With the growing complexity and sophistication of medical device software, the Regulatory requirements for their registration are becoming increasingly stringent. In 2022, the National Medical Products Administration (NMPA), China introduced revised guidelines specifically addressing the registration process for medical device software. The guidelines provide a comprehensive overview of the Regulatory standards that manufacturers and developers must adhere to when registering their products in China. Thus, these guidelines are crucial for manufacturers and developers as they navigate the registration process in China’s medical device software market, and they can seek assistance from our Regulatory experts for easier and faster market entry.

The revised guidelines cover the following key aspects:

• Introduction of Medical Device Software: Software as a Medical Device (SaMD) refers to software that serves one or more medical purposes or uses. It fulfils its intended function independently, without relying on any medical device hardware, and operates on a general-purpose computing platform. Examples of SaMD include medical image processing software, Holter data analysis software, and ophthalmic microscope image processing software.
  
  On the other hand, Software in a Medical Device (SiMD) refers to software that serves one or more medical purposes or uses; it either controls/drives medical device hardware or operates on a specialized medical computing platform. SiMD encompasses software components that are embedded in the hardware of medical devices, such as electrocardiographs, electroencephalographs, Computed Tomography (CT), and Magnetic Resonance Imaging (MRI) image acquisition workstations. Such software components, often referred to as firmware, play a vital role in the functioning of medical devices.

• Requirements for Software Development and Testing: During the registration process, applicants are required to submit various documents related to software testing, verification, and validation. It is important to consider the software testing requirements in conjunction with the characteristics of the product and the risk levels associated with the software. This, in turn, helps ensure that the test coverage adequately addresses statements, judgments, conditions, paths, and other aspects, ultimately guaranteeing the quality of software verification and confirmation.
  
  To achieve comprehensive testing, testing all source codes is essential. This can be accomplished by employing a combination of different testing methods, such as white box testing, black box testing, gray box testing, and other applicable approaches. By using these diverse testing methods, the applicant can thoroughly examine the software from various angles, ensuring that potential issues and vulnerabilities are identified and addressed effectively.

• Requirements for Clinical Evaluation: On the one hand, standalone software typically undergoes clinical evaluation that is primarily based on its functions. If necessary, the evaluation may also encompass the software algorithms. On the other hand, software components, along with the corresponding medical devices, are generally evaluated as integrated units.
  
  Clinical evaluation of post-processing functions can follow the requirements for independent software evaluations. Moreover, the post-processing function can also be evaluated as a unified entity along with the medical device with which it is associated. This approach ensures that the clinical evaluation comprehensively assesses both the independent software components and its integration with the specific medical device, thereby addressing the entire functionality and performance of the system.

• Requirements for the Software Registration Research Document:

1. Self-developed Software Research Report: This report is applicable to both the initial release and re-release of self-developed software. It should include the following four (04) main sections:
   • a) Basic Information: This section provides an overview of the software, including its purpose, intended users, and any relevant background information.
   • b) Implementation Process: This section describes the process of software development, including the methodologies, tools, and technologies used.
   • c) Core Functions: This section outlines the main functionalities and features of the software.
   • d) Conclusions: The concluding section summarizes the findings and conclusions of the research, highlighting the software’s performance, usability, and any other relevant evaluation results.
2. Self-developed Software Update Research Report: This report applies to the re-release of self-developed software and focuses on different types of maintenance, which include:
   • a) Perfective Maintenance: This explains any enhancements or improvements made to the software’s existing features to enhance its functionality or performance.
   • b) Flexibility Maintenance: This discusses any modifications or adaptations made to the software to improve its flexibility or adaptability to different environments and user requirements.
   • c) Corrective Maintenance: This addresses any bug fixes, error corrections, or issues resolved in the software.
3. Off-the-shelf Software Research Document: This document pertains to software that is not developed in-house and is commercially available. The specific requirements for this document may vary, but it generally includes an evaluation of the off-the-shelf software’s functionality, performance, usability, and compatibility with the intended use and the medical device with which it is associated. The research document should provide comprehensive information on the off-the-shelf software, including its specifications, vendor details, and any relevant evaluation or testing results.

• Requirements for Software Cybersecurity: Top of FormWhen addressing medical device cybersecurity, it is essential to adopt a comprehensive approach that encompasses information and data security. Cybersecurity considerations are particularly crucial when medical device software involves any combination of the following three (03) functions:

1. Electronic Data Exchange
2. Remote Access and Control
3. User Access

In such cases, cybersecurity measures must be thoroughly considered to safeguard the integrity and protection of the medical device and its associated data.

Decode more about software registration in China. Reach out to a trusted Regulatory partner!