Assyro AI
Editorial illustration for Design Controls Software: How to Choose and Implement the Right Workflow for Medical Device Development.

Design Controls Software: How to Choose and Implement the Right Workflow for Medical Device Development

Design controls software is a system for managing controlled design and development evidence: user needs, design inputs, outputs, reviews, verification, validation, risk links.

Assyro Team
Published July 8, 2026

Overview

Design controls software is a system for managing controlled design and development evidence: user needs, design inputs, outputs, reviews, verification, validation, risk links, design changes, and Design History File (DHF) records. Whether you need a dedicated tool depends mainly on your device risk class, team size, and how much software is in your product. This guide covers what qualifies as design controls software, which tool category fits which team, how to validate the system itself, and how to migrate from spreadsheets without losing traceability.

Most content about design controls explains the regulation and treats software as an afterthought. This article does the reverse. It assumes you already know why design controls matter under FDA 21 CFR 820.30 and ISO 13485, and focuses on the practical questions: which software category to evaluate, what capabilities produce audit-ready evidence, what validation and implementation actually involve, and where the cost and effort come from.

What design controls software is

Design controls software is any system used to create, link, review, approve, and preserve the records that a design control process requires. According to SimplerQMS, FDA 21 CFR Part 820.30 sets forth specifications for design controls in medical device development, and the FDA's Quality System Regulation under 21 CFR Part 820 mandates design controls for Class II and III devices. ISO 13485:2016 sets comparable specifications and, per the same source, is harmonized with Regulation (EU) 2017/745 (EU MDR). Design controls have been part of the FDA Quality System Regulation since 1997, so the record types are well established; what varies is how teams manage them.

The design control process is commonly described as eight stages: planning, inputs, outputs, reviews, verification, validation, transfer, and changes. Design controls software earns its name when it manages the records of those stages as linked, versioned, approvable objects rather than as loose documents. The distinguishing capability is traceability: every design input should point back to a user need and forward to outputs, tests, and reviews, and every change should show its impact across that chain.

A compact worked example shows the difference in practice. Suppose your team is developing an infusion pump companion app and captures the user need "the clinician must be alerted when the pump loses connectivity." In a design controls tool, that becomes a chain of linked records: user need UN-014 links to design input DI-042 ("the app shall display a connectivity-loss alert within 10 seconds of losing the pump signal"), which links to risk RISK-017 (delayed alert leads to missed occlusion event), design output DO-058 (the alert module specification), and verification protocol VER-033 (a timed connectivity-drop test with pass/fail criteria). When an engineer later proposes raising the alert threshold to 15 seconds to reduce false alarms, the system shows every record affected: the input, the risk evaluation, the verification protocol, and the design review that approved the original value. The constraint that makes this valuable is not any single record; it is that the impact of one proposed change is visible across all of them before anyone approves it. In a spreadsheet, that impact assessment depends on someone remembering the links.

What it should not be confused with

Several adjacent tool categories overlap with design controls without covering it. The distinction matters because buying the wrong category leaves gaps you discover during an audit.

  • General QMS or eQMS software manages quality processes broadly (documents, CAPAs, training, audits). Many eQMS platforms include a design controls module, but document-centric eQMS tools may not manage requirements as linked records.
  • PLM software manages product structure, BOMs, and engineering change orders. It is strong on physical product data, weaker on requirement-to-test traceability.
  • ALM software manages software requirements, code, builds, and tests. It is strong for software teams but usually lacks DHF structure and quality-system approval workflows.
  • Requirements management tools handle inputs, outputs, and traceability well but may not manage design reviews, risk files, or DHF compilation on their own.
  • Risk management and test management tools each cover one slice of the evidence chain.
  • Document control systems manage versions and approvals of documents, not the item-level links between requirements, risks, and tests.

None of these categories is wrong; each covers part of the evidence chain. The evaluation question is which combination covers your full chain without duplicating records across systems.

Why medical device teams use software for design controls

The practical driver is evidence integrity under change. Design control records are not static; requirements evolve, risks are reassessed, and tests are rerun, and every change must remain traceable to what it affects. Jama Software's practitioner guidance notes that design controls not only support regulatory compliance, they help develop better products, and a 1996 MD+DI article made the early case that design controls can provide quantifiable benefits in increased quality and reduced development schedules. Software makes those benefits achievable at scale by holding the links, versions, approvals, and audit trail in one place.

The stakes are real. SimplerQMS cites a June 2022 recall involving 23,372 HeartWare Ventricular Assist Devices as an example of what design and quality failures can cost. Software does not prevent design failures on its own, but it makes gaps visible earlier: an input with no verification, a risk control with no linked output, a change approved without an impact assessment.

Where spreadsheets and shared drives start to break down

Spreadsheets work for small, stable projects with one owner. They break down predictably as products and teams grow. Trace links live in cell references or manual IDs, so a renamed requirement silently orphans its tests. Approval status lives in a column with no signature, timestamp, or version lock behind it. Two engineers edit different copies, and the "master" traceability matrix diverges from reality. When a design change lands, no one can query which verification records are now stale, so impact assessment becomes archaeology. By the time you assemble the DHF for a submission or audit, you are reconstructing evidence rather than exporting it. If any of these symptoms are already occurring, the migration cost is only going to grow.

Core capabilities to look for in design controls software

Capability lists from vendors tend to be long; the useful filter is whether each capability produces or protects a specific piece of design control evidence. Not every company needs every feature, but four capability groups matter across almost all contexts.

Requirements, risk, and traceability management

The system should manage user needs, design inputs, design outputs, risks, verification records, and validation records as distinct, linkable items. Bidirectional links matter: you need to answer both "which tests cover this input?" and "which inputs does this failed test put at risk?" A traceability matrix should be a generated view of live links, not a manually maintained document. If a tool requires you to maintain the matrix by hand, it has not removed the failure mode that drove you off spreadsheets.

Educational visual for Requirements, risk, and traceability management in Design Controls Software: How to Choose and Implement the Right.
Educational visual for Requirements, risk, and traceability management in Design Controls Software: How to Choose and Implement the Right.

Review, approval, audit trail, and electronic signature controls

Design reviews and approvals are regulated records, so the system should capture who reviewed, who approved, when, and against which version. Look for controlled review workflows with named owners, immutable timestamps, version history on every record, and an audit trail that captures changes to both content and links. Where electronic signatures are used for regulated records, confirm the vendor's documentation on how their signature and audit trail implementation supports your compliance obligations rather than accepting a generic compliance badge.

DHF, design review, and change evidence

The DHF is where design control evidence is compiled, and the software should make compilation an output rather than a project. Evaluate whether the system can produce a point-in-time export of the full evidence chain: inputs, outputs, review records, verification and validation results, risk file links, and change history. For design changes, the system should support a change record that captures the impact assessment, affected items, re-review, and re-approval. Ask vendors to demonstrate a DHF export and a completed change record, not just the entry screens.

Integrations with engineering and quality systems

No design controls tool replaces your entire system landscape, so integration quality often matters more than feature breadth. Software teams typically need connections to ALM or issue trackers and automated test systems; quality teams need connections to document management and risk files; manufacturers may need PLM or ERP links for design transfer. Fragmented file storage is a common root cause of version drift; as a bounded example from an adjacent domain, Assyro's document management connects SharePoint, Box, and Google Drive to keep version history aligned and reduce handoff errors before validation and final assembly, which is the same failure mode design controls tools must solve for design records. Whatever category you buy, confirm that links to external records (a test run in a CI system, a document in SharePoint) remain stable and auditable.

Software category decision matrix

The categories above are not interchangeable, and the right choice depends on company maturity, product type, and existing systems. The matrix below compares the main approaches by best-fit scenario, typical strengths, common limits, and what you will likely need to integrate.

Category

Best fit

Strengths

Limitations

Typical integration needs

eQMS with design controls module

Growing manufacturers wanting one quality system

Approvals, audit trails, DHF structure, QMS context

Requirements handling can be document-centric

ALM/test tools for software evidence

PLM

Hardware-heavy manufacturers with complex BOMs

Product structure, engineering change orders, transfer

Weak requirement-to-test traceability

Requirements and risk tools

ALM

Software-heavy device and SaMD teams

Code, build, and test traceability; CI/CD fit

Lacks DHF structure and QMS approvals

eQMS or document control

Requirements management

Teams whose core gap is input/output traceability

Strong linking, baselines, trace views

Reviews, risk file, DHF need other tools

Risk, test, and document systems

Risk management tool

Teams formalizing ISO 14971-style risk files

Hazard analysis, risk-control linkage

Covers one slice of the chain

Requirements and test records

Test management tool

Teams formalizing V&V execution evidence

Protocols, runs, results, defect links

No inputs, reviews, or DHF

Requirements and change records

Document control only

Very early teams with few linked records

Simple, low cost, familiar

Item-level traceability is manual

Everything else, eventually

Use the matrix as a starting hypothesis, then pressure-test it against your specific scenario. The four profiles below cover the most common situations.

Early-stage startup

If you have one product, a small team, and are pre-submission, a lightweight QMS plus disciplined requirements and document control can be sufficient for a time. The risk is deferring traceability until it is expensive: reconstructing links between hundreds of requirements, risks, and tests after the fact is far harder than maintaining them from the start. A reasonable compromise is to adopt item-level requirements and risk linking early, even in a modest tool, and defer heavier workflow features. Plan the upgrade before your first submission or design transfer, not after.

Growing manufacturer preparing for submission or audit

As product and team complexity grow, the weak points shift from record creation to record integrity: complete trace chains, current DHF content, documented design reviews with the right participants, and defensible change records. At this stage, an eQMS with a genuine design controls module, or a requirements tool integrated with your QMS, usually fits best. Evaluate candidates against your audit scenario: can the system show an auditor the full chain for a sampled requirement, and the impact record for a sampled change, without manual assembly? Workflow ownership also matters more here; the tool should make it obvious who owns each open review and unresolved link.

Software-heavy device or SaMD team

Design controls apply to all medical device software, including SaMD, under ISO 13485 Clause 7.3 and FDA 21 CFR 820.30, and the FDA classifies software as a medical device when it performs a medical function independent of hardware, per the same Momentum analysis. For these teams, ALM integration is usually the deciding criterion: requirements need to trace to code changes, automated test results, and release versions, and design change workflows need to keep pace with frequent releases. A design controls layer that cannot consume evidence from your CI and test automation systems will push teams back into manual transcription, which is where traceability dies. Prioritize tools that treat automated test output as first-class verification evidence.

Enterprise manufacturer with PLM or ERP already in place

If PLM already owns product structure and ERP owns transfer and production data, design controls software should fill the requirements-risk-V&V traceability gap without duplicating those systems. Duplicated masters create their own compliance problem: two systems disagreeing about the current released specification. Define system boundaries first (which system is the source of truth for each record type), then evaluate design controls tools on how cleanly they respect those boundaries. Integration depth and data governance matter more here than any individual feature.

A worked traceability example

The fastest way to evaluate a tool is to walk one complete evidence chain through it. This section traces a single requirement for a hypothetical SaMD product, a glucose-monitoring companion app, from user need to post-launch change, and names the record the software should hold at each step.

From user need to measurable design input

The clinical need starts vague: "patients need to know when their glucose is dangerously low." That is not verifiable as written. The design controls tool should hold it as a user need record, then link it to one or more measurable design inputs, for example: "the app shall generate a hypoglycemia alert within 60 seconds of receiving a sensor reading below the configured threshold." Each input carries acceptance criteria an engineer can test and a verifier can pass or fail. The linked risk record (missed or delayed alert) is created in the same pass, so the risk control and the requirement are born connected rather than reconciled later.

From design output to verification and validation evidence

Design outputs for this input include the alert module architecture, the threshold configuration specification, and the implemented code and build. Verification evidence is the executed protocol showing the alert fired within 60 seconds across the tested conditions, with results linked back to the input and the risk. Validation evidence is different in kind: it shows the alert meets the user need in the intended use environment, for example through simulated-use testing with representative patients. The software's job is to keep verification and validation records distinct, linked to the right upstream items, and attached to the design review that accepted them. When the review is approved, the tool should lock the reviewed versions so later edits create new versions rather than silently rewriting approved evidence.

From change request to DHF update

Six months after launch, the team proposes changing the default alert threshold based on field data. The change record should automatically surface everything linked to the affected input: the risk evaluation, the verification protocol that tested the old value, the labeling that documents the default, and the design review that approved it. The impact assessment determines what must be redone (at minimum, re-verification of the alert timing at the new threshold and a risk file update), the change is reviewed and approved, and the DHF view updates to reflect the new current chain while preserving the prior one. This is the test to run in any vendor demo: process one realistic change and inspect the resulting evidence.

Validating the design controls software system itself

A design controls tool holds regulated records, so most quality systems will require some form of validation of the tool for its intended use before go-live. The practical goal is proportionate evidence that the system reliably does what your process depends on, not exhaustive testing of every vendor feature. Plan validation as part of the purchase, because it is a meaningful share of total implementation effort.

Define intended use and user requirements

Validation scope follows from intended use: which records the system will hold, which decisions it supports, and which regulated processes depend on it. Write user requirements for the tool the same way you write design inputs, as verifiable statements ("the system shall prevent approval of a design review by a user without the approver role"). A team using the tool only for traceability views has a narrower validation scope than one using it for electronic approvals of design reviews. Scope decisions made here determine test effort later, so involve QA early.

Assess vendor documentation and configuration

Vendor qualification and configuration control carry much of the validation load. Review the vendor's own testing and release documentation, their change notification process for cloud updates, and their audit trail and electronic records implementation. Then document your configuration: roles and permissions, workflow states, approval routing, audit trail settings, and any fields or templates you customize. Configuration is where most risk lives in modern SaaS tools, because the vendor tests the platform but only you test your configuration against your process.

Test, train, release, and maintain

A workable validation and release sequence looks like this:

1. Confirm intended use and finalize user requirements for the tool.

2. Complete vendor assessment and document the supported configuration.

3. Execute validation tests against your user requirements in your configured environment, including permissions, approvals, audit trail behavior, and trace-link integrity.

4. Train users by role and retain training records.

5. Release under change control, with a defined cutover point for regulated records.

6. Maintain validated status: assess vendor updates, revalidate affected functions, and periodically review audit trails and access.

Treat this as a living obligation rather than a one-time gate. Cloud vendors ship updates continuously, and your validation process needs a defined path for assessing them.

Implementation path from manual tools to controlled workflows

Migration is where design controls software projects succeed or fail, because the goal is not moving files, it is preserving evidence integrity across the move. Teams coming from spreadsheets, shared drives, and issue trackers should plan the migration as a controlled process with its own review points.

Start by cataloging what exists: user needs, requirements, risk records, test protocols and results, design review minutes, approvals, and DHF documents, wherever they live. Expect to find duplicated requirements, orphaned tests, and approvals whose evidence is an email. Resolve conflicts before migration, because importing contradictory records into a controlled system just gives the contradictions an audit trail. The inventory also tells you what history must migrate as regulated records versus what can be archived and referenced.

Map fields, owners, and approval states

Before configuring the tool, define your record types, required fields, statuses, owners, and approval states, and decide your change thresholds (which edits require re-review and which do not). This mapping is a process design exercise, not a software task, and it is where QA, engineering, and regulatory need to agree. A common failure is configuring the tool around one team's vocabulary and discovering at the first cross-functional review that engineering and quality mean different things by "approved." Write the mapping down and treat it as a controlled document.

Pilot before full migration

Migrate one bounded scope first: a single product, module, or in-flight design change. Run it through the full workflow, including a real design review and a real change record, and audit the resulting evidence before committing the rest of your history. The pilot surfaces configuration gaps, training needs, and integration issues while they are cheap to fix. Optimize for evidence quality over speed; a slower migration that preserves DHF continuity beats a fast one that leaves an evidentiary gap between the old system and the new.

Special considerations for medical device software and SaMD

Software-intensive products stress design controls in ways hardware-era processes did not anticipate. Releases are frequent, evidence is generated by machines, and parts of the product (libraries, cloud services) change outside your direct control. Your design controls software choice should be tested against these realities, not just the classic eight-stage flow.

Traceability across code, tests, and releases

For SaMD and software-heavy devices, the trace chain extends into the engineering toolchain: a requirement should be traceable to the code changes that implement it, the automated test results that verify it, and the specific release version that shipped it. This usually means integrating the design controls layer with issue trackers, version control, and CI systems rather than transcribing evidence manually. Automated test results can serve as verification evidence when they are linked to protocols and requirements and retained under control; the risk is unlinked evidence sitting in a CI system that no auditor can connect to an input. Evaluate tools on whether they can consume and preserve this evidence, not just reference it.

Cybersecurity and third-party component changes

Security requirements (authentication, logging, patching) work best when treated as formal design inputs with linked risks, not as features added late. The harder operational problem is change that originates outside your roadmap: a vulnerability fix, a third-party library update, a cloud service behavior change, or infrastructure configuration drift. Each of these can invalidate verification evidence without any product decision being made, so your design change workflow needs an intake path for them, with a proportionate impact assessment rather than a full-chain review for every patch. Define risk-based thresholds in advance for which changes trigger which level of review, and make sure the software can record the assessment even when the outcome is "no impact."

How to evaluate cost, effort, and ROI without relying on vendor promises

Published pricing is rare in this category, so evaluate cost through effort drivers rather than list prices. The total cost of ownership has several components beyond licensing, and the non-license components are frequently the larger share for regulated teams.

The main drivers to model are: number of users and their roles (viewer versus approver licensing often differs), number of products and the depth of history to migrate, validation scope (electronic approvals and signatures expand it), number and complexity of integrations, training burden across functions, ongoing governance effort (keeping links and reviews current), and audit preparation time saved or added. Ask each vendor to walk through a scenario matching your team size and migration scope, and get their validation documentation package into the evaluation early, since a tool with strong vendor documentation can materially reduce your own validation effort.

Frame ROI qualitatively and honestly. The defensible benefits are faster impact assessment on changes, less rework from version drift, faster DHF assembly, and audit findings avoided. If a vendor quotes quantified savings, ask for the assumptions behind them and test those assumptions against your own numbers.

How design controls software connects to submission and lifecycle workflows

Design control evidence does not end at the DHF; it feeds regulatory submissions and lives through the product lifecycle. Verification and validation records, risk documentation, and design change histories become inputs to premarket submissions and to postmarket change evaluations, so the handoff between your design controls system and your submission workflow is worth designing deliberately. Fragmentation at this boundary recreates the same version drift problem inside the submission cycle.

This is where regulated document coordination tools complement design controls software. As a bounded example, Assyro's regulatory submission workspace has regulatory, quality, and submission teams reviewing against the same version with shared comments, owners, and traceability, and its lifecycle management workflows trigger validation, drafting, routing, and readiness checks automatically at T-30, T-14, and T-3 milestones. Assyro's platform describes 21 CFR Part 11, GxP, and EU Annex 11 aligned workflows with role-based access and linked submission evidence, and for eCTD-based submissions its free eCTD validator runs 358 CFR, ICH, and FDA TRC structural checks across Modules 1-5 in the browser, supporting v3.2.2 and v4.0 dossiers. The general principle holds regardless of vendor: the same discipline you apply to design control traceability (single current version, named owners, auditable decisions) should extend into how that evidence moves into submissions.

Educational visual for How design controls software connects to submission and lifecycle workflows in Design Controls Software: How.
Educational visual for How design controls software connects to submission and lifecycle workflows in Design Controls Software: How.

Selection checklist

Use this checklist to structure vendor evaluations and internal readiness discussions before you commit.

  • Scope: Which record types (needs, inputs, outputs, risks, reviews, V&V, changes, DHF) will the system own, and which stay in other systems?
  • Traceability: Are links bidirectional, item-level, and queryable, with a generated (not manual) traceability matrix?
  • Reviews and approvals: Are review workflows controlled, with owners, versions, timestamps, and signatures where required?
  • Audit evidence: Can the system export a point-in-time DHF view and a complete change record on demand?
  • Validation: Is the vendor's documentation strong enough to support proportionate validation of your configuration?
  • Integrations: Does it connect to your ALM, test, risk, document, and (where relevant) PLM/ERP systems without duplicating masters?
  • Migration: Is there a credible path for importing legacy records while preserving DHF continuity?
  • Governance: Do roles, permissions, and change thresholds match how your QA, RA, engineering, and product teams actually work?
  • Lifecycle maintenance: Can the team realistically keep links, reviews, and risk records current after launch?

Score candidates against this list using your own worked example, ideally the same requirement-to-change chain described earlier, rather than a vendor-selected demo scenario.

FAQs

What is design controls software, and how is it different from general QMS software?

Design controls software manages design and development evidence as linked, versioned records: user needs, inputs, outputs, risks, V&V results, reviews, changes, and DHF content. General QMS software covers broader quality processes such as documents, CAPAs, training, and audits. Many eQMS platforms include a design controls module, but document-centric QMS tools often lack item-level traceability between requirements, risks, and tests.

Can spreadsheets be used for design controls?

Yes, for small, stable projects with one owner, and neither FDA 21 CFR 820.30 nor ISO 13485 mandates specific tooling. Spreadsheets break down as products and teams grow: links go stale silently, approvals lack signatures and version locks, and change impact assessment becomes manual reconstruction. Plan a move to controlled tooling before your first submission, audit, or significant design change cycle.

Does design controls software need to be validated?

If the system holds regulated records or supports regulated decisions, your quality system will generally require validation for its intended use. Scope the validation to your intended use and configuration, rely on vendor documentation where it is credible, test your own configuration (permissions, approvals, audit trails, trace links), train users, and maintain validated status as the vendor ships updates.

How does design controls software support a traceability matrix?

Good tools generate the matrix as a live view of bidirectional links between user needs, design inputs, risks, outputs, verification, and validation records. That means the matrix is always current with the underlying records, and gaps (an input with no test, a risk with no control) are queryable rather than discovered during audit preparation.

Which software category is best for a SaMD team?

SaMD teams usually need ALM integration as the deciding criterion, because requirements must trace to code changes, automated test results, and release versions. Design controls apply to all medical device software, including SaMD, per ISO 13485 Clause 7.3 and FDA 21 CFR 820.30, so the practical choice is a design controls layer that consumes engineering evidence automatically, paired with QMS-grade review and DHF capabilities.

What audit evidence should design controls software produce?

At minimum: a complete trace chain for any sampled requirement, design review records with participants, versions, and approvals, executed verification and validation protocols linked to inputs and risks, change records with impact assessments, an audit trail of edits to records and links, and a point-in-time DHF export. If a vendor cannot demonstrate these outputs live, treat the gap as disqualifying.

What drives the cost and implementation effort of design controls software?

The main drivers are user count and roles, number of products, depth of legacy history to migrate, validation scope, integration count and complexity, training burden, and ongoing governance effort. Pricing in this category is typically quote-based, so build a scenario matching your team and migration scope and ask each vendor to cost it, including their validation documentation package.

About the author

Assyro Team

Expert regulatory operations consultants helping pharmaceutical companies navigate complex compliance challenges.

Demos available this week