Anvisa, the Brazilian national healthcare authority, has published a regulation dedicated to the software with the intended medical purpose.
Purposes of the New Brazilian SaMD Regulation
The document outlines the main regulatory issue to be solved by the legislative means. According to the document, the software with the intended medical purpose rapidly develops nowadays due to its innovative flexibility. At the same time, existing rules and regulations do not meet the new needs arising from the further spreading of medical software. The ANVISA states that some of the rules are not applicable to medical software (e.g. the requirements on labeling or packaging). Thus, there is a certain regulatory gap to be solved.
The proposed regulatory framework is intended to implement additional measures in order to prevent or mitigate risks associated with the use of medical software. In particular, it is necessary to develop a new approach to the regulation based on the information necessary to ensure the safety and performance of the software as a medical device (SaMD). According to the position of the regulating authority, it is also important to expand the awareness of the issues associated with the medical software and to establish the special exemption criteria for certain SaMDs. The new regulation should cover such aspects as:
- Harmonization of international SaMD regulation,
- Registration and notification as separate procedures,
- Statistical systems of medical data,
- Cybersecurity threats and vulnerabilities,
- Transparency of the information regarding compatibility and connections.
The new regulatory framework on medical devices to be implemented in Brazil is actually based on existing regulations adopted in the US, Europe, Australia, Canada, and also on the recommendations for the International Medical Device Regulators Forum (IMDRF).
As the result, ANVISA expects that the special controls in the sphere of medical devices would be reinforced, especially in the part of the safety and performance matters. The authority also intends to reduce the informational imbalance between the manufacturers (developers) and users of medical software.
The main regulation on registration of medical devices has been adopted earlier in October 2001. The scope of the document covers medical devices (equipment), medicinal materials, and in vitro diagnostic medical devices. The medical devices category also includes the software as a medical device which constitutes an independent medicinal product.
Examples of medical software include:
- The software intended for processing the images used for diagnostic purposes,
- Diagnostic software (e.g. those measuring the glucose level),
- Certain applications.
The scope of the new SaMD framework covers the following types of medical software:
- The software with the intended medicinal purpose designed to operate on non-specific equipment, and
- Special medical software operating medical devices.
The new regulation also refers to the special international standards, such as IEC 62304: 2006 Software for medical devices. However, medical software is not subject to certification since there is no regulated certification process for medical software in Brazil due to the absence of the standard allowing to certify it. At the same time, there is a possibility of voluntary certification.
Basics of the New Approach to Medical Software Regulation
Despite the aforementioned regulations cover medical software, some of the rules set forth therein cannot be applied due to the nature of the software (thus, such rules could be applied only for medicinal products having physical form while medical software exists only in the intangible form). At the same time, certain points that are important in the case of medical software are actually falling outside the scope of the aforementioned regulations – for example, such aspects as version control.
The ANVISA also states that medical software is subject to recalls more often than any other type of medical device.
As it was mentioned before, Brazil is also taking steps to implement the principles developed by the IMDRF – a voluntary association of regulating authorities in the sphere of medical devices focused on the development of the new regulatory approaches based on the issues the industry faces nowadays.
The regulating authority mentions that the Brazilian medical software market could be hardly evaluated. However, its certain key features still could be outlined, namely:
- General complexity of the sphere,
- The relatively short lifecycle of the product – some of them could become out-of-the-date even before sufficient information regarding their benefits and risks would be collected,
- The sector is represented by large global companies, as well as local businesses. Approximately 90% of market participants are small or mid-size companies (the revenue is lower than 50 million Brazilian Reals). Only 10% of the companies are large and have a significant market share.
- The taxation regime is the same for all types of medical devices.
- Brazil faces a significant increase in demand for medical devices.
- The information about the rules on the use of various types of medical software is not easily accessible.
- There is a significant imbalance in technical and economical information. For example, there is no standard nomenclature allowing us to determine substituting products.
- Harmonization of the terminology actually depends on the standardization of approaches to the information. The authority states that nowadays the country faces certain issues with the classification of medical devices.
- The informational imbalance creates additional benefits for those having specific knowledge about the products e.g. for doctors, suppliers (manufacturers or distributors), or administrators responsible for procuring medical devices.
- Innovations in the medical software segment are based on continuous improvements.
According to the information published by the authority, the medical software market is highly globalized due to the ease of supplying the software via the Internet. The ANVISA also highlights the following specific features of the Brazilian medical software market:
- Most of the manufacturers are still using medical software based on the platforms that are already out-of-the-date (e.g. Windows XP). These platforms are neither subject to new security updates and nor compatible with new details and improvements.
- There are certain obsolete systems that could not be replaced within a short period of time.
- Medical software manufacturers (developers) are not always following the latest trends in cybersecurity which becomes of the essence nowadays.
- Products used in the healthcare sphere could have various configurations and platform version, that creates needs in standardization.
- There are certain approaches to verification and validation of computer systems in Brazil. However, most of them are only in the early stages of the development process.
Besides the aforementioned information, the document published by the ANVISA also describes the approach to risk-based classification to be applied in the case of medical software. The authority pays special attention to the risk associated with cybersecurity issues. Some of the risks are also associated with personal data protection. As a conclusion of medical software risk analysis, the ANVISA states that information systems lack information about the safety and effectiveness of medical software, including software-as-a-service (SaaS). The existing approach to risk-based classification cannot be applied in the case of medical software, while the IVD software should be subject to special classification rules.
Summarizing the information provided here above, the new document published by the ANVISA describes the approaches to the regulation of medical software in Brazil, including the overview of the current situation and issues the industry faces nowadays.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.