What it Means to be Software as a Medical Device (SaMD)

Learn why ImPACT Applications’ concussion assessment tools are considered medical devices and how it impacts software development, privacy, and compliance.

What is Software as a Medical Device (SaMD)?

The term software as a medical device (SaMD) is defined by the International Medical Device Regulators Forum (IMDRF) as "software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device." This means that it doesn’t require the purchase of another device like an x-ray machine or an imaging machine.
ImPACT Applications’ tools are considered software as a medical device because they can run on any standard desktop or laptop computer and don’t require the purchase of a hardware device.

How are Medical Devices Classified?

FDA regulated medical devices are classified into three categories depending on their level of risk:

  • Class I (low to moderate risk)
  • Class II (moderate to high risk)
  • Class III (high risk)

ImPACT, ImPACT Pediatric, and ImPACT Quick Test are Class II medical devices.

SaMD Privacy and Security Requirements

Because of the sensitive data that’s commonly held by medical devices, SaMD companies are required to have privacy and security measures in place to mitigate risk.
At a minimum, these measures include:

  • Application security (including authentication and authorization)
  • Data encryption (including data in transit and at-rest)
  • System management and hosting (including patching, hosting locations, types of hosting services)

ImPACT Applications’ data is processed in accordance with privacy and cybersecurity requirements, standards, and industry best practices, and is in compliance with global regulations such as HIPAA, PIPEDA, GDPR, etc. There are four separate data centers that help maintain EU data security compliance. There is a strict and comprehensive quality management system for medical device product development, safety, security and privacy risk management. Additionally, ImPACT Applications is SOC 2 Type 2 audited.

International Regulations and Compliance

Clearances and Laws

ImPACT Applications' tools have received clearance as concussion-specific devices from the FDA, Health Canada, Australian TGA, and other regulatory agencies worldwide. In addition to clearance, each country has their own set of regulations and laws that medical device companies must comply with.

Quality Management System

Global regulatory agencies also require quality system regulation, which requires that companies have Standard Operating Procedures (SOP) that describe the processes and activities a company performs.
ImPACT Applications has several SOPs that describe how tests are developed and software is deployed. There is documentation of software requirements, design specifications, test protocols, and reports. Any changes to the software, no matter how small, must be documented. For any significant changes, there’s a requirement for the FDA to review it to make sure it’s been implemented correctly and there’s enough data to support it.

Verification of Compliance

In the U.S., the FDA conducts regular audits of ImPACT Applications’ documentation and procedures to ensure compliance. Globally, there is a standard called ISO 13485 which describes the quality management systems for medical devices. ImPACT Applications is an ISO 13485 certified global company.

Key Takeaways

ImPACT Applications’ tools are considered software as a medical device (SaMD), which means they are highly regulated and developed under very strict control. Compliance with the global laws and regulations is monitored and there are penalties for non-compliance.