On January 3, 2019, the National Medical Products Administration (“NMPA”) published a draft standalone software appendix of medical device good manufacturing practice (“Draft Standalone Software GMP” or “Draft Appendix”) for public comment (available here). Comments are due on January 30, 2019.
China revised its medical device GMP in 2014, which apply to all classes of devices regardless of whether they are imported or made in China. Subsequently, NMPA added various appendices (fulu) to articulate special requirements for certain types of devices, including sterile, implantable, and in vitro diagnostic devices. The Draft Appendix sets out proposed special requirements for software that falls under the definition of medical device.
In China, the definition of a medical device covers software that either itself constitutes a device (i.e., standalone software) or is an accessory/component of a device (i.e., component software). The Draft Standalone Software GMP expressly applies to standalone software and it states that it applies, “by reference,” (mutatis mutandis) to component software. If finalized, the Draft Standalone Software GMP would be effective on an undetermined date in 2020.
The Draft Appendix is a relatively simple document with four main sections:
- scope and general principles of the Draft Appendix ;
- special requirements for various aspects of the manufacturing and post-market processes (see below);
- definitions of key terms; and
- miscellaneous provisions.
Key features of the Draft Standalone Software GMP include the following:
Staffing Requirements
Among other requirements, the development staff and testing staff are required to have experience in software development and/or testing, although the Draft Appendix does not go into detail about what specific qualifications or number of years’ experience specific types of staff members need. The manufacturer must have different staff for developing the product and conducting black-box functionality testing — i.e., no staff member may perform both those functions concurrently.
Protocols and Documents
The manufacturer is required to formulate various protocols governing key aspects of the manufacturing process and life cycle of the software:
- Facilities (e.g., the maintenance of development and testing environment);
- Software development (e.g., software life cycle control process (including demand analysis, design, coding, verification, upgrading, among others), configuration, version control, traceability, use of software, and testing);
- Procurement (e.g., vendor quality control, and vendor review);
- Manufacturing management (e.g., publication of software, including creation of software document, backup, archive, anti-virus protection);
- Quality control (e.g., release of software, including version control, installation and uninstallation testing, integrity check, release approval);
- After-sale service (such as delivery, installation, configuration, deployment, training, cessation of operation),
- Management of defective products (e.g., evaluation, resolution, and risk management), and
- Adverse events monitoring, analysis and AE-related product improvement (e.g., cybersecurity emergency control process).
The Draft Appendix simply states that these protocols are required, and sets out their general scope, but otherwise does not describe the protocols in detail. Under the Draft Appendix, the manufacturer is required to keep proper records evidencing the compliance of the above protocols.
Procurement of Cloud-Computing Service Arrangements
Given the development of cloud technology in the past few years, an increasing number of software devices, both standalone software and component software, have built-in cloud technology, such as cloud computing and cloud storage. This software can substantially lower the initial capital investment by institutional users by avoiding the need for them to own their own data servers or otherwise building out their computing capacity.
The Draft Appendix sets out the general requirements related to cybersecurity and the network applicable for the software itself, as well as the requirements for any cloud-computing service procured by the developer. Specifically, if the software developer procures a cloud-computing service, the agreement must specify each party’s responsibility and liability with respect to cybersecurity and patients data privacy. However, it is not clear whether Draft Standalone Software GMP requires that all cloud-based (e.g., cloud data storage) software procurement agreements be in compliance with the above requirement.
Permanent Software Outage Procedures
The Draft defines a “permanent software outage” (or “software retirement”) as the point at the end of software’s life cycle when the manufacturer ceases sales and after-sale services. For these circumstances, the manufacturer must set requirements for follow-up customer service, data transfer, patient data privacy, customer notification process. Proper records are required. It is not clear whether and how this requirement relates to cases in which the manufacturer relies on the cooperation of a cloud service provider, or whether the cloud service agreement must take the requirements of the protocol into account.
Adverse Events
The Draft Standalone Software GMP contains a brief section on “adverse event monitoring, analysis, and improvement.” All of these terms are undefined, and it is not clear how this new regulation relates to the Administrative Measures on Medical Device Adverse Event Monitoring and Re-Evaluation (“AE Measures”) that NMPA revised in August 2018 (see here).
This section contains two provisions. The first notes that data analysis procedures must cover cybersecurity incidents. This is different from the concept of an adverse event defined under the AE Measures which covers events in which there is an actual or potential harm to the human body. The second provision requires establishment cybersecurity emergency response system, although the precise requirements of this system are not clear.
* * *
The Draft Standalone Software GMP provides general and high-level guidance regarding the compliance requirements on the manufacturing of software device. Chinese and foreign medical device companies developing or manufacturing software device should continue to monitor developments for the final version (including any further explanation or guidance) and should consider submitting comments.