SaMD Compliance

Software-based medical technologies have transformed modern healthcare, yet they present unique regulatory challenges under the MDR and IVDR. Software classified as a medical device must demonstrate compliance not only with general safety and performance requirements but also with software-specific standards governing development, validation, risk management, and cybersecurity. The introduction of Rule 11 under the MDR has elevated the classification of many software products, resulting in higher evidentiary expectations and greater regulatory scrutiny. For manufacturers, this environment demands a disciplined, traceable, and auditable compliance approach that integrates regulatory requirements into every stage of the software lifecycle.

Our SaMD Compliance services provide a comprehensive solution for establishing and maintaining conformity for software products regulated as medical devices. We begin by performing a regulatory classification and applicability assessment in accordance with MDR Annex VIII, Rule 11, and MDCG 2019-11 guidance. This assessment determines whether the software qualifies as a medical device, defines its risk class, and identifies the appropriate conformity assessment route. Clear classification at the outset ensures that regulatory and technical strategies are aligned and that development efforts proceed efficiently.

We then support clients in developing and implementing a software lifecycle management framework consistent with IEC 62304. This includes defining development planning, software risk management, verification and validation, configuration control, and problem resolution processes. Each process is tailored to the software’s intended purpose, complexity, and integration with hardware components or networks. Our consultants ensure that lifecycle documentation demonstrates full traceability between design inputs, software requirements, verification results, and risk controls, providing the structured evidence regulators expect.

Cybersecurity and data protection represent critical components of SaMD compliance. We assist in establishing security-by-design principles that integrate threat modelling, access control, and vulnerability management throughout the development lifecycle. Our methodologies align with MDCG 2019-16 and best practices, ensuring that cybersecurity measures are both technically sound and proportionate to device risk. We also support the development of software update and patch management procedures that maintain security integrity without disrupting regulatory compliance.

Clinical evaluation and performance validation are addressed as part of our integrated approach. We assist in developing clinical evaluation reports and performance testing plans that substantiate intended claims, demonstrate clinical benefit, and satisfy MDR Annex XIV requirements. For machine learning–based or adaptive software, we provide strategies to document algorithm performance and maintain regulatory control during continuous learning and version updates.

Through disciplined implementation of regulatory and technical controls, we help organisations transform software innovation into safe, compliant, and market-ready medical technologies. Our services provide the structure, documentation, and expertise necessary to achieve and maintain conformity in an evolving digital health landscape.

For further information on how our SaMD Compliance services can support your software development and regulatory approval activities, please contact our digital health and regulatory affairs team.
