Reviewing What We Know About LOC in Medical Devices

Remember the 2005 guidance document, Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices? In 2020 that guidance is as relevant as ever, and it can be useful to review what we know about the FDA’s expectations regarding Level of Concern (LOC) in medical devices. LOC is important if for no other reason than it determines what manufacturers should include in their premarket submission. The higher the LOC, the more extensive documentation the FDA “recommends” manufacturers submit.

Since manufacturers must state the LOC in their submission, and describe how they arrived at that LOC, it is important to understand the definition of LOC. As a term of art, Level of Concern means “an estimate of the severity of injury that a device could permit or inflict, either directly or indirectly, on a patient or operator as a result of device failures, design flaws, or simply by virtue of employing the device for its intended use.” For software specifically, LOC also implicates the “role of the software in causing, controlling, and/or mitigating hazards that could result in injury to the patient or the operator.”

Before jumping in to the three different levels of concern, note that LOC is not necessarily related to device classification or hazard or risk analysis. The FDA suggests that LOC be determined before any mitigation of relevant hazards. This means that mitigations, regardless of their effect on the individual hazards, do not necessarily decrease the LOC for a device.


What are the Levels of Concern?


Determining LOC for a Device


Documentation Based on LOC

Remember, LOC is about what documentation should be submitted to the FDA. Just because a manufacturer of a device with a Minor LOC does not have to submit as many documents as a manufacturer of a device with a Moderate or Major LOC, does not mean that the Minor LOC device manufacturer should not perform tests or keep documentation for a potential FDA inspection. The LOC flowchart and suggestions in this guidance are more about clerical ease – they govern paperwork to be submitted, but they do not necessarily excuse a manufacturer from “work” in the software development process.

There is some software documentation that must be submitted for all devices, regardless of the LOC. That list is:

  • Level of Concern Statement
  • Software Description
  • Device Hazard Analysis
  • Traceability Analysis
  • Revision Level History

The list of software documentation that differs based on the LOC is:

  • Software Requirements Specification
  • Architecture Design Chart
  • Software Development Environment Description
  • Verification and Validation Documentation
  • Unresolved Anomalies

In this list, the Moderate and Major LOC devices mostly have similar documentation requirements, although the Major LOC devices have additional requirements for the Software Development Environment Description and the V&V Documentation. Of these five types of documentation, only one category (V&V documentation) is required at the time of submission for Minor LOC devices. However, as previously mentioned, that does not mean that a manufacturer of a Minor LOC device does not need to perform any activity except V&V. This is the case even if a standard purports to exempt that type of device from some documentation – that is not what the FDA intended to convey with their LOC flowchart. When you think of the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, think of the LOC flowchart as a list of submission requirements that the manufacturer can (and maybe should) exceed for their own records.


Read our initial impression of the guidance here: CBER Software Submission Guidance FDA CDRH

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.