Software in Medical Devices, by MD101 Consulting

To content | To menu | To search

New FDA Draft Guidance on MDDS

The FDA released on june 20th 2014 a new draft guidance about:

  • Medical Devices Data Systems (MDDS) subject to 21 CFR 880.6310,
  • Medical image storage devices subject to 21 CFR 892.2010, and
  • Medical image communications devices subject to 21 CFR 892.2020.

Link to FDA MDDS draft guidance: EDIT - draft guidance superseded by final guidance, see this post

Scope of the draft guidance

The scope of the draft is Health IT systems and Picture Archiving and Communication Systems (PACS). But only the server side.

Some Picture Archiving and Communication Systems (PACS) are in the scope of this draft guidance: those that are PACS servers for storing and communicating images, without any other purpose, and are of class I.
The scope of this draft guidance is not PACS Viewers (classification 21 CFR 892.2050) which are of class II, and are subject to 510k procedure.

This draft guidance excludes also IT systems that are in the scope of 21.CFR 892.9 and 21.CFR.880.9, namely those with functions riskier that data storage and communication, like active patient monitoring.

The new rule

This draft guidance establishes a new rule:

The FDA does not intend to enforce compliance with the regulatory controls, including registration and listing, premarket review, postmarket reporting and quality system regulation for manufacturers of these types of devices.

This draft guidance brings more problems that it withdraws, in its current state:

  • This is a preliminary version. It could change in the coming months: either simply withdrawn, or heavily modified,
  • In the meantime, manufacturers shall continue to be compliant with FDA rules for class I systems, without knowing what will be the status of such systems in a few months,
  • Only requirements about registration and listing, premarket review, postmarket reporting, and QSR, are mentioned,
  • Other requirements like labelling, Medical Device Recall and some others are not mentioned. We don't know what FDA position is about those ones.

Big change

However, if the final version of this guidance confirms the position of the FDA, this will be a welcomed relaxation of the US regulations about Health IT systems!
Imagine that you can design Health IT systems without QSR controls!

FDA position and EU position

Another way to see this new position of FDA is to compare it with EU regulations about Health IT.
FDA position converges gradually towards EU position. According to MEDDEV 2.1/6 EU guidance about standalone software, Health IT systems are not medical devices.

Regulatory strategy and software architecture

We have here the case where regulatory strategy can have an impact on software architecture.
It could become interesting to split IT systems in two or three tiers (or as many tiers as you need), like:

  • Client
  • Risky services server, like diagnosis aid,
  • Other services server, like communication,
  • Storage server, like RDMBS.

Controversial thoughts

This draft guidance is published after the final guidance about mobile medical apps. This draft guidance also edits the mobile medical apps guidance, by changing the examples given for mobile medical apps.
If you have a look at FDA public calendar in december 9-13 2013 and in december 16-20 2013, you'll notice that official of Apple and Google met FDA officials. The subject of FDA-Apple meeting is clearly mobile medical apps.
My controversial thought is: Apple and Google are putting the pressure on the FDA, in order to offer cloud storage services for health data, like quantify-self data, without being subject to FDA general or special controls.

Don't take what I write for granted!


And thanks to Elsmar Cove forum. That was the first website to publish something about this:
EDIT: elsmar cove forums is dead, see RIP elsmar cove.


1. On Wednesday, 14 March 2018, 17:28 by Hans

Hello Mitch,

On their website about MDDS the FDA currently says:

"Risks associated with MDDS include the potential for inaccurate, incomplete, or untimely data transfer, storage, conversion, or display of medical device data. In some cases, this can lead to incorrect patient diagnosis or treatment. Based on evaluation of these risks, the FDA has determined that general controls such as the Quality System Regulation (21 CFR part 820), will provide a reasonable assurance of safety and effectiveness. Therefore, special controls and premarket approval are not necessary."

Does this mean that IEC 62304 classification of all MDDS software will automatically be Class A (since MDDS is low risk), or is there still a chance it could be class B or C (e.g. if misdiagnosis can lead to injury or death)?

It seems like it would be too burdensome to use class B or C process controls for software that the FDA says does not require premarket approval, but I could be wrong.


2. On Monday, 26 March 2018, 16:11 by Mitch

Hi Hans,

The regulatory classification is decorrelated from the IEC 62304 safety class. It's highly probable that low risk devices are in class A but not 100% sure. There is still a tiny chance to have class B or C for MDDS. To my mind, this is more theoretical than practical.


Add a comment

Comments can be formatted using a simple wiki syntax.

This post's comments feed