1. Guideline for Medical Device Cybersecurity
The guideline applies to the registration of medical devices with cybersecurity relevance, including Class II and Class III products that exist as software only and medical devices containing software (including in vitro diagnostic medical devices), that have one or more of the following three functions: 1) electronic data interchange, 2) remote access and control, 3) user access. It applies to the registration of both self-developed software and off-the-shelf software.
The main concepts involved include Confidentiality, Integrity, Availability, Authenticity, Non-repudiation, Accountability and Reliability.

Concerning major cybersecurity updates:
Updates that affect the safety or effectiveness of medical devices, namely major function updates, require an application for amendment of the product registration.

Concerning minor cybersecurity updates:
Updates that do not affect the safety and effectiveness of medical devices, including minor function updates and patch updates (which are controlled by the quality management system), do not require an application for amendment of the product registration. The corresponding documents are submitted with the next amendment application.

Documentation for product registration submission:
The software cybersecurity research report shall be provided separately in the original submission dossier, as part of the software research materials. A description of cybersecurity and the related usage guidance shall be provided in the Instructions for Use.

2. Guideline for Medical Device Software Registration Review
Scope of application: the guideline applies to the registration of medical device software, including Class II and Class III products that exist as software only and medical devices containing software (including in vitro diagnostic medical devices). It applies to the registration of both self-developed software and off-the-shelf software.

Requirements for software research materials for product registration:
Submit the self-developed software research report, the external software environmental assessment report (if applicable) and the GB/T 25000.51 self-test report.


3. Guidelines for Registration and Review of AI Medical Devices
An AI medical device is defined as a medical device that uses artificial intelligence technology to achieve its intended use (i.e. medical use) based on "medical device data".

Product registration information requirements:
(A) Algorithm research data

Security level: medium, severe
New type: In the software research materials, submit a research report for each artificial intelligence algorithm or algorithm combination, taking the algorithm as the unit.
Mature types: The basic algorithm information can be clearly defined in the software research materials, without providing algorithm research materials.

Security level: mild
It is only necessary to specify the basic information of the algorithm in the software research materials, without providing the algorithm research materials.

(B) User training program:
In principle, a separate user training program should be provided for products of severity level, intended to be used by patients or used in primary care institutions.

(C) Product technical requirements:
If the product contains performance indicators based on the test database, the basic information of the test database must be specified in the appendix.

Kindly refer to the three official NMPA guidelines listed in the reference section below for more information on the topics introduced above:


Reference:

Guidelines for Medical Device Cybersecurity Registration Review (2022 Revision)
Guidelines for Medical Device Software Registration Review (Revised Edition 2022)
Guidelines for Registration and Review of AI Medical Devices
