2019 FDA Guidance - Policy for Device Software Functions and Mobile Medical Applications

Innolitics introduction 🔗

This guidance is important for anyone developing a mobile app that is a medical device. It also provides some insight into FDA’s thinking about Software as a Medical Device (SaMD) more broadly.

At Innolitics, we help companies create and clear medical-device software. If you could use help with regulatory strategy surrounding medical devices, or are interested in building a “mobile medical application,” we’d be happy to help you get onto the market.

Preamble 🔗

Document issued on September 28, 2022.

For questions about this document regarding CDRH-regulated devices, contact the Division of Digital Health by e-mail at digitalhealth@fda.hhs.gov.

For questions about this document regarding CBER-regulated devices, contact the Office of Communication, Outreach, and Development (OCOD) at 1-800-835-4709 or 240-402-8010.

Contains non-binding guidance.

I. Introduction 🔗

The Food and Drug Administration (FDA) recognizes the advances in software functionality, the rapid pace of innovation, and their potential benefits and risks to public health. FDA is issuing this guidance document to inform manufacturers, distributors, and other entities about how FDA intends to apply its regulatory authorities to select software functions intended for use on mobile platforms (mobile applications or “mobile apps”) or on general-purpose computing platforms. Given the rapid expansion and broad applicability of software functions deployed on mobile or other general-purpose computing platforms, FDA is issuing this guidance document to clarify the subset of software functions to which FDA intends to apply its authority.

FDA refers to software functions that are device functions as “device software functions.” Device software functions may include “Software as a Medical Device (SaMD)” and “Software in a Medical Device (SiMD).”¹𝄒² Software functions that meet the definition of a device may be deployed on mobile platforms, other general-purpose computing platforms, or in the function or control of a hardware device. If a software function that meets the definition of a device is deployed on a mobile platform, it may be referred to as a “mobile medical app.” The policies described in this guidance are independent of the platform on which they might run, are function-specific, and apply across platforms. Therefore, the policies described using terms such as “mobile medical apps,” “mobile medical app manufacturers,” “device software functions,” and “device software function manufacturers” are not specific to whether the function is deployed on a mobile platform or other general purpose-computing platform.

Many software functions are not medical devices (meaning such software functions do not meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act)), and FDA does not regulate them as devices. Some software functions may meet the definition of a medical device, but because they pose a lower risk to the public, FDA intends to exercise enforcement discretion over these devices (meaning it does not, at this time, intend to enforce requirements under the FD&C Act).

Consistent with FDA’s existing oversight approach that considers functionality of the software rather than platform, FDA intends to apply its regulatory oversight to only those software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to not function as intended.

FDA is issuing this guidance to provide clarity and predictability for software manufacturers. This document was previously updated to be consistent with the guidance “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices,” originally issued on February 9, 2015.³ This guidance was also updated on September 27, 2019, to be consistent with section 3060(a) of the 21st Century Cures Act (Cures Act), which amended section 520 of the FD&C Act, removing certain software functions from the definition of device in section 201(h) of the FD&C Act. The guidance was minorly updated in accordance with the changes described in the guidance “Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act.”⁴ Examples of mobile apps and software on the FDA website⁵ (that were added after September 25, 2013) were incorporated into the appropriate appendices of this document for consistency. This guidance also is now being minorly updated to reflect the issuance of the final rule, “Medical Devices; Medical Device Classification Regulations To Conform to Medical Software Provisions in the 21st Century Cures Act” (86 FR 20278)⁶ and the guidance “Clinical Decision Support Software” (referred to as CDS guidance throughout the rest of this document) issued on September 28, 2022⁷ in this latest revision.

For the current edition of FDA-recognized standard(s) referenced in this document, see the “FDA Recognized Consensus Standards Database.”⁸ For more information regarding use of consensus standards in regulatory submissions, please refer to the FDA guidances titled “Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices”⁹ and “Standards Development and the Use of Standards in Regulatory Submissions Reviewed in the Center for Biologics Evaluation and Research.”¹⁰

In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.

II. Background 🔗

As mobile platforms become more user friendly, computationally powerful, and readily available, innovators have begun to develop mobile apps of increasing complexity to leverage the portability mobile platforms can offer. Some of these new software functions are specifically targeted to assist individuals in their own health and wellness management. Other software functions are targeted to health care professionals as tools to improve and facilitate the delivery of patient care.¹¹

In 1989, FDA prepared a general policy statement on how it planned to determine whether a computer-based product and/or software-based product is a device, and, if so, how FDA intended to regulate it. The document, “FDA Policy for the Regulation of Computer Products,” became known as the “Draft Software Policy.” After 1989, however, the use of computer and software products as medical devices grew exponentially and the types of products diversified and grew more complex (and that trend has continued). As a result, FDA determined that the draft policy did not adequately address all of the issues related to the regulation of all medical devices containing software. Therefore, in 2005, the Draft Software Policy was withdrawn.¹²

Although FDA has not issued an overarching software policy, the Agency has formally classified certain types of software applications that meet the definition of a device and, through classification, identified specific regulatory requirements that apply to these devices and their manufacturers. These software devices include products that feature one or more software components, parts, or accessories, as well as devices that are composed solely of software.

FDA has previously clarified that when a software application is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device¹³ or as medical device software. In 2014, the International Medical Device Regulators Forum established globally harmonized vocabulary for such software applications and defined the term “Software as a Medical Device (SaMD).”¹⁴

As is the case with traditional medical devices, certain software functions that are device functions (referred to in this document as “device software functions”) can pose potential risks to public health. Moreover, certain device software functions may pose risks that are unique to the characteristics of the platform on which the software function is run. For example, the interpretation of radiological images on a mobile device could be adversely affected by the smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform. FDA intends to take these risks into account in assessing the appropriate regulatory oversight for these products.

Additionally, the Cures Act, enacted on December 13, 2016, amended section 520 of the FD&C Act to remove certain software functions from the definition of device (201(h) of the FD&C Act). FDA has published the following guidance documents that help provide clarity on the types of software functions that do not meet the definition of device:

• Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act¹⁵
• Clinical Decision Support Software¹⁶
• Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices¹⁷
• General Wellness: Policy for Low Risk Devices¹⁸

This guidance clarifies and outlines FDA’s current thinking. The Agency will continue to evaluate the potential impact these technologies might have on improving health care, reducing potential medical mistakes, and protecting patients.

III. Definitions 🔗

A. Mobile Platform 🔗

For purposes of this guidance, “mobile platforms” are defined as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as smart phones, tablet computers, or other portable computers.

B. Mobile Application (Mobile App) 🔗

For purposes of this guidance, a mobile application or “mobile app” is defined as a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.

C. Mobile Medical Application (Mobile Medical App) 🔗

For purposes of this guidance, a “mobile medical app” is a mobile app that incorporates device software functionality that meets the definition of a device in section 201(h) of the FD&C Act;¹⁹ and either is intended:

• to be used as an accessory to a regulated medical device; or
• to transform a mobile platform into a regulated medical device.

The intended use of a mobile app determines whether it meets the definition of a “device.” As stated in 21 CFR 801.4,²⁰ intended use may be shown by labeling²¹ claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device under section 201(h) of the FD&C Act if it is not a software function excluded from the device definition by section 520(o) of the FD&C Act.

One example is a mobile app that makes a light emitting diode (LED) operate. If the manufacturer intends the system to illuminate objects generally (i.e., without a specific medical device intended use), the mobile app would not be considered a medical device. If, however, through marketing, labeling, and the circumstances surrounding the distribution, the mobile app is promoted by the manufacturer for use as a light source for doctors to examine patients, then the intended use of the light source would be similar to a conventional device such as an ophthalmoscope.

In general, if a software function is intended for use in performing a medical device function (i.e., for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease), it is a medical device, regardless of the platform on which it is run. For example, mobile apps intended to run on smart phones to analyze and interpret EKG waveforms to detect heart function irregularities would be considered similar to software running on a desktop computer that serves the same function, which is regulated under 21 CFR 870.2340 (“Electrocardiograph”). FDA’s oversight approach to software functions is focused on their functionality, just as we focus on the functionality of conventional devices. Our oversight is not determined by the platform. Under this guidance, FDA would not regulate the sale or general/conventional consumer use of smartphones or tablets. FDA’s oversight applies to software functions performing medical device functions, such as when a mobile medical app or software application transforms a mobile platform or a general purpose computing platform into a medical device. However, as previously noted, we intend to apply this oversight authority only to those software applications whose functionality could pose a risk to a patient’s safety if the software applications were to not function as intended.

D. Regulated Medical Device 🔗

For purposes of this guidance, a “regulated medical device” is defined as a product that meets the definition of device in section 201(h) of the FD&C Act and that has been cleared or approved by FDA’s review of a premarket submission or otherwise classified by FDA.

This definition can include novel devices, whether or not on a mobile platform, that FDA will clear or approve by the review of a premarket submission or otherwise classify. Examples of regulated medical devices are identified in Appendix C.

E. Mobile Medical App Manufacturer 🔗

For purposes of this guidance, a “mobile medical app manufacturer” is any person or entity that manufactures mobile medical apps in accordance with the definitions of manufacturer in 21 CFR Parts 803, 806, 807, and 820.²² A mobile medical app manufacturer may include anyone who initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components. This term does not include persons who exclusively distribute mobile medical apps without engaging in manufacturing functions; examples of such distributors may include owners and operators of mobile application stores (“app stores”). Examples of mobile medical app manufacturers include any person or entity that:

• Creates, designs, develops, labels, re-labels, remanufactures, modifies, or creates a mobile medical app software system from multiple components. This could include a person or entity that creates a mobile medical app by COTS software components and markets the product to perform as a mobile medical app;
• Initiates specifications or requirements for mobile medical apps or procures product development/manufacturing services from other individuals or entities (second party) for subsequent commercial distribution. For example, when a “developer” (i.e., an entity that provides engineering, design, and development services) creates a mobile medical app from the specifications that were initiated by the “author,” the “author” who initiated and developed specifications for the mobile medical app is considered a “manufacturer” of the mobile medical app under 21 CFR 803.3. For purposes of this guidance, manufacturers of a mobile medical app would include persons or entities who are the creators of the original idea (initial specifications) for a mobile medical app, unless another entity assumes all responsibility for manufacturing and distributing the mobile medical app, in which case that other entity would be the “manufacturer.”²³ Software “developers” of a mobile medical app that are only responsible for performing design and development activities to transform the author’s specifications into a mobile medical app would not constitute manufacturers, and instead the author would be considered the manufacturer;
• Creates a mobile medical app and hardware attachments for a mobile platform that are intended to be used as a medical device by any combination of the mobile medical app, hardware attachments, and the mobile platform;
• Creates a mobile medical app or a software system that provides users access to the medical device function through a website subscription, software as a service,²⁴ or other similar means.

In contrast, the following are examples of persons or entities that are NOT considered to be mobile medical app manufacturers (i.e., persons not within the definition of manufacturer in 21 CFR Parts 803, 806, 807, and 820). Because they are not manufacturers, none of the persons or entities in these examples would have to register their establishments, list their products with FDA,²⁵ or submit a premarket application:

• Manufacturers or distributors of mobile platforms who solely distribute or market their platform and do not intend (by marketing claims – e.g., labeling claims or advertising material) the platform to be used for medical device functions. When mobile medical apps are run on a mobile platform, the mobile platform is treated as a component of the mobile medical app’s intended use.²⁶ Therefore the mobile platform manufacturer is exempt from the Quality System regulation and registration and listing requirements.²⁷ For example, if it is possible to run mobile medical apps on Brand Name Phone but Brand Name Phone is not marketed by Brand Name Company as intended for use as a medical device, then Brand Name Company would not be considered a mobile medical app manufacturer or a medical device manufacturer. Also, in this example, the Brand Name Phone sold to consumers would not be regulated by FDA as a medical device. FDA does not consider entities that exclusively distribute mobile medical apps, such as the owners and operators of app stores to be medical device manufacturers based on their ownership of or operation of these app stores. FDA also does not consider mobile platform manufacturers to be medical device manufacturers just because their mobile platforms could be used to run a mobile medical app regulated by FDA.
• Third parties who solely provide market access to mobile medical apps (i.e., solely distribute mobile apps), but do not engage in any manufacturing functions as defined in 21 CFR Parts 803, 806, 807, and 820. Examples of such third parties may include owners and operators that are only engaged in providing an app store that allows mobile medical app manufacturers to commercially distribute their mobile medical apps.
• Providers of tools, services, or infrastructure used in the development, distribution, or use of a mobile medical app. Examples include providers of internet connectivity (i.e., internet service), providers of general-purpose computer or information technology, or providers that host the web service for content or software application. Other examples of providers of tools, services, or infrastructure include customer support services, data center hosting services, cloud hosting services, application hosting services, wireless carriers, or providers of software development kits. However, a creator of a mobile medical app or a software system that provides users access to the medical device function through a website subscription, software as a service,²⁸ or other similar means is considered a mobile medical app manufacturer.
• Licensed practitioners, including physicians, dentists, and optometrists, who manufacture a mobile medical app or alter a mobile medical app solely for use in their professional practice and do not label or promote their mobile medical apps to be generally used by other licensed practitioners or other individuals.²⁹,³⁰ For example, if Dr. XYZ, a licensed practitioner, creates a mobile medical app called the “XYZ-recorder” that enables attaching an ECG electrode to a smartphone, and provides the “XYZ-recorder” to his/her patient to use it to record the patient’s electrocardiographic readings for 24 hours, Dr. XYZ is not considered a mobile medical app manufacturer. If Dr. XYZ is in a group practice (including a telehealth network) and permits other physicians in the practice to provide the XYZ-recorder to their patients, Dr. XYZ is not considered a mobile medical apps manufacturer. However, if Dr. XYZ, the licensed practitioner, distributes the “XYZ-recorder” and, through labeling or promotion intends to make it generally available to or to be generally used by other physicians (or other specially qualified persons), Dr. XYZ would be considered a mobile medical app manufacturer.
• Persons who manufacture mobile medical apps solely for use in research, teaching, or analysis and do not introduce such devices into commercial distribution. We note that while persons conducting research using mobile medical apps involving human subjects are exempt from registration and listing, they may instead be subject to investigational device exemption regulations.³¹,³²

IV. Scope 🔗

This guidance explains FDA’s intentions to focus its oversight on a subset of software functions. Mobile medical apps, as defined in Section III, include only those mobile apps that meet the definition of a device and either are intended:

• to be used as an accessory to a regulated medical device; or
• to transform a mobile platform into a regulated medical device.

Appendix A provides examples of software functions, that do NOT meet the definition of a device and, therefore, are NOT device software functions or mobile medical apps for the purposes of this guidance.

Section V.B and Appendix B provide examples of software functions, some of which are mobile apps, that MAY meet the definition of a device but for which FDA intends to exercise enforcement discretion because they pose a low risk to patients.

FDA’s policies regarding accessories to medical devices are not unique to device software functions and go beyond the scope of this guidance. Specifically this guidance does not address FDA’s general approach for accessories to medical devices which is described in the guidance “Medical Device Accessories - Describing Accessories and Classification Pathways”.³³

Additionally, FDA’s approach to software that performs patient-specific analysis to aid or support clinical decision-making, is described in a separate guidance titled “Clinical Decision Support Software”.³⁴

If you are developing a software function that meets the definition of a device (such as a mobile medical app) with an entirely new intended use, we encourage you to contact FDA to discuss what regulatory requirements may apply.

V. Regulatory Approach for Device Software Functions 🔗

As described in this guidance, FDA intends to apply its regulatory oversight to only those software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to not function as intended. This approach to overseeing device software functions is consistent with our existing approach to overseeing medical device functionality of a product and the risks it poses to patients regardless of the shape, size, or the platform. FDA believes that this subset of device software functions poses the same or similar potential risks to the public health as currently regulated devices if they fail to function as intended.

FDA strongly recommends that manufacturers of all software functions that may meet the definition of a device follow the Quality System³⁵ regulation (that includes good manufacturing practices) in the design and development of their device software functions, and initiate prompt corrections to their devices, when appropriate, to prevent patient and user harm.

For device software functions, manufacturers must meet the requirements associated with the applicable device classification. If the device, on its own, falls within a medical device classification, its manufacturer is subject to the requirements associated with that classification. A device software function, like other devices, may be classified as class I (general controls), class II (special controls in addition to general controls), or class III (premarket approval).³⁶

A. Device software functions: Subset of software functions that are the focus of FDA’s regulatory oversight 🔗

Software functions may take a number of forms, but it is important to note that FDA intends to apply its regulatory oversight to only the subset of software functions identified below and in Appendix C. These software functions can transform a general-purpose computing platform or mobile platform into a regulated medical device by using attachments, display screens, sensors, or other such methods. Regardless of the mechanism behind the transformation, FDA considers such software to be device software functions.

The following are software functions that FDA considers to be device software functions subject to regulatory oversight:

1. Software functions that are an extension of one or more medical devices by connecting³⁷ to such device(s) for purposes of controlling³⁸ the device(s) or analyzing medical device data.
   • Examples of these types of software functions include: software that provides the ability to control inflation and deflation of a blood pressure cuff through a mobile platform and mobile apps that control the delivery of insulin on an insulin pump by transmitting control signals to the pumps from the mobile platform. In some cases, software that meets the definition of a device may be used in combination with other devices. In these cases, the device software function may be considered an accessory if it supports, supplements, and/or augments the performance of one or more parent devices. FDA’s “Medical Device Accessories - Describing Accessories and Classification Pathways”³⁹ guidance document should be referenced for information pertaining to the regulation of accessories to medical devices.
2. Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Software functions that use attachments, display screens, sensors, or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform.
   • Examples of these types of software functions include: a software function that uses a mobile platform for medical device functions, such as attachment of a blood glucose strip reader to a mobile platform to function as a glucose meter; or attachment of electrocardiograph (ECG) electrodes to a mobile platform to measure, store, and display ECG signals; a software function that uses the built-in accelerometer on a mobile platform to collect motion information for monitoring sleep apnea; a software function that uses sensors (internal or external) on a mobile platform for creating electronic stethoscope function is considered to transform the mobile platform into an electronic stethoscope; manufacturers of such a mobile app are required to follow the requirements of 21 CFR 870.1875(b) (Electronic stethoscope); and similarly, a software function that displays radiological images for diagnosis transforms the mobile platform into a Medical image management and processing system under 21 CFR 892.2050. FDA has cleared several mobile medical apps with attachments to a mobile platform. Specifically, patient monitoring mobile apps that monitor a patient for heart rate variability from a signal produced by an electrocardiograph, vector cardiograph, or blood pressure monitor are classified as cardiac monitoring software under 21 CFR 870.2300 (Cardiac monitor (including cardiotachometer and rate alarm)). Other mobile medical apps that use a hardware attachment or interface to a monitoring system that have been cleared include an automatic electronic blood pressure monitor under 21 CFR 870.1130 and a perinatal monitoring system under 21 CFR 884.2740.
3. Software functions that become a regulated medical device by performing patient-specific analysis and providing specific output(s) or directive(s) to health care professionals for use in the diagnosis, treatment, mitigation, cure, or prevention of a disease or condition. Additionally, software functions that perform patient-specific analysis and provide patient-specific diagnosis or treatment recommendations to patients, caregivers, or other users who are not health care professionals.
   • Examples of these types of software functions include: software functions that use patient-specific parameters and calculate dosage or create a dosage plan for radiation therapy; Computer Aided Detection software (CAD) image processing software;⁴⁰ and radiation therapy treatment planning software;⁴¹ software function that analyzes patient-specific medical information to detect a life-threatening and/or time critical condition, such as stroke or sepsis, and generate an alarm or an alert to notify a health care professional;⁴² software function that analyzes readings from a blood glucose monitor and alerts the user of readings outside a predetermined range; software function that analyzes an ECG waveform output from an FDA-cleared device to detect or diagnose arrhythmias (e.g., atrial fibrillation).⁴³ We believe that these types of software present the same level of risk to patients regardless of the platform on which they run.

FDA encourages manufacturers of such device software functions that perform patient-specific analysis to contact FDA to discuss what, if any, regulatory requirements may apply. For additional examples see Appendix C.

B. Software functions for which FDA intends to exercise enforcement discretion (meaning that FDA does not intend to enforce requirements under the FD&CAct) 🔗

In general, FDA intends to exercise enforcement discretion for software functions that:

1. Help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions; or
2. Automate simple tasks for health care professionals.

Some software functions in the above categories and listed below may be considered device software functions, and others might not. For these examples listed below that are devices, FDA intends to exercise enforcement discretion because they pose a low risk to patients.

The following examples represent software functions for which FDA intends to exercise enforcement discretion:

1. Software functions that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment – These are software functions that supplement⁴⁴ professional clinical care by facilitating behavioral change or coaching patients with specific diseases or identifiable health conditions in their daily environment. Examples include:
   • Software functions that coach patients with conditions such as cardiovascular disease, hypertension, diabetes, or obesity, and promote strategies for maintaining a healthy weight, getting optimal nutrition, exercising and staying fit, managing salt intake, or adhering to pre-determined medication dosing schedules⁴⁵ by simple prompting.
2. Software functions that are specifically marketed to help patients communicate with health care professionals by supplementing or augmenting the data or information by capturing an image for patients to convey to their health care professionals about potential medical conditions – These products either pose little or no risk, or are the sole responsibility of the health care professionals who have experience with them in medical applications. Examples include:
   • Apps specifically intended for medical uses that utilize the mobile device’s built-in camera or a connected camera for purposes of documenting or transmitting pictures (e.g., photos of a patient’s skin lesions or wounds) to supplement or augment what would otherwise be a verbal description in a consultation between health care professionals or between health care professionals and patients/caregivers.
3. Software functions that perform simple calculations routinely used in clinical practice – These are software functions that are intended to provide a convenient way for clinicians to perform various simple medical calculations taught in medical schools⁴⁶ and are routinely used in clinical practice. This software is generally tailored for clinical use, but retains functionality that is similar to simple general-purpose tools such as paper charts, spread sheets, timers, or generic mathematical calculators. Examples of such general-purpose tools include medical calculators for:
   • Body Mass Index (BMI);
   • Total Body Water / Urea Volume of Distribution;
   • Mean arterial pressure;
   • Glasgow Coma Scale score;
   • APGAR score;
   • NIH Stroke Scale; or
   • Delivery date estimator.

See Appendix B for additional examples of software functions for which FDA intends to exercise enforcement discretion.

VI. Regulatory Requirements 🔗

This guidance is intended to assist manufacturers in determining if a software function meets the definition of a device. Additional information can be found in “Device Advice: Classify Your Medical Device.”⁴⁷ This section describes in greater detail the regulatory requirements applicable to device software functions under this guidance (as described in Section V).

Manufacturers of device software functions are subject to the requirements described in the applicable device classification regulation below. Depending on the classification and the associated regulation for the device software function, manufacturers are required to follow associated controls established by the regulation.

In general, the associated controls for each class of device are outlined below.

Class I devices: General Controls, including:

• Establishment registration, and Medical Device listing (21 CFR Part 807);
• Quality System (QS) regulation (21 CFR Part 820);
• Labeling Requirements (21 CFR Part 801);
• Medical Device Reporting (21 CFR Part 803);
• Premarket Notification (21 CFR Part 807);
• Reporting Corrections and Removals (21 CFR Part 806); and
• Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).

Class II devices: General Controls (as described for Class I), Special Controls, and (for most Class II devices) Premarket Notification.

Class III devices: General Controls (as described for Class I), and Premarket Approval (21 CFR Part 814).

Appendix D provides a brief summary of the above requirements. Additional information is available at “Overview of Medical Device Regulation”⁴⁸ and “How to Study and Market Your Device.”⁴⁹ If you need further assistance, you may contact the Division of Industry and Consumer Education (DICE): Email: DICE@fda.hhs.gov; phone: 301-796-7100 or 800-638-2041. For CBER, you may contact the Manufacturers Assistance and Technical Training Branch (MATTB): Email: Industry.Biologics@fda.hhs.gov; phone: 240-402-8020 or 800-835-4709.

Appendix A Examples of Software Functions that are NOT Medical Devices 🔗

This Appendix provides a representative list of software functions to illustrate the types of software that could be used in a health care environment, in clinical care, or patient management, but are not considered medical devices. Because these software functions are not considered medical devices, FDA does not regulate them. FDA understands that there may be other unique and innovative software functions that may not be covered in this list that may also constitute health care related software. **This list is not exhaustive**; it is only intended to provide clarity and assistance in identifying when a software function is not considered to be a medical device.

Specific examples of software functions that FDA does not consider to be devices and with no regulatory requirements under the current laws administered by FDA include:

1. Software functions that are intended to provide access to electronic “copies” (e.g., e-books, audio books) of medical textbooks or other reference materials with generic text search capabilities – These are not devices because the software is intended to be used as reference material and is not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by facilitating a health professional’s assessment of a specific patient, replacing the judgment of clinical personnel, or performing any clinical assessment. Examples of these types of software functions include:
   • Medical dictionaries;
   • Electronic copies of medical textbooks or literature articles such as the Physician’s Desk Reference or Diagnostic and Statistical Manual of Mental Disorders (DSM);
   • Library of clinical descriptions for diseases and conditions;
   • Encyclopedia of first-aid or emergency care information;
   • Medical abbreviations and definitions; and
   • Translations of medical terms across multiple languages.
2. Software functions that are intended for health care professionals to use as educational tools for medical training or to reinforce training previously received – These may have more functionality than providing an electronic copy of text (e.g., videos, interactive diagrams), but are not devices because they are intended generally for user education and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by facilitating a health professional’s assessment of a specific patient, replacing the judgment of clinical personnel, or performing any clinical assessment. Examples of these types of software functions include:
   • Medical flash cards with medical images, pictures, graphs, etc.;
   • Question/Answer quiz apps;
   • Interactive anatomy diagrams or videos;
   • Surgical training videos;
   • Medical board certification or recertification preparation apps; and
   • Games that simulate various cardiac arrest scenarios to train health professionals in advanced cardiopulmonary resuscitation (CPR) skills.
3. Software functions that are intended for general patient education and facilitate patient access to commonly used reference information – This software can be patient-specific (i.e., filters information to patient-specific characteristics), but is intended for increased patient awareness, education, and empowerment, and ultimately supports patient-centered health care. These functions are not devices because they are intended generally for patient education, and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease by aiding clinical decision-making (i.e., to facilitate a health professional’s assessment of a specific patient, replace the judgment of a health professional, or perform any clinical assessment). Examples include software functions that:
   • Provide a portal for health care professionals to distribute educational information (e.g., interactive diagrams, useful links, and resources) to their patients regarding their disease, condition, treatment, or upcoming procedure;
   • Help guide patients to ask appropriate questions to their physician relevant to their particular disease, condition, or concern;
   • Provide information about gluten-free food products or restaurants;
   • Help match patients with potentially appropriate clinical trials and facilitate communication between the patient and clinical trial investigators;
   • Provide tutorials or training videos on how to administer first-aid or CPR;
   • Allow users to input pill shape, color, or imprint, and displays pictures and names of pills that match this description;
   • Find the closest medical facilities and doctors to the user’s location;
   • Provide lists of emergency hotlines and physician/nurse advice lines; and
   • Provide and compare costs of drugs and medical products at pharmacies in the user’s location.
4. Software functions that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Examples include software functions that:
   • Determine billing codes like ICD-9 (international statistical classification of diseases);
   • Enable insurance claims data collection and processing and other apps that are similarly administrative in nature;
   • Analyze insurance claims for fraud or abuse;
   • Perform medical business accounting functions or track and trend billable hours and procedures;
   • Generate reminders for scheduled medical appointments or blood donation appointments;
   • Help patients track, review, and pay medical claims and bills online;
   • Manage shifts for doctors;
   • Manage or schedule hospital rooms or bed spaces;
   • Provide wait times and electronic check-in for hospital emergency rooms and urgent care facilities;
   • Allow health care professionals or staff in health care settings to process payments (for example, using a HIPAA compliant app to process payments); and
   • Track or perform patient satisfaction survey after an encounter or a clinical visit.
5. Software functions that are generic aids or general-purpose products – This software is not considered a device because it is not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Examples include software functions that:
   • Use the mobile platform as a magnifying glass (but are not specifically intended for medical purposes);⁵⁰
   • Use the mobile platform for recording audio, note-taking, replaying audio with amplification, or other similar functionalities;
   • Allow patients or health care professionals to interact through email, web-based platforms, video, or other communication mechanisms (but are not specifically intended for medical purposes);
   • Provide maps and turn-by-turn directions to medical facilities; and
   • Allow health care professionals to communicate in a secure and protected method (for example using a HIPAA compliant app to send messages between health care professionals in a hospital).
6. Software functions that are intended for individuals to log, record, track, evaluate, or make decisions or behavioral suggestions related to developing or maintaining general fitness, health or wellness, such as those that:
   • Provide tools to promote or encourage healthy eating, exercise, weight loss, or other activities generally related to a healthy lifestyle or wellness;
   • Provide dietary logs, calorie counters, or make dietary suggestions;
   • Provide meal planners and recipes;
   • Track general daily activities or make exercise or posture suggestions;
   • Track a normal baby’s sleeping and feeding habits;
   • Actively monitor and trend exercise activity;
   • Help healthy people track the quantity or quality of their normal sleep patterns;
   • Provide and track scores from mind-challenging games or generic “brain age” tests;
   • Provide daily motivational tips (e.g., via text or other types of messaging) to reduce stress and promote a positive mental outlook;
   • Use social gaming to encourage healthy lifestyle habits; and
   • Calculate calories burned in a workout.
7. Software functions that enable individuals to interact with electronic health record (EHR) software certified under the ONC Health IT Certification Program – These are software functions that provide individuals with access to health record systems or enable them to gain electronic access to health information stored within an EHR system. Software functions that only allow individuals to view, transfer, or download EHR data are also included in this category. These software functions are generally meant to facilitate general patient health information management and health recordkeeping activities:
   • Software functions for health care professionals certified under the ONC Health IT Certification Program, such as those that help track or manage patient immunizations by documenting the need for immunization, consent form, and immunization lot number.
   • Software functions certified under the ONC Health IT Certification Program that prompt the health care professional to manually enter symptomatic, behavioral, or environmental information, the specifics of which are pre-defined by a health care professional, and store the information for later review.
8. Software functions that enable patients or health care professionals to interact with EHR systems (e.g., transfer, store, convert formats, display electronic patient records) that are certified under the ONC Health IT Certification Program, or interact with personal health record (PHR) systems.
9. Software functions that allow a user to record (i.e., collect and log) data, such as blood glucose, blood pressure, heart rate, weight, or other data from a device to eventually share with a heath care professional, or upload it to an EHR that is certified under the ONC Health IT Certification Program, or upload it to an online (cloud) database, or upload it to a PHR.
10. Software functions that provide a list of appropriate cholesterol-lowering drugs to a health care professional to consider based on a patient’s cholesterol levels and demographics found in the EHR, and the basis for the recommendations is provided to the health care professional, so the health care professional does not rely primarily on the recommendations in making a clinical decision about a patient.⁵¹
11. Software functions that provide health care professionals easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference), and enable the health care professional to independently review the basis of the information provided by the software function, such that the health care professional does not rely primarily on the information to make a clinical decision about an individual patient:⁵²
    • These software functions match patient-specific medical information (e.g., diagnosis, treatments, allergies, signs or symptoms) to reference information routinely used in clinical practice (e.g., practice guidelines) to facilitate assessments of specific patients. For example, a software function that uses a patient’s diagnosis and other medical information to provide an HCP with current practice treatment guidelines for common illnesses or conditions such as influenza, hypertension, and hypercholesterolemia.⁵³
    • The software function matches patient-specific medical information to peer-reviewed literature publications on related topics and enables the health care professional to independently review the basis for the information.
    • Drug-drug interaction and drug-allergy contraindication notifications to avert adverse drug reactions. These software functions that identify drug-drug interactions and drug-allergy contraindications, based on the current version of FDA-approved drug or device labeling or other up-to-date and peer-reviewed sources and patient-specific information, to attempt to prevent adverse drug reactions, and the software functions enable the health care professional to independently review the basis for the information. For example, a software function that identifies drug-disease interactions and contraindications, such as notifying an HCP that a patient with asthma should not be prescribed a non-selective beta-blocking drug.⁵⁴
12. Software functions that provide patients with simple tools to organize and record their health information – These are software functions that provide patients with tools to organize and record health information without providing recommendations to alter or change a previously prescribed treatment or therapy. Examples include:
    • Software functions that provide simple tools for patients with specific conditions or chronic disease (e.g., obesity, anorexia, arthritis, diabetes, heart disease) to record their events or measurements (e.g., blood pressure measurements, drug intake times, diet, daily routine, or emotional state) and share this information with their health care professional as part of a disease-management plan.
13. Software functions that are specifically marketed to help patients document, show, or communicate to health care professionals regarding potential medical conditions – These products either pose little or no risk, or are the sole responsibility of the health care professionals who have used them in medical applications. Examples include:
    • Software that serves as a videoconferencing portal specifically intended for medical use and to enhance communications between patients, health care professionals, and caregivers.
14. Software functions that help asthmatics record (i.e., collect and log) inhaler usage, asthma episodes experienced, location of user at the time of an attack, or environmental triggers of asthma attacks.
15. Software functions that record the clinical conversation a clinician has with a patient and sends it (or a link) to the patient to access after the visit.
16. Software functions that meet the definition of Non-Device-MDDS–⁵⁵ These are software functions that are solely intended to transfer, store, convert formats, and display medical device data or results, without controlling or altering the functions or parameters of any connected medical devices. These do not include software functions intended to generate alarms or alerts or prioritize patient-related information on multi-patient displays, which are typically used for active patient monitoring to enable immediate awareness for potential clinical intervention, and are considered device software functions because these functions involve analysis or interpretation of laboratory test or other device data and results.
17. Software functions that display patient-specific medical device data – These include software functions that display medical images directly from a Picture Archiving and Communication System (PACS) server;
18. Software functions that are intended for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results and findings. Examples include:
    • Software functions that transfer, store, convert formats, and display medical device data without modifying the data and do not control or alter the functions or parameters of any connected medical devices (i.e., software functions that meet the definition of Non-Device-MDDS);
    • Software functions that meet the definition of Non-Device-MDDS and connect to a nursing central station and display (but do not analyze or interpret) medical device data to a physician’s mobile platform for review;
    • Software functions that are not intended for diagnostic image review such as image display for multidisciplinary patient management meetings (e.g., rounds) or patient consultation (and include a persistent on-screen notice, such as “for informational purposes only and not intended for diagnostic use”).

Appendix B Examples of Software Functions for which FDA intends to exercise enforcement discretion 🔗

This Appendix provides examples of software functions that MAY meet the definition of medical device but for which FDA intends to exercise enforcement discretion. These software functions may be intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Even though this software MAY meet the definition of medical device, FDA intends to exercise enforcement discretion for these types of software functions because they pose lower risk to the public. FDA understands that there may be other unique and innovative software functions that may not be covered in this list that may also constitute health care related software. **This list is not** **exhaustive**; it is only intended to provide clarity and assistance in identifying the software functions that will not be subject to regulatory requirements at this time.

1. Software functions that help patients with diagnosed psychiatric conditions (e.g., post-traumatic stress disorder (PTSD), depression, anxiety, obsessive compulsive disorder (OCD)) maintain their behavioral coping skills by providing a “Skill of the Day” behavioral technique or audio messages that the user can access when experiencing increased anxiety.
2. Software functions that provide periodic educational information, reminders, or motivational guidance to pregnant people, smokers trying to quit, or people recovering from addiction.
3. Software functions that use global positioning system (GPS) location information to alert asthmatics of environmental conditions that may cause asthma symptoms or alert an addiction patient (substance abusers) when near a pre-identified, high-risk location.
4. Software functions that use video and video games to motivate patients to do their physical therapy exercises at home.
5. Software functions that prompt a user to enter which herb and drug they would like to take concurrently and provide information about whether interactions have been seen in the literature and a summary of what type of interaction was reported.
6. Software functions that use patient characteristics such as age, sex, and behavioral risk factors to provide patient-specific screening, counseling, and preventive recommendations from well-known and established authorities.
7. Software functions that use a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a health care professional.
8. Software functions that guide a user through a questionnaire of signs and symptoms to provide a recommendation for the type of health care facility most appropriate to their needs.
9. Software functions that are intended to allow a user to initiate a pre-specified nurse call or emergency call using broadband or cellular phone technology.
10. Software functions that enable a patient or caregiver to create and send an alert or general emergency notification to first responders.
11. Software functions that keep track of medications and provide user-configured reminders for improved medication adherence.
12. Software functions that provide historical trending and comparison of vital signs (e.g., body temperature, heart rate, blood pressure, or respiratory rate).;
13. Software functions that aggregate and display trends in personal health incidents (e.g., hospitalization rates or alert notification rates).
14. Software functions allow a user to collect (electronically or manually entered) blood pressure data and share this data through email, track and trend it, or upload it to a personal or electronic health record.
15. Software functions that provide oral health reminders or tracking tools for users with gum disease.
16. Software functions that provide prediabetes patients with guidance or tools to help them develop better eating habits or increase physical activity.
17. Software functions that display, at opportune times, images or other messages for a substance abuser who wants to stop addictive behavior.
18. Software functions that provide patients and/or caregivers information about drug-drug interactions and relevant safety information (side effects, drug interactions, active ingredient) as a report based on demographic data (e.g., age, gender), clinical information (current diagnosis), and current medications.

Appendix C Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps) 🔗

This Appendix provides examples of software functions that are considered medical devices (i.e., device software functions), and on which FDA will focus its regulatory oversight. This software meets the definition of a device under section 201(h) of the FD&C Act and its functionality poses a risk to a patient’s safety if the software were to not function as intended. Each example below provides a non-exhaustive list of possible relevant product code(s) and/or regulation number.

FDA also encourages device software manufacturers to search FDA’s public databases, such as the “Product Classification”⁵⁶ database and the “510(k) Premarket Notification”⁵⁷ database, to determine the level of regulation for a given device and for the most up-to-date information about the relevant regulatory requirements.

Software functions (typically mobile apps) that transform a mobile platform into a regulated medical device and therefore are the focus of FDA’s regulatory oversight: These mobile apps use a mobile platform’s built-in features such as light, vibrations, camera, or other similar sources to perform medical device functions (e.g., mobile medical apps that are used by a licensed practitioner to diagnose or treat a disease). Possible product codes: Varies depending on the intended use and software function; see additional examples below.

• Software functions that use a sensor or lead that is connected to a mobile platform to measure and display the electrical signal produced by the heart (electrocardiograph or ECG). Possible product code(s): DPS, MLC, OEY (21 CFR 870.2340), MLO, MWJ, DSH (21 CFR 870.2800).
• Software functions that use a sensor or electrode attached to the mobile platform or tools within the mobile platform itself (e.g., microphone and speaker) to electronically amplify and “project sounds associated with the heart, arteries and veins and other internal organs” (i.e., an electronic stethoscope). Possible product code: DQD (21 CFR 870.1875(b)).
• Software functions that use a sensor or electrode attached to the mobile platform or tools within the mobile platform itself (e.g., accelerometer) to measure physiological parameters during CPR and give feedback about the quality of CPR being delivered. Possible product code: LIX (21 CFR 870.5210).
• Software functions that use a sensor attached to the mobile platform or tools within the mobile platform itself to record, view, or analyze eye movements for use in the diagnosis of balance disorders (i.e., nystagmograph). Possible product code: GWN (21 CFR 882.1460).
• Software functions that use tools within the mobile platform (e.g., speaker) to produce controlled levels of test tones and signals intended for use in conducting diagnostic hearing evaluations and assisting in the diagnosis of possible otologic disorders (i.e., an audiometer). Possible product code: EWO (21 CFR 874.1050).
• Software functions that use a sensor attached to the mobile platform or tools within the mobile platform itself (e.g., accelerometer) to measure the degree of tremor caused by certain diseases (i.e., a tremor transducer). Possible product code: GYD (21 CFR 882.1950).
• Software functions that use a sensor attached to the mobile platform or tools within the mobile platform itself (e.g., accelerometer, microphone) to measure physiological parameters (e.g., limb movement, electrical activity of the brain (EEG)) during sleep and are intended for use in diagnosis of specific diseases or conditions such as sleep apnea. Possible product code(s): OLV (21 CFR 882.1400), LEL (21 CFR 882.5050), BZQ, MNR, PRK (21 CFR 868.2375), FLS, NPF (21 CFR 868.2377).
• Software functions that use an attachment to the mobile platform to measure blood oxygen saturation for diagnosis of specific disease or condition. Possible product code(s): DQA, NLF, MUD, NMD (21 CFR 870.2700) or DPZ (21 CFR 870.2710).
• Software functions that present donor history questions to a potential blood donor and record and/or transmit the responses to those questions for a blood collection facility to use in determining blood donor eligibility prior to collection of blood or blood components. Possible product code: MMH (21 CFR 864.9165).
• Software functions that use an attachment to the mobile platform to measure blood glucose levels. Possible product code: NBW (21 CFR 862.1345).
• Software functions that use an attachment to the mobile platform (e.g., light source, laser) to treat acne, reduce wrinkles, or remove hair. Possible product code: OLP, OHT, OHS (21 CFR 878.4810), OZC (21 CFR 890.5740).
• Software functions that use a microphone or speaker within a mobile platform to serve as a audiometer to allow health care professionals to determine hearing loss at different frequencies. Possible product code: EWO (21 CFR 874.1050).
• Software functions that analyze an image of a skin lesion using mathematical algorithms, such as fractal analysis, and provide the user with an assessment of the risk of the lesion.

Software functions that connect to an existing device type for purposes of controlling its operation, function, or energy source and therefore are the focus of FDA’s regulatory oversight: These software functions are those that control the operation or function (e.g., changes settings) of an implantable or body worn medical device. Possible product codes: Varies depending on the intended use and function of the parent medical device; see additional examples below.

• Software functions that alter the function or settings of an infusion pump. Possible product codes: MEB, FRN, LZH, LZG, OPP, MEA (21 CFR 880.5725), FIH (21 CFR 876.5820), LKK.
• Software functions that act as wireless remote controls or synchronization devices for computed tomography (CT) or X-Ray machines. Possible product code: JAK (21 CFR 892.1750), IZL (21 CFR 892.1720), KPR (21 CFR 892.1680).
• Software functions that control or change settings of an implantable neuromuscular stimulator. Possible product code(s): GZC (21 CFR 882.5860).
• Software functions that calibrate, control, or change settings of a cochlear implant. Possible product code(s): MCM.
• Software functions that control the inflation or deflation of a blood-pressure cuff. Possible product code: DSJ (21 CFR 870.1100), DSK (21 CFR 870.1110), DXN (21 CFR 870.1130).
• Software functions that are used to calibrate hearing aids and assess the electroacoustic frequency and sound intensity characteristics emanating from a hearing aid, master hearing aid, group hearing aid, or group auditory trainer. Possible product code ETW (21 CFR 874.3310).

Software functions that are used in active patient monitoring or to analyze patient-specific medical device data and therefore are the focus of FDA’s regulatory oversight:

• Software functions that acquire or process physiological signals that connect to bedside (or cardiac) monitors for active patient monitoring. Possible product code(s): DSI, MHX, MLD (21 CFR 870.1025), DRT, MWI, MSX, PLB (21 CFR 870.2300).
• Software functions that process uterine contraction and fetal heart rate data for remote monitoring of labor progress. Possible product code(s): HGM (21 CFR 884.2740).
• Software functions that are intended to process images for diagnostic review may be regulated as a medical image management and processing system. Possible product code(s): LLZ (21 CFR 892.2050).
• Software function that uses a variant call format (VCF) file containing patient-specific genetic variants and mutations identified from a Next Generation Sequencing (NGS) Analyzer and provides recommendations for FDA-approved treatments based on those findings. Possible product code: QIC.⁵⁸
• Software function that analyzes patient-specific measurements (e.g., ST-segment elevation or depression as reported on ECG reports and cardiac enzyme laboratory results from the EHR) to identify patients potentially experiencing myocardial ischemia or infarction.⁵⁹
• Software function intended for health care professional management of heart failure patients that analyzes patient-specific medical information (e.g., daily heart rate, SpO2, blood pressure, or other output from wearable product) to predict heart failure hospitalization.⁶⁰
• Software function that analyzes the radiologist’s reported imaging findings and other patient-specific medical information taken by an health care professional upon admission as input to a stroke triage algorithm that indicates whether to transfer the patient to a major stroke center for an intervention.⁶¹

Appendix D Brief description of certain device regulatory requirements 🔗

This Appendix provides a high level description of certain regulatory requirements for medical devices, including device software functions. FDA has additional resources and publications online that describe these and other requirements in detail.

1. Establishment Registration and Medical Device Listing Under 21 CFR Part 807, manufacturers of medical devices are required to annually register their establishments⁶² with FDA and provide a list of the devices they market. The registration and listing requirement is a means of keeping FDA advised of who is manufacturing devices, and of the types of devices an establishment is manufacturing. Medical device manufacturers are required to register their establishments with FDA and to list⁶³ by identifying to FDA the devices they are marketing.

   Additional information can be found in “Device Advice: Device Registration and Listing.”⁶⁴ If you need further assistance, you may contact the Division of Risk Management Operations, Regulatory Policy and Systems Branch: Email: reglist@fda.hhs.gov, phone: 301-796-7400. Assistance is also available from, Division of Industry and Consumer Education (DICE): Email: DICE@fda.hhs.gov, phone: 301-796-7100 or 800-638-2041. For CBER, you may contact the Manufacturers Assistance and Technical Training Branch (MATTB): Email: Industry.Biologics@fda.hhs.gov; phone: 240-402-8020 or 800-835-4709.

2. Investigational Device Exemption (IDE) requirements Conducting clinical studies in accordance with the IDE requirements (21 CFR 812)⁶⁵ helps to ensure clinical data are credible, accurate, and ethically procured. Furthermore, an IDE allows an investigational device to be used in a clinical study, for example in order to collect safety and effectiveness data required to support⁶⁶ a marketing submission to FDA (e.g., Premarket Approval (PMA), Premarket Notification (510(k)), De Novo, Humanitarian Device Exemption (HDE)). Clinical studies with devices of significant risk must be approved by FDA and by an Institutional Review Board⁶⁷ (IRB) before the study can begin. Studies with devices of non-significant risk must be approved by the IRB only before the study can begin.

   Medical device manufacturers who intend to conduct research involving human subjects are encouraged to engage with FDA through the Q-submission Program⁶⁸ to receive feedback on testing and development activities.

   Further information regarding the investigational device exemption and Good Clinical Practice (GCP) can be found in the webpage, “Device Advice: Investigational Device Exemption.”⁶⁹

3. Labeling requirements Medical device manufacturers are required to comply with applicable labeling regulations found in 21 CFR Part 801 for medical devices and 21 CFR Part 809 for in vitro diagnostic products.

4. Premarket submission for approval or clearance Medical device manufacturers should identify the current classification covering their device. Manufacturers are required to prepare and submit to FDA an appropriate premarket submission, as required for their device classification.

   Additional information can be found in “Device Advice: Device Registration and Listing.”⁷⁰

5. Quality System Regulation (QS Regulation) Medical device manufacturers are required to comply with the QS regulation.⁷¹ The QS regulation does not prescribe in detail how a manufacturer must produce a specific device, but provides a framework for all manufacturers to develop and follow to help ensure that their products consistently meet applicable requirements and specifications. As part of this framework, manufacturers are required to develop requirements for their products that will result in devices that are safe and effective, and to establish methods and procedures to design, produce, and distribute their devices.

   Furthermore, manufacturers are required, as part of the QS regulation (21 CFR 820.30), to appropriately verify and validate their device software functions along with the computing platform to ensure safe and effective operation of the device.

   Manufacturers are required to ensure that adequate controls and processes are in place through purchasing controls to ensure safe distribution, installation, and operation of the device software function.

   Additional information regarding the QS regulation can be found at “Quality System (QS) Regulation/Medical Device Good Manufacturing Practices.”⁷²

6. Medical Device Reporting (MDR) (Adverse event reporting) The Medical Device Reporting (MDR) regulation requires manufacturers and importers of medical devices to submit reports to FDA whenever they receive or otherwise become aware of information, from any source, that reasonably suggests that a device they market may have caused or contributed to a death or serious injury, or has malfunctioned and the device or a similar device that they market would be likely to cause or contribute to a reportable death or serious injury if the malfunction were to recur.⁷³ MDR requires medical device manufacturers to:

   • Submit MDR reportable events involving their medical devices as described in 21 CFR 803.10(c) and 803.50;
   • Submit 5-day reports as described in 21 CFR 803.53;
   • Submit supplemental reports as described in 21 CFR 803.56;
   • Develop, maintain, and implement written procedures for the identification and evaluation of all medical device events to determine whether the event is MDR reportable as described in 21 CFR 803.17;
   • Conduct an investigation of each event and evaluate the cause of the event as described in 21 CFR 803.50(b)(3); and
   • Establish and maintain complete files for all complaints concerning adverse medical device events as described in 21 CFR 803.18.

   The MDR report (FDA Form 3500A)⁷⁴ must contain all the information described in 21 CFR 803.52 that is reasonably known to the manufacturer. Information reasonably known includes any information that:

   • Can be obtained by contacting a user facility, importer, or other initial reporter;
   • Is in the possession of the manufacturer; or
   • Can be obtained by analysis, testing, or other evaluation of the device.

   For additional instructions on how to complete the 3500A form, refer to the document titled “Instructions for Completing Form FDA 3500A.”⁷⁵

   For additional guidance on the MDR regulation and the reporting requirements, refer to the FDA guidance “Medical Device Reporting for Manufacturers.”⁷⁶

   For Questions about Medical Device Reporting, including interpretation of MDR policy:

   • Call: (301) 796-6670 (voice)
   • Email: RSMB@fda.hhs.gov
   • Mail: Food and Drug Administration, Center for Devices and Radiological Health, Reporting Systems Monitoring Branch, 10903 New Hampshire Avenue, WO Bldg. 66, Room 3217, Silver Spring, MD 20993-0002

7. Correcting Problems A medical device manufacturer may voluntarily take action at any time or may be requested to take action by FDA to correct problems. Voluntary action is usually taken by device manufacturers. Examples of the types of actions that a device manufacturer may be requested to take include, but are not limited to:

   • Inspecting the device for problems;
   • Repairing the device;
   • Adjusting settings on the device; and
   • Upgrading software to reduce risk from a “bug” or unintended response.

Under certain circumstances, FDA may initiate a request that a manufacturer address a problem with a device through other means, including by removal of the product from the market. When recommending corrective action, FDA intends to take into account the essential role that certain device software functions take as an integral part of a larger patient care system.

Reporting Corrections to FDA:

In accordance with 21 CFR 806.10, medical device manufacturers are required to promptly report, within 10 working days from the time the correction is initiated, to FDA certain actions concerning device corrections and removals. Specifically, medical device manufacturers are required to report to FDA any corrections made to a device to reduce a risk to health posed by the device or to remedy a violation of the FD&C Act caused by the device that may present a risk to health.

The reporting requirement does not extend to all modifications to devices. For example, certain actions that would improve the quality of a mobile medical app but that would not reduce a risk to health posed by the mobile medical app or remedy a violation of the FD&C Act are not required to be reported under 21 CFR 806.1(b).⁷⁷ If there is not a “risk to health” involved, a report to FDA is not required, but the device manufacturer must keep a record of the correction. An example of such action taken by the manufacturer could be changes made to correct a defect that creates a nuisance for the user but does not present a risk to the health of the user or patient.

More information about reporting requirements under 21 CFR Part 806 is available in “Device Advice: Recalls, Corrections, and Removals.”⁷⁸

Appendix E Frequently Asked Questions (FAQs) 🔗

1. I have a software function that is not identified in this guidance. What is the best way to get additional information from FDA about my product? Answer: FDA recognizes that this guidance does not describe all types of software used in health care. Some manufacturers may be unsure whether their software function is considered a medical device that is subject to regulatory oversight, or whether their medical device could be under FDA’s intent to exercise enforcement discretion. If the device is subject to regulatory oversight, manufacturers may have questions about which regulatory requirements are applicable to their software function.

   After reviewing this guidance, FDA encourages software manufacturers to contact the Agency to obtain more information using one of the following ways:

   • Phone or email – For information about regulatory requirements, contact the Division of Industry and Consumer Education (DICE). Email: DICE@fda.hhs.gov; phone: 301-796-7100 or 800-638-2041.
     For information about whether your software or mobile app is considered a medical device, contact digitalhealth@fda.hhs.gov.
     If your question relates to apps used in blood establishments or another area of CBER regulation, contact the Office of Communication, Outreach and Development, Center for Biologics Evaluation and Research; email: ocod@fda.hhs.gov; phone: 1-800-835-4709 or 240-402-7800.
   • Online – FDA has several resources and publications online that describe various regulatory requirements in detail. FDA’s “Device Advice”⁷⁹ website and online courses at “CDRH Learn”⁸⁰ are a good place to start. Other sections in this guidance provide links to more detailed information related to more specific topics.
   • Letter – For written feedback about the classification and the regulatory requirements that may be applicable to a device software function, manufacturers should use the 513(g) process. Specifically, a manufacturer should submit the following for a 513(g) submission:
     • User fee;
     • Cover letter;
     • Description of the software;
     • Description of what the software is to be used for; and
     • Any proposed labeling or promotional material for the software and, as applicable, any labeling or promotional material of a similar, legally marketed device, if available.

   FDA will generally issue a response to the 513(g), in the form of a confidential letter to the manufacturer, within 60 days of receipt of the request for information. For more specific information about what to include in a 513(g) and where to send it, refer to FDA’s guidance “FDA and Industry Procedures for Section 513(g) Requests for Information Contains Nonbinding Recommendations Under the Federal Food, Drug, and Cosmetic Act.”⁸¹ For more information about 513(g) user fees, refer to FDA’s guidance “User Fees for 513(g) Requests for Information”⁸²

2. Why does FDA recommend that manufacturers follow the Quality System (QS) regulation for those software that MAY be devices and could be device software functions but for which FDA intends to exercise enforcement discretion? Answer: FDA believes all manufacturers of medical device software should have in place an adequate quality management system that helps ensure that their products consistently meet applicable requirements and specifications and can support the software throughout its total life cycle. Adequate quality management systems incorporate appropriate risk management strategies, good design practices, adequate verification and validation, and appropriate methods to correct and prevent risks to patients and adverse events that may arise from the use of the product. All of these elements are part of FDA’s QS regulation.

3. Is FDA’s QS regulation similar to software development practices I already use? Answer: Most likely. Though not all of the principles in the QS regulation are applicable to the development and manufacture of quality device software functions,⁸³ the majority of them are applicable and are consistent with commonly used and accepted good software development practices, such as those from the Institute of Electrical and Electronics Engineers’ (IEEE), Software Engineering Body of Knowledge (SWEBOK), and Carnegie Mellon Software Engineering Institute’s Capability Maturity Model Integration (CMMI) methods.

   FDA’s approach to QS regulation is also harmonized with certain international standards such as ISO 9001 and ISO 13485.⁸⁴ Similar to these international standards, the QS regulation does not prescribe in detail how a manufacturer must produce a specific device, but provides a framework for all manufacturers to develop and follow to help ensure that their products consistently meet applicable requirements and specifications. The QS regulation can apply to and be scaled for any size manufacturer and any type of product. It also allows for a manufacturer to choose those requirements most appropriate for its given device and manufacturing process.⁸⁵

4. What are some examples of parts of the QS regulation that are of particular importance to device software functions and where can I find more information about them? Answer: Though not a complete list, some examples of principles within the QS regulation that are relevant to all device manufacturers include risk assessment and management, design controls, and corrective and preventive actions. Risk assessment and management is a critical part of good quality management systems. Good design practices are important to the development and manufacture of safe medical devices. It is also important for manufacturers to have procedures in place to identify, analyze, correct, and prevent software-related causes of patient or user harm. References related to these examples are provided in Appendix D of this guidance. Additional references about these principles that manufacturers may find useful include FDA’s guidances on “Design Control Guidance for Medical Device Manufacturers,”⁸⁶ and “General Principles of Software Validation.”⁸⁷

5. Do all the device software function manufacturers have to submit a premarket submission and receive FDA clearance or approval before marketing? Answer: No, not all manufacturers have to submit a premarket submission (i.e., a 510(k) or PMA) prior to marketing their device software function. This determination depends on the classification of the device. Manufacturers of devices that are exempt from 510(k) or PMA requirements do not have to file a submission with FDA prior to marketing their device. For example, the majority of class I devices are exempt from the premarket submission requirements and are subject to the least regulatory control.

   Regardless of whether medical devices are subject to the premarket submission requirements, most medical devices (including Class I devices) have to comply with other basic regulatory requirements that are called “General Controls.” More information about what “General Controls” are and what a medical device manufacturer should do to comply with these requirements, can be found in “Device Advice: General Controls for Medical Devices”⁸⁸ and “Regulatory Controls.”⁸⁹

6. Some FDA classifications state they are “510(k) exempt.” What does 510(k) exempt mean and how do I know if it applies to my product? Answer: If a classification states the device type is “510(k) exempt,” this means that the manufacturer is not required to submit a premarket notification (i.e., a 510(k)) prior to marketing the device. However, the 510(k) exemption may be subject to certain limitations. Manufacturers are encouraged to confirm the device’s exempt status and any limitations to that status that may apply in accordance with 21 CFR Parts 862 – 892. The webpage “Medical Device Exemptions 510(k) and GMP Requirements” contains additional information about 510(k) exempt devices.⁹⁰

7. If a 510(k) is required for my device software function, what type of software documentation does FDA recommend I include in the submission? Answer: FDA’s recommendations for the software-related documentation that you provide in your premarket submission are addressed in detail in FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.”⁹¹

   If the device software function uses off-the-shelf software, manufacturers should also refer to FDA’s “Guidance for Industry, FDA Reviewers, and Compliance on Off-the-Shelf Software Use in Medical Devices.”⁹²

8. I am a medical device manufacturer and making my product labeling available electronically using a mobile app. Is my app considered a mobile medical app? Answer: Mobile apps that provide electronic access and are intended for use as a digital version of medical device labeling or instructions for use are not considered a medical device on their own and therefore are not considered mobile medical apps. These are apps from a device manufacturer that provide information to support the company’s own device. Examples include apps that provide an electronic copy of cleared or approved medical device labeling or apps that provide video instruction for how to use a medical device. These types of apps are not considered devices within themselves, but instead are considered part of the medical device labeling and are subject to the regulatory labeling requirements relevant to that particular product.
9. Is an electronic method of collecting clinical investigations, for example through a mobile app, considered a device software function, and if so, what requirements apply? Answer: Software used for data collection in clinical studies (such as electronic Patient Reported Outcomes (ePRO) apps) is not considered on its own to be a device software function. However, manufacturers and users of this type of software should see FDA’s guidance related to use of computers in clinical trials, “Electronic Source Data in Clinical Investigations,”⁹³ issued on September 17, 2013.
10. I am a medical device manufacturer. Is an electronic method of collecting and storing quality systems information in my manufacturing process considered a medical device? Answer: Software used in the production process for medical devices, or for collecting, storing and maintaining quality system data collection for medical devices (including complaint submissions) is not considered a medical device on its own. This software does not meet the definition of medical device, but is part of the quality system. However this software is required to comply with the appropriate good manufacturing practices (GMP) regulations.⁹⁴

Appendix F Additional Resources 🔗

A. Guidance Documents 🔗

The webpage “Guidances with Digital Health Content”⁹⁵ contains an up-to-date list of all guidance documents with Digital Health content.

B. Standards 🔗

The “Recognized Consensus Standard database”⁹⁶ can be searched for the most up-to-date list of voluntary consensus standards recognized by FDA. A standard’s inclusion in the list below does not indicate it is currently recognized by FDA.

AAMI = Association for the Advancement of Medical Instrumentation

ANSI = American National Standards Institute

IEC = International Electrotechnical Commission

IEEE = Institute of Electrical and Electronics Engineers

ISO = International Organization for Standardization

1. ISO/IEC/IEEE 90003 Software engineering – Guidelines for the application of ISO 9001:2015 to computer software.
2. ISO 9001 Quality management systems – Requirements.
3. ISO 13485 Medical devices – Quality management systems – Requirements for regulatory purposes.
4. ISO 9000 Quality management systems – Fundamentals and vocabulary.
5. ISO 14971 Medical devices — Application of risk management to medical devices.
6. IEC 62304 Medical device software – Software life cycle processes.
7. IEEE Std 1012 IEEE Standard for System, Software, and Hardware Verification and Validation.
8. ISO/IEC 25051 Software engineering – Systems and software product Quality Requirements and Evaluation (SQuaRE) – Requirements for quality of Ready to Use Software Product (RUSP) and instructions for testing.
9. ISO/IEC/IEEE 12207 Systems and software engineering – Software life cycle processes.
10. AAMI TIR36 Validation of software for regulated processes.
11. IEC/TR 80002-1 Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software.
12. ANSI/AAMI ES60601-1 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance (particularly clause 14).
13. IEC 61508-2 Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.

Footnotes 🔗