Comprehensive, end to end list of DHF/DDF deliverables

Thomas Cronin

5 min read

In the previous post, From Regulation to Reality: The Foundations of a Modern DHF/DDF, I outlined the regulatory and industry landscape that shapes what a modern evidence system must demonstrate. This post moves from foundations to structure. It turns that landscape into a comprehensive, end‑to‑end list of DHF/DDF deliverables, an operational map of the evidence digital health teams are responsible for as they build, release, and maintain regulated software. By consolidating these expectations into a single view, the table surfaces the true scope of work that sits beneath “compliance” and makes visible the lifecycle footprint teams must manage to stay aligned with regulations, guidance, and contemporary engineering practice. A list alone doesn’t create clarity, though, the value comes from understanding how these activities flow through the real work of software development. In the next posts, I’ll translate this evidence system into Plan–Do–Check–Act (PDCA) playbook and show where automation, traceability, and toolchain integration can reduce friction, eliminate DHF/DDF catch up work, and create a more resilient, audit ready development process.

Category Deliverable What It Contains Primary Drivers
Product Definition Intended Use / Indications Clinical context, target users, environment, high-level claims 21 CFR 820.30, QMSR, CDS/SaMD guidance
Claims & Clinical Rationale Specific claims + supporting rationale IMDRF SaMD Clinical Evaluation, CDS guidance
Regulatory Strategy Summary Classification, pathway, standards FDA classification rules
User Needs & Inputs User Needs Specification User goals, workflows, usability needs 21 CFR 820.30(c), HF guidance
Design Input Requirements Functional, performance, safety, regulatory requirements 21 CFR 820.30(c), QMSR
Software Requirements Specification Detailed software requirements incl. risk, security, privacy IEC 62304, AAMI TIR45
Interface & Integration Requirements APIs, data formats, external systems IEC 62304
Design Outputs Labeling (General) All labeling content: physical labels, digital labels, warnings, contraindications, symbols 21 CFR 820.30(d), QMSR
Instructions for Use (IFU) Step-by-step instructions, indications, contraindications, warnings, operating instructions 21 CFR 820.30(d), HF guidance
User Manual / Digital Help Content Full user guidance, troubleshooting, safety info, digital UX instructions 21 CFR 820.30(d), HF guidance
On‑Screen Instructions & Warnings In‑app instructions, alerts, CDS explanations, transparency statements CDS guidance, HF guidance
Software Safety Classification Software Safety Classification Assessment Classification (A/B/C), hazard contribution, rationale, lifecycle impact IEC 62304
Core Design Controls Design & Development Plan Scope, responsibilities, lifecycle model, reviews, documentation strategy 21 CFR 820.30(b), QMSR, IEC 62304
Software Development Plan (SDP) 62304 lifecycle model, required activities per class, verification strategy, problem resolution, config mgmt IEC 62304
Design Review Records Formal reviews, participants, issues, decisions, follow-up 21 CFR 820.30(e), QMSR
Design Transfer Documentation Evidence design outputs are correctly translated into implementation/production 21 CFR 820.30(h), QMSR
Design Change Records Change descriptions, rationale, impact assessments (safety, performance, cybersecurity, privacy), approvals 21 CFR 820.30(i), IEC 62304
Architecture & Design System Architecture Description Components, boundaries, interfaces, deployment IEC 62304
Software Architecture Specification Modules, layers, data flows, error handling IEC 62304
Detailed / Module Design Algorithms, data structures, state machines IEC 62304
UI/UX Design Artifacts Wireframes, flows, accessibility HF guidance
Multi‑Function / MDDS Boundary Docs Regulated vs non‑regulated functions, interactions MDDS guidance, Multiple Function guidance
CDS Logic & Transparency Docs Rules/models, inputs/outputs, explainability CDS guidance
Implementation & Config Mgmt Design to Code Traceability Mapping from requirements/design to implementation IEC 62304, QMSR
Configuration Management Plan Versioning, baselines, release control IEC 62304
Configuration Item List Controlled software, docs, tools, libraries IEC 62304
Tool Qualification / CSA Records Risk‑based assurance for tools CSA guidance, GPSV
Software Implementation Unit Implementation Documentation Unit/module implementation details, code-level design decisions IEC 62304
Unit Verification Procedures & Results Unit test protocols, expected results, actual results IEC 62304
Software Integration Integration Plan & Procedures Integration strategy, order, methods, acceptance criteria IEC 62304
Integration Test Results Evidence of correct integration of software units IEC 62304
System Testing System Test Procedures & Results System-level test protocols + results, traceability to requirements and risks IEC 62304
Release Software Release Documentation Release ID, known anomalies, unresolved defects + risk rationale, operating environment IEC 62304
Problem Resolution Software Problem Resolution Records Bug reports, investigations, fixes, verification of resolution IEC 62304
Risk Management Risk Management Plan Scope, methodology, acceptance criteria ISO 14971
Hazard Identification & Analysis Hazards, hazardous situations, misuse ISO 14971
Risk Assessment Records Severity, probability, initial risk ISO 14971
Risk Control Measures Controls, rationale, linkage to requirements ISO 14971, 21 CFR 820.30
Residual Risk Evaluation Residual risk + benefit–risk justification ISO 14971
Risk Traceability Matrix Hazards → controls → requirements → tests ISO 14971, QMSR
Risk Management Report Summary + acceptability conclusion ISO 14971
Verification & Validation Verification Plan Strategy, levels, methods, acceptance criteria 21 CFR 820.30(f), IEC 62304
Test Protocols Step-by-step instructions, expected results 21 CFR 820.30(f)
Test Reports Actual results, deviations, conclusions 21 CFR 820.30(f)
Automated Test Evidence CI/CD logs, coverage, regression IEC 62304, AAMI TIR45
Validation Plan Intended-use-focused validation strategy 21 CFR 820.30(g)
System Validation Report Evidence system meets user needs 21 CFR 820.30(g)
HF/Usability Protocol & Report Tasks, findings, mitigations HF guidance, ISO 14971
Clinical/Performance Evaluation Strategy, data, analysis, conclusions IMDRF SaMD, CDS guidance
Real‑World Evidence Plan Use of post‑market data RWE guidance
Cybersecurity Cybersecurity Risk Management Plan Documented process for identifying, assessing, controlling, verifying, and monitoring cybersecurity risks; integration with ISO 14971 FDA Cybersecurity Guidance
Security Requirements Specification AuthN, AuthZ, encryption, logging, integrity FDA Cybersecurity guidance
Threat Model / Security Risk Assessment Assets, threats, attack vectors, mitigations FDA Cybersecurity guidance, ISO 14971
Secure Architecture & Data Flows Trust boundaries, encryption points, network zones FDA Cybersecurity guidance
Software Bill of Materials (SBOM) Components, versions, vulnerabilities FDA Cybersecurity guidance
Vulnerability Management Plan Monitoring, triage, patch strategy FDA Cybersecurity guidance
Vulnerability & Patch Records Issues, severity, remediation FDA Cybersecurity guidance
Secure SDLC Evidence Code reviews, SAST/DAST, dependency scanning FDA Cybersecurity guidance, IEC 62304
Security Test Plan & Reports Pen tests, fuzzing, abuse cases FDA Cybersecurity guidance
Access Control Design & Matrix Roles, permissions, least privilege Security best practice
Logging & Audit Trail Design Logging strategy, retention, monitoring FDA Cybersecurity guidance
Cybersecurity Incident Response Plan Monitoring channels, workflow, communication FDA Cybersecurity guidance
Privacy Post‑Market Cybersecurity Reviews Trends, incidents, improvements FDA Cybersecurity guidance
Data Inventory & Classification Data types, flows, sensitivity Privacy‑by‑design, DPIA practice
Privacy Data Flow Diagrams Collection, processing, storage, sharing Privacy‑by‑design
Consent & Legal Basis Design Consent flows, withdrawal, records GDPR‑style frameworks
DPIA / Privacy Risk Assessment Processing risks + mitigations DPIA practice
Data Minimization & Purpose Limitation Justification for each data element Privacy‑by‑design
Data Retention & Deletion Policy Retention periods, deletion triggers Privacy‑by‑design
Privacy‑Focused Access Control Role-based access, segregation of duties Privacy‑by‑design
Data Subject Rights Procedure Access, deletion, export, objection GDPR‑style frameworks
Third‑Party Processing Register Processors, subprocessors, safeguards GDPR‑style frameworks
Data Processing Agreements (DPAs) Contractual privacy/security obligations GDPR‑style frameworks
Privacy Notice / Transparency Clear explanation of data use, rights Privacy‑by‑design
Post‑Market Privacy‑Relevant Logging Access, export, deletion events Privacy‑by‑design
Post‑Market Surveillance Plan Data sources, analysis, triggers QMSR, ISO 13485
Complaint Handling Records Complaints, investigations, CAPA 21 CFR 820.198
Adverse Event / Incident Reports Reportability assessments, submissions FDA/MDR vigilance
CAPA Records Root cause, actions, effectiveness checks 21 CFR 820.100
Change Control Procedure & Records Change proposals, impact assessments 21 CFR 820.30(i), IEC 62304
Change Impact Assessments Impact on safety, performance, security, privacy QMSR, IEC 62304
Release Notes & Version History Features, fixes, security/privacy changes IEC 62304
Periodic Safety/Performance Review Aggregated findings, trends, decisions PMS best practice

Read more