Design Related Risks in Software as a Medical Device (SaMD) Development


Is your product really a SaMD?

The Food and Drug Administration (FDA) and the European Medicines Agency (EMA) present similar, but slightly different, definitions for Software as a Medical Device (SaMD). It’s important to understand if your product’s intended purpose (or intended use) falls within or outside of the scope of SaMD in each respective regulatory market. Determining whether your device is a SaMD will drive product requirements, design, documentation, and approval pathways. Incorrectly categorizing your software may result in missing requirements or gaps in your Design History or Technical File that can delay the time to market.

Have you determined the risk classification?

The risk classification of a SaMD drives its development strategy, from requirements through design and manufacturing. Typically, lower risk devices have fewer requirements than higher risk devices. Understanding and properly identifying the risk classification early in development, and having a plan to maintain the highest level of quality no matter the risk category, can help prevent rework and a potential failure to obtain regulatory clearance.

Regulatory bodies like the FDA and EMA require manufacturers to implement a risk management process to ensure that the benefits of the SaMD outweigh the risks.

The US uses the International Medical Device Regulators Forum’s (IMDRF) risk classification for SaMD. The IMDRF document “Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations” uses risk management principles (e.g., principles in international standards) to identify generic risks for SaMD. The IMDRF’s risk classification system has four categories, with Category IV being the highest risk. SaMD that provides information to treat or diagnose a disease in a critical situation is considered Category IV.

It should be noted that the US and EU have different approaches to classifying SaMD. In the US, manufacturers classify SaMD by using previous devices as a guide, called a predicate device, in the premarket approval process. In the EU, manufacturers use a rules-based framework. Depending on classification factors, determining a SaMD’s class will drive design and submission requirements.

Have you considered cybersecurity requirements?

Identifying the cybersecurity and privacy requirements for your SaMD is key to thoughtfully building in the right protections for your patients and customers. Understanding the unique requirements for each country and/or regulatory environment upfront can drive intentional development and result in a product that complies worldwide. Cybersecurity breaches can cause harm to patients by exposing protected information to bad actors or, potentially, interfering with device functionality and directly impacting a patient’s health.

Most importantly, how are you protecting patient safety?

When developing a SaMD, it’s important to have an experienced team that understands SaMD development best practices and the framework required to develop a product that meets regulatory requirements, functions according to its intended purpose, and meets user needs. Cutting corners or not properly testing software can lead to failures or software bugs, which may introduce unnecessary risks to patients.

Considering human factors and usability in SaMD design is another way to protect patient safety. Human factors, or usability engineering, helps manufacturers design products that users can safely and effectively interact with, and limits potential use errors. The objective of usability is to design a product for the intended user of the software, including considerations for their cognitive abilities, physical abilities, or use environments.

Clinical validation of the SaMD is also important to verify the clinical safety and effectiveness based on the intended use. Clinical validation confirms that the SaMD can achieve the product’s intended use as it relates to the clinical benefit and is conducted by the manufacturer to support the SaMD’s premarket approval.

Monitoring a SaMD for safety and effectiveness doesn’t stop at the point of approval. Post-market monitoring and surveillance is key to keeping a pulse on the ongoing safety of patients in the field. Manufacturers must have post-release processes to actively collect user feedback, investigate complaints, implement appropriate software updates to patch vulnerabilities and issues, conduct systematic and ongoing cybersecurity risk assessments, and report adverse events to regulatory authorities, essentially establishing that the software remains safe and functions as intended while it’s on the market.

Why choose Innovenn for your SaMD development projects?

Innovenn can not only assist with determining your SaMD’s risk classification, but can also support your device development from early design and validation, through serial global regulatory submissions and post-launch governance planning.

By combining deep regulatory knowledge and risk management with advanced human factors expertise, Innovenn serves as a trusted partner enabling regulatory approvals, product adoption, and market success in health & wellness innovation. From program roadmaps, design requirements, and testing and validation all the way through regulatory submission, our team has the ability to de-risk development to avoid scientific or process failure.

To learn more and speak to one of our Subject Matter Experts, please contact us.