Design and Development Planning

The US regulations for design controls have requirements for design and development planning.  In fact, a design and development plan is an indication that a manufacturer has “exited” research phase activities and entered the development phase, and thus, design controls should be in place.  The regulation, 21 CFR 820.30(b), specifically states:

Design and development planning. Each manufacturer shall establish and maintain plans that describe or reference the design and development activities and define responsibility for implementation. The plans shall identify and describe the interfaces with different groups or activities that provide, or result in, input to the design and development process. The plans shall be reviewed, updated, and approved as design and development evolves.
ISO 13485 §7.1 also outlines planning activities for product realization.  From the standard, it states:
The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system.
The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see ISO 13485 §4.2.5).
In planning product realization, the organization shall determine the following, as appropriate:
  1. quality objectives and requirements for the product;
  2. the need to establish processes and documents (see ISO 13485 §4.2.4) and to provide resources specific to the product, including infrastructure and work environment;
  3. required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product together with the criteria for product acceptance;
  4. records needed to provide evidence that the realization processes and resulting product meet requirements (see ISO 13485 §4.2.5).
The output of this planning shall be documented in a form suitable for the organization’s method of operations.

What should be included in the design and development plan?

Using the US regulation, SoftwareCPR points out the three key aspects to include in a design and development plan:
  • Write it down.  Create a plan that allows agreement on all the quality processes that will be employed during the entire lifecycle of the product.  Write down what you do know in the plan, and identify the areas with unknowns that will be researched and updated as part of the lifecycle of the product.  Use the 80/20 rule – don’t get hung up on the 20% you don’t know – release the plan.  Then update the plan as more is learned.
  • Interfaces between groups – except for the smallest manufacturers, generally many different groups will work together to design, develop, verify, validate, manufacture, service, and monitoring a medical device.  The design and development plan is the place to describe how the groups responsible for all those disparate functions will interface/interact/communicate, and at what points in the lifecycle will these interactions will occur.
  • Identify the activities that will occur at each lifecycle phase and what deliverables will be produced.

A common design and development plan outline from various industries follows:

  1. Introduction
    1. Project Overview
    2. Project Deliverables
    3. Evolution of the SPMP
    4. Reference Materials
    5. Definitions and Acronyms
  2. Project Organization
    1. Process Model
    2. Organizational Structure
    3. Organizational Boundaries and Interfaces
    4. Project Responsibilities
  3. Managerial Process
    1. Management Objectives and Priorities
    2. Assumptions, Dependencies, and Constraints
    3. Risk Management
    4. Monitoring and Controlling Mechanisms
    5. Staffing Plan
  4. Technical Process
    1. Methods, Tools, and Techniques
    2. Software Documentation
    3. Project Support Functions
  5. Work Packages, Schedule, and Budget
    1. Work Packages
    2. Dependencies
    3. Resource Requirements
    4. Budget and Resource Allocation
    5. Schedule


About the author

Brian is a biomedical software engineer - whatever that is! Started writing machine code for the Intel 8080 in 1983. Still enjoys designing and developing code. But probably enjoys his garden more now and watching plants grow ... and grandkids grow!

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.