Software in a Medical Device vs. Software as a Medical Device: Understanding the Differences - Part 2

14 Dec 2023

Medical Software Development

Part 1 of this blog sheds light on an interesting reality that software-enabled medical devices provide: iteration. Companies providing SaMD/SiMD solutions are enabled to iterate faster than ever before in the medical device industry.

Software is traditionally developed with an agile mindset, continually iterating and improving the product; however, the FDA still strongly prefers a waterfall approach when it comes to medical devices. Thoughts on how to blend these two processes to achieve the safest, highest-quality, and fastest-iterating product will be covered in a separate post – for now let's take a look at the standards that are expected to be followed when developing medical software and how they may, or may not, change when developing SiMD vs SaMD.

IEC 62304

This is the de facto software development standard. Whether the software is part of an imaging machine, a wearable, a standalone application, or a robot; it needs to have a defined software development process that includes everything from how the software is developed, controlled, configured, and tested, to how its risk will be managed, to how it is released, maintained, and monitored when out in the field.

ISO 14971

Another standard that will be similar across both types of medical software is risk management. It is absolutely critical to show regulators that you have analyzed the risk of your product and have lowered it as far as possible. Risk assessment formats are similar in SiMD and SaMD risk files; be sure to incorporate risks from cyberattacks and data leaks as well.

IEC 62366

Usability and human factors are critical for showing that the patient and/or user has been taken into account when developing a medical product. In SaMD products, there's opportunity to utilize wire-framing and prototyping tools to execute formative or summative studies and iterate quickly if needed. Conversely, in SiMD, more traditional industrial design prototyping methods will need to be utilized as the user interface (UI) generally controls some other piece of hardware. For anything critical to the device that contains a user interface, I strongly recommend integrating usability and human factors testing into your software development process as even changing the color of a button could have unforeseen impacts.

Cybersecurity

Cybersecurity has been thrown into the spotlight as of late with the FDA's Right to Refuse Policy. As there are no definitive consensus standards, those suggested in the FDA cybersecurity guidance serve as the current guideline for what is acceptable in a 510(k) submission. Both SiMD and SaMD need to undergo cybersecurity testing. Prepare for these by developing documents such as Threat Models, Vulnerability Assessments, and SBOMs. Unless a SiMD product is considered a 'connected device' it's likely the attack surface for the device will be quite small (ports on the physical device or the possibilities of tampering). On the other hand, unless a SaMD product is self-contained (not cloud-based) it will absolutely need to have a comprehensive cybersecurity analysis and subsequent testing to show that it is a secure product.

Privacy

Both product types must comply with the privacy laws in the area which they are being sold and it is strongly recommended to integrate these requirements at the onset of development rather than retroactively, e.g., the Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection and Electronic Documents Act (PIPEDA), General Data Protection Regulation (GDPR), etc. In the case of SiMD it is recommend not to house protected health information (PHI)/PII directly on the device.

Closing Thoughts

The integration of software into the medical device landscape marks a significant shift in how we approach healthcare. Traditional medical device manufacturers and tech giants are both realizing the immense potential of software-driven health and medical solutions. As we witness the emergence of SaMD, it's clear that the lines between conventional medical devices and software solutions are becoming increasingly fluid.

This evolving landscape is not without its challenges; ensuring patient safety, navigating regulatory requirements, and maintaining robust cybersecurity measures remain at the forefront of concerns. And while software offers the potential for rapid development and iteration, it also requires a measured approach to ensure that patient welfare is not compromised.

The growth of SaMD and SiMD is indicative of the broader trend in healthcare—a shift towards more personalized, accessible, and data-driven care. It's a testament to how far we've come in blending technology with health and serves as a reminder of the responsibilities we bear in ensuring that innovations benefit patients safely.

In conclusion, as we delve deeper into the world of SaMD and SiMD, the importance of understanding the nuances and intricacies cannot be overstated. As the lines blur between software and medical devices, our primary focus should always remain on delivering safe, effective, and innovative solutions for better patient outcomes.