Software as a Medical Device (SaMD) is defined by the International Medical Device Regulators Forum (IMDRF) as software intended to be used for one or more medical purposes that performs those purposes without being part of a hardware medical device. SaMD is a standalone entity that runs on general-purpose computing platforms, such as smartphones, cloud servers, or workstations, and is itself the medical device—not a component driving or controlling a physical instrument.
Glossary
Software as a Medical Device (SaMD)

What is Software as a Medical Device (SaMD)?
Software as a Medical Device (SaMD) is software intended to be used for one or more medical purposes that performs those purposes without being part of a hardware medical device.
The classification and regulatory scrutiny of SaMD are determined by the intended use statement and the risk posed to the patient. A diagnostic radiology AI that detects stroke in CT scans is a high-risk SaMD requiring rigorous clinical validation, while a mobile app that calculates insulin dosage based on user inputs is also regulated but may follow a different pathway. SaMD must comply with lifecycle standards like IEC 62304 for software development and ISO 14971 for risk management, ensuring that every algorithm update is traceable and validated.
Key Characteristics of SaMD
Software as a Medical Device (SaMD) is defined by its independence from hardware and its direct role in clinical decision-making. The following characteristics distinguish SaMD from general-purpose software or software that merely drives a hardware medical device.
Hardware Independence
SaMD operates on general-purpose computing platforms (e.g., smartphones, cloud servers, workstations) without being embedded in a physical medical device. Its medical functionality is entirely software-driven.
- Key distinction: If the software is necessary for a hardware medical device to function, it is not SaMD—it is software in a medical device (SiMD).
- Example: A radiology image processing app running on a commercial tablet is SaMD; the firmware inside an MRI machine is not.
Intended Medical Purpose
SaMD must perform one or more medical purposes without being part of a hardware medical device. These purposes include:
- Diagnosis or screening: Detecting or identifying a disease or condition.
- Monitoring: Tracking physiological processes or disease progression.
- Prediction: Forecasting the likelihood of a clinical event or outcome.
- Treatment or therapy: Providing recommendations that directly influence patient management.
- Mitigation: Reducing the severity of a disease or condition.
Risk-Based Classification
SaMD is classified by regulatory bodies based on the severity of the clinical condition and the significance of the information it provides to the healthcare decision.
- Class I (Low Risk): Software that informs clinical management for non-serious conditions.
- Class II (Moderate Risk): Software that aids in diagnosis or triage for serious conditions.
- Class III (High Risk): Software that provides critical information for life-threatening conditions where an error could lead to patient death or irreversible harm.
- Example: A melanoma detection app suggesting biopsy is Class III; a calorie tracking app is not SaMD at all.
Regulatory Submission Pathway
The route to market depends on the device's novelty and risk profile:
- 510(k) Premarket Notification: Demonstrates substantial equivalence to a legally marketed predicate device. Most common for moderate-risk SaMD.
- De Novo Classification: For novel devices of low-to-moderate risk with no predicate. Creates a new classification regulation.
- Premarket Approval (PMA): The most stringent pathway, reserved for high-risk Class III devices requiring clinical evidence of safety and effectiveness.
- Example: An AI-based retinal screening tool with no predicate would pursue the De Novo pathway.
Continuous Learning Distinction
SaMD is categorized by whether its algorithm changes after deployment:
- Locked Algorithm: The model's parameters are fixed. Any update requires a new regulatory submission unless covered by a Predetermined Change Control Plan (PCCP).
- Adaptive Algorithm: The model learns from new data in real time. This requires rigorous pre-authorization of the learning mechanism, boundaries, and monitoring plan.
- Regulatory expectation: Manufacturers must define the scope of allowed modifications before deployment, not seek forgiveness after.
Lifecycle Documentation Requirements
SaMD development demands a structured Quality Management System (QMS) and comprehensive documentation:
- IEC 62304: Governs software development lifecycle processes, from planning to maintenance.
- ISO 14971: Mandates systematic risk management throughout the product lifecycle.
- Design History File (DHF): A complete record proving the device was developed according to the approved design plan.
- Software Bill of Materials (SBOM): A formal inventory of all third-party and open-source components, critical for cybersecurity risk assessment.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about Software as a Medical Device (SaMD) and its regulatory framework, designed for engineering and regulatory affairs leadership.
Software as a Medical Device (SaMD) is software intended to be used for one or more medical purposes that performs those purposes without being part of a hardware medical device. The definitive definition comes from the International Medical Device Regulators Forum (IMDRF) , which specifies that SaMD is a medical device in its own right, not software that drives or controls a physical medical instrument. SaMD operates on general-purpose computing platforms, such as smartphones, cloud servers, or workstations, and can be deployed across multiple hardware systems. The critical distinction is the intended purpose: if the software analyzes patient data to diagnose, treat, mitigate, or prevent a disease, it is SaMD. Software that merely stores medical records, facilitates billing, or manages administrative workflows is explicitly excluded. The FDA's Digital Health Center of Excellence provides guidance on this boundary, emphasizing that the clinical function—not the platform—determines the classification.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding SaMD requires familiarity with the interconnected regulatory concepts that govern its development, clearance, and post-market lifecycle.
Intended Use & Indications for Use
The foundational regulatory statements that define a SaMD's purpose and scope. The Intended Use Statement declares the general purpose (e.g., diagnosis, screening), while the Indications for Use precisely specify the patient population, anatomical site, and clinical context. These statements determine the device classification and the stringency of the required premarket submission. A narrow, well-defined indication is critical for a successful regulatory pathway.
IEC 62304: Software Lifecycle
The international standard for medical device software development and maintenance. It classifies software safety into three classes (A, B, C) based on the severity of potential harm. Compliance requires a documented Software Development Plan, rigorous Software Requirements Specification, and detailed architectural design. For SaMD, this standard mandates strict configuration management and problem resolution processes throughout the entire lifecycle.
Predetermined Change Control Plan (PCCP)
A regulatory mechanism specifically for machine learning-enabled SaMD. A PCCP is an FDA-authorized plan that details the types of modifications a manufacturer intends to make to a model post-clearance without requiring a new 510(k). It defines the SaLPM (Software as a Medical Device Pre-Specifications)—the planned changes to performance, inputs, or intended use—and the Algorithm Change Protocol (ACP)—the verification methods to ensure safety and effectiveness are maintained.
Clinical Evaluation & Analytical Validation
The evidence generation process required to demonstrate a SaMD's safety and performance. Analytical Validation assesses the technical accuracy of the algorithm's output in a controlled setting. Clinical Evaluation goes further, verifying that the device achieves its intended purpose in the target patient population, generating real-world clinical data. This process is continuous, feeding into Post-Market Surveillance (PMS) to monitor ongoing safety.
Cybersecurity Risk Management
A mandatory, iterative process for SaMD, governed by FDA guidance. It requires a Cybersecurity Risk Assessment to identify threats and vulnerabilities, a Software Bill of Materials (SBOM) to list all third-party components, and a plan for coordinated vulnerability disclosure. The goal is to ensure the device's safety and effectiveness are not compromised by cyber exploits, with security controls integrated into the design from the outset.
Quality Management System (QMS)
The formalized organizational backbone for SaMD development, typically aligned with ISO 13485. A QMS documents all processes, procedures, and responsibilities for design, production, and post-market activities. Key outputs include the Design History File (DHF), which proves the device was developed according to plan, and the CAPA (Corrective and Preventive Action) system, which manages nonconformities and drives continuous improvement.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us