The Central Drugs Standard Control Organisation (CDSCO) has released extensive draft guidance for medical device software under the Medical Devices Rules (MDR), 2017. This move aims to harmonise India’s device-software oversight with global standards, bringing clarity to classification, licensing, documentation, and post-market surveillance.
Defining Medical Device Software

Software is a medical device if it serves a medical purpose such as diagnosis, monitoring, prevention, or treatment. The guidance distinguishes between:
- Software in a Medical Device (SiMD) – Embedded in hardware (e.g., firmware in pacemakers, software in IVD analysers).
- Software as a Medical Device (SaMD) – Stand-alone tools performing medical functions (e.g., diagnostic apps, AI-based imaging tools).
Software used only for data management or general communication isn’t classified as a medical device.
Risk-Based Classification
Software is categorised into Classes A to D based on risk:
| Category | Classification basis | Risk Level |
|---|---|---|
| SiMD | Shares same risk as parent hardware | Linked |
| SaMD | Based on significance of information & the patient’s condition | A–D |
For example, an SaMD used for diagnosis in a critical condition is Class D (High Risk).
Regulatory Pathway & Licensing

The draft includes a full regulatory flowchart from prototype to commercialisation:
| Device Class | Licensing Authority |
|---|---|
| A & B | State Licensing Authority (SLA) |
| C & D | Central Licensing Authority (CLA) |
For Investigational Medical Devices (IMD) or new IVDs, prior permission from the CLA is required before any clinical investigation (Forms MD-23, 25, 27, 29).
Quality Management & Technical Documentation
Manufacturers must maintain a QMS covering the complete software lifecycle:
- Domestic: self-declaration
- Overseas: notarized ISO 13485 certificate
The Device Master File (DMF) must include:
- Substantial Equivalence table vs predicate device
- Risk Management Report addressing cybersecurity, algorithm changes (ACP), and deployment risks
- System Architecture, SRS, SDS documents
- Standards Compliance with BIS/ISO (e.g., ISO 13485, ISO 62304)
Post-Market Surveillance & Vigilance
Because software changes through updates, post-market surveillance (PMS) is critical. Manufacturers must:
- Track adverse events, errors, and vulnerabilities
- Report SUSARs and recalls within 15 days
- Implement Field Safety Corrective Actions (FSCA), such as patches or bug fixes, swiftly.
Why It Matters
- Clarity and Harmonisation – Aligns India’s framework with EU MDR and IMDRF guidance.
- Lifecycle Oversight – Recognises software’s evolving risks.
- Higher Accountability – Formalises AI/ML algorithm change documentation.
- Market Predictability – Streamlines licensing for faster innovation while maintaining safety.
Next Steps for Manufacturers
- Classify software (SiMD / SaMD / non-medical).
- Assess gaps in QMS, documentation, and risk processes.
- Develop algorithm change protocols for AI/ML.
- Prepare DMF & PMF as per CDSCO templates.
- Strengthen PMS systems and cybersecurity vigilance.
- Submit feedback to CDSCO within 30 days (via the official Google Form).
Conclusion
India’s 2025 draft guidance marks a transformative shift—recognising that medical software is as critical as hardware. By aligning with ISO 62304, risk-based classification, and AI-focused vigilance, CDSCO sets the foundation for a safer, globally harmonised MedTech ecosystem.
Companies that adapt early will enjoy smoother approvals, stronger trust, and a competitive edge in the Indian market.






