FDA Software Precertification News

Software-based medical devices tend to develop more quickly than typical hardware-based medical devices, so in response the FDA has turned to an agile regulatory model for software as a medical device (“SaMD”). The FDA describes the Software Precertification Program as a voluntary pathway, with tailored assessments of the safety and effectiveness of software technologies. Rather than solely considering organizations’ Quality Management Systems, the Software Precertification Program envisions a broad assessment of an organization by the FDA or an accredited third party. The assessment would consider the quality of the software design, testing, clinical practices, performance monitoring, and post-market data collection of safety and effectiveness. The FDA intends for pre-certified organizations to have their lower risk SaMD products exempted from premarket review, and their higher risk SaMD products to experience faster review.

The laudable goal of the program is to have less burdensome regulatory oversight, achieved by assessing organizations’ processes for quality and transparency. For manufacturers with a “culture of quality and organizational excellence,” precertification provides efficient regulatory oversight over SaMD. The safety, effectiveness, and performance of such an organization’s SaMD would be verified in order to build stakeholder confidence that pre-certified organizations have demonstrated their ability to create, maintain, and improve SaMD. The FDA intends for the program to be open to any size organization developing medical devices that could be subject to FDA oversight. Note, however, that non-device software functions are not within the scope of the program – for example, software functions that are intended for administrative support, electronic patient records, or the display of data.

The Precertification Program evaluates “organizational excellence” based on five culture of quality and organizational excellence (“CQOE”) principles: product quality, patient safety, clinical responsibility, cybersecurity responsibility, and proactive culture. Organizations would be well-served to demonstrate excellent development, testing, and maintenance of high quality SaMD, as well as to provide a safe patient experience throughout. Clinical responsibility requires addressing patient issues like labeling and human factors, plus responsible clinical evaluations. An evaluation will also consider an organization’s proactiveness, in regard to cybersecurity issues as well as general proactiveness over surveillance, user needs assessment, and continuous learning.

The four key, interdependent program components are:

  1. Excellence Appraisal and Precertification. In considering whether an organization is one that can produce safe and effective SaMD products, the FDA works through five elements:
    1. Eligibility
    2. Application
    3. Appraisal
    4. Status determination
    5. Maintenance and monitoring

An organization is likely to be eligible if it shows domains where excellence commitments are observable, and if it tracks key indicators to ensure its activities are performing. The FDA recently clarified that the “business unit,” or the boundaries of the organization, should be clearly defined by the organization before it is considered for precertification. The precertification application should describe the business unit and the organization’s portfolio of software products.

Then, in the appraisal process, the FDA will assess whether an organization has demonstrated how its specific processes of product development are aligned with the “Excellence Principles.” Organizations should aim for macro-level excellence principles like leadership and transparency, as well as micro-level excellence throughout the work environment and development process. An organization exemplifying excellence would have strategic direction from the top, with leaders sharing relevant information with all stakeholders to build confidence. Appropriate resources should be allocated across all lifecycle processes, and the infrastructure should be supportive of risk management that is focused on patient safety. The FDA envisions tight control over outsourced processes, as well as clearly articulated software configuration and requirements management. The design and development prong should ensure safe, effective, and secure SaMD, with verification and validation that assures the software meets operational requirements. Finally, even after smooth deployment, there should be maintenance that preserves the integrity of software by protecting modifications from any new hazards. The FDA intends to evaluate an organization based on objective, observable evidence of their Key Performance Indicators (“KPIs”) that meet the aforementioned elements. The appraisal process may be followed by site visits, interviews, or other methods wherein organizations could provide measurements of how their practices fulfill each element.

The FDA’s stated intent for the varying levels of certification is to distinguish between organizations that have successfully marketed and maintained products, and those that have not. Aggregate appraisal results for each excellence principle would inform precertification status determination. However, an organization does not necessarily have to max out each element – the FDA intends to ask whether more than one measure shows concordance to the elements. Precertification Level One allows inexperienced organizations that have demonstrated all five excellence principles to market their lower-risk software without review, while their higher-risk software would receive streamlined review. Precertification Level Two allows organizations with a track record of successful marketing and maintenance of products (who have also demonstrated all five excellence principles) to market certain lower- and moderate-risk software without review, with streamlined review for other types of software.

  2. Review Pathway Determination. This component of the Precertification Program aims to develop a risk-based framework so organizations may determine the appropriate premarket review pathway for their particular SaMD products. Risk categorization is crucial, and is based on an organization’s precertification status, precertification level, and the SaMD’s risk category. An organization should be ready to proffer the elements necessary for identifying modifications (core functionality and device description of the SaMD) and the elements necessary to give confidence in the SaMD (organizational excellence and real-world performance information).

In a recent update to the precertification guidance, the FDA indicated that the risk of a SaMD can be understood by a clear definition statement about the intended medical purpose of the SaMD. The statement should explain how the SaMD meets the definition of a medical device (i.e., whether the device is intended to treat or diagnose, drive clinical management, or inform clinical management). An understanding of the risk of a SaMD is also based upon the description of the SaMD’s core functionality, which should identify critical features of the SaMD and why they are significant in regard to the information the SaMD provides for the healthcare decision.

  3. Streamlined Premarket Review Process. A pre-certified organization will be considered for streamlined review after a successful excellence appraisal and determination that their SaMD product meets the requirement for FDA review. The FDA’s stated intent is to “conduct an interactive review supported by automated analysis, where appropriate,” as well as to “provide a decision on the marketing of the pre-certified organization’s SaMD product within a shorter timeline than other premarket review processes.”

An organization undergoing the review process should be prepared for an interactive review of supporting information – like clinical evaluation results and risk management for the device’s intended use. If an organization’s SaMD is not authorized for market, the FDA would conduct an after-action review to identify gaps in the evidence submitted. The organization could help determine a plan for future resubmission; however, if an organization frequently failed streamlined review, its precertification status would likely be reassessed.

The FDA seeks to make review the least burdensome possible in terms of the amount and type of information required in premarket review. Organizations should be sure to provide the main product-specific elements that are typical of a premarket notification submission, although not all of the items listed are necessarily needed for every product.

  4. Real-World Performance (“RWP”). Finally, the RWP component seeks to develop performance data domains and analytic methodologies for Precertification Program activities. The FDA has indicated they intend to monitor the post-launch trends of product-specific performance (not necessarily raw data).

Organizations should proactively monitor RWP data, because they can use that data to support product claim modifications, changes in intended use, or expansions of product functionality. There are at least three types of data domains that organizations can track: real-world health analytics (e.g., human factors and usability, clinical safety, health benefits), user experience analytics (e.g., user satisfaction, issue resolution, user engagement and feedback), and product performance analytics (e.g., cybersecurity and product performance).

Organizations using RWP data should divulge what RWP data elements are being collected to monitor the safety and effectiveness of SaMD, and how often the data is collected. Plus, organizations should have a methodology for using RWP analytics as inputs into the precertification appraisal, and thresholds triggering the need for review of the precertification status. Overall, monitoring of RWP will result in increased public confidence in the Precertification Program, and increased responsiveness to emerging issues.

Crisis Prevention and Recovery LLC provides SoftwareCPR®, ValidationCPR, and RegulatoryCPR services, can help you with remediation as well as proactive, efficient processes, and has participated in the FDA Pilot Precertification on a consulting basis. Contact us at 781-721-2921, www.softwarecpr.com, or email office@softwarecpr.com for more information.

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.
