FDA Guidance — How It Works
FDA guidance documents are not regulations (they don't have the force of law), but they represent FDA's current thinking on how to comply with applicable regulations and what to include in premarket submissions. Deviating from FDA guidance is possible, but requires a well-documented alternative approach.
For medical device software, FDA has issued an evolving series of guidance documents that reflect the rapid maturation of digital health and software-as-a-medical-device (SaMD) products. Keeping current with FDA guidance is essential — guidance that was current during development may have been revised by the time of submission.
Software Quality Guru monitors FDA guidance developments continuously and helps clients navigate the practical implications for their specific device types and submissions.
Software in a Medical Device (SiMD) Guidance
FDA's 'Software as a Medical Device: Clinical Evaluation' (2017, IMDRF-aligned) and the 'Software Functions Subject to 510(k) Requirements' guidance established the regulatory framework for SaMD classification and clinical evaluation expectations.
The 'Software in a Medical Device' guidance (2023 draft, replacing the 2005 final) specifies documentation content expected in premarket submissions for software-containing devices. It covers: software description, hazard analysis, development lifecycle, software verification, and validation testing documentation.
Key documentation expectations include: Software Description Document (or equivalent), software safety classification with rationale, anomaly list for SOUP components, and test documentation organized by software safety class.
Clinical Decision Support (CDS) Software Guidance
FDA's 'Clinical Decision Support Software' guidance (2022 final) clarifies which CDS software functions are and are not regulated as medical devices — a critical threshold for many digital health products.
The guidance establishes a four-factor test for non-device CDS: (1) the software is directed to healthcare professionals, (2) it displays the basis for its recommendations, (3) it is intended for conditions that are not serious or life-threatening, and (4) the clinician can independently review that basis.
Products that don't satisfy all four criteria may be regulated as medical devices. The guidance also addresses the Cures Act CDS exclusion under Section 520(o)(1)(E), providing a framework for developers to evaluate their CDS products' regulatory status.
Cybersecurity Guidance (2023)
FDA's 'Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions' (final, September 2023) represents the most significant update to FDA cybersecurity expectations in a decade.
The guidance covers: TPLM (Third-Party Library Management) and SBOM requirements, cybersecurity risk management aligned to NIST Cybersecurity Framework, SBOM content expectations (CycloneDX or SPDX format), testing documentation (penetration testing, SAST, DAST), and postmarket cybersecurity plans.
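The SBOM content expectations above are easiest to understand against a concrete document. The following is an added example (not code from the original page or from Software Quality Guru) that builds a small CycloneDX-style SBOM and checks each component for the data a premarket submission is expected to carry: the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp) plus the per-component level of support and end-of-support date that the 2023 guidance asks for. The SBOM itself, the component names, and the property names `fda:supportLevel` and `fda:endOfSupportDate` are constructed for this example; CycloneDX has no native fields for the last two, so they are carried as CycloneDX `properties` under names that are this example's assumption, not a published convention.

```python
"""Check a CycloneDX-style SBOM for per-component data expected in an
FDA premarket cybersecurity submission.

Added example, not from the original page. The SBOM below is
constructed for illustration, and the two "fda:" property names are
an assumption of this example rather than a published convention.
"""
import json
from datetime import date

# NTIA minimum elements that live on the component itself.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")
# Device-specific items from the 2023 guidance, carried as properties.
REQUIRED_PROPERTIES = ("fda:supportLevel", "fda:endOfSupportDate")

# Constructed sample SBOM (CycloneDX 1.5 JSON shape, trimmed).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "Example Device Co. Software Team"}],
        "component": {"type": "device", "name": "ExampleInfusionController",
                      "version": "2.4.0", "bom-ref": "device"},
    },
    "components": [
        {
            "type": "library", "bom-ref": "lib-tls",
            "name": "example-tls", "version": "3.0.12",
            "supplier": {"name": "Example TLS Project"},
            "purl": "pkg:generic/example-tls@3.0.12",
            "properties": [
                {"name": "fda:supportLevel", "value": "actively maintained"},
                {"name": "fda:endOfSupportDate", "value": "2026-09-07"},
            ],
        },
        {
            "type": "library", "bom-ref": "lib-json",
            "name": "example-json", "version": "1.9.4",
            "supplier": {"name": "Example JSON Project"},
            "purl": "pkg:generic/example-json@1.9.4",
            "properties": [
                {"name": "fda:supportLevel", "value": "end of life"},
                {"name": "fda:endOfSupportDate", "value": "2023-06-30"},
            ],
        },
        {
            # Supplier and support properties left out on purpose.
            "type": "library", "bom-ref": "lib-rtos",
            "name": "example-rtos", "version": "10.4.3",
            "purl": "pkg:generic/example-rtos@10.4.3",
        },
    ],
    "dependencies": [
        {"ref": "device", "dependsOn": ["lib-tls", "lib-json"]},
        {"ref": "lib-tls", "dependsOn": []},
        {"ref": "lib-json", "dependsOn": []},
        # lib-rtos has no dependency entry on purpose.
    ],
})


def _properties(component):
    """Flatten a CycloneDX properties list into a name -> value dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def check_sbom(sbom_json, today=date(2024, 1, 15)):
    """Return {bom-ref: [finding, ...]} for every component with a gap.

    Document-level gaps (author, timestamp) are reported under "document".
    """
    sbom = json.loads(sbom_json)
    findings = {}
    meta = sbom.get("metadata", {})
    doc_findings = []
    if "timestamp" not in meta:
        doc_findings.append("missing metadata.timestamp")
    if not meta.get("authors"):
        doc_findings.append("missing metadata.authors")
    if doc_findings:
        findings["document"] = doc_findings
    # A component counts as having a dependency relationship only if the
    # dependency graph carries an entry for its bom-ref.
    declared = {d["ref"] for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", comp.get("name", "?"))
        problems = [f"missing {f}" for f in REQUIRED_COMPONENT_FIELDS if f not in comp]
        props = _properties(comp)
        problems += [f"missing property {p}" for p in REQUIRED_PROPERTIES if p not in props]
        if ref not in declared:
            problems.append("no dependency relationship declared")
        eos = props.get("fda:endOfSupportDate")
        if eos and date.fromisoformat(eos) < today:
            problems.append(f"end of support passed on {eos}")
        if problems:
            findings[ref] = problems
    return findings


if __name__ == "__main__":
    for ref, problems in check_sbom(SAMPLE_SBOM).items():
        print(ref, "->", "; ".join(problems))
```

Run as a script it prints one line per component with gaps; `lib-tls` is complete and silent, `lib-json` is flagged only because its end-of-support date is in the past, and `lib-rtos` is flagged for the missing supplier, both missing support properties, and the absent dependency entry. The `today` parameter is fixed so the end-of-support check is deterministic; in real use pass `date.today()`.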
The guidance is now binding in a new sense — Section 524B of the FD&C Act (enacted 2023) gives FDA authority to refuse to accept premarket submissions lacking required cybersecurity information, making compliance truly mandatory for network-capable devices.
How Software Quality Guru Helps
- FDA guidance monitoring and applicability analysis for your specific device
- Submission content gap analysis against current FDA guidance expectations
- Software Documentation Checklist preparation (per 2023 software guidance)
- CDS product regulatory status assessment (device vs. non-device)
- Cybersecurity submission section preparation (Section 29 of 510(k))
- Pre-Sub (Q-Sub) meeting preparation to align on FDA expectations
- Regulatory intelligence updates as new guidance is issued