Medical Device Software Development in 2026: IEC 62304, FDA SaMD, and What to Expect
Medical device software (SaMD) development requires IEC 62304-compliant software lifecycle processes, FDA classification under 21 CFR Part 820/830, and a Quality Management System per ISO 13485. Class I SaMD (lowest risk): typically exempt from 510(k), needs basic QMS documentation. Class II SaMD: 510(k) clearance required (6–12 months, $30,000–$80,000 FDA fees). Class III SaMD: PMA approval (18–36 months, high cost). Development cost adds 40–80% over standard software for documentation, validation, and regulatory compliance.
Commercial Expertise
Need help with Healthcare?
Ortem deploys dedicated Healthcare Software squads in 72 hours.
Next Best Reads
Continue your research on Healthcare
These links are chosen to move readers from general education into service understanding, proof, and buying-context pages.
HIPAA-Compliant Development
Build healthcare apps with full HIPAA compliance — audit logs, encryption, BAAs, and secure APIs.
View HIPAA serviceHealthcare Industry Expertise
See Ortem's deep experience across EHR, telehealth, patient engagement, and clinical data systems.
View healthcare pageGet a Healthcare Tech Consultation
Talk to Ortem engineers about your clinical app, HIPAA compliance plan, and build timeline.
Book free sessionMedical device software sits at the intersection of software engineering and regulatory science. The software itself may not be more complex than a consumer app — but the processes surrounding it (documentation, validation, change control, risk management) are significantly more rigorous. Here is what that actually means for a development project.
Is Your Software a Medical Device?
The first question is whether your software qualifies as a medical device under FDA or EU MDR regulations. Software is a medical device (SaMD) if it meets the intended use definition:
FDA definition: Software that is intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.
Key trigger questions:
- Does the software provide a diagnosis, treatment recommendation, or clinical decision?
- Does it analyze patient-specific data to produce a clinical output?
- Is it intended to affect the structure or function of the body?
Examples of SaMD: AI diagnostic imaging tools, clinical decision support that recommends specific treatments, software controlling drug dosing, remote patient monitoring that alerts clinicians to deterioration.
Examples of software that is NOT SaMD: Hospital administrative software, general wellness apps without clinical claims, medical education software, clinical communication tools.
If your software triggers the SaMD definition, stop development until you have a regulatory strategy. Building without classification certainty means you may have built a non-compliant product.
IEC 62304 Software Lifecycle Requirements
IEC 62304 defines what a compliant software development process looks like. The standard assigns safety classes based on the potential severity of harm from software failure:
Class A: No injury or damage to health is possible. Example: administrative healthcare software. Class B: Non-serious injury is possible. Example: software driving a non-life-critical alert. Class C: Death or serious injury is possible. Example: software controlling drug infusion, diagnostic AI for critical conditions.
Required deliverables by safety class:
| Activity | Class A | Class B | Class C |
|---|---|---|---|
| Software development plan | Required | Required | Required |
| Software requirements | Required | Required | Required |
| Software architecture | Not required | Required | Required |
| Software detailed design | Not required | Not required | Required |
| Unit testing | Not required | Required | Required |
| Integration testing | Not required | Required | Required |
| System testing | Required | Required | Required |
| Change request tracking | Required | Required | Required |
| Traceability matrix | Required | Required | Required |
Class C adds design documentation at the function/module level and requires bidirectional traceability from every requirement through design, implementation, unit test, and system test.
The Documentation Reality
Most development teams underestimate documentation scope. For a mid-complexity Class B medical device software:
- Software Development Plan: 15–30 pages defining development methodology, tools, roles, and process
- Software Requirements Specification: Each requirement numbered, testable, and linked to clinical need
- Software Architecture Document: System decomposition, interfaces, rationale for architecture decisions
- Hazard Analysis: Risk assessment per ISO 14971 — what can fail, what is the harm, what are mitigations
- Test Plans: Unit test plan with pass/fail criteria; integration test plan; system test plan
- Test Results: Documented evidence of each test execution
- Traceability Matrix: Requirement → design → implementation → test — every row must be complete at submission
Estimate 30–50% of total project cost in documentation, process compliance, and validation activities for Class B. Class C: 50–70%.
Development Process Adjustments
Compliant medical device development requires specific process controls:
Change control: Every code change after baseline is a formal change request with impact assessment. The casual "push a fix to production" workflow does not exist in medical device development. Changes require documented justification, impact analysis on safety, regression testing, and approval before deployment.
Version control as regulatory evidence: Every release must be reproducible from version control. Your git history, build scripts, and dependency lockfiles are regulatory records.
Defect tracking: All software problems (bugs) must be tracked, classified by severity, and resolved or formally accepted through a review process. A bug tracker is a regulatory requirement, not just a project management tool.
Software release process: Each software release requires a Software Release Checklist confirming all requirements tested, all known defects dispositioned, documentation complete, and authorized approver sign-off.
Regulatory Pathway Options
FDA 510(k) Substantial Equivalence: For Class II devices. Demonstrates your device is substantially equivalent to a legally marketed predicate device. Timeline: 6–12 months average (FDA review target is 90 days, but cycles of questions extend this).
FDA De Novo: For novel Class II devices without a predicate. More rigorous than 510(k). Timeline: 12–24 months.
FDA PMA (Premarket Approval): For Class III devices. Full clinical evidence required. Timeline: 24–36+ months. Rarely the right path for software-only devices.
EU MDR CE Marking: For European market. Requires a Notified Body review for Class IIa and above. QMS certification per ISO 13485 required. Timeline: 12–24 months for Notified Body review.
Ortem Technologies works with medical device and health tech companies on regulated software development. We can engage for full IEC 62304-compliant development or for specific phases (architecture, software requirements specification, validation testing) alongside your existing team.
Discuss your medical device software project → | Healthcare software development →
About Ortem Technologies
Ortem Technologies is a premier custom software, mobile app, and AI development company. We serve enterprise and startup clients across the USA, UK, Australia, Canada, and the Middle East. Our cross-industry expertise spans fintech, healthcare, and logistics, enabling us to deliver scalable, secure, and innovative digital solutions worldwide.
Get the Ortem Tech Digest
Monthly insights on AI, mobile, and software strategy - straight to your inbox. No spam, ever.
About the Author
Director – AI Product Strategy, Development, Sales & Business Development, Ortem Technologies
Praveen Jha is the Director of AI Product Strategy, Development, Sales & Business Development at Ortem Technologies. With deep expertise in technology consulting and enterprise sales, he helps businesses identify the right digital transformation strategies - from mobile and AI solutions to cloud-native platforms. He writes about technology adoption, business growth, and building software partnerships that deliver real ROI.
Frequently Asked Questions
- IEC 62304 is the international standard defining software development lifecycle requirements for medical device software. It is required by the FDA as part of the Quality System Regulation (21 CFR Part 820) and by EU MDR for CE marking. The standard defines three safety classes (A, B, C) based on potential harm from software failure, with Class C requiring the most rigorous documentation, testing, and change control processes.
- FDA classifies SaMD using two dimensions: the significance of the information provided (inform clinical management, drive clinical management, treat or diagnose) and the healthcare situation/condition (critical, serious, non-serious). Higher significance + more critical condition = higher risk class. A diagnostic AI that recommends cancer treatment (high significance + critical condition) is Class III. A wellness app that tracks general fitness (inform + non-serious) may be Class I exempt from 510(k).
- FDA 510(k) clearance for SaMD costs: FDA user fee $21,760–$26,585 (2026 rates, small business rates available), regulatory consultant fees $50,000–$150,000, clinical validation studies $50,000–$500,000 depending on scope, quality management system implementation $30,000–$80,000, and total timeline 6–18 months. Total 510(k) budget: $150,000–$500,000 depending on device complexity and required clinical evidence.
Stay Ahead
Get engineering insights in your inbox
Practical guides on software development, AI, and cloud. No fluff — published when it's worth your time.
Ready to Start Your Project?
Let Ortem Technologies help you build innovative software solutions for your business.
You Might Also Like
Healthcare App Development Cost in 2026: What You Will Actually Pay
Healthcare Software Development Company: What to Look For in 2026
