The lean SaMD regulatory approval starter kit: like an MVP but for documentation

Once you understand your intended use and identify the right predicate device, the next question founders face is immediate and urgent: “What documentation do we actually need for our FDA submission?”

This is often the moment when innovators discover ISO 13485, IEC 62304, ISO 14971, FDA’s cybersecurity expectations, postmarket controls, and the long list of documents that seem to accompany every regulatory requirement. Many respond by assuming they need a massive QMS platform and dozens of processes before they can move forward.

The truth is more encouraging: your first SaMD submission needs a lean, targeted set of documents built around ISO 13485, not a heavyweight quality system. When done correctly, ISO 13485 acts as the backbone of your documentation, and the other standards slot in like modular components that attach only where required.

This article explains how to build your MVP documentation package, centered on ISO 13485 and expanded just enough to satisfy FDA expectations for software and AI, and nothing more.

Why ISO 13485 Should Be the Foundation of Your SaMD Documentation

ISO 13485 is the global quality management standard for medical devices, and it provides the structure regulators expect:

  • Design controls

  • Risk management integration

  • Document control

  • Verification and validation

  • Supplier management

  • Postmarket surveillance

  • Corrective and preventive action

When implemented in a lightweight, early-stage way, ISO 13485 gives you:

  • A controlled place to store all of your submission evidence

  • Traceability across your entire software lifecycle

  • A clear narrative that FDA reviewers immediately understand

  • A stable framework that can scale with your company

Every other software or AI-related standard attaches to this foundation. If ISO 13485 is the skeleton, the other standards are the organs that make it function.

The Modular Approach: Layering Standards on Top of ISO 13485

FDA does not expect startups to implement every standard in full. Instead, they expect:

  • ISO 13485 as the overarching quality system

  • ISO 14971 as the risk management engine within it

  • IEC 62304 as the software lifecycle structure

  • Cybersecurity documentation as needed for your connectivity

  • AI/ML documentation when algorithms influence clinical output

  • Usability engineering when clinicians interact with the software

These standards work together, not separately.
And they can be implemented incrementally, not all at once.

This modular approach is what makes an MVP documentation set possible.

Your MVP Documentation Package (Built on ISO 13485)

Below is the leanest, regulator-ready document set you need for your first 510(k) or De Novo submission. Every document fits into ISO 13485, and the other standards extend it where appropriate.

1. Intended Use & Indications for Use (ISO 13485 + FDA requirement)

The core statement that defines everything: classification, pathway, testing, and risk.

2. Design and Development Plan (ISO 13485)

A simple, high-level plan that shows you understand your development stages, reviews, and responsibilities.

3. Risk Management File (ISO 14971, integrated into 13485)

The cornerstone of your documentation:

  • Hazard identification

  • Risk estimation and control

  • Residual risk evaluation

  • Traceability to requirements and tests

Regulators expect ISO 14971 to be fully embedded into your 13485 design controls.

4. Software Development Documentation (IEC 62304 + 13485 design controls)

IEC 62304 defines your software lifecycle, but it fits neatly inside ISO 13485.
Your MVP includes:

  • Software architecture diagram

  • Software itemization and classification

  • Requirements specification

  • Unit, integration, and system testing

  • Maintenance and bug-handling procedures

IEC 62304 provides structure, and ISO 13485 provides the control.

5. Verification & Validation Evidence (ISO 13485 + IEC 62304)

FDA cares less about your development style and more about your proof. Your MVP V&V package includes:

  • Verification against each software requirement

  • Validation in clinically relevant scenarios

  • Usability/human factors testing if clinician-facing

  • Dataset validation for AI models

A simple traceability matrix connects all of this, satisfying ISO 13485 design control requirements.

6. AI/ML Documentation (Built on 13485 + ISO 42001 principles)

If your software uses AI in a medically meaningful way, you need:

  • Model training description

  • Dataset representativeness and bias evaluation

  • Performance metrics across subgroups

  • Drift monitoring plan

  • Change control strategy for future retraining

ISO 42001 is not required, but its governance concepts help you create a structured, reviewer-friendly narrative within your QMS.

7. Cybersecurity Documentation (FDA guidance + ISO 27001 principles)

Modern SaMD is rarely offline. Your MVP cybersecurity package includes:

  • Threat modeling

  • Vulnerability assessment

  • Authentication/authorization strategy

  • Encryption approach

  • Update/patching workflow

  • Secure development practices

These documents expand your ISO 13485 processes to cover digital safety.

8. Configuration & Change Management (ISO 13485 + IEC 62304)

FDA needs to see that software updates are controlled and traceable.
A small, well-organized process is enough at MVP stage.

Why You Do Not Need a Heavy QMS Platform for Your First Submission

Many early-stage companies think regulatory compliance requires:

  • A high-cost QMS platform

  • Automated document management

  • A full set of enterprise workflows

  • Formal CAPA boards and monthly reviews

This is simply not true.

A lean ISO 13485 system, built with lightweight tools and expert guidance, is fully acceptable to FDA.
You can maintain:

  • Document control

  • Traceability

  • Design reviews

  • Risk management integration

  • V&V evidence

  • Change management

…all without a thousand-dollar-per-month QMS subscription.

Expensive platforms are useful later, when:

  • Your engineering team grows

  • You need formal collaboration tools

  • You manage multiple submissions

  • You enter international markets

But for your first submission, the priority is clarity, not software.

You need the right documents, not the fanciest system.

ISO 13485 Is Your Foundation and Everything Else Builds on It to Suit Your Intended Use

Your first SaMD submission does not require a complex, enterprise-grade quality system. It requires:

  • A lean ISO 13485 foundation

  • Layered, modular additions from IEC 62304, ISO 14971, cybersecurity, and AI governance

  • Focus on traceability, risk, and software performance

  • Clear documentation, not expensive tools

By treating ISO 13485 as the core and adding only what applies to your product, you keep your documentation tight, efficient, and submission-ready.

If you want help building a lean, modular QMS aligned with ISO 13485, or assembling the complete MVP documentation package for your SaMD, Unigen can guide you through each step and help you avoid unnecessary cost and complexity. Contact us to get started.
