10 Most Common GSPR Gaps in Class IIb Medical Device Software
After analyzing over 100 compliance assessments, we’ve identified the GSPR (General Safety and Performance Requirements) gaps that appear most frequently in Class IIb medical device software submissions.
1. Insufficient Cybersecurity Documentation (GSPR 17.1)
The Gap: Many manufacturers fail to adequately document cybersecurity measures and risk assessments.
What’s Required:
- Cybersecurity risk assessment
- Security controls documentation
- Secure development lifecycle evidence
- Vulnerability management plan
How to Fix: Implement and document a comprehensive cybersecurity risk management process aligned with IEC 81001-5-1.
2. Missing Clinical Evaluation Report (GSPR 1)
The Gap: Software developers often underestimate clinical evaluation requirements.
What’s Required:
- Clinical Evaluation Report (CER)
- Clinical evidence of safety and performance
- Equivalence demonstration (if applicable)
3. Inadequate Usability Engineering File (GSPR 5)
The Gap: Usability testing is done but not properly documented according to IEC 62366-1.
4. Incomplete Software Validation (GSPR 17.2)
The Gap: Software validation doesn’t cover all intended use scenarios or clinical claims.
5. Missing Post-Market Surveillance Plan (GSPR 3)
The Gap: PMS plan is generic or doesn’t address software-specific risks.