Software as a Medical Device

Regulatory oversight is crucial for ensuring the safety and efficacy of Software as a Medical Device (SaMD) solution. Understanding global regulations is essential for developers to navigate risk classification, quality management, post-market surveillance, and international standards, thereby ensuring compliance and fostering innovation in healthcare digitalization.

Software as a Medical Device

SaMD presents a range of advantages that are reshaping the healthcare landscape, which empowers clinicians with advanced diagnostic capabilities and enables patients to engage in their healthcare journey actively.

With its ability to provide timely, accurate, and personalized insights, SaMD enhances diagnostic accuracy, optimizes treatment decisions, and facilitates remote monitoring. SaMD improves patient outcomes and reduces healthcare costs. Its growing popularity is evident in the increasing adoption by healthcare providers and patients worldwide, driven by the desire for more efficient, accessible, and data-driven healthcare solutions.

In this introductory overview, we offer a compelling roadmap to harness the full potential of SaMD while ensuring compliance with regulatory standards. 

What is software as a medical device (SaMD)?

Software as a medical device refers to any software meant for medical use that is not a component of a physical medical device. SaMD encompasses a wide range of software applications designed to perform medical functions such as diagnosis, monitoring, treatment, or prevention of diseases. It operates on various platforms, like smartphones, tablets, and computers, without requiring dedicated hardware.

Definitions for SaMD

  1. SaMD refers to software intended for one or more medical purposes that perform those purposes without being part of a hardware medical device, according to the International Medical Device Regulators Forum (IMDRF).
  2. FDA defines SaMD as software that meets the definition of a device in 181 section 201(h) of the FD&C Act and is intended to be used for one or more medical purposes without being part of a hardware device.

If you need more details regarding SaMD and its definition, please click the below link for FDA guidance on policy for device software functions and mobile medical applications. 

Examples of SaMD

SaMD, or Software as a Medical Device, encompasses a range of digital tools designed to improve healthcare delivery. Following are some examples of SaMD out of many.

  • Mobile applications for tracking vital signs
  • Diagnostic software analyzing medical images
  • Health management platforms for chronic disease monitoring
  • Decision support systems aiding clinical decision-making

Global market for SaMD 

According to recent analyses, the value of the global SaMD market was USD 1.2 billion in 2023. Projections indicate that by 2032, it is expected to soar to USD 5.4 billion, exhibiting a compound annual growth rate (CAGR) of 16.7%.

Global SaMD Market Forecast in 2023

In 2023, the global Software as a Medical Device (SaMD) market witnessed remarkable growth, with North America emerging as a frontrunner. Screening devices dominated usage, reflecting a growing emphasis on preventive healthcare. This surge underscores the pivotal role SaMD plays in advancing healthcare accessibility and efficacy worldwide.

Market split by regions in 2023

Software as a Medical Device

Market split by application in 2023

Software as a Medical Device

Regulatory background of SaMD

The global regulatory background of SaMD is essential for ensuring patient safety and compliance. This regulatory background encompasses guidelines and requirements established by regulatory authorities worldwide to oversee the development, marketing, and use of SaMD.  

Regulatory agencies categorize SaMD based on the risks associated with their use. 

Common classification

Risk classRiskExample
Class 1Low riskBasic health-tracking apps
Class 2Moderate riskDiagnostic software analyzing non-invasive data
Class 3High riskSoftware influencing treatment decisions

Software safety classification according to IEC 62304

The software safety classification of IEC 62304, the international standard on software lifecycle has three levels based on the severity of injury that a software failure could cause: 

  • No injury – Class A
  • Non-serious injury – Class B
  • Serious injury or death – Class C

SaMD categorization according to IMDRF

The IMDRF (International Medical Device Regulators Forum) categorization has four possible categories rather than three.

State of healthcare situationTreat or diagnoseDrive clinical managementInform clinical management

While the IMDRF categorization may initially appear complex, it holds significance in assessing risk classes within the EU. Despite its perceived complexity, many companies rely on it primarily for this purpose. It aids in determining risk classes for most businesses operating in the EU. 

SaMD classification according to MDCG 2019-11 

One of the aforementioned EU guidance, MDCG 2019-11, includes a table that combines IMDRF categorization and EU risk classes.

Situation HighTreat or diagnose- IMDRF 5.1.1MediumDrives clinical management- IMDRF 5.1.2LowInforms clinical management (Everything else)
Critical Situation or patient condition- IMDRF 5.2.1Class Ⅲ(Category Ⅳ.ⅰ)Class Ⅱb(Category Ⅲ.ⅰ)Class Ⅱa(Category Ⅱ.ⅰ)
Serious Situation or patient condition- IMDRF 5.2.2Class Ⅱb(Category Ⅲ.ⅱ)Class Ⅱa(Category Ⅱ.ⅱ)Class Ⅱa(Category Ⅰ.ⅱ)
Non-serious Situation or patient condition (Everything else)Class Ⅱa(Category Ⅱ.ⅲ)Class Ⅱa(Category Ⅰ.ⅲ)Class Ⅱa(Category Ⅰ.ⅰ)

Overview of regulatory frameworks for SaMD across countries and regions

The regulatory landscape for SaMD varies across countries and regions, with each jurisdiction implementing its framework. This overview highlights the main aspects of SaMD regulation in various countries, providing insight into the diverse approaches taken by regulatory authorities worldwide.

CountryRegulatory body
United States (US)The U.S. Food and Drug Administration (FDA) regulates SaMD under the Digital Health Precertification (Pre-Cert) Program.SaMD manufacturers must adhere to the FDA’s Quality System Regulation (QSR) and meet specific regulatory requirements.
European Union (EU)SaMD in the EU falls under the Medical Devices Regulation (MDR) or the In Vitro Diagnostic Medical Devices Regulation (IVDR), depending on its intended use.Manufacturers must obtain CE marking through conformity assessment procedures.
CanadaHealth Canada regulates SaMD under the Medical Devices Regulations (MDR) and the Interim Order (IO) for the importation and sale of medical devices.SaMD manufacturers must demonstrate compliance with safety and effectiveness requirements.
JapanThe Pharmaceuticals and Medical Devices Agency (PMDA) oversees SaMD regulation in Japan.SaMD must undergo regulatory review and obtain marketing approval before commercialization.
AustraliaThe Therapeutic Goods Administration (TGA) regulates SaMD as a medical device.SaMD manufacturers must register their products on the Australian Register of Therapeutic Goods (ARTG).
ChinaChina’s National Medical Products Administration (NMPA) governs SaMD through various regulations, including the Medical Device Regulation (MDR).

Software development, maintenance, and risk management process 

  • SaMD development faces challenges due to regulations favoring a linear approach.
  • Compliance with regulations like IEC 62304 and AAMI TIR 45 is feasible with agile methods.
  • IEC 62304 outlines the software lifecycle: development, maintenance, risk management, configuration management, and problem resolution.
  • Processes involve analysis, architectural design, implementation, verification, testing, and maintenance.
  • Maintenance includes establishing a plan, analyzing problems, and implementing modifications.
  • The risk management process aligns with ISO 14971, covering hazardous situations, risk control, verification, and change management.
  • Risk management is integral to all processes in SaMD development.

Cybersecurity, SaMD regulations, and guidance  

  • Safety is crucial in medical devices, with cybersecurity now an essential consideration for SaMD.
  • High-profile attacks in healthcare underline the urgent need for cybersecurity measures.
  • Healthcare is frequently targeted by cyberattacks, highlighting its vulnerability.
  • Device makers must prioritize cybersecurity from the outset rather than adding it as an afterthought.
  • MDCG 2019-16 guides EU MDR and IVDR compliance.
  • IMDRF’s guidance offers international best practices for medical device cybersecurity.
  • The PATCH Act in the US proposes stricter cybersecurity requirements.
  • Start early to integrate cybersecurity into SaMD design for regulatory compliance and safer products.

Challenges in marketing SaMD

Using software as a medical device poses challenges, but adhering to necessary standards mitigates the burden. Common industry challenges include regulatory compliance, technological complexity, and market differentiation. Addressing these hurdles ensures the safe and effective deployment of software-based medical devices in healthcare settings.

A few challenges are discussed below.

  • Regulatory compliance: Ensuring compliance with regulations such as the FDA’s Quality System Regulation (QSR) and the European Medical Device Regulation (MDR) can be complex and time-consuming.
  • Safety and efficacy: Ensuring the software is safe and effective for its intended use, including addressing cybersecurity concerns is crucial.
  • Validation and verification Validating and verifying the software needs regulatory requirements and performs as intended in real-world scenarios is essential but can be resource-intensive.
  • Continuous updates: Need to manage software updates while maintaining compliance.
  • Interoperability: Ensuring the software can integrate with other medical devices and systems is crucial for providing comprehensive patient care.
  • Data privacy and security: Protecting patient data from unauthorized access or breaches is a significant concern, requiring robust security measures.
  • Long-term maintenance: Providing ongoing support, maintenance, and updates is necessary.

Postmarket requirements for SaMD

  • SaMD, despite its unique challenges like cybersecurity, is subject to the same postmarket regulations as hardware medical devices.
  • FDA, QSR, EU MDR, or IVDR regulations still apply to SaMD postmarket requirements.
  • IEC 62304 standard for software development aids in fulfilling postmarket requirements in software maintenance and problem-resolution processes.
  • Certain features inherent to SaMD necessitate a different approach in addressing postmarket stages of the device lifecycle.


SaMD plays a major role in revolutionizing healthcare delivery, offering innovative diagnosis, treatment, and patient care solutions. Understanding the global regulatory landscape is crucial for SaMD manufacturers to navigate compliance requirements and ensure safe and effective deployment in healthcare settings.

Are you developing a Software Medical Device (SaMD) and have any questions about it?

Do you have further questions, or do you need our regulatory support for your SaMD globally? Alternatively, perhaps you require assistance in moving forward with your product for business development. Please provide your detailed requirements to connect with our team and discuss your needs.

Provide your work email, where we can contact you