, including secure file exchange (authenticated, encrypted transfer with integrity verification of delivered firmware, libraries, and records) and, when relevant, SBOM requirements in the quality agreement that specify format, component version detail, and delivery with each software release.
Clinical Evaluation and Performance Data
Clinical narrative and claims support
- Clinical evaluation report: verify methodology, literature appraisal, equivalence rationale (if used), and alignment with intended use and labeling claims.
- For PMA or high‑risk devices, assess pivotal study design, endpoints, statistical power, follow‑up duration, and adverse event management.
Non‑clinical performance evidence
- Bench and validation studies covering accuracy, precision, reliability, robustness, and worst‑case conditions.
- For IVDs, confirm analytical and clinical performance (sensitivity/specificity), lot‑to‑lot studies, and matrix/variant coverage.
Real‑world evidence and updates
- Complaint and registry data, usability findings, and published evidence feeding ongoing claim maintenance.
- Ensure the clinical evaluation plan identifies remaining evidence gaps and assigns them to post‑market clinical follow‑up (PMCF) where warranted.
Post-Market Surveillance Practices
Complaint handling and vigilance
- Evaluate intake channels, medical review, risk classification, and timeliness of adverse event reporting (U.S. Medical Device Reporting under 21 CFR Part 803 and EU vigilance reporting under the MDR/IVDR).
- Confirm trend rules, health hazard evaluations, recall/correction management, and customer communication controls.
Structured PMCF and proactive monitoring
- Assess PMCF plans, objectives, endpoints, and data sources (registries, surveys, RWE studies) mapped to residual risks and claims.
- Verify signal detection tools, statistical thresholds, and governance for rapid escalation to CAPA or design change.
Integration with CAPA and management review
- Check that PMS and PMCF outputs drive measurable CAPA with effectiveness checks and are summarized in management review.
- Confirm resourcing, competencies, and cross‑functional accountability for sustaining surveillance activities.
Conclusion
Robust due diligence confirms that approvals match current claims, the QMS is capable, the risk management file is living and linked to evidence, and suppliers and post‑market systems can scale safely. By testing documentation quality, data integrity, and feedback loops—from design history file to CAPA to PMCF—you reduce integration risk and protect patients and enterprise value.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
What are the key regulatory standards for medical device due diligence?
Focus on the U.S. quality system requirements in 21 CFR Part 820, the appropriate market authorization pathway (e.g., FDA 510(k) clearance, De Novo, or PMA), and ISO 13485 certification for QMS robustness. Confirm ISO 14971 for risk management, IEC 62366 for usability, IEC 62304 for software, and applicable market frameworks such as EU MDR/IVDR, including technical documentation, vigilance, and PMCF expectations.
How is risk management integrated into due diligence?
You assess the risk management file end to end: hazard identification, risk estimation, control selection, verification of control effectiveness, and residual risk evaluation. Then you verify tight links to design controls, labeling, verification/validation, complaint handling, CAPA, and post‑market surveillance so new signals feed back into updated analyses and mitigations.
What documentation is essential for compliance verification?
Core artifacts include the design history file, technical documentation, Device Master Record and Device History Records, verification/validation reports, usability and software evidence, sterilization and biocompatibility data, the clinical evaluation report, the risk management file, complaint and adverse event reporting logs (Medical Device Reporting/vigilance), CAPA records, internal audits, management reviews, and current certificates/approvals and registrations.
How should post-market surveillance be conducted during due diligence?
Review written PMS procedures, complaint handling and vigilance timeliness, trend analyses, and field action management. Confirm proactive activities—such as surveys, registries, or real‑world evidence—and ensure outputs drive CAPA and, when needed, post-market clinical follow-up (PMCF) to close evidence gaps and continuously validate benefit‑risk.