Policy for Device Software Functions and Mobile Medical Applications
This guidance outlines FDA's regulatory approach for device software functions and mobile medical applications. It focuses on software functions that meet the definition of a medical device and are either intended to be used as an accessory to a regulated medical device or to transform a mobile platform into a regulated medical device. The guidance clarifies which software functions FDA intends to regulate and which ones will be subject to enforcement discretion based on risk level.
Recommended Actions
- Determine if your software function meets the definition of a medical device
- Identify the device classification and applicable regulatory requirements
- Implement a Quality Management System compliant with the Quality System (QS) regulation
- Develop and maintain procedures for:
  - Design controls
  - Risk management
  - Verification and validation
  - Adverse event reporting
  - Corrections and removals
- Register establishment and list devices with FDA if required
- Prepare and submit appropriate premarket submission if required
- Ensure labeling compliance
- Maintain records of design, development, and any changes
- Monitor post-market performance and report issues as required
- Contact FDA for guidance if unclear about requirements for your specific software function
Key Considerations
Non-clinical testing
- Manufacturers must verify and validate their device software functions along with the computing platform
- Testing should ensure safe and effective operation of the device
Software
- Software functions must meet requirements associated with their device classification (Class I, II, or III)
- Quality System regulation applies to software development and maintenance
- Software validation and verification required
- Adequate controls needed for safe distribution, installation and operation
Labeling
- Must comply with applicable labeling regulations in 21 CFR Part 801 for medical devices
- Must comply with 21 CFR Part 809 for in vitro diagnostic products
Safety
- Must implement risk management strategies
- Must have procedures to identify, analyze, correct and prevent software-related causes of patient/user harm
- Must report adverse events under Medical Device Reporting requirements
Other considerations
- Registration and listing requirements apply
- Premarket submission may be required depending on classification
- Corrections and removals must be reported to FDA when required
- Quality System regulation compliance required
- Record keeping requirements apply
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Changes to Medical Device Definition for Software Functions Under the 21st Century Cures Act
- Clinical Evaluation of Software as a Medical Device (SaMD)
- Clinical Decision Support Software Functions: Criteria for Non-Device Classification and Implementation Requirements
- Content of Premarket Submissions and Lifecycle Management for Artificial Intelligence and Machine Learning-Enabled Medical Devices (Draft)
- Computer Software Assurance for Production and Quality System Software (Draft)
Related references and norms
- ISO/IEC/IEEE 90003: Software engineering – Guidelines for the application of ISO 9001:2015 to computer software
- ISO 13485: Medical devices – Quality management systems – Requirements for regulatory purposes
- IEC 62304: Medical device software – Software life cycle processes
- ISO 14971: Medical devices – Application of risk management to medical devices
- IEEE Std 1012: IEEE Standard for System, Software, and Hardware Verification and Validation
Original guidance
This post is licensed under CC BY 4.0 by the author.