Software as a Medical Device (SaMD): Regulatory & Development Guide

Software as a Medical Device (SaMD) has fundamentally changed the clinical landscape. From AI-driven diagnostic image scanning to standalone smartphone apps used for real-time clinical decision-making, digital health tools are scaling faster than ever. However, understanding exactly how SaMD is regulated, classified, and maintained is critical to securing market access under current MHRA and EU Notified Body expectations.
Software as a Medical Device (SaMD)

Updated 20th June 2026

What is SaMD?

According to the International Medical Device Regulators Forum (IMDRF), SaMD is defined as software intended to perform one or more medical purposes without being part of a hardware medical device. Crucially, SaMD operates independently of any physical diagnostic or therapeutic hardware—it runs on general-purpose computing platforms, mobile devices, or in cloud environments.

Common examples of standalone medical software include:

  • Mobile apps that actively monitor or calculate insulin dosages for chronic diabetes management.

  • Computer-aided detection (CAD) software that analyzes medical images to identify malignant tumors.

  • Machine learning algorithms that process patient data streams to provide specific treatment recommendations to clinicians.

Key Architectural Note: If your software controls or directly drives a physical hardware medical device, it is typically classified as Software in a Medical Device (SiMD) or embedded firmware. If you are unsure which framework your product falls under, specialized SaMD consulting can help map your architecture before you commit to development.

Software as a Medical Device (SaMD)

Regulatory Considerations for SaMD

Navigating international regulatory frameworks remains one of the most significant hurdles for digital health startups and established manufacturers alike.

1. SaMD Under the EU MDR (2017/745)

Under the European Medical Device Regulation (MDR), the rules for software classification became substantially more stringent, particularly through the introduction of Rule 11. Most standalone software intended for diagnostic or therapeutic decision-making is automatically pushed out of Class I and into Class IIa, IIb, or Class III. This means that self-declaration is rarely an option; the vast majority of SaMD products entering the EU require a full Notified Body audit.

2. SaMD Under UK Regulations (MHRA)

In Great Britain, standalone software must comply with the Medical Devices Regulations 2002 and secure a UKCA mark. The MHRA places heavy emphasis on robust post-market monitoring and lifecycle risk management. Manufacturers must demonstrate strict adherence to ISO 14971 to identify and continuously mitigate software anomalies throughout the entire product lifecycle.

Technical and Development Challenges

  • Developing regulatory-compliant medical software requires balancing agile development speeds with rigid quality management guidelines:

    • Data Privacy and Cybersecurity: SaMD must adhere to strict data security frameworks, incorporating GDPR compliance by design alongside secure encryption protocols for transmitting patient health data.

    • Lifecycle Control (IEC 62304): Regulators require your software code to be built under a controlled lifecycle. For a comprehensive breakdown of software safety classes (Class A, B, C) and technical file documentation, see our complete guide on IEC 62304 compliance 

healthcare professional using Software as a Medical Device (SaMD)

How Specialized SaMD Consulting Drives Commercial Success

Errors made during the initial classification and design phases can lead to millions in lost development hours or catastrophic Notified Body rejections. Partnering with an experienced compliance team streamlines your route to market.

At Patient Guard, we provide end-to-end SaMD consulting to guide developers through complex digital health frameworks. Our services include:

  • Precise qualification and risk classification under EU MDR (Rule 11) and MHRA guidelines.

  • Establishing an ISO 13485 compliant Quality Management System (QMS) optimized for software lifecycles.

  • Compilation of audit-ready Technical Documentation, including software development plans, verification protocols, and traceability matrices.

  • Strategic alignment with evolving requirements, such as the EU AI Act and FDA digital health guidelines.

SaMD Regulatory & Compliance FAQ

Software qualifies as SaMD under the EU MDR if it has a specific medical intended purpose, such as diagnosing, preventing, monitoring, predicting, or treating a disease or injury. If the software merely logs data, manages administrative hospital tasks, or tracks general fitness, it does not qualify as a medical device.

SaMD can be updated as frequently as your development cycle requires, but you must implement a robust configuration and change management process under IEC 62304. Minor bug fixes or security patches rarely require regulatory re-submission, but any update that alters the core algorithm, changes the intended use, or impacts clinical safety requires a formal impact assessment and may require notifying your Notified Body or the MHRA.

Yes, AI and machine learning are increasingly common in SaMD, particularly for diagnostic imaging and triage. However, AI software faces intense regulatory scrutiny regarding algorithmic bias, transparency, and data training validation. Manufacturers must align their development with emerging frameworks like the EU AI Act and specific FDA/MHRA guiding principles for Good Machine Learning Practice (GMLP).

Cybersecurity is a core component of your technical file. Regulators expect manufacturers to implement secure lifecycle processes, perform continuous vulnerability testing, establish strict user access controls, and provide a software bill of materials (SBOM). You must demonstrate that your software is resilient against data breaches and unauthorized access that could compromise patient safety.

David Small BSc (Hons), MSc, MTOPRA

David Small BSc (Hons), MSc, MTOPRA

Reviewed by
David Small, BSc (Hons), MSc, MTOPRA
Founder & CEO |
20+ years in medical device regulatory affairs,  MDR/IVDR compliance and quality systems.

Patient Guards Recent Posts

EU Authorised Representative Services for Medical Device & IVD Manufacturers

Selling medical devices or IVDs in Europe? If your company is based outside the EU, appointing an EU Authorised Representative (EC Rep) is a legal requirement under EU MDR 2017/745 and IVDR 2017/746. Patient Guard provides expert EU Authorised Representative services, EUDAMED support, regulatory guidance, and ongoing compliance management to help manufacturers access and maintain the European market with confidence.

Read More »

Patient Guards Related Services

Patient Guards Regulatory Tools

Need Training?

Do you need training on Quality Management Systems or EU MDR/ EU IVDR? then check out our training courses.

Share this guide:

Most Popular

EU Authorised Representative Services for Medical Device & IVD Manufacturers

Selling medical devices or IVDs in Europe? If your company is based outside the EU, appointing an EU Authorised Representative (EC Rep) is a legal requirement under EU MDR 2017/745 and IVDR 2017/746. Patient Guard provides expert EU Authorised Representative services, EUDAMED support, regulatory guidance, and ongoing compliance management to help manufacturers access and maintain the European market with confidence.

Read More »
patient guard
Patient Guard

Sign up to our newsletter

Be the first to hear industry news and how Patient Guard can help you.

Get the latest updates on medical device regulation

Sign up to our newsletter and we’ll deliver news and insights straight to your inbox.
Patient Guard Regulatory Affairs and Quality Assurance

Get the Medical Device Technical Checklist

Thank you! The checklist is now ready to download.

checklist-tablet