Software Safety Case
A structured argument, supported by evidence, that a device's software is acceptably safe (and increasingly, secure) for its intended use.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
A software safety case is a structured, documented argument - supported by traceable evidence - that a medical device's software is acceptably safe in its intended use environment. Modern MedTech safety cases increasingly include cybersecurity arguments because exploitable vulnerabilities can produce safety harms. Goal-Structuring Notation (GSN) is the most common formalism, though many MedTech teams use less formal narrative-plus-evidence structures.
What the regulation says
FDA's 2023 cybersecurity guidance expects cybersecurity evidence to be integrated with safety risk evaluation under ISO 14971. The combined safety-and-security case is the unifying artifact reviewers look at to assess overall residual risk. EU MDR Annex I §17.2 expects analogous integration.
What this means in practice
A safety case is most useful when authored in parallel with development - claims drive what evidence the team needs to gather, and evidence informs which claims can be made. Late-authored safety cases tend to be ex-post justifications rather than design drivers.
Common pitfalls
- Authoring the safety case after the fact - robs it of its design-influencing role.
- Treating cybersecurity as a separate case from safety.
Frequently asked questions
Not legally required. FDA accepts equivalently rigorous narrative arguments. EU regulators and notified bodies sometimes prefer GSN-style structure.
Primary references
1. FDA Cybersecurity Guidance (Sept 2023). FDA, fda.gov
2. ISO 14971:2019 Risk Management for Medical Devices. ISO, iso.org
3. MDCG Cybersecurity Guidance. MDCG, health.ec.europa.eu