FDA Updated Software Guidance

In September 2022, FDA Updated the Software Guidance Policy for Device Software Functions and Mobile Medical Applications.  Last revised in September 2019, the policy is intended to clarify FDA’s regulatory oversight on software functions, including those used on mobile platforms and general-purpose computing platforms as well as software in the function or control of a hardware device.  Here are some of the key takeaways from 2022 update:

  • Alignment with 21st Century Cures Act: FDA explains that the policy was updated in accordance with the changes described in the guidance Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act.  Further updates to the policy from the FDA are also expected to harmonize with the final rule Medical Devices; Medical Device Classification Regulations To Conform to Medical Software Provisions in the 21st Century Cures Act” (86 FR 20278) and the FDA guidance Clinical Decision Support Software.
  • Moving accessories into the grey zone: Software functions that are extensions of medical devices by connecting to control or analyze data which may be used in combination with other devices now may be categorized as an accessory by the FDA whereas in the 2019 guidance, these software functions were considered accessories by the FDA.
  • Expanded software examples: The updated guidance includes examples of software functions cleared by the FDA through 510(k) submissions.  In addition, the guidance includes extensive examples of software functions that FDA does and does not consider as medical devices as well as software functions that FDA intends to exercise enforcement discretion.  Some examples which FDA had explicitly listed as software FDA intends to exercise enforcement discretion from the 2019 guidance are no longer mentioned in the revised 2022 guidance.
  • Patient and medical information: The updated guidance provides more detailed explanation on how to determine whether software used to record patient medical information is considered a medical device.  FDA mentions different scenarios and environments in which this type of software may be used and how the FDA intends on regulating these software.

FDA’s policy is a solid starting point for device and software manufacturers to develop their regulatory strategy.  An analysis of a software’s features and claims will also help manufacturers and developers classify their product and for innovative products, FDA meetings such as a presub (Q-sub) are encouraged.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.