Medical Device Software: Considerations for Device and Risk Characterization

On February 2, 2024, the International Medical Device Regulators Form (IMDRF) Software as a Medical Device (SaMD) Working Group released a draft guidance document for public comment. This document expands on previous work relating to device characterization and risk characterization for an evolving and broadened scope of medical device software.

Due to the wide variations of medical device software, intended purposes, intended users and regulatory requirements in different jurisdictions around the globe, it can be difficult to have a harmonized risk classification approach. The IMDRF draft guidance document intends to find common ground regarding device and risk characterizations to support harmonization and better communication between stakeholders. It also provides a common vocabulary and identifies fundamental elements to consider when drafting intended use/intended purpose statements for medical device software.

This document applies to any software that meets the definition of a medical device such as Software as a Medical Device (SaMD), Software in a Medical Device (SiMD), mobile apps, cloud applications, etc. It was drafted relying on established risk management principles such as those in ISO 14971:2019 Risk Management for Medical Devices. This guidance document is intended to complement and not conflict or replace existing risk management practices or publications.

 

Device Characterization Considerations

Software can have varying intended uses, purposes and complexities.

A chapter of the guidance document discusses elements that assist in characterization of the medical device software:

• Key elements to incorporate into an Intended Use/Intended Purpose statement
• Categories of information to be incorporated into the medical device software description
• How the software addresses the medical problem and/or objective
• Intended user and intended use environment considerations
• Medical device software function and use descriptions as well as inputs and outputs discussion points
  • Information on how the result or output was reached and the algorithm or technology used
• Change management of medical device software, including discussing the degree and control of software training, learning and updates
• Distribution methods for the software

 

Medical Device Software Risk Characterization

This chapter of the guidance document discusses the unique risks that come with medical device software, as software is not a tangible item. Software-specific hazards need to consider both safety and cybersecurity risks.

Key points of consideration covered in this section include:

• Evaluation of the risk posed by the software in both direct and in-direct harms
• Information-based hazards associated with the software that could lead to harm (e.g., delayed, inappropriate or erroneous information)
• Possible harms and risks when implementing software dependent on the devices intended use

The risk characterization section ties the previous section on device characterization with risk assessment and management. It also points to an appendix that provides considerations in developing an understanding of “why the characteristic matters to the intended use/purpose of the software”. This is then used to help identify specific hazardous situations related to the software design and intended use/purpose.

The unique aspects of risk estimation for medical device software are also addressed. The document states that there is not a broad consensus on a method for quantitatively estimating the probability of occurrence of software failure. Also, cybersecurity risk management considerations focus more on the exploitability of vulnerabilities rather than the probability of occurrence of harm.

The document contains several Appendices which provide helpful examples of the discussion points made in the main document.

• Appendix A: Sample Intended Use/Intended Purpose Statement
• Appendix B: Characterization Feature Summary Table
• Appendix C: Example Considerations to Understand Software Hazards Associated with Device Design and Intended Use
• Appendix D: Example of Discussing Information Risk in Application to Risk Characterizations
• Appendix E: Examples Comparing Specific Risk Considerations

 

Next Steps

The IMDRF, Software as a Medical Device Working Group, welcomes public feedback on this draft guidance document. A link to the draft document and comment form is included below.

Medical Device Software: Considerations for Device and Risk Characterization | International Medical Device Regulators Forum (imdrf.org)

The closing day for comments is Thursday, May 2, 2024.

 

How can NAMSA Help?

NAMSA has experience working with medical device software developers for a wide variety of products. We provide regulatory and quality consulting services to orgnaizations that design, produce, develop, supply, or deploy and use any of the following:

• Software as a Medical Device (SaMD)
• Mobile Medical Apps
• Medical devices of all types with a particular focus on “active” devices and in vitro diagnostic (IVD) devices with or without software components or accessories
• Clinical Decision Support and health analytical software
• Software as a Service (SaaS) within the healthcare sector
• Artificial Intelligence (AI), deep learning, machine learning, big data algorithms

To learn more about NAMSA’s full quality and regulatory service offerings, please visit: https://namsa.com/services/regulatory/. Contact our leading quality and regulatory experts https://namsa.com/namsa-expertise/subject-matter-experts/.