The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document describing the current policy for device software functions and mobile medical applications. The scope of the guidance covers mobile apps that meet the definition of a device and either are intended:

  • To be used as an accessory to a regulated medical device; or
  • To transform a mobile platform into a regulated medical device. 

Should the software function fall outside the scope of the definition of a medical device, it will not be subject to regulation by the FDA. Moreover, certain software functions that actually meet the definition of a medical device could still be exempted from regulation due to the low risks associated thereto.

It is important to mention that the scope of the regulatory policy addressed in the guidance does not cover software that performs patient-specific analysis to aid or support clinical decision-making.

The authority encourages all parties conducting the development of a software function that falls within the scope of the present policy, and that could potentially be subject to regulation under the existing framework to contact the Agency and discuss the requirements.

Regulatory Approach for Device Software Functions 

The current regulatory approach employed by the FDA is based on the assumption that software functions that meet the definition of a medical device expose patients to the same risks as general medical devices and thus should be subject to the same regulatory control and oversight conducted by the FDA as general medical devices. 

According to the document, the FDA strongly recommends that manufacturers of all software and mobile apps that may meet the definition of a device follow the Quality System regulation (that includes good manufacturing practices) in the design and development of their device software functions, and initiate prompt corrections to their devices, when appropriate, to prevent patient and user harm. Additionally, the Agency states that a device software function should comply with the regulatory requirements applicable for a medical device assigned to the same class under the risk-based classification. 

As with general medical devices, software functions could be assigned to one of the following classes:

  • Class I – general controls;
  • Class II – special controls in addition to general controls;
  • Class III – premarket approval. 

It is important to note that the scope of the FDA policy is limited to the particular function that meets the definition of a medical device. Usually, such a function is intended to facilitate the use of a non-medical platform in a medical device subject to regulatory overview. In order to assist the parties involved in the development of such software in determining whether it is subject to regulation under the existing framework, the guidance further provides examples of software functions that would be treated as device software functions, namely:

  1. Software function intended to be connected to a medical device for further processing data deriving from it or controlling the operations of such device. According to the guidance, such software functions should be regulated as accessories to the medical devices with which they are intended to work. Thus, when assessing a device function of this type, the authority will pay special attention to the extent to which it is connected to a medical device in order to identify and assess the risks associated thereto. Consequently, device software functions of this type should comply with any and all regulatory requirements that are applicable for the devices with which they are intended to be used in accordance with their class under the risk-based classification. 
  2. Software function transforming a mobile platform into a medical device that is subject to regulation. For this purpose, a software function could require the use of additional sensors or attachments. Usually, a software function of this type is a mobile app. For example, an attachment of electrocardiograph (ECG) electrodes to a mobile platform to measure, store, and display ECG signals, or a software function that uses sensors (internal or external) on a mobile platform for creating electronic stethoscope function is considered to transform the mobile platform into an electronic stethoscope. In such cases, medical device manufacturers creating such products would have to ensure compliance with the regulatory requirements applicable to such devices. The authority also mentions that several mobile apps operating as described above have already been approved for use in the US. 
  3. Software function that becomes a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. Similar operations are performed by medical devices already placed on the market under the general regulatory framework. For instance, this could be a software function intended to analyze data collected from another medical device, including Computer Aided Detection software (CAD) image processing software

As mentioned, the FDA encourages developers to seek additional advice if there is any lack of clarity regarding the regulatory status of the device software function in question.

Software Functions Subject to Exemption 

The guidance also outlines the cases when the regulating authority will not enforce general requirements set forth under the Food, Drug, and Cosmetic (FD&C) Act. In particular, the FDA intends to exercise enforcement discretion for software functions that:

  1. Help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions; or
  2. Automate simple tasks for health care providers. 

According to the applicable regulatory requirements, certain software functions falling within the scope outlined above should be considered device software functions, while others shouldn’t. The approach to be applied by the Agency for determining whether the particular device should be subject to regulation and whether the regulatory requirements corresponding to the respective class should be enforced depends on the risks associated with such software function. In particular, the FDA will extend the scope of the enforcement discretion to software functions intended to: 

  • Provide or facilitate supplemental clinical care;
  • Simplify access to patient-related data, including the details about conditions and treatment;
  • Assist patients in communicating with healthcare providers; 
  • Perform routine calculations used in daily operations.

In summary, the present guidance outlines the scope of device software functions that are subject to regulatory oversight due to the risks associated thereto and also highlights the most important aspects to be considered by medical device manufacturers (software developers) when determining the regulatory status of their product. The policy also describes cases when the Agency will exempt certain software functions from the regulatory oversight due to the low risks associated thereto and provides examples of such functions. 


How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple. ​