Pre-production brief
| Field | Definition |
|---|---|
| Role | Health-software founder, product lead, or first RA/QA owner preparing SaMD review. |
| Scenario | A software feature may be regulated and the team needs to sort scope, CDS, cybersecurity, QMSR, and submission questions before consultant review. |
| Concrete problem | The team is jumping to pathway names before documenting the actual software function and source-backed boundaries. |
| Useful output | A SaMD review packet with function map, CDS worksheet, software evidence checklist, cybersecurity prompts, QMSR context, and open questions. |
| TrueMedDevice role | Organize current FDA public guidance and review artifacts without determining device status, pathway, CDS status, cybersecurity adequacy, or compliance. |
Start with the function, not the platform
FDA's software guidance is function-focused. A cloud platform, mobile app, dashboard, model, or integration layer does not answer the pathway question by itself.
The packet should describe the software function in plain terms: who uses it, what input it receives, what output it provides, what decision it supports, and what the user is expected to do with the output.
Map Non-Device CDS criteria carefully
FDA's current CDS guidance should be applied to the function, not to the product name. A CDS-like function must be mapped against the statutory criteria, including whether it displays, analyzes, or prints medical information; supports or provides recommendations to a health care professional; and enables independent review of the basis for the recommendation.
If the function is patient-facing, hides the basis for the recommendation, analyzes signals or patterns from medical images or devices, or drives a decision the user cannot independently review, the packet should flag unresolved review questions instead of calling it Non-Device CDS.
Cybersecurity is a submission-evidence workstream
For connected SaMD or software with cybersecurity risk, FDA's current cybersecurity guidance should be part of the evidence map. The useful question is not whether a generic security checklist exists; it is whether the submission packet can show the risk-management, SBOM, vulnerability, testing, labeling, and maintenance evidence that qualified reviewers expect to see.
Do not claim that having an SBOM, threat model, or vulnerability process makes the software acceptable. Treat each as an artifact to review.
QMSR is already in effect
For device manufacturers, QMSR is not a future issue as of this article date. FDA's QMSR page states the rule became the inspection framework on February 2, 2026, alongside the new inspection process.
For a software company, this means the pathway packet should also ask how requirements, design controls, risk management, release control, complaints, CAPA, suppliers, and cybersecurity maintenance will live inside the quality system.
What TrueMedDevice can prepare
TrueMedDevice can prepare a SaMD review packet: function map, current FDA source ledger, CDS criteria worksheet, software documentation checklist, cybersecurity evidence prompt list, QMSR context note, fee-source links, and consultant handoff questions.
Source ledger
What it can tell you
FDA's current final CDS guidance and Non-Device CDS criteria.
What it cannot decide
Whether a specific software function is Non-Device CDS or a regulated device function.
What it can tell you
FDA's policy guidance for device software functions and mobile medical applications.
What it cannot decide
Whether a specific product claim or software feature is inside or outside active FDA oversight.
What it can tell you
FDA's recommended software documentation for premarket submissions.
What it cannot decide
The final documentation sufficiency for a specific SaMD submission.
What it can tell you
FDA's current recommendations for cybersecurity documentation in premarket submissions for devices with cybersecurity risk.
What it cannot decide
Whether a specific threat model, SBOM, vulnerability process, or security test plan is sufficient.
What it can tell you
FDA's QMSR overview and effective-date context for device manufacturers.
What it cannot decide
Whether a software company's QMS is compliant.
What it can tell you
FDA's final PCCP recommendations for planned modifications to AI-enabled device software functions.
What it cannot decide
Whether a specific SaMD should include a PCCP.
What it can tell you
Current device user-fee tables for planning context.
What it cannot decide
The submission path, review timing, or small-business eligibility for a specific product.
Frequently asked questions
Does this page decide whether my software is a medical device?
No. It helps describe the software function and map current FDA guidance so qualified reviewers can evaluate the question.
What changed in the CDS discussion?
FDA's current CDS guidance is January 2026. A current packet should use that guidance rather than stale 2022-only framing.
Does cybersecurity documentation apply to every SaMD?
The article does not decide that. It helps identify when cybersecurity risk and FDA cybersecurity guidance should be part of the review packet.
Need a SaMD pathway packet before the consultant call?
TrueMedDevice can organize your software-function, CDS, cybersecurity, QMSR, source-ledger, and open pathway questions into one review packet.