How to Manage Software as a Medical Device (SaMD) Technical Files with MDR and FDA?

Navigating the regulatory labyrinth for Software as a Medical Device (SaMD) is fraught with complexities.

It's about precision and compliance. To align with the Medical Device Regulation (MDR) in the European Union and the Food and Drug Administration (FDA) requirements in the United States, developers must construct a meticulous technical file or dossier. This document, a compendium of evidence demonstrating safety, quality, and efficacy, is paramount. Without it, Market access remains firmly out of reach, clinging to a thread of regulatory limbo.

What is the technical file in MDR and FDA context?

The technical file—or technical documentation under the European Union's Medical Device Regulation (MDR)—serves as a comprehensive dossier, encompassing all aspects of a medical device. For Software as a Medical Device (SaMD), this entails detailed records of the design, development, and performance, underscoring its safety and compliance with the stringent requirements set forth by the MDR.

In the FDA parlance, equivalent documentation for SaMD falls under "Device Master Records" (DMR) and "Device History Records" (DHR). While DMR contains the recipe for producing a device, including software specifications, DHR comprises the production history of each device. It is incumbent on developers to ensure that their documentation under the MDR or the FDA faithfully delineates the intricacies and compliance of their software, critical for securing market access and maintaining post-market surveillance.

Purpose and documents in the technical file

The raison d'être of the technical file is to substantiate SaMD compliance. It encapsulates development processes and product safety evidence within stringent regulatory frameworks.

Pivotal documents constitute the file, such as Risk Management Files and Clinical Evaluation Reports, mirroring the lifecycle stages of the SaMD. Fuse solutions like MatrixRequirements integrate these items to ensure documentation integrity.

Clear demarcations are imposed between the FDA's DMR and DHR, and MDR's Technical Documentation. The latter's breadth extends further to encompass Post-Market Surveillance and Vigilance data pertinent to SaMDs.

Navigating the MDR involves collating the General Safety and Performance Requirements (GSPR) annex, along with harmonized standards and Common Specifications. Each piece fortifies the technical file's foundation.

Strategic tooling with platforms like MatrixRequirements optimizes this information cascade. It ensures technical file completeness and facilitates a seamless audit trail for both MDR and FDA inspections.

Differences in the documents, the naming and the content between MDR and FDA

Under the MDR, comprehensive Technical Documentation is necessary, compared to the Design History File (DHF) and Device Master Record (DMR) required by the FDA. The naming conventions reflect divergent regulatory frameworks, underscoring distinct compliance pathways.

The FDA specifies the content in design controls under 21 CFR 820.30. The MDR requires a Technical File or Technical Documentation per Annex II and III.

MDR's Technical Documentation demands a General Safety and Performance Requirements (GSPR) checklist, while the FDA's DHF emphasizes design inputs, outputs, verification, and validation activities. The scope of documents needed and specificity of content can be markedly different, reflecting each agency’s focus on the lifecycle of SaMD.

Pertaining to content, there's an expectation of demonstrating clinical evaluation and performance, monitored through post-market activities under the MDR, which is analogously conceptualized through the FDA's post-market surveillance requirements. However, the depth and manner of evidence collection may vary, as MDR tends to be more prescriptive in post-market clinical follow-up expectations. This influences the nature of the documents such as Clinical Evaluation Report (CER) in the EU and Summary of Safety and Clinical Performance (SSCP), and can lead to differences in the technical file's structure and contents.

You can learn more about the Software Validation Documentation with the FDA in our latest video.

What information should be included in a technical file for medical devices?

The technical file for medical devices should include detailed information about the design, development, and manufacturing of the device. This comprehensive documentation is essential for demonstrating compliance with regulatory requirements and ensuring the safety and effectiveness of the device. The following information should be included in the technical file:

  1. Device Description: Provide a clear and concise description of the device, including its intended use, specifications, and any accessories or components.

  2. Design and Manufacturing: Describe the design process, including risk assessments, design inputs and outputs, and verification and validation activities. Include detailed manufacturing processes, materials used, and quality control procedures. For SAMD, this includes the SW configuration, SBOM, and SOUP information.

  3. Labeling and Instructions for Use: Include all labeling materials, such as labels, user manuals, and package inserts. These should be comprehensive and clear, providing instructions for safe and effective use of the device.

  4. Essential Requirements: List and demonstrate compliance with applicable essential requirements or standards. These requirements may include safety, performance, and biocompatibility criteria.

  5. Clinical Evaluation: Provide a thorough analysis of the clinical data gathered to demonstrate the device's safety and performance. This includes summaries of clinical investigations, post-market surveillance data, and literature reviews.

  6. Risk Management: Include a comprehensive risk management plan that identifies and evaluates potential risks associated with the device. This plan should outline the steps taken to mitigate and manage these risks.

  7. Sterilization and Packaging: If applicable, provide information on the sterilization methods used and the packaging materials and processes employed to maintain the device's sterility and integrity. Although sterilization does not apply to SAMD, the Packaging for deployment is crucial for the product delivery and quality and should be documented and validated.

  8. Shelf Life and Storage Conditions: Specify the device's shelf life and recommended storage conditions to ensure its stability and effectiveness throughout its intended lifespan. Also although shelf life or storage does not apply for software, evaluation of function-limiting future conditions like from underlying HW or operation systems should be considered and documented.

  9. Test Reports and Certificates: Include test reports and certificates for the device, such as electrical safety, electromagnetic compatibility, and biocompatibility testing. For SAMD, this includes the testing for various HW and OS platforms that might be used as well as integrations and special user interaction cases like setup, start, and close-down, the usability validation, and cybersecurity evaluation.

  10. Manufacturer Information: Provide detailed information about the manufacturer, including manufacturing facility locations, quality management system certification, and any authorized representatives or distributors.Remember, the technical file serves as a comprehensive record of a medical device's design, manufacturing, and performance. It is important to keep this documentation up to date and readily available for regulatory authorities and notified bodies during audits or inspections.

Understanding SaMD Classification

In the realm of Software as a Medical Device (SaMD), classification serves as the foundation for regulatory scrutiny and sets the stage for the technical documentation required. Distinctions between the classifications hinge upon intended medical purposes and the potential risks associated with the software’s use. Factors such as the severity of the condition addressed and the significance of the information provided to healthcare decisions play critical roles in determining the level of regulatory oversight.

Under the MDR, SaMD may fall into one of four risk-based categories, ranging from Class I (lowest risk) to Class III (highest risk). Similarly, the FDA aligns SaMD into distinct categories based on function and risk, with classifications I, II, and III corresponding to rising risk levels. The complexity of a device's function, the nature of the healthcare situation or condition, and the potential consequences of inaccurate output are pivotal in ascertaining its classification. This stratification is essential as it predicates the extent of evidence and rigor required in the technical documentation for premarket submissions.

MDR Criteria and Categories

Under MDR, SaMD classifications reflect potential risks and intended uses. Complexity, clinical context, and reliance dictate the regulatory rigor. Appropriate category placement is crucial for compliance.

The MDR framework organizes SaMD into four distinct categories, where each category corresponds to a risk classification level. Class I represents minimal risk, incrementing to Class III, which denotes significant risk.

"Europe's MDR classifies SaMD more granularly than the FDA."

Detailed criteria under MDR ensure stringent assessment for higher-classified SaMD. Categories are defined with patient safety in mind, requiring robust evaluation before market entry. These classifications influence the technical file's content and structure crucially.

FDA Risk-Based Framework

The FDA classifies SaMD based on the seriousness of the health condition and the significance of the information provided by the software. This binary framework ensures a clear and structured approach to risk assessment, guiding developers through the necessary regulatory pathways.

In this framework, software associated with treating or diagnosing serious conditions faces greater scrutiny. Simpler workflows dictate less comprehensive requirements, tailored to specific functionalities and their implications.

The risk categorization guides the depth of the technical documentation required for premarket approval or clearance. A higher-risk SaMD, involving critical healthcare decisions, necessitates extensive validation and verification, ensuring reliability, safety, and effectiveness prior to market release.

Key to the FDA's risk-based approach is the assurance of clinical performance and cybersecurity resilience. As SaMD increasingly integrates into diverse healthcare settings, the technical file must encompass not only detailed design and development documentation but also thorough risk analysis, user experience considerations, and plans for post-market surveillance. This holistic view spearheads the safe and effective implementation of digital health technologies.

Key Documentation for MDR Compliance

For MDR compliance, the technical documentation serves as a critical dossier, detailing the device's lifecycle from conception to post-market activities. Under the MDR, this comprises the General Safety and Performance Requirements (GSPR) checklist, clinical evaluations, risk management files, and the specifics of software development and lifecycle management, grounded in the harmonized standards, such as IEC 62304 for software lifecycle processes. Requisite information must be both granular and expansive, enabling a full appraisal of the SaMD's conformity to stringent European regulations.

Notably, the MDR's Annex II enumerates the precise content obligatory for the technical file, including the device description and specifications, information on the quality management system, pre-clinical and clinical data, and records of post-market surveillance. These elements must be methodically documented, regularly updated, and readily accessible to demonstrate sustained compliance with the regulatory framework.

General Safety and Performance Requirements

The GSPR checklist is crucial for ensuring the safety and performance of SaMD in the medical device sector. It provides a comprehensive framework for developers to demonstrate compliance with specified intentions and avoid disproportionate risks. Compliance is mandatory, and the checklist serves as the benchmark for assessing SaMD, including cybersecurity and data privacy considerations. Tools like MatrixRequirements help developers create and maintain comprehensive documentation that meets the checklist requirements, supporting traceability and updates for continuous post-market monitoring. Manufacturers must ensure their documentation reflects current standards to satisfy regulatory scrutiny.

Clinical Evaluation for SaMD

Clinical evaluation is intrinsic to SaMD regulatory compliance. It critically appraises the safety and effectiveness of the software throughout its lifecycle.

Under MDR, clinical evaluation follows a structured process, involving a comprehensive assessment of clinical data pertaining to the SaMD's intended use. It necessitates methodical collection, appraisal, and analysis of this data, ensuring it aligns with established standards.

The FDA outlines a similar pathway, mandating that a robust clinical evaluation demonstrates a reasonable assurance of safety and effectiveness. This involves clinical data derived from scientific literature, clinical experience, or analytical studies.

Considering the adaptive nature of SaMD, continuous clinical evaluation is indispensable. Post-market clinical follow-up often feeds back into the clinical evaluation, fostering ongoing improvement of the SaMD.

It is essential to pivot this process around a well-maintained, dynamic technical file. This underscores the relevance of leveraging systems like MatrixRequirements to anchor this living document.

Essential Elements of FDA Submission

For developers navigating FDA submission, the Pre-Market Notification (510(k)), Pre-Market Approval (PMA), or De Novo Classification process will dictate the specific documentation required. Essential elements of an FDA submission for SaMD include an elaborate Device Description, detailing the software’s intended use, architecture, and functioning. The inclusion of a comprehensive Cybersecurity Plan is paramount, demonstrating protection mechanisms for patient data. Software Documentation underlies the entire submission, encompassing requirements, specifications, risk management, validation, and verification processes. Validation and Verification Documentation attest to the SaMD's performance and safety through rigorous testing. Clinical performance data must be aggregated and analyzed, contributing to the submission's Clinical Evaluation section, where the clinical benefits are highlighted. A well-articulated Regulatory Strategy will delineate the product’s classification and regulatory pathway, while the Labeling and User Information must encompass all necessary details to ensure safe and effective usage. Utilizing a platform like MatrixRequirements, which supports robust item-based information management, can mitigate complexities by enabling traceability and facilitating the reuse of information in these multifaceted documents.

Software Pre-Market Documentation

Creating a comprehensive Technical File for SaMD under MDR and FDA is a meticulous process.

Where the MDR demands the inclusion of a General Safety and Performance Requirements (GSPR) checklist, the FDA, conversely, requires a Premarket Submission that encapsulates the software's essence.

These documents must detail the Design and Development, including architecture, algorithms, and user interface. They should thoroughly outline the Risk Management activities tailored to software specifics.

The Clinical Evaluation or Clinical Performance data within these files serve as evidence of the software's efficacy and safety. Functioning within the rigorous frameworks of both MDR and FDA mandates the Post-Market Surveillance plan's integration.

MatrixRequirements fortifies the integrity of these submissions by ensuring seamless Traceability and Information Reusability.

Quality System and Cybersecurity Info

The Quality System encompasses distinct procedures aligned with regulatory compliance and product quality assurance.

For MDR, it hinges on annexes II and III, prescribing methods for maintaining device quality and safety throughout its lifecycle. Cybersecurity emerges as pivotal in the SaMD landscape, demanding dedicated sections within the Technical File.

FDA's part 820 Quality System Regulation demands analogous rigor, shaping cybersecurity into its software validation and risk analysis processes. This includes clear strategies for identifying, protecting against, responding to, and recovering from cyber threats.

Both MDR and FDA expect regular updates and patches as part of the SaMD's lifecycle management, ensuring sustained cybersecurity posture and compliance. Coherent Quality Management Systems, under both frameworks, integrate cybersecurity as a core element, reflecting the evolving digital threat landscape.

MatrixRequirements aids in structuring documentation for cybersecurity compliance, simplifying adherence to dynamic regulatory requirements.

Leveraging Technology for Compliance

In the realm of SaMD development, establishing and maintaining comprehensive Technical Files is no trivial matter. Modern management platforms like MatrixRequirements can significantly lessen the burden by providing an infrastructure that fosters a systematized approach to document organization and version control. This ensures that pertinent information is readily accessible and up-to-date, reducing the occurrence of oversights that could potentially lead to non-compliance.

Embracing technology solutions that offer item-based information management elevates the efficacy of Quality Management Systems (QMS), specifically in the context of MDR and FDA compliance. These platforms facilitate traceability and reuse of information, which is a critical aspect when addressing the multitude of documents that agencies require. Through tools like MatrixRequirements, developers can streamline the creation, update, and navigation of the Technical File components, thereby aligning seamlessly with the stringent regulations governing SaMDs.

Tracing Requirements with Digital Tools

Effective traceability in SaMD development is non-negotiable for regulatory compliance.

  • Utilization of digital platforms for real-time updates and collaborations

  • Implementation of item-based tracking to link requirements with specific artifacts

  • Assurance of data integrity through automatic change logs and version control

  • Streamlining audits with easily navigable requirement-to-evidence relationships

  • Deployment of configuration management tools for consistent documentation across the life cycle

Centralized digital tools offer unparalleled visibility into the traceability matrix.

This approach significantly reduces regulatory risks and enhances overall product quality.

Managing Revisions and Updates

The fluid nature of SaMD development mandates a robust protocol for managing revisions and updates. Continuous integration and delivery practices necessitate an effective system that can handle iterative changes while ensuring compliance.

Consistency in documentation across iterations is crucial for regulatory acceptance. Modifications must be clearly annotated and justified.

In the context of SaMD, revisions often entail algorithm updates, changes in user interface, or modifications in the data management procedures. Each revision warrants a thorough documentation process, enabling clear visibility of the evolution of the software and its compliance trajectory.

Given the dynamic regulatory environment, SaMD developers must prepare for frequent amendments in standards and guidelines. A resilient revision management system should thus be designed to accommodate not only software changes but also shifts in regulatory requirements. Such a system would capture all necessary revisions, enabling the creation of "living" documents that evolve alongside the SaMD throughout its life cycle.

In conclusion, understanding the technical file requirements for SaMD under MDR and FDA is crucial for medical device software developers. The technical file serves as a comprehensive documentation of the SaMD, ensuring compliance with regulatory standards and demonstrating the safety and effectiveness of the software. By adhering to the specific content and document naming requirements outlined by MDR and FDA, developers can streamline the regulatory process and expedite the approval of their SaMD. Utilizing a platform like MatrixRequirements can further enhance information management, facilitating traceability and reuse of information across multiple documents. By prioritizing the creation of a robust technical file, developers can showcase their expertise and attention to detail, ultimately contributing to the successful launch and market adoption of their SaMD.

Learn more about Software Validation Documentation in our video.

About the Author
Regina Preysing
Partnerships Manager