Software as a Medical Device (SaMD) Startup Guide to Compliance for 2025

Matteo Gubellini
Regulatory Affairs Manager
December 3, 2024

Introduction

The first contact with the Medical Device regulatory world is a shock for most startups. These companies usually have excellent technical and clinical ideas on how to improve the patient’s life, but little knowledge of the legal burdens required to bring the medical device to the market.

The technical world of reasonable certainties clashes with the legal verbiage which is often left to broad interpretation.

You can’t deny the complexity of these regulations, but with this guide we hope to give an initial direction to these companies.

The Bottom Line: the Law

In order to release a product in a market/country you ultimately need to comply with the local laws. In some cases, multiple countries have come together to adopt a single set of laws, e.g. the EU.

A few cases:

  • USA: The Code of Federal Regulations (CFR), in particular Title 21 (the medical device parts, e.g. 21 CFR 820 for quality systems and 21 CFR 11 for electronic records and signatures), under the Federal Food, Drug, and Cosmetic Act
  • EU: Medical Device Regulation (MDR, Regulation (EU) 2017/745) and In-Vitro Diagnostic Medical Device Regulation (IVDR, Regulation (EU) 2017/746)
  • Canada: The Medical Devices Regulations (SOR/98-282)
  • UK: Medical Devices Regulations 2002 (UK MDR 2002), which still implement the former EU directives MDD, IVDD and AIMDD

Laws are country/market specific. They state general principles of safety and performance of devices, but they also go into the details of classification, submissions, approvals, post-market activities, legal responsibilities and liability, fees, etc.

Often, a device needs to be approved or cleared before being placed on the market, but for simpler, low-risk devices this is sometimes replaced by registration and self-declaration (e.g. 510(k)-exempt Class I devices in the US, or Class I non-sterile, non-measuring devices under the EU MDR).

There are almost 200 countries in the world, so the idea of having to comply with multiple different sets of regulations is overwhelming.

That’s where Standards come to help.

The Standards

Independent, non-governmental organizations such as ISO and IEC have developed international standards that cover a wide variety of processes, including some specific to Medical Devices. Governments around the world can “adopt” these standards so that companies following them have a “presumption of conformity” to the corresponding regulatory requirements.

The most important example is ISO 13485 “Medical devices — Quality management systems — Requirements for regulatory purposes”. When a country adopts it (it is an FDA Recognized Consensus Standard in the US, where the revised 21 CFR 820 incorporates it by reference, and a Harmonised Standard in the EU) it means that if a company follows it then it is considered compliant with the part of the law that mandates the structure of the Quality Management System for Medical Devices.

So rather than a burden, a company should consider these standards a clear way to comply with “vague” legal requirements.

Other relevant examples:

  • ISO 14971 for Risk Management
  • IEC 62304 for Software life cycle processes (standalone software or software that is part of a medical device)
  • IEC 81001-5-1 for the security activities in the health software life cycle (the cybersecurity counterpart to IEC 62304)
  • IEC 62366-1 for Usability Engineering
  • ISO 15223-1 for Symbols used on labels and labelling

Where to begin?

  1. Is my product a Medical Device? There are specific legal definitions: if a product meets them then it MUST be treated as a medical device, and if not it CANNOT be considered one.
  2. What is the Intended Use of the device? This is a very specific statement about the clinical application and benefits of the device. It is extremely important to define it in the early stages of the development as it is the basis for the following steps. Ask yourself questions such as:
    1. What medical condition is the device supposed to treat and to what extent?
    2. What is the operating principle?
    3. Is there any specific population that is in scope or must be excluded?
    4. Are there cases where the device should NOT be used (contraindications)?
  3. Identify where you want to market your device. The regulations of different markets are not always equivalent for a given device type, and the differences can significantly change the regulatory approach and timeframe.
  4. Classify your device. This must be done for every market, and the Intended Use is key to this classification. Identify similar or equivalent devices already on the market and check their classification and approval process; it is a good starting place.
  5. Identify whether you will need specific Company certifications, such as ISO 13485. Although it is not strictly required everywhere and for all devices, it is expected by virtually every regulatory agency.
  6. Define a regulatory path and timeline.
    1. When do you want to release your device?
    2. How long does it typically take to get approval in each target market?
    3. When do you need to have your certifications in place?
    4. When do you need to start putting together your product technical documentation and Quality System documentation?
    5. Will you need to conduct clinical trials?

Classification of SaMD

SaMD is classified like any other medical device, according to the local regulations:

  • US: classification by product code within the FDA classification panels (21 CFR Parts 862–892), giving Class I, II or III
  • EU: the classification rules of MDR Annex VIII, where Rule 11 is the rule written specifically for software
  • UK: device class under UK MDR 2002, with MHRA guidance that aligns the IMDRF SaMD risk categorization to the device class

How to get there faster

A Company can take all the burden with the internal resources (it has been done before), but it will take time to understand the regulations and standards, especially if there is no expertise in the Company.

Like any other process, it comes down to “resources”:

  • Employees;
  • Finances;
  • Time.

It is similar to the Project Management Triangle (Scope-Resources-Time). If you want a short time-to-market then you need to hire knowledgeable employees and/or spend money on consultants to bring in knowledge. If “money is too tight to mention” then expect longer timeframes.

Internal Knowledge

Regardless of the approach you choose, eventually you will be expected to have internal knowledge of the standards, the regulations and your own quality system. Consultants can speed up the process, but they cannot answer the Auditor's questions on your behalf, leaving internal employees alone with the Auditor. You want to be ready for that.

Meeting all these medical device requirements may sound overwhelming for a small startup, but they are achievable. Here's a story of BiomeDx, an agile medtech company, about how they mastered the ISO 13485 certification when the company only had a few people.

Check out the SoftComply Document Management Solution on Confluence Cloud that helps speed up compliance for your SaMD.
