How many requirement levels does a medical device need?

No standard mandates a number. Most single-product companies do well with three: user needs, system (product) requirements, and subsystem requirements split into software and hardware. A software-only device can often merge the last two into one software requirements level. More levels than you can keep traced is worse than fewer.

Where do risk controls fit into the requirement levels?

Risk control measures from your ISO 14971 process become requirements at whichever level implements them — usually system or software level — and each carries a trace back to the risk it controls. That link is what lets you show every control was implemented and verified, which is exactly what reviewers check.

Can we manage requirement levels in a spreadsheet?

You can start there, and many teams do. The pain arrives with change: when one user need moves, every linked system requirement, software requirement, risk control and test must be re-checked, and a spreadsheet makes you find them by hand. Whatever tool you use, the requirement IDs, levels and links — not the formatting — are the part that has to survive an audit.

We work with agile user stories. Do we still need formal requirement levels?

Yes, but they coexist fine. User stories are a good way to discover and discuss requirements; they are not a controlled requirements baseline. The usual pattern is to let stories drive the work and maintain the levelled, identified, version-controlled requirements as the regulated record that stories feed into.

Requirement Levels for Medical Devices: User Needs to Software Requirements

Q: What is the difference between a user need and a design input?

A user need describes what the user or patient must achieve in their world, in their language — it is validated by checking the device works for real users in real conditions. Design inputs (system requirements) are the engineering restatement: measurable, testable properties of the device — they are verified by tests against acceptance criteria. 'The nurse must be able to silence an alarm without leaving the bedside' is a user need; 'the alarm shall be silenceable from the touchscreen within 2 seconds' is a design input.

Why levels exist

Validation and verification need different things to check against.

The FDA's design-control model — which ISO 13485's design and development clauses mirror — draws one line that explains the whole structure: verification confirms the design outputs meet the design inputs; validation confirms the device meets user needs and its intended use. Two different questions, answered against two different kinds of statements.

That's why a flat, single-level requirements list always breaks down. If everything from "intuitive for night-shift nurses" to "TLS 1.3 for all connections" lives in one list, you can't say what gets validated with users and what gets verified on the bench — and your traceability can't show that high-level intent actually decomposed into things that were built and tested.

Verification asks "did we build it right?" Validation asks "did we build the right thing?" The levels exist so each question has something concrete to be checked against.

The levels

Three levels cover most devices. Four if hardware is real.

LEVEL 1
USER NEEDS

What the user must achieve, in their world.

Written in the user's language, free of solutions. Sources: intended purpose, clinical workflows, usability engineering, regulatory demands. These are what your validation — usability studies, clinical evaluation — is judged against.

UN-012 The clinician must be able to review a patient's dose history during a consultation, without leaving the room or logging into a second system.

LEVEL 2
SYSTEM
REQUIREMENTS

The device's measurable answer.

The engineering restatement — what FDA calls design inputs. Each is testable, with acceptance criteria, and traces up to one or more user needs. Risk control measures from ISO 14971 enter the structure here (or below) as requirements like any other.

SYS-047 The system shall display the dose history for the selected patient within 3 seconds of selection, covering at least the previous 12 months. (traces to UN-012)

LEVEL 3
SOFTWARE / HARDWARE
REQUIREMENTS

What each subsystem must do.

System requirements decompose to the discipline that implements them. For software this is the IEC 62304 software requirements level (clause 5.2) — the baseline your software architecture and software testing answer to. Hardware gets its own parallel set where it exists.

SW-203 The dose-history service shall return the records for a patient ID in under 800 ms for datasets up to 10,000 administrations. (traces to SYS-047)

A software-only device (SaMD) often collapses levels 2 and 3 into a single software requirements level — legitimate, as long as user needs stay separate and the trace to risk controls and tests is kept. The rule of thumb: use the fewest levels that keep validation targets and verification targets apart. Levels you can't maintain are worse than levels you don't have.

What standards expect

Nobody mandates a count — everybody assumes the structure.

Source	What it asks of your requirements
ISO 13485 §7.3.2–7.3.3	Design inputs must include functional, performance, usability and safety requirements, applicable regulatory requirements and risk management outputs — and must be reviewable, unambiguous and verifiable. Outputs must be traceable to inputs.
IEC 62304 §5.2	A software requirements level distinct from system level: software requirements must be documented, analysed for completeness and consistency, and traceable to system requirements and to the risk controls implemented in software.
FDA design controls (QMSR)	The user-needs / design-inputs split is what makes design validation and design verification two different activities. Under the QMSR this now runs through ISO 13485's clauses, but the model is unchanged.
EU MDR	The intended purpose anchors the technical file; the GSPR matrix expects device requirements you can point at as the method of conformity, and Annex II §3 asks for the design information that connects them.

Writing good rows

Rules that hold at every level.

One requirement, one statement. If it contains "and", it's probably two requirements — and two test cases pretending to be one.
Testable, or it isn't a requirement. "Fast", "intuitive", "robust" are aspirations. Numbers, limits and observable behaviours are requirements. If you can't sketch the test, rewrite the row.
Solution-free at the top. A user need that says "via a dropdown menu" has already designed the device. Push the how down a level; keep the what at the top.
Stable IDs, owned rows. Every requirement gets an identifier that never changes meaning, an owner, and a version history. Your trace matrix, risk file and test reports will all cite these IDs for years.
Risk controls are requirements with a second parent. A control measure traces both to the risk it mitigates and into the requirement tree like any other row — that double link is what closes the loop in front of an auditor.

Tracing between levels

The links are the deliverable.

The levels only pay off if the links between them are real: every system requirement traces up to at least one user need, every software requirement up to a system requirement, every row down to the verification that proves it — and risk controls thread through the same structure. Reviewers read this as a graph: pick a user need, walk down to the tests; pick a test failure, walk up to what's affected.

Two orphan checks tell you whether the structure is healthy. Orphan requirements — rows with no parent — mean someone is building things nobody asked for. Childless requirements — rows with no verification — mean promises nobody is checking. Both checks should run continuously, not the week before an audit, because both accumulate silently every time the requirements change.

Common failures

Where levelled requirements go wrong.

The copy-paste cascade. The same sentence appears at three levels with cosmetic edits. If a level adds no decomposition — no added precision, no split into parts — it's adding maintenance cost, not clarity.
User needs written by engineers, for engineers. If level 1 talks about APIs and databases, validation has nothing user-shaped to validate against. Keep the user's vocabulary at the top.
Levels that exist only in document names. A "URS" and an "SRS" with no row-to-row links between them is one level wearing two costumes. The links, not the documents, are the structure.
Requirements frozen after design transfer. Change requests, complaints and risk reviews keep producing requirement changes for the life of the device. A baseline that can't absorb change traceably will be wrong within a quarter.
The 800-row single level. Usually the sign of a team that skipped user needs entirely and wrote implementation notes as requirements. Painful to fix later; cheap to avoid early.

FAQ

Common questions.

How many levels do we actually need?

No standard mandates a number. Three serves most single-product companies: user needs, system requirements, and software/hardware requirements. SaMD teams often run two. The test is functional: can validation and verification each point at their own level? If yes, you have enough.

What's the difference between a user need and a design input?

A user need lives in the user's world and language — it's validated with real users. A design input is the device's measurable answer — it's verified with tests. "The nurse must be able to silence an alarm without leaving the bedside" is a need; "the alarm shall be silenceable from the touchscreen within 2 seconds" is an input.

Where do risk controls fit in?

They become requirements at the level that implements them, with a trace back to the risk they control. One row, two parents: the hazard chain on one side, the requirement tree on the other. That's the loop reviewers walk.

Is a spreadsheet enough for this?

To start, yes — and the IDs, levels and links you define there are exactly what survives a later migration. The pain arrives with change: every moved requirement means hand-finding every linked row, risk and test. When that re-checking becomes someone's job title, the spreadsheet has done its tour of duty.

We use agile user stories. Do we still need this?

Yes — and they coexist well. Stories are how you discover and discuss; the levelled, identified, version-controlled requirements are the regulated record the stories feed. Teams that try to make Jira tickets be the design inputs usually rediscover why the levels exist, mid-audit.

Requirement levels: from user needs to software requirements.