One of the sections of the HSA guidance addresses the matters related to activity controls. Under the general rule, any parties involved in operations with medical devices should be duly licensed, should such a license be required by the applicable legislation. In particular, it is necessary to develop and implement the quality management system (QMS) which will ensure that:
- The software product is developed by the requirements set forth by the applicable standard (for instance, ISO 13485);
- The software and its versions could be easily tracked (version control), especially in case of issues identified and Field Safety Corrective Actions were taken to address them;
- There is a duly implemented post-market surveillance procedure necessary to ensure the effectiveness of recalls or corrections undertaken to address the safety- and performance-related issues identified after placing the product on the market without undue delay;
- The records related to the software are duly maintained, and all important information is stored to be used once needed.
The document also refers to the respective HSA guidance on establishment licenses for different types of entities involved in operations with medical devices – GN-02: Guidance on Licensing for Manufacturers, Importers, and Wholesalers of Medical Devices. At the same time, there are specific aspects to be considered in the context of software medical devices.
To assist in interpreting the applicable regulatory requirements, the guidance provides examples of different situations and describes the approach to be applied in each of them concerning licensing and compliance with the applicable standards. These situations include the following ones:
- Local entities intending to import and distribute a software application in physical form should implement the quality management system based on ISO 13485 or GDPMDS, and also obtain an importer’s or wholesaler’s license respectively;
- Local entities with authorization from overseas developers/product owners to provide access/distribute a software application through the internal or local online platforms where users will download and install the software application on their computing device should comply with the same requirements as described hereinabove, except the situation when the product is provided to the general public – should it be the case, it would be sufficient to have an importer’s license;
- Local entities intending to grant user access to a software application through a cloud service where hospital users can access it through the internet without installation on their computing device should comply with the same requirements in terms of the applicable standards and hold a wholesaler’s license;
- Local entities intend to develop a software application locally. The software development will comprise the designing, programming, testing, and maintenance of the software application. Such entities should have a QMS duly implemented and based on ISO 13485, and also obtain a manufacturer’s license. The authority also mentions that an entity holding a valid manufacturing license is also entitled to distribute its products without obtaining additional licenses.
Another important aspect addressed in the document relates to changes to the software already placed on the market and change notification requirements. The HSA acknowledges that the software could be subject to numerous changes during its life cycle. According to the guidance, such changes could be intended to:
- Correct faults;
- Improve the software functionality and performance to meet customer demands, and
- Ensure the safety and effectiveness of the device are not compromised.
About the changes to the software, the regulating authority applies a risk-based approach which provides that the regulatory requirements to be followed should depend on the significance of changes. As it is described in the guidance, significant changes would trigger a rigorous assessment which is reasonably necessary to ensure such changes would not adversely impact the safety and performance of the product. At the same time, even minor changes considered as non-significant should still be communicated to the regulating authority by the virtue of the respective notification. The HSA also mentions that in certain cases such a notification could contain information about several changes. It is also allowed to submit information about minor changes when applying for review for significant changes requiring additional attention. Under the general rule, a notification on changes should be submitted no later than in 6 months from the date such changes were implemented. Should a notification cover several changes, this period should be calculated from the date the first changes described in the notification were implemented. Additionally, all the changes should be duly recorded by the respective record-keeping requirements, so the manufacturer should have in place all the documents related to changes implemented.
The present HSA guidance also outlines the scope of changes that are not eligible for bundling. According to the guidance, these changes include the ones related to:
- Artificial Intelligence (AI) based devices (e.g. machine learning, neural networks, and natural language processing); and
To assist medical device manufacturers in interpreting and following the regulatory requirements on change notification addressed herein, the guidance also provides detailed flow charts describing the way the category of changes should be determined depending on the type of software in question. According to the flowcharts, the most important aspects to be considered when determining the regulatory status of the changes and the particular requirements to be applied include, inter alia, the following ones:
- Changes to an algorithm the software is based on,
- In addition of new features or software applications,
- Addition or removal of alarm function,
- The way and extent to which the changes in question impact the performance of the software,
- Change in the operating system,
- The way the change is subject to review impacts the control of the device.
The flowchart describes the approach to be applied in each of the cases depending on the aspects described hereinabove.
In summary, the present HSA guidance addresses the most important aspects related to the general requirements the parties involved in operations with software medical devices should follow depending on the particular type of activity they are undertaking (in terms of licensing and compliance with the applicable international standards). The document also provides additional clarifications regarding existing requirements on change notification concerning modifications to the software already placed on the market and describes the way the regulatory status of such changes should be determined.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.