FDA Regulations for Software as a Medical Device (SaMD) in the United States

Leave a Comment / blog / By

Software as a Medical Device (SaMD) refers to standalone software intended to be used for one or more medical purposes (e.g., diagnosis, screening, monitoring, mitigation, treatment, or alleviation of disease) without being part of a hardware medical device. This includes mobile apps, AI/ML-based diagnostic tools, cloud-based imaging analysis software, clinical decision support systems, and other digital health solutions running on general-purpose computing platforms (smartphones, PCs, servers, etc.).

In the United States, SaMD is regulated by the U.S. Food and Drug Administration (FDA) under the Federal Food, Drug, and Cosmetic Act (FD&C Act). The FDA treats SaMD as a medical device if it meets the statutory definition (intended use for diagnosis, cure, mitigation, treatment, or prevention of disease). The agency provides detailed guidance on when software qualifies as SaMD and how to regulate it, with key documents updated through 2025–2026.

Key FDA Guidance Documents for SaMD

  • Policy for Device Software Functions and Mobile Medical Applications (2023 Final Guidance) – Clarifies when software is a medical device.
  • Software as a Medical Device (SaMD): Clinical Evaluation (IMDRF/SaMD WG/N56FINAL:2020) – Adopted by FDA; outlines clinical evaluation framework.
  • Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan (2021, with 2025 updates) – Focuses on AI-enabled SaMD, including Predetermined Change Control Plans (PCCPs).
  • Good Machine Learning Practice for Medical Device Development (2021, joint with Health Canada & MHRA) – Best practices for AI/ML SaMD.
  • Cybersecurity in Medical Devices (2023 Final Guidance) – Mandatory for all connected SaMD.

Risk-Based Classification for SaMD

The FDA classifies SaMD using the same three-class system as traditional devices (Class I, II, III), based on risk to patient health:

  • Class I (Low Risk): General controls only (e.g., informational apps without treatment claims).
  • Class II (Moderate Risk): General controls + special controls (most SaMD; e.g., diagnostic apps for non-life-threatening conditions).
  • Class III (High Risk): Premarket Approval (PMA) required (rare for SaMD; e.g., software controlling life-sustaining devices).

Risk is determined by:

  • Intended use (diagnosis vs. monitoring).
  • Impact on clinical decision (treat vs. inform).
  • Severity of condition (critical vs. non-critical).

Examples:

  • Class II: AI radiology tool for lung nodule detection.
  • Class III: Algorithm for real-time insulin pump dosing.

Regulatory Pathways for SaMD

  • Class I: General controls; most exempt from 510(k) premarket notification.
  • Class II: 510(k) clearance (most common for SaMD) – demonstrate substantial equivalence to a predicate device.
  • Class III: Premarket Approval (PMA) – extensive clinical data.
  • De Novo Pathway: For novel, low- to moderate-risk SaMD without predicate (creates new classification).
  • Breakthrough Devices Program: Expedited review for innovative SaMD addressing unmet needs.

Special Considerations for AI/ML-Based SaMD

  • Predetermined Change Control Plans (PCCPs): Allow pre-approved modifications to AI/ML models (e.g., retraining with new data) without new submissions.
  • Transparency & Explainability: Required for high-risk AI SaMD (bias mitigation, training data details).
  • Cybersecurity: Mandatory risk assessment and mitigation per 2023 guidance.

Post-Market Requirements

  • Quality System Regulation (QSR / 21 CFR Part 820): Full compliance for Class II/III.
  • Adverse Event Reporting: Mandatory via MedWatch.
  • Post-Market Surveillance: Real-world performance monitoring, especially for AI/ML.
  • Software Updates: Minor changes often require no new submission; major changes may need 510(k) supplement.

2026 Context & Trends

The FDA continues to refine its AI/ML framework (2025 updates to PCCP guidance) and emphasizes cybersecurity amid rising connected health risks. The agency aligns closely with IMDRF standards, making U.S. approvals influential globally. Manufacturers benefit from Digital Health Center of Excellence resources and pre-submission meetings.

This framework balances innovation with safety—most SaMD enters via 510(k), with growing use of PCCPs for evolving AI tools.

By Mark Smith

Follow us on X @realnewshubs and subscribe for push notifications.

Follow and subscribe us increase push notification.

FAQ Schema

Question: What is SaMD under FDA regulations? Answer: Standalone software intended for medical purposes (diagnosis, monitoring, treatment) without hardware integration, regulated as a medical device.

Question: How does the FDA classify SaMD? Answer: Risk-based: Class I (low), II (moderate), III (high) based on intended use, clinical impact, and condition severity.

Question: What is the most common pathway for SaMD approval? Answer: 510(k) clearance for Class II (demonstrating substantial equivalence to a predicate device).

Question: How does the FDA handle AI/ML changes in SaMD? Answer: Through Predetermined Change Control Plans (PCCPs), allowing pre-approved modifications without new submissions.

Review Schema

Item Reviewed: FDA Regulations for Software as a Medical Device (SaMD) Reviewer: Mark Smith Review Rating: 4.7/5 Review Body: FDA provides a clear, risk-based framework for SaMD with strong emphasis on AI/ML innovation via PCCPs and cybersecurity—gold standard for digital health, balancing safety and access. Essential for developers targeting the U.S. market.

Leave a Reply