SaMD or SiMD? And what does EU MDR Rule 11 say?
Four questions to determine your software's classification under IMDRF and EU MDR Rule 11 - plus the cybersecurity evidence each path requires.
Reviewed by
Christian Espinosa
Founder & CEO, Blue Goat Cyber
Is the software embedded in a hardware medical device (firmware, integral controller)?
What does the software primarily do? (IMDRF significance to medical decision)
Severity of the healthcare situation or condition
Is any part of the software hosted in the cloud or accessible over a network?
What you'll see after you submit
Your four answers become a class meter and an evidence checklist
- ClassMeter infographic: Class I → IIa → IIb → III bar with your Rule 11 placement highlighted.
- SaMD vs SiMD reasoning card, written so a Notified Body reviewer would accept it as the rationale paragraph.
- Cybersecurity evidence list (SBOM, threat model, pen test, IEC 82304-1 / 62304, MDCG 2019-16) auto-tailored to your answers.
- Printable one-pager you can attach to your design-input rationale and risk file.
Common misconceptions
What teams usually get wrong
- Myth: If our software is mobile-only, it must be SaMD.
  Reality: Form factor doesn't decide it. A mobile app that's the user interface for a hardware device's firmware can still be SiMD - what matters is whether the software is integral to a regulated hardware device.
- Myth: Rule 11 only escalates closed-loop control software.
  Reality: Rule 11 also pushes 'inform → diagnose / monitor' upward whenever the healthcare situation is serious or critical. Most clinical decision support lands in IIa or IIb, not Class I.
- Myth: Class I SaMD means no Notified Body involvement.
  Reality: Only Class I non-sterile, non-measuring, non-reusable surgical software self-certifies. The moment Rule 11 pushes you to IIa or higher, a Notified Body is required for the CE mark.
- Myth: Cloud hosting doesn't change the classification.
  Reality: Classification stays the same, but cloud-hosted SaMD triggers extra MDCG 2019-16 evidence (operating-environment specification, shared-responsibility matrix, cloud pen test) that local-only SaMD avoids.
References & further reading
Primary sources behind this tool
- MDR 2017/745 Annex VIII - Classification Rules (Rule 11) - European Commission
- MDCG 2019-11 - Qualification and Classification of Software - MDCG
- MDCG 2019-16 Rev.1 - Guidance on Cybersecurity for Medical Devices - MDCG
- IEC 82304-1:2016 / IEC 62304:2006+A1:2015 - Health software product safety & lifecycle - IEC
- IMDRF/SaMD WG/N12 - Possible Framework for Risk Categorization - IMDRF
Pair this with the long-form guidance:
- SaMD cybersecurity requirements - FDA Section 524B, IEC 82304-1 and EU MDR Rule 11 in one guide.
- SaMD vs SiMD cybersecurity - side-by-side comparison of cyber obligations for each path.
- EU MDR premarket cybersecurity - Notified-Body-ready cyber evidence aligned to MDCG 2019-16.
- More tools - PCCP, 524B checker, SBOM readiness.