Confidently Navigating Software as a Medical Device (SaMD) Product Development


There are specific technical and regulatory considerations for Software as a Medical Device (SaMD), many of which are still evolving. It is challenging to stay informed in this fast-changing landscape, especially with new regulations around artificial intelligence and cybersecurity. To help address these challenges, it is advantageous to partner with a company like Kitware that is experienced with navigating both the quality and regulatory aspects of SaMD engineering. There are many ways our team can provide support to medical device companies throughout a typical SaMD product lifecycle.

Understanding the evolving SaMD regulations

SaMD products are stand-alone medical devices that may perform a variety of functions, such as clinical decision support, therapeutic guidance, diagnostics, or patient monitoring. Since this is a relatively new area in the medical device industry, the regulatory landscape is still evolving. As technology advances and integrates the latest innovations (e.g. artificial intelligence), regulatory agencies including the U.S. Food and Drug Administration (FDA) are continuously updating their guidance documents.

Some of the technical and regulatory considerations you should be aware of for SaMD versus traditional hardware-based medical devices include cybersecurity risk mitigation, human factors engineering, unique installation and operational qualification requirements, software-oriented post-market surveillance processes, and evolving guidance from the FDA specifically related to AI software.

How to maximize speed-to-market for SaMD products

Whether you are just starting out or an established medical company pivoting to software, the many considerations for SaMD can be overwhelming. Good regulatory and quality advisors are essential for ensuring compliance with all of the evolving software standards, but it is equally important to find an engineering partner with hands-on experience building compliant SaMD products. An experienced engineering team can work more efficiently with your regulatory and quality teams to optimize speed-to-market and minimize costs. And bringing experienced SaMD partners on board early in your software design process will help avoid costly mistakes and delays.

SaMD engineering experts will positively impact your medical software product development lifecycle

IEC 62304 is the internationally harmonized standard that defines the product lifecycle process for medical device software. This standard is recognized by regulatory agencies around the world including the FDA. IEC 62304 describes product lifecycle activities in the following areas:

  1. New product software development process.
    Compliant medical device software is heavily focused on end-to-end product planning, testing, and documentation. It is critical to identify the right user needs and design inputs early in the process to avoid costly development iterations and revisions. Regulatory compliance requires traceability between all user needs and requirements and documented verification and validation testing.

    Expert SaMD engineers will understand how to design and document code modules that meet these traceability requirements under your Quality Management System (QMS). A well-planned software project leads to a well-executed project and a smoother regulatory pathway.
  2. Software maintenance (post-market release).
    Post-market software maintenance is done under the same QMS framework as new product development and requires the same risk analysis and regulatory oversight. For example, maintenance activities that introduce new software features and bug fixes may require regulatory re-submissions.

    Expert SaMD engineers will know how to work with your quality and regulatory team to triage and organize maintenance work to minimize unnecessary QMS and regulatory burdens.
  3. Risk management.
    Risk management activities are part of every stage of the SaMD product lifecycle. Medical software involves many detailed engineering decisions that can affect risk and change your burden of proof for safety and effectiveness. For example, basic human factors decisions in user interface design can dramatically alter risk categorizations.

    Expert SaMD engineers are key team members for your risk management activities. They will work closely with your quality and regulatory teams to ensure your product design stays aligned with your regulatory pathway.
  4. Configuration management (including the development environment).
    Configuration management in medical device software is all about attention to detail. It is a level of rigor that goes well beyond what is required for non-regulated software.

    Expert SaMD engineers are familiar with the increased requirements for medical software documentation, especially when engineering higher-risk category devices and AI components. Not only will this experience increase efficiency in your internal QMS process, but it becomes crucial to your company when facing audits and working with notified bodies.
  5. Issue tracking and resolution (post-market surveillance).
    Issue tracking and resolution, including Corrective and Preventative Actions (CAPAs), drives the maintenance cycle and is required by law as an important part of ensuring the safety and efficacy of your medical device. Collectively these activities are critical to supporting customers and the long-term success of your SaMD business. As your product matures, your software team will spend the bulk of their time on these activities.

    As with every other SaMD lifecycle phase, post-market surveillance activities gain efficiencies from expert SaMD engineers who know how to work proactively with your quality and operations teams to manage CAPAs and fix the issues.

    As SaMD software has evolved, several additional considerations in engineering for safety and effectiveness have gained importance, including the following:
  6. Cybersecurity.
    Cybersecurity vulnerabilities are a special category of risk for medical software, especially for connected devices and devices storing protected health information (PHI). Regulatory oversight of cybersecurity risk management is increasing. As of March 29, 2023, the FDA may issue a “refuse to accept” decision for premarket submissions that do not include compliant plans for monitoring and addressing cybersecurity vulnerabilities. These plans must adopt a whole lifecycle approach, including post-market patches and updates.

    PHI management, data encryption, and software process management are all specialized software engineering skill sets, making expert SaMD engineers who understand and mitigate cybersecurity risks an increasingly important part of your team.
  7. Artificial Intelligence (AI).
    The FDA is clarifying how to demonstrate safety and effectiveness through the post-market phase for AI in medical device software. AI in the medical software context is defined as machine learning algorithm components that are planned to be iteratively updated over time. In their draft guidance on AI, the FDA discusses the use of a Predetermined Change Control Plan (PCCP) for machine learning-enabled software functions that can reduce the burden of repeated regulatory filings. Navigating the AI regulatory landscape is shaping up to be a highly technical venture.

    Expert SaMD engineers will be vital to ensuring machine learning components are properly engineered and will work with your quality and regulatory teams to develop compliant PCCPs for complex algorithmic components.

Stay on top of all the latest changes with AI, cybersecurity, and SaMD

Finding a company to support both the regulatory and engineering guidelines is difficult. That’s why Kitware is proud to offer our customers comprehensive support for software medical devices. We provide regulatory experience and software engineering support throughout all phases of the SaMD product lifecycle, whether we are supplementing your internal engineering team, consulting on medical device software design and testing, contributing to specialized areas of development (e.g. machine learning and PCCPs), or helping with post-market surveillance activities and CAPA support. Kitware’s software engineers are recognized leaders in medical computing, machine learning, and software engineering, and are comfortable working closely with your team to provide support in these areas. We also bring considerable experience in software cybersecurity, as we work extensively with the U.S. government on classified projects. Kitware’s commitment to open source development can also provide a unique competitive advantage in terms of speed-to-market, lower documentation overhead, and more robust, bug-free code.

Take the next step in your SaMD lifecycle

This discussion of a SaMD lifecycle is a high-level illustration of a typical software process. It is important that every company develop its own compliant quality management system and operating procedures that are appropriate for their organization and device risk categorization. Kitware is happy to help you navigate this process. The FDA publishes extensive guidance on best practices for SaMD development (some related guidance documents are listed below), but you can contact our team to discuss how we can support you through a compliant engineering process for SaMD products.
