IMDRF Primer: Understanding the International Foundation of SaMD Regulation

[What Is IMDRF?]

The International Medical Device Regulators Forum (IMDRF) is a voluntary group of medical device regulators from around the world that works to accelerate international regulatory harmonization. Established in 2011, the management committee comprises twelve regulatory authorities: Japan (MHLW/PMDA), the United States (FDA), the European Union (EC), Canada (Health Canada), Australia (TGA), the United Kingdom (MHRA), Brazil (ANVISA), China (NMPA), Russia, Singapore (HSA), South Korea (MFDS), and Switzerland (Swissmedic, joined 2025).

Why IMDRF matters for QA/RA professionals: IMDRF guidance documents sit upstream of national regulations and submission requirements. When you trace the rationale behind a premarket submission requirement — whether from FDA, PMDA, or the European Commission — you frequently find an IMDRF document at the source.

[From GHTF to IMDRF]

IMDRF succeeded the Global Harmonization Task Force (GHTF), which operated from 1993 onward as a joint forum of regulators and industry. By the late 2000s, the need for a regulator-only decision-making body became apparent. IMDRF was formally established in 2011, inheriting the GHTF work products on QMS, post-market surveillance, and device classification.

[Key SaMD Guidance Documents]

The IMDRF SaMD Working Group has produced four foundational documents that underpin SaMD regulation globally.

■ SaMD: Key Definitions (IMDRF/SaMD WG/N10FINAL:2013)
Establishes the international definition of Software as a Medical Device. This definition is directly reflected in FDA's Software as a Medical Device guidance and Japan's MHLW guidance on software device applicability.

■ SaMD: Possible Framework for Risk Categorization (N12FINAL:2014)
A two-axis framework classifying SaMD into four categories (I-IV) based on the significance of the information provided and the healthcare situation.

■ SaMD: Application of Quality Management System (N23FINAL:2015)
Maps ISO 13485 QMS requirements to SaMD-specific lifecycle considerations, including continuous deployment and cloud-based delivery models.

■ SaMD: Clinical Evaluation (N41FINAL:2017)
Structures clinical evaluation around three elements: valid clinical association, analytical validation, and clinical performance.

[Cybersecurity Guidance]

IMDRF's Cybersecurity Working Group documents serve as the common conceptual basis for FDA's 2023 final cybersecurity guidance, EU MDCG 2019-16, and Japan's cybersecurity-related notifications.

■ Principles and Practices for Medical Device Cybersecurity (IMDRF/CYBER WG/N60FINAL:2020)
Defines principles for integrating cybersecurity across design, development, and post-market maintenance. The SBOM requirement and CVD policy concepts in FDA's current guidance trace to this document.

■ Coordinated Vulnerability Disclosure (CVD)
Defines the roles and processes for reporting, receiving, and disclosing vulnerabilities — the framework behind FDA's requirement to include a CVD policy in premarket submissions.

[Practical Notes for Submissions]

- When citing IMDRF documents in a regulatory submission, use the official document number in the format: IMDRF/SaMD WG/N10FINAL:2013.
- All IMDRF guidance is freely available at www.imdrf.org and linked directly from the MSC Regulatory Watch database.
- In February 2024, IMDRF released a draft guidance expanding scope from SaMD to include Software in a Medical Device (SiMD), mobile apps, and cloud-deployed software.

[Mapping to National Regulations]

IMDRF N10 (Definitions) -> FDA "Software as a Medical Device" guidance; MHLW Notification 0323 No.1 (2023)
IMDRF N12 (Risk Categorization) -> PMDA classification review; FDA risk-based SaMD framework
IMDRF N23 (QMS) -> ISO 13485 + national QMS regulations
IMDRF N41 (Clinical Evaluation) -> PMDA premarket submission performance evaluation data
IMDRF N60 (Cybersecurity) -> FDA 2023 Final Cyber Guidance; EU MDCG 2019-16; Japan cyber notifications

This editorial is MSC's analysis of publicly available regulatory information. Always verify regulatory decisions against primary sources.