Eclevar Australia provides an update on Australian regulatory requirements for software-based medical devices – January 2023
TGA is aligning its regulatory framework with the latest developments in software-based medical devices, including artificial intelligence and machine learning, and providing classification criteria for clinical decision support software (CDSS)
Software based medical devices are medical devices that either incorporate software or are software themselves – the latter are also known as software as medical device or SaMD. Software that falls under the definition of a medical device is regulated as a medical device by the TGA unless excluded.
Examples of SaMD include computer programs and applications, mobile apps, software as a service (cloud based), websites and browser delivered products. Some SaMD may be an accessory to a medical device. Accessories are regulated as separate medical devices.
Software that is an integral part of a medical device is sometimes referred to as SiMD (software in a medical device) and is usually supplied with the hardware device. The TGA regulates this software as part of that device. Examples include embedded software or firmware in a left ventricular assist device.
Software used to program or control a medical device through a connection, either physical or utilising wireless technology such as Bluetooth or WiFi, has the same risk classification as the medical device. Such software is a medical device in its own right if it is supplied separately from the related device. Examples include clinical software used to program a left ventricular assist device using a PC or laptop.
On 25th February 2021 the TGA implemented regulatory changes for software-based medical devices. These changes include:
- clarifying the boundary of regulated software products, including so-called ‘carve outs’ (through either an exemption or exclusion) from the scope of TGA regulation
- ‘Exemption’ means that the product is a medical device, it is not required to be included in the ARTG, but TGA retains oversight for advertising, adverse events, and notification. Example: surgical workflow software that describes the steps of a surgical procedure to a surgeon as per accepted clinical guidelines
- ‘Exclusion’ means that the product is completely unregulated by the TGA. Examples: consumer health products; technology enabling telehealth, healthcare or dispensing; electronic patient data management; laboratory IT systems.
- introducing new classification rules – there is a transition period that applies to the new classification rules for software-based medical devices, which ends on 1st November 2024; details are available in the TGA guidance Regulatory changes for software based medical devices of August 2021
- updating essential principles for software-based medical devices – with new requirements for software identification; cybersecurity; data management; as well as software development, production, and maintenance lifecycle
The intention of these changes was to align with international regulatory best practice while reducing unnecessary regulatory burden where appropriate. International regulatory convergence efforts are underway within the International Medical Device Regulatory Forum (IMDRF). There are two working groups tasked with issuing new or improving existing IMDRF guidance documents:
- WG Software as Medical Device (SaMD) chaired by Health Canada
- WG Artificial Intelligence-based Medical Devices (AI-MD) chaired by South Korea’s Ministry of Food and Drug Safety (MFDS)
- WG Medical Device Cybersecurity co-chaired by U.S. FDA and Health Canada
The largest proportion of SaMD and AI-ML based medical devices are in the clinical decision support software (CDSS) space. In October 2021, the TGA published the guideline Clinical decision support software which clarifies how to determine whether a CDSS is regulated by the TGA.
The basis for the decision whether the CDSS is a medical device regulated by the TGA or not is the intended purpose as stated by the manufacturer. If the software has multiple functions, it is the responsibility of the manufacturer to review the intended purpose of each function and determine whether it meets the definition of a medical device and thus fall under the scope of TGA regulation.
TGA’s Guidance Exemption for Certain Clinical Decision Support Software published in August 2022 provides examples and detailed interpretation of the exemption criteria for certain CDSS, and it complements the general Guidance Clinical decision support software originally published in February 2021 and revised in October 2021.
High risk class software-based medical devices require clinical evaluation based on clinical trials. In this context, clinical trials are performed as a validation using medical data collected from patients rather than testing directly on human subjects. Critical legislative requirements when using patient information are those applying to privacy and data protection, such as the Privacy Act in Australia, the General Data Protection Regulation (GDPR) in the EU, and the Health Insurance Portability and Accountability (HIPAA) Act in the U.S.