The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices, has developed a guidance document dedicated to the device software functions and mobile medical applications. The latest version of the policy was issued in September 2019.

Due to its legal nature, the document provides additional non-binding recommendations and clarifications on the matter but does not introduce new rules and requirements. The Agency explicitly states that an alternative approach could be applied, provided such an approach complies with the respective regulatory requirements and has been approved by the Agency in advance.

Regulatory Background 

The Agency acknowledges the increasing importance of software applications and mobile apps used for medical purposes. Nowadays, they offer a wide range of functions related to the healthcare sphere. In order to ensure legal clarity, the FDA has developed the present policy describing how existing legislation should be applied. The aspects highlighted therein should be considered by the medical device manufacturers (software developers), distributors, and other parties involved in operations with medical devices. In particular, the document outlines the scope of software products and functions subject to supervision and regulation by the FDA under the current regulatory framework. 

The scope of the present guidance covers such concepts as “Software as a Medical Device (SaMD)” and “Software in a Medical Device (SiMD),” together referred to as “device software functions.” According to the document, software functions that meet the definition of a device may be deployed on mobile platforms, other than general-purpose computing platforms, or in the function or control of a hardware device; if a software function that meets the definition of a device is deployed on a mobile platform, it may be referred to as a “mobile medical app.” However, the regulatory approach the guidance describes could be applied irrespectively of the particular platform the software in question runs on. Thus, its scope covers the software functions running on both mobile platforms and general-purpose computing platforms. 

The Agency also acknowledges that certain software functions fall outside the definition of a medical device set forth by the Federal Food, Drug, and Cosmetic (FD&C) Act. Hence, they also fall beyond the scope of authority of the FDA. Moreover, in certain cases, even if the software function formally meets the definition of a medical device, it could still be subject to exemption due to the low risk associated thereto. In such a case, the regulating authority would abstain from enforcing the applicable requirements. 

In general, the regulatory approach utilized by the Agency is based on the software functions and not the platform upon which they are running. As stated in the guidance, the FDA intends to apply its regulatory oversight to only those software functions that are medical devices and whose functionality could pose a risk to patient`s safety if the device were to not function as intended. 

The recommendations provided in the present FDA guidance on software functions are intended to clarify how the regulatory requirements should be applied. The document also contains references to the applicable FDA-recognized voluntary consensus standards the medical device manufacturers may use in order to demonstrate conformity with the applicable regulatory requirements. 

General Principles 

The Agency states that the complexity of mobile apps is increasing together with general technological improvements and increases in the computational power of portable devices. Depending on the intended purpose, mobile applications could be used in numerous situations. 

The two main ways they could be used are:

1. Assisting individuals in their own health and wellness management. In most cases, the risks associated with such use are relatively low, and so are the regulatory requirements to be applied. 

2. Assisting healthcare professionals in providing care to the patients. Due to the significant risks associated with such use, a risk-based approach should be applied. The responsible entity shall identify and evaluate the risks associated with the use of its software product and duly implement the measures and controls necessary to ensure it is used in a safe and efficient manner and that the risks associated thereto will be reduced to the lowest extent possible. 

The basics of the regulatory approach to software products used in the healthcare sphere were developed by the FDA in 1989. In particular, they were described in the document “FDA Policy for the Regulation of Computer Products,” also known as the “Draft Software Policy.” However, the Agency acknowledges that the complexity of software products has increased dramatically from that time. Hence, the regulatory approach requires improvement as well. In response to new issues arising, the aforementioned document was repealed in 2005. 

Despite the formal absence of a general regulatory policy for software products used for medical purposes, the FDA applies an approach based on the classification of software products falling within the scope of the definition of a medical device set forth by the FD&C Act. Such a classification should be used to determine the particular regulatory requirements to be applied. According to the document, the Agency has already decided that when a software application is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device or as medical device software. Currently, such products are covered by the scope of the definition of a “Software as a Medical Device (SaMD).” 

The FDA additionally emphasizes the importance of proper evaluation of risks associated with the software produces. Moreover, such risks could be quite specific due to the specific nature of software products themselves, as well as the platform used. The Agency provides an example of when the interpretation of radiological images could be adversely affected by the smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform. Thus, all such risks should be taken into consideration when developing a regulatory approach to such products. 

The Agency also reserves the right to improve and modify the approach described in the present guidance, should it be reasonably necessary to address newly identified risks or introduce the amendments related to the advancement of technologies in general. 

Key Definitions 

In order to assist medical device manufacturers and other parties involved in interpreting and applying existing regulations, the guidance also provides the definitions of the most important terms and concepts used in this context. The definitions described in the guidance include the following: 

  • Mobile platform – a commercial off-the-shelf (COTS) computing platform, with or without wireless connectivity, that is handled in nature. 
  • Mobile application (app) – a software application that can be executed on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server.

Apart from the ones listed above, the document also provides the definitions of such terms as “mobile medical application,” “regulated medical device,” and “mobile medical app manufacturer.” 

In summary, the present guidance describes the policy to be applied with regard to mobile applications meeting the definition of a medical device. The document highlights the key aspects to be considered when applying a risk-based approach used to determine the particular requirements the software in question should be subject to. 


How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple. ​