IMDRF Proposes Framework for Regulating Device Software, Auditing Organizations

Posted 02 April 2014 | By Alexander Gaffney, RAC

The International Medical Devices Regulators Forum (IMDRF), the regulators-only successor group to the Global Harmonization Task Force (GHTF), has released for consultation two new documents intended to form the basis for the future regulation of device software and facility audits.

The two programs in question are the Medical Device Single Audit Program (MDSAP) and IMDRF's attempts to regulate software as a medical device consistently across member states.

Background: MDSAP

At its core, MDSAP is intended to allow third parties to assist in inspecting medical device manufacturing facilities on behalf of regulators, allowing the findings to be used broadly, thereby saving money while ensuring more frequent inspections.

The development of the MDSAP program is being coordinated by Kimberly Trautman, associate director of international affairs at the US Food and Drug Administration (FDA). Trautman has previously explained that auditing standards for organizations will "complement" the ISO 13485 standard, which deals with the quality regulations medical device manufacturers must follow.

"IMDRF seeks modifications to achieve a harmonized standard amongst its members," Trautman explained at a regulatory meeting in 2012 held by the Regulatory Affairs Professionals Society (RAPS). Other regulators, including Health Canada's Mike Ward, called MDSAP the "future of regulation," noting that it will allow third parties to step in and help meet the needs of regulatory authorities.

In the meantime, IMDRF has been working through a number of thorny issues, among them how to ensure audit consistency among parties, which standards will complement the ISO 13485 standards, and how to best oversee auditing organizations.

In April 2013, IMDRF released two draft guidance documents covering core components of the program: requirements for auditing organizations and training requirements for auditors.

Then, in July 2013, IMDRF released two new MDSAP documents dealing with assessor competency training and how regulators should monitor auditing organizations. One month later, in August 2013, FDA also put out a contract notice indicating its interest in building an "audit and inspection data system" for the MDSAP program.

New MDSAP Notice

On 1 April 2014, IMDRF released a new MDSAP document for consultation outlining what the "grade assessment" process used to assess auditing organizations will look like, and how auditing organizations will be recognized, re-recognized or cease to be recognized in the case of a deficient inspection.

As IMDRF notes, auditing organizations will be assessed once every three to four years, with ongoing surveillance conducted throughout the interim period to ensure ongoing compliance. Organizations will also be given an initial assessment at year zero to ensure they are capable of meeting IMDRF auditing standards.

At the end of either the third or fourth year, IMDRF will then re-recognize the auditing body through an on-site inspection.

All nonconformities discovered during the course of an assessment will be "graded" on a scale of 1 (low levels of nonconformities) to 4 (serious nonconformities involving fraud or recurrences of Grade 3 nonconformities).

The exact processes used to conduct assessments are contained within IMDRF's document, MDSAP Assessment Outcomes and Recognition/Re-recognition Decision by Regulatory Authorities.

Background: Software

IMDRF has also been tackling a number of other complicated regulatory topics, such as the regulation of medical device software. The initiative, being spearheaded by Bakul Patel, the author of the FDA guidance on mobile medical applications, has already resulted in the publication of a document in July 2013 on stand-alone medical software.

As IMDRF explained in that guidance, "software for medical purposes is becoming increasingly important and … can appear in many forms and on many computing platforms."

"Existing regulations adequately address public health risks of software when embedded in a traditional medical device," IMDRF continued. "However, existing regulations do not readily translate or address the unique public health risks posed by standalone software nor assure an appropriate balance between patient/consumer protection and promoting public health by facilitating innovation. Existing regulatory controls can have limited applicability when software can be developed, distributed, and accessed in a distributed environment through the internet."

New Software Document

IMDRF's latest document, Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Controls, builds upon the prior document by proposing a risk recognition and control framework for device software.

The goal, IMDRF writes, is to categorize devices "based on their risk profiles," and then to "identify controls that assure [their] safety and effectiveness."

Those familiar with FDA's regulatory framework for mobile medical apps and device software will find that much of the guidance is familiar, if not in language then at least in concept. For example, software will be deemed a medical device based on its intent to treat a health condition.

But unlike under FDA's framework, software will be subject to a risk assessment based on a four-category test:

  • Type 1 Software: Very high impact devices
  • Type 2 Software: High impact devices
  • Type 3 Software: Medium impact devices
  • Type 4 Software: Low impact devices

Type 1 devices would be those that might help diagnose cancer, while heart rate monitors would fall under Type 3, and daily health tracking software would be a Type 4 device.

Extensive definitions are provided in the document to help guide categorizations of devices into risk classes.

Some devices will also be subject to quality management system regulations, as well as postmarket surveillance requirements, IMDRF said.

Comments on both documents are due by 31 May 2014.
