QMS for Software as a Medical Device [SaMD] Lessons Learned from a Quality Perspective MedCon 2015 Francis Blacha, Robert Banta
Evolution from Physical to Digital Devices From To icloud Platform Mechanical injection pens: --Instructions for Use (IFU) (printed) --Labeling (printed) --Patient Inserts (PI) (printed) --Secondary Packaging (required) --Cartons (required) App running on mobile device Software as a Medical Device (SaMD): --Instructions for Use (IFU) (on screen) --Labeling (on screen) --Patient Inserts (PI) (none) --Secondary Packaging (none) --Cartons (none) 2
QS Elements Commonalities & Differences Physical vs Digital Devices Elements Common? Different? Data Integrity Training Product Launch Approvals CAPA Cybersecurity Risk Management Human Factors Purchasing Controls/Supplier Management Digital Connectivity Complaints Recall/Market Withdrawal Change Control/Configuration Management Labelling/IFUs 3
QS Elements Commonalities & Differences Physical vs Digital Devices Challenge: Evaluate & enhance Device QMS to enable Development & Commercialization of SaMDs icloud Platform App running on mobile device 4
Assessing QMS: Support Development & Commercialization of SaMD Typical linear development life cycle model for physical devices Source: http://www.qualitydigest.com/inside/fda-compliance-column/no-fda-guidance-or-specific-regulation-don-t-overlook-criticality-product.html 5
Assessing QMS: Support Development & Commercialization of SaMD Typical nonlinear (iterative) development life cycle model for SaMD Source IBM: http://www.ibm.com/developerworks/rational/library/compliant-agile-medical-device/fig05_lg.html 6
QMS Building Blocks System of Quality Model 1. Integrating Standards: Provide clear expectations on how to achieve quality objectives. The standards describe what and who is responsible. 2. Business Processes: Simple and effective, provide information on how operations are to be performed to meet requirements per the integrated standards. 3. Organizational: Defined roles to assure clear responsibilities and accountabilities. Skills must meet the needs of the specific roles. 4. Governance/Management Oversight: Ensures management is involved when decisions are required at the appropriate accountable levels. 7
System of Quality Model Applying the Lilly System of Quality results in consistent outputs: High-quality products Accurate and complete safety and efficacy data through design, execution, monitoring and continuous improvement of Quality These outputs are achieved via: Applying sound scientific principles Balancing product commercialization effort commensurate with risk Facilitating continuous improvement 8
Lessons Learned So Far Some Recent Experiences Source: http://www.pmmajik.com/project-pmo-lessons-learned-overview/ 9
Integrated Standards Device Classification Integrated Standards U.S. Medical Device Classification Decision Process Decision Process Determine Intended Use Class III Outcomes PMA Submission & GMP s required Determine Product Codes(s) & Regulation Number(s) Class II 510(k) Submission & GMP s required Device? Yes Class I No submission, but GMP s are required No No submission, GMP exempt, except for specific provisions Mobile App (NOT mobile medical apps) 10
Integrated Standards Device Classification Integrated Standards Stand Alone S/W Determine Intended Purpose Device? No EU Device Standalone Software Decision Process 1 Yes Decision Process Active medical device No Drive or influence another device? Yes Classification Rules 9-12 Classified the same as the other device Outcomes & Requirements Class I Class IIa Class IIb (It depends) Annex VII: Tech Documentation Declaration of Conformity AE reporting & complaint handling Recalls Annex II: Quality System Notified Body Cert Tech Documentation Declaration of Conformity AE reporting & complaint handling Recalls 1 MEDDEV 2.1/6 January 2012 NOT a medical device the software does not perform an action on data, or it performs an action limited to storage, archival, Communication, simple search 11
Integrated Standards Device Classification Integrated Standards International Medical Device Regulators Forum (IMDRF) Source: http://www.imdrf.org/docs/imdrf/final/meetings/imdrf-meet-140829-washington-presentation-samd.pdf 12
Integrated Standards Integrated Standards Device Classification IMDRF Framework for Risk Categorization of SaMDs Source: http://www.imdrf.org/docs/imdrf/final/meetings/imdrf-meet-140829-washington-presentation-samd.pdf 13
Integrated Standards Integrated Standards Standards Analysis Mapping Standards Applicable to SaMDs Source: http://www.emdt.co.uk/article/developing-medical-device-software-iso-62304 14
Integrated Standards Standards Analysis Integrated Standards Evaluation of Various Standards Assessed traditional Device Standards associated with software, including: Software Validation Medical Device Software Device QSR Device QSM 15
Integrated Standards Standards Analysis Integrated Standards Mapping Standards Applicable to SaMDs 16
Standards Analysis Exercise Output was a Roadmap addressing IEC 62304 Risk-scaled Deliverables across Design Control Phases Integrated Standards SaMD Medical Device Software Lifecycle Model (IEC 62304: 2006) 17
Integrated Standards Analysis Output Integrated Standards Developed a Global Quality Standard that defines SaMD quality requirements for (among others): Design controls Risk management (including cybersecurity) Human Factors Distribution Purchasing Controls Labeling Privacy Data Integrity Product Recall 18
Business Processes Human Factors Business Processes SaMD Formative Human Factors Studies Formative HF Study to verify the effectiveness of knowledge gained Essential to have a cross-functional HF team Users interact with software Users/Programmers verify changes Usability experts take user feedback Programmers make design changes based on feedback Rapid iteration of HF Studies allows for easier change/verify cycles in software versus conventional change/verify cycles for physical devices. 19
Business Processes Product Recall Business Processes SaMD Recall/Market Withdrawal Commonalities/Differences Plan for physical removal from market Accomplished via print media and traditional mailings Physical removal from market Physical counting of recalled product Problem Identification Risk Assessment & Decision to recall Recall plan & communication planning Issue recall communications Recall / Market Withdrawal Monitor/review recall Effectiveness/ Update stakeholders Recall Complete Plan for SaMD deactivation or forced software upgrade Accomplished via e-mail notifications Digital deactivation or forced software upgrade Measured digitally via SaMD connection with cloud 20
Business Processes Patient Instructions Business Processes Labels and Instructions for Use (IFU) Physical Device Label attached to device IFU included with packaging Label update via printing of new labels IFU update via printing of new IFU Label and IFU subject to loss, alteration, or replacement without authorization SaMD Label integrated into software and displayed on screen IFU integrated into software and displayed on screen Label updated electronically via software upgrade IFU updated electronically via software upgrade Software label and IFU cannot be lost, altered, or replaced 21
Organization: Roles and Responsibilities Organization SaMD require new technical expertise: Mobile Application Software Engineer IT Network Infrastructure Specialist Global Information Security Architect Source: http://www.pmoplanet.com SaMD require identification of right span of control plus clear accountability: Device classification Software safety classification determination Risk management process ownership Patient safety decision ownership Cloud service provider supplier chain ownership 22
Organization: Defining Roles and Responsibilities Organization SaMDs require clear lines of accountability for among other items issue escalation/resolution regarding: SaMD commercialization decisions SaMD launch approvals Privacy decisions Data analytics usages Cybersecurity practices (app level and Cloud level) Due diligence of Cloud vendors Source: http://blog.procore.com/ 23
Organization - Capability Example of Team Participants Organization Physical Device Team: Project Manager Regulatory Affairs/Qualified Person Medical Device Development Engineer Medical Device Quality Assurance Representative Human Factors Consultant Medical Affairs Consultant Additional Software skills: Mobile Application Software Developer Global Information Security Architect IT Quality Assurance Representative Cloud Infrastructure Consultant 24
Governance/Management Oversight Gov./Mgmt. Oversight Focusing on governance/ management oversight: Management involvement Problem escalation Decision making Auditing Source: http://www.praxity.com/about-us/pages/the-governance-of-the-alliance.aspx 25
Governance/Management Oversight Gov./Mgmt. Oversight 26
So far Lessons Learned Early identification of the regulatory classification for SaMD both US and OUS Establish global quality standard (quality requirements) Ensure involvement of IT team in oversight of Cloud infrastructure Modify recall/market withdrawal processes to address SaMD technology capability Formative HF Studies enhanced by modifying SaMD code from daily patient interactions Enhance product surveillance processes and patient safety processes to address the unique technology associated with SaMD 27
Conclusion System of Quality Model used to enhance device QMS to support development and commercialization of SaMD Created a Quality standard that addresses design control and product commercialization requirements for MMA/SaMDs Integrated Standards Business Processes Increased HF Study design enhancements Modified recall/ market withdrawal Adapted process controls for e-labels/e-ifus Established Cloud change control governance Developed cross-functional due diligence process for selection of Cloud vendors Addressed auditing responsibilities for MMA/SaMDs Governance/ Management Oversight Organization Brought mobile app software SMEs into device design team Added Cloud infrastructure vendor & established supplier controls for Cloud vendor 28
Questions? 29