
Software as a Medical Device: Why defining intended use and risk categorization is critical for manufacturers

Explore the challenges of assessing software as a medical device (SaMD) and the importance of evaluating SaMD in accordance with a structured risk framework. 


By Pamela Gwynn

The medical device industry is increasingly leveraging advances in technology to develop devices that balance innovation with safety and effectiveness. In recent years, software has become an integral component in medical devices intended for a variety of purposes. From lifestyle applications to devices that can monitor life-threatening conditions in real time, software as a medical device (SaMD) technology is rapidly replacing more traditional, mechanically driven devices and transforming modern healthcare delivery around the world.

However, SaMD presents a complex level of variability when it comes to assessing regulatory compliance. SaMD products currently on the market cover the entire range of risk categories used by regulatory authorities as part of their assessment, from low-risk devices and applications intended for use primarily by consumers to high-risk devices that are essential in diagnosing and treating serious health conditions.

This range of risks makes it especially important to define the intended medical function of SaMD and its clinical impact, and to apply a rigorous risk management framework in the device development process.

Software as a Medical Device: A definition

The International Medical Device Regulators Forum (IMDRF), a group of international medical device regulators from the European Union, the U.S., Japan, China, and other countries, defines SaMD as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.” Some examples of SaMD include software used for diagnostic or therapeutic purposes, such as the software that drives image processing technology to detect cancer and other diseases, or software used in the design, production and testing of medical devices.

In contrast, software installed on a computer and used for office-related hospital operations, such as billing or insurance code tracking or to provide educational resources and tools for medical training, is not considered to be SaMD. Applications installed on smartphones and used by patients and consumers to access health-related information are also not SaMD for the purposes of regulatory overview.

Software has been used in conjunction with medical devices since the 1970s when it was first deployed in magnetic resonance imaging (MRI) systems and other scanning devices. But today, healthcare providers can use SaMD technologies to remotely collect critical patient information, diagnose medical conditions and determine appropriate treatments. SaMD also plays an essential role in electronic medical record systems used by hospitals and healthcare professionals.

The expansive use of SaMD is expected to foster significant industry growth in the years ahead. The SaMD global market is projected to reach $5 billion (USD) by the year 2033, representing an average compound annual growth rate (CAGR) of 13.6% during the period between 2024 and 2033. (See “Update on Software as a Medical Device (SaMD) Industry”)

Key challenges with SaMD

The benefits of SaMD technology also come with some critical issues and challenges that must be considered in current and future development efforts. As with any software-driven product or device, reliability and interoperability are high on the list of considerations. But these are even more important when it comes to the development of SaMD, since poor design or inadequate testing can impede the delivery of essential care to patients and users.

Cybersecurity is also a growing concern for SaMD and all software-dependent devices. Cyberattacks against SaMD and other medical devices and systems are on the rise. According to cases filed with the U.S. Department of Health and Human Services, approximately 400 cyberattacks against healthcare institutions were reported in the U.S. in 2024, with more than 150 so far through March 2025. Data theft and ransomware attacks related to the U.S. healthcare system are more consequential than other types of cyberattacks since they potentially threaten the lives of patients and caregivers.

Addressing these and other issues that directly impact patient safety requires SaMD companies to develop robust designs and procedures to mitigate potential safety risks. In addition to design considerations, SaMD should incorporate strong encryption methodologies, receive frequent software updates and be regularly assessed for potential vulnerability to the latest cyberthreats.

Defining intended use and applying a structured risk framework to SaMD development

Regulatory review of most SaMD products and other devices intended for medical use is subject to a rigid categorization system that defines the intended use of the device and the potential risk associated with the device’s use. To assist SaMD manufacturers and developers in evaluating their devices on these two factors, the IMDRF details a useful risk categorization framework.

The IMDRF framework provides the following criteria for each of its four classes of risk, summarized as follows (ranked from greatest risk to least risk):

  • Category IV – SaMD that provides information to treat or diagnose a disease or condition in a critical situation or condition is a Category IV risk and is considered to be of very high impact.
  • Category III – SaMD that provides information to treat or diagnose a disease in a serious situation or condition and to drive clinical management of that disease or condition is a Category III risk and is considered to be of high impact.
  • Category II – SaMD that provides information to treat or diagnose a disease or condition in a non-serious situation or condition and to drive or inform clinical management of that disease or condition in a non-serious situation or condition is a Category II risk and is considered to be of medium impact.
  • Category I – SaMD that provides information to drive clinical management of a disease or condition in a non-serious situation or condition, and which provides information to inform clinical management for a disease or condition in a serious or non-serious situation or condition is a Category I risk and is considered to be of low impact.

For SaMD manufacturers and developers, using this categorization framework to clearly define intended use and to detail the specific risks associated with that use is essential to preparing the data necessary to meet the requirements of regulatory authorities reviewing their devices.

How UL Solutions supports SaMD compliance efforts

UL Solutions offers SaMD manufacturers and development teams a full range of evaluation and certification services to assess the safety and effectiveness of SaMD and other health software solutions. Our services include assessment to several key industry standards, including:

  • IEC 82304-1, Health software – Part 1: General requirements for product safety.
  • IEC 62304:2006, Medical device software – Software life cycle processes.

Demonstrating alignment to these and other SaMD-related standards and regulations through applicable testing or certification can help reduce the risk of delays in the regulatory review and approval processes. In addition, UL Solutions can assist in developing plans for software maintenance and other post-market activities, helping reduce the risk of product recalls in the future.

Earning a UL Mark or certification for your SaMD communicates a commitment to quality and safety to consumers and users while helping mitigate development risks.

Conclusion

For SaMD manufacturers and developers, successfully navigating the regulatory review and approval process starts with having a clear definition of the device’s intended use and robust evidence supporting its performance risk category. Adopting a formal risk assessment process during the design and development of new SaMD is an important tool in addressing these issues, thereby helping to streamline regulatory review and approval.

 

 

Within UL Solutions, we provide a broad portfolio of offerings to all the medical device industries. This includes certification, Approved/Notified Body and consultancy services. To prevent any conflict of interest or perception of conflict of interest, and to protect both our brand and our customers' brands, we have processes in place to identify and manage any potential conflicts of interest and maintain impartiality.

About the author

Pamela Gwynn has dedicated her 36-year career at UL Solutions to advancing health and safety standards for medical and personal health devices. As a principal engineer with Consumer, Medical and Information Technologies (CMIT), she collaborates with manufacturers to navigate complex challenges in market access testing, certification and standards compliance.
