The Health Sciences Authority (HSA), Singapore’s regulating agency in the sphere of healthcare products, has published a guidance document dedicated to software medical devices. In particular, the document describes a life cycle approach and the way it should be applied to software medical devices. The guidance is intended to provide additional clarifications regarding the applicable regulatory framework, as well as recommendations to be considered by medical device manufacturers and other parties involved in operations with medical devices. The scope of the document covers all the aspects associated with medical devices starting from the initial design and development stage and includes obligations of medical device manufacturers after the product is placed on the market. 

The authority additionally emphasizes that the document describes the current position of the regulating authority, but should not be construed as implementing new rules and requirements the parties involved should follow.

Regulatory Background 

The HSA acknowledges the increasing importance of software used for medical purposes, including the software used to operate medical devices. Moreover, it is stated that novel technologies, such as Artificial Intelligence, are now widely used in healthcare products as well. This results in a situation when entirely new risks arise about medical devices – for instance, the ones associated with cybersecurity matters. To mitigate new risks, the HSA encourages medical device manufacturers to implement a Total Product Life Cycle (TPLC) approach. According to the guidance, this will include requirement management, risk assessment, software verification and validation, change management, traceability, and various aspects through a software’s life cycle. 

The scope of the guidance covers software products that are covered by the definition of a medical device as set forth by existing legislation. According to the guidance, this will include software that is intended for medical purposes such as investigating, detecting, diagnosing, monitoring, treating, or managing any medical condition, disease, anatomy, or physiological process. 

As described by the HSA, the software covered by the scope of the present guidance could be supplied in various forms including, inter alia, the following ones:

  • Software embedded in medical devices;
  • Standalone software;
  • Standalone mobile applications;
  • Web-based software. 

The authority additionally mentions that the clarifications and recommendations provided in the guidance are applicable irrespectively of the class of software medical device in question under the risk-based classification. As it was mentioned before, it covers the aspects arising at all the steps of the software’s life cycle. The document also covers certain software-related requirements, including the ones related to cybersecurity or the use of AI technology. Due to the complexity of software, and also the rapid development of innovative technologies, the regulating authority reserves the right to review and amend the document to ensure its provisions are up-to-date. 

The scope of the guidance covers such aspects as:

  • Quality Management System (QMS) for software medical devices;
  • Pre-market product registration requirements;
  • Dealer’s licensing requirements;
  • Change notification;
  • Post-market management of software medical devices;
  • Cybersecurity;
  • Artificial Intelligence. 

First of all, the document provides definitions of the most important terms and concepts used in the context of software medical devices including such terms as “Artificial Intelligence”, “AI-medical device”, “Clinical evaluation”, “Cybersecurity”, “Manufacture”, “Mobile application”, “Off-the-shelf or commercially-off-the-shelf software”, “Product owner”, “Registrant”, and “Standalone software”. 

Quality Management System (QMS) for Software Medical Devices 

The present guidance provides a brief overview of QMS and the way it should be applied to software medical devices. The document also describes good practices to be duly employed by medical device manufacturers (software developers) to ensure the safety, quality, and effectiveness of software medical devices. 

Under the general rule, any medical device manufacturer is responsible for developing and implementing a Quality Management System to ensure consistency of manufacturing processes, as well as the appropriate quality of medical devices manufactured. The HSA emphasizes that the same applies in the case of software medical devices. General regulatory requirements to be applied in terms of QMS are set forth by the international standard ISO 13485 – Medical Devices – Quality Management Systems – Requirements for regulatory purposes. These requirements describe the particular way a QMS should be developed and implemented by the entity involved in operations with medical devices. 

The document further describes the main principles a QMS should be based on, namely: 

  • Leadership and organization;
  • Life cycle supported process;
  • Product realization activities (the scope of this principle covers key activities undertaken about any software product: defining the requirements, design and development, verification and validation, deployment or implementation, maintenance and servicing, and decommissioning). 

As described by the HSA, the process of development and implementation of a QMS by the medical device manufacturer should be based on the particular needs and manufacturing processes undertaken. 

The first principle emphasizes the importance of decision-making processes for ensuring the safety and effectiveness of a final software product. For instance, as explained by the regulating authority, the top management of the company is responsible for ensuring there are sufficient resources in place. 

The second principle addresses several important processes including the following ones:

  • Product Planning – a dynamic process that requires considering new information once it becomes available;
  • Risk Management, which should be duly implemented at all the steps of the product’s life cycle;
  • Document and Record Control, ensuring all decision-making and other processes are duly documented, and all important documents are kept strictly by the appropriate requirements;
  • Configuration Management and Control includes the steps to be taken to ensure traceability of software configurations, as well as the proper integration of the software to the environment it is intended to be used in;
  • Measurement, Analysis, and Improvement – all the data collected about a software medical device should be duly collected and rigorously analyzed to identify potential or existing safety- and performance-related issues, and also further used to develop and implement corrective actions necessary to address the newly identified risks;
  • Outsource Management describes the approach to be applied when outsourcing important procedures associated with manufacturing medical devices (developing software medical devices), provided that the product owner remains the one responsible for the safety and performance of a final product. 

The present HSA guidance highlights the most important aspects associated with the software medical devices, including specific matters to be taken into consideration due to the nature of software products. The document describes the approach to be applied by medical device manufacturers to ensure the safety and effectiveness of software medical devices. 

Sources:

https://www.hsa.gov.sg/docs/default-source/hprg-mdb/gudiance-documents-for-medical-devices/regulatory-guidelines-for-software-medical-devices—a-life-cycle-approach.pdf 

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.


Want to know more about our solutions? Speak to a RegDesk Expert today!