The European Union Medical Device Regulation (EU MDR) 2017/745 added a specific rule for Software as a Medical Device (SaMD), or software-only products, that did not exist in the previous EU Medical Device Directive (MDD). Conversely, the United States has implemented various regulations and guidance for SaMD and software contained in medical devices over the past few years. In fact, updates to the United States regulations have created initiatives concerning software, use of software applications for personalized use, and regulating Artificial Intelligence (AI) based software. The FDA is currently recognized as the leader in implementing regulations and guidance for software applications. We will compare and contrast how software is viewed and regulated in these two jurisdictions: the United States and the European Union.
Software is produced in many different forms, depending on needs and integration with a medical device. These are commonly referred to as:
- Software in a Medical Device (SiMD)
- Software as a Medical Device (SaMD); also referred to as software-only applications
- In general, all software can be referred to as Medical Device Software (MDSW)
For simplicity, this article discusses the general requirements for SiMD and SaMD products, collectively referred to as MDSW. There are subtle differences between SiMD and SaMD at the detail level, though in general the overall requirements are the same.
Software design and development often follows its own processes within a medical device manufacturer, is part of the overall design control process, or is even outsourced externally by some manufacturers. Comparing the two regulatory regions, development of software is quite similar because companies use quality system standards, such as ISO 13485 and IEC 62304, for managing software processes. The biggest difference between the regulatory systems is how software risks, criticality, and clinical application are applied, as the classifications are different. Some software applications that are Class II in the United States may be considered Class I in the European Union, and vice versa. However, some aspects of medical device classification are different between the two regions because software class may not be considered the same. Software documentation is also generally the same between the two regions because the standard IEC 62304 is used internationally for the types of software documentation required.
The biggest difference is that the United States FDA is much more progressive and current on compliance requirements for software. This is shown by the publication of guidance on cybersecurity, requirements for cybersecurity in device submissions, and addressing Artificial Intelligence (AI) or Machine Learning (ML) as part of submission content. The European Union lacks any specific guidance or support for how these are reviewed or applied by Notified Bodies for certification review. The FDA has created the Digital Health Center of Excellence, which actively develops, revises, and maintains regulations related to software. This group within the regulator focuses on sharing ideas, engaging stakeholders, strategic implementation of regulations, and increasing awareness of digital health activities for medical devices. There are plans to bring these concepts to an international level through the International Medical Devices Regulators Forum (IMDRF), of which the United States and European Union are active members. The IMDRF also publishes various guidance documents related to SaMD, clinical evidence of software applications, cybersecurity, and change management.
Another difference between the US and EU comes in the review process and classification. Table 1 provides some comparisons and contrasts with topics in MDSW regulated by the United States and the European Union.
Management of software in the EU can still be a struggle for many organizations due to a lack of clear guidance documents and challenges of interpretation in the rule-based classification system. There is no central or core group managing or directing how software applications are managed and regulated, or supporting the continuing evolution of software with medical devices. This can be quite challenging because software requirements are often defined by the company with no clear guidance to rely on. Then, during the review process for CE Marking, this results in significant interpretations being made between and within Notified Bodies. Organizations must rely on international guidance through IMDRF, or build on a good base from other regulatory agencies, such as the FDA, to generate complete software documentation.
Currently, the United States has a progressive and proactive approach toward managing MDSW through defined requirements and guidance. Many organizations utilize these guidance documents from the FDA for development, life cycle approach, and software documentation. They then apply these concepts to other regulated regions, including the European Union. Even though the FDA has an active approach to managing medical device software, the software industry still often moves faster than the regulatory agencies can produce guidance. Medical device manufacturers can utilize existing published guidance, a software development life cycle approach, and good practices defined by their quality system to properly manage software development, changes, and maintenance. There are significant differences between the United States and European Union, including device classification and the approach to which types of software are regulated.
Stay informed on how each of these regions regulates medical device software through these publications and further assistance from NAMSA.
Richard Vincins
Richard Vincins has been in the industry for 30+ years, focused on medical devices specifically in these therapeutic areas: catheter technology for numerous clinical applications, laser medical devices for surgical and aesthetic procedures, software applications for digital health and In-Vitro Diagnostic (IVD) medical devices.
- Achieved 510(k) clearance several times in less than 60 days for Class II products through US FDA
- Implemented a full Quality Management System for ISO 13485 certification in less than 9 months for Class II electromechanical product
- Updated and submitted Class IIb medical device Technical Documentation for EU MDR 2017/745 compliance obtaining approval in less than 6 months
His previous roles have been in quality engineering, quality assurance, compliance, regulatory affairs and clinical development support. Prior to joining NAMSA, Richard held positions with Emergo Consulting, bioMerieux, Lumenis, Medtronic and C.R. Bard. He’s spent the last 15 years in consulting, spanning multiple companies and medical device types. In his role as Vice President of Quality Assurance Consulting at Emergo, he compiled and submitted numerous 510(k) applications for US FDA, supported IDE and clinical applications, generated Technical Documentation for EU MDD/EU MDR, and provided technical writing services for clinical evaluations, biological evaluations and risk management files. His role in leading consultants and teams led to the clearance and approval of new, novel medical devices in the U.S., Europe, Canada and other markets around the world.