SaMD: a glance at the regulatory framework

SaMD regulatory framework

Digital therapies are at the center of many of the debates on innovation in healthcare and represent a technology sector in great turmoil. But what are the roles and responsibilities of manufacturers? That’s the question to explore by taking a look at the SaMD regulatory framework.

Alice Ravizza, founder of USE-ME-D, talks about it during the first day of the Digital for Clinical Days organized by Advice Pharma at the Politecnico di Milano.

Safety, demonstrable clinical benefit and consistent quality

The medical devices put on the market have to respect some requirements:

  • be safe;
  • have a consistent quality over time;
  • produce a clinical benefit.

To create this framework, it is necessary to put in place some actions:

  • an analysis of the risks associated with the use of the medical device;
  • good design practices;
  • a controlled distribution;
  • adequate control systems, to verify that the quality is constant over time.

As expected, low- or intermediate-class medical devices require less effort to maintain quality than the high-class ones.

Instruments: regulatory and technical standards

Medical devices are the subject of a complex regulation, which includes the Regulation (EU) 2017/745, the GDPR regulation, and the European Regulation which manages the technical security of data from the point of view of cyber security.

On the other hand, the technical requirements are described in the ISO standards.

The medical device legislation defines the manufacturing companies. This means that the company owns the conceptual idea, i.e., that it has obtained the CE certification of the product and holds the responsibility for making the technology available to users.

However, the use of the term ‘manufacturers’ does not imply that whoever holds the certification of the product coincides with who actually manufactures it.

General obligations of manufacturers

The Article 10 of the Regulation (EU) 2017/745 requires for the manufacturer to:

  • establish, document, implement and maintain a system for risk management (as described in Section 3 of Annex I) in order to offer to market a safe technology;
  • conduct a clinical evaluation (in accordance with the requirements set out in Article 61 and Annex XIV) including a Post Marketing Clinical Follow-up (PMCF): the product not only has to be technically safe, but must also produce a clinical benefit in accordance with the clinical pathway;
  • draw up and keep up to date technical documentation for the device (including the elements set out in Annexes II and III), to allow the conformity of the device with the requirements of this Regulation to be assessed: the product has not only to be constructed but also described in terms of risks and benefits.

Quality management system

Manufacturers are responsible for the procedures necessary to ensure that series production continues to comply with the requirements included in the MDR.

The changes that may occur over time do not only concern the characteristics of the product, but also any changes in the legislation.

Manufacturers are responsible for implementing a quality management system that would guarantee compliance with the Regulation in the most effective way and in a way that is proportionate to the risk class and type of device.

With this in mind, companies must get used to working in a repeatable manner, in order to react promptly to the evolution of the software and the regulatory context and because it is also necessary for the production of the device to be perfected over time.

A SaMD series production

The quality management system must guarantee the ability to make available products adaptable to different contexts. So, the devices must be customizable. In fact, while remaining the same from the quality point of view, the software must be adapted to the different needs of the healthcare facilities in which it will be used.

The minimum requirements

The minimum requirements for medical devices are always the same and, consequently, also the technical procedures do not change.

The concept of safety and efficacy is understood as that associated with the state of the art available at that time. The ISO 14971 standard assumes that there is no zero risk, but requires that all clinical risks must be identified and minimized.

The system, as a whole, is called upon to mitigate the risk in all the phases of which it is composed. Technical standards require for the project to include a clear list of the requirements necessary to minimize risks. Furthermore, they also require a verification certifying that the product is actually available for the correct technical operation and that, if required, it can be connected to other devices.

Post Marketing Surveillance

In the context of the post-marketing activity, the manufacturers of all medical devices must keep the technology under control after it has been made available to users, in a way that is proportionate to the risk class and appropriate to the type of device, based on MDR article 83.

They are required to collect data and metadata for the purposes of Post Marketing Surveillance (PMS).

One of the crucial aspects in this phase is the need to balance the technical requirement to collect as much data as possible with the obligation, imposed by the GDPR, to minimize the amount of data collected. In order to achieve the appropriate balance, it is necessary to identify the most strategic information to collect in terms of quality, safety, and performance of the medical device.

Obligations of the persons

Up to now, the obligations envisaged for companies and legal persons have been studied in depth, but the legislation also imposes obligations on individuals. Specifically, the figure in question is the Person Responsible for Regulatory Compliance (PRRC), similar to the Qualified Person (QP) who operates in the pharmaceutical environment.

The MDR articole 15 imposes for this person a role of guarantee and supervision, strong skills in the biomedical field and business experience.

The PRRC is responsible for ensuring:

  • the compliance of the devices with the legislation;
  • the correct compilation of the technical documentation;
  • the fulfillment of post-marketing surveillance and accident reporting obligations;
  • finally, the compliance of clinical trials (where provided) with the Regulations.

Development and management agreements

On the occasion of the Digital for Clinical Days, Silvia Stefanelli, founder and owner of the Stefanelli&Stefanelli law firm, addresses this topic.

Development and management agreements are contracts that contain various elements, not only civil but also specific to the MDR. They concern the design, manufacturing and marketing phases of medical devices. The parties involved are the customer (the person interested in the creation of a software) and the supplier (the one who has the technical competence and who manufactures the product).

The new Regulation has extended the notion of SaMD: therefore many products that were previously not considered medical devices have now become so.

Furthermore, from the point of view of drafting the contracts, the role of the various subjects has become more relevant. It is necessary to establish who does what: if the customer is also a manufacturer or even a distributor, if the supplier is only a supplier or also a manufacturer and distributor.

Contents of the contract

First of all, the contract must establish the developer’s remuneration: the person who develops the software, in fact, makes available an intellectual activity, a know-how.

Depending on the interests involved, the lender can recognize to the developer:

  • a predetermined fee;
  • a rental fee for the license to use;
  • royalties;
  • another utility of a contractual nature.

The remuneration method depends on the distinction between software use license and software transfer, and on the related contractual regulations.

In fact, these are two different contracts. While the user license is a service contract (in which it is necessary to determine the maintenance and intervention methods on the software by the developer), the transfer is in fact a sale (and therefore the contract must establish, among the other aspects, how the source codes will be transferred).

The holder of the rights of economic exploitation

In this regard, Regulation (EU) 2017/745 (MDR) is not the only one to be applied. The determination of the owner of the rights of economic exploitation involves other disciplines, including that on copyright (Italian Law 633/1941 art. 2).

If the parties do not want the copyright to remain to the developer but want it to pass to the client, they must define these aspects in the agreement. Otherwise, the general discipline is applied.

As for the know-how, there may be elements that make up the developer’s trade secret. In this sense, the EU Directive 2016/943 protects all those elements that cannot be patented.

Establishing who manufactures and who distributes

Here too, it is necessary to identify who does what, in particular who manufactures and who distributes.

If, in the first phase, the roles had to be clear in order to draft the appropriate contractual clauses, in this second phase it is imposed by the same Regulation 2017/745, which prescribes different obligations according to the different figures.

It is convenient that the person who will hold the qualification of manufacturer (which assumes an important series of obligations) under the MDR would also hold all the rights of economic exploitation of the product.

Advertising of medical devices: an open debate

Exclusive rights can be subject to territorial (for example, with reference only to some States) and temporal (for example, for a certain period of time) constraints.

If the financier or the developer wants to derive indirect economic benefit from the public knowledge of his contribution at the realization of a medical device, the contract must regulate the way in which information and promotional campaigns will be carried out.

Advertising for medical devices, as we know, is still an open and debated topic. Decree 46/97 imposed an authorization regime, but these limits are no longer present in Regulation 2017/745. Despite this, the Ministry of Health expressed its position in the Circular of 12 November 2021, establishing that the regulations previously in force must continue to be applied.

Data protection

The software must be designed to ensure that the data processing is safe and compliant with the MDCG 2019-16 Guidance on Cybersecurity for medical devices.

Furthermore, it is necessary to understand clearly and define which data will be processed, for what purposes, and by whom.