IMDRF SaMD
IMDRF SaMD
AUTHORING GROUP
29 January 2024
IMDRF/SaMD WG/N81 DRAFT: 2024
Preface
© Copyright 2024 by the International Medical Device Regulators Forum.
This work is copyright. Subject to these Terms and Conditions, you may download,
display, print, translate, modify and reproduce the whole or part of this work for your
own personal use, for research, for educational purposes or, if you are part of an
organisation, for internal use within your organisation, but only if you or your
organisation do not use the reproduction for any commercial purpose and retain all
disclaimer notices as part of that reproduction. If you use any part of this work, you must
include the following acknowledgement (delete inapplicable):
“[Translated or adapted] from [insert name of publication], [year of publication],
International Medical Device Regulators Forum, used with the permission of the
International Medical Device Regulators Forum. The International Medical Device
Regulators Forum is not responsible for the content or accuracy of this
[adaption/translation].”
All other rights are reserved and you are not allowed to reproduce the whole or any part
of this work in any way (electronic or otherwise) without first being given specific written
permission from IMDRF to do so. Requests and inquiries concerning reproduction and
rights are to be sent to the IMDRF Secretariat.
Incorporation of this document, in part or in whole, into another document, or its
translation into languages other than English, does not convey or represent an
endorsement of any kind by the IMDRF.
2
IMDRF/SaMD WG/N81 DRAFT: 2024
Contents
1. Introduction 4
2. Purpose and Scope 6
2.1. Purpose of the document 6
2.2. Scope of the document 6
3. References 8
4. Device Characterization Considerations 9
4.1. Intended Use/Intended Purpose Statement 9
4.2. Device Description - Medical Device Software 10
3
IMDRF/SaMD WG/N81 DRAFT: 2024
1 1. Introduction
2 Software plays an increasingly critical role in healthcare, with a wide range of products
3 serving a variety of medical and administrative purposes in a range of clinical or
4 private settings. A subset of software that is used in healthcare is regulated as a
5 medical device globally by regulatory authorities.
6 In 2013 the International Medical Devices Regulators Forum (IMDRF) introduced the
7 concept of Software as a Medical Device (SaMD) and subsequently proposed a
8 possible risk categorization framework (IMDRF/SaMD WG/N12 FINAL:2014). Building
9 on the collective experience of its members, the IMDRF SaMD WG now has an
10 opportunity to add to those initial concepts by providing guidance related to device
11 characterization and risk characterization, for a broadened scope of medical device
12 software.
13 The term “SaMD” has evolved to include a more diverse landscape of software and
14 varied interpretations across jurisdictions. The concepts presented in this document
15 are not exclusive to any specific interpretation of the term SaMD, rather can be helpful
16 to consider more broadly for any software that meets the definition of a medical
17 device.
18 In this document we refer to this relevant set of software as “medical device software”
19 as a shorthand for document useability. This complex collection of software includes
20 various intersecting and distinct subsets, for example:
21
22 • Software that is intended to generate information for use in achieving one or more
23 medical purpose;
24 • Software that is part of a hardware medical device;
25 • Software that is not part of a hardware medical device and independent of other
26 medical devices);
27 • Software that is necessary for a hardware medical device to achieve its intended
28 use/intended purpose;
29 • Software that is driven or influenced by another medical device;
30 • Software with an output intended for a human user, medical device, and/or non-
31 medical device;
32 • Software that uses inputs from humans, medical devices, and/or products that are
33 not medical devices.
4
IMDRF/SaMD WG/N81 DRAFT: 2024
5
IMDRF/SaMD WG/N81 DRAFT: 2024
6
IMDRF/SaMD WG/N81 DRAFT: 2024
105 • This document is not intended to replace or conflict with existing IMDRF
106 publications such as those published by the Artificial Intelligence (AI) or
107 Cybersecurity Working Groups; however, it is acknowledged that there are direct
108 relationships and overlap with those publications, and this document is intended to
109 be complementary.
110 • The content in this document is not regulation and does not imply a convergence of
111 regulations or categorization rules across jurisdictions. Additional work may be
112 required to apply and align these concepts in a given jurisdiction.
7
IMDRF/SaMD WG/N81 DRAFT: 2024
113 3. References
114 • IMDRF SaMD WG N10 FINAL:2013 Software as a Medical Device: Key
115 Definitions
125 • IEC 62304 Medical device software — Software life cycle processes
126 • AAMI TIR57 Principles for medical device security – Risk Management
8
IMDRF/SaMD WG/N81 DRAFT: 2024
142 This information is essential for identifying and validating the relevant user and clinical
143 requirements, assessing the adequacy of supporting evidence, identifying and
144 controlling risks, determining user-centered labelling and transparency requirements,
145 managing product changes, ensuring proper use while mitigating against misuse, and
146 enabling patient-centered healthcare.
147 The following two sub-sections discuss considerations for manufacturers when
148 characterizing medical device software within the intended use/intended purpose
149 statement and device description. These considerations can support the determination
150 of the pertinent and meaningful information to include within medical device software
151 documentation, regulatory submissions, device labelling and user interfaces. All
152 features and attributes listed may not be relevant for every device but are included for
153 consideration. What is communicated will be dependent on the stakeholder and the
154 characteristics determined to have an impact on risk for the specific device.
9
IMDRF/SaMD WG/N81 DRAFT: 2024
171 In order to foster and encourage clear and comprehensive intended use statements
172 for medical device software, Key Elements of an intended use/intended purpose
173 statement are captured in section 4.1.1 below. A sample statement guide can be
174 found in Appendix A. It is important to note that not all elements will be applicable to
175 every medical device software and the information provided in these sections is solely
176 for consideration by manufacturers in the development of the medical device software
177 labelling, documentation and regulatory submissions, as appropriate. The sample
178 statement may not be appropriate for all medical device software depending on the
179 technology and intended use.
197 The following four subsections discuss detailed and interrelated information that can
198 be relevant to the characterization of a medical device software, organized according
199 to the following four types or categories of information:
10
IMDRF/SaMD WG/N81 DRAFT: 2024
215 A medical device may be used in different stages of the care pathway, such as
216 diagnosis (e.g., primary diagnosis, screening, triage, staging, etc.); treatment (e.g.,
217 relieving symptoms or restoring function); prevention (e.g., averting the occurrence of
218 a disease or condition); prediction (e.g., disease prognosis, anticipated treatment
219 response, etc.) or monitoring (e.g., ongoing assessment of patient parameters).
220 Understanding the specific medical purpose that the device performs or is used in
221 achieving is a key part of characterizing the medical device software.
222 The condition or disease for which the medical device software is meant to be applied,
223 and the general state of that condition or disease (for example, the grade, stage or
224 level), are important pieces of information at the center of characterizing a medical
225 device software and determining the associated criticality or seriousness of the
226 situation and importance of the output.
227 Finally, the intended patient population provides an important boundary within which
228 the medical device software is meant to apply and another defining feature of the
229 medical device software characterization. In this document, the term patient is used to
230 refer to individuals that receive or await healthcare with the use of the medical device
231 software. The intended patients may be in a specific subgroup of the population (e.g.,
232 specific age, sex, gender, ethnicity, race, disability, diagnosis; or a fragile and/or
233 vulnerable group; etc.), or specific intersection of subgroups of the population (e.g.,
234 specific age group + specific sex + those at risk of a specific condition)
235 The following table summarizes the identified features and attributes that help
236 characterize the medical problem and/or objective.
Medical Purpose Diagnosis (e.g., primary diagnosis, screening, triage, etc.), Prevention,
Monitoring, Mitigation, Prediction, Treatment, etc.
11
IMDRF/SaMD WG/N81 DRAFT: 2024
246 The intended user could be a non-clinical user, a non-physician medical professional,
247 a general practitioner medical doctor (MD), a specialist physician, or a combination of
248 these users. A non-clinical user, or lay-user, includes those users that are not trained
249 or qualified to provide medical care, which might include a caregiver or patient user, or
250 other users without medical qualifications. Licensed medical professionals that are
251 non-physicians include nurses, dentists, psychologists, radiation therapists,
252 physiotherapists, etc. General practitioner (GP) medical doctors include, for example,
253 primary care physicians or family doctors, while specialist physicians include
254 radiologists, oncologists, dermatologists, psychiatrists, pathologists, surgeons, etc.
255 The intended use environment describes the setting in which patient healthcare, with
256 the medical device software, is meant to take place. This could be a non-clinical
257 environment, a general healthcare environment, or a specialty healthcare
258 environment. A non-clinical environment would include home-use; general healthcare
259 environments would include primary care clinics, dental offices, etc.; and a specialty
260 healthcare environment would include, for example, emergency rooms, intensive care
261 units, dermatology clinics, surgical operating rooms, and oncology departments within
262 a hospital.
263 Another important aspect of the context of use is the finality of the software output
264 and/or its weight in relation to the outcome of the healthcare task/intervention. The
265 timing within the healthcare task/intervention is a feature that helps to contextualize
266 the output in terms of being early, midway, or late in the healthcare task/intervention.
267 Similarly, the role of the software output within the healthcare task/intervention
268 illustrates the relationship of the output amongst the steps in the healthcare
269 task/intervention, in terms of relative chronology and the software’s dependence on
270 and/or input to the other steps. Taken together, these two features help to describe
271 the impact or influence a software may have on the overall trajectory and outcome of a
272 patient’s care. These are important to understand the “weight” of the software’s use
273 and can help to identify where and how effects from the software use can alter the
274 course of a patient’s healthcare experience.
275 The following table summarizes the identified features and attributes that can help
276 characterize the context of use.
12
IMDRF/SaMD WG/N81 DRAFT: 2024
Intended User Lay user/nonclinical user (e.g., caregiver, patient user, user without medical
qualifications),
Timing Within Healthcare Early (e.g., triage, prediction of future diagnoses, early investigations upon
Task/Intervention suspicious symptoms or information, physiological signal or medical image
acquisition for use in diagnosis or treatment planning),
* Note: these 3 phases (Early, Midway and Late) described above serve as
reference points, and it is not crucial to state which phase should be applied.
Rather, it is important to characterize the timing of the output relative to the
final intervention, decision, or action as well as the relative chronology of how
the product will be introduced in relation to other steps (e.g., prior steps,
concurrent steps, conditional steps, subsequent steps) and current standard
medical practices.
Role Of Software Output Within Software output’s relationship to the healthcare task/intervention steps,
the Healthcare Task/Intervention such as the output’s contribution to the relevant healthcare decision or action
(for example, intended as an aid that is combined with current practice);
alteration of standard/current practice (for example, intended to replace or
substitute all or part of current practice, to provide a new scheme, etc.);
dependence on other steps (e.g., uses output values or clinical decisions from
prior steps, concurrent steps, conditional steps); and/or influence over other
steps (e.g., provides input to concurrent steps, subsequent steps, conditional
steps, or final intervention/decision).
13
IMDRF/SaMD WG/N81 DRAFT: 2024
283 The types of output provided by a medical device software could be a clinical
284 interpretation or intervention, a workflow recommendation, or data or information for
285 use in a medical purpose. Clinical interpretations or interventions can include, for
286 example, a probability, prediction, detection, diagnosis, severity, prognosis, grade, or
287 stage of a disease or condition; or the prescription, treatment, therapy, recommended
288 dosage or treatment plan for a disease or condition. A workflow recommendation, in
289 contrast, is not an interpretation on the clinical decision or action but rather an
290 intermediate step in the workflow, such as recommended contrast dye dosage;
291 imaging technique, modality, or parameters; surgical tool choice; supplementary
292 medical tests, etc. Data for use in medical purpose is output by a medical device
293 software for use in a medical purpose and is typically more objective, such as
294 anatomy measurements or volumes, segmented or contoured organs, tissues;
295 processed, reconstructed, or de-noised images; processed signals or waveforms such
296 as from electrocardiographs or electroencephalographs.
297 The input to the medical device software influences the function of the device and is
298 fundamental to understanding the medical device software, the output, and the
299 associated risks and considerations. The source of those inputs may be a human user
300 (e.g., patient inputted symptoms or conversations), a medical device (e.g., a medical
301 image), or a non-medical device or consumer product (e.g., smart-phone photos, EHR
302 data from patient chart). Notably, the inputs to a medical device software do not
303 necessarily have to be medical information or to come from a medical device.
304 Regulators may consider the impact that non-medical data or data sources have on
305 the safety and effectiveness of a medical device software. However, the use of non-
306 medical data sources in a medical device software does not change the regulatory
307 status of the source of non-medical data.
308 The level of automation of the task and output refers to the degree to which the output
309 requires and receives review and approval by the user, which can range from fully
310 automated or conditionally automated to semi-automated, and manual. A fully
311 automated output does not require review or approval and cannot be modified by the
312 user, while conditionally automated tasks have some outputs that are flagged for
313 review and the user has a way to go back and edit the output, for example if it is
314 assigned low confidence or high risk. Semi-automated outputs are made available for
315 critical assessment and approval or editing and, finally, for manual outputs, the user
316 controls the generation of the output. The level of automation is determined
317 irrespective of whether the user is a clinical or non-clinical user.
14
IMDRF/SaMD WG/N81 DRAFT: 2024
328 The level of intelligibility, transparency, and explainability of the underlying logic is also
329 an important characteristic of a medical device software. This includes the information
330 about the software algorithm or technology utilized (such as, deterministic formulae;
331 machine learning approaches; mathematical simulations; etc.) and information about
332 how an output or result was reached or the basis for a decision or action. This aspect
333 could be attributed as explained and comprehensible; partially explained or partially
334 evaluable (e.g., output provided with saliency maps); or as not explained or
335 incomprehensible (e.g., Black Box). Understanding this aspect of a medical device
336 software contributes to the assessment of risks and uncertainties, as well as
337 determining supporting evidence expectations.
338 The destination or target of the output could include outputs intended to be provided to
339 human users, or to medical devices or consumer products (either with or without
340 intermediate use by a human user).
341 The following table summarizes the identified features and attributes that can help
342 characterize the device function and/or use.
Level of Task Automation Fully automated (i.e., output does not require review/approval and cannot
be modified by the user),
Conditionally automatic (some outputs are flagged for review or user has
a way to go back and edit the output, for example if assigned low
confidence/high risk),
Semi-automatic (processed output is made available for critical
assessment and approval or editing),
Degree of Clinical Autonomy Independent/Autonomous (i.e., output impacts subsequent clinical action
or decision without clinical user in the loop),
15
IMDRF/SaMD WG/N81 DRAFT: 2024
Destination/Target of Output Input to human user; Input to medical device; Input to a consumer
product
345
359 Another aspect of software change management is the infrastructure for installation,
360 updates and error corrections. Updates and changes to the software can be provided
361 in response to software failures, errors, opportunities for improvement, critical
362 performance updates, and recalls. Software-specific risks and risk controls can
363 depend on the software distribution channels (app stores, manufacturer homepage,
364 web application, etc.) and software installation locations (mobile phones, hardware
365 medical devices, or personal computers (PCs) of the users, server anywhere in the
366 world or one single server at the manufacturer site).
367 Distribution channels, such as app stores offering medical device software, may not
368 be regulated in all jurisdictions. Surveillance challenges and unclear responsibilities
369 may occur in cases of recalls, field safety corrective actions and distribution of
370 information. Furthermore, software installation location can influence the effectiveness
371 and speed of access to updates or the deactivation of erroneous or recalled software
372 and the traceability of affected installations and users.
373 The following table summarizes the identified features and attributes that can help
374 characterize the device change management, including the degree of change
375 autonomy, the change domain and infrastructure for installation, updates and error
376 correction.
16
IMDRF/SaMD WG/N81 DRAFT: 2024
Installation, Update and Error Distribution channels (e.g., app stores, manufacturer homepage, web
Correction Infrastructure application),
379
17
IMDRF/SaMD WG/N81 DRAFT: 2024
Devices
18
IMDRF/SaMD WG/N81 DRAFT: 2024
412 Further, it is important to consider that software-specific hazards often sit at the
413 junction of both safety and cybersecurity risks. Therefore, it can be helpful to consider
414 software-specific considerations pertaining to harm as a combination of how harm is
415 defined for safety and cybersecurity. In other words, medical device software-specific
416 consideration of harm could be viewed as relating to injury or damage to the health of
417 people 2 and reduction of effectiveness 3 – where “reduction of effectiveness” can result
418 from inadequate, incorrect, or absent data supplied to a human or product at an
419 inappropriate time, rate, or with an inadequate method. For example, injection of
420 unwanted or unintended bias into a decision-making system, whether or not it results
421 in direct harm to a patient, can be understood as a harmful reduction in effectiveness.
422 In other words, the introduction of the particular software solution has had a negative
423 impact on the decision-making system. Often, this can also be viewed as accounting
424 for “indirect harm” from the software, as noted above.
425 Performance-related hazards pertinent to software – that is, specifically information-
426 related hazards - can impact the function of other products or systems, how workflows
427 or processes are informed, and can directly impact user decision making. As such, a
428 harmonized discussion of how to identify, characterize, and contextualize these
429 possible harms and their impact on device risk can provide greater understanding for
430 why risk categorization for medical device software may be highly variable across
431 regulatory jurisdictions, as well as how to articulate these differences more
432 consistently.
433 Key Points:
434 • When evaluating the risk posed by software, both direct and indirect harms should
435 be considered.
436 • Because hazards associated with software are typically information-based
437 hazards (such as delayed, inappropriate, or erroneous information), it is important
438 to consider potential harm as both injury or damage to health as well as a
439 reduction in effectiveness when accounting for indirect harms.
440 • The possible harms and associated risks related to implementing software are
441 dependent on a device’s specific intended use.
442
443 Below, general considerations for identification and analysis of software-specific
444 hazardous situations are discussed, as well as considerations when carrying forward
445 these hazardous situations as part of risk estimation. These approaches are intended
446 to provide a shared means of discussing the unique risks posed by software that
447 meets the definition of a medical device, and how such an understanding may drive
448 device risk categorization across any number of risk categorization systems, layers in
449 part or in whole.
450
2While ISO 14971:2019 defines harm as “injury or damage to the health of people, or
damage to property or the environment.” it can be helpful to consider, more
specifically, harm as it relates to “injury or damage to the health of people” when
discussing medical device safety in this document. The narrower definition of patient
harm has the net effect of prioritizing regulatory review of those changes necessary to
protect public health.
3Harm is defined in TIR57: 2016/(R)2023 as “physical injury or damage to the health
of people, or damage to property or the environment, or reduction in effectiveness, or
breach of data and systems security” as described in IEC 80001-1:2021.
19
IMDRF/SaMD WG/N81 DRAFT: 2024
20
IMDRF/SaMD WG/N81 DRAFT: 2024
494 For medical device software, this determination requires the identification of the
495 potential direct and indirect harms associated with hazardous situations, such as
496 erroneous outputs from the software, followed by an assessment of the severity of
497 those harms, such as reductions in life expectancy, psychological injury, or
498 inappropriate or unnecessary invasive treatment. While probability of harm can
499 generally be helpful to consider when estimating risk, there is not broad consensus on
500 a method for quantitatively estimating probability of occurrence of software failure.
501 Additionally, cybersecurity risk management often considers exploitability of
502 vulnerabilities rather than probability of occurrence of harm; and it is generally
503 understood that probability of software-related harms can be influenced by factors like
504 usability, which can make estimation further challenging. 4 To this end, when
505 estimating software-specific risks, it can be helpful to set the probability of software
506 failure to 1 and if possible, estimate the probability based on other factors to perform
507 risk estimation.
508 The guiding questions in section 5.1 can provide a basis for isolating software-specific
509 hazards and for contextualizing their potential severity of harm, on the basis of
510 understanding how applying a specific software solution can affect the way the
511 medical device intended use/purpose is achieved.
512 These concepts can then be leveraged for risk characterization (e.g., through risk
513 assessment per ISO 14971) and the determination of the severity of direct or indirect
514 harm caused by a given, software-specific hazardous situation (e.g., catastrophic,
515 critical, serious, minor, negligible). Once harms are identified, the approach to
516 “software-contributed” risk estimation is not unique. That said, when software may
517 need to be considered in the context of a broader device to achieve an intended
518 use/purpose, it can also be helpful to consider whether the software becomes a
519 single-point failure for a given possible harm and, if so, how this may impact risk
520 estimation and associated mitigations.
21
IMDRF/SaMD WG/N81 DRAFT: 2024
531 Different jurisdictional authorities may have distinct philosophies and legal obligations
532 which shape their different risk-based classifications. Therefore, the discussion
533 provided in section 5 and further illustrated in Appendix B is intended as a common
534 basis for considering and articulating how characterization features impact the risk of
535 software that meets the definition of a medical device, particularly through the lens of
536 the interdependent factors shaping an understanding of risk specific to software for a
537 given intended use/purpose. Put another way, this document intends to provide insight
538 into how a particular software risk categorization could be concluded without
539 prescribing a single “correct” and universal category to any given device. As noted
540 previously, among other complications, software-specific risks may have a significant
541 but not exclusive influence on the risk categorization applicable to a given device. In
542 premise, this document can serve as the basis for discussing a given understanding of
543 a medical device software’s risk within a broader device system or regulatory
544 structure.
22
IMDRF/SaMD WG/N81 DRAFT: 2024
23
IMDRF/SaMD WG/N81 DRAFT: 2024
585 The [name of medical device software] is software intended for use in the
586 [medical purposes] of [conditions/diseases/disorders] in [intended patient
587 populations]. This software is intended to be used by [intended user
588 populations] in [intended use environments]. This medical device software is
589 contraindicated for [contraindications]. This medical device software uses
590 [inputs] in order to produce [description of outputs]. These outputs are
591 [description of how the output is intended to be used, how it fits in the clinical
592 or healthcare workflow and how it contributes to the final healthcare
593 decision/action].
24
IMDRF/SaMD WG/N81 DRAFT: 2024
594 Appendix B:
595 Characterization Feature
596 Summary Table
Information Characterization Feature Potential Feature Attributes
Grouping
Context of Intended User Lay user/nonclinical user (e.g., caregiver, patient user,
Medical user without medical qualifications),
Device
Licenced medical professional, non-physician (e.g.,
Software
registered nurse, dentist, psychologist, radiation therapist,
Use
physiotherapist, etc.),
25
IMDRF/SaMD WG/N81 DRAFT: 2024
Timing Within Healthcare Early (e.g., triage, prediction of future diagnoses, early
Task/Intervention investigations upon suspicious symptoms or information,
physiological signal or medical image acquisition for use in
diagnosis or treatment planning),
Role Of Software Output Within the Software output’s relationship to the healthcare
Healthcare Task/Intervention task/intervention steps, such as the output’s contribution
to the relevant healthcare decision or action (for example,
intended as an aid that is combined with current practice);
alteration of standard/current practice (for example,
intended to replace or substitute all or part of current
practice, to provide a new scheme, etc.); dependence on
other steps (e.g., uses output values or clinical decisions
from prior steps, concurrent steps, conditional steps);
and/or influence over other steps (e.g., provides input to
concurrent steps, subsequent steps, conditional steps, or
final intervention/decision).
26
IMDRF/SaMD WG/N81 DRAFT: 2024
Level of Task Automation Fully automated (i.e., output does not require
review/approval and cannot be modified by the user),
27
IMDRF/SaMD WG/N81 DRAFT: 2024
Installation, Update and Error Distribution channels (e.g., app stores, manufacturer
Correction Infrastructure homepage, web application),
597
28
IMDRF/SaMD WG/N81 DRAFT: 2024
29
IMDRF/SaMD WG/N81 DRAFT: 2024
Medical Problem Medical Purpose •Is the medical device software intended to be used as
and/or Objective adjunctive or alongside other tools or treatment? Is the
medical device software intended to replace or augment
a system or process? If it is meant to augment, in what
manner is the medical device software augmentative (for
example, is the software output additive or confirmatory
to another process or outcome)?
Intended Condition/Diseases/ Disorders •How, if at all, does the condition/disease (for example,
and Grade/Stage/Level acute or chronic) that the medical device software intended
for impact the criticality of the data output by the
software?
Intended Patient Population •Does the intended patient population include a specific
vulnerable subgroup?
Context of Intended User •Does the medical device software enable new/different
Medical Device users to achieve the clinical task than those who would
Software Use perform the task without the software?
30
IMDRF/SaMD WG/N81 DRAFT: 2024
Intended Use Environment •Is use of the medical device software providing a clinical
task or service in an environment that would not
otherwise have such tasks or services available (e.g.,
would otherwise require an expert present)?
Timing Within Healthcare •Does the user have adequate time to review the basis
Task/Intervention for the information output by the software or to review and
curate the information being used as input to the software?
Role Of Software Output Within the •Does an erroneous output from the software at the
Healthcare Task/Intervention intended point in the workflow put the patient on a path
toward subsequent harm?
Device Function/ Output Type •Is the output supplementing additional information to
Use contribute to a clinical interpretation or workflow
recommendation? Is it a replacement or substitution for
information meant to determine a clinical interpretation,
workflow recommendation, or as data for use in a medical
purpose?
31
IMDRF/SaMD WG/N81 DRAFT: 2024
•Is the output Boolean, e.g., values that are either true, or
false?
Input Source •Is the input source from a human user, medical device, or
consumer product?
Level of Task Automation •Does the user control generation of the output?
Degree of Clinical Autonomy •Is a user in the loop? Is the user in the loop a health care
professional?
Medical Device Degree of Learning/Change •Does the medical device software independently change
Software Management Autonomy its underlying algorithms?
Change
•How often is medical device software performance
Management
verified?
32
IMDRF/SaMD WG/N81 DRAFT: 2024
Installation, Update and Error •What specific channels are used to distribute the
Correction Infrastructure medical device software?
610
33
IMDRF/SaMD WG/N81 DRAFT: 2024
629 Scenario: The software is intended to analyze health related data including
630 data from electronic health records, laboratory tests, and other diagnostic
631 tests to identify individuals with pre-diabetes (i.e., an early marker of diabetes)
632 with an output that is reviewed by healthcare practitioners.
634 The Product X is software intended for use in the diagnosis of prediabetes
635 in adult men and women at risk of developing diabetes. This software is
636 intended to be used by medical professionals in general healthcare
637 environments. This medical device software is developed using a machine
638 learning model. This medical device software is used for patients without
639 an existing diabetes diagnosis. This medical device software uses specific
640 data within the electronic health records (EHR) in order to produce a
641 conditionally automatic algorithm output that provides likelihood of
642 developing diabetes. These outputs are conditionally independent/
643 autonomous (i.e., output is presented to healthcare providers for review
644 above a threshold %) and are intended to be used as a clinical workflow
645 recommendation for additional testing or follow-up based on
646 established guidelines.
34
IMDRF/SaMD WG/N81 DRAFT: 2024
Medical Purpose •Is the medical device software intended to be used as adjunctive or alongside other tools or
treatment? Is the medical device software intended to replace or augment a system or
process? If it is meant to augment, in what manner is the medical device software
augmentative (for example, is the software output additive or confirmatory to another
process or outcome)?
•Is the output of the software, itself, intended to be therapeutic or a treatment? Is the
software output used for decision making with diagnosis or therapeutic purposes? Is the
software used to monitor physiological processes or vital physiological parameters? Does the
software have alarm functions used to prompt immediate intervention?
Intended •How, if at all, does the condition/disease (for example, acute or chronic) that the medical
Conditions/ device software is intended for impact the criticality of the data output by the software?
Diseases/
•Does the condition/disease modify the timing of when the information is needed or is
Disorders and
provided or must be used?
Grade/Stage/Level
•Does the condition/disease define the sensitivity or accuracy of the information needed for
the input or output of the software? Could the nature of variation of monitored parameters
result in immediate danger to the patient?
•Could the decisions or diagnostics made by the software output have an impact that may
cause death or an irreversible deterioration of condition/disease or a serious deterioration in
condition/disease or a surgical intervention?
Intended Patient •Does the intended patient population include a specific vulnerable subgroup?
Population
•How diverse is the intended patient population? How generalized does the information need
to be to perform adequately across the intended patient population? How specific?
•Does the medical device software accurately reflect the demographics, backgrounds, and
characteristics of the population the software will be used for?
652
653 In this example, we first consider questions related to the Medical Problem and/or
654 Objective:
655 In considering the Medical Purpose, we recognize that this medical device software is
656 intended to be used alongside other tools or treatments i.e., used alongside additional
657 diagnostic test results, treatments, and data available in electronic health records. The
658 medical device software is intended to augment a system or process i.e., the software
659 output is used as a tool to aid in the diagnosis of pre-diabetes. Here, it is helpful to
660 consider that the software is intended to augment and aid, which suggests the output
661 may not be the sole influence on the related clinical decision point. If the software
662 output is not a single point failure that will lead to patient harm, this can impact our
663 understanding of the software’s risk.
35
IMDRF/SaMD WG/N81 DRAFT: 2024
679 The Intended Patient Population in which this medical device software is intended to
680 be used includes the general public but may include vulnerable subgroups such as
681 individuals of different ethnicities, different age groups (e.g., <40, 40-60, >60 years
682 old). The intended patient population is the general public that is representative of the
683 demographics in the local userbase which may include regional, state, or at the
684 national level. This information needs to be broadly generalizable to perform
685 adequately. As a diagnostic aid the performance of the software must have adequate
686 sensitivity and specificity; however, the performance is dependent on the prevalence
687 of the condition (i.e., pre-diabetes) being tested. Because this software is intended for
688 a general population, the software may need to operate in consideration of a wide
689 variety of patients in the intended population.
36
IMDRF/SaMD WG/N81 DRAFT: 2024
Intended User •Does the software enable new/different users to achieve the clinical task than those
who would perform the task without the software?
•Does the user have the expertise, or access to the expertise, necessary to
understand the inputs and/or outputs of the software?
Intended Use •Is use of the medical device software providing a clinical task or services in an
Environment environment that would not otherwise have such services available (e.g., would
otherwise require an expert present)?
•Can external factors, both physical and digital, affect the use, input or output of the
device?
•Do the expected virtual conditions and computing environment require additional
software controls and/ or impact the users’ access to the software?
Timing Within Healthcare •Does the user have adequate time to review the basis for the information output by
Task/Intervention the software or to review and curate the information being used as input to the
software?
•Could the software output initiate a healthcare intervention that would not
otherwise be identified by a particular user or in a particular setting (e.g., pre-
screening information prompting a patient to speak to a doctor about a possible
condition)?
Role Of Software Output •Does an erroneous output from the software at the intended point in the workflow put
Within the Healthcare the patient on a path toward subsequent harm?
Task/Intervention
•Is the frequency of output appropriate to its role and timing in the workflow (e.g., is
there a potential for notification fatigue)?
•Does the software create a single point of failure in the clinical task/intervention?
691 Continuing the example, we consider questions related to the Context of Device Use:
692 In considering the Intended User, we recognize this medical device software enables
693 both new and different users (i.e., different Health Care Providers (HCPs)) to achieve
694 the clinical task (i.e., to identify individuals with pre-diabetes) that would otherwise not
695 be performed without the software. This medical device software can be used by
696 different intended users (i.e., different primary care and/or specialty HCPs). The
697 software is analyzing health related data in electronic health records that does not
698 require the user (i.e., HCP) to have specialized training. This medical device software
699 requires the user (i.e., HCP) to have the necessary expertise to understand the input
700 (i.e., type of data in electronic health records that the software analyzes) and the
701 output (i.e., pre-diabetes) produced by the software.
37
IMDRF/SaMD WG/N81 DRAFT: 2024
702 The Intended Use Environment for this medical device software includes providing
703 services in a healthcare (i.e., clinical) environment and is not intended to function
704 outside healthcare settings or in those settings where healthcare is not being delivered
705 with access to an electronic health record (i.e., settings using paper-based records).
706 External factors (i.e., those factors that can impact the function of the medical device
707 software) such as physical (e.g., physical related factors) and digital (e.g., broadband,
708 internet connectivity, access issues to different healthcare databases) factors, may
709 have a minor or negligible effect on the use, input, or output of the device. Further, the
710 restricted intended use environment reduces the variability of operating conditions
711 where the software must perform adequately.
712 As for the Timing within Healthcare Task/ Intervention, we recognize that the output of
713 this medical device software is considered routine and non-urgent. The user has
714 adequate time to review the output of this medical device software and to curate and
715 review the basis or information used as its input. Because of the intended timing, the
716 impact of the software’s risks may overall be considered lower than those risks might
717 be in a time-critical or urgent use case. Because some patients for whom review might
718 be impactful to their future care could be missed if the software does not present their
719 cases for review, there is a possible harm that could occur distantly from the use of
720 the software.
721 When considering the Role of Software Output within the Healthcare
722 Task/Intervention, we recognize that as a recommendation for further testing, the risk
723 of output from the software at the intended point in the workflow putting the patient on
724 a path toward subsequent harm is low. The frequency of output from the software and
725 timing in the clinical workflow do not present risks of notification fatigue. The software
726 also does not present a single point of failure in the clinical task/intervention as other
727 data within the patient’s primary care routine to identify symptoms of prediabetes.
728 As we consider questions related to the Context of Device Use, the Intended User for
729 the medical device software in the scenario provided is limited to healthcare
730 practitioners in the Intended Use Environment of a health care facility. This, in
731 combination with the Timing within Healthcare Task/Intervention and Role of Software
732 Output within the Healthcare Task/Intervention considerations indicates that these
733 characterisation features pose a lower impact on overall risk characterization.
734
735 A.2.3 Device Function Use
Output Type •Is the output supplementing additional information to contribute to a clinical interpretation
or workflow recommendation? Is it a replacement or substitution for information meant to
determine a clinical interpretation, workflow recommendation, or as data for use in a
medical purpose?
•Is the output commonly accepted in clinical practice or based upon sound scientific
principles? Is the output proprietary?
•Is the output Boolean, e.g., values that are either true, or false?
Input Source •Is the input source from a human user, medical device, or consumer product?
•Is the input source unique or could the data be obtained through other methods or
sources?
38
IMDRF/SaMD WG/N81 DRAFT: 2024
•Is an adequate input source governed by specific parameters such as rate, sensitivity,
or precision?
•Is the input data direct or informed or transformed by other tools, products, or
intermediaries?
•Are there multiple input sources or data types? Are they interdependent?
•Are some outputs are flagged for review or provide a way to go back and edit the output,
for example if assigned low confidence/high risk?
Degree of Clinical •Is a user in the loop? Is the user in the loop a health care professional?
Autonomy
Intelligibility/Transpar •Is the functionality of the product explained and understood by the user?
ency/Explainability of
•Is the functionality of the product explained and understood by users other than the
Underlying Logic
patient? Is different information provided to different user groups or patients?
including the
Algorithm/Technology •Is the functionality partially explained or partially able to be evaluated by the user?
used and How and (e.g., output provided with saliency maps)?
Output is Reached
Destination/Target of •Is the output the only instruction/data/information needed to drive the target’s next
Output action?
736
737 Continuing the example, we consider questions related to the Device Function/ Use:
738 In considering the Output Type, we recognize this medical device software provides
739 additional information (i.e., diagnosis of a pre-diabetes state) that supplements clinical
740 recommendations (e.g., for subsequent diagnostic testing) with data that is used for a
741 medical purpose (e.g., recommendations for lifestyle modification and/or treatments).
742 The output of this medical device software is commonly accepted in clinical practice
743 (i.e., the diagnosis of pre-diabetes) and, provided it has been adequately validated
744 with an appropriate indication for use, is based on sound scientific principles. This
745 medical device software output is considered proprietary, because the specific
746 calculation to arrive at a threshold to present the output to the HCP for review is
747 devised by the company and is not simply a well-known and accepted threshold or
748 calculation. Access to the output of this medical device software is first made available
749 to the HCP who ordered the use of this software (i.e., analysis of health-related data
750 for an individual who does not have pre-diabetes to determine if pre-diabetes is
751 present in this individual). Thereafter, the output of this medical device software is
752 accessible by HCPs who are providing care to this individual and information is not
753 withheld from the HCP on the basis of a specific product access tier. The information
754 is also not meant to be shared with a wide variety of users such that varying levels of
755 access is implemented, such as might be the case if the product’s outputs were meant
756 for review by both patients and their providers.
39
IMDRF/SaMD WG/N81 DRAFT: 2024
757 The Input Source of this medical device software is unique and limited to the data that
758 is available in electronic health records for individuals in whom this software will be
759 used. The input data cannot be obtained through other methods or sources. The input
760 source of this medical device software is governed by specific parameters, notably
761 structured data in electronic health records (e.g., diagnostic testing results, vitals
762 measurements, demographic information). The input data of this medical device
763 software is not transformed by other tools or products. This medical device software
764 contains one input source (i.e., data in electronic health records) but includes multiple
765 interdependent data elements (e.g., demographic data, laboratory and diagnostic
766 testing results, treatments). These structured, regular data inputs from known sources
767 of expected uniform quality do not appear to introduce novel or altered risks as a
768 result of introducing the software solution. An HCP would review the same data to
769 make an independent decision if the software was not available.
770 In considering the Level of Task Automation, we recognize the user does not control
771 generation of the output for this medical device software. The output of this medical
772 device software does not require review/approval or allow modification by the user,
773 and the output of this medical device software does not enable retrospective editing of
774 the output. Because of the nature of the task this software is meant to perform, which
775 does not immediately impact a next clinical action without review and provides a new
776 datapoint (threshold) rather than a modification of existing data, the level of task
777 automation may not introduce risks specific for this device software. We also
778 recognize the user can review the basis for the output of this medical device software
779 and the user does not control or review the inputs for this medical device software.
780 Only certain outputs of the software will be elevated to the HCP’s attention, which
781 suggests that the software solution may introduce a different risk than those present if
782 the task was completed manually (e.g., failing to identify at-risk patients to present to
783 the HCP that they might otherwise have noted if reviewing the data manually).
784 In terms of the Degree of Clinical Autonomy, a clinician is in the loop to review any
785 outputs flagged by the software and to make the next decision in the clinical workflow
786 – such as follow up tests for the patient. However, as noted above, a clinician will not
787 be informed of patients who have not met the threshold to be considered “at risk” by
788 the software.
789 Considering the Intelligibility/Transparency/Explainability of Underlying Logic, we
790 recognize the functionality of this medical device software is explained (i.e., within its
791 indication for use and ordering requirements) and is understood by the user. The
792 functionality of this medical device software is explained to and can be evaluated by
793 the user (i.e., input data includes structured data elements in electronic health
794 records). The analysis (i.e., statistical or computational approach) is partially explained
795 to the user.
796 Considering the Destination/Target of Output, this software likely does not provide an
797 output that would be the sole instruction/data/information to drive the HCP user’s next
798 step. The output will present cases for the HCP to review and introduce a single new
799 datapoint (patient has been identified as above a threshold). The HCP will have the
800 patient’s data for review in addition to the information that the patient has exceeded
801 the threshold to help inform their next decision. However, as noted above, the HCP
802 will not be presented with any data on patients who do not exceed the software’s
803 threshold, which could result in no decision made for such patients.
40
IMDRF/SaMD WG/N81 DRAFT: 2024
804 After consideration of questions related to Device Function Use it may be considered
805 that the output type, supplementing additional information to contribute to a clinical
806 interpretation or workflow recommendation, in this case a prediction or diagnosis
807 commonly accepted in clinical practice or based upon sound scientific principles, may
808 not greatly impact the risk of the device. However, the specific threshold calculation is
809 proprietary and the software is replacing a manual review of a patient record and
810 introduces the possibility of incorrectly filtering patients for review by the HCP.
811 A.2.4 Device Change Management
Degree of •Does the medical device software independently change its underlying algorithms?
Learning/Change
•How often is medical device software performance verified?
Management
Autonomy •Are updates to algorithmic performance driven by non-clinical or clinical users, or
manufacturer driven, or a combination of these users?
Installation,
•What specific channels are used to distribute the medical device software?
Update and Error
Correction
•Does the medical device software have multiple installation locations? Where are
Infrastructure
corrections initiated?
41
IMDRF/SaMD WG/N81 DRAFT: 2024
826 In summary, for such a product, overall impact on risk posed, or introduced, by the
827 software takes into consideration multiple characterization features across information
828 groupings, and those that are most relevant to the particular device software may be
829 different depending on the device’s intended use/purpose. For this reason, it is critical
830 to have a clear description of the software to help build an understanding of the role of
831 the medical device software and its unique implementation. For this example device,
832 the particular software solution may introduce risks related to the automation of a
833 previously manual step and new failure points in the intended workflow. However,
834 because of the device’s medical purpose and context of use, these potential risks may
835 not have notably high impact. These considerations can be taken together when
836 considering how the decision to design this software solution may impact the overall
837 risk of the device or raise different hazards.
42
IMDRF/SaMD WG/N81 DRAFT: 2024
Scenario 1.2: The software is intended to be used to reduce and relieve pain in
osteoarthritis patients that cannot take other pain relief medication.
847 In both scenarios in example 1 above, the intended use of the medical device software
848 is to provide therapy to reduce and relieve pain, where the cause of such pain (i.e., the
849 Intended Condition/Disease/Disorder and Grade/Stage/Level) is not the primary
850 distinguishing feature that contributes to understanding the risk of the medical device
851 software. Rather, in this case, understanding whether the medical device software is
852 intended to be used adjunctively (i.e., the Medical Purpose) contributes significantly to
853 potential hazards considered in the risk analysis of the software.
854 In scenario 1.2, the software is meant to provide therapy for patients who cannot
855 utilize other pain relief therapy. Because the software is itself intended as therapy and
856 cannot be used with, or adjunct to, additional treatment, the risk of the software could
857 be considered higher in scenario1.2 than 1.1. The failure of the software output to
858 provide efficacious therapy may be considered a single-point failure for achieving the
859 intent of patient pain reduction or relief, and therefore the intended medical purpose
860 may contribute to the hazards considered in risk analysis more than the software used
861 in conjunction with other therapy, described in scenario 1.1.
862 In these two scenarios for a similar medical device software, we see that within the
863 Medical Problem and/or Objective information grouping, characterization features
864 contribute to the risk of the software differently. For such a product, the Intended
865 Condition/Disease/Disorder and Grade/Stage/Level does not solely impact the risk
866 posed by the software, but a more detailed understanding of the Medical Purpose
867 contributes to a more complete understanding of the medical device software’s risk.
43
IMDRF/SaMD WG/N81 DRAFT: 2024
Scenario 2.1: The software is intended to aggregate data and highlight trends from
a wearable monitor for patients diagnosed with heart failure to help patients monitor
their risk of hospitalization. The software helps to provide simple data visualizations
to better understand the patient’s longitudinal data, such as tracking an individual’s
health, care usage, and outcomes over time.
Scenario 2.2: The software is intended to aggregate data and highlight trends from
a wearable monitor for patients diagnosed with heart failure to help patients and
their healthcare provider with longitudinal data about the patient’s heart health. The
software provides simple data visualizations, including highlighting trends, to help
the healthcare provider monitor their patient’s risk of hospitalization between
regularly scheduled visits and could be used to inform treatment-related decisions.
868 In example 2 above, the intended user for the medical device software in scenario 2.1
869 is limited to patients seeking to obtain more information about their own condition. In
870 scenario 2.2, healthcare providers are included in the intended user group and have
871 access to the data in addition to the patient themselves. In this case, a health care
872 professional has specialized training that provides them with additional context to
873 understand the data and trends the medical device software is highlighting, which a
874 patient may not have. For this reason, it might be considered that the Intended User in
875 scenario 2.2 may reduce hazards considered in risk analysis more than scenario 2.1,
876 because at least one intended user in scenario 2.2 has expertise and training to
877 appropriately understand and respond to the data they are receiving. The health care
878 professional is provided access to the data such that it is not essential for the patient
879 to independently identify if and when their data should be conveyed to their doctor.
880 However, it may also be worth considering that there is greater variability in the
881 Intended Users of the medical device software in scenario 2.2 than scenario 2.1,
882 because of the introduction of the clinician user. This difference also impacts the
883 understanding of risk posed by the software, where the information must be conveyed
884 adequately and appropriately to the different user groups. It is important to consider
885 that multiple factors may influence the risk associated with any given characterization
886 feature – a clinician or trained user does not always independently indicate a decrease
887 or increase applicable hazards in the risk analysis of a device.
44
IMDRF/SaMD WG/N81 DRAFT: 2024
888 In example 3 above, the Input Source in scenario 3.1 is limited to measurements
889 obtained by a regulated medical device. In scenario 3.2, measurements are obtained
890 by a wearable consumer product that is not subject to regulatory oversight as a
891 medical device. In this case, the wearable consumer product may allow for expanded
892 opportunities for collecting patient data, however the aspects of the performance of
893 the wearable consumer product may be outside of the control of the developer. For
894 this reason, it may be considered that the Input Source in scenario 3.2 may pose more
895 applicable hazards for risk analysis than in scenario 3.1, because the manufacturer
896 developing the software may not have life cycle control over the source of the data it is
897 analyzing to monitor the severity of symptoms. In this case, additional steps may be
898 necessary for the manufacturer to monitor performance of the wearable consumer
899 product and to communicate any changes in performance to the user. In contrast,
900 scenario 3.1 which obtains measurements form a regulated medical device, benefits
901 from the verification and validation needed to obtain authorization (in cases where the
902 intended use is fit for purpose), which may reduce applicable hazards due to a greater
903 accuracy and precision of measurements of a product developed for the intended use.
904 Regulations applicable to software using consumer products to perform regulated
905 device functions vary by jurisdiction.
45
906
www.imdrf.org
Disclaimer
© Copyright 2024 by the International Medical Device Regulators Forum.
This work is copyright. Subject to these Terms and Conditions, you may download,
display, print, translate, modify and reproduce the whole or part of this work for your
own personal use, for research, for educational purposes or, if you are part of an
organisation, for internal use within your organisation, but only if you or your
organisation do not use the reproduction for any commercial purpose and retain all
disclaimer notices as part of that reproduction. If you use any part of this work, you must
include the following acknowledgement (delete inapplicable):
“[Translated or adapted] from [insert name of publication], [year of publication],
International Medical Device Regulators Forum, used with the permission of the
International Medical Device Regulators Forum. The International Medical Device
Regulators Forum is not responsible for the content or accuracy of this
[adaption/translation].”
All other rights are reserved, and you are not allowed to reproduce the whole or any
part of this work in any way (electronic or otherwise) without first being given specific
written permission from IMDRF to do so. Requests and inquiries concerning
reproduction and rights are to be sent to the IMDRF Secretariat.
Incorporation of this document, in part or in whole, into another document, or its
translation into languages other than English, does not convey or represent an
endorsement of any kind by the IMDRF.