# FDA Risk Classification for Software as a Medical Device (SaMD)

Author: Sebastian Skorka
Published: 2025-11-04
Updated: 2025-11-12
Source: https://openregulatory.com/articles/fda-risk-classification-for-software-as-a-medical-device-samd

---

The Food and Drug Administration (FDA) plays a vital and hands-on role in the United States, ensuring medical devices are safe and effective before they ever reach a patient. This regulatory oversight covers everything from standard surgical tools to cutting-edge Software as a Medical Device (SaMD).

This guide will walk you through that system, focusing especially on how the FDA handles SaMD, detailing the criteria for each class, and offering clear, real-world examples.
FDA's Risk-Based Classification System for Medical Devices

Medical devices are sorted into three classes based on the risk they pose to patients and users, which determines the level of regulatory scrutiny required. The classes are based on the level of control necessary to assure the safety and effectiveness of the device. These classes are:
• Class I (Low Risk): Devices in this category pose the lowest risk to the patient and/or user. Most Class I devices are exempt from premarket notification requirements. Examples include non-sterile, manual surgical instruments and elastic bandages.
• Class II (Moderate Risk): Devices that are higher risk than Class I and require greater regulatory controls to provide reasonable assurance of the device's safety and effectiveness. Class II devices usually require premarket notification (510(k)). Examples include powered wheelchairs and some pregnancy test kits.
• Class III (High Risk): Devices that support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential, unreasonable risk of illness or injury. These devices require premarket approval (PMA), demonstrating safety and effectiveness. Examples include implantable pacemakers and breast implants.


SaMD: Classification and Regulatory Requirements

SaMDs are defined as software that performs one or more medical purposes without being part of a physical medical device - or in other words Stand Alone Software. The regulators at the FDA classify SaMDs basedmostly on the risks asscociated to the intended use. There are some general criteria:
• Significance:  The SW provides medical relevant information. How critical is the information for decision making or diagnosis?
• Situation:  In which clinical situation is the SW used?

Class I SaMD: Low Risk

Class I medical devices have the lowest risk. However, they need to comply with General Controls (like establishment registration, device listing, and adhering to manufacturing standards) and the manufacturer needs to implement a QMS for the organisation. Class I software is often exempt from more complex premarket notifications. 
• Example: A mobile phone app that tracks fitness associated values and provides health related advices.

Class II SaMD: Moderate Risk

Class II SaMD are associated with a moderate risk. The manufacturer usually has to submit a 510(k) or premarket notification, in addition, most of these devices also have to comply with special controls. The Special Controls address further requirements. Typical examples are labeling, PMS requirements or specific performance standards which are quite individual and device specific.
• Example: A mobile application that calculates and recommends precise insulin doses for a diabetic patient. The app also includes educational content and the option to manage appointments with the physician. This requires 510(k) clearance to demonstrate safety and performance comparable to existing dosing applications.

Class III SaMD: High Risk

The most rigorous process applies to Class III medical devices and the process is called premarket approval (PMA). In addition to special controls and the QMS, the PMA requires an exhaustive set of data to proof the safety and performance of the SW. This often includes clinical trials.
• Example: An advanced AI-driven diagnostic tool that analyzes complex medical imaging (like mammograms or CT scans) to detect the early stages of a serious disease like cancer. This kind of technology bears a very high risk to the patient if it fails. Therefore, clinical validation for this SW is essential.

Conclusion

The FDA's risk-based classification system is the gatekeeper for medical devices in the U.S. It doesn't just mandate a specific regulatory pathway; it underpins the entire ecosystem of safety, effectiveness, and public health. For industry professionals, mastering this system isn't just about compliance—it's about successfully bringing vital technology to the healthcare market. Interested how to classify your device in the European Union? We got you covered.