In order to strengthen the quality control of software medical device products, the State Drug Administration has prepared the "Appendix Independent Software for Medical Device Manufacturing Quality Control Specifications (Draft for Comments)" (hereinafter referred to as "Appendix") and solicited public comments. This appendix is ​​expected to be formally implemented in 2020. All manufacturers of independent software products listed in China need to comply with this appendix.

This appendix applies to the special requirements of independent software production quality control specifications, and is used for reference for products with software components. NMPA puts forward special requirements in various production links, such as personnel, equipment, design and development, procurement, production management, quality control, sales and after-sales service, unqualified product control, adverse event monitoring analysis and improvement...etc. If the product has additional network functions or uses off-the-shelf software, the relevant requirements also need to be considered.

Among them, NMPA mentioned that manufacturers should combine the characteristics of software life cycle models, establish corresponding control programs and form files in the design and development process, and manufacturers can manage from the following three general directions:

1. Determining software requirements analysis, software design, software coding, verification and validation, software updates, risk management, defect management, traceability analysis, configuration management, file and record control, use of off-the-shelf software, network security assurance, software release , Software deployment, software outage and other activities.

2. The requirements for quality assurance activities of the software life cycle process should be appropriate to the software security level. Before the risk control measures are taken, the software security level should be comprehensively judged in combination with the intended use, use environment and core functions of the software, and the level can only be reduced by external risk control measures.

3. Software risk management activities should be implemented in accordance with risk management control procedures, combining product identification, analysis, evaluation, control and monitoring of software functions, interfaces, user interfaces, off-the-shelf software, network security and other risks, and throughout the software life cycle process.



Official press release