The FDA’s expectations for SaMD (Software as a Medical Device) submissions have moved decisively toward a total product life cycle (TPLC) approach that emphasizes transparent device description, rigorous risk and performance characterization, comprehensive data management and bias mitigation plans, human factors evidence, and post-market monitoring and change control, especially for AI/ML-enabled SaMD. Sponsors must show how they manage model training, validation, clinical performance (including human-device team performance), cybersecurity, labeling, and intended use, and how they will monitor and control modifications across the device lifecycle. Practical action items for life-science and pharma manufacturing teams include early regulatory planning, data strategy alignment, robust risk/performance documentation, validation protocols that include real-world and human-in-the-loop testing, and a clearly defined post-market surveillance and change management plan to satisfy FDA reviewers and speed market access.
What’s Driving the Shift in SaMD Regulatory Scrutiny?
Software now drives diagnosis, triage, therapy planning, and device ecosystems. Regulatory expectations are catching up. The FDA has recently (January 2025) published draft recommendations that are specifically targeted at AI-enabled device software functions and how to present lifecycle and marketing submission evidence. These recommendations build on prior FDA guidance about premarket submissions for device software functions and on international SaMD workstreams, and they reflect practical expectations reviewers will apply when assessing safety and effectiveness across the full product lifecycle. For organizations in life sciences and pharma manufacturing who either partner with digital health vendors or are developing SaMD, understanding and operationalizing these expectations reduces regulatory friction, shortens review cycles, and mitigates patient safety and commercial risk.
What the FDA now expects: a high-level summary
The modern FDA review is centered on five interlocking expectations:
(1) clear device description and intended use
(2) rigorous clinical and performance validation (including human-device team performance where appropriate)
(3) robust data governance and training/validation datasets with bias assessment
(4) cybersecurity, labeling, and human factors, and
(5) documented lifecycle management and post-market controls for modifications.
For AI/ML-enabled SaMD, the emphasis on lifecycle (how models are updated and monitored) is particularly strong. These expectations aim to move away from a one-time snapshot review to a sustained assurance posture that covers both premarket evidence and postmarket evidence generation and controls.
Key submission elements the FDA wants explained (and how to prepare them)
Device description and intended use: FDA reviewers will look for an explicit, unambiguous description of what the SaMD does, the clinical problem it addresses, the clinical context of use, and the intended user (clinician, patient, technician). This description must tie directly to the claim statements and to the validation and labeling you include in the submission. Practical step: draft a one-page “intended use trace” that maps claims → capabilities → user interactions → validation evidence.
Risk and hazard analysis: SaMD submissions must include a structured risk analysis (hazard identification, severity and probability assessment, mitigation controls). For software, this includes software-specific risks such as algorithmic errors, data drift, interoperability failures, automation complacency, and failure modes from incorrect inputs. Use a risk register aligned with the Quality System Regulation (QSR) expectations (design controls, CAPA, nonconforming product procedures). This register should be granular enough that each risk maps to test cases and mitigation evidence.
Performance evidence and clinical validation: The FDA’s draft guidance highlights that performance testing should be appropriate to the device’s risk and purpose, and may need to include human-device team performance testing, not just standalone algorithm metrics. Sponsors must provide analytic validation (does the software measure what it claims?) and clinical validation (does it improve clinical outcomes or decision-making in the intended use context?). Test sets should be statistically robust, representative, and include external/hold-out datasets. For AI/ML models, provide transparent performance metrics (sensitivity, specificity, predictive values, AUROC) plus clinically meaningful thresholds and uncertainty bounds.
Datasets, data governance, and bias assessment: Expect regulators to scrutinize training, tuning, and validation datasets. You must document dataset provenance, inclusion/exclusion criteria, labeling quality and inter-rater agreement, dataset partitioning, and rationale for any data augmentation or synthetic data usage. Importantly, the FDA expects bias assessment and mitigation strategies, demonstrating representativeness across age, sex, race/ethnicity, clinical settings, and device types where relevant. Practical step: publish a dataset passport within your submission that summarizes sample sizes, geographies, demographics, and labeling procedures.
Algorithm architecture, explainability, and transparency: Provide clear documentation of model type (e.g., classical ML vs deep neural network), inputs and outputs, pre- and post-processing steps, hyperparameter selection, and performance tradeoffs. For black-box models, include explainability or interpretability analyses (feature importance, saliency maps, counterfactuals) and how those outputs will be presented to users. The FDA is not mandating a single explainability method, but reviewers will expect sponsors to justify the approach and show how it supports safe use.
Human factors, labeling, and instructions for use: Usability testing and labeling are core submission elements. The FDA expects human factors/usability data for clinical users (and patients if relevant) that demonstrates the target user can operate the SaMD safely and effectively under realistic conditions. Labeling should clearly state intended uses, limitations, performance characteristics, and instructions for handling erroneous outputs. Do not hide known limitations; transparency reduces off-label use risk.
Cybersecurity and interoperability: Describe system architecture, data flows, encryption, authentication, patching policies, and third-party dependencies. Document how the device handles updates, data integrity checks, and what happens when connectivity is lost. For cloud-hosted SaMD, include vendor controls and SLAs. Cybersecurity evidence and threat modeling are expected parts of a modern SaMD submission.
Change control and lifecycle management (especially for AI/ML): This is where the January 2025 draft guidance adds significant detail. For AI-enabled functions, the FDA expects a lifecycle plan that explains how you will manage model changes, including planned updates, retraining triggers, performance monitoring thresholds, validation of deployed updates, and rollback plans. For models that adapt over time (self-learning or continuous learning), the agency wants a transparent process that preserves assurance of safety and effectiveness following updates, including post-market surveillance metrics and real-world performance monitoring. Document your algorithm change protocol and pre-specified acceptance criteria for new model versions.
Post-market surveillance and real-world performance monitoring: The FDA’s lifecycle view expects continuous monitoring. Define key performance indicators (KPIs) you will track (accuracy, false positive/negative rates, usage patterns, user feedback, adverse event reports), the data sources for monitoring, reporting thresholds, and corrective actions. A clear link between monitoring metrics and your change control procedures is essential.
Evidence expectations relative to device risk
The quantity and depth of evidence should be commensurate with the device’s risk classification and clinical impact. Higher-risk intended uses (e.g., diagnosis that directly guides therapy) require stronger clinical evidence (larger cohorts, prospective clinical studies), while lower-risk decision-support functions may be supported by retrospective performance datasets and robust accuracy analyses. Use IMDRF SaMD risk frameworks to justify the level of evidence you provide; international convergence on risk-based evidence is accelerating, and FDA reviewers will compare your approach to these frameworks.
Regulatory pathways and emerging expectations for AI/ML
Most AI/ML SaMD products have historically used the 510(k) pathway where predicate-based substantial equivalence applies. But for novel functions or higher risk classes, De Novo or PMA pathways may apply. The submission route shapes expectations: a PMA will require rigorous clinical evidence and possibly randomized studies. For adaptive AI models, the FDA’s guidance clarifies how lifecycle documentation and post-market controls can support regulatory decisions irrespective of the pathway. Also, demonstrate alignment with relevant FDA guidances (e.g., premarket submissions for device software functions, cybersecurity, human factors).
Data and statistics: what the reviewers are seeing now
Regulatory reviewers are seeing rapidly increasing volumes of AI-enabled SaMD submissions. Published analyses of the FDA’s public device lists indicate hundreds to thousands of AI/ML-enabled devices were listed by mid-2024 and into 2025, with growth across specialties such as radiology, cardiology, and neurology; the rapid growth is a key driver of the FDA’s lifecycle focus. This growth means reviewers are more experienced but also more exacting about dataset quality, bias mitigation, and lifecycle controls. Provide clear statistics in your submission (sample sizes, prevalence, confidence intervals) and avoid small datasets unless justified.
Adoption trend (FDA AI device approvals by year)
2019: 80
2020: 114
2021: 130
2022: 162
2023: 226
2024: 235
2025 (to mid-year): 148
Note: these counts come from aggregated device lists and literature reviews and illustrate exponential adoption; cite the FDA device listings and peer-reviewed summaries for exact counts in your submission.
How pharma manufacturing and life-science leaders should operationalize these expectations
- Start regulatory strategy at concept: Include regulatory reviewers early in project governance. Map intended use, clinical context, and likely regulatory pathway in the project charter and maintain traceability from claims to test evidence.
- Build a defensible data strategy: Treat data as a regulated material. Invest in curated, labeled data repositories with audit trails, versioning, and data passport documentation. Ensure demographic coverage and anticipate bias mitigation strategies before model training. Document data lineage and governance.
- Quality systems and documentation: Integrate SaMD development into QMS workflows (design controls, supplier management, CAPA, change control). Provide reviewers with traceable evidence that design outputs map to design inputs, verification and validation plans were followed, and CAPA processes are in place for real-world findings.
- Robust validation: Use multi-center, multi-device external validation when possible. For AI models, provide pre-specified statistical plans, threshold justification, and clinically oriented endpoints. Include human-in-the-loop performance tests where device output influences clinician behavior.
- Packaging explainability for reviewers: Provide reproducible descriptions of model architecture and training pipelines, plus summary explainability outputs that demonstrate consistent, clinically rational behavior. Include code or pseudo-code for reviewers if possible (with IP protective measures) and provide a clearly annotated model performance report.
- Lifecycle management playbook: Create and include an Algorithm Change Protocol (ACP) in your submission that documents how you will evaluate, validate, and deploy updates, including thresholds for retraining and rollbacks. Align ACP to post-market KPIs and monitoring dashboards.
- Post-market monitoring and governance: Deploy monitoring systems that capture statistical performance drift, usage patterns, adverse events, and user feedback. Establish governance committees that meet regularly to review metrics, approve updates, and trigger CAPA where needed.
- Interoperability and cybersecurity: Create architecture diagrams, data flow maps, and risk mitigations for every external dependency. Include evidence of penetration testing and vulnerability management programs.
Common pitfalls that slow reviewers and how to avoid them
• Weak dataset documentation: address by providing a dataset passport and labeling QC metrics.
• Overreliance on single-center retrospective datasets: address by planning for external validation or prospective studies.
• Lack of transparency about model changes: address with a clear ACP and versioning policy.
• Inadequate human factors testing: address with scenario-based usability tests showing safe use.
• Poor cybersecurity documentation: address with threat modeling and vulnerability remediation evidence.
International alignment: IMDRF and global reviewers
International Medical Device Regulators Forum (IMDRF) SaMD work continues to inform convergent expectations for risk characterization, device descriptions, and evidence levels. Using IMDRF conceptual frameworks in your submissions helps with global filings and harmonizes evidentiary arguments across jurisdictions. The IMDRF 2024–2025 documents emphasize device and software risk characterization and encourage a TPLC approach similar to the FDA’s guidance, which supports global submission strategies.
Practical checklist for a submission package
• Executive summary with intended use and claim traceability
• Device description and architecture diagrams
• Risk analysis and mitigation mapping for tests
• Dataset passport (training/validation/test) with demographics and labeling QC
• Analytic and clinical validation reports (including human-device team testing)
• Human factors/usability study report
• Cybersecurity assessment and mitigation plan
• Algorithm Change Protocol and lifecycle management plan
• Post-market surveillance plan and KPIs
• Labeling, instructions for use, and user training materials
• Quality System documentation references (Design History File, CAPA, supplier controls)
Case example (anonymized)
A medium-sized manufacturer partnered with a vendor to develop an AI-enabled image triage SaMD. They mapped claims to use cases, created a dataset passport with 40,000 annotated images from five sites, ran external validation on two independent hospital datasets, performed human-device team simulations showing improved triage accuracy, and submitted an ACP describing scheduled retraining triggered by a performance drop of >3% in sensitivity. The result: a streamlined review and a conditional clearance with post-market reporting requirements. This illustrates how aligning engineering, clinical, and regulatory workstreams reduces friction.
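The retraining trigger from the case example, sketched as an added example (not code from the manufacturer, the vendor, or the FDA). It assumes ">3%" means three absolute percentage points below a baseline sensitivity of 0.92, and it uses a 95% Wilson interval so that a small-sample dip is flagged for investigation rather than treated as a confirmed breach; all names, thresholds, and counts are constructed.

```python
"""Post-market sensitivity monitor with a pre-specified retraining trigger.
Added illustration; thresholds, names and counts are constructed assumptions."""
from dataclasses import dataclass
from math import sqrt

BASELINE_SENSITIVITY = 0.92   # assumed premarket validation result
MAX_DROP = 0.03               # assumed reading of ">3%": absolute points

@dataclass(frozen=True)
class Window:
    """Confirmed-positive cases from one monitoring period."""
    label: str
    true_pos: int    # condition present, device flagged it
    false_neg: int   # condition present, device missed it

def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a binomial proportion."""
    if n <= 0:
        raise ValueError("window has no confirmed positive cases")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def evaluate(window, baseline=BASELINE_SENSITIVITY, max_drop=MAX_DROP):
    """Classify a window as OK, INVESTIGATE or RETRAIN_TRIGGER."""
    n = window.true_pos + window.false_neg
    low, high = wilson_interval(window.true_pos, n)
    sensitivity = window.true_pos / n
    drop = round(baseline - sensitivity, 9)   # avoid float noise at the boundary
    if drop <= max_drop:
        action = "OK"
    elif high < baseline:
        action = "RETRAIN_TRIGGER"   # whole interval sits below baseline
    else:
        action = "INVESTIGATE"       # breach seen, sample too small to confirm
    return {"window": window.label, "n": n,
            "sensitivity": round(sensitivity, 4),
            "ci95": (round(low, 4), round(high, 4)), "action": action}

# Constructed monitoring data, not real device results.
WINDOWS = [
    Window("2025-W01", true_pos=460, false_neg=40),
    Window("2025-W02", true_pos=17, false_neg=3),
    Window("2025-W03", true_pos=435, false_neg=65),
]

if __name__ == "__main__":
    for w in WINDOWS:
        print(evaluate(w))
```

In a QMS, the INVESTIGATE and RETRAIN_TRIGGER outcomes would feed the CAPA and change-control steps that the ACP names.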
Preparing for the reviewer’s questions: areas to anticipate
• How representative are your datasets? (Supply passport and bias analysis.)
• How will you detect and respond to model performance drift in the field? (Describe monitoring and thresholds.)
• How will human users interact with and potentially override device outputs? (Supply human factors testing.)
• What are the failure modes and mitigations? (Provide risk register and tests.)
• How will you secure patient data and device updates? (Present cybersecurity and vendor controls.)
The path forward for pharma and life-science leaders
The FDA’s evolving expectations make it clear that SaMD submissions are judged by how well manufacturers manage product safety and effectiveness across the lifecycle, not only at a single premarket moment. For pharma manufacturing and life-science leaders, this means integrating regulatory thinking, data governance, quality systems, clinical validation, and operational monitoring early into digital product development. Teams that treat data and models as regulated assets, create transparent validation packages, and present robust lifecycle controls will realize faster reviews, lower post-market surprises, and stronger commercial outcomes. The regulatory bar is rising, but it is also more predictable: the agency’s focus on lifecycle management and real-world performance provides a clear roadmap for rigorously demonstrating safety and effectiveness.
Frequently asked questions
Q1: Do I need a clinical trial to get FDA clearance for SaMD?
A1: It depends on risk and intended use. Lower-risk clinical decision support may be supported by robust retrospective validation and human factors testing; higher-risk diagnostic or therapy-directing tools generally need stronger clinical evidence, which may include prospective studies.
Q2: How much dataset diversity is enough?
A2: There is no universal threshold; reviewers expect justification that the datasets are representative for the intended use. Provide demographic breakdowns, device types, clinical settings, and external validation. Document sampling strategies and labeler quality.
Q3: Can I use synthetic data in my submission?
A3: Synthetic data can supplement training but cannot replace real-world validation. Document generation methods, limitations, and how synthetic data affects performance. Provide real-world external validation.
Q4: What should be in an Algorithm Change Protocol?
A4: Pre-specified retraining triggers, acceptance criteria for new model versions, validation procedures, rollback strategies, and post-deployment monitoring metrics. Tie the ACP to CAPA and QMS processes.
Q5: How many AI/ML devices has the FDA listed?
A5: Public device lists and literature reviews report hundreds to over a thousand AI/ML-enabled devices by 2024–2025, reflecting rapid adoption across specialties; use the FDA device list CSV to provide exact counts at submission time.
