February 14, 2020

On December 24, 2019, HSA invited industry stakeholders to comment on its draft guidance for Software Medical Devices. The document will help HSA clarify the regulatory requirements for software medical devices for the benefit of software manufacturers. The guidance covers the following items:

  • Quality Management System
  • Pre-Market Product registration
  • Software manufacturers and distributors
  • Changes to a registered software
  • Post Market Management of software medical devices
  • Cybersecurity
  • Artificial Intelligence Medical Devices

HSA stated the following software products are included in the scope of this guidance:

  • Software embedded in Medical Devices
  • Standalone software
  • Standalone mobile applications
  • Web-based software

Quality Management System and Pre-Market Product registration

For software manufacturers who may not be familiar with a medical device Quality Management System (QMS), HSA explained the principles of ISO 13485 in detail. In addition, HSA introduced the CSDT document format for pre-market registration of software products. The guidance focused on the following sections of the CSDT, which have special notes for software registration.

1.) Essential Principles for safety and performance of medical devices

Table 1. Essential Design and Manufacturing principles applicable to Software

| Essential design and manufacturing principles | Software embedded in medical devices | (i) Standalone software (ii) Standalone mobile applications (iii) Web-based software |
|---|---|---|
| Essential Principles applicable to medical devices and IVD medical devices | | |
| General requirements | ✓ | ✓ |
| Clinical evaluation | ✓ | ✓ |
| Chemical, physical and biological properties | If applicable | |
| Sterility, packaging and microbial contamination | If applicable | |
| Considerations of environment and conditions of use | ✓ | ✓ |
| Requirements for active medical devices connected to or equipped with an energy source | ✓ | |
| Medical devices that incorporate software or are standalone software or mobile applications | ✓ | ✓ |
| Medical devices with a diagnostic or measuring function | ✓ | ✓ |
| Labelling and Instructions for use | ✓ | ✓ |
| Protection against electrical, mechanical and thermal risks | ✓ | |
| Protection against radiation | ✓ | |
| Protection against the risks posed by medical devices intended for use by lay persons | ✓ | ✓ |
| Medical devices incorporating materials of biological origin | If applicable | |
| Essential Principles applicable to medical devices other than IVD medical devices | | |
| Particular Requirements for Implantable Medical Devices | ✓ | |
| Protection against the Risks Posed to the Patient or User by Medical Devices Supplying Energy or Substances | ✓ | |
| Medical Devices Incorporating a Substance Considered to be a Medicinal Product/Drug | ✓ | |
| Essential Principles applicable to IVD medical devices | | |
| Performance Characteristics | ✓ | ✓ |


2.) Labelling requirements

  • Labels supplied in physical form
    • i.e. CD/DVD
    • Physical label and Instruction for Use as per GN-23
  • Supplied without any physical form
    • i.e. downloadable software, web-based software
    • Screenshot of the splash screen which displays the elements for identification, including software version number.
    • If end-user will download and install the software, following info should be present:
      • Internet address or web link to allow the end-user to download the software
      • Software download procedure together with installation guide

3.) Software versioning and traceability: Essential for identification and post market traceability.

4.) Software verification and validation: Should comply with IEC 62304: Medical device software – Software life cycle processes. In addition, HSA reminded manufacturers that the software version between these documents and the one for registration should be consistent.

5.) Clinical evidence: The following are the required clinical evidence for software:

Table 2: Clinical Evidence requirements for Software registration

Rows give the Device Characteristics; columns give the Information Generated by Software Device.

| Device Characteristics | Treat and Diagnose | Drive Clinical Management | Inform Clinical Management |
|---|---|---|---|
| Critical | Literature Reviews; Post-Market Experience; Clinical Studies | Literature Reviews; Post-Market Experience | Literature Reviews; Post-Market Experience |
| Serious | Literature Reviews; Post-Market Experience; Clinical Studies | Literature Reviews; Post-Market Experience | Literature Reviews; Post-Market Experience |
| Non-serious | Literature Reviews; Post-Market Experience | Literature Reviews; Post-Market Experience | Literature Reviews; Post-Market Experience |

6.) Risk management: Should comply with ISO 14971 Medical Devices — Application of Risk Management to Medical Devices. For embedded software, risk management is required for the medical system including hardware.

7.) Supporting documents for cybersecurity: The following are applicable for connected medical devices (wireless, Bluetooth):

  • Cybersecurity control measures in place (e.g. design controls)
  • Cybersecurity vulnerabilities (known and foreseeable) and risk analysis and mitigation measures implemented.
  • On-going plans, processes or mechanisms for surveillance, timely detection and management of the cybersecurity related threats during the useful life of the device, especially when a breach or vulnerability is detected in the post-market phase.

 

Software manufacturers and distributors

HSA states the role of software manufacturers and distributors after product registration approval:

  • Ensure the software is developed and manufactured under an appropriate and effective quality management system (e.g. ISO 13485 or GDPMDS).
  • Ensure traceability of the software medical device. This is essential to track and trace the software (e.g. software version) to the users (e.g. physicians or patients) in the event of a Field Safety Corrective Action (FSCA) or product defect.
  • Provide assurance that there is proper procedure in place for post-market surveillance and response. Ability to handle product recalls and implement corrective actions (e.g. bug fixes, cyber alerts, software patches) in a timely and effective manner (Planning, conducting and reporting of corrective action) and to identify any recurring problems requiring attention.
  • Ensure proper maintenance and handling of device related records and information (e.g. customer complaints, distribution records, recall data) throughout the lifecycle of the software.

 

Changes to a registered software

 

HSA showed the change notification process for software products. It is important to note that software changes will not be limited to the following flowcharts. Consulting GN-21 is advised when dealing with any type of change notification.

 

Post Market Management of software medical devices

As part of post market management, HSA provided a non-exhaustive list of common software issues and errors it has encountered that can result in a Field Safety Corrective Action (FSCA) or Adverse Event (AE).

 

Cybersecurity

Cybersecurity is an important requirement in the evaluation of software medical devices. Disruption of medical device availability and/or functionality is highly possible during cybersecurity attacks. As a consequence, such an event may render hospital networks unavailable, delaying patient care. HSA listed several considerations in relation to cybersecurity:

  • Secure Device design
  • Customer Security Documentation
  • Cyber risk management
  • Verification and Validation
  • On-going plan for surveillance and timely detection of emerging threats (post market plan)

 

Artificial Intelligence Medical Devices (AI-MD)

Manufacturers and developers of AI-MDs are required to follow these guidelines:

  • Personal Data Protection Act
  • Human Biomedical Research Act
  • Private Hospitals and Medical Clinics Act

AI-MDs are subject to requirements comparable to those for other software. HSA mentioned some specific additional considerations for this group of devices:

  • Continuous learning capabilities
  • Level of human intervention
  • Training of models
  • Retraining

 

In addition, the guidance described the following information that should be submitted for pre-market registration of AI-MDs:

  • Dataset
  • AI Model
  • Performance and Clinical Evaluation
  • Deployment

For Post Market Monitoring, HSA noted that developers, distributors, implementers and users should work together towards an established monitoring process to ensure performance of deployed devices in clinical settings. In addition, local companies of registered AI-MDs are required to submit periodic post market reports to HSA.

 

References:

Regulatory Guidelines for Software Medical Devices –  A Lifecycle Approach  

 
