White Paper
If you are involved with Software as a Medical Device (SaMD), what regulatory guidance documents do you need to read, and in what order? With over 100 documents to choose from, it can be an overwhelming task. While you will still need regulatory experts, you can get started on building your background by using the table of documents we present at the end of this article. We recommend focusing on the highest-priority documents first, followed by the medium- and then low-priority documents. These documents will help you identify your SaMD’s software classification as well as understand and plan for what you need to submit to the FDA for clearance. Completing these crucial steps ahead of submission will save you time and set your software up for success.
In short, it is standalone software that serves as a medical product in and of itself. While SaMD may take data input from external sensors, it is distinguished from software that is embedded in a medical device (known as SiMD, or Software in a Medical Device). For a more detailed exploration of SaMD, read our white paper “Software as a Medical Device (SaMD): What it is and Why it Matters?”
With the exception of four guidance documents from the IMDRF, SaMD is neither specifically called out in FDA or EMA regulatory and guidance documents, nor in medical device standards. This makes it more challenging to explore the document landscape. Our table below will help guide your regulatory journey.
In general, you always want to defer to the final guidance, unless the draft guidance is newer, clearer, safer and not inconsistent with the final guidance. Draft guidance can be extremely helpful when it is clarifying or closing gaps in the current guidance. It can also prepare you for major upcoming changes.
Use the tables below to help guide your reading. If you’ve still got questions, or simply want to talk to SaMD regulatory experts, feel free to contact us.
Reference | Notes | Priority |
---|---|---|
Greenlight Guru: The Ultimate Guide to Design Controls for Medical Device Companies | Good place to start on Design Controls and summary level. Deals with contrast between 13485 and Part 820. | High |
Classify Your Medical Device | How to study and market your device, from the FDA. | High |
ISO 13485: 2016, Quality management systems─Requirements for regulatory purpose | International Standard, foundational/ referenced by other standards like IEC 62304 and 14971. Recognized and adopted in the EU; FDA transitioned to this from 820. | High |
IEC 62304:2006/Amd 1:2015, Medical device software ─Software lifecycle processes | This maps ISO 13485 and ISO 14971 to Software Lifecycle Processes. Written as waterfall, with a one paragraph appendix that says you can use it in non-waterfall ways. Software Safety Classification and Segregation for scaling design controls is a very useful part of this. | High |
Greenlight Guru: The Definitive Guide to ISO 14971 Risk Management for Medical Devices | Another good high-level read from Greenlight Guru – read before 14971. | High |
ISO 14971: 2019, Medical devices─Application of risk management to medical device | Referred to by ISO 13485, IEC 62304 and FDA Guidance. Must read. | High |
Understanding Intended Use from ISO TR 24971:2020 | Summarizes key understandings from ISO 24971. | High |
Deciding When to Submit a 510(k) for a Software Change to an Existing Device; Guidance for Industry and Food and Drug Administration Staff, 2017 | Important for when you are looking to have more frequent releases. | High |
Reference | Notes | Priority |
---|---|---|
AAMI TIR45:2023; Guidance on the use of agile practices in the development of medical device software | Maps IEC 62304 to Agile practices. This is a pretty fast read as a companion to IEC 62304. Does not deal with Risk Management or Cybersecurity; this is being addressed in the next version, currently under development at AAMI. | Medium |
Reference | Notes | Priority |
---|---|---|
Post Market Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff, 2016 | Useful context for how you design for monitoring and how you incorporate for maintenance. | Medium |
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Draft Guidance for Industry and Food and Drug Administration Staff, 2018 | Useful context. Similar process to patient Risk Management, just focused on Cybersecurity risk. Use the draft guidance from 2018, rather than the one in force from 2014: More current thinking, not likely to change. | Medium |
FDA: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, 2023 | FDA’s important new guidance on Cybersecurity. | High |
Reference | Notes | Priority |
---|---|---|
Good Machine Learning Practice for Medical Device Development: Guiding Principles | AI machine learning position paper by the FDA. A baseline set of principles on good machine learning practices. A more comprehensive document is expected in 2023. | Medium |
Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-based Software as a Medical Device (SaMD) | U.S. FDA Artificial Intelligence and Machine Learning Discussion Paper. A more comprehensive document that lays out how the FDA might regulate changes to AI/ML based software. There’s a particular emphasis on continuous online learning and what types of changes would not require additional regulatory filing. The position paper relies on the FDA Precertification working model, which is currently only used in the precertification pilot. Nevertheless, the content is useful if you are looking to implement a factor for an AI algorithm-based SaMD. | Medium |
Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions, 2024 | Updating AI/ML algorithms in devices after they are in market and without an FDA refiling. | Medium |
Reference | Notes | Priority |
---|---|---|
IEC 62366 Application of Usability Engineering to Medical Devices | The FDA’s guidance on applying design and Human Factors practices to medical device design. | Medium |
Reference | Notes | Priority |
---|---|---|
Multiple Function Device Products: Policy and Considerations; Guidance for Industry and Food and Drug Administration, 2020 | Context for developing on Mobile and Cloud, useful analogies for what you need to test and validate, and how to do it. | Medium |
AAMI CR510:2021 Appropriate Use of Public Cloud Computing for Quality Systems and Medical Devices, 2021 | The first guidance on putting medical device functions on a public cloud directly managed by a cloud services provider. | Medium |
FDA: Medical Device Accessories – Describing Accessories and Classification Pathways; Guidance for Industry and FDA Staff, 2017 | Useful if mobile or web apps are considered accessories. | Medium |
FDA: Policy for Device Software Functions and Mobile Medical Applications; Guidance for Industry and Food and Drug Administration Staff, 2019 | Useful more on what the FDA intends to exercise enforcement discretion on. | Low |
Credits to Bob Moll for developing the original version of this blog in 2022.
White Paper
Webinar
White Paper
Webinar
Article
White Paper
Article
Webinar