Key takeaways

• The HSA regularly publishes guidance documents to clarify their current policy stance and practice on the regulation of medical devices. These documents are intended to help companies meet the regulatory requirements governing their medical device dealings and are updated from time to time to improve regulatory efficiency and clarity, especially where new technologies not covered in the general guidelines emerge. The HSA may also publish working drafts for consultation by relevant stakeholders prior to finalising a guidance document. We cover the HSA's publication of the draft SaMD-CDSS Risk Classification in our August 2021 newsletter here.  
• With the rapid pace of technological advancement and the growing popularity of telemedicine, medical devices have become increasingly reliant on software for safe and effective function, as well as interoperability with other devices. Companies are also exploring how emerging technologies like Artificial Intelligence can be used in clinical settings. The revised SaMD Guidelines and new SaMD-CDSS Risk Classification therefore offer additional guidance to address potential queries that medical device manufacturers and suppliers may have in relation to the risk classification, pre-market registration, and change notification requirements of their software medical device products.
• Additionally, including guidance on the HSA's regulatory stance on software medical devices with non-medical device (non-MD) functions along with the new SaMD-CDSS Risk Classification brings the HSA's software medical device regulatory framework in closer alignment with various recommendations and standards set by international medical device associations. 

In more detail

In April 2022, the Health Sciences Authority (HSA) published its revised Regulatory Guidelines for Software Medical Devices ("SaMD Guidelines"). It has also finalised its new Guidelines on Risk Classification of Standalone Medical Mobile Applications and Qualification of Clinical Decision Software ("SaMD-CDSS Risk Classification"), which had been released for public consultation in July to August 2021.

Revised SaMD Guidelines

The SaMD Guidelines aim to provide clarity on the regulatory requirements for software medical devices at each stage of its life cycle. This is intended to assist stakeholders involved in the development and supply of software medical devices to handle various demands, such as requirement management, risk assessment, software verification and validation, change management, traceability, among other aspects.

In these latest revisions to the guidelines, the HSA has clarified the cybersecurity information required for a medical device product registration application. The revised SaMD Guidelines provide that medical devices with wireless features or internet-connected and network-connected functions should submit evidence that device's security or the effectiveness of its controls have been verified. Such evidence may include:

• Descriptions of test methods, results, and conclusions;
• A traceability matrix between security risks, security controls, and testing to verify said controls; and
• References to any standards and internal standards of procedures or documents used.

The Revised SaMD Guidelines also include new guidance on the HSA's regulatory stance on software medical devices with non-MD functions. Such non-MD functions include, among others:

• Storing, converting or transferring patient data;
• Those intended to provide general patient education and facilitate access to commonly referenced information; and
• Those allowing the automation of general office operations in a healthcare setting.

In relation to such devices, the Revised SaMD Guidelines set out the following requirements:

1. Information and validation of the non-MD function(s) are not required at the product registration stage.
2. Manufacturers must still consider if the non-MD function(s) impacts the device's safety and performance. Any potential risks should be analysed, mitigated, and supported by the appropriate verification to ensure that any mitigation measures are effective.
3. The risk management processes set out in (2) shall be documented as part of the manufacturer's quality management system.   

Finally, the flowchart that aids companies in determining the Change Notifications required in respect of a registered Artificial Intelligence Medical Device (AI-MD) incorporating Machine Learning has been amended.

New SaMD-CDSS Risk Classification

The new SaMD-CDSS Risk Classification has two broad objectives: (1) to help dealers determine the risk classification of software medical devices; and (2) to clarify when clinical decision support software (CDSS) are regulated as medical devices, and the regulatory requirements governing them.

(i) Risk Classification of software medical devices

Similar to the HSA's Guidance on the Risk Classification of General Medical Devices ("General MD Risk Classification"), the new SaMD-CDSS Risk Classification appears to classify software medical devices based on the severity of the consequences posed to the patient in the event of device failure. To this end, the SaMD-CDSS Risk Classification considers the following factors when determining risk:

1. The significance of information provided by the software medical device in healthcare decision making - i.e. whether it influences decisions to treat, diagnose, drive or inform clinical management;
2. The severity of the patient's situation or condition; and
3. Where applicable, existing guidance set out in the General MD Risk Classification.

(ii) Regulation of CDSS

CDSS are standalone software capable of performing functions (which may or may not be MD-functions) for healthcare professionals, patients and caregivers to support clinical practice, clinical and patient management. The table below broadly outlines when a CDSS would be regulated as a medical device:

In the event that the CDSS is regulated as a medical device, the SaMD-CDSS Risk Classification further provides that it would be regulated as Class A medical devices if they meet all of the following criteria:

1. The CDSS is intended to analyse patient information found in physical or electronic form (i.e. their medical history, care or treatments received, diagnoses, and medications taken) or other medical information;
2. The CDSS is not intended to acquire, process (except for software function solely to convert medical images or data to compatible formats), or analyse a medical image, signal, or pattern from another medical device, in-vitro device or signal acquisition system;
3. The CDSS is intended only to support healthcare professionals in making decisions about prevention, diagnosis, treatment or alleviation of a disease or condition; and
4. The CDSS is not intended to replace the clinical judgment of a healthcare professional to make a clinical diagnosis or treatment regarding an individual patient AND where the healthcare professional is capable independently reviewing the basis of the CDSS's recommendation.

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.