CE Mark Process for SaMD: Your Comprehensive Guide

European Union Medical Device Regulation (EU MDR) broadened the scope for SaMD compared to the old Medical Device Directive (MDD). Many software products previously considered low risk are now moderate or high risk under MDR. Moreover, as per EU MDR, SaMD is treated as a medical device in its own right. Thus, SaMD requires CE marking, compliance with General Safety and Performance Requirements, and conformity assessment. In this blog, we will detail the CE mark process for SaMD.

What is SaMD under EU MDR?

Under EU MDR, Software as a Medical Device (SaMD) is defined as standalone software with a direct medical purpose, such as diagnosis, prevention, monitoring, or treatment, without being part of or driving a hardware device. It is regulated under EU MDR 2017/745, Annex VIII, Rule 11, which applies a risk-based classification system. If the software merely controls or drives a device, it is not a SaMD but part of the device. Therefore, SaMD is a software intended for one or more medical purposes that performs these functions independent of a hardware.

Examples of SaMD

• Diagnostic software: AI tools analyzing medical images for cancer detection; mobile apps that interpret ECG signals.
• Therapeutic software: Apps delivering cognitive behavioral therapy (CBT); software guiding insulin dosing recommendations.
• Monitoring software: Apps tracking chronic conditions like diabetes or heart disease; remote patient monitoring platforms for vital signs.
• Clinical decision support: Algorithms suggesting treatment plans; disease risk calculators and personalized medicine tools.

Key compliance requirements under EU MDR for SaMD

• EU MDR Rule 11 classification: EU MDR Rule 11 classification is applicable to SaMD.
• Quality management system (QMS): ISO 13485 compliance is required for Class IIa and above SaMDs.
• Technical documentation: Annex II and III files cover risk management, validation, usability, cybersecurity, and clinical evaluation. These will be required as part of technical documentation.
• Notified body involvement: Notified body will be required for Class IIa, IIb, III SaMDs.
• CE marking: As per EU MDR guidelines, SaMDs mandatorily require CE marking.
• Post-market surveillance: Continuous monitoring and reporting of performance and safety is necessary for SaMD.

EU MDR Rule 11 classification for SaMD

To understand the CE mark process for SaMD, it is important to understand the EU MDR Rule 11 classification for SaMD. We have provided an overview of EU MDR Rule 11 classification for SaMD.

• Class I: Applies only to software with minimal impact, such as simple image viewers or administrative tools. These are low-risk and do not require notified body involvement. CE marking is possible through self-certification.
• Class IIa: Software that provides information used for diagnostic or therapeutic decisions, where failure poses low risk. Examples include monitoring apps for non-critical conditions. Requires notified body review of technical documentation and QMS.
• Class IIb: Software where incorrect output could cause serious deterioration of health or require surgical intervention. Examples include diagnostic tools for cancer or cardiovascular disease. Stronger notified body oversight and stricter conformity assessment are mandatory.
• Class III: Software where failure could result in death or irreversible deterioration of health. Examples include software controlling active implantable devices or critical life-support systems. Requires the highest level of regulatory scrutiny and notified body involvement.

Requirements for CE mark process for SaMD

We have highlighted the requirements you need to fulfil for the CE mark process for SaMD.

• Clinical evaluation and evidence: Manufacturers must provide clinical evidence showing that the SaMD achieves its intended medical purpose safely and effectively. This may include performance studies, literature reviews, or real-world data. Continuous updates to clinical evaluation are required as part of post-market surveillance.
• EU MDR Rule 11 classification: SaMD must be classified under EU MDR Rule 11, which specifically addresses software intended for medical purposes. Depending on its intended use and risk, SaMD can be classified into Class I, IIa, IIb, or III. Higher-risk classifications require stricter conformity assessments and notified body involvement.
• Notified body (NB) assessment: For SaMD classified as Class IIa, IIb, or III, a notified body must review and approve the conformity assessment. The NB evaluates technical documentation, QMS compliance, and clinical evidence to ensure regulatory requirements are met. Their approval is mandatory before the CE mark can be affixed.
• Quality management system (QMS): Manufacturers must implement a QMS compliant with ISO 13485 to ensure consistent design, development, and maintenance of the SaMD. Additionally, this system covers processes, such as risk management, design controls, and corrective actions. For Class IIa and above, notified bodies will audit the QMS before CE marking.
• Technical documentation: Comprehensive technical documentation is required. This covers risk analysis, clinical evaluation, usability, cybersecurity, and validation evidence. Moreover, the documentation must demonstrate that the SaMD meets safety and performance requirements.
• Post-market surveillance and vigilance: CE-marked SaMD must have a robust system for monitoring performance and safety once the product is placed in the market. Manufacturers must collect, analyze, and report adverse events or performance issues. This ensures ongoing compliance and patient safety throughout the product lifecycle.

CE mark process for SaMD

We have detailed the CE mark process for SaMD.

1. Define medical purpose and EU MDR risk class

The first step is to clearly define the medical purpose of the software, such as diagnosis, monitoring, treatment, or prevention. Based on this intended use, apply EU MDR Rule 11 to classify the SaMD into Class I, IIa, IIb, or III. Correct classification is critical because it determines the conformity assessment route and regulatory requirements. Misclassification can lead to audit findings, delays, or rejection by notified bodies.

2. Implement a robust QMS framework

For Class IIa and above, manufacturers must implement a QMS aligned with ISO 13485. The QMS should cover design, development, risk management, validation, and post-market surveillance processes. It ensures consistent compliance and provides a framework for corrective and preventive actions. Notified bodies will audit the QMS as part of the CE mark process.

3. Compile comprehensive technical evidence

Manufacturers must compile technical documentation. This includes device description, intended use, risk management file (ISO 14971), clinical evaluation, usability engineering, cybersecurity controls, and validation evidence. The documentation must demonstrate compliance with General Safety and Performance Requirements. It also serves as the primary evidence reviewed by notified bodies.

4. Designate an EU authorized representative

Non-EU manufacturers must appoint an authorized representative under Article 11 MDR. This representative acts as the legal contact point within the EU for regulatory authorities and notified bodies. They are responsible for ensuring compliance and handling regulatory communications. Without this appointment, CE marking cannot proceed for non-EU companies.

5. Register manufacturer and device in EUDAMED

Manufacturers must register both the company and device in the European Database on Medical Devices (EUDAMED). This step ensures transparency, traceability, and regulatory oversight. Registration includes assigning a Single Registration Number (SRN) to the manufacturer. It is mandatory before placing the SaMD on the EU market.

6. Undergo conformity assessment and notified body review  

For Class I devices, manufacturers can self-declare conformity and affix the CE mark. For Class IIa, IIb, and III, notified body involvement is required to review technical documentation and audit the QMS. The notified body ensures that the SaMD meets all EU MDR requirements. Their approval is mandatory before CE marking can be granted.

7. Affix CE mark and ensure visibility

Once conformity is established, the CE mark is affixed to the software. The CE mark demonstrates compliance with EU MDR and allows the SaMD to be marketed in the EU. It must be visible on packaging, labeling, and digital interfaces where applicable. Notably, affixing the CE mark without proper approval is a regulatory violation.

8. Maintain vigilant post-market oversight

Manufacturers must continuously monitor the performance and safety of the SaMD after market entry. This includes collecting adverse event data, reporting serious incidents, and implementing corrective actions. For Class IIa and above, periodic safety update reports (PSUR) are required. Post-market surveillance ensures ongoing compliance and patient safety throughout the lifecycle.

In this blog, we have detailed the CE mark process for SaMD. We provide comprehensive CE mark support service to help you easily secure the CE mark your SaMD. Drop an email at [email protected] or call/Whatsapp on 9996859227 to hire our CE mark experts.