Blogs

Software as a medical device (SAMD) - classification overview

Wendy Levine

February 7, 2022

4 min read

What is software as a medical device (SaMD)?

As the pace of technological innovation continues to increase, the definition of what constitutes a medical device also continues to evolve as countries update regulations. In 2013, the International Medical Device Regulators Forum (IMDRF) created the Software as a Medical Device working group. Currently chaired by the U.S. FDA, the working group is chartered with developing guidance that encourages innovation while assuring safe and effective products. While SaMD is regulated differently in different countries, this article will focus on the many similarities, and some differences, between the FDA regulations in the U.S. and the MDR regulations in the EU.

In general, medical device software falls into 3 different categories:

Software as a Medical Device (SaMD): The IMDRF defines SaMD as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.” We list specific examples below, but typically the software classified as SaMD isdesigned to run on generally available hardware, such as Windows computers or mobile devices, or online in the “cloud”. While they may be utilizing data from another medical device, SaMD performs its function independently of any medical equipment or hardware.
Software in a Medical Device: Sometimes referred to as SiMD, Software in a medical device cannot operate separately from its device, or perform its primary function without the device. For example, the software used to program and run an MRI machine would be useless without the MRI machine. Software in this category is regulated together, and as part of, the whole device.
Software as an Accessory to a Medical Device: Similarly to Software in a Medical Device, software in this category cannot fulfill a medical purpose on their own. In some cases, a manufacturer may be able to bundle or embed the software in the medical device (making it SiMD) and/or also sell the software separately, making it an accessory.

Similarly, in Europe, the European Commission’s Medical Device Group (MDCG) defines Medical Device Software (MDSW) as a having its own intended purpose. Software which controls a medical device or is otherwise part of a medical device and does not serve a separate medical purpose does not qualify as MDSW, but is regulated by the MDR.

Software in the SaMD category is both a medical device AND software - with relevant regulatory and quality considerations that are specific and unique to each category, yet which must work in tandem. For example, software development best-practices, referenced by the IMDRF SaMD working group, call for iterative feedback loops allowing for quick turnaround of feature requests and bug fixes. While the ability to provide the latest technology and features to the market is an important advantage with SaMD, it does not supersede applicable medical device regulations governing patient safety and efficacy.

Examples of software as a medical device (SaMD)

Because SaMD software, by definition, is capable of running independently of any specific medical device or hardware, there is a relatively clear line between Software as a Medical Device and other medical software:

Software as Medical Device (SaMD)	Not SaMD
Software that evaluates MRI images and makes diagnosis recommendations.	Software that controls an MRI machine (SiMD).
A mobile app that monitors a patient’s heart rate or glucose levels and makes treatment recommendations to the patient and/or patient’s doctor.	Software that allows a patient to control their insulin pump based on glucose readings (SiMD).
An application, based on machine learning algorithms, that reviews patient health data and makes treatment recommendations.	Software that securely stores patient health and treatment history (Digital Health Records or Medical Information System).

SaMD regulatory overview and framework

Why does SaMD have independent regulatory considerations?

Over the past decade, the IMDRF, FDA, and other regulatory bodies have worked to better align regulations with the quickly evolving capabilities and nature of digital devices. Software-only devices (SaMD) generate unique opportunities and considerations:

Because SaMD software typically runs on publicly available hardware:

SaMD software must not only be designed to work on specific platforms (usually multiple), but must also be tested and updated frequently as new hardware and operating systems become available.
Agile software development methodologies can provide an environment in which fast product feedback loops are supported within the required regulatory framework.

Because SaMD software can be made readily available to the general public, or specific patient groups, using their own devices:

SaMD software can generate faster user/patient feedback - both for medical professionals and for the device manufacturer. Given this environment, regulatory bodies generally want to enable the market to safely take advantage of new innovations as quickly as possible.
Product testing needs to take into account the unique and varied environments in which the software may be used, potentially in environments the product is not intended for. The software developer cannot control updates to operating systems or internet browsers, other software that may be running on a user’s device, or the ability for the user to potentially share software or data with others.
The advantages of quickly delivering product fixes and updates need to be measured against potentially introducing new, possibly misunderstood or unwanted features, to all users at once.

SaMD and MDSW risk-based categories

As with all medical devices, the FDA and European MDR classify SaMD and MDSW, respectively, based on the potential impact to patient or public health. The SaMD categorization framework from the IMDRF is an effort “to introduce a foundational approach, harmonized vocabulary, and general and specific considerations, for manufacturers, regulators, and users alike to address the unique challenges associated with the use of SaMD...” This framework provides guidance only for today’s medical software developers, as well as regulatory bodies, such as the FDA. The chart below lists these risk categories by the state of the healthcare situation or condition and by the significance of the information provided by the SAMD:

SaMD categories

State of healthcare situation or condition	Treat or diagnose	Drive clinical management	Inform clinical management
Critical	IV	III	II
Serious	III	II	I
Non-serious	II	I	I

‍‍SaMD Category I:

SaMD Category I software can provide information for both Serious and Non-Serious health conditions or diseases. Software dealing with serious conditions can be classified in Category I only if it is providing information to inform, not drive, clinical management and is of low impact. Otherwise, Category I SaMD software provides information related to non-serious diseases or health conditions.

Example: Software that collects exercise-related data, such as heart rate, number of steps, and distance walked. If the information is stored and/or transmitted for use by a qualified professional the software is considered to be in Category I, as long as the information is not used by the software to make treatment recommendations directly to the patient or healthcare provider.‍

SaMD Category II:‍

SaMD software in Category II may be used to provide information relevant to a non-serious, serious, or critical healthcare condition or disease, depending on the significance of the information it provides to the healthcare decision. Software that is used to treat or diagnose a health condition is only classified in Category II for non-serious health conditions. Software that provides information regarding serious or critical health conditions or diseases will be classified in Category II only if it provides information to drive or inform, respectively, clinical management decisions (as opposed to providing treatment or diagnosis recommendations directly).‍

Example: SaMD that monitors a diabetic patient’s carbohydrate intake and blood glucose level to calculate recommended insulin dose.‍

SaMD Category III:

SaMD software that provides information to treat or diagnose serious conditions - or which drives clinical management for a critical condition - is classified in Category III.‍

Example: SaMD that analyzes individual data from at-risk populations for a specific type of cancer, and is used to develop preventative intervention strategies. ‍

SaMD Category IV:

SaMD Category IV software provides information used to treat or diagnose a critical health condition and is considered to be very high impact.‍

Example: SaMD that evaluates images of skin lesions in order to determine malignancy. ‍

For SaMD intended to be used in multiple healthcare situations, the software will be categorized at the highest category according to the SaMD definition statement. ‍

SaMD within the FDA and MDR regulatory framework

The graph below relates SaMD categories with FDA medical device classes, and further identifies where an independent review is recommended by the FDA. For additional information see Software as a Medical Device (SaMD): Clinical Evaluation. Guidance for Industry and Food and Drug Administration Staff.‍

Note that FDA regulatory classifications more closely align with the IMDF’s SaMD categories than do those defined by under the European MDR. In the U.S., a device is classified by identifying similar, predicate devices. The simpler 510(k) pre-market submission can be used if a manufacturer can show that their device is substantially equivalent to a Class I or II device. With few exceptions, devices that are Class III are subject to the more rigorous Pre-Market Authorization (PMA) process. Devices where no substantial equivalent can be shown are subject to to the PMA or De Novo regulatory submissions processes. The De Novo process was implemented in 2010 to provide a pathway for novel devices with lower risk profiles.

Medical Device Software is classified by the European Commission’s Medical Device Coordination Group (MDCG) into Class I, II, or III. For devices falling under the IVDR, the MDR defines four classes using letters; A, B, C, and D.

Intervention type	Treat or diagnose	Drive clinical management	Informs clinical management
Critical	III	IIb	IIa
Serious	IIb	IIa	IIa
Non-serious	IIa	IIa	IIa

In the EU, a rules-based framework is used to classify devices. MDSW classification is relatively complex, using a series of 22 “waterfalling” rules with yes/no questions that lead to a final classification of each device. While we won’t go into detail in this article on each of the rules, Rule 11 does deserve discussion. (You can read the Guidance on Classification of Software for MDR and IVDR here).

The MDR’s “rule 11” regarding MDSW classification was released in 2017. This rule states, in part, that “Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa.” The rule then provides 2 exceptions that increase the MDSW classification in cases where the decisions could cause “a serious deterioration of a person’s state of health or a surgical intervention” (class IIb), or could cause “death or an irreversible deterioration of a person’s state of health” (class III).

As a result of this rule, very few MDSW products can be classified as Class I, meaning that the majority of MDSW is subject to conformity assessments by a Notified Body. Medical software manufacturers marketing their product in Europe should therefore not rely on previous product classifications as a guide.

The future of regulatory approval for software as a medical device (SaMD)

The FDA recently released a new draft guidance document addressing the Content of Premarket Submissions for Device Software Functions. This is a major update of the 2005 guidance on pre-market submissions for software in medical devices and is also long overdue, given the pace of change in the software industry (the FDA originally committed to delivering this update in their fiscal year 2019 as part of the MDUFA IV agreement). This guidance sets out requirements for all pre-market submissions, including 510(k), DeNovo, and PMA submissions.

The recent draft document provides additional guidance around the documentation required for premarket submissions. It defines an “enhanced” level of documentation required for software that is a Class III device, combination product, Blood Establishment Computer software, or when the failure of the software would present probable risk of death or serious injury.

Staying on top of medical device classifications

Classifying a medical device and gaining regulatory clearance can be a complex process, especially if the device contains software or other emerging technology where some regulatory bodies may be further along than others in developing applicable regulations. For additional information about some of the common pathways to market for new products in the U.S., read our Beginner’s Guide to the FDA 510(k) and Beginner’s Guide to the FDA De Novo Classification Process.

Interested in learning how Rimsys can automate your submission process? Request a custom demo of our RIM platform.

Share this post

Featured

Rimsys Announces Rimsys AI to Eliminate Repetitive Tasks and Enhance Decision-Making for MedTech Regulatory Teams

Rimsys, the leading Regulatory Information Management (RIM) platform for the MedTech industry, today announced the launch of Rimsys AI, a suite of embedded artificial intelligence (AI) agents.

Defining nonconformance

Very simply, a nonconformance occurs when a specification is not met. The FDA defines a specification in 21 CFR 820.3 as “any requirement with which a product, process, service, or other activity must conform,” and ISO 13485:2016 as a “need or expectation that is stated, generally implied, or obligatory.”

While managing nonconformance starts with fully defining specifications; it is the identification, tracking, and resolution of nonconformance that is a focus of medtech quality and regulatory teams and a requirement of both ISO 13485:2016 and the FDA’s 21 CFR Part 820 quality system regulation.

Identifying nonconformance occurrences

As part of a compliant quality system, medical device manufacturers should implement procedures to identify and address both major and minor non-conformances. Nonconformances may be identified through processes found in multiple subsystems that are part of an overall quality management system within the organization.

The systems and subsystems in which nonconformances are identified typically include:

ERP
Regulatory information management (RIM)
Product lifecycle management (PLM)
Document management
Customer service / customer management
Complaint handling
Device history records
Audit management
CAPA
Training/learning management
Calibration/preventative maintenance
Development change management

Evaluating nonconformance

Once a nonconformance is identified, it should be evaluated in a timely manner, and a determination made as to the disposition of any affected products. Requirements for additional investigation and reporting should also be identified. Based on the severity of the nonconformance and its effect on the safety and efficacy of devices being manufactured or already in the market, a CAPA (corrective/preventative action) record may need to be created. In the U.S., this is defined in the quality regulation 21 CFR Part 820.100.

To disposition a nonconformance, consider the following:

Will the existing system detect the nonconformance if it recurs in time for remediation?
How likely is it that this issue will recur?
What is the impact of the non-conformance (i.e., could it affect patient health)?

Issues that are more severe or are more likely to recur should trigger a more immediate and comprehensive response.

Nonconformances that are escalated and handled under CAPA are based on risk and can include those that have or could have an impact on a product or process that is:

Not easily corrected
Recurring
Severe

In addition, nonconformances that rise to the level of a CAPA require significant resources and typically result in a full project to identify root cause(s), containment, and corrective actions, and monitoring for effectiveness.

Nonconformances that don’t require a CAPA have simpler resolutions that include documenting actions taken to correct the issue (or justification for no action). If the issue is not recurring, there may be no other action required. For example, a nonconforming material received from a vendor may be a singular issue that was easily identified through existing inspection procedures and is not expected to recur. In this case, the material is returned to the vendor and no additional action is required.

Processes that are out of conformance are often resolved through improved documentation and/or additional user training. However, be sure that the true root cause of the nonconformance is identified as procedural nonconformances can signal additional issues.

Documenting nonconformances

An important part of nonconformance procedures is the nonconformance report (NCR) or other documentation procedures. Nonconformances are typically documented within the subsystem in which they were identified. Some organizations will have a nonconforming system in which issues originating from all subsystems are documented. Centralized nonconformance systems allow for trending and other analysis across all subsystems, the results of which may generate CAPAs.

The requirements for documenting a nonconformance may vary by subsystem. In general, however, nonconformance documentation records:

The requirement/specification that was not met.
The objective evidence supporting the determination.
The action that is being taken to address the nonconformity.

Nonconformances are a common point of focus during quality audits by regulatory bodies, including the FDA, and should follow a well-documented process. Auditors will often try to determine if the quality system is functioning effectively by looking at self-identified nonconformances and comparing them to externally reported nonconformances. This is to ensure that nonconforming products were not released, or that the appropriate actions were taken to resolve issues in the field.

The importance of nonconformance reports

Nonconformances related to distributed products of higher risk result in nonconformance reports issued to government authorities through vigilance reporting, medical device reporting, and field action/recall reports. For example, the FDA requires that a medical device report be submitted within 30 days of a serious adverse event (see 21 CFR Part 803 Subpart E). Strong reporting procedures for nonconformances of all types are important in identifying trends, addressing issues before they become critical, and as part of a complete quality management system.

A nonconformance reporting procedure is only part of a strong quality system. Read An overview of 21 CFR part 820 and ISO 13485 overview for more information on establishing quality systems for medtech companies.

‍

Why we developed Rimsys from the ground up

Wendy Levine

May 26, 2022

4 min read

Rimsys has had quite a year already! In early December, we closed on $16 million in Series A financing and since then we have been carefully growing the company to better serve our customers and the regulatory affairs community. We have almost doubled our employee count and redesigned the Rimsys system to deliver deeper functionality that is even easier to use. We had our first in-person employee meeting here in Pittsburgh at the end of April where we introduced our new mission statement, and we are all excited to be doing our part to improve global health!

All of these changes made us think back to the founding of Rimsys and how far we have come. So - I sat down with Rimsys Founder and CEO, James Gianoutsos, to talk about the genesis of the company and how he knew that a new type of system designed for medtech regulatory affairs professionals was needed, and needed to be built from the ground up.

Q: What was the biggest challenge you faced as a regulatory professional that led you to form Rimsys?

James: The biggest challenge I saw while working at Philips for many years was completely understanding the complexity and the nuances around everything regulatory from a product standpoint. This really came to light whenever we acquired products. Just seeing firsthand how inefficient and out of compliance these manufacturers really were, and how hard it was from an administrative standpoint just to get into compliance and then to stay compliant, was striking.

I was working with a smaller medical device company which had acquired products from Philips. Philips provided the company with a list (a color-coded Excel spreadsheet) of all of their products that the company had acquired along with the registration status of those products globally. After digging into the spreadsheet for several months, we found that about 50% of it was wrong, incomplete, or just completely missing. The company was trying to keep track of registration information, but the available tools were making it nearly impossible. I realized that this was the challenge, and that there really wasn’t a solution on the market that could solve that problem in an easy manner and in a medtech regulatory-focused way.

‍Q: There were solutions on the market that were geared more towards the pharmaceutical industry, correct?

‍James: Yes. So I did what every other regulatory professional did, which was to Google “regulatory software,” and I saw that there just really wasn’t anything on the market that fit our needs. The solutions on the market really were pharma-specific, even those that said they worked with medical devices. The workflows and regulatory requirements for medtech are very specific for each market, depending on the product type and risk class and so many other factors. To use a pharma system that was already on the market just wasn’t even an option because it was like comparing apples to oranges. It is completely different from the regulatory and workflow side of things.

‍Q: There are existing tools used by the regulatory community, such as quality management and document management systems. Did you envision the new RIM system integrating with existing tools, replacing them, or a little of both?

‍James: I never set out to replace those types of systems, no. In fact, I knew that existing system architecture and infrastructure couldn’t handle the specific medtech regulatory workflows but needed to connect to those systems. There have always been PLM (Product Lifecycle Management) systems that contain a company’s product master data, but those systems were never meant to be workflow-driven based on regulatory requirements. At the same time, they are critical for organizing and maintaining product-specific metadata. Then there are ERP systems, which are really about making sure companies have sales flags (i.e. regulatory blocks) in place, appropriate shipping codes, or selling status linked to product registration status. Regulatory professionals are concerned about answering two questions for ERP users; one, “does the product have a valid and current registration within the country or market,” and two, “if it is registered, are we selling and shipping into that market.” Lastly, quality/document management systems house critical documentation and records needed for registrations. The problem with these systems is that there are no regulatory workflows and no way to compile technical documentation, leaving the documents and records siloed from the regulatory filings.

To do the things that a regulatory affairs professional, in a critical regulatory department, does for their company, the system really had to be built from the ground up with all of these systems in mind. It had to be product-centric. It had to integrate with all these other sources of information, because there really wasn’t a common connection point between your products, your documentation, and the records that you needed to compile and how that relates to getting products on the market. We had no way to communicate to our other systems that a product is actually available for sale in that market or that it confidently can, or more importantly cannot, ship to that market.

‍Q: What was the most difficult piece of functionality to implement in Rimsys?

James: Well, at the time it kind of all seemed difficult! No, really the most difficult part was thinking thoughtfully and strategically about how data was going to be mapped and used in conjunction with other data elements, in order to make the system most helpful from a user perspective. We wanted to single-source information to enhance and streamline regulatory workflows, but then also make sure that it was as user friendly as possible. There are a lot of stakeholders that need information or have input into regulatory workflows. Quality assurance, marketing operations, R&D, engineering, sales - all of those specific stakeholders need to view information in a way that is understandable to them.

We worked hard to bring all that information, streamline complex regulatory workflows, and all of those internal and external data sources together in an understandable and user-friendly way.

Q: How important has the technology itself been in the creation of Rimsys?

James: Technology has been a huge advantage for us from day one. Our team had quality and regulatory backgrounds, so we knew what companies would expect from us. We knew we had to be 21 CFR Part 11 compliant. We knew we had to be ISO 27001 certified. We knew we had to have SOC2 Type 2 reports. We knew we had to integrate with a company’s existing IT infrastructure. We really had to build this thing from the ground up on a GxP compliant platform that we could build upon and expand, without having to go back and reinvent the wheel every time we added new functionality.

It’s continued to pay dividends for us because it was something that we thought about from the beginning and that gave us a lot of flexibility. We already had the system and infrastructure in place that we could then expand upon a lot more quickly than we would have been able to otherwise. It’s like the difference between building a house today and trying to remodel a house that was built in the year 1900. If you break down a wall in the older house, there might be so many hidden issues behind that wall - load bearing issues, knob and tube wiring, asbestos, etc. With new modern infrastructure, it is just night and day in terms of adapting quickly with changing regulations and a fast-paced market.

Q: Was there any specific technology you can talk about that became important to the development of Rimsys?

James: Our choice of technology was driven by our desire to build a system that was user friendly and built on a modern infrastructure that felt familiar to our users. So, we took a lot of the Google framework to build an application that didn’t look like enterprise software, but looked and felt more like a consumer product that is inviting, not overwhelming.

The other thing is that we built the system from day one to integrate because we knew we had to connect with a lot of different sources of information. We strategically built the system with API’s in mind.

Q: What is Rimsys doing differently than other software companies in the regulatory space?

James: We are creating a holistic solution, which is different from what is out there now. We know that registration management is just one key aspect of what regulatory affairs teams need. In order to create a proper regulatory system, we had to take into account all of the data and dependencies and build a system specifically for medtech regulatory teams and other key consumers of regulatory data. There has to be a single source of truth for this data, because otherwise it becomes a nightmare at the end of the day. Existing software solutions were siloed and purpose-built for other industry needs, such as eQMS, PLM and ERP. None of those systems can do what a holistic RIM platform can do. Because of the complex workflows, the regulatory needs are far too broad and interdependent, that data infrastructure is completely different, data sources are too numerous, and the systems offer limited support to bring everyone and everything together into a cohesive, streamlined, compliant and medtech-specific solution.

Another key component of what we are doing is to institutionalize regulatory knowledge and resources into Rimsys—this is at the heart of who we are and what we do. Having the only purpose-built, holistic RIM platform built by and for regulatory professionals specific for the medtech industry really couldn’t be done without internalizing that experience within our own team.

Q: What are you most proud of when it comes to Rimsys?

James: I think there are two things that immediately come to mind. Having our Rimsys 5 platform launch is really exciting. This is the fifth iteration of our platform, and we did it by listening to our customers and iterating over and over again to get it right. We had to go back to the drawing board a couple of times, not because what we had written wasn’t working, but because our customers that were using the system every day gave us better ways to do things. Rimsys 5 is a really proud moment because this is the platform that we are taking into the future, that will let us get to the next level where we are truly empowering regulatory professionals to make critical decisions and do the job that they are meant to do.

The ability for us to listen to our customers, take that feedback and move fast is the second thing I’d mention here. We know that this has to be a validated system, but we are able to make changes and add features in a way that is thoughtful and gets our customers what they need right away. Regulatory professionals are very particular. I know since I am one, and making sure they are comfortable using Rimsys from day 1 is critically important. Being a customer-centric company really makes our experience as a team extremely rewarding.

Q: Where is Rimsys going next? What are you most excited about?

I think I am most excited about Rimsys being an advocate for the medtech regulatory community and helping them wherever we can. Regulatory has a seat at the table now and it is a great feeling to see that we’re able to help these companies to streamline their workflows, accelerate time to delivery for life-saving products and maintain that compliance to keep those products on the market. Regulatory affairs is a mission critical department that the medtech industry cannot underestimate. It’s empowering because while we are helping our customers, they are helping us and every single one of our other customers through the journey of regulatory uncertainty that everyone is going through right now. It feels like a real partnership between us, our customers, and the industry as a whole and I am excited to see where that will take us.

I am also really excited about where we are going with regulatory intelligence. We are just scratching the surface of this now, but you will see regulatory intelligence data built into Rimsys and providing RA professionals with tools that can really provide a competitive advantage for their company. The release of Rimsys 5 platform (“Phase 1”) provides us that platform that will take us into “Phase 2” of Rimsys, with embedded intelligence that will further empower regulatory professionals to make decisive, correct and confident decisions for their products and their company.