CDSCO Issues Draft Guidance on Medical Device Software: Clarity for SaMD and SiMD Developers
INTRODUCTION
India’s digital health market has expanded rapidly, and software-driven tools now play a critical role in diagnostics, monitoring and clinical decision support. However, the regulatory treatment of such tools has often been unclear, particularly where software operates independently of hardware or relies on cloud-based functionality. To address these gaps, the Central Drugs Standard Control Organisation (CDSCO) has released its Draft Guidance Document on Medical Device Software, proposing a structured framework for regulating Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD) under the Medical Devices Rules, 2017 (MDR).
CLARITY ON WHAT QUALIFIES AS A MEDICAL DEVICE
The draft confirms that software performing a medical purpose (diagnosis, prediction, prevention, treatment or physiological monitoring) will fall within the MDR regime. Lifestyle, wellness and fitness applications remain outside the scope. The guidance formally distinguishes between SaMD, which functions independently, and SiMD, which is embedded in or integral to hardware. Importantly, the document clarifies that cloud-based and network-based medical software also qualifies as a medical device when it supports clinical functions.
RISK-BASED CLASSIFICATION FRAMEWORK
The draft introduces a risk-based classification aligned with global practice, categorising software from Class A (low risk) to Class D (highest risk) based on the severity of clinical impact if the software malfunctions. High-risk SaMD, particularly artificial intelligence/machine learning (AI/ML)-based diagnostic or decision-support tools, would face more stringent validation and oversight requirements. Licensing pathways are also clarified: Class A and B software would be licensed by State Licensing Authorities, whereas Class C and D fall under CDSCO at the central level.
LIFECYCLE EXPECTATIONS AND TECHNICAL CONTROLS
Reflecting a modern understanding of software as an evolving product, the draft requires developers to maintain comprehensive documentation across design, architecture, verification, validation, testing and release processes. A strong emphasis is placed on Quality Management Systems (QMS) and cybersecurity, recognising the interconnected nature of today’s digital medical tools. AI/ML-based systems receive additional attention, with CDSCO underscoring the need for transparent algorithm change-management protocols, including documentation of model retraining, update triggers, and mechanisms to track performance drift over time. For imported software, the draft also requires foreign manufacturers to demonstrate compliance with an equivalent QMS framework.
KEY COMPLIANCE AREAS
The draft guidance mandates a structured approach to software development and maintenance, including:
- Software development lifecycle documentation covering design, verification, validation, testing and release management;
- QMS aligned with internationally recognised standards for both domestic and imported products;
- Cybersecurity controls addressing vulnerabilities, access management, encryption and update procedures;
- Change-management protocols, particularly for AI/ML models whose behaviour may evolve post-deployment;
- Technical documentation detailing architecture, intended use, limitations and risk controls; and
- Post-market surveillance mechanisms for real-world performance monitoring, incident reporting, corrective actions and emerging cybersecurity threats.
CONCLUSION
CDSCO’s draft guidance provides long-awaited clarity for health-tech and med-tech companies by defining licensing pathways, documentation expectations and lifecycle obligations for SaMD and SiMD, including those deployed through cloud-based environments. While high-risk and AI-driven systems may encounter heightened compliance requirements, the framework ultimately enhances regulatory predictability. By strengthening risk-based oversight and post-market responsibilities, the draft signals a balanced regulatory approach, and companies would be well-advised to assess its implications early to prepare for a more structured compliance environment.
Disclaimer: The views in this article are the author's point of view. This article is not intended to substitute for legal advice. In no event shall the author be liable for any direct, indirect, special or incidental damage resulting from or arising out of or in connection with the use of this information. For any further queries or follow-up, please contact us at communication@businesslawchamber.com.