India's healthcare sector is rapidly moving toward digital innovation, where medical device software plays a vital role in improving patient safety and diagnosis. As technology merges with healthcare, the need for clear rules and compliance becomes essential.

To support this, the Central Drugs Standard Control Organisation (CDSCO) has released a draft guidance document for manufacturers and importers of medical device software. This draft aims to clarify the regulatory expectations under the Medical Device Rules, 2017 (MDR-2017). It explains the process for licensing, clinical evaluation, and post-market vigilance. The document also ensures that every software-based medical device used in India meets safety, quality, and performance standards before reaching the market.

Overview of the Draft Guidance Document

The draft guidance document on medical device software provides a clear framework for ensuring safe design, development, and use of digital health technologies in India. Issued by the Central Drugs Standard Control Organisation (CDSCO), it aims to guide manufacturers, importers, and stakeholders in complying with the Medical Device Rules, 2017 (MDR-2017).

The document outlines key principles for risk management, the software lifecycle, quality assurance, and post-market surveillance. It covers various types of medical device software, including standalone systems and software used with medical equipment. The guidance also highlights international standards such as ISO 13485, ISO 14971, and IEC 62304, promoting global alignment. By establishing clear regulatory expectations, the draft helps ensure that every software-based medical device marketed in India maintains high safety, accuracy, and performance standards for improved healthcare outcomes.

Purpose and Scope of the Guidance

The CDSCO Draft Guidance on Medical Device Software under MDR 2017 explains the main aim and the coverage of the rules governing software used in healthcare. The purpose of this guidance is to ensure that every Software as a Medical Device (SaMD) or Software in a Medical Device (SiMD) works safely and meets all quality standards.

• It helps manufacturers and importers follow clear steps for approval, testing, and documentation as per the medical device software regulation. The scope of this guidance covers all types of software that perform medical functions, such as diagnosing, monitoring, or treating health conditions. The main points are:
• Applies to all medical device software made or imported in India.
• Covers both standalone and embedded medical software.
• Explains responsibilities for safety, validation, and compliance.
• Supports better control, traceability, and post-market surveillance.
• Ensures full alignment with MDR 2017 and CDSCO guidance standards.

Types of Medical Device Software

The CDSCO Draft Guidance under MDR 2017 categorises medical device software into various types based on its functionality and intended use. Each type plays a special role in healthcare and must meet safety and quality rules before use. This helps doctors, hospitals, and patients trust that every system works as intended and gives correct results.

1. Software in a Medical Device (SiMD)

Software in a Medical Device, also known as SiMD, is a program built directly into medical equipment to help it function properly. It controls or manages the machine's functions and ensures that it gives accurate results during medical use. Examples include software in infusion pumps that control medicine flow or programs inside imaging machines that manage scanning operations. This type of software cannot function alone and always depends on the hardware it supports

2. Software as a Medical Device (SaMD)

Software as a Medical Device (SaMD) operates independently, not as part of any physical medical tool. It can be installed on computers, tablets, or phones to perform medical functions, such as diagnosing or monitoring health. Examples include mobile apps that monitor heart rate or AI tools that analyze medical images. SaMD plays an important role in modern digital healthcare by offering quick, accessible, and reliable support to doctors and patients.

Risk-Based Classification of Medical Device Software

The Medical Device Rules (MDR) 2017 classify all medical devices, including Medical Device Software (MDSW), based on potential risk to patients. This ensures that higher-risk software faces stronger regulatory checks. The system applies equally to both Software in a Medical Device (SiMD) and Software as a Medical Device (SaMD).

Classification Categories

Software controlling hardware takes the same class as the device. Standalone software is classified independently.

Key Factors

• Significance of Information: Software used for diagnosis or treatment carries a higher risk (Class C/D), while supportive tools are lower risk (Class A/B).
• Healthcare Condition: Software for critical diseases like cancer or heart issues is Class D; for less severe use, Class A/B.
• CDSCO confirms the final class and updates it regularly to ensure patient safety under MDR 2017.

Applicable Standards for Medical Device Software

All medical device software must follow the standards set by the Bureau of Indian Standards (BIS) or those notified by the Ministry of Health and Family Welfare. If unavailable, devices must comply with ISO, IEC, or validated manufacturer standards, ensuring safety and performance. The following standards may apply to all medical device software:

1. IS/ISO 13485 standard (Medical Devices—Quality Management Systems— Requirements for Regulatory Purposes)
2. IS/ISO 14971 Medical devices — Application of risk management to medical devices.
3. IEC/TR 80002-1 Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software.
4. IS/ISO/TR 80002-2 Medical Device Software Part 2 Validation of Software for Medical Device Quality Systems.
5. IS/IEC/TR 80002-3 Medical device software Part 3: Process reference model of medical device software life cycle processes.
6. IS 16124 Systems and Software Engineering - Software Life Cycle Processes.
7. IS/ISO/IEC 62304 Medical device software – Software life cycle processes.
8. IS/IEC 82304-1 Health software: Part 1 general requirements for product safety.
9. IEC 81001-5-1 adds requirements about cybersecurity.
10. IEC 62366-1 adds requirements about man-machine interface ergonomics.
11. IS 16458/ISO/IEC 16085 — Systems and Software Engineering — Life Cycle Processes — Risk Management
12. IS/ISO/IEC 23894 — Information Technology — Artificial Intelligence — Guidance on Risk Management
13. IS/ISO/IEC 42001 — Information technology — Artificial intelligence — Management system
14. IS/ISO/IEEE 11073 Health Informatics - Point-of-Care Medical Device Communication
15. ISO 24291 — Health informatics — Applications of machine learning technologies in imaging and other medical applications

Quality Management System (QMS) Requirements for Medical Device Software

The requirements of QMS for medical device software are:

1. Every manufacturer of medical device software must set up a Quality Management System (QMS) that covers the entire software lifecycle. It includes design, development, configuration, product planning, deployment, and maintenance to ensure safety and performance.
2. Indian manufacturers must keep proper records and follow all QMS procedures that show compliance with the Fifth Schedule of MDR 2017. An undertaking confirming this compliance must be submitted while applying for a manufacturing license.
3. For imported medical device software, foreign manufacturers must make sure their production facilities meet QMS standards. They need to provide a notarized QMS certificate issued by a recognized national or regulatory authority when applying for an import license.
4. A well-maintained QMS helps control quality, reduce errors, and ensure that all software products meet the MDR 2017 regulatory requirements and CDSCO guidance for medical devices.

Licensing Authorities for Medical Device Software under MDR 2017

Under the MDR 2017, all medical device software, whether SaMD or SiMD, must have proper licenses for manufacturing, import, and sale in India. Licensing depends on the device's risk class (A-D) and is managed by two main authorities.

Key Licensing Roles

CLA (Central Licensing Authority): Managed by CDSCO, handles high-risk (Class C & D), imports, and investigational devices.
SLA (State Licensing Authority): Manages low-risk (Class A & B) manufacturing and sale within states.

Note:

• Class A non-sterile, non-measuring devices need only registration via the MD Online Portal.
• Applicants must confirm their software's classification from CDSCO before applying.
• The system ensures faster approvals, regulatory balance, and patient safety across all medical device software categories.

Documents Required for Various Licences

Here are the documents required for a Test Licence and Manufacturing/Import Licence under MDR 2017 for medical device software.

1. Documents Required for Test Licence

A test licence allows limited manufacture or import of medical device software for clinical investigation, evaluation, demonstration, or training, not for sale.

• Application in Form MD-12 (for manufacturing) or Form MD-16 (for import).
• Licence issued in Form MD-13 or MD-17, respectively.
• Online submission through the NSWS Portal with documents as per Rule 31/Rule 40 and Second Schedule of MDR 2017.
• Mention the number of copies/installations/downloads required.

2. Documents Required for Manufacturing or Import Licence

A manufacturing or import licence is essential for sale or distribution. Apply online through the MD Online Portal with fees as per the Second Schedule and documents listed in the Fourth Schedule of MDR 2017. Include:

• Legal documents such as the company constitution, tenancy/ownership proof, Site/Plant Master File, and organisation chart.
• For importers, a Power of Attorney and Wholesale/Manufacturing Licence (Form MD-42).
• Technical details like executive summary, intended use, software version, algorithms, and update management plan.
• Substantial equivalence data comparing with the predicate software for performance and safety validation.

Clinical Investigation and Clinical Performance Evaluation

Before any study involving an Investigational Medical Device (IMD) or new In Vitro Diagnostic (IVD) software begins, prior approval from the Central Licensing Authority (CLA) is mandatory.

1. Application Forms

• For Clinical Investigation:  Apply in Form MD-22, permission granted in Form MD-23.
• For Clinical Performance Evaluation:  Apply in Form MD-24, permission granted in Form MD-25.

2. Submission Mode

All applications are submitted online through the CDSCO MD Online Portal with documents and prescribed fees under Rules 51 & 59 and the Second Schedule of MDR 2017.

3. Applicability

This rule applies to all medical device software defined as IMD or new IVD that involves human participants or biological specimens.

Permission to Manufacture or Import IMD or New IVD Prior to Commercialization

Before marketing, manufacturers or importers must obtain permission to legally produce or bring investigational or new IVD software into India.

1. Permission Forms

• For IMD:  Apply in Form MD-26, permission issued in Form MD-27.
• For new IVD:  Apply in Form MD-28, permission issued in Form MD-29.

2. Submission Details

Applications must be filed online via the CDSCO MD Portal, including the required documents and fees, per the Fourth and Second Schedules of MDR 2017.

3. Clinical Data Requirement

When a clinical investigation or performance evaluation is done in India, the generated clinical data must accompany the permission application.

Essential Principles of Safety and Performance

Medical device software must meet the safety and performance standards set by the Central Drugs Standard Control Organization (CDSCO). Manufacturers are responsible for proving compliance with the Essential Principles Checklist before marketing their products.

• Software Development Standards: Developers must follow updated and recognized practices throughout the software lifecycle, including design, risk control, testing, and validation.
• Mobile Platform Considerations: When the software runs on mobile devices, factors such as screen size, internet connection, and lighting must be considered for safe use.
• System Requirements: Each software must define minimum system specifications, such as hardware, network, and cybersecurity needs, to ensure smooth and safe performance.

Risk Management for Medical Device Software

Risk management ensures that medical device software remains safe, effective, and reliable throughout its entire lifecycle. It helps identify and control risks that may impact patients, data, or system functionality.

• Key Risks in Software: Software-based devices face challenges such as cybersecurity threats, frequent updates, user errors, and data privacy issues that can affect safety.
• Compliance with Standards: Manufacturers and importers must comply with global standards such as IS/ISO 14971 (Risk Management) and IS/ISO 62304 (Software Lifecycle). Submitting a Risk Management Plan (RMP) and Risk Management Report (RMR) is mandatory.
• Process and Monitoring: A clear risk management plan should be created before release, covering development, updates, and post-market monitoring. Each change or update must be tracked for its effect on safety and performance.
• Algorithm Change Protocol (ACP): For AI or ML-based software, an ACP must explain how algorithms will be managed, updated, and monitored to prevent risks. It includes data handling, retraining, performance checks, update control, and rollback plans.
• Documentation and Continuous Review: Every risk-related decision and dataset must be recorded. Regular reviews and surveillance should continue even after launch to detect and correct new risks quickly.

Post-Market Surveillance and Vigilance

After a medical device software is approved and launched, continuous monitoring becomes essential to ensure its safety and performance. This process is called Post-Market Surveillance (PMS) and Vigilance. It helps identify new risks, software errors, or cybersecurity issues that may arise during real-world use.

• Continuous Monitoring: Manufacturers must track user feedback, complaints, and performance data to detect any issues early.
• Incident Reporting: Any serious malfunction, data breach, or safety concern must be reported to the Central Licensing Authority (CLA) within the time limits defined in MDR 2017.
• Corrective and Preventive Action (CAPA): When a risk or issue is found, the manufacturer must take timely corrective steps to fix it and prevent it from happening again.
• Periodic Safety Updates: Regular reports must be submitted to CDSCO to confirm the continued safety and effectiveness of the software.

Key Takeaways for Manufacturers and Importers

Medical device software must comply with strict safety, quality, and licensing requirements under the MDR 2017. Both manufacturers and importers hold shared responsibility for ensuring compliance at every stage, from design to post-market use.

• Establish a Quality Management System (QMS) that covers the entire software lifecycle.
• Obtain proper licenses from CLA or SLA based on the device's risk classification.
• Follow essential safety principles and maintain strong risk management practices.
• Submit accurate documentation and stay updated with CDSCO's latest guidelines.
• Implement continuous surveillance to ensure safe operation and quick action on any reported issue.

Conclusion

The CDSCO Draft Guidance on the Conduct of Medical Device Software marks a major step toward strengthening India's digital healthcare regulation. It creates a clear and structured framework for classifying, testing, licensing, and monitoring software used in medical devices under MDR 2017. By setting transparent rules, it ensures that every software, whether embedded (SiMD) or standalone (SaMD), is developed, validated, and managed with complete safety and performance assurance.

This guidance also brings Indian regulations closer to international standards, supporting innovation while protecting patient health. It encourages manufacturers and importers to maintain strong quality systems, follow risk management practices, and stay accountable even after product launch through post-market surveillance.

By focusing on transparency, safety, and compliance, CDSCO's approach builds greater trust in medical technology and digital health solutions. This move not only enhances patient confidence but also helps India emerge as a reliable hub for safe and high-quality medical device software in the global market.