India aims to be the pharmacy of the world. 1 To achieve this dream, it is important that drugs and medical devices "made-in-India" are trusted by regulators and users globally. A robust regulatory framework for evaluating and approving drugs and medical devices is key to building this trust. With this in mind, this article will highlight two areas under the Medical Device Rules, 2017 ('MD Rules') that may not be on par with international standards. These are software validation (i.e., ensuring the safety of software used in medical devices) and risk management (i.e., ensuring that the benefits of using a medical device outweigh its risks). The article will first provide an overview of the MD Rules. We then discuss the two stated issues and argue for their redressal, referencing international standards and developments.

Current position under the MD Rules, 2017:

To ensure affordable healthcare, it is imperative to innovate and manufacture new medical devices locally. Under the MD Rules, such new devices are treated as "investigational medical devices" ('New medical devices'). 2 New medical devices are those for which no predicate device (a first time and first of its kind device that has been approved for manufacture, sale, or import) 3 exists in India. A new medical device can also be a device that is already in the market but is proposed to be used on a new population (e.g., a device meant for adults is being used on children) or has a new intended use (e.g., device meant to monitor heart rate will be used to send out an automatic alert to hospitals). New medical devices must go through clinical investigation under the MD Rules. Clinical Investigation is a systematic study to assess the safety, performance, and effectiveness of a medical device. In an earlier  post, we mapped the clinical investigation process step-by-step and listed the documents to be submitted at the time of applying for permission to conduct a clinical investigation.

Diving deeper into these documents it becomes evident that terms like risk, benefit, and software validation have been interspersed across these documents, without clarity on what these terms signify or how they will be assessed. Regulators and industry alike suffer from this lack of clarity.

This lack of clarity gives rise to two challenges. Firstly, how to conduct software validation. Software validation involves assessing whether the software is performing such that it consistently enables the intended use of the medical device. Secondly,  how to ensure risk management. Risk management involves assessing whether the benefits of using the device outweigh the risks of using it. Both these issues are at the heart of ensuring medical devices that are "made-in-India" can be trusted. Here there is a need to strengthen the MD Rules, and thus, provide the opportunity to strengthen the MD Rules. 

The need to tackle these issues better under the MD Rules is amplified by recent regulatory developments. Through a February 2020 notification, the Health Ministry expanded the definition of medical devices to include software and other accessories that are intended to: 4

  1. Diagnose, prevent, monitor, treat, alleviate, or assist in any injury or disability;
  2. Investigate, replace, modify or support the anatomy or physiological process;
  3. Support or sustain life;
  4. Disinfect medical devices; and
  5. Control contraception.

Laying down frameworks for ensuring the safety and efficacy of software as a medical device becomes more important keeping this expanded definition in mind. This is because standalone software can now be classified and treated as a medical device under the MD Rules.

Let us look at a few examples to understand the ramifications of this notification where standalone software and software components of a medical device are concerned. Take the watch applications of Apple and Samsung that monitor and capture electrocardiogram readings. Based on this new notification such applications would be considered as medical devices. These applications are standalone software that are considered medical devices because they can perform more than one function listed in the expanded definition above. Interestingly both these applications have received approval as medical devices from American regulators. 5Continuous glucose monitors are a great example to understand how this notification will affect software components of a medical device. Such devices have a small needle that probes into the arm and uses a sensor to collect and transmit real-time data to one's smartphone. The medical device hardware here is the needle probe and sensor portions while the software component is the technology driving the data collection and transmission. One such device has already been approved by American regulators. 6 In the cases of both the Watch Applications and the Continuous Glucose Monitor, software validation is necessary, especially in light of the new notification that recognizes both types of medical devices. With this recognition, it becomes important to have a clear process to assess the safety of the software. This is done through software validation and risk management.

Scope for strengthening the MD Rules:

A. Software validation:

The MD Rules mentions that software validation needs to be conducted and a summary of the results to be provided in the Investigator's Brochure. 7 Additionally, the Health Ministry issued Guidelines in 2018 that also indicate the need to ensure the safety and efficacy of software components and standalone software. 8These guidelines call for two things to be ensured: 9

  • Ensuring repeatability, reliability, and performance  according to the intended use  of the software, 
  • Ensuring that the software is validated according to the state of the art  and using principles of the development lifecycle, risk management, verification, and validation.

Several issues emerge on the implementation of these Guidelines. Firstly,  it is unclear how the medical device industry is meant to demonstrate these two points. Secondly,  how the regulators will judge if the standalone software or software components are performing safely is unknown. And finally, whether the software will be classified based on risk and therefore be held up to different risk-based standards of scrutiny? Revamping the MD Rules based on existing international standards could address these issues.

B. Risk Management of Medical Devices:

To implement risk management, terms like "risks", "benefits" and "harms" need to be defined, so that they can be measured, controlled, and tracked. Additionally, clear metrics for measuring and controlling need to be laid down. Neither are these terms defined in the MD Rules nor are there any metrics or frameworks for assessing them.

The 2018 Guidelines issued by the Health Ministry outline the need to mitigate harm and risk, but it remains unclear what framework the authorities will use to ensure this. The 2018 Guidelines places the onus of risk management on the manufacturer, asking that known risks are eliminated and residual risks are communicated with users, 10 without explaining how risks, harms, and benefits can be identified. The lack of clarity on what framework to use to identify risks, harms, and benefits, and how to weigh them against each other will create problems in proving the safety and efficacy of the medical device. This is something that other regulators have delved into in greater detail. 11 Studying what other regulators have done would help revamp the MD Rules to address these challenges.

Global Standards on Clinical Investigation:

Referencing internationally accepted standards is a good starting point to address the issues of software validation and risk management of medical devices. Global standards for clinical investigation practices have been laid down by organizations like the International Medical Device Regulators Forum ('IMDF'), and the International Organization for Standardization (ISO). The first such standard was released by ISO in 2003, which was subsequently updated in 2011. 12 These standards were adopted by regulators in the US and Europe. The MD Rules adopted by India in 2017 were also in line with these standards.

These standards have been reviewed and updated again in 2020 to address new concerns. 13The 2020 version addresses questions on how to evaluate software 14 and clarifies certain critical concepts for clinical investigations. For example, in the 2020 version concepts like "harms", "risks", "benefits", and "residual risk", which are relevant for the risk management plan, are defined and covered in great detail. Risk management plans detail how risk is analyzed evaluated, controlled, and monitored. Sponsors must submit this plan at the time of applying for permission to conduct a clinical investigation. At the end of the clinical investigation, a risk management report, which contains data on risks and their controls, is submitted. 15

The European and American regulators were quick to adopt these standards. India, however, is yet to do so. It remains to be seen when India will initiate the process of updating the MD Rules to the 2020 standards, and what the resulting instrument will be. 


The 2011 ISO standards which formed the basis for the MDR have been updated to address issues of software validation and risk management in medical devices. Additionally, there are lessons to be drawn from the American and European regulators. The time is right for regulators to examine the regulatory landscape for clinical investigation in India and abroad. In an earlier  post, we highlighted the piece-meal approach of Indian regulators to medical device regulation, calling for more industry engagement to co-create regulations that are on par with international requirements. The industry should work with the regulator to address issues with the clinical investigation approval process for medical devices. If these issues of software validation and risk management remain unaddressed in India, it will be challenging to prove the safety and efficacy of indigenously manufactured devices to the world.


1.  ENS Economic Bureau, PM Modi: India playing role of pharmacy to the world, October 09, 2020

(Available at:

2.  Rule 3(x), Medical Devices Rules 2017: Investigational Medical Devices are devices which does not have its predicate device as defined in clause (zm); or which is licensed under sub-rule (4) or sub-rule (6) of rule 20, sub-rule (1) of rule 25, or sub-rule (1) of rule 36 and claims for new intended use or new population or new material or major design change;

3.  Rule 3(zm), Medical Devices Rules, 2017

4.  S.O.E.648(E), February 11, 2020 (Available at:

5.  Nicole Westman, FDA confirms Samsung's Galaxy Watch 3 is cleared for EKG, just like the Apple Watch (accessed on February 03, 2021)

6.  Alexandra Sifferlin, Why Perfectly Healthy People Are Using Diabetes Monitors (Accessed on: February 03, 2021)

7.  Table 4, Seventh Schedule, Medical Device Rules, 2017

8.  Para 5.8 of the Essential Principles for safety and performance of medical devices guidelines, April 19, 2018 (Available at:

9.  Para 5.8 of the Essential Principles for safety and performance of medical devices guidelines, April 19, 2018 (Available at:

10.  Para 4.2. Essential Principles for safety and performance of medical devices guidelines

11.  Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions | Guidance for Industry and Food and Drug Administration Staff. December 27, 2016 (Available at:–Compliance–and-Enforcement-Decisions—Guidance-for-Industry-and-Food-and-Drug-Administration-Staff.pdf)

12.  ISO14155: 2011 Clinical investigation of medical devices for human subjects – Good Clinical Practice (Available at:

13.  ISO 14155:2020, Clinical investigation of medical devices for human subjects — Good clinical practice (Available at:; released July 2020) 

14.  "demonstration of the analytical validity (the SaMD's output is accurate for a given input), and where appropriate, the scientific validity (the SaMD's output is associated to the intended clinical condition/physiological state), and clinical performance (the SaMD's output yields a clinically meaningful association to the target use) of the SaMD, the requirements of this document apply as far as relevant" – ISO 14155:2020

15.  ISO 14971:2019 Medical devices — Application of risk management to medical devices (Available at:; at para 3.13 and 3.18

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.