To respond to the emerging trend of adopting software in health care, China has told its regulators what to look for when approving software and how to evaluate its quality and performance, with a focus on data and life cycle management.
Definition of SaMD
According to the “Guideline on Medical Device Software” published in March 2022, medical device software includes independent software (software as medical device, SaMD) and software components. Independent software refers to software that functions as a medical device or its accessory, while software components are parts of or accessories to a medical device. Independent software must meet the following three characteristics:
• it must have one or more medical purposes,
• it must be able to fulfill its intended purpose without requiring medical device hardware,
• and it must operate on a general computing platform.
Independent software can be classified into general-purpose software and specialized software. General-purpose software is used in conjunction with multiple medical devices through general data interfaces, such as PACS (Picture Archiving and Communication Systems) or central monitoring software. Specialized software works with specific medical devices through either general or specialized data interfaces, such as Holter data analysis software or ophthalmic microscope image processing software.
SaMD GMP
If you know China's GMP system well, you might be familiar with the following guidelines issued in previous years:
1. Good Manufacturing Practice for Medical Devices
2. Good Manufacturing Practice Annex on Class III Medical Devices
3. Good Manufacturing Practice Annex on Sterile Medical Devices
4. Good Manufacturing Practice Annex on Implantable Medical Devices
5. Good Manufacturing Practice Annex on In Vitro Diagnostic Reagents
6. Good Manufacturing Practice Guidelines for Onsite Inspection
7. Good Manufacturing Practice Guidelines for Onsite Inspection of Sterile Medical Devices
8. Good Manufacturing Practice Guidelines for Onsite Inspection of Implantable Medical Devices
9. Good Manufacturing Practice Guidelines for Onsite Inspection of In Vitro Diagnostic Reagents
The tenth GMP came up in 2019. NMPA published the “Good Manufacturing Practice Annex on Independent Software” on July 12, 2019, which took effect on July 1, 2020. The document provides a comprehensive framework for managing the production quality of independent medical software, focusing on its lifecycle and cybersecurity.
To acknowledge the global nature of the medical device industry, it draws significantly on “Software as a Medical Device (SaMD): Application of Quality Management System”, published by the International Medical Device Regulators Forum (IMDRF), and on the international standard IEC 62304.
After satisfying Good Manufacturing Practice on Medical Devices, software manufacturers have to meet the eight special requirements listed in the Standalone Software Annex:
Personnel
Personnel involved in software development, testing, and maintenance must possess the appropriate professional knowledge, practical experience, and skills relevant to their roles. Developers and testers should not overlap in roles, particularly in black-box testing, to ensure objectivity. User testers should have experience with the software product or receive adequate training.
Equipment
Throughout the software lifecycle, an adequate and effective development and testing environment must be maintained, including hardware, software, development tools, network resources, and measures for virus protection, data backup, and recovery. Documentation should be maintained for these environments, specifying requirements for regular verification, updates, and maintenance.
Design and Development
A process control procedure should be established, documented, and aligned with the software lifecycle model. This includes planning, requirement analysis, design, coding, verification and validation, software updates, risk management, defect management, traceability analysis, configuration management, document control, and cybersecurity assurance. Software safety levels must align with the software’s intended use, scenarios, and core functionalities, with any adjustments requiring external risk control measures.
Risk management is critical and should be implemented throughout the software lifecycle, considering factors such as product identification, analysis, evaluation, control, and monitoring of software functions, interfaces, user interfaces, third-party software, and cybersecurity.
Configuration management should be documented and include version control, source code management, tool control, and the use of third-party software. Software version control must follow compliance-based naming conventions, ensuring clarity and consistency.
Traceability analysis is essential for ensuring that software development and updates meet traceability requirements, with procedures documented and applied throughout the software lifecycle.
Third-party software usage should be documented, ensuring risk management, validation, defect management, traceability, configuration management, and cybersecurity. If open-source software is used, adherence to the relevant open-source license agreements is required.
Procurement
The procurement of third-party software should be managed with appropriate documentation, quality control measures, and supplier evaluations. Agreements with suppliers should clarify requirements related to software needs, delivery methods, acceptance criteria, and intellectual property rights.
Production Management
Software release processes must be documented, covering the creation of product files, software archiving, version identification, and methods of delivery, with appropriate safeguards against viruses and ensuring repeatability.
Quality Control
Documentation must detail the software release process, including version identification, installation/uninstallation testing, product integrity checks, and release approvals.
Sales and After-Sales Service
Software deployment should be documented, covering delivery, installation, configuration, and user training. In the event of software discontinuation, documentation should cover post-discontinuation services, data migration, and user notifications.
Incident Monitoring, Analysis, and Improvement
Data analysis procedures must address software defects and cybersecurity incidents. An emergency response plan for cybersecurity events should be documented, including risk management, verification of response measures, user notifications, and recall processes.
NMPA also states that three already issued guidelines, Software Technical Review Guideline, Cyber Security Technical Review Guideline, and Mobile Device Technical Review Guideline can be used as references for standalone software registration.
For an English copy of the software GMP guideline or further information on the eight requirements listed above, please email us at info@ChinaMedDevice.com.
SaMD Onsite Inspection
NMPA issued the “Good Manufacturing Practice Guideline for Onsite Inspection of Standalone Software” on June 4, 2020. The document provides a thorough framework to ensure medical device software complies with high-quality and regulatory standards through robust life cycle management.
Concerning the manufacturing process of SaMD, the guideline requires manufacturers to be inspected in the following areas:
Organizational Structure and Personnel
The guidelines emphasize a robust management structure tailored for medical device production, requiring clear departmental roles and independent quality management to avoid conflicts of interest. The enterprise leader is accountable for overall quality, ensuring necessary resources, infrastructure, and a conducive work environment. Regular management reviews are mandated to assess the quality management system’s effectiveness and drive continuous improvement. Key personnel must be well-versed in relevant laws, possess practical quality management experience, and receive specialized training to maintain competence.
Facilities and Equipment
Facilities must meet specific production requirements, ensuring an environment that supports product quality with appropriate lighting, temperature, humidity, and ventilation controls. Adequate storage must be provided for materials and products, with proper segregation and labeling. The software development and testing environment should be well-maintained, secure, and equipped with up-to-date tools and resources, including virus protection and data backup. Equipment used in production must be clearly labeled and managed through established procedures for use, cleaning, and maintenance.
Document Management
A strong document management system is essential, encompassing quality manuals, procedural documents, and records as required by regulations. Document control must ensure that documents are systematically drafted, reviewed, approved, and updated, with obsolete documents clearly marked to prevent misuse.
Design, Development, and Procurement
The guidelines call for a documented software lifecycle process, covering all phases from planning to risk management and traceability. Configuration management and traceability analysis are crucial to ensure that all software versions and updates are controlled and compliant. Procurement procedures must ensure that all purchased items meet specified requirements, with rigorous supplier evaluations and audits to maintain high standards throughout the software’s lifecycle.
Production Management
Products must be produced according to an established quality management system to meet mandatory standards and technical requirements. Software release processes should be documented to ensure repeatability, with specific requirements for physical and network delivery methods. All products must have traceable production records, including details such as product name, model, batch number, production date, and operator information.
Quality Control
A quality control procedure must be established, covering the responsibilities of inspection departments, personnel, and equipment usage. Inspection instruments must be regularly calibrated and protected to ensure accurate results. Inspection records, including those for software products, should be maintained for traceability.
Sales and After-Sales Service
Sales records must be kept to ensure traceability, including product details and customer information. After-sales service capabilities should align with the products, and customer feedback must be tracked and analyzed. Software deployment and shutdown processes should be documented to cover activities such as delivery, installation, and user training.
Non-Conforming Product Control
A procedure should be in place for controlling non-conforming products, including identification, isolation, and review. If non-conformities are discovered post-sale, appropriate actions like recalls or destruction should be taken.
Adverse Event Monitoring and Improvement
A system for monitoring and responding to adverse events must be established, including procedures for data analysis, corrective actions, and quality management system audits. There should be a focus on network security event responses and regular internal audits to ensure compliance and continuous improvement.
NMPA has certified its own inspection personnel and strengthened on-site inspections conducted in China and overseas. From Jan 2016 to June 2020, five groups of inspectors, totaling 230 people, were appointed by NMPA Center of Food and Drug Inspection.
Check out our technical review of the AI-aided Software Guideline. The article was published in BioWorld, a Hong Kong-based biotech magazine.
China Med Device can deliver training and help conduct mock audits to ensure your full compliance with China GMP requirements. Contact: info@ChinaMedDevice.com.