Get Started
Get Started
Sensor Bio hero image for biosensor sdk evaluation — v5.3 spec
Biometrics & Data

Biosensor SDK Evaluation: How to Assess Wearable Software Platforms for Clinical Use

This guide explains how clinical teams evaluate wearable signal quality. It covers measurement limits and practical interpretation of recovery data.

A biosensor SDK evaluation should assess five criteria before integration: whether raw waveform data is accessible, platform and connectivity architecture, signal quality reporting, security and compliance posture, and vendor documentation stability.1

This guide is written for mobile and embedded software engineers, digital health product managers, and clinical informatics leads who are evaluating biosensor hardware vendor SDKs before committing to an integration. If you are already at the stage where a vendor is proposing a contract, the SDK evaluation should be nearly complete. Most teams start it too late. The SDK choice is an architecture decision, not a procurement one. It sets the clinical and regulatory ceiling of your product for years after launch, and replacing an SDK post-integration is not a refactor: it is a re-integration, a re-validation, and potentially a re-certification process.

What a biosensor SDK is and why the choice is a long-term architecture decision

A biosensor SDK is the software layer between the hardware sensor and your application. In a wearable PPG or ECG device, the SDK handles Bluetooth LE pairing and reconnection logic, streams data from sensor to mobile or cloud application, controls access to raw waveform samples or computed metrics, reports signal quality, and manages data buffering, timestamping, and gap handling.2

The SDK choice is not a build-versus-buy convenience question. It determines what data your application can access at all. An SDK that exposes only computed heart rate and SpO2 as numeric outputs prevents your engineering team from implementing custom algorithms, validating vendor computations against a reference standard, or producing a regulatory submission that explains the signal processing chain. Switching SDKs post-integration means re-integration, re-validation, and potentially re-certification. The cost compounds further if the integration has already reached clinical deployment: any gap in the data record introduced during migration may need to be documented and explained to IRBs or regulatory reviewers, extending the switching timeline well beyond what a purely technical estimate would suggest.

The biosensor SDK evaluation performed before signing a vendor agreement sets the clinical and regulatory ceiling of the entire product. Start it earlier than feels necessary.

Raw waveform access vs. computed features: the most consequential SDK decision

The single most important dimension in any biosensor SDK evaluation is whether the SDK exposes raw waveform data or only computed features.3

A raw waveform SDK delivers time-series ADC samples from the PPG photodetector at the sensor’s native sampling rate, typically 25 to 256 Hz, plus accelerometer data. This enables custom algorithm development, independent validation of vendor computations against an ECG ground truth, full regulatory documentation of the signal processing chain, deployment-specific beat detection tuning, and signal quality classification by your own criteria. Clinical research programs examining autonomic nervous system function, including investigations into phenomena explored in polyvagal theory: evidence, accuracy, and clinical use, depend on access to the full, unprocessed signal rather than vendor-computed summaries. Raw waveform access requires engineering capacity to implement signal processing: beat detection, artifact rejection, and metric computation. That investment is real, but it is also recoverable. The cost of choosing a computed-features-only SDK and later discovering you need raw access is not.

A computed features only SDK delivers vendor-computed values, such as heart rate, RMSSD, and SpO2, typically at a low output rate of one reading per five seconds. Integration is faster. That trade is acceptable for engagement tracking and wellness applications where the regulatory bar is low and the metrics are informational rather than clinical. But it creates a black box: the vendor’s algorithm is not independently reproducible or auditable by your team. Any regulatory submission must rely on the vendor’s own validation study as the sole evidence basis. Metric definitions may differ from published normative reference values, and there is no way to verify the discrepancy without the underlying signal.4

If your application will ever make a clinical claim or support a regulatory submission citing a biosensor-derived metric, raw waveform access is required. Computed-features-only SDKs are not compatible with clinical-grade regulatory documentation. Choose based on where your product is heading, not just where it starts.

Platform coverage, connectivity, and real-world performance requirements

Platform and connectivity performance are operational requirements, not afterthoughts. Validate all of the following before signing a vendor agreement, not after.5

Platform coverage: iOS and Android support is required for any patient-facing application. Verify that background Bluetooth LE operation is supported on iOS. Apple restricts background BLE for applications not using Core Bluetooth correctly, and SDK implementations vary widely. This is not a theoretical concern: when background BLE fails in real deployments, the device silently stops collecting data while the user continues wearing it, creating gaps in the clinical record that cannot be recovered. For cross-platform frameworks such as React Native or Flutter, verify that native SDK functionality is fully available in the wrapper. Reduced functionality and higher latency are common in cross-platform BLE wrappers and are rarely documented clearly by vendors.

Connectivity performance: test these in your lab before signing.

  • Connection drop rate over a 4-hour continuous session in a realistic use environment
  • Automatic reconnection time after drop (target: <10 seconds)
  • Data latency from sensor event to application receipt (≤500 ms for real-time biofeedback; ≤5 seconds for trend monitoring)
  • Measured device battery drain during continuous PPG streaming on both iOS and Android hardware (verify against vendor claims)
  • Data completeness percentage under realistic interference conditions: body movement, Wi-Fi routers, concurrent BLE device presence

A vendor who cannot provide measured connection reliability and battery drain data under realistic conditions either has not conducted deployment testing or is unwilling to share results. Neither is acceptable for a clinical integration commitment.

Signal quality reporting: minimum acceptable SDK output

A biosensor SDK evaluation that does not scrutinize signal quality reporting has not evaluated the most consequential variable in clinical data quality.6

Minimum required signal quality outputs:

  • Signal quality index (SQI) or equivalent: a per-sample or per-epoch quality score; values below threshold must be flagged as unreliable and excludable from metric computation via the SDK API
  • Perfusion index (PI): the ratio of pulsatile to non-pulsatile PPG signal; PI below 0.3 to 0.5% indicates likely unreliable optical contact or low peripheral perfusion
  • Motion artifact flag: binary or graded indicator that accelerometer data shows movement during the PPG recording window
  • Off-body detection: flag indicating the sensor is not in contact with skin

Why this matters: a computed RMSSD value from a 5-minute window that included 2 minutes of motion artifact and 90 seconds of poor perfusion is not equivalent to a clean 5-minute resting RMSSD. Without signal quality metadata propagated through the data stream, clinical dashboards cannot distinguish valid readings from corrupted readings.7 That distinction is not minor: it affects the validity of every clinical decision made downstream from the data. For teams building applications where autonomic metrics matter clinically, understanding the physiological basis of what these signals actually measure is equally important. The explainer on vagal tone meaning: signal, noise, and measurement limits covers how autonomic activity maps to HRV signals your SDK must capture cleanly, and why the signal quality layer is the foundation everything else depends on. Research programs examining longer-term autonomic patterns, including phenomena like those described in parasympathetic saturation explained: what the research shows, are only detectable with continuous, high-quality signal that has been properly filtered and quality-gated at the SDK layer.

How to test during biosensor SDK evaluation: Stream a 30-minute session with deliberate quality variation: rest, walking, cold hands, and sensor removal and replacement. Verify that SQI values track actual quality conditions. Verify that flagged periods are programmatically excludable via the API.

Security, compliance, and FHIR interoperability requirements

Security and compliance requirements are non-negotiable for any biosensor SDK that handles physiological data from patients or clinical research subjects.

Data security minimums:

  • TLS 1.2 or higher for all data transmitted from device to cloud
  • AES-256 encryption at rest for any data buffered locally on the mobile device
  • Authenticated API sessions with no unauthenticated data endpoints
  • No default raw data transmission to vendor infrastructure without explicit opt-in; verify by monitoring network traffic during SDK integration testing

HIPAA compliance: If any biosensor data is associated with a patient identifier (name, MRN, date of birth, or any combination that constitutes PHI under 45 CFR 164), the SDK vendor is a HIPAA Business Associate. A signed BAA is required before integration. Request SOC 2 Type II certification as evidence of independently audited security controls. Most health system vendor agreements require it, and vendors without it represent unacceptable risk regardless of their technical capabilities.8

FHIR interoperability: HL7 FHIR R4 Observation resource output is required for EHR integration pathways. Physiological readings should map to standard LOINC codes: 8867-4 for heart rate, 59408-5 for SpO2, 80404-7 for RMSSD. Proprietary output formats without FHIR mapping create custom integration work at every EHR vendor. Each bespoke connection multiplies integration cost indefinitely, turning what should be a standardized data exchange into a series of one-off engineering projects that compete with your core product roadmap for development resources.9

Vendor stability, documentation quality, and lock-in risk

Technical capability is necessary but not sufficient. SDK vendor stability and documentation quality determine whether the integration survives past the first product release.

Documentation minimum bar: Complete API reference with parameter definitions, return types, error codes, and rate limits. Working code examples in Swift, Kotlin, and the SDK’s supported cross-platform frameworks. A changelog with semantic versioning where breaking changes are flagged explicitly. A published data model specifying field names, units, precision, and null conditions. If the documentation exists only as a PDF, that is itself a risk signal: PDF documentation is not versioned, not searchable across releases, and typically not maintained with the same discipline as web-hosted reference documentation.

Vendor stability signals to verify before signing:

  • Active SDK maintenance: date of last release, unresolved platform bugs in the public issue tracker
  • SLA for bug fixes and updates after major iOS and Android OS releases (OS updates break BLE implementations regularly; verify the vendor’s track record)
  • Breaking change history: has the SDK broken backward compatibility previously, and what migration support was provided?
  • Customer references in a comparable clinical integration context

Lock-in risk checklist:

  • Does the SDK require processed data to pass through vendor infrastructure? (data lock-in risk)
  • Does the SDK use a proprietary data format with no export path? (portability risk)
  • Does the vendor’s terms of service retain any rights to physiological data? (legal risk for patient data)10

That last item carries more weight than teams typically assign it during vendor selection. A terms-of-service clause granting the vendor rights to customer physiological data may be invisible during a quick contract review and consequential years later, when the vendor changes its data governance policies or is acquired. Read the terms of service carefully before integration work begins, and ask your legal team to review the data rights language specifically.

The 30-day proof-of-concept evaluation checklist

The following gate structure converts biosensor SDK evaluation criteria into a pass/fail PoC framework. Gates 1 through 3 are integration blockers: any single failing item in those gates means the evaluation cannot proceed to contract. Gate 4 items are advisory. Failing them should trigger an explicit escalation and documented acceptance of risk, not automatic approval.

Gate 1: Data access (must pass to proceed)

  • Raw PPG waveform accessible at native sampling rate (≥100 Hz for HRV use cases)
  • Signal quality index reported per epoch
  • Motion artifact flag present in data stream
  • Off-body detection flag present

Gate 2: Platform and connectivity (must pass to proceed)

  • iOS and Android background BLE operation confirmed in test conditions
  • Connection drop rate <5% over 4-hour session
  • Automatic reconnection within 10 seconds of drop
  • Battery impact measured and acceptable for intended use duration

Gate 3: Security and compliance (must pass to proceed)

  • BAA available and signed if PHI is involved
  • TLS 1.2+ encryption in transit confirmed
  • Encryption at rest confirmed for local device buffering
  • No default data transmission to vendor infrastructure without explicit opt-in

Gate 4: Documentation and vendor stability (advisory: escalate if failing)

  • Complete API reference available with versioning history
  • Changelog with explicit breaking-change flags
  • Confirmed SLA for OS update compatibility
  • Customer reference in clinical integration context available
SDK Dimension Minimum Acceptable Clinical-Grade Requirement
Waveform access Computed features with published validation Raw ADC samples at ≥100 Hz; fully documented processing pipeline3
Signal quality Basic signal loss detection Per-epoch SQI, PI, motion artifact flag, off-body detection; all programmatically accessible6
Platform coverage iOS + Android foreground only iOS + Android background BLE; verified cross-platform wrapper parity
Security TLS in transit TLS 1.2+ in transit; AES-256 at rest; no default vendor telemetry; BAA available8
Interoperability Documented data format HL7 FHIR R4 Observation output; LOINC vital sign mapping; SMART on FHIR support9
Vendor stability Active maintenance Semantic versioning; explicit breaking-change history; OS-update SLA; clinical reference customer

FAQ

What is a biosensor SDK and how does it differ from a device API?

A biosensor SDK is a software development kit provided by a hardware vendor that abstracts the low-level device communication layer (Bluetooth LE pairing, data streaming, and local buffering) into a callable library for iOS, Android, or server-side applications. A device API is the endpoint specification for cloud or server-side data retrieval after the SDK has already transmitted data upstream. The SDK evaluation matters more than the API evaluation because the SDK determines what data is captured at the source: if the SDK discards raw waveform data before transmitting to the cloud, no API can recover it. A biosensor SDK evaluation should always begin at the device-to-SDK layer, not the cloud API layer.12

Why does raw waveform access matter for regulatory submissions?

FDA submissions for software as a medical device (SaMD) and digital therapeutics that cite biosensor-derived metrics require a documented signal processing chain. If the SDK only delivers computed outputs (heart rate as a numeric value, for example), the regulatory submission cannot describe how that metric was computed, what artifact rejection was applied, or how beat detection was validated in the study population. The entire evidentiary basis must then rely on the vendor’s own published validation study, which may have been conducted in a different population under different conditions. Raw waveform access enables your team to document and independently validate the complete processing chain from ADC sample to clinical metric, which is required for submissions where the biosensor metric is a primary endpoint or gating criterion.34

What sampling rate does a PPG biosensor SDK need to support HRV metrics?

Sampling rate requirements depend on the specific HRV metrics the application computes. For time-domain HRV metrics (RMSSD, pNN50), a native PPG sampling rate of 64 to 100 Hz enables reliable beat detection with appropriate peak-finding algorithms. For frequency-domain HRV analysis (LF power, HF power, LF/HF ratio), 128 to 256 Hz is required to preserve intra-beat waveform morphology for accurate spectral decomposition. Below 64 Hz, quantization errors in peak detection can approach the magnitude of the biological variability being measured, making RMSSD estimates unreliable. A biosensor SDK evaluation for any HRV application should confirm that the SDK exposes the native sampling rate without downsampling, and that the documented sampling rate is achievable under realistic BLE connection conditions, not only in a lab with a direct device connection.

What are the signs of an SDK that will cause problems post-integration?

Warning signs that a biosensor SDK evaluation should flag as high-risk: the SDK changelog contains breaking changes without migration guides; the last release was more than six months ago with no communication about OS compatibility; documentation is a PDF rather than versioned web documentation; the vendor cannot provide a customer reference in a clinical deployment context; the SDK does not expose signal quality metadata programmatically; terms of service include provisions granting the vendor rights to customer physiological data; and the vendor does not offer or declines to sign a Business Associate Agreement. Any single one of these is an escalation flag. Multiple flags together are grounds to stop the biosensor SDK evaluation and require a different vendor.10

Does a biosensor SDK vendor need to sign a HIPAA Business Associate Agreement?

Yes, if the SDK handles any data that can be associated with a patient identifier (name, medical record number, date of birth, device ID linked to a patient record, or any combination that constitutes protected health information under 45 CFR 164). If the SDK transmits, receives, maintains, or processes PHI on behalf of a HIPAA-covered entity, the vendor is a Business Associate and a signed BAA is legally required before any data flows through the SDK in a patient care context. A vendor who refuses to execute a BAA is not suitable for clinical deployment. Confirm BAA availability during the biosensor SDK evaluation process, before technical integration work begins, not after.8

How should a team evaluate a biosensor SDK if the vendor does not provide a test device before contract signing?

Require a 30-day paid or time-limited evaluation license before committing to a full integration contract. Any vendor unwilling to provide evaluation access is accepting a significant information asymmetry that benefits only the vendor. During the evaluation period, run the full Gate 1 through Gate 4 checklist against the actual SDK in a realistic test environment, not the vendor-provided demo environment. Specifically test background BLE connectivity under iOS, connection reliability during body movement, signal quality tracking across deliberately varied conditions, and encryption behavior by monitoring device network traffic. Document results against each gate before the evaluation period expires. A biosensor SDK evaluation that did not include hands-on testing of these conditions is not complete.52

For digital health and research teams building longitudinal physiological monitoring programs, understanding how the full signal stack (from raw PPG waveform through SDK to derived metrics) determines data quality and regulatory defensibility is prerequisite architecture knowledge. Review PPG signal quality fundamentals and what determines waveform fidelity, explore the modality comparison of PPG, ECG, and pulse oximetry for hardware selection context, and see how Sensor Bio’s open platform architecture is designed for raw waveform access, validated signal pipelines, and research-grade data output. Teams ready to evaluate a biosensor integration partner can start here.

References

References

  1. Malasinghe LP, Ramzan N, Dahal K. Remote patient monitoring: a comprehensive study. Journal of Ambient Intelligence and Humanized Computing. 2019;10:57–76. doi:10.1007/s12652-017-0598-x.
  2. Pantelopoulos A, Bourbakis NG. A survey on wearable sensor-based systems for health monitoring and prognosis. IEEE Transactions on Systems, Man, and Cybernetics. 2010;40(1):1–12. doi:10.1109/TSMCC.2009.2032660.
  3. van Gent P, Farah H, van Nes N, van Arem B. Analysing noisy driver physiology real-time using off-the-shelf sensors. Transportation Research Part F. 2019;67:149–161. PMID: 31632440.
  4. Makowski D, Pham T, Lau ZJ, et al. NeuroKit2: a Python toolbox for neurophysiological signal processing. Behavior Research Methods. 2021;53:1689–1696. PMID: 33528536.
  5. Dias D, Paulo Silva Cunha J. Wearable health devices, vital sign monitoring, systems and technologies. Sensors (Basel). 2018;18(8):2414. PMID: 30044415.
  6. Allen J. Photoplethysmography and its application in clinical physiological measurement. Physiological Measurement. 2007;28(3):R1–R39. PMID: 17322588.
  7. Orphanidou C, Bonnici T, Charlton P, et al. Signal-quality indices for the electrocardiogram and photoplethysmogram: derivation and applications to wireless monitoring. IEEE Journal of Biomedical and Health Informatics. 2015;19(3):832–838. PMID: 24858022.
  8. US Department of Health and Human Services. HIPAA Security Rule. 45 CFR Parts 160 and 164. Available at: hhs.gov/hipaa.
  9. HL7 International. HL7 FHIR R4 Specification: Observation Resource, Vital Signs Profile. 2019. Available at: hl7.org/fhir/R4/observation-vitalsigns.html.
  10. Grundy Q, Chiu K, Held F, Continella A, Bero L, Gilchrist R. Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis. BMJ. 2019;364:l920. PMID: 30814091.

BUILD ON TRUTH

Turn biometric signal into clinical infrastructure

Sensor Bio gives care teams, researchers, and digital health operators direct access to the data and workflows needed to monitor what happens between visits.

BUILD WITH US