With the increased prevalence of software aimed at improving our day to day health, diagnosing illnesses and treating medical conditions, there has been a recent focus on developing regulations to address new types of medical devices.
When is software a medical device?
In Australia the Therapeutic Goods Administration (TGA) regulates health related software that is a medical device as defined in section 41BD of the Therapeutic Goods Act 1989 (Cth) as follows:
Any instrument, apparatus, appliance, material or other article (whether used alone or in combination, and including the software necessary for its proper application) intended, by the person under whose name it is or is to be supplied, to be used for human beings for the purpose of one or more of the following:
- Diagnosis, prevention, monitoring, treatment or alleviation of disease;
- Diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability;
- Investigation, replacement or modification of the anatomy or of a physiological process; and
- Control of conception;
And that does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but that may be assisted in its function by such means…
In practice, this means that software like apps that provide information about your daily step count or track your heart rate and are aimed at helping you manage a healthy lifestyle would not be considered a medical device. However, software that may assist in processing X-ray images or an app that assists patients in making a diagnosis would be considered a medical device and is regulated by the TGA.
How is Software as a Medical Device Regulated?
The regulation of Software as a Medical Device (SaMD), like the regulation of most technologies, is struggling to keep pace with the ongoing influx of new and updated SaMDs. The current regulation of SaMDs by the TGA is centred on a risk based approach under the Australian Regulatory Guidelines for Medical Devices (Guidelines). As the current Guidelines do not cater to the unique characteristics of SaMDs, many of these medical devices are considered low risk by the TGA.
In accordance with the Guidelines, all SaMDs are required to be registered on the Australian Register of Therapeutic Goods. In order to be registered the following criteria must be met:
- Manufacturers of SaMD products must obtain a Conformity Assessment certificate, unless the SaMD is categorised in the lowest risk classification; and
- The SaMD must satisfy the TGA’s Essential Principles under the Therapeutic Goods Act (Cth) and the Guidelines.
The TGA’s Essential Principles, amongst other things, include requirements regarding the safety, purpose, design, construction and transport of medical devices. Following registration on the Australian Register of Therapeutic Goods there are also additional obligations that will be imposed on owners of SaMDs such as the recently introduced Therapeutic Goods Advertising Code (No. 2) which came into effect on 1 January 2019.
Where are we heading?
The TGA is currently developing amendments to the Guidelines to better address the unique regulatory challenges posed by SaMDs. On 18 July 2019, the TGA released new guidelines regarding cyber security for the manufacturers and sponsors of medical devices. SaMDs often require a degree of internet connectivity that makes them vulnerable to cyber security threats. In addition, they are an attractive target for hackers as they allow access to health information which represents one of the most lucrative forms of data.
Most importantly, these new guidelines make it clear that cybersecurity needs to be a key consideration for both manufacturers and sponsors throughout the entire life cycle of an SaMD in order to effectively comply with the TGA’s Essential Principles.
On an international level, the TGA is currently working closely with the International Medical Device Regulators Forum (IMDRF), an international group of medical device regulators, to develop harmonious and consistent international regulation of SaMD. The IMDRF have published a number of technical documents which provide additional guidance on what constitutes an SaMD and how it should be regulated. The IMDRF is currently developing a regulatory guidance document with a particular focus on medical devices that are intended for a specific individual, such as 3D printed implantable devices. It is likely that the IMDRF will continue to develop regulatory guidelines for SaMD in an attempt to maintain pace with the continued developments in the digital health space.
Manufacturers and sponsors of SaMDS should keep an eye on the actions of the IMDRF as the TGA’s continued involvement in the IMDRF suggests that any future domestic developments in this space would be consistent with international guidelines.
Need further advice?
If you are unsure if your software or app is an SaMD or you need to register your SaMD with the TGA, our team can provide tailored advice about your duties and obligations and assist you with any future steps.
This article was written by Karen Keogh, Partner and Luke Depares, Law Graduate.