Software as Medical Device: The MDSAP Adaptation Challenge

How cloud-based AI and machine learning devices expose gaps in traditional audit approaches

The Medical Device landscape has transformed dramatically over the past decade, with software-based solutions increasingly dominating innovation pipelines. 

Yet as manufacturers of Software as Medical Device (SaMD) navigate the Medical Device Single Audit Program (MDSAP), they encounter a fundamental mismatch between cutting-edge technology and traditional audit methodologies designed for physical devices.

This disconnect creates unique challenges that expose the limitations of current regulatory frameworks. As Sean Gibbons, a Regulatory Affairs manager, stated on a recent AKRA TEAM Webinar: "Anyone working in the Software as Medical Device space, especially cloud-based … finds that because we're on that cutting edge, a lot of these auditing schemes were made for more classical medical devices."

The implications extend beyond mere inconvenience, potentially affecting market access timelines and compliance strategies for some of the most promising medical technologies emerging today.

The Evolution of Medical Device Technology

The Medical Device industry has undergone a seismic shift from predominantly hardware-based solutions to sophisticated software platforms. 

Traditional devices like surgical instruments, implants, and diagnostic equipment followed predictable development and manufacturing patterns that regulatory frameworks could easily accommodate.

Today's landscape includes AI-powered diagnostic algorithms, cloud-based patient monitoring systems, and machine learning platforms that continuously evolve based on real-world data. These technologies challenge fundamental assumptions about device design, manufacturing, and post-market oversight.

Modern Medical Devices exist as dynamic, evolving software entities rather than static, manufactured products.

IEC 62304, the international standard for Medical Device software lifecycle processes, provides some guidance, but its scope predates many current technological capabilities. The standard addresses software development but doesn't fully account for cloud-based deployment models or continuous learning algorithms.

Traditional Audit Frameworks vs. Modern Device Types

MDSAP's process-based approach, outlined in the  document, divides quality management systems into discrete processes: management, design and development, production, and post-market activities. 

This framework works well for traditional Medical Devices with clear boundaries between development and manufacturing phases.

Software as Medical Device challenges these boundaries. Development may be continuous, production might involve cloud deployment rather than physical manufacturing, and post-market activities could include algorithm updates that significantly modify device behavior.

Traditional audit categories become blurred when dealing with software that evolves continuously rather than following discrete development cycles.

The ISO 13485:2016 quality management standard similarly reflects manufacturing-centric thinking. Terms like "production," "installation," and "servicing" require creative interpretation when applied to cloud-based software platforms that may never exist in physical form.

Specific Challenges for SaMD Companies

Software as Medical Device manufacturers face unique compliance challenges that traditional audit approaches struggle to address effectively. 

Version control becomes exponentially more complex when dealing with algorithms that may update automatically based on new data inputs.

Cloud-based deployment models create additional complications. Traditional concepts of "manufacturing sites" become meaningless when software exists across distributed server networks managed by third-party cloud service providers.

SaMD companies must navigate audit frameworks designed for physical products while managing virtual, distributed technology platforms.

Data security and privacy requirements add another layer of complexity. While regulations like 21 CFR Part 820 address quality system requirements, they don't specifically address cybersecurity considerations that are fundamental to cloud-based Medical Devices.

The FDA's Cybersecurity in Medical Devices guidance provides additional requirements and guidelines, but the implementation of such guidance documents tends to lag behind medtech innovation by a significant time period.

Algorithm Versioning and Validation Requirements

One of the most significant challenges facing SaMD companies involves managing algorithm versions and validating performance across different iterations. 

Traditional medical devices undergo discrete design changes with clear validation requirements before market release.

Machine learning algorithms present a fundamentally different paradigm. They may evolve continuously as they process new data, creating validation challenges that current regulatory frameworks struggle to address systematically.

Algorithm versioning requires new approaches to validation that account for continuous learning rather than discrete design changes.

The IMDRF Software as Medical Device guidance provides some direction, but practical implementation within MDSAP audits remains challenging. Auditors must assess validation approaches for technologies that may not have existed when they received their training.

Manufacturers must demonstrate that algorithm changes maintain safety and effectiveness while potentially improving performance. This requires sophisticated validation protocols that go beyond traditional design validation approaches outlined in existing quality standards.

Data Management and Real-World Performance Monitoring

Cloud-based SaMD platforms generate unprecedented amounts of data about device performance and patient outcomes. 

This data represents both an opportunity for improved post-market surveillance and a challenge for traditional quality management approaches.

Real-world performance monitoring becomes essential for algorithms that learn from usage data. Traditional post-market surveillance, focused on complaints and adverse events, may miss subtle performance degradations that could affect patient care.

Real-world performance monitoring for SaMD requires continuous assessment rather than periodic reviews typical of traditional devices.

Data governance becomes critical for maintaining compliance across multiple jurisdictions with different privacy and data protection requirements. The EU's GDPR and various national data protection laws create compliance requirements that extend beyond traditional Medical Device regulations.

Current MDSAP audit approaches may not adequately address these data management requirements, and medical device companies need to undertake other activities to assess their compliance related to data privacy and protection laws. 

Regulatory Framework Adaptations Needed

Addressing the SaMD challenge within MDSAP requires significant adaptations to current audit methodologies. 

Auditor training must expand to include software development practices, cloud infrastructure assessment, and data security evaluation.

The process-based audit approach needs modification to account for continuous development and deployment models. Traditional concepts of design transfer, production, and installation require redefinition in the context of software deployment and updates.

Regulatory frameworks must evolve from product-centric to service-centric models to effectively oversee modern Medical Device technologies.

Quality management standards need updates to address software-specific requirements more explicitly. The current regulatory frameworks do not fully address the unique aspects of software validation in real-world environments. 

Risk management approaches, currently based on ISO 14971, need enhancement to address cybersecurity risks, data privacy considerations, and the dynamic nature of learning algorithms.

Future-Proofing Audit Approaches for Emerging Technologies

The pace of technological change in medical devices shows no signs of slowing. 

Artificial intelligence capabilities continue advancing, quantum computing applications are emerging, and Internet of Medical Things (IoMT) ecosystems are expanding rapidly.

MDSAP must develop more flexible audit approaches that can adapt to emerging technologies without requiring fundamental framework overhauls. This might involve modular audit components that can be quickly added to the MDSAP Audit Approach.

Future audit approaches must embrace technological flexibility while maintaining rigorous safety and effectiveness standards.

Continuous professional development for auditors becomes essential. Traditional medical device auditing expertise must expand to include software engineering principles, data science concepts, and cybersecurity assessment capabilities, at least to the extent required to be covered by medical device regulations.

Collaboration between regulatory authorities, standards organizations, and industry stakeholders will be crucial for developing effective approaches. The FDA's Digital Health Center of Excellence and similar initiatives in other jurisdictions provide models for this collaboration.

The Software as Medical Device revolution represents both a challenge and an opportunity for MDSAP. While current audit frameworks struggle with modern technology paradigms, addressing these gaps could position MDSAP as a leader in next-generation medical device oversight.

Success will require acknowledging that traditional manufacturing-focused audit approaches need fundamental adaptation for software-centric medical devices. This evolution is not optional - it's essential for maintaining the relevance and effectiveness of regulatory oversight in an increasingly digital healthcare landscape.

The question is not whether MDSAP will need to adapt to Software as Medical Device, but how quickly and effectively it can evolve to meet the needs of manufacturers developing tomorrow's breakthrough medical technologies.
