Software as a Medical Device (SaMD) – Basics to know

In today’s world of healthcare, technology plays an important role in the life cycle of medical devices and software has become an integral part of majority of products that serve both medical and non medical purposes.

There are three types of medical devices related to software. Namely, Software as a Medical Device (SaMD), Software in a medical device and software used in the manufacture or maintenance of a medical device.

Use of SaMD is increasing gradually.  It can be used across a wide range of technological platforms such as medical device platforms, commercial “off-the-shelf” platforms, and virtual networks to name a few. Previously these were referred by industry, international regulators, and health care providers as “standalone software,” “medical device software,” and/or “health software,” and can sometimes be confused with other types of software.

Definition:

The definition of SaMD as defined by IMDRF is as follows “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”

Since the software possesses unique features which extend beyond the traditional medical device, there is a need to come up with a common framework and principles that enables all the stakeholders to promote innovation which is safe and protects patient safety. By keeping this in mind, International Medical Device Regulators Forum (IMDRF) in 2013 formed a group known as Software as a Medical Device Working Group (WG) aimed to develop guidance supporting innovation and timely access to safe and effective SaMD globally. The group mainly works on key definitions of SaMD, risk categorization, QMS and clinical evaluation of SaMD.

Following are the guidelines released by IMDRF to outline the key considerations of SaMD.

GuidelinesTopics Covered
IMDRF/SaMD WG/N10Key Definitions
IMDRF/SaMD WG/N12Possible framework for Risk Categorization and corresponding considerations
IMDRF/SaMD WG/N23Application of QMS
IMDRF/SaMD WG/N41Clinical Evaluation

Consideration as SaMD:

Software that is embedded as part of a hardware medical device and is necessary to drive the intended medical purpose IS NOT a SaMD. However, if the software is interfaced with other hardware medical devices and acts as an additional enhancement for its medical purposes can be considered as a SaMD.

Fitness or wellness apps are not considered as SaMD. It is clearly mentioned in both EU MDR 2017/745 and 520(o) (1) (A) – (D) of the FD&C Act (FDA) that are endorsed by IMDRF. In simple terms, a fitness or wellness software that are not related to diagnosis, cure, mitigation, prevention or treatment of a disease is not qualified to be called as SaMD.

The examples of “Not a SaMD software” are given below:

a) Mobile apps intended to manage stress

b) Mobile apps related to general lifestyle

c) Mobile apps that track baby’s sleeping and feeding habits

d) Apps that track sleeping patterns

Categorization of SaMD:

There are four risk categories identified based on the impact the SaMD has on the patient or public health. 

Classification:

Unfortunately, different regulatory agencies have different criteria for classification.

United States:

The SaMD classification criteria used by USFDA are as same as traditional medical devices. Additionally, SaMD involves level of concern. While it may be strongly correlated with risk class, but level of concern is not used to determine your device’s risk classification.

EU:

There is no specific class for SaMD in EU. However, Medical device software uses the same risk classification as traditional medical devices: class I, class IIa, class IIb, and class III.

Rule 11 of EUMDR states:

Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause: 

a) Death or an irreversible deterioration of a person’s state of health, in which case it is in class III; or

b) A serious deterioration of a person’s state of health or a surgical intervention, in which case it is classified as class IIb. 

Software intended to monitor physiological processes is classified as class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb. 

All other software is classified as class I.

IMDRF:

The IMDRF has put forth a guidance document to categorize SaMD. Based on the information provided in the document, there are four categories and the categorization is based on two factors namely, state of healthcare situation and significance of the information provided by the SaMD. The categorization table is provided below.

However, the IMDRF categorization is not widely used. But, it is helpful in determining the risk class in EU. One of the EU document, MDCG 2019-11, includes a table that combines both the IMDRF categorization and EU risk classes.

IEC 62304:

The IEC 62304 classification system has three levels based on the severity of injury that a software failure could cause: 

-Class A – no injury

-Class B – non-serious injury

-Class C – serious injury or death

Challenges in regulating SaMD:

-Software acting as medical device makes the data accessible over network. By keeping this in mind, it is important to maintain the data safety while aligning the functionality and efficiency of the product.

-With the diversification of software in the healthcare, the security concerns are high. Stakeholders, regulators, and various authorities at multiple levels must comply with regulations set by the FDA to fast track approval of the Software being developed for healthcare applications.

-Due to the dynamic evolve of internet there is a need to balance innovation and adaptability without putting the user’s data at risk.

SaMD is a growing sector and with new parties entering the domain, new ideas are pouring in. Developers need to Developers need to balance innovation and regulatory compliance to develop smart healthcare without compromising data sensitive to user.

KN CONSULTING AND SERVICES is a well-oiled marvel in the field of Medical devices regulatory consulting. We can provide you with flexible and detailed planning and consulting services suiting to your needs.

Medical Device Single Audit Program

History:

The Medical Audit Single Audit Program (MDSAP) was developed by the International Medical Device Regulators Forum (IMDRF) to allow third party auditors to conduct a single audit of a medical manufacturer that covers ISO 13485:2016 and the respective regulatory requirements.

A working group was established for MDSAP in 2012. Then, IMDRF initiated a three year pilot program between 2014 and 2016.

The main goal of the MDASAP program is to establish a union internationally that can work together to provide oversight and safety on a global scale to the medical device manufacturers.

Participating partners:

International partners that are participating in the MDSAP include:

MDSAP Members:

a) Therapeutic Goods Administration of Australia (TGA)

b) Brazil’s Agência Nacional de Vigilância Sanitária (ANVISA)

c) Health Canada (HC)

d) Japan’s Ministry of Health, Labour and Welfare, and the Japanese Pharmaceuticals and Medical Devices Agency

e) U.S. Food and Drug Administration (USFDA)

MDSAP Official Observers:

a) European Union (EU)

b) United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA)

c) The World Health Organization (WHO) Prequalification of In Vitro Diagnostics (IVDs) Programme

MDSAP Affiliate Members:

a) Argentina’s National Administration of Drugs, Foods and Medical Devices (ANMAT)

b) Ministry of Health of Israel (NEW)

c) Republic of Korea’s Ministry of Food and Drug Safety

d) Singapore’s Health Sciences Authority (HSA)

Status of MDSAP adoption in participating countries:

a) US: FDA will accept the results of MDSAP audits rather than conducting inspection. However, the agency still conducts its own initial visits to manufacturers and ‘for cause’ inspections.

b) Canada: after January 1st 2019, HC fully transitioned to accept only MDSAP compliance audits from the manufacturers.

c) Brazil: the authority will accept MDSAP for initial audits. However, it will continue to conduct its own inspections and audits for high risk devices.

d) Japan: the authority has fully adopted MDSAP and will accept MDSAP audit results in place of J-QMS audit.

e) Australia: another adopter of MDSAP. The authority recognizes manufacturers who pass the audit and satisfied their QMS requirements. The TGA recognizes MDSAP certificates as equivalent to CE certificates.

Eligibility:

a) Any manufacturer may participate in the audit program if their product falls under the scope of at least one participating country and subject to QMS requirements

b) Located anywhere in the world are eligible to participate

c) Only the MDSAP participating countries will have access to audit report

d) Manufacturers cannot select which of the 5 regulatory schemes to be included in the audit scope. All country specific requirements of the manufacturer’s target sale countries must be included

MDSAP actors:

Regulatory Authorities (RA): They are responsible for designating the Auditing Organizations (AO).  There are certain criteria to be fulfilled to designate AO. The RA’s will continue to monitor the program and they have the final decision.

Auditing Organization (AO): They plan, conduct and report the audit to RA’s.

Manufacturer: they engage with the AO for QMS audits. If there is any non conformity, they need to provide corrective action plan.

Benefits of MDSAP certification:

-Reduces the burden for a manufacturer in case of audits and inspections

-Minimizes business obstacles, reduces cost and saves time due to the single audit process

-Helps the manufacturer to enter new markets with ease

-Consistent multiple regulatory programs by participating regulators

-Positive image for the company

MDSAP audit cycle:

The MDSAP audit program is based on three year audit cycle. The initial audit, also referred to as ‘Initial Certification Audit’ consists of stage 1 and stage 2 audit. The initial audit is followed by partial surveillance audit and a complete Re audit, also referred to as ‘Recertification audit’ in the third year. A recertification audit may include stage 1 audit, if there are any significant changes to the already audited QMS.

Special audits are extraordinary audits that are not part of the planned audit cycle. These audits mainly focus on specific elements of QMS. These include audits conducted in response to an application for the extension to the scope of an existing certification, to determine whether or not the extension can be granted or as short-notice audits conducted to investigate potentially significant complaints, or if specific information provides reasons to suspect serious non-conformities of the devices, or for other reasons.

Unannounced audits: The MDSAP participating regulatory authorities require AO to conduct unannounced audits in circumstances where high grade non-conformities have been detected.

MDSAP audit process:

The MDSAP audit process involves seven chapters or processes. They are, four primary processes, one enabling process and two supporting processes which are mentioned below.

-Management

-Measurement, Analysis and Improvement

-Design and Development

-Production and Service Controls

-Purchasing

-Device Marketing Authorization and Facility Registration, and

-Medical Device Adverse Events and Advisory Notices Reporting

Each chapter contains multiple audit tasks that are verified during the audit. Each audit task references the applicable clauses of ISO 13485:2016. Below table gives an overview of number of tasks mentioned in each chapter.

MDSAP PROCESSNUMBER OF TASKS
Management11
Device Marketing Authorization and Facility  Registration03
Measurement, Analysis and Improvement16
Medical Device Adverse Events and  Advisory Notices Reporting02
Design and Development17
Production and Service Controls29
Purchasing12

MDSAP audit sequence:

The MDSAP audit sequence follows a process approach and has four primary processes – Management process, Measurement, Analysis and Improvement process, Design and Development process and a Production and Service Controls process with links to the supporting process for Purchasing. Also, it has two additional supporting processes: Device Marketing Authorization and Facility Registration and Medical Device Adverse Events and Advisory Notices Reporting. These are necessary to fulfill specific requirements of the participating MDSAP regulatory authorities.

The audit sequence should be followed as designed. However, under certain circumstances, judicious exceptions to the audit sequence are allowed considering there is sufficient justification and the core elements of the MDSAP Audit Approach, are respected.

The flowchart shown in Figure 1 illustrates the MDSAP audit sequence and interrelationships.

Figure 1.  Audit sequence

MDSAP grading system:

The MDSAP grading system was created to clarify and address inconsistencies within traditional audit grading approaches that make use of ‘Major findings’ or ‘Opportunity for Improvement’.

Non Conformities (NC) are assigned a grade between 1 and 5, which is calculated using a two step scoring system.

To determine the initial score, four point NC matrix is used. There are two categories based on clauses of ISO 13485:2016.

Indirect – Clauses 4.1 through 6.3, which have indirect impact on safety and performance of a medical device, it includes general documentation, and quality manual(s).

Direct – Clauses 6.4 through 8.5.3, which has direct impact on medical device safety and performance. The documents are mainly related to design, production, CAPAs etc.

Below table gives an insight in to the NC grading system.

Credits: MDR guide

Why choose KN consulting

KN consulting and services takes a proactive approach in informing our customers about the regulatory changes concerning the industry.

-Saves time and money

-Faster market access

-Expert guidance