Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

FAQ: Software as a Medical Device: What you need to know

  • Published: March 31, 2025
  • Category: Medical Devices

Share this post

Avatar photo
Daniel Mannion

Share this post

Introduction

Software as a Medical Device (SaMD) has become a crucial component of modern healthcare, providing innovative solutions for diagnosing, monitoring, and treating diseases. However, Medical Device Regulations and Standards are often not well-tailored to software products and software development. In this blog, we will share some advice on how to understand Medical Device requirements in the context of Software as a Medical Device.

Compliance requirements in the UK and EU have deviated significantly over the past 4 years (since the UK left the EU) with the UK retaining the EU Medical Device Directive (with some changes and additions) and the EU moving on to the EU Medical Device Regulation; this article focuses on the UK perspective for SaMD, but 8fold can provide advice and guidance for the UK, EU, US and many other international markets.

Need Help With your Medical Device ?Book a Free Call

What is Software as a Medical Device (SaMD)?

SaMD refers to software designed to perform medical functions without being integrated into a physical hardware device (which is known as Software in a Medical Device – SiMD).

According to the UK Medical Device Regulator (MHRA), SaMD includes software applications used for diagnosing, preventing, monitoring, or treating diseases. The key factor in determining whether software qualifies as a medical device is its intended purpose. The intended purpose directly impacts the software’s classification, as it defines the level of risk associated with its use and, consequently, the regulatory requirements it must meet.

Is my software SaMD?

The MHRA provides guidance on how to determine whether a piece of software qualifies as a medical device under UK regulations depending on what the software is intended to do (its Intended Purpose). If necessary, the MHRA will look at both what you’ve stated internally and in any submissions to them as well as marketing material associated with the product, so it’s important to make sure your marketing materials (such as your website, brochure, social media platforms or videos) don’t promise something your product isn’t intended to do.

The MHRA provides guidance on the requirements for software to comply with the UK Medical Device Regulations, including:

  • Implementation of a Quality Management System
  • Creation of a Technical File
  • Application of Essential Requirements in Design and Release
  • Post-Market Surveillance and Incident Reporting

These guidance documents are informed and supported by international standards such as IEC 62304, ISO 13485 and ISO 14971.

  • IEC 62304 defines the life cycle processes required for the safe design, development and maintenance of medical device software. By following this standard, manufacturers can manage software development, maintenance, and risk, ensuring the software functions as intended while reducing the chance of failures that could harm patients.
  • ISO 13485 provides guidelines for building a QMS – a system designed to ensure that all processes in a company work together efficiently, with clear roles and responsibilities, making it easier to manage and continuously improve product quality while keeping patients safe.
  • ISO 14971 outlines the risk management process for medical devices, including software. It ensures that all potential risks are identified, assessed, and mitigated throughout the product’s lifecycle.

Compliance with these standards is critical in ensuring the safety and effectiveness of the software and forms a key part of your Quality Management System (QMS). While this may sound daunting, you may find (especially with IEC 62304) that you are already meeting many of the requirements; after all, these requirements and standards are simply an accumulation of best practices for making a safe and effective medical device.

SaMD is viewed through the same lens as other Medical Devices, and stringent regulatory requirements are put in place to keep patients safe from dangerous or ineffective devices. These requirements provide a structured approach to the development, maintenance, and risk management of medical software, ensuring that potential hazards are identified and mitigated before, during and after release.

Need Help Building a QMS Compliant with these standards?

Book a free, no obligation discovery call with a member of our team.
Get In Touch →
8foldGovernance team — UK healthcare compliance experts
FAQ: Software as a Medical Device: What you need to know

Medical Device Classifications.

In the UK (and EU), there are four classifications of Medical Devices, but only three classifications apply to SaMDs in the UK – Class I, IIa and IIb – the higher the number, the more risk. The UK and EU have different rules for classification, with the EU’s being significantly more stringent (especially for SaMDs). 

Classification levels are based on the risks associated with the type of software and corresponding levels of oversight from regulators. Class I devices are low risk, allowing for self-certification, while Class IIa, IIb devices require third-party conformity assessments plus annual audits and surprise audits due to their higher risk profiles. The device’s intended purpose determines its classification and regulatory requirements. 

The UK risk classifications are:

Class I

Class I SaMD is considered lower risk, supporting non-critical healthcare functions. Manufacturers can self-certify compliance but must still adhere to at least IEC 62304, ISO 13485 and ISO 14971. Postmarket surveillance and registration (either directly or through a UK Responsible Person) with the MHRA are also required to ensure ongoing product safety. Class I classification is determined by exclusion – If SaMD doesn’t fall into Class IIa or Class IIb, then it is Class I.

Class IIa

Class IIa SaMDs are moderate risk – controlling the delivery of low hazard energies for therapies or diagnosis or the delivery or removal of pharmaceuticals, imaging radiopharmaceutical distribution and diagnosing or monitoring physiological processes.

Class IIb

Class IIb are the highest risk SaMDs – controlling the delivery of hazardous energies (like neutron therapy) and controlling or monitoring active devices (like pacemakers).

Audits for Medical Devices Notified.

Audits are essential for verifying compliance with regulatory standards for Class IIa and IIb SaMD. Audits are conducted by Notified Bodies (for the EU and/or UK) or Approved Bodies (for UK only) and focus on the manufacturer’s quality management system, but also review the product’s technical file (including the Risk Management File), clinical evidence, and post-market surveillance. Regular post-market audits ensure continued compliance and address emerging safety concerns.

FAQ: Software as a Medical Device: What you need to know

The Role of the Technical File in Conformity Assessment.

The technical file is a crucial part of the conformity assessment for SaMD, containing all documentation that demonstrates regulatory compliance for the SaMD. It includes records of the risk management process (following IEC 62304 and ISO 14971), software verification and validation, clinical evaluations, labelling, and post-market surveillance plans. The technical file must be reviewed and approved by a Notified/Approved Body before the release of a SaMD. 

The Technical File must also be regularly updated (and for some product changes, re-approved) to maintain ongoing compliance.

How should AI-enabled Software as a Medical Device (AIaMD) ) be treated differently from other SaMDs?

All of the above information about SaMDs also applies to AI-enabled SaMDs, but there are specific considerations for AIaMDs.

Artificial Intelligence algorithms tend to be opaque – the method of their action is not just complicated but is by its nature (nearly) impossible to understand other than as a black box (by comparison of inputs and outputs). This means that explainability (to users and to regulators) is key in achieving compliance and ensuring patient safety.

When first working with an AIaMD, it is important to consider how the AIaMD might impact clinical practice, which means understanding how the developer has created and tested their algorithms. Risks related to AI algorithms include:

  • Poor quality training and testing data – should be mitigated by a data plan or strategy.
  • Bias the algorithm – should be identified and resolved by testing based on a thorough understanding of the biology and medicine behind the algorithm.
  • Usability – should be examined by usability studies.

Developers of AIaMD developers should be able to provide information on how they addressed these risks as part of their Risk Management File and product technical file.

There are new guidelines and standards for managing AI in Medical Devices and healthcare in general as regulators and standards agencies get to grips with the state of the art in AI – we have an ongoing series of blogs identifying the latest in these documents.

AI algorithms in Medical Devices should be released in a fixed state – i.e. for one version of the SaMD, the outputs of the software should be the same each time you use it for the same inputs. The UK regulations do not allow for “Adaptive” algorithms in SaMDs, and changes to an AI algorithm in a Class IIa or IIb SaMD will likely require approval from your Notified/Approved Body before each release. 

AIaMDs also fall under the EU AI Act in the EU and may fall under future UK AI regulations – which will add further requirements to the company’s QMS and product’s technical file to be reviewed by Notified/Approved Bodies.

Finding a route forward.

Understanding how Medical Devices Regulations apply to SaMDs and AIaMDs can be a minefield as most guidance is not tailored to Software; however, it is what we specialise in – get in touch if you’d like some advice about your SaMD or AIaMD product and what the fastest route to the UK, EU or US market is.

We’re the experts that have your back.

Let us help you find a route from from where you are, to where you need to go. We’re here to help.

Book a Call with our Expert Team

Other Articles​

Loading...
IEC 62304 vs EU MDR classification

Implementing IEC 62304: 5 Common Mistakes

Read More →

July 3, 2026
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
What is IEC 62304

FAQ: What is IEC 62304?

Read More →

April 27, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept