The International Medical Device Regulators Forum (IMDRF), a voluntary association of medical device regulating authorities collaborating on the improvement of the existing legal framework, has developed detailed proposals related to the application of quality management system in case of software as a medical device (SaMD). It is important to mention that the present document actually constitutes a part of the proposed framework for SaMD, which also includes guidelines on applicable terminology, and on the risk categorization rules

Regulatory Background 

The IMDRF recognizes the increasing importance of medical software widely used in all spheres of healthcare. Among the variety of software products used for medical purposes, one specific category could be distinguished – software as a medical device. The products related to this category could be used independently of the hardware medical devices. At the same time, the IMDRF states that the regulations on medical software existing nowadays are mostly related to the software being a part of a medical device (e.g. the software operating the medical equipment), while the software as a medical device requires special treatment due to its specific features, such as the possibility to be launched on various devices, most of which are not medical devices (e.g. smartphones or tablets). Another important aspect relates to cybersecurity issues and personal data protection – since SaMDs are often used on the devices connected to the networks, it is necessary to ensure the highest level of protection against unauthorized third-party intervention in normal operations of the software.

The present IMDRF document is dedicated to the Quality Management System (QMS) principles to be applied in the context of SaMD. It is stated that the QMS plays an important role in ensuring the safety and effectiveness of medical devices. The general QMS principles are established by the ISO 9000 family international standards, and also by the various methodologies, standards, and guidelines used by organizations engaged in the medical software development for the purpose of the software quality control. The main practices to be applied for medical devices, in general, are outlined in the international standard ISO 13485 – Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes. 

In the case of medical software, it becomes especially important to establish efficient controls to ensure the quality of the software and the safety of the patients.

The IMDRF recommendations describe certain good software quality and engineering practices to be considered by the medical software developers. As it was already mentioned before, the present document actually extends the proposed SaMD framework described in the previous documents dedicated to the software-related terminology and characterization.

Scope of the SaMD QMS Framework

By publishing these guidelines, the IMDRF intends to provide additional details and recommendations regarding the actual implementation of the generally accepted best practices in the field of quality management systems in the SaMD context. 

In particular, the present document is intended to:

  • Provide medical software manufacturers and other parties involved in SaMD development with the additional information about the software-specific best practices related to the quality control, providing that such a party is already familiar with the common software development process, but needs additional information related to the QMS application for medical devices, 
  • Describe the way the QMS should be applied and implemented by entities responsible for SaMD development, including the aspects related to the SaMD lifecycle support processes,
  • Emphasize the safety-related aspects of SaMD development and use, 
  • Assist medical software manufacturers in the application of the quality management system, 
  • Supplement the SaMD regulatory framework. 

The IMDRF guidelines on the QMS for SaMDs consist of the following key elements: 

  • Brief description of the most important terminology used in the context of SaMD development, 
  • General information about the SaMD development process and lifecycle, 
  • Description of the particular measures to be applied in both large organizations and small start-ups, provided in the form of examples, 
  • References to the applicable QMS-related international standards, including ISO 13485:2003. 

It is also important to mention that the scope of application of the present document covers only the software products meeting the definition of software as a medical device irrespectively of the particular platform it is based on, while any other types of software, even those intended for medical purposes, are actually falling outside the scope of the document. The IMDRF also emphasizes that the present recommendations do neither prescribe the particular way the QMS should be implemented nor contradict or replace any existing QMS principles, regulations, or standards. The QMS principles outlined in the document are intended solely to be used as a basis for the future legal framework development, and not to substitute any existing national or international regulations on the medical software in general and SaMD in particular.

SaMD Quality Management Principles 

According to the document, the general medical device QMS principles could be applied irrespectively of the type of medical device, size of the organization, technologies used, and other similar factors. However, all the abovementioned factors should be duly considered when determining the particular way the quality management system should be established. 

In general, the SaMD development process is actually based on common software development principles and approaches. For some steps and elements of such a process, certain general principles for medical devices could be also applied. 

In accordance with the IMDRF recommendations, an effective QMS for SaMD should be based on a set of main principles, namely: 

  • A proper organizational structure ensuring the effectiveness of the managerial activities and accountability, 
  • An efficient SaMD lifecycle support processes that also should be scalable enough to meet the needs of the organization, 
  • A set of scalable processes established for assuring the safety, effectiveness, and performance of SaMD.

The IMDRF also mentions that all the main principles described hereabove should be considered in a close connection, providing that the necessary connections should be established. In particular, an efficient governance system should create a solid basis for the SaMD lifecycle support processes, while the aforementioned processes should be applied with regard to all SaMD realization and use processes. 

In order to assist medical software developers in achieving and ensuring compliance with these principles, the IMDRF guidance describes in detail each of the principles and its core elements to be taken into consideration. In particular, the principle related to the organization itself covers such aspects as the governance structure, resource and infrastructure management, and also the personnel-related matters. The principle related to the SaMD lifecycle support processes addresses such aspects as product planning, patient safety-focused risk management process, document and record control, configuration management and control, and also the measurement, analysis, and improvement of processes and products. 

Summarizing the information provided here above, the IMDRF proposed SaMD regulatory framework describes the most important aspects to be considered in order to ensure the safety and performance of medical software determined as a SaMD. The document provides important recommendations to be considered by the SaMD developers within the whole development cycle and also describes the way the basic quality management system principles should be applied in the context of medical software in general and SaMD in particular.

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.