SaMD Regulatory Consulting & Certification
Navigate the complex regulatory landscape for Software as a Medical Device, AI/ML diagnostics, and digital health products across FDA, EU MDR, CDSCO, and 30+ global markets.
What Is SaMD and Why Does It Need Regulatory Approval?
Software as a Medical Device (SaMD) is software intended to perform medical functions independently — without being part of a hardware device. As defined by the IMDRF, SaMD includes diagnostic algorithms, AI-powered imaging analysis, clinical decision support systems, and patient monitoring applications.
SaMD is regulated as a medical device in every major market. The classification, approval pathway, clinical evidence requirements, and post-market obligations depend on the risk level of the software’s clinical application.
- AI/ML Diagnostics: Radiology AI, pathology analysis, ECG interpretation
- Clinical Decision Support: Treatment recommendations, risk scoring, triage
- Patient Monitoring: Remote monitoring apps, vital sign analysis
- Therapeutic Software: Digital therapeutics, CBT apps, physiotherapy
- Companion Diagnostics: Genomic analysis software, biomarker platforms
- IVD Software: Lab information systems, diagnostic algorithm platforms
Our SaMD Consulting Services
End-to-end regulatory support from concept to market across global jurisdictions
SaMD Classification & Strategy
Determine your SaMD classification across FDA, EU MDR, CDSCO, and target markets. Define the optimal regulatory pathway — 510(k), De Novo, CE marking, or CDSCO Class C/D. Identify clinical evidence requirements early.
Dossier and Regulatory Submission
Complete preparation of regulatory submissions: FDA 510(k)/De Novo packages, EU MDR technical documentation, CDSCO Form MD-15, and other market-specific dossiers. Software-specific documentation including IEC 62304 lifecycle files.
AI/ML Device Guidance
Specialized support for AI/ML-based SaMD: predetermined change control plans (PCCP), algorithm validation protocols, training data documentation, bias assessment, and locked vs. adaptive algorithm strategies.
Cybersecurity Documentation
Complete cybersecurity premarket documentation: threat modeling, SBOM (Software Bill of Materials), vulnerability assessment, security architecture, penetration testing coordination, and FDA cybersecurity guidance compliance.
Clinical Evidence Strategy
Design your clinical evidence package: analytical validation study design, clinical performance evaluation, real-world data strategies, literature reviews, and clinical investigation protocol development where required.
QMS & IEC 62304 Implementation
Implement ISO 13485 with SaMD-specific processes: IEC 62304 software lifecycle, agile-to-design-controls mapping, software risk management (ISO 14971), configuration management, and CAPA for software defects.
SaMD Classification Across Markets
How SaMD is classified differently by FDA, EU MDR, and CDSCO
| SaMD Type | FDA (US) | EU MDR | CDSCO (India) | Risk Level |
|---|---|---|---|---|
| General wellness / lifestyle | Not regulated as device | Not regulated as device | Not regulated | None |
| Clinical decision support (non-critical) | Class I / Exempt | Class IIa (Rule 11) | Class A/B | Low |
| Diagnostic imaging AI (non-life-threatening) | Class II / 510(k) | Class IIa/IIb (Rule 11) | Class B/C | Medium |
| AI-powered triage / stroke detection | Class II / De Novo | Class IIb (Rule 11) | Class C | Medium-High |
| Digital therapeutics (treatment) | Class II / De Novo | Class IIa/IIb | Class B/C | Medium |
| Cardiac monitoring / arrhythmia detection | Class II / 510(k) | Class IIb/III (Rule 11) | Class C/D | High |
| Cancer diagnostic AI / treatment planning | Class II-III / PMA or De Novo | Class III (Rule 11) | Class D | High |
| Companion diagnostics software | Class III / PMA | Class C (IVDR) | Class C/D | High |
Key Standards for SaMD Compliance
The technical standards your SaMD must comply with for regulatory approval
IEC 62304 — Software Lifecycle
Defines software development, maintenance, and risk management processes. Classifies software safety into Classes A, B, C. Required by FDA, EU MDR, CDSCO, and most global regulators. Integrates with ISO 14971 for risk management.
ISO 14971 — Risk Management
Comprehensive risk management process for medical devices including SaMD. Covers hazard identification, risk estimation, risk evaluation, risk control, and residual risk assessment. Required by all major regulatory authorities.
IEC 81001-5-1 — Health Software Security
Cybersecurity lifecycle requirements for health software. Covers secure design, threat modeling, vulnerability management, security testing, and incident response. Referenced by FDA cybersecurity guidance and EU MDR requirements.
IEC 82304-1 — Health Software Products
Requirements for health software products intended for use outside of hardware medical devices. Covers software safety classification, verification and validation, user documentation, and release management.
ISO 13485 — Quality Management System
QMS standard with SaMD-specific requirements for design controls, configuration management, software CAPA, and post-market surveillance. The foundation for all SaMD regulatory submissions.
IMDRF SaMD Framework
International Medical Device Regulators Forum guidance on SaMD definition, classification, QMS, and clinical evaluation. Adopted by FDA, Health Canada, TGA, and increasingly by CDSCO as the basis for SaMD regulation.
AI/ML Medical Device Regulation
AI/ML-based SaMD products face unique regulatory challenges. Adaptive algorithms that learn and evolve require special regulatory frameworks that traditional software approval pathways weren’t designed for.
NexorTest’s team stays current with the rapidly evolving AI/ML regulatory landscape across all major markets, including the FDA’s predetermined change control plan (PCCP) framework, CDSCO’s 2025-2026 AI/ML guidance, and EU MDR requirements for continuously learning systems.
- FDA PCCP: Predetermined change control plan for algorithm updates
- Algorithm Validation: Training, tuning, and test dataset documentation
- Bias Assessment: Demographic, geographic, and clinical bias evaluation
- Transparency: Explainability documentation for clinical users
- Real-World Monitoring: Post-market algorithm performance tracking
- CDSCO AI/ML Guidance: Oct 2025 draft + Jan 2026 cancer diagnostic classification
- Locked vs. Adaptive: Strategy for locked algorithms vs. continuous learning
Why NexorTest for SaMD?
Unlike consulting-only firms, we provide end-to-end support from design through approval
Multi-Market, Single Strategy
One regulatory strategy and documentation set designed to satisfy FDA, EU MDR, CDSCO, UKCA, TGA, and SFDA simultaneously. Reduces cost by 40-60% vs. managing each market separately.
Design + Regulatory + Testing
We support your SaMD from regulatory design architecture through IEC 62304 lifecycle implementation, cybersecurity testing, and final submission. One team, one timeline, zero coordination gaps.
AI/ML Specialization
Dedicated AI/ML regulatory expertise covering FDA PCCP framework, CDSCO 2025-2026 AI guidance, EU MDR clinical evaluation for ML algorithms, and algorithm validation study design.
SaMD FAQ
Common questions about Software as a Medical Device regulation
What is Software as a Medical Device (SaMD)?
SaMD is software intended to be used for medical purposes without being part of a hardware medical device. Examples include AI-powered radiology software, ECG analysis algorithms, diabetes management apps, clinical decision support systems, and digital therapeutics. SaMD is distinct from Software in a Medical Device (SiMD), which is embedded within hardware.
How is SaMD classified by the FDA?
The FDA classifies SaMD as Class I (low risk, often exempt), Class II (moderate risk, 510(k) or De Novo), or Class III (high risk, PMA). Classification is based on the IMDRF framework considering the significance of the information provided and the seriousness of the healthcare situation. The FDA’s Digital Health Center of Excellence handles SaMD submissions.
Does SaMD require CE marking under EU MDR?
Yes. Under EU MDR Rule 11, SaMD is classified as Class IIa, IIb, or III depending on the clinical decision impact. Class IIa and above require Notified Body involvement. Clinical evaluation, technical documentation, IEC 62304 compliance, and cybersecurity documentation are all mandatory for CE marking.
What is the CDSCO pathway for SaMD in India?
CDSCO regulates SaMD under MDR 2017 with specific AI/ML guidance issued in October 2025 and January 2026. SaMD ranges from Class A to Class D. Applications go through SUGAM portal using Form MD-14 (Class A/B) or MD-15 (Class C/D). Clinical evidence, IEC 62304, and cybersecurity documentation are required.
Can NexorTest handle SaMD across multiple markets simultaneously?
Yes. We design a single regulatory strategy covering FDA, EU MDR, CDSCO, UKCA, TGA, and SFDA simultaneously, significantly reducing cost and time-to-market. We also provide the underlying QMS (ISO 13485) and testing support, making NexorTest a true single-window SaMD partner.
What is IEC 62304 and why does SaMD need it?
IEC 62304 is the standard for medical device software lifecycle processes covering development, maintenance, risk management, and configuration management. It classifies software safety into Classes A, B, C. Compliance is required or referenced by all major regulatory authorities for SaMD approval.
How are AI/ML-based medical devices regulated?
AI/ML devices face additional requirements: FDA’s predetermined change control plan (PCCP) for algorithm updates, training data documentation, bias assessment, algorithm validation, transparency/explainability documentation, and real-world performance monitoring. EU MDR and CDSCO have issued specific 2025-2026 guidance for AI/ML devices.
What cybersecurity requirements apply to SaMD?
SaMD must include: threat modeling, security architecture, SBOM (Software Bill of Materials), vulnerability assessment, penetration testing, encryption/authentication controls, patch management plan, and incident response procedures. The FDA, EU MDR, and IEC 81001-5-1 all have specific cybersecurity requirements.
What clinical evidence is needed for SaMD?
Clinical evidence includes analytical validation (algorithm performance on test data), clinical validation (real-world clinical performance), and clinical evaluation. For AI/ML: training data representativeness, sensitivity/specificity metrics, multi-site validation, and comparison against reference standards are required.
Ready to Bring Your SaMD to Market?
Get a free SaMD regulatory pathway assessment. Our specialists will evaluate your software, classify it across target markets, and provide a clear roadmap to approval.