3 QMS Principles for Software As a Medical Device (SaMD) Manufacturers

Software as a Medical Device (SaMD) is a rapidly growing subset of the medical device industry, and many companies with software development capabilities are branching out into the medical device field.

However, any company that manufactures SaMD faces rigorous regulatory requirements, especially when it comes to their quality management systems (QMS).

The International Medical Device Regulators Forum (IMDRF) defines SaMD as software that is intended to be used for one or more medical purposes and performs those purposes without being part of a hardware medical device.

And any medical device that falls under this definition should follow IMDRF’s document, Software as a Medical Device: Application of a Quality Management System. This document offers guidance on the application of existing standardized and generally accepted QMS practices for SaMD.

For the purposes of this article, we will be focusing on Section 5.0 of the guidance, which explains three key QMS principles for SaMD manufacturers.

FREE ON-DEMAND WEBINAR: Click here for the free recording + slides showing you how to set up an agile QMS that runs concurrently with your SaMD development processes.

 

1. SaMD leadership and organizational support

The diagram below shows the three QMS principles as three concentric circles. Leadership and organizational support make up the outer circle and serve as the foundational principle of the other two principles.

SaMD Quality management principles

Figure 1: SaMD Quality Management Principles: Leadership and Organization Support, Processes, and Activities

The IMDRF guidance states that SaMD manufacturers should have, “An organizational structure that provides leadership, accountability, and governance with adequate resources to assure the safety, effectiveness, and performance of SaMD.”

Management within a SaMD company is responsible for leadership and governance over all activities across the lifecycle of the SaMD. This includes “defining the strategic direction, responsibility, authority, and communication to assure the safe and effective performance of the SaMD.”

Members of a company’s leadership team are also responsible for implementing the QMS and developing quality policies and objectives. Additionally, they must provide the structure and support for establishing and monitoring the processes to maintain quality objectives and policies.

On top of that, company leadership is also responsible for verifying the effectiveness of everything they’ve implemented. Verification activities may include conducting internal audits and management reviews to ensure the QMS is effective.

Finally, the management team is responsible for making sure the company has the resources to facilitate an effective SaMD development lifecycle. That means having the right people, tools, information, and communication networks to meet the requirements of both regulators and customers.

 

2. SaMD lifecycle support processes

The IMDRF guidance states that a QMS for SaMD should have: “A set of SaMD lifecycle support processes that are scalable for the size of the organization and are applied consistently across all realization and use processes.”

The basic processes outlined in the guidance are:

 

Product planning

The aim of the product planning process is to provide a roadmap that can be used throughout the SaMD development lifecycle. It defines the phases, activities, responsibilities and resources that will be needed for developing your SaMD.

 

Risk management

IMDRF suggests using its guidance as a possible framework for categorizing the risk of your SaMD, followed by an appropriate risk management process that will be integrated through the entire software lifecycle:

In order to estimate, evaluate, and control risk, hazards from a variety of sources should be identified and mitigated, including those that are:

  • User-based

  • Application-based

  • Device-based

  • Environment-based

  • Security-based

 

Document and record control

These controls are proof that you have followed the procedures outlined in your QMS and that you have achieved results. Your documents should provide a rationale for decision-making—for instance, why you chose some lifecycle processes instead of others.

Your document and record control can be either electronic or paper-based, but it should be easy for users of those records, including external contractors, to collaborate and share them.

By that measure, paper documentation won’t cut it for most companies. That’s why Greenlight Guru built our Medical Device Success Platform (MDSP) with Intelligent Document Management at its core. If you’re still using a paper-based QMS, sign up for a demo to see how Greenlight Guru can streamline your document control process.

 

Configuration and management control

IMDRF guidance states, “Control of configurable items, including source code, releases, documents, software tools, etc., is important in order to maintain the integrity and traceability of the configuration throughout the SaMD lifecycle.”

Configuration control means you need records of all of the constituent parts of the SaMD and any change history. The purpose of these records is to enable recovery or recreation to a past version, as needed.

Your configuration documentation is also helpful in the end user setting. For example, a clinic may use this information to assess whether your SaMD can be installed with its current hardware and software setup.

 

Measurement, analysis, and improvement of processes and products

Measurement and analysis of quality data can be used to objectively assess the performance of a SaMD throughout the development lifecycle, so that manufacturers can identify trends and areas for improvement.

This data can be gathered from a number of potential sources, such as bug reports, customer feedback, nonconformities, service reports, and trend reports, as well as verification activities from corrective or preventive measures taken to address nonconformities.

As you can see, the goal of these lifecycle support processes is to create clear and repeatable processes for decision-making. By establishing these processes, you’re creating a risk-based framework for promoting patient safety.

 

3. SaMD realization and use processes

The IMDRF’s third quality management principle for SaMD requires:

 

A set of realization and use processes that are scalable for the type of SaMD and the size of the organization; and that takes into account important elements required for assuring the safety, effectiveness, and performance of SaMD.

There are key lifecycle processes that should be identified in the methodologies used by SaMD manufacturers. Just remember, the processes from the previous two sections should be applied to the following activities around SaMD realization and use, which are common to the software engineering lifecycle:

  1. Requirements management - This is about ensuring the software meets the needs of users or patients. Requirements management is a customer-driven process, and all requirements should tie back to user and patient needs.

  2. Design - This includes the components, interface, and architecture of the software. These should be in line with the intended use and user requirements.

  3. Development - This is the phase that transforms requirements and design into SaMD. This should follow good development practices, including appropriate review activities such as peer review, code review, and creator self-review.

  4. Verification and validation - These activities are about ensuring the design and development meet requirements and that the software meets user needs. 

  5. Deployment - This includes the delivery, installation, setup, and configuration to support the effective distribution of the SaMD to the user.

  6. Maintenance - All software has ongoing maintenance needs in the form of updates and change activities. IMDRF notes, “When a previously deployed SaMD requires maintenance, all appropriate SaMD lifecycle support processes, and SaMD realization and use processes should be considered. Maintenance activities should preserve the integrity of the SaMD without introducing new safety, effectiveness, performance, and security hazards.”

Keep in mind that regardless of the methodology you use for your SaMD, all of these processes should be included in its execution.

FREE ON-DEMAND WEBINAR: Click here for the free recording + slides showing you how to set up an agile QMS that runs concurrently with your SaMD development processes.

Achieve full traceability between your software requirements, design specifications & risk management

The IMDRF takes care to note that the three QMS principles are not separate activities. That means everything from high-level decisions made by management to the execution of a single process is connected in some way.

With a paper-based QMS, it’s practically impossible to see the interconnected nature of your quality management processes and data. Legacy systems place the onus on each user of the QMS to create a comprehensive picture of the system in their mind and establish connections based on whim or trends.

But with Visualize from Greenlight Guru, the relationships within your QMS are fully visible to your entire team. It removes the complexity, burden, and risk associated with quality system visibility and traceability.

 

Greenlight Guru Visualize QMS Solution

Greenlight Guru Visualize

SaMD manufacturers can efficiently navigate through the Greenlight Guru Medical Device Success Platform (MDSP), powered by Machine Learning and Natural Language Processing technologies, to create a visual map of virtual links between connected items within your QMS.

If you’re ready to achieve closed-loop quality system traceability for your SaMD, then get your free demo of Greenlight Guru now.


Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software