USFDA • SaMD

FDA for Software as a Medical Device (SaMD)

When your software is the device — FDA strategy for Software as a Medical Device: classification, the right pathway, clinical evaluation, cybersecurity, and the documentation a modern digital-health product needs to reach the US market.

Service Overview

Some of the most interesting medical products today have no hardware at all — the software is the medical device. An app that analyses images to flag disease, an algorithm that triages patients, a program that turns a phone’s sensor into a diagnostic: these are Software as a Medical Device, or SaMD, and the FDA regulates them as medical devices in their own right. For a digital-health company, that can be a jarring realisation — you built software, and now you are a medical-device manufacturer with all that entails. Navigating that is a distinct skill, and it is what this service is for.

SaMD raises questions ordinary devices do not. Software has no physical wear, but it changes constantly — updates, new versions, and increasingly models that learn — and the FDA has had to develop approaches for regulating something that is meant to evolve. It also lives in a connected world, so cybersecurity is not optional but central. And its risk is defined not by what it touches but by what it does with information: the seriousness of the condition it informs and the significance of the decision it drives. The whole regulatory frame has to be understood on software’s terms.

As with any device, it starts with whether the software is even a medical device and, if so, its classification and pathway. Not all health software is regulated — the FDA distinguishes higher-risk clinical software from lower-risk wellness and administrative tools — and getting that line right is the first, foundational judgement. For regulated SaMD, the same routes apply as for other devices, most commonly the 510(k), and the FDA regulatory strategy that selects the route is as important here as anywhere.

What differs is the evidence and the documentation. Software needs its development and its verification and validation documented in a way suited to software, its clinical evaluation framed around the information it provides and the decision it supports, and — critically — a serious cybersecurity approach that the FDA now expects as part of the premarket submission. For products that learn, there are emerging mechanisms, like predetermined change control plans, to allow controlled evolution without a new submission for every update. These are the areas where SaMD expertise genuinely pays off.

SaMD still sits within the broader US framework. It needs its quality system — adapted for software development — its establishment registration and listing, and usually a 510(k) submission. The difference is that every one of these is coloured by the fact that the device is software, so they have to be handled by people who understand both the regulation and the realities of building and maintaining software products.

We provide FDA regulatory support for Software as a Medical Device — determining whether and how the software is regulated, selecting the pathway, framing the clinical evaluation, building the software and cybersecurity documentation, and planning for controlled change — so digital-health products reach the US market without the regulatory side becoming the thing that stalls an otherwise fast-moving company.

Determination of whether your software is a regulated medical device
SaMD classification and FDA pathway selection
Software development and V&V documentation suited to software
Clinical evaluation framed around the software’s function
Cybersecurity documentation to current FDA expectations
Change-control planning for software that evolves or learns

Key Takeaways

  • Software can be a regulated medical device in its own right (SaMD) when it drives a clinical decision, with no hardware attached.
  • Risk is judged on two axes: how serious the condition is and how much the software drives the decision.
  • Cybersecurity documentation is now a hard gate — the FDA can refuse to accept a submission that lacks it.

When Is Software a Medical Device?

The first and most consequential question for any health software is whether it is a regulated medical device at all. The FDA draws a line between software that performs a medical function — diagnosing, treating, informing clinical decisions — and software that supports general wellness or administration. A meditation app or a hospital scheduling tool is not a medical device; software that analyses an image to detect a tumour clearly is. But between those poles sit many products whose status is genuinely arguable, and misjudging it in either direction is costly.

Getting this determination right is foundational, because it decides whether the entire regulatory apparatus applies. A company that assumes its software is unregulated and is wrong faces enforcement and a scramble to comply retroactively; one that over-regulates an unregulated wellness product burdens itself needlessly. We assess your software’s intended use and function against the FDA’s framework and the relevant guidance, so you know where you stand before you build a regulatory strategy — or decide you do not need one.

  • Not all health software is a regulated device.
  • The line turns on medical function versus wellness/administration.
  • Misjudging it either way is expensive — get the determination right first.

Classifying and Routing SaMD

Once software is established as a regulated device, it is classified and routed like any other device — but the risk logic is framed around information. What matters is the seriousness of the condition the software addresses and the significance of the decision its output drives: software informing a critical treatment decision for a serious condition is higher risk than software providing information for a minor one. That risk framing feeds into the FDA classification and the pathway, most commonly the 510(k) for moderate-risk SaMD, with De Novo for genuinely novel software types.

We classify the SaMD and select the pathway with this information-centric risk view, which is where software-specific understanding matters. A product’s risk — and therefore its route and evidence burden — depends heavily on exactly what claim it makes about the information it provides, and small differences in the intended-use statement can shift the whole regulatory picture. We help frame that intended use deliberately, so the software is positioned on the route that fits its genuine function and claim.

Documenting Software Development and Validation

Software needs its development documented in a way that suits software, and the FDA has expectations for this. Rather than physical design controls, the emphasis is on software development processes, requirements and architecture, and verification and validation appropriate to code — unit and integration testing, system testing against requirements, and validation that the software does what users need in the real clinical context. The level of documentation the FDA expects scales with the software’s risk, so a higher-risk SaMD carries a heavier documentation burden.

We help build this software documentation to the FDA’s expectations without imposing process that a nimble software team cannot live with. The tension in SaMD is real: regulators want rigour and traceability, while software companies value speed and iteration. Good SaMD regulatory work finds the documentation that genuinely satisfies the FDA while fitting how modern software is actually built, rather than forcing a hardware-era process onto a software product where it does not belong.

Clinical Evaluation for Software

SaMD needs clinical evaluation, but framed around what software does — provide information. The FDA and international frameworks think about this in terms of a valid clinical association (is there a genuine link between the software’s output and the clinical condition?), analytical validation (does the software correctly process the input to produce the intended output?), and clinical validation (does the output achieve the intended purpose in the target population?). This structure gives a clear way to plan what evidence a given SaMD actually needs.

We frame the clinical evaluation around this logic, so the evidence generated is the evidence the software’s claim requires — no more, no less. For some SaMD, existing literature and the software’s own validation suffice; for others, particularly novel or higher-risk products, a clinical study is needed. Identifying which, early, is exactly the kind of judgement that prevents a company from either over-investing in unnecessary clinical work or being caught short at submission without the evidence its claim demands.

  • Valid clinical association: is the output genuinely linked to the condition?
  • Analytical validation: does the software process input correctly?
  • Clinical validation: does the output achieve its purpose in real use?

Cybersecurity: No Longer Optional

Connected medical software is a security target, and the FDA now treats cybersecurity as a core part of a device submission rather than an afterthought. For SaMD and connected devices, the agency expects to see how security has been designed in — threat modelling, security controls, a software bill of materials identifying components, vulnerability management, and a plan for handling and patching security issues over the product’s life. A submission that treats cybersecurity lightly is increasingly likely to be held up, because the FDA has made clear it will not accept devices that cannot show they are secure.

We help build the cybersecurity documentation the FDA expects, integrated with the software development rather than bolted on at the end. This has become one of the defining features of modern SaMD regulation, and it is an area that moves quickly as threats and expectations evolve. Handling it well means designing security in from the start and documenting it in the form the FDA wants — turning a potential submission blocker into a demonstrated strength of the product.

Software That Changes: Managing Evolution and AI

The deepest tension in SaMD is that software is meant to change, while traditional device regulation assumes a fixed product. Every update, and especially the continuous learning of AI/ML-based software, sits awkwardly against a framework built for devices that stay the same. The FDA has been developing approaches to this, including the concept of a predetermined change control plan that lets a manufacturer specify in advance the changes it may make — within defined limits and methods — without a new submission for each one. For a product that evolves, this can be transformative.

We help plan for change from the outset, so your software is not trapped needing a fresh submission for every improvement. That means thinking, at strategy stage, about how the product will evolve and how to build the regulatory approach — including a predetermined change control plan where appropriate — to permit controlled evolution. For AI/ML products in particular, this forward planning is essential, because a learning system that cannot be updated without re-clearing is a system whose greatest strength is regulatorily frozen. Getting this right is where SaMD regulation is genuinely at the frontier.

SaMD Risk (IMDRF framework)

Clinical DecisionCondition SeverityRisk
InformNon-seriousLowest
DriveSeriousHigher
Treat / DiagnoseCriticalHighest

Required Documentation

Device Determination & Intended Use
SaMD Classification Analysis
Software Development Documentation
Software V&V Reports
Clinical Evaluation (association/analytical/clinical)
Cybersecurity Documentation & SBOM
Predetermined Change Control Plan
Premarket Submission Package

"Accurate documentation is 70% of the battle. Our experts pre-audit every file before submission."

Our Delivery Workflow

01

Determine & Classify

We determine whether the software is a regulated device and classify and route it.

02

Document & Evaluate

We build software V&V and clinical evaluation framed around the software’s function.

03

Secure

We build the cybersecurity documentation the FDA now expects as part of the submission.

04

Plan for Change

We plan controlled evolution — including change control plans for updating and AI/ML products.

FAQ

Frequently Asked Questions

Have questions? Find direct, humanized answers about the regulatory approvals and timelines.

SaMD is software intended to perform a medical function — such as diagnosing, treating or informing clinical decisions — without being part of a hardware device. The FDA regulates it as a medical device in its own right, which means a software company becomes a device manufacturer.
No. The FDA distinguishes software performing a medical function from general wellness and administrative software. A meditation app or scheduling tool is not a device; software analysing an image to detect disease is. Many products sit in between, so the determination needs careful judgement.
On risk framed around information — the seriousness of the condition the software addresses and the significance of the decision its output drives. That feeds into the FDA classification and pathway, most commonly the 510(k) for moderate-risk SaMD, or De Novo for novel software types.
Clinical evaluation framed around valid clinical association, analytical validation and clinical validation. For some SaMD, literature and the software’s own validation suffice; for novel or higher-risk products, a clinical study may be needed. We identify which early.

Launch Your Product In Record Time

Red tape shouldn't decide your launch date. We keep the paperwork moving and the queries answered, so approvals come through sooner.

Start My Application
Compliant With 2024 Amendments