In the course of continuous improvement of the regulatory framework for software as a medical device (SaMD), the International Medical Device Regulators Forum (IMDRF) has developed a new approach to SaMD risk categorization and corresponding consideration. The proposed regulatory principles published by the IMDRF, a voluntary association of medical device regulating authorities, should be taken into consideration for the purpose of the national regulations` development and improvement. 

Regulatory Background 

Nowadays the role the software plays in healthcare increases dramatically since it is being actively used for medical and non-medical needs and purposes. The IMDRF additionally emphasizes that the software is actually used as a part of a complex system that also includes hardware, networks, and people operating it. 

According to the general approach which is commonly used nowadays, the medical software is the one that meets the definition of a medical device and, hence, is treated accordingly. Today the regulations are paying most attention to the medical device software being a part of medical equipment (hardware medical devices) and are covering the aspects associated with the potential risks associated with the direct harm to the patient`s health. At the same time, more and more software products could be used separately for medical purposes – for example, using general-purpose hardware or cloud-based platforms. This peculiarity of modern medical software, together with the increasing role of connections and networks, results in quite specific features and behavior requiring an entirely new regulatory approach. In particular, the IMDRF outlines the following features requiring special attention:

  • The behavior of software as a medical device could differ substantially depending on the platform it is deployed on, 
  • The users of the medical software should duly monitor the updates issued by the manufacturer (developer) and install them in a timely manner to ensure the safety and effectiveness,
  • It is quite difficult to control and monitor the spreading of the medical software since it exists only in the intangible form and thus could be easily replicated without any restrictions (except cases when special technical measures are in place to prevent unauthorized use). 

The lifecycle of the software as a medical device is also different since it has shorter development cycles, faster distribution, and frequent changes made by its manufacturer (developer) to improve the safety and performance. 

The present IMDRF recommendations are dedicated solely to the software as a medical device – software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device. The document is intended to describe the general approach to be applied by the national regulating authorities and legislative bodies in the context of the SaMD regulations. However, it should not be construed as a substitution for any existing categorization rules and requirements.

IMDRF SaMD Recommendations: the Scope 

By publishing the present document, the IMDRF intends to: 

  • Introduce a unified vocabulary and categorization approach,
  • Outline the requirements regarding the way SaMD should be described and the information to be provided in order to be sufficient for the decision-making process,
  • Describe the criteria to be used for SaMD risk categorization,
  • Provide the appropriate considerations to be applied at all the steps of the lifecycle of medical software.  

As it was already mentioned before, the SaMD risk categorization developed by the IMDRF is not intended to replace the existing one, but to describe an approach to be considered. Actually, it is mostly a suggested common approach to the SaMD risk categorization in general, rather than particular rules to be implemented as part of the national legislation since such an implementation would require a significant alignment and harmonization with the existing regulatory framework. Moreover, the IMDRF states that the suggested approach should not impact any risk-related standards, requirements, or risk management activities.

First of all, the document issued by the IMDRF provides the definitions of the most important terms used in the context of SaMD. The document also outlines certain aspects associated with the most important concepts associated with medical devices, such as a medical purpose or changes to SaMD. The IMDRF also describes the aspects impacting significantly the safety of the patients – for example, the output information and the way it should be used. According to the document, the most important factors are:

  1. Significance of the information provided by the SaMD to the healthcare decision, and
  2. State of the healthcare situation or condition. 

These factors should be also taken into consideration for the purpose of SaMD characterization.

SaMD Characterization 

The two factors associated with the use of the SaMD described hereabove are being used as a basis for the evaluation of factors important for the characterization of the software as a medical device. 

From the point of significance of the information provided by SaMD to healthcare decisions, the IMDRF suggests to distinguish the following categories:

  • Treating or diagnosing,
  • Driving clinical management,
  • Informing clinical management.

From the point of healthcare situation or condition the software is intended to be used in, the IMDRF outlines the following: 

  • Critical situation or condition, 
  • Serious situation or condition, 
  • Non-serious situation or condition.

SaMD Definition Statement 

Another important concept associated with medical software is a defining statement. Under the general rule, the indication of the intended use of SaMD should be included in various sources of information to be provided by the medical software manufacturer (developer), including specifications and instructions for use. 

According to the IMDRF recommendations on SaMD risk categorization, the definition statement should be used by the manufacturer to determine the categorizing framework and also to manage changes that could potentially result in changes to the category the particular medical software should be assigned to. The IMDRF states that the definition statement should consist of the following elements: 

  1. The indication of the significance of the information provided by the SaMD to the healthcare decision, i.e. the intended medical purpose of the SaMD.


  • The state of the healthcare situation or condition the SaMD is intended for. 


Description of the SaMD`s core functionality – the section describing the most important functions and features of the SaMD.

SaMD Risk Categorization 

Besides the characterization rules and definition statement concept, the IMDRF recommendations on SaMD risk categorization describe the proposed approach to SaMD risk categorization. As it was already mentioned before, it should be based on the factors outlined in the SaMD definition statement. The IMDRF also suggests a set of principles to be applied in the context of SaMD risk categorization, namely:


  • The SaMD definition statement should be complete and accurate since it should be used as a basis for categorization, 
  • The particular categories the SaMD should be assigned to would actually depend on the combination of both the significance of the information and the healthcare situation or condition,
  • Depending on the level of impact, the four categories (I, II, III, and IV respectively) should be applied for SaMDs, 
  • Among the aforementioned categories, the Category I should be associated with the lowest impact, while the Category IV with the highest,
  • In case if due to the intended use of the SaMD indicated in the SaMD definition statement provided by the manufacturer several categories are applicable, the highest one should be applied, 
  • In case of significant changes to the software impacting the definition statement, the categorization should be changed accordingly, 
  • Each SaMD should be assigned to a separate category even if it is intended to be used in connection with other devices (both software and hardware) or networks.


Summarizing the information provided here above, the IMDRF recommendations on SaMD risk categorization describe the suggested approach to the characterization and categorization of SaMDs depending on the intended purpose, including the importance of the information provided by the SaMD and the healthcare situations and conditions it is intended to be used in. 

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.