Clinical Decision Support vs Clinical Decision Making: Where the FDA SaMD Line Falls in 2026

⚕ This content is for educational purposes only and is not a substitute for professional medical, legal, or clinical advice. Consult a qualified professional for guidance specific to your situation.
Clinical Decision Support vs Clinical Decision Making: Where the FDA SaMD Line Falls in 2026
Quick Answer
The FDA SaMD framework classifies AI clinical software as a regulated medical device when it acquires patient-specific data and generates diagnostic or therapeutic outputs a clinician cannot independently verify. Clinical decision support tools escape device regulation under the 21st Century Cures Act only if they meet all four statutory criteria: no physiological signal analysis, clinician-addressable recommendations, support for independent review and no intent to replace clinical judgment. Adaptive AI systems should be designed for Predetermined Change Control Plan compatibility now.

The FDA SaMD framework is the single most consequential regulatory boundary in clinical AI right now. Engineers shipping diagnostic models, clinical informaticists deploying NLP-based screening tools and compliance officers reviewing vendor contracts all need to know exactly where software transitions from a clinical decision support tool into a regulated medical device. Getting that wrong carries serious legal exposure. Getting it right creates a durable compliance posture that survives software updates, model drift and agency guidance revisions.

This article maps the current FDA SaMD framework against real-world clinical AI use cases, walks through the four-quadrant risk classification model, explains when a 510(k) submission becomes mandatory and unpacks the Predetermined Change Control Plan guidance that changes how adaptive AI systems are regulated across their full development lifecycle.

Why the CDS-SaMD Distinction Defines Clinical AI Risk

Clinical decision support software has existed since the 1980s. Rule-based drug interaction checkers, dosage calculators and evidence-based order sets all qualify. The FDA historically left most of that software alone. The 21st Century Cures Act, signed into law in 2016, codified that hands-off posture for certain CDS categories and directed the FDA to focus regulatory attention on higher-risk software functions.

What changed the stakes is machine learning. A static drug interaction checker applies fixed rules a clinician can inspect and override. A large language model generating a differential diagnosis, a computer vision algorithm flagging a retinal scan for diabetic retinopathy or an NLP pipeline scoring depression severity from clinical notes does something qualitatively different. It generates outputs a clinician may not be able to independently verify in real time. That opacity is precisely what the FDA SaMD framework is designed to address.

The core regulatory question is not whether the software uses AI. The question is whether the software is intended to diagnose, cure, mitigate, treat or prevent a disease or condition. If the answer is yes, the software is a medical device under the Federal Food Drug and Cosmetic Act regardless of whether it runs on a dedicated device, a hospital server or a cloud API.

The FDA SaMD Framework: Four Risk Tiers and What Triggers Oversight

The FDA adopted the International Medical Device Regulators Forum definition of Software as a Medical Device in 2017 and has built its subsequent guidance on that foundation. The IMDRF framework classifies SaMD along two axes: the significance of the information provided by the software (treat or diagnose, drive clinical management or inform clinical management) and the severity of the condition the software addresses (critical, serious or non-serious).

Those two axes produce a four-category risk matrix. Category I software carries the lowest risk: informing clinical management for non-serious conditions. Category IV carries the highest: treating or diagnosing critical conditions. The FDA generally requires premarket review for Category III and IV software and applies a risk-proportionate approach to Categories I and II.

For clinical mental health AI specifically, the risk tier depends heavily on how the output is framed. A tool that surfaces validated PHQ-9 scores from structured intake data and presents them to a Licensed Clinical Doctor for independent review sits differently in the matrix than a tool that generates a DSM-5 diagnosis code and routes the patient to a specific care pathway without clinician review. The first is likely CDS. The second almost certainly triggers SaMD classification.

The FDA's 2019 discussion paper on a proposed regulatory framework for AI and ML-based SaMD and its subsequent 2021 action plan introduced a total product lifecycle approach. That approach acknowledges that a model trained today will perform differently after six months of real-world data exposure. Regulatory oversight has to account for that drift. The Predetermined Change Control Plan concept emerged directly from that recognition.

The 510(k) Trigger: When AI Becomes a Medical Device

A 510(k) premarket notification is the most common pathway to FDA clearance for moderate-risk medical devices. The submitting organization must demonstrate that its device is substantially equivalent to a legally marketed predicate device. For software, that means identifying a cleared SaMD with comparable intended use and technological characteristics.

The 510(k) trigger in AI-assisted clinical tools comes down to three practical questions.

First: does the software acquire, process or analyze patient-specific data and return patient-specific results rather than general population data? A clinical NLP pipeline reading a single patient's progress notes to score suicidal ideation risk meets this threshold. A population analytics dashboard summarizing aggregate risk scores across a panel does not necessarily meet it.

Second: is the intended use diagnostic or therapeutic? If a vendor's marketing materials, user documentation or algorithm design indicate the software is meant to diagnose a specific condition, that declared intent is binding regardless of how the output is technically labeled. The FDA reviews intended use declarations carefully and has cited misleading labeling in warning letters.

Third: can a clinician independently review the basis for the recommendation without specialized technical training? This is the transparency criterion that separates a large portion of modern ML-based tools from their rule-based predecessors. When a Random Forest model or a transformer-based scoring system generates a risk prediction, the clinician typically cannot inspect the reasoning chain the way they could inspect a decision tree. That opacity does not automatically trigger 510(k) requirements but it is a significant factor in the FDA's assessment of whether the software provides recommendations a healthcare professional can independently review.

Organizations that deploy AI-assisted mental health screening tools without performing this three-question analysis are taking on regulatory risk they may not have quantified. At TheraPetic® Healthcare Provider Group, our clinical technology team applies these criteria to every intake AI module before deployment, working alongside our Licensed Clinical Doctors to ensure the human review layer is both structurally present and clinically meaningful rather than a nominal checkbox.

The CDS Safe Harbor and Its Four Criteria

The 21st Century Cures Act created a statutory safe harbor for certain CDS software, excluding it from device regulation. To qualify, a CDS tool must meet all four of the following criteria simultaneously.

The software must not acquire, process or analyze medical images, signals from in vitro diagnostics or signals acquired from a patient. Clinical NLP tools reading free-text notes occupy a gray zone here because progress notes are patient-generated data, though not signals in the physiological sense. The FDA has provided limited formal guidance on this edge case as of 2026.

The software must display, analyze or print medical information that is not specific to an individual patient, or it must support or provide recommendations to healthcare professionals about prevention, diagnosis or treatment of a disease for an individual patient. The second clause is where most mental health AI tools try to anchor.

The intended purpose must be to support or enable a healthcare professional's independent review of the recommendations. This is the most operationally significant criterion. The FDA interprets "independent review" to mean the clinician can reach the same conclusion using the software's underlying data and clinical reasoning without relying on the algorithm's output as an authoritative conclusion. If the user interface design discourages deviation from the algorithm's recommendation, the FDA has indicated that can undermine a CDS classification claim.

The software must not be intended for use to replace the clinical judgment of a healthcare professional. Marketing language matters here. Any positioning that suggests the AI replaces clinical assessment rather than informs it is a red flag in an FDA review.

If a tool fails any one of these four criteria, the CDS safe harbor does not apply and the FDA will analyze the software under the standard SaMD framework. Engineering teams building AI intake tools, risk stratification algorithms or symptom triage models should treat these four criteria as a design checklist, not an afterthought.

Predetermined Change Control Plans and Adaptive AI

The traditional regulatory model assumed a medical device was a fixed artifact: clear it once, sell it. That model breaks down completely with adaptive ML systems. A model fine-tuned on new clinical data, a retrieval-augmented generation architecture pulling from an updated knowledge base or a transformer checkpoint updated to reflect revised DSM-5 criteria is functionally a different software product after the update. Under the traditional model, each update could theoretically require a new premarket submission.

The FDA's proposed Predetermined Change Control Plan guidance addresses this directly. A PCCP allows developers to specify in advance the types of modifications they expect to make to an AI-based SaMD, the methods they will use to validate those modifications and the performance criteria that must be met before a change is deployed. If the FDA accepts the PCCP as part of an initial clearance, the developer can implement the described changes without a new 510(k) submission, provided the changes stay within the PCCP's defined boundaries.

This is architecturally significant for anyone building clinical AI on top of foundation models. A RAG pipeline pulling from a clinical knowledge graph that is updated quarterly needs a change management story. A fine-tuned clinical NLP model retrained on new EHR data every six months needs one too. The PCCP framework gives developers a path to build that story into the regulatory submission rather than scrambling retroactively each time the model changes.

As of 2026, the PCCP guidance remains in proposed form pending finalization. The FDA has accepted voluntary PCCP submissions and indicated it is working toward a final guidance document. Organizations shipping adaptive clinical AI should be designing their model governance pipelines to be PCCP-compatible now, not after the final guidance drops. That means version-controlled model registries, prospectively defined performance thresholds and documented drift detection protocols.

Research published in NEJM AI and npj Digital Medicine has begun examining the performance drift problem empirically, documenting how clinical ML models trained on historical EHR data degrade when deployed in different health systems or after significant changes in patient population demographics. The PCCP framework does not solve that drift but it creates a regulatory structure within which drift monitoring is a compliance requirement rather than an optional engineering practice.

Clinical Mental Health AI: Where TheraPetic® Draws the Line

At TheraPetic® Healthcare Provider Group, we operate on both sides of this regulatory line by design. Our HANK AI system, which powers initial intake and psychosocial screening for support animal documentation through verify.mypsd.org, is architected explicitly as a CDS tool rather than a diagnostic engine.

HANK AI surfaces structured clinical indicators, validated screening instrument scores and patient-reported history to our Licensed Clinical Doctors. It does not generate DSM-5 diagnoses. It does not route patients to care pathways without clinician review. Every clinical determination is made by a credentialed human clinician who can access the underlying data, apply independent clinical judgment and deviate from any algorithmic suggestion without technical or workflow friction. That architecture is not accidental. It reflects a deliberate reading of the CDS safe harbor criteria and a commitment to human oversight that our clinical leadership, under the direction of Dr. Patrick Fisher, PhD, LPC, NCC, considers both ethically required and regulatorily sound.

The data governance layer for this system runs through mydatakey.org, which handles HIPAA-compliant deidentification and data subject rights management. Keeping the AI infrastructure decoupled from identifiable patient data wherever possible is part of how we maintain both compliance and patient trust.

For engineers and clinical informaticists building similar systems, the practical takeaway is this: design the human review layer as a structural requirement, not a UI feature. The clinician's ability to independently reach the same conclusion as the algorithm, using the same underlying data, is the technical and legal foundation of a defensible CDS classification. If your system architecture makes independent review difficult or unlikely in practice, the FDA will notice. So will plaintiffs' attorneys.

The FDA SaMD framework is not a bureaucratic obstacle to clinical AI innovation. It is a risk management structure that, when understood correctly, actually clarifies what you can build and how. The organizations that will deploy the most capable clinical AI at scale in the years ahead are the ones investing now in regulatory literacy at the engineering level, not just in the compliance department.

Frequently Asked Questions

Frequently Asked Questions

What is the single factor most likely to push clinical AI from CDS into SaMD territory?
The clearest trigger is intended use language that implies the software diagnoses a specific condition in an individual patient without requiring independent clinician verification. If the user interface or marketing materials position the AI output as a conclusion rather than a recommendation, the FDA will treat that as diagnostic intent. Engineering teams should audit their UX copy and documentation with the same rigor they apply to the model itself.
Does using a large language model automatically require a 510(k) submission?
No. The regulatory classification depends on intended use and risk level, not the underlying technology. An LLM that summarizes a patient's history for a clinician's review is likely CDS. An LLM that generates a DSM-5 diagnosis code or a specific treatment recommendation the clinician is expected to follow without independent review is almost certainly SaMD. The architecture of human oversight matters more than the model type.
How does a Predetermined Change Control Plan affect ongoing model retraining?
A PCCP accepted by the FDA as part of an initial clearance allows developers to retrain or update an AI model within predefined boundaries without filing a new 510(k) for each change. The PCCP must specify what types of changes are anticipated, what validation methods will be used and what performance thresholds must be maintained. Organizations retraining clinical models on new EHR data should design their MLOps pipelines to generate the documentation a PCCP requires.
Can a mental health intake AI qualify for the CDS safe harbor if it uses validated screening instruments like the PHQ-9?
It can qualify if all four statutory criteria are met simultaneously. Using a validated instrument like the PHQ-9 strengthens the case for CDS classification because the scoring logic is transparent and clinician-reviewable. The critical design requirement is that the Licensed Clinical Doctor can independently verify the score and override the algorithmic output without workflow barriers. If the system architecture makes that independent review nominal rather than substantive, the safe harbor protection weakens.
Where can organizations find the current FDA guidance documents on SaMD and AI-based medical software?
The FDA publishes SaMD guidance at fda.gov under the Digital Health Center of Excellence. Relevant documents include the 2017 SaMD framework guidance, the 2019 proposed framework for AI and ML-based SaMD and the proposed Predetermined Change Control Plan guidance. The FDA also publishes a software precertification program history that provides useful context for how the agency's thinking evolved toward the current total product lifecycle approach.
FDA SaMDclinical decision support510k clearanceclinical AIPredetermined Change Control Planmedical device softwareHIPAA clinical AI
← Back to Blog