Building Software as a Medical Device (SaMD)

We build medical software for clinical deployment at Guy's & St Thomas' NHS Foundation Trust

The CSC Team develops software applications for routine clinical usage. This includes Software as a Medical Device (SaMD). The development of medical software requires extra safety considerations above normal software development, particularly around clinical and patient safety, data security, usability, and managing changes.

The CSC Team provides both software and clinical expertise across a broad range of hospital settings. We are embedded within Guy’s & St Thomas’ NHS Foundation Trust, which gives us direct access to clinical databases including PACS, CRIS and EPR.

The Software Building Process

The CSC Quality Management System

The CSC team develops medical software within a quality management system (QMS) that is ISO 13485:2016 compliant.

The scope of our ISO 13485 certificate is as follows:

The design and manufacture of software medical devices that use machine learning to perform inference on images for the purpose of diagnosis. The design and manufacture of software medical devices that use machine learning to perform inference on non-image-based data.

All devices will only be used within the Guys & St Thomas’s NHS Foundation Trust.

The scope of this certificate is limited to the quality management system and does not make any claims about the conformity of the products generated by the quality management system to regulatory requirements.

We have gained ISO13485:2016 certification for our QMS from a notified body in 2022.

The QMS sits within the GSTT Medical Physics Department and utilises key departmental processes and resources for audits, management review, HR, and purchasing. It incorporates all aspects of the standards and regulations listed on the page below, as relevant to the scope.

The following software and packages are validated for use for projects under this QMS:

See our blog series on our journey to building a certified Quality Management System (in progress).

Key Roles
Quality Management Officer     Allocate resources for software development
Quality Representatives     Training, document control, expertise in the QMS
Development Lead     CSC lead on a project, responsible for software development, document generation and project management
Clinical Safety Officer     Responsibility for Clinical Risk Management Activities for a project

Key Features
>     ISO 13485:2016 compliant     Regular internal audits by certified Quality manager
>     GitHub Based     Developer friendly, accessible, version controlled
>     Automated Document generation     minimises developer workload for document generation on subsequent releases
>     To be made open source     SOP and record templates to be made available
>     Annual External Audit     Maintains compliance

Regulations and Standards

UK MDR 2002 – UK Medical Device Regulations
Link to Document – UK MDR 2002

UK-MDR 2002 is the current applicable regulation for medical devices within the UK. It encodes MDR 2002 into law, with requirements for companies to have a uk-based responsible person. UK MDR 2002 is applicable to applications developed by the CSC as they will be deployed into clinical use. The software we build includes AI applications that we intend to deploy on the AIDE platform, or as stand alone medical devices.

Although the CSC does not initially intend to put the software we create onto the UK market, we still work within a quality management system that is ISO 13485:2016 compliant to ensure best practises when developing SaMD.

ISO 13485 : 2016 – Quality management system for medical software development
Link to Document – ISO 13485 : 2016

The main standard required for CE/UKAS marking and by UK DMR 2002

ISO 14971 : 2019 – Clinical Risk Management
Link to Document – ISO 14971 : 2019

BS EN 62304 : 2006 – Medical Device Software, Software lifecycles processes
Link to Document – BS EN 62304 : 2006

This standard provide a framework for developing medical software, which relies on working within a ISO 13485 quality management system.

Key points include:
- Maintaining good traceability of meeting customer requirements
- Enforcing clinical safety
- Classification of the software (A/B/C)
- Modularity for verification/unit testing
- Change management

BS EN 62366-1 : 2015 – Application of usability engineering to medical devices
Link to Document – BS EN 62366-1 : 2015

DCB 0129 – Clinical Risk Management: its Application in the Manufacture of Health IT Systems
Link to Document – DCB 0129

DCB 0160 – Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems
Link to Document – DCB 0160

External Authorities

Classification of medical devices
Reporting incidents