Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: SaMD Curious? Preparing to become a Regulated Medical Device

  • Published: March 10, 2025
  • Category: Medical Devices

Share this post

Headshot of a man with long hair, a beard and glasses, wearing a patterned shirt
Dan York

Share this post

Introduction to SaMD

The use of specialist software in the healthcare industry is ever-increasing. Even if they are not currently a medical device, organisations such as the NHS already impose strict compliance requirements on your organisation through the NHS DTAC in order to meet their minimum standards for use.

As you look to expand the functionality of your software – particularly with the increasing ease of implementing AI-based solutions – it’s possible that your product may fit the definition of  Software as a Medical Device. Adding features in this way might be a great way to expand your product’s appeal to more specialist customers, but becoming a medical device brings about an increased level of regulatory rigour which is important to consider before committing to improving your product in this way.

In this blog, written by our Quality and Regulatory Specialist, Dan York we unpack the considerations for digital health businesses considering the transition to becoming a regulated medical device and how to adequately prepare.

Need Help with IEC SaMD? Get In Touch

What is a Medical Device?

A medical device is any device (for example an instrument, a material or a piece of software) that is intended for human medical use. They are defined based on their intended use and include devices that treat, diagnose or monitor medical issues, things that support or restore the human body or devices that help a patient regain independence which may have been lost as a consequence of clinical outcomes.

Software as a Medical Device (SaMD)

SaMD refers to software designed to perform medical functions without being integrated into a physical device. According to the MHRA (the UK’s regulator), SaMD includes software applications used for diagnosing, preventing, monitoring, or treating diseases. The key factor in determining whether software qualifies as a medical device is its intended purpose. This intended purpose defines the level of risk associated with its use and, therefore, impacts the software’s classification and the regulatory requirements it must meet. 

In the UK, SaMDs fall into one of three classifications, based on their function and level of risk. Briefly, these are:

  • Class IIb – Highest Risk, devices that control the delivery of hazardous energy or ones that monitor other active devices, such as pacemakers or insulin pumps.
  • Class IIa – Medium Risk, including devices that provide diagnostic information or control the delivery of pharmaceuticals.
  • Class I – Low Risk, for SaMD that doesn’t fall into the other categories.
Get Expert Guidance Now

What to Know Before Selling Your Medical Device: Essential Tips and Insights to Consider.

Before you can sell your product as a medical device, there are some important activities which you need to carry out to ensure your product compliant with the regulatory requirements of the territories you plan to market in.

Step 1

Step One: Regulatory Strategy

Before you can prepare to make changes to your organisation and to your product, your first task is to get a thorough understanding of the scope of the work. A regulatory strategy is the best way to do this. Using information about your product, its features and potential impact on patients, along with your intended markets (many countries have their own unique medical device regulatory requirements) you can draw up a list of the relevant standards and regulations that you need to be compliant with. This, in turn, will set you up for success by knowing what your quality management system or QMS and technical documentation (Technical File) should look like.

You might even find that your product isn’t considered a medical device in some countires, speeding access to that market.

Circular icon with the number 2

Step Two: Identifying Standards and Certification

There are many international standards and technical documents that relate to medical devices and SaMD. Some of which require external certification, others you may just need to follow to meet regulatory requirements. Some of the most common ones are:

ISO 13485

ISO 13485 - Medical Device Quality Management Systems.

The requirements for your QMS include product development and delivery, document management, competence and training and quality assurance through objectives. This standard is key for all medical devices (including software and IVDs) and will be the foundation for your quality processes and procedures.

Find out more
ISO 1497

ISO 14971 - Medical Device Risk Management.

This standard outlines what you should be considering in terms of risk management, particularly as it relates to clinical and patient safety, along with a framework for reviewing and addressing those risks.

Find out more
IEC 62304

IEC 62304 - Medical Device Software Lifecycle.

Requirements related to how you should be structuring your software lifecycle, including verification and validation, usability and risk management.

Find out more
ISO 27001 iso 27001 certification iso 27001 certification price

ISO 27001 - Information Security Management.

While not directly related to medical devices, you will be required to have a cybersecurity framework in place to protect the integrity of your product, and ISO 27001 is a great way to structure that as part of a wider management system.

Find out more
Step 3

Step Three: Build Technical Documentation

To sell a SaMD product into various territories, you may be required to produce a Technical File. This is a structured set of documents, the exact details of which vary from country to country, which describe the technical details of your software. This includes testing plans and results, an evaluation of its usability and a description of its clinical and technical functions

Circular icon with the number 4

Step Four: Training

Achieving compliance and certification to international standards takes more than just creating specific technical documents. Anybody involved with the product should also be familiar with your quality management system and their role within it. ISO 13485 imposes requirements not only on your product but on processes related to its production and preservation. This includes managing risks related to suppliers and third-party components through focused evaluations, keeping careful records of all products sold, such that they can easily be identified and recalled if necessary and having general awareness of your company’s quality policy and commitment to meeting regulatory requirements. 

Setting up your QMS so that it is easy to understand and follow is critical – that’s why we support our clients to build processes into their existing systems rather than trying to get to grips with new eQMS software and all the extra training that comes with it. eQMS software can also cost from £20,000 per annum for even the smallest companies.

Get in contact with us if you’d like your Quality Management System to run easily in familiar software without massive licence fees.

Get Expert Guidance Now

On-going Activities

Getting started as a medical device is the biggest hurdle and once you have a compliant QMS in place it is much easier to manage. However, this doesn’t mean you don’t have to keep on top of new tasks and organisational goals to keep selling your product into the market.

Audits and Recertification

To ensure conformity with standards and regulations, you will need to audit your QMS routinely and efficiently. Some of these audits will be internal, carried out by trained members of staff or by bringing in an approved supplier with the experience necessary to review your system. In addition, your certification body will also carry out periodic audits, some as a matter of surveillance (usually annually) but also to verify that you can maintain your certification (typically every three years) so these will need to be scheduled around your other important tasks.

Risk Classification Report Type Frequency Must be provided to a Notified Body?
Class I
Post Market Surveillance Report
Every 3 years
No
Class IIa
Periodic Safety Update Report
Every 2 years
Yes
Class IIb
Class III
Annual

Regulatory Intelligence

Once you’ve got a product on the market, you must stay abreast of any changes or updates in the regulatory landscape that affect your product(s). This typically involves having someone with an appropriate understanding of the regulations periodically check for notifications from regulators. Updates can potentially lead to you needing to update your technical documentation to reflect new information or occasionally update your procedures so that you remain compliant.

Need help tracking regulatory changes and making appropriate updates to your quality documentation? – we can help. Check out Quality Management as a Service.

Quality Management as a Service

Need help tracking regulatory changes and making appropriate updates to your quality documentation?

Get In Touch →
8foldGovernance team — UK healthcare compliance experts
Preparing for SaMD Regulation Expert Insights: SaMD Curious? Preparing to become a Regulated Medical Device Preparing for SaMD Regulation

Post Market Surveillance and Vigilance

A vital part of selling a medical device of any kind is that you monitor the effectiveness and safety of your product once it’s in your customer’s hands. This involves carefully reviewing feedback and complaints to ensure they don’t lead to further issues or even harm to a patient and also keeping careful eyes on any incidents caused by similar products on the market. The other half of this is vigilance reporting; if you do encounter a problem which may be hazardous to patients, then it becomes your obligation to report it to the appropriate authorities and take appropriate remedial actions.

There have recently been a number of changes made to Post Market Surveillance and Vigilance under UK Medical Device Regulations which you can learn about in our blog, here.

Our Our Advice

Transitioning to a software medical device manufacturer can be a daunting and expensive process for businesses that may have already invested time and energy in other compliance activities such as the NHS DTAC. However, by becoming a medical device, this opens a world of possibilities in terms of innovation through enhanced product features which in turn can lead to better patient outcomes.

With some expert advice, you may also find that you’ve already created the documentation and processes you need without knowing it. 

If you’re considering the transition and need further advice or guidance, get in touch – we would love to help

We’re the experts that have your back.

Let us help you find a route from from where you are, to where you need to go. We’re here to help.

Book a Call with our Expert Team

Other Articles​

Loading...
IEC 62304 vs EU MDR classification

Implementing IEC 62304: 5 Common Mistakes

Read More →

July 3, 2026
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
What is IEC 62304

FAQ: What is IEC 62304?

Read More →

April 27, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept