---
title: "SaMD Regulatory Requirements - Standards and Guidelines Roadmap"
type: white-paper
publisher: Ketryx
source: "https://www.ketryx.com/assets/samd-regulatory-requirements"
content: text extracted from PDF (layout/tables/figures not preserved)
---

# SaMD Regulatory Requirements - Standards and Guidelines Roadmap

*Source: [https://www.ketryx.com/assets/samd-regulatory-requirements](https://www.ketryx.com/assets/samd-regulatory-requirements)*

---

SaMD Standards and Guidelines: A Roadmap for Successful Regulatory Submissions Brochure

Introduction Software as a Medical Device, or SaMD is revolutionizing healthcare by making it more accessible to a broader range of patients on a number of levels. If you’re one of this new exciting class of developers you may be struggling with integrating modern product development methodology with patient safety and regulatory compliance. By definition, SaMD typically includes software or mobile apps designed to treat, diagnose, cure, mitigate, or prevent disease or other conditions. The SaMD category has experienced rapid growth in recent years and has been of particular interest to many investors. Because an SaMD operates on different platforms and interconnects to virtual networks or general- use hardware, however, it carries an increased cybersecurity risk as well as a commensurate increase in the use of off-the-shelf software. This larger trend of more software, more connectivity, more data, and more interdependence, has required a new regulatory framework that prioritizes both patient safety and healthcare innovation. As an SaMD developer you must follow certain software-specific guidelines from the FDA and other Standards Bodies, which we’ve documented in the following checklist. Both are key to a successful submission. Establish a legal foundation for the process of developing medical devices Documents provide process details and artifacts that regulators want to be able to review prior to the device entering the market. FDA Regulations FDA Guidances ketryx.com 1

PATCH Act of 2022 H.R. 7084, also known as the “PATCH Act of 2022,” outlines a framework for minimal cybersecurity focus within medical devices. The FDA is taking steps to help protect consumers in an ever-evolving connected world. This act sets out a minimal set of tasks for both pre and post market submissions with the intent of establishing cybersecurity processes into a product development cycle. This act is good for the industry. Catching potential risks both before and during a product’s market availability is a golden opportunity to avoid potentially catastrophic ramifications and maintain trust. The act specifies creation, tracking, and submission of the following: ketryx.com 2 Software Bill of Materials (SBOM) Product cyber-anomaly response plan Product software releases on a ‘reasonably justified regular cycle’ Collect and maintain additional information in the future Product monitoring plan Coordinated messaging of cyber vulnerabilities Ability to release a critical vulnerability patch ‘as soon as possible’

Validation vs. Verification First, let’s quickly define the difference between verification and validation as SaMD is uniquely a medical product and system itself. Thus, SaMD system requirements must be verified to have been implemented correctly, and the product must be validated to ensure it satisfies the user’s need and that the right product was built for the customer. Validation ranges from human factors testing, clinical evaluation to determine the efficacy of the software for its intended use and demonstration that risk controls are effective. ketryx.com 3 Is the act of showing that devices do what you wanted them to do Shows that what you wanted the device to do is the right thing for users. Verified Validated Quality System Regulation (QSR) 21 CFR Part 820 This regulation defines the requirements manufacturers must meet to produce and market medical device products in the U.S. To demonstrate a reasonable assurance of safety and effectiveness for devices that use software, 21 CFR Part 820 is often a necessary part of the premarket submission. These next set of regulations outline specific requirements with respect to design, development, manufacturing, and post-market surveillance of products. For companies developing Software as Medical Device, the most critical sections are: This clause requires that any device containing software (including Class I) must have design controls in place and be validated to its intended use. Specifically section (i) refers to the need for software developers to validate their automated processes (e.g., build system or Jira) Part 820.30 Design Controls Part 820.70 Production and Process Controls

21st Century Cures Act (Pub. L. 114-255) – amended Section 514 (c) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) In summary, this statement allows a medical device manufacturer to demonstrate compliance with the 21 CFR 820 regulations and FDA Guidance by declaring conformance to the Standards listed below that are recognized by the FDA. In many ways, this approach is a more practical means of demonstrating compliance for a manufacturer rather than attempting to establish their own Quality Management System to include Design Controls, Validation, and Risk Management processes. (21 U.S.C 360d(c)(1)(A). [Manufacturers] shall, by publication in the Federal Register... recognize all or part of an appropriate standard established by a nationally or internationally recognized standard development organization for which a person may submit a declaration of conformity in order to meet a premarket submission requirement or other requirement. “ ketryx.com 4

Standards for the SaMD category include: ketryx.com 5 This standard provides the requirements for a comprehensive Quality Management System for the design and manufacture of medical devices. ISO 13485 Medical Devices This standard specifies a process for a manufacturer to analyze, specify, develop, and evaluate the usability of a medical device as it relates to safety. ANSI/AAMI/IEC 62366-1 – Medical Devices – Part 1 Application of Usability Engineering to Medical Devices This standard defines the lifecycle processes needed to establish the safety and effectiveness of medical devices containing software. It is a global standard accepted by most national regulators, including the FDA. ANSI/AAMI/IEC 62304 Medical Device Software – Software Lifecycle Processes This standard provides the requirements for the application of risk management for medical device products. Through these standards, companies building medical device products can understand how to apply risk management and ensure their device is safe and reliable. ANSI/AAMI/ISO 14971 Medical Devices – Application of Risk Management to Medical Devices This TIR provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. AAMI TIR57:2016 Principles for Medical Device Security – Risk Management This TIR provides guidance on addressing post-market security risk management within the risk management framework defined by ANSI/AAMI/ISO 14971. AAMI TIR97:2019 Principles for Medical Device Security – Post-market Risk Management for Device Manufacturers

ketryx.com 6 Y our First Submission Now that you’re familiar with all of the standards necessary to create SaMD, how do you apply them to your existing development process? Attempting to balance rapid iterations, safety and risk management requirements can be time-consuming and daunting to software developers new to the regulatory process. Ketryx is the first and only software solution that overlays the existing on-premise and cloud-based tools in MedTech environments to become a living part of the development process. Ketryx is the unifying thread that connects and traces all tasks, activities and workflows throughout the product lifecycle from design to post-launch. Ketryx records data directly from the systems used to build the product and automatically submits this information to the FDA for traceability and compliance purposes. As a result, all team members can still use the tools in which they are comfortable during the development process while remaining compliant, eliminating the hours spent on hand-offs and approvals. By reducing the amount of cutting/pasting and retyping information, manufacturers minimize the possibility of human error, releasing better software and improving patient outcomes. With intelligent guardrails, Ketryx doesn’t allow any project to progress unless it is validated and guides users on next steps to stay compliant and move the project forward. Quality professionals gain the peace of mind that they’ve built a defensible system that operates only as they’ve defined in their SOPs. In fact, they can rely on Ketryx to infuse their control processes in every stage of the product lifecycle, ensuring quality at the source and compliance throughout the process.

Essentially, Ketryx ensures that any software developer can become a regulated developer with minimal training. Developers can focus on coding and product impact rather than endless documentation and repetitive hand-offs that lead to frustration and costly errors.

ketryx.com 7 About Ketryx Ketryx is the first and only Connected Lifecycle Management software for MedTech that seamlessly creates traceability across the application lifecycle. Compliant by Design, Ketryx embeds guardrails to eliminate the manual, error-prone cutting and pasting from traditional disconnected medical systems to reduce the risk of defects while delivering enhanced patient outcomes. © Ketryx Corporation, 2023.
