What is medical device compliance?

By GCX Corporation on May 28, 2026 in Medical Computer Carts, Medical Devices, Medical Mounting Solutions, Mobile Devices

Medical device compliance is the process of adhering to legal, safety, and quality standards and practices established by regulatory bodies for the design, manufacture, marketing, servicing, and product lifecycle management of therapeutic or diagnostic devices.

The overarching goal of medical device compliance is to ensure safe, effective, and reliable medical devices for healthcare providers and to prevent unsafe devices from ever being marketed to healthcare providers or used on patients.

FDA medical device regulations

The US Food and Drug Administration (FDA) regulates medical devices under the authority of the Federal Food, Drug, and Cosmetic (FD&C) Act. The FD&C Act lays out a regulatory compliance framework that specifies:

  • A three-tiered, risk-based medical device classification system
  • Submission pathways for the approval and listing of devices in each classification, as well as exceptional unclassified devices
  • Annual registration of medical device manufacturers (called establishments) and their devices
  • Compliance with a quality management system regulation governing manufacturers’ design and production processes, corrective and preventive actions (CAPA), and record keeping
  • Postmarket medical device reporting (MDR), corrections, recalls, and surveillance

This framework is designed to regulate medical device companies and the medical device industry in a way that prioritizes patient safety while encouraging and supporting healthcare innovation. Compliance is administered primarily through the FDA’s Center for Devices and Radiological Health (CDRH).

FDA device classifications

Section 513 of the FD&C Act defines three medical device classifications based on a device’s intended use and on the level of risk it poses to patients or clinical staff in the event of malfunction or improper use. A device’s classification is the primary factor in determining the regulatory requirements for listing and marketing the device in the United States.

Class I devices (low-risk devices)

Class I devices pose minimal risk of harm or injury to patients or users. Examples of Class I devices include simple medical supplies such as bandages, tongue depressors, and certain hand-held examination and surgical tools (e.g., scalpel blades), but they can also include more complex devices, including laser surgery instruments and medical device mounting arms.

Class I devices represent roughly 35% of all medical devices marketed in the United States.

Class II devices (moderate risk devices)

Class II devices present a moderate risk and require a higher degree of regulatory control to help ensure patient and operator safety. Examples of Class II devices include:

  • Certain types of needles or tubes (e.g., catheters)
  • Sophisticated mechanical devices like ventilators, nebulizers, or fetal monitors
  • Diagnostic or test devices (such as certain scopes, MRI machines, or HIV test kits)
  • Wall arms or mobile workstations (particularly powered mobile workstations) designed to hold specialized medical devices or monitors, computer equipment, and peripherals.

Class II devices represent the largest class of listed medical devices (53%) marketed in the United States.

Class III devices (high-risk devices)

Class III devices are devices that sustain the life of the patient or pose the highest risk of serious patient injury or death as a result of device malfunction or improper use. Examples of Class III devices include:

  • Implantable mechanical or biological devices such as pacemakers, heart valves, stents, cochlear implants, and bone-grafting material
  • Critical care devices such as defibrillators, insulin infusion pumps, or intracranial pressure monitors
  • Critical test and treatment kits, such as HPV test kits and snake bite kits.

Just 9% of medical devices marketed in the United States are Class III devices.

Submission pathways

FDA regulations also specify the submission or regulatory processes, or pathways, required for listing and legally marketing a medical device.

Premarket approval

The longest and most stringent submission pathway, premarket approval (PMA), is required for all Class III devices. A PMA application must include extensive, valid scientific evidence that the device is safe and effective for patients. This evidence typically includes:

  • Complete design history and manufacturing information that demonstrates compliance with FDA quality management system (QMS) requirements throughout the product development process, as well as a detailed description of manufacturing facilities, methods, and controls in line with good manufacturing practices (GMP).
  • Non-clinical study results, including results from bench testing (mechanical and electrical tests), animal tests, software or firmware validation tests, sterilization tests, and durability and shelf-life studies.
  • Clinical testing and investigation findings, including results of testing on human subjects within and outside of the United States. Signed informed consent documents and data showing reasonable assurance of device safety and effectiveness must be included with this clinical testing data.
  • A comprehensive risk assessment that includes a thorough risk/benefit analysis, identifying all known or foreseeable risks posed by the device and documenting best practices and strategies for minimizing those risks.

A PMA application also includes a full description of the device and its intended function, as well as the intended functions of any key components and accessories; proposed compliant labeling, package inserts, user manuals, and instructions; and a Summary of Safety and Effectiveness Data (SSED), a publicly available summary of all data supporting FDA approval of the device.

The FDA premarket approval cycle typically lasts for at least 180 days, with some approvals taking a year or more.

510(k) premarket notification

510(k) premarket notification is required for most Class II devices and a small percentage of Class I devices. The main objective of a premarket notification submission is to demonstrate that the new medical device is substantially equivalent to an existing listed and legally marketed medical device (sometimes called a predicate)—a device for which safety and effectiveness have already been established.

As a result, much of the evidence required in a PMA application is not always required in a premarket notification submission. For example, in a premarket notification submission, non-clinical test results are often adequate; clinical test results are required only when necessary to demonstrate substantial equivalence.

While the vast majority of Class I devices – about 93 percent – are exempt from premarket notification, a few must undergo this submission path to be listed. Examples include Class I devices that present somewhat greater than minimal risk, such as certain handheld surgical tools or specialized in vitro diagnostic devices.

While most Class II devices require premarket notification, some, such as mercury or electronic thermometers, AC-powered hospital beds, and even some implantable medical information transmitters, are fully exempt or exempt with special conditions.

Device manufacturers can search for exempt, listed devices similar to theirs using the FDA’s Product Classification Database via the following link: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm

De Novo classification request

The De Novo classification request path began as a way for medical device manufacturers to reclassify, as Class I or Class II devices, devices that had been classified as Class III devices after failing premarket notification. Since 2012, De Novo classification has been expanded to provide a submission path for devices for which no substantially equivalent predicate exists. This process does not require submitting a premarket notification.

Humanitarian Device Exemption (HDE)

Introduced as part of the Safe Medical Devices Act of 1990, the HDE pathway is designed to encourage innovation in therapeutic devices to treat or diagnose conditions so rare that the costly clinical trials required for premarket approval would not be financially feasible for the manufacturer.

To qualify for an HDE, the device must address an as-yet-unmet treatment or diagnostic need for a condition affecting fewer than 8,000 people per year in the United States. For approval, the manufacturer must only demonstrate that the device does not pose an unreasonable risk of illness or injury and that its probable benefit outweighs that risk.

Requirements for resubmission

Compliant devices may need to be resubmitted if the device is modified or in response to an FDA demand. The requirements differ depending on the change to the device and the original submission pathway.

For example, devices submitted under 510(k) premarket notifications must be resubmitted when changed in a way that could significantly impact the device’s safety or effectiveness. This can include anything from certain changes in labeling – such as a change in medical indications for the device’s use – to mechanical or digital changes that impact the device’s performance or operation. Other changes, such as changes to labels for clarity, or changes to a manufacturing process that do not impact the device’s design, do not require a resubmission but do require a Letter to File documenting the decision-making process for not submitting.

Understanding resubmission requirements is increasingly important for medical device manufacturers, as new rapid prototyping and manufacturing technologies enable them to continually innovate their products.

Special cases: Combination devices, software, AI

Certain atypical medical devices must also be classified according to potential risk. Determining that risk, and the corresponding submission path, may be trickier.

Combination devices combine a device with a drug (or a biological product). Medicated stents, antibiotic catheters, and prefilled syringes (such as EpiPens) are familiar examples of combination devices.

The component that provides the most consequential therapeutic effect—called the primary mode of action or PMOA—determines the submission pathway. If that is the device, then the device is classified and submitted as described above. If it is the drug or biologic, the device is regulated by FDA Center for Drug Evaluation and Research (CDER) or Center for Biologics Evaluation and Research (CBER).  

Software as a medical device (SaMD) is any software intended for medical use without being part of or installed on a hardware medical device. Even within that definition, many types of software, including electronic health records (EHR) software, wellness apps and medical office software, do not require regulation.

Medical software vendors need to first classify the software based on risk (e.g., is it used for critical treatment or diagnosis, or non-critical information management?) and then submit via the appropriate path. It is worth noting that artificial intelligence (AI) solutions that change over time based on use or retraining may require periodic resubmission.

Manufacturing regulations

Quality management

As of February 2, 2026, all medical device manufacturers in the United States must comply with the FDA’s Medical Devices Quality Management System Regulation (QMSR), which governs the methods, facilities and controls used in the design, manufacture, packaging, labeling, storage and servicing of medical devices.

The QMSR effectively replaces the FDA’s 21 CFR Part 820 Quality System Regulation by 1) amending that regulation’s current good manufacturing practice (CGMP) requirements, and 2) incorporating by reference ISO 13485:2016, the most recent version of the ISO 13485 global standard for medical device manufacturers’ quality management systems (QMS). This harmonizes the FDA’s CGMP framework with the medical device regulatory frameworks utilized by other governments and regulatory authorities. 

The QMSR applies not only to manufacturers of completed medical devices, but also to manufacturers of components (such as tubing in a respirator, or parts in an X-ray machine) and third-party manufacturing partners.

Medical device reporting (MDR)

The FDA’s Medical Device Reporting regulation mandates that device manufacturers, importers and user facilities report when devices cause or contribute to adverse events. Specifically:

  • Device manufacturers must report deaths, serious injuries and malfunctions to the FDA 
  • Device importers must report deaths and serious injuries to both the FDA and the manufacturer 
  • User facilities—hospitals, outpatient treatment facilities, surgical and urgent care centers—must report deaths to the FDA and the manufacturer, and serious injuries to the manufacturer only. 

The QMSR requires that medical device manufacturers include MDR obligations, such as feedback and complaint handling and records of MDR decisions, as part of their quality management systems.

Postmarket surveillance

FDA postmarket surveillance requirements mandate the collection of data after a device enters the market, with the aim of identifying potential safety risks and performance issues so they can be addressed before they harm patients. In addition to mandatory device reporting (MDR), examples of postmarket surveillance requirements include:

  • Quality management system surveillance
  • Mandatory postmarket surveillance studies of certain Class II or Class III devices (e.g., life-sustaining outpatient devices, or devices implanted in a patient for more than one year)
  • Unique device identifiers on device labels and packaging
  • Device tracking for high-risk devices.

Corrective and Preventive Actions (CAPA)

The QMSR mandates that medical device manufacturers maintain documented processes for implementing corrective actions (actions addressing device problems that have actually occurred) and preventive actions (actions addressing potential device problems that have not yet occurred).

CAPA requirements are rigorous. Manufacturers must establish and document processes for systematically reviewing and analyzing quality data from across their quality management systems, investigating any non-conforming data, taking corrective or preventive actions, and evaluating and communicating the actions’ effectiveness. 

Not surprisingly, CAPA is one of the most closely scrutinized components of medical device regulatory submissions and is consistently among the most cited deficiencies in FDA establishment inspections. 

Compliance in the EU, other regions

The European Union (EU) and other nations have compliance frameworks of their own. They are similar to each other and to the FDA compliance framework in some notable ways. Most, for example, mandate device classification according to risk, and almost all include quality management system (QMS) standards based on ISO 13485 (with the notable exception of China).

Nevertheless, today manufacturers that intend to market a device in multiple regions must still pursue different compliance strategies for each region. 

The QMSR’s incorporation of ISO 13485 by reference is one example of an attempt to streamline multi-market medical device compliance for FDA-approved devices. In addition, the International Medical Device Regulators Forum (IMDRF), which includes regulators from the United States, the EU, the United Kingdom, Japan, Australia, Brazil, Russia, Singapore and South Korea, has developed guidance that has helped reduce some of the differences across these and other regions’ regulatory frameworks. 

The foregoing is intended to be a general summary of various regulatory schemes and is not intended to provide legal advice. Every device and manufacturer is different, so obtain legal advice specifically applicable to your circumstances. GCX does not provide legal advice or guarantee that its services or products will ensure that a client complies or will comply with any law or regulation.