Medical Device Traceability Matrix: Template, Structure, and Best Practices

← All articles

The traceability matrix is one of the most scrutinised documents in any 510(k) software submission. FDA reviewers use it to answer a simple question: does every requirement have a test, and does every test link back to a requirement?

This guide explains what the matrix needs to contain, how to structure it, and the mistakes that trigger Additional Information (AI) letters.

What is a traceability matrix?

A traceability matrix is a document that maps requirements to the other artefacts that implement, verify, or validate them. In a medical device DHF, it typically traces:

User Needs → SRS Requirements — every user need is addressed by at least one requirement
SRS Requirements → Design Outputs — every requirement is implemented in the architecture
SRS Requirements → Test Cases (SSTC) — every requirement is verified by at least one test
Risk Controls → SRS Requirements — every risk control identified in ISO 14971 risk management traces to a requirement

IEC 62304 requirement

IEC 62304 §5.7.5 explicitly requires traceability between software requirements and test cases for Class B and C software. FDA expects this in every 510(k) software submission regardless of class.

What columns does a good traceability matrix need?

At minimum, your requirements-to-tests matrix should include:

Column	Description	Example
Requirement ID	Unique identifier from your SRS	SRS-042
Requirement Summary	Short description (not the full text)	Session timeout after 5 min inactivity
Safety Critical?	Whether this is a safety requirement	Yes / No
Test Case ID(s)	SSTC IDs that verify this requirement	TDCS-118, TDCS-119
Test Status	Pass / Fail / Not Executed	Pass
Risk Control Ref	ISO 14971 risk control ID, if applicable	RC-007
Notes	Rationale for any deviations or exceptions	—

The matrix template structure

Coverage requirements

The matrix must demonstrate bidirectional coverage:

Forward coverage: Every SRS requirement has at least one test case. No orphaned requirements.
Backward coverage: Every test case links to at least one SRS requirement. No tests that test things not in the SRS.

FDA reviewers will literally scan for:

SRS requirements with an empty "Test Case(s)" column
Test cases in the SSTC that don't appear anywhere in the matrix
Safety-critical requirements with fewer tests than you'd expect

The most common gap: Requirements added late in development (usually after a change request) that weren't retroactively added to the traceability matrix. Always update the matrix when you add requirements.

The risk-to-requirements link

If your device is Class B or C, the traceability chain must extend from your ISO 14971 risk management file into the SRS. Specifically, every risk control in your Risk Management Report that is implemented in software must trace to a specific SRS requirement.

This means your traceability matrix (or a supplementary document) needs a column for Risk Control Reference. If RC-007 says "Software shall enforce maximum dose limit", then SRS-042 ("The system shall reject any dose input exceeding 250 Gy") must reference RC-007.

FDA reviewers will cross-reference your Risk Management Report and your SRS. Disconnected risk controls and requirements are a finding.

Maintaining the matrix through changes

A traceability matrix is only as good as the process for keeping it current. Common failure modes:

Requirements change, matrix doesn't. Change control must include "update traceability matrix" as a mandatory step.
Test cases change, matrix isn't updated. If TDCS-118 is split into TDCS-118a and TDCS-118b, the matrix entry for SRS-042 must be updated.
New requirements added without matrix entry. Late-phase requirements often get lost. Your review checklist before submission should verify matrix coverage of all SRS requirements.
Test failures not reflected. If a test fails and the requirement is modified to match observed behaviour (rather than fixing the software), the matrix must reflect the re-test and its outcome.

Format and tooling

FDA doesn't mandate a specific format. We've seen compliant submissions with:

Excel spreadsheets
Word documents with tables
Purpose-built requirements management tools
PDF exports from structured databases

What matters is completeness and accuracy — not the tool. That said, manual Excel maintenance of large matrices is error-prone. A tool that auto-generates the matrix from linked requirements and test cases reduces the risk of human error and makes updates trivial.

"We submitted with an Excel traceability matrix for our first product. By version 2.0, we had 450 requirements and three engineers spending a week every release keeping it current. The second product was built in a proper tool from day one." — Medical device startup CTO

Pre-submission checklist

Before sending your 510(k), verify:

☐ Every SRS requirement ID has at least one SSTC test case listed
☐ Every SSTC test case appears in the matrix linked to a requirement
☐ All safety-critical requirements are marked as such
☐ Every software risk control in the Risk Management Report traces to an SRS requirement
☐ All test statuses reflect the actual most recent test run, not a previous version
☐ Requirements added after the last matrix review are included
☐ Test cases for failed tests reference the resolution (re-test, accepted risk, or requirement change)

Build and maintain your traceability matrix in PreQMS

Requirements and test cases linked automatically. Traceability matrix generated from your live data — always current, always complete.

Book a 30-minute demo

Medical Device Traceability Matrix: Structure, Template, and Common Mistakes