
The Digital Health, or Software as a Medical Device (SaMD), industry is booming, and in this rapidly evolving domain, ineffective or slow procedures are not only inconvenient but costly. Such delays are often caused by flaws discovered late, either in the software being developed or in its documentation, during a specific phase of the Software Development Life Cycle (SDLC). The best defense is to catch them early, through structured checkpoints called quality gates, whose purpose is to spot and pre-empt problems before they grow into major ones.
Why Early Defect Detection Is Critical in SaMD Projects
Software defects, whether due to logic errors, incomplete requirements, or inconsistent documentation, are a common risk in any development process. But in SaMD, the stakes are higher. Every feature, risk control, and test result must be traceable, justified, and auditable by a Notified Body.
The deeper into the SDLC a defect is found, the more expensive and time-consuming it becomes to fix. The widely cited industry figure is that a bug found during the maintenance phase can cost 50 to 100 times more to fix than one caught during requirements gathering.
In SaMD development, defects don’t just relate to software logic; they also include:
- Missing or inconsistent risk control documentation
- Undefined or poorly defined software requirements
- Gaps in traceability matrices between risks, requirements, and verification
- Misaligned software architecture and implementation
These issues can derail entire submissions. Worse, if caught during Notified Body assessment, they can invalidate prior verification efforts, requiring manufacturers to redo significant parts of the technical file, leading to months of delay and substantial costs.
What Are SDLC Quality Gates, and Why Are They Valuable?
Quality gates are formal checkpoints built into your SDLC to assess the completeness, consistency, and correctness of software artefacts and activities before moving to the next phase.
Think of them as compliance backstops. When well executed, they:
- Reduce technical debt
- Surface documentation issues before they hold up deliverables such as a regulatory submission
- Align development teams on key milestones
- Prevent downstream rework
- Strengthen the links between requirements, risks and their controls, and verification and validation outputs
- Build trust in your product and confidence that it will clear regulatory hurdles
IEC 62304: The Foundation for Quality-Gate Integration
The IEC 62304 standard, the cornerstone of medical device software development, supports a range of SDLC models, including waterfall, V-model, and iterative (e.g., Agile-like) approaches. This flexibility allows manufacturers to adapt their processes, but it comes with a responsibility: no matter the model, all development artefacts must be consistent, traceable, and controlled.
Quality gates are particularly important before entering the software verification phase. Under IEC 62304, the software must by then be:
- Under configuration management (i.e., controlled versioning and change history)
- Assigned a software safety class (A, B or C) based on the harm a software failure could contribute to
- Documented with consistent, baselined outputs, including risk analyses, design inputs, and verification plans
This ensures that verification is based on a solid, review-ready foundation, minimizing the risk of surprises or rejections during assessment.
IEC 82304-1: Ensuring Quality in SaMD
The IEC 82304-1 standard (Health software, Part 1: General requirements for product safety) addresses the health software product as a whole, from planning, design, and development through to post-market activities. Because it focuses on health software, applying it to SaMD ensures that development follows a structured, standardized approach that supports safety and performance.
Key provisions under IEC 82304-1 include:
- Risk management processes that align with IEC 62304
- Detailed documentation for software verification and validation, with full traceability
- Controlled software updates and maintenance so that the product stays compliant over its lifetime
- Post-market surveillance and reporting of software-related incidents
This standard is an essential addition to the quality-gate framework because it covers both pre-market and post-market considerations for SaMD development.
Stages in which Quality Gates bring value
Even though quality gates can add value throughout the SDLC, they are most effective before:
- Software requirements finalization
  - Prevent requirements from being incomplete, ambiguous, or untestable.
  - Confirm that user needs, the intended use of the system and the risk control measures are consistent with one another.
- Architecture and design completion
  - Review the architecture against the assigned software safety classification (IEC 62304 class A, B or C).
  - Ensure that every identified risk control is incorporated into the design.
- Software verification initiation
  - The most critical gate.
  - Every artefact that verification will rely on, whether newly prepared or inherited, must be reconciled and baselined under configuration management.
  - After this point, any issue found enters the formal problem-resolution and change-control process, with a significant increase in the time and effort needed to resolve it.
Best practices for the quality-gate review before software verification
Preparing for the quality-gate review breaks down into three steps:
Step 1: Review Baseline Technical Documentation
Check all technical file artefacts for both completeness and internal consistency.
- Development & integration plans
- Risk analyses and controls
- Software requirements specifications
- Architecture and detailed design documents
- Verification methods and protocols
Tip: Use condensed checklists derived from IEC 62304, IEC 82304-1, and ISO/TR 80002-1 to keep the assessment structured and repeatable.
Step 2: Audit the Baseline Software Code
Ensure the implemented software:
- Matches the approved design
- Implements the assigned safety classification and every intended risk control measure
- Is consistent with the planned integration and verification activities
Tip: Use static code analysis tools and peer review to detect inconsistencies before formal testing starts.
Step 3: Conduct Informal Test Execution
Use “mock” runs of the verification tests to confirm:
- Coverage of every software requirement
- Functional performance and behavior
- Risk control effectiveness
This proactive testing helps avoid:
- Test failures caused by test-case gaps
- Long rounds of refinement that still leave you without verification results matching the documented risk controls
- Ad hoc reconfigurations that force new configuration baselines
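The three steps above amount to one reconciliation: every requirement, risk control and test in the baseline must point at something that exists, sit on the same configuration baseline, and have a result that backs the documented claim. The script below is an added example, not code from the original article or from any standard; it runs that reconciliation over a constructed mini technical file (record layout, IDs, the baseline tag and the vague-wording list are all assumptions for illustration) and reports the gaps a gate review is meant to catch before formal verification begins: orphaned requirements, risk controls with no implementing requirement or with failing tests, tests that cite unknown requirements, artefacts on the wrong baseline, and untestable wording.

```python
"""Pre-verification traceability gate (added example, not from the article)."""
from dataclasses import dataclass
import re

BASELINE = "TF-1.4"  # assumed: the configuration baseline the gate is reviewing


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str
    baseline: str


@dataclass(frozen=True)
class RiskControl:
    id: str
    hazard: str
    implemented_by: tuple  # requirement IDs that realise this control
    baseline: str


@dataclass(frozen=True)
class Test:
    id: str
    verifies: tuple  # requirement IDs this test verifies
    result: str      # "pass", "fail" or "not run"
    baseline: str


# Heuristic, assumed list: words that usually make a requirement unverifiable
VAGUE = re.compile(r"\b(fast|quickly|user[- ]friendly|adequate|appropriate|etc\.?|as needed)\b", re.I)


def gate_check(reqs, controls, tests, baseline=BASELINE):
    """Return (severity, finding) tuples; an empty list means the gate passes."""
    findings = []
    req_ids = {r.id for r in reqs}

    # 1. Configuration management: every artefact must sit on the gate's baseline
    for art in (*reqs, *controls, *tests):
        if art.baseline != baseline:
            findings.append(("major", f"{art.id} is on baseline {art.baseline}, gate baseline is {baseline}"))

    # 2. Requirement quality: flag wording that cannot be turned into a pass/fail test
    for r in reqs:
        m = VAGUE.search(r.text)
        if m:
            findings.append(("minor", f"{r.id} uses untestable wording '{m.group(0)}'"))

    # 3. Forward trace: every requirement needs at least one verification test,
    #    and every test must cite requirements that actually exist in the baseline
    verified = {}
    for t in tests:
        for rid in t.verifies:
            if rid not in req_ids:
                findings.append(("major", f"{t.id} verifies unknown requirement {rid}"))
            verified.setdefault(rid, []).append(t)
    for r in reqs:
        if r.id not in verified:
            findings.append(("major", f"{r.id} has no verification test"))

    # 4. Risk controls: traced to real requirements whose tests all passed,
    #    otherwise the control's effectiveness is undemonstrated
    for c in controls:
        if not c.implemented_by:
            findings.append(("major", f"{c.id} ({c.hazard}) is not implemented by any requirement"))
        for rid in c.implemented_by:
            if rid not in req_ids:
                findings.append(("major", f"{c.id} traces to unknown requirement {rid}"))
                continue
            results = [t.result for t in verified.get(rid, [])]
            if not results or any(res != "pass" for res in results):
                findings.append(("major", f"{c.id} effectiveness not demonstrated: {rid} results {results or 'none'}"))
    return findings


# Constructed sample technical file (illustrative only, not real product data)
REQS = [
    Requirement("SRS-001", "The app shall display an alert within 2 s when SpO2 < 90%.", "TF-1.4"),
    Requirement("SRS-002", "The app shall respond quickly to user input.", "TF-1.4"),
    Requirement("SRS-003", "Session data shall be encrypted at rest with AES-256-GCM.", "TF-1.3"),
]
CONTROLS = [
    RiskControl("RC-01", "Missed desaturation", ("SRS-001",), "TF-1.4"),
    RiskControl("RC-02", "PHI disclosure", ("SRS-003",), "TF-1.4"),
    RiskControl("RC-03", "Stale reading shown", (), "TF-1.4"),
]
TESTS = [
    Test("TC-101", ("SRS-001",), "pass", "TF-1.4"),
    Test("TC-102", ("SRS-003",), "fail", "TF-1.4"),
    Test("TC-103", ("SRS-009",), "pass", "TF-1.4"),
]

if __name__ == "__main__":
    for sev, msg in gate_check(REQS, CONTROLS, TESTS):
        print(f"[{sev}] {msg}")
```

On the sample data the gate reports six findings: SRS-003 is on an older baseline, SRS-002 contains untestable wording, TC-103 cites a requirement that does not exist, SRS-002 has no test at all, RC-02 is backed only by a failing test, and RC-03 is not implemented by any requirement. Any "major" finding should block entry into formal verification; in practice the records would be exported from the requirements and test-management tools rather than typed in, but the checks are the same.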
Common Defects Uncovered by Notified Bodies That Can Be Avoided
Poor quality-gate execution can result in common issues flagged during Notified Body reviews, such as:
- Software requirements that are not linked to verification outcomes
- Unverified or weakly justified risk controls
- Verification protocols missing edge cases or failure scenarios
- Mismatches between actual software behavior and documented claims
These issues often lead to major rework, project delays and, in some cases, re-audits.
FDA Guidelines for SaMD Compliance
The FDA has also released a series of guidance documents relevant to SaMD developers, clarifying regulatory expectations and helping ensure that products meet safety and performance standards for clearance or approval in the U.S.
Key FDA guidance relevant to SaMD includes:
- Software as a Medical Device (SaMD): Clinical Evaluation – An IMDRF document adopted by the FDA that describes how clinical evaluation of SaMD should be conducted and documented.
- Risk management for SaMD – The FDA emphasizes the importance of risk management, in line with IEC 62304 and ISO 14971.
- FDA guidance on software validation – Specific recommendations for validating software so that the product meets its safety and performance criteria.
- Cybersecurity for medical devices – The FDA maintains stringent expectations for medical device cybersecurity and updates its guidance as threats evolve.
The Investment That Pays Off
Quality-gate reviews do take time, but they are an investment, not a cost. When integrated into your SDLC, they help teams:
- Maintain consistent documentation and development cadence
- Prevent non-conformities that derail certification
- Create a culture of cross-functional accountability
- Achieve faster time to market with fewer surprises
Skipping these reviews may save a few days in the short term, but it will likely cost weeks or months in the long run.
The road to SaMD certification is full of regulatory checkpoints. Proactively embedding quality gates into your SDLC, especially before software verification, gives your team the structure, foresight, and control to get it right the first time. Don’t wait for your Notified Body to uncover critical defects. Catch them early, fix them fast, and move forward with confidence.
That’s where Freyr steps in.
We don’t just identify gaps; we build systems that close them. With deep domain expertise across IEC 62304, IEC 82304-1, ISO 14971, FDA regulations, and global SaMD regulatory frameworks, Freyr empowers your teams to embed audit-ready quality gates that withstand scrutiny and accelerate approvals. To learn more, connect with a Freyr SaMD Expert today.