SaMD and post market surveillance of users

Rymed

Registered
Howdy folks

I’m with a startup developing a Class IIb phone application and I just got an advisor in who recommends being more proactive with our post market surveillance.

He’s suggesting that the software needs to log every feature that the patient is using and every error the patient encounters, to meet the reporting requirements. From my research I suppose he’s referring to the PSUR. As it’s PMS data, we then have to retain it for 10 years and for reasons we cannot anonymise the data.

My tech lead has told me that this is pure bananas, and I have to agree with him this seems off-base. Are all med device companies sitting on a mountain load of personal data and paying out of their nose for storage costs? What are you guys doing for this?
 

shimonv

Trusted Information Resource
To log "every feature" and "every error" seems like overkill. There is a lot that goes into the decision-making process of what to log, what data to save on your servers, and which data is necessary for the periodic safety update report (PSUR). To be more "proactive" with this or that is a slogan. Follow your design and development plan.
 

Rymed

Registered
What are some factors that go into the decision, and what do you mean by follow the design and development plan?

I failed to consider post market surveillance in the initial product requirements, but that doesn’t seem like a good enough reason not to change the software now.

Thanks for the comment, it’s been a struggle to figure out what needs to be done.
 

yodon

Leader
Super Moderator
Agree with @shimonv that logging EVERYTHING would be overkill. I agree with the advisor, though, about being proactive.

PSUR reporting aside, some thoughts about data collection:
  • Does use indicate new risks or greater occurrence of identified risks than originally considered in the risk file?
  • Do errors indicate the UI is not promoting safe and effective use?
  • Is there any indication that the software is being used outside of its intended use?
I don't recall the EU position on cybersecurity, but in the US, the FDA is cracking down pretty hard. They expect logging for access with monitoring for potential breaches. Probably a good idea regardless.
 

shimonv

Trusted Information Resource
@Rymed
Post market surveillance is not a product requirement; it is the method to monitor product performance after it has been released. Data collection is based on the infrastructure (design) and data that can be extracted from the device. Which data is logged and available for analysis is something that you determine as part of risk management and design consideration for service and support.
I suspect you are hung up on something which is just one piece (and not a critical one) in the design and development maze. That is why I suggest following your development plan, which is part of the design and development process.

I don't mean to be disrespectful, but a good advisor should start with a regulatory strategy and a design and development plan where you list the development stages and what is required in each of them. Typically, the PSUR is something that you deal with towards the end, where you have a better understanding of what the product will look like. Somehow, I don't think you are towards the end...

Hope it makes sense.

Good luck,
Shimon
 