Medical Device Software Regulations (WIP)


The purpose of this lesson is to familiarize you with the processes for bringing medical device software to market and for maintaining postmarket compliance. The terminology matters when communicating with clients and regulatory consultants.

Learning Material

Please carefully read the article A Brief Introduction to the United States Medical Software Regulations, for Developers and the articles linked therein. Also peruse the various articles at this FDA website (many of which are linked to by the Innolitics article).


To learn as much as possible from these exercises, write your responses before revealing the provided answers. If any exercises seem irrelevant, you can skip them and instead write a justification as to why they are unimportant. These justifications will help us improve the lesson for future employees.

Exercise 1

What government agency is responsible for regulating medical devices? Trace its place in the hierarchy of governmental agencies and departments up to the executive branch.


The agency responsible for regulating medical devices is the Center for Devices and Radiological Health (CDRH). CDRH is a center within the Food and Drug Administration (FDA), which is an agency of the cabinet-level Department of Health and Human Services (HHS). HHS is an executive department whose Secretary reports to the President, so the chain is CDRH, then FDA, then HHS, then the President.

Exercise 2

What is considered a medical device?


Here is a single-sentence summary: a medical device is an instrument, apparatus, software, or similar article intended to diagnose, treat, or prevent disease, or to affect the structure or function of the body, that does not achieve its primary intended purpose through chemical action within or on the body and is not dependent on being metabolized.

The full definition is given in Section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); the chemical-action and metabolism carve-outs are what separate devices from drugs.


Exercise 3

What is considered software as a medical device (SaMD)? What are other types of software (non-SaMD) that are related and used in medical devices?


Quoting the FDA, SaMD is,

Software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.

Related to, but distinct from, SaMD are:

  1. Software in a medical device (SiMD): software that is part of, or embedded in, a hardware medical device
  2. Software used in the manufacture or maintenance of a medical device, such as production, calibration, or test software


Exercise 4

What are the kinds of pathways towards marketing a device in the United States and what are the differences between them?

  • 510(k) premarket notification: used when the device can be shown to be substantially equivalent to a legally marketed predicate device (same intended use, and either the same technological characteristics or different ones that raise no new questions of safety and effectiveness); a successful 510(k) results in clearance
  • De Novo classification request: used for novel low-to-moderate-risk devices with no predicate, where general controls (and, for Class II, special controls) provide reasonable assurance of safety and effectiveness; a granted De Novo creates a new classification that later devices can cite as a predicate
  • Premarket approval (PMA): required for high-risk (Class III) devices; the most rigorous pathway, requiring valid scientific evidence, usually including clinical data, of safety and effectiveness; a successful PMA results in approval

Note also that many Class I and some Class II devices are 510(k)-exempt and may be marketed without any premarket submission, though the manufacturer must still register, list the device, and comply with the applicable general controls.


Exercise 5

The word premarket prefixes many phrases, and it is important to distinguish what each phrase refers to.

What are the differences between

  • premarket submission?
  • premarket notification?
  • premarket approval?
  • premarket clearance?

A premarket submission is the general term for any request that the FDA review a device before it is marketed; depending on the pathway (510(k), PMA, or De Novo), the review ends in clearance, approval, or classification, respectively. Premarket notification is the formal name of a 510(k) submission (in full, Premarket Notification 510(k)); a successful one is said to be cleared, never approved. Premarket approval (PMA) names both the pathway for Class III devices and its outcome: a successful PMA is approved. Premarket clearance is therefore the outcome of a 510(k), not a pathway of its own. Calling a cleared device "FDA approved" is a common mistake, and the FDA objects to it in labeling and promotion.

Exercise 6

What is the intended purpose of a quality management system (QMS)?


A QMS is the set of documented processes (management responsibility, design controls, risk management, purchasing and production controls, complaint handling, corrective and preventive action, and so on) by which a manufacturer ensures that its devices consistently meet their requirements and the applicable regulations throughout the product lifecycle, from design through postmarket surveillance. In the United States the FDA requires one under 21 CFR Part 820; ISO 13485 is the corresponding international standard. Postmarket, the QMS is what keeps a device in compliance as complaints, design changes, and field issues arise.


Exercise 7

In the context of medical devices, what are the differences between regulations, guidance documents, and standards? Write an example of each one.


Regulations are legally binding rules that the FDA issues under the authority of statutes such as the FD&C Act; they are codified in Title 21 of the Code of Federal Regulations (e.g., 21 CFR Part 820, the quality system requirements, or 21 CFR Part 807, which covers 510(k) premarket notification). Guidance documents are not legally binding; they describe the FDA's current thinking on how to comply with regulations (e.g., the guidance "Content of Premarket Submissions for Device Software Functions"). Standards are consensus documents published by bodies such as ISO and IEC that provide a common language for showing that a device has certain properties or meets certain criteria (e.g., IEC 62304 for medical device software lifecycle processes, or ISO 14971 for risk management). The FDA maintains a list of recognized consensus standards, and declaring conformance to a recognized standard can simplify showing that a device follows a guidance document or meets a regulation.



Exercise 8

What act protects protected health information (PHI)?


The Health Insurance Portability and Accountability Act (HIPAA)

Exercise 9

How does HIPAA define a covered entity? Is Innolitics a covered entity? Are our clients typically covered entities?


HIPAA defines covered entities as entities belonging to one of the three categories listed below.

  • Health care providers
  • Health plans
  • Health care clearinghouses

An example in the health care provider category is a medical doctor or a hospital, and an example under the health plan category is a health insurance company; the HHS covered entities guidance lists more.

Innolitics is not a covered entity, and Innolitics’ clients are usually not covered entities either. Either may still be a business associate (see Exercise 10) if PHI is handled on a covered entity’s behalf.


Exercise 10

What is a business associate and how does one interact with covered entities?


Quoting the HHS,

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

To make a crude analogy, with respect to PHI a covered entity is the front end while business associates are the backend services it delegates work to. A covered entity may share PHI with a business associate only under a written business associate agreement (BAA) that binds the associate to HIPAA's safeguards, and since the HITECH Act business associates (and their subcontractors) are directly liable for violations of the Security Rule and the applicable parts of the Privacy Rule, not just liable through their contract. A software or device vendor that receives, stores, or transmits PHI for a hospital is the typical way a company like ours, or one of our clients, ends up under HIPAA.

Continuous Lesson Improvement

Please help us make these lessons as relevant and up-to-date for future engineers as possible!

You can help in several ways:

  • Shorten or clarify the writing. We're all busy and less is more.
  • Ask if the purpose of the lesson is unclear. We want all of the lessons to seem useful.
  • Remove exercises or learning material that aren't useful.
  • Add more exercises, exercise answers, or learning material as appropriate.

You can quickly open the lesson page in the GitHub editor. Create a new branch and pull request and assign it to David.