Singapore: Updates to the HSA's Software as a Medical Device regulatory framework

In brief

In April 2022, the Health Sciences Authority (HSA) published its revised Regulatory Guidelines for Software Medical Devices ("SaMD Guidelines"). It has also finalised its new Guidelines on Risk Classification of Standalone Medical Mobile Applications and Qualification of Clinical Decision Software ("SaMD-CDSS Risk Classification"), which had been released for public consultation in July to August 2021.


Contents

Key takeaways

  • The HSA regularly publishes guidance documents to clarify their current policy stance and practice on the regulation of medical devices. These documents are intended to help companies meet the regulatory requirements governing their medical device dealings and are updated from time to time to improve regulatory efficiency and clarity, especially where new technologies not covered in the general guidelines emerge. The HSA may also publish working drafts for consultation by relevant stakeholders prior to finalising a guidance document. We cover the HSA's publication of the draft SaMD-CDSS Risk Classification in our August 2021 newsletter here.  
  • With the rapid pace of technological advancement and the growing popularity of telemedicine, medical devices have become increasingly reliant on software for safe and effective function, as well as interoperability with other devices. Companies are also exploring how emerging technologies like Artificial Intelligence can be used in clinical settings. The revised SaMD Guidelines and new SaMD-CDSS Risk Classification therefore offer additional guidance to address potential queries that medical device manufacturers and suppliers may have in relation to the risk classification, pre-market registration, and change notification requirements of their software medical device products.
  • Additionally, including guidance on the HSA's regulatory stance on software medical devices with non-medical device (non-MD) functions along with the new SaMD-CDSS Risk Classification brings the HSA's software medical device regulatory framework in closer alignment with various recommendations and standards set by international medical device associations. 

In more detail

In April 2022, the Health Sciences Authority (HSA) published its revised Regulatory Guidelines for Software Medical Devices ("SaMD Guidelines"). It has also finalised its new Guidelines on Risk Classification of Standalone Medical Mobile Applications and Qualification of Clinical Decision Software ("SaMD-CDSS Risk Classification"), which had been released for public consultation in July to August 2021.

Revised SaMD Guidelines

The SaMD Guidelines aim to provide clarity on the regulatory requirements for software medical devices at each stage of its life cycle. This is intended to assist stakeholders involved in the development and supply of software medical devices to handle various demands, such as requirement management, risk assessment, software verification and validation, change management, traceability, among other aspects.

In these latest revisions to the guidelines, the HSA has clarified the cybersecurity information required for a medical device product registration application. The revised SaMD Guidelines provide that medical devices with wireless features or internet-connected and network-connected functions should submit evidence that device's security or the effectiveness of its controls have been verified. Such evidence may include:

  • Descriptions of test methods, results, and conclusions;
  • A traceability matrix between security risks, security controls, and testing to verify said controls; and
  • References to any standards and internal standards of procedures or documents used.

The Revised SaMD Guidelines also include new guidance on the HSA's regulatory stance on software medical devices with non-MD functions. Such non-MD functions include, among others:

  • Storing, converting or transferring patient data;
  • Those intended to provide general patient education and facilitate access to commonly referenced information; and
  • Those allowing the automation of general office operations in a healthcare setting.

In relation to such devices, the Revised SaMD Guidelines set out the following requirements:

  1. Information and validation of the non-MD function(s) are not required at the product registration stage.
  2. Manufacturers must still consider if the non-MD function(s) impacts the device's safety and performance. Any potential risks should be analysed, mitigated, and supported by the appropriate verification to ensure that any mitigation measures are effective.
  3. The risk management processes set out in (2) shall be documented as part of the manufacturer's quality management system.   

Finally, the flowchart that aids companies in determining the Change Notifications required in respect of a registered Artificial Intelligence Medical Device (AI-MD) incorporating Machine Learning has been amended.

New SaMD-CDSS Risk Classification

The new SaMD-CDSS Risk Classification has two broad objectives: (1) to help dealers determine the risk classification of software medical devices; and (2) to clarify when clinical decision support software (CDSS) are regulated as medical devices, and the regulatory requirements governing them.

(i) Risk Classification of software medical devices

Similar to the HSA's Guidance on the Risk Classification of General Medical Devices ("General MD Risk Classification"), the new SaMD-CDSS Risk Classification appears to classify software medical devices based on the severity of the consequences posed to the patient in the event of device failure. To this end, the SaMD-CDSS Risk Classification considers the following factors when determining risk:

  1. The significance of information provided by the software medical device in healthcare decision making - i.e. whether it influences decisions to treat, diagnose, drive or inform clinical management;
  2. The severity of the patient's situation or condition; and
  3. Where applicable, existing guidance set out in the General MD Risk Classification.

(ii) Regulation of CDSS

CDSS are standalone software capable of performing functions (which may or may not be MD-functions) for healthcare professionals, patients and caregivers to support clinical practice, clinical and patient management. The table below broadly outlines when a CDSS would be regulated as a medical device:

Intended use

Regulated as a medical device?

Any medical function i.e. investigating, detecting, diagnosing, preventing, monitoring, treating or managing any medical condition, disease, anatomy or physiological process

Yes

Solely to display or print medical information about a patient* or other medical information (i.e. demographic information, drug labelling, clinical guidelines, studies or recommendations)

*This does not include real time patient information intended for patient monitoring or treatment decisions

No

Any intended use that does not meet the definition of a medical device in the First Schedule of the Health Products Act

No

 

In the event that the CDSS is regulated as a medical device, the SaMD-CDSS Risk Classification further provides that it would be regulated as Class A medical devices if they meet all of the following criteria:

  1. The CDSS is intended to analyse patient information found in physical or electronic form (i.e. their medical history, care or treatments received, diagnoses, and medications taken) or other medical information;
  2. The CDSS is not intended to acquire, process (except for software function solely to convert medical images or data to compatible formats), or analyse a medical image, signal, or pattern from another medical device, in-vitro device or signal acquisition system;
  3. The CDSS is intended only to support healthcare professionals in making decisions about prevention, diagnosis, treatment or alleviation of a disease or condition; and
  4. The CDSS is not intended to replace the clinical judgment of a healthcare professional to make a clinical diagnosis or treatment regarding an individual patient AND where the healthcare professional is capable independently reviewing the basis of the CDSS's recommendation.


LOGO_Wong&Leow_Singapore

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.