New FDA Guidance on Software Documentation for Medical Devices

Doctor working in an operating room checking monitors

July 17, 2023

Food and Drug Administration announces revised documentation requirements for medical device software submissions

Manufacturers looking to gain market access for their medical devices were notified by the Food and Drug Administration last month of a new, risk-based approach to determining a device's documentation needs for software functions and regulatory approval.

FDA's revised guidance gives medical device manufacturers information on how to evaluate a device's Documentation Level as either Basic or Enhanced, in place of the previous Level of Concern (LOC) categorization that distinguished devices as Minor, Moderate, or Major. This new guidance is the first substantial update to FDA's documentation procedures for software-related functions since 2005.

The new guidance significantly changes the existing approach and rubric for how a device manufacturer should identify the appropriate level of documentation to include in a regulatory submission for software functions.

Medical device manufacturers must begin following the new guidance for all submissions within 60 days of the initial June 14, 2023, publication date. The FDA Center for Devices and Radiological Health has stated it will also begin reviewing this revised information in applications submitted before the deadline, if included. The most recently released version of eSTAR (v4) incorporates the Documentation Level approach per this revised software guidance.

To help sponsors and stakeholders understand FDA's revised evaluation process, a webinar will take place Thursday, July 20, at 1 p.m. EST to discuss the final guidance, Content of Premarket Submissions for Device Software Functions, which will:

  • Discuss the risk-based approach to determining the recommended documentation level for a premarket submission
  • Answer questions about the recommendations for information to be included in premarket submissions for the newly designated Basic and Enhanced Documentation Levels

Key changes to documentation requirements for Minor LOC medical device software submissions

The Basic Documentation requirements share some similarities with the Minor LOC documentation requirements; however, the new guidance does include notable differences, such as:

  • Requirement of a Risk Management File containing a risk management plan, a risk assessment demonstrating risks have been appropriately mitigated, and a risk management report
  • Individual requirements outlined and traced to risk management, the architecture design chart, and verification/validation testing
  • Requirement of an Architecture Design Chart
  • Requirement of a Software Development Environment Description, which can be satisfied via a Declaration of Conformity to IEC 62304 subclause 5.1, clause 6 and clause 8 among others
  • Summary of unit, integration, and system-level verification/validation testing with a system-level testing report including expected results, observed results, and pass/fail determination
  • Requirement of an Unresolved Anomalies list

The new guidance also provides a comprehensive list of examples for selecting the correct Documentation Level for a submission as well as style guidelines indicating when visual and language considerations for architecture diagrams should be included.

Documentation Level evaluation for medical device software submissions

FDA's new guidance also provides additional information to assist device makers in evaluating the appropriate Documentation Level for their submission. Specifically, the guidance notes "sponsors should consider all known or foreseeable software hazards and hazardous situations associated with the device, including those resulting from reasonably foreseeable misuse, whether intentional or unintentional, prior to the implementation of risk control measures. This also includes the likelihood that device functionality is intentionally or unintentionally compromised by inadequate device cybersecurity."

This new guidance broadens the scope for devices at the Enhanced Documentation Level and alludes to its 2014 and 2005 cybersecurity guidance documents.

A comparison of the minimum documentation required by the new guidance

The table below compares the documentation for Minor LOC (2005 guidance) against the new Basic Documentation Level (2023 guidance).


Document Section

Minor LOC (2005 Guidance)

Basic Documentation Level (2023 Guidance)

Documentation Level Analysis

Required (called Level of Concern Analysis)

Required (called Documentation Level Evaluation)

Software Description

Summary Overview Required

Description including overview of software features, functions, analyses, inputs, outputs, and hardware platforms is required

Risk Management

Required (called Device Hazard Analysis)

Required (called Risk Management File — Plan, Assessment, and Report)

Software Requirement Specification (SRS)

Summary of functional requirements

Individual requirements that trace to risk management, SDS (if applicable), architecture design chart, and testing

Architecture Design Chart

Not Required


Software Design Specification (SDS)

Not Required

Not Required

Traceability Analysis


Required as a part of the Software Requirement Specification (SRS)

Software Development Environment Description

Not Required

Summary of lifecycle development plan and configuration/maintenance activities OR IEC 62304 Certification

Verification and Validation Documentation

Software functional test plan, pass/fail criteria, and results

Summary of unit, integration and system-level testing, and system-level report

Revision Level History



Unresolved Anomalies

Not Required


As seen in the above table, the new guidance requires more software documentation compared to the previous guidance, even for devices considered to have a Minor LOC, which will now require Basic Documentation under the new guidance. For example, the new guidance requires an architecture design chart and listing of unresolved anomalies.

What Can We Help You Solve?

Exponent's multidisciplinary team of medical device, software, artificial intelligence, and regulatory consultants can help clients navigate both the premarket and post-market requirements for medical devices. Our consultants have expertise in bringing devices including software components to market, and we support medical device manufacturers throughout their product's lifecycle.