FDA Regulatory Requirements for Medical Device Software (SaMD and SiMD)

Even seasoned regulatory professionals struggle to understand the myriad regulatory requirements pertaining to medical device software. A bewildering morass of national regulations, guidance, international standards, and overlapping documents make coding seem like the easy part. Fear not – in this article, we will give you a mountain-top view of your obligations and where to find the information you need to ensure a successful submission and ongoing compliance.

Let’s start with US FDA requirements.

How Does US FDA Regulate Medical Device Software?

FDA is years ahead of other regulators, including Europe, when it comes to the specificity of regulatory guidance pertaining to medical device software. FDA has been publishing software guidance documents for more than 20 years and has been especially prolific in the last 3 to 5 years. To their credit, FDA recognizes the importance (and prevalence) of software in all sorts of devices and is making a concerted effort to ensure that its regulatory framework does not stifle innovation. In recent years, new or updated guidance has been published covering all sorts of issues, including:

• Quality management system (QMS) and premarket submission considerations related to cybersecurity – April 2022
• Content of premarket submissions for device software functions – November 2021
• Artificial intelligence / machine learning (AI / ML)-based software as a medical device (SaMD) – January 2021
• Clinical decision support software – September 2019
• Mobile Medical Applications – September 2019
• Off-the-shelf software used in medical devices – September 2019
• Plus, several more! See the entire list know more.

FDA guidance is not the only thing you should follow. A variety of international standards go even further into the weeds on topics such as medical device cybersecurity, interoperability, life-cycle management, and more.

Build an instant library of medical device software guidance documents. A vast array of guidance documents related to medical device software has been published by international standards organizations, European authorities, and FDA. We’ve assembled a list of 45-plus documents including links to download them.

FDA Requirements for Off-the-Shelf (OTS) Medical Device Software

We call this out specifically because many medical device manufacturers assume that because they are using OTS software in their design, they are not responsible for its performance. Ah, but they are, and FDA makes that crystal clear in the prologue for the software guidance itself. If problems arise with the device operation and it’s linked back to OTS software, don’t try to point your finger at the provider of the OTS software. This guidance will tell you what needs to be done so you don’t get a nasty surprise after you submit your 510(k).

“The medical device manufacturer using OTS software generally gives up software life cycle control, but still bears the responsibility for the continued safe and effective performance of the medical device.”

Off-The-Shelf Software Use in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, SEPTEMBER 2019

What’s the difference between SaMD and SiMD? FDA separates medical device software into two buckets. Software as a Medical Device (SaMD) is a product in and of itself, meaning there is no physical hardware. An example would be software that processes images to detect cancer. Software in a Medical Device (SiMD) is far more common and includes any software embedded into a physical device.

How Does Europe Regulate Medical Device Software?

Depending on your perspective, you may be horrified or delighted (probably the latter) to know that while Europe regulates software in / as medical devices, the European Commission does not publish nearly as much guidance on software-specific issues as FDA. Aside from classification Rule 11 in the Medical Device Regulation (2017/745) and Rule 14 in the In Vitro Diagnostic Regulation (2017/746), you also won’t find a lot of software-specific information in the regulations. Before you get too excited, understand that Europe generally relies on references to international standards published by NIST, IMDRF, ANSI, and other standards organizations to cover specific issues related to cybersecurity, interoperability, software life cycle, and risk management.

Before you dig into all of those documents, download MDCG 2019-11 titled “Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR.” This guidance provides information on the classification of medical device software, handling changes to software, and other topics. It also distinguishes between medical devices that are stand-alone devices versus software that are embedded into physical medical devices.

Other software guidance documents published by the European Commission include:

• European Artificial Intelligence Act (proposed draft) – April 2021
• MDCG 2019-16: Guidance on Cybersecurity for medical devices – July 2020
• MDCG 2020-1: Guidance on Clinical Evaluation (MDR) / Performance Evaluation (IVDR) of Medical Device Software – March 2020
• MDCG 2018-5: UDI Assignment to Medical Device Software – October 2018

Want to Learn More?

This article has only scratched the surface of the regulations that pertain to medical device software in the US and Europe. Take the next step with our in-depth training class on medical device software regulations and standards. It will give you the knowledge and confidence you need to ensure full compliance with the EU MDR, IVDR, and FDA regulations related to software.

Get answers right now. Call