An overhaul of regulation of software as a medical device - what's on the horizon?

In brief

Proposed new regulatory rules for software as a medical device will, if enacted, have serious implications for suppliers to the Australian market, who will likely have to meet more stringent requirements that could conflict with those in the US and Europe. Special Counsel Ric Morgan and Senior Associate Tracy Lu look at the changes, and at what you should be considering now.


The digital era of healthcare is well and truly upon us, and the Therapeutic Goods Administration (the TGA) is making a concerted effort to catch up to the pace of development, most recently focusing on regulation of software as a medical device. Further to the guidance it published in December 2018, the TGA has also released a consultation paper and hosted a webinar on regulation of software as a medical device. Submissions will close on 31 March.

How is software currently regulated?

The threshold question is whether the particular software falls under the definition of 'medical devices' as set out in section 41BD of the Therapeutic Goods Act 1989 (Cth).

If the software does not fall under the definition of 'medical devices' (eg it is a general fitness app, or it is a platform that aggregates information about how to live a healthy lifestyle), it would not be regulated by the TGA.

If the software is part of a medical device (such as software or embedded firmware), it is not regulated separately, but is regulated as part of the device.

If the software controls or adjusts a medical device through Bluetooth or WiFi features, it is considered to be a medical device for regulatory purposes (as an accessory under s41BD(1)(b)), and is regulated separately, but at the same risk classification level as the device it controls or adjusts.

Software as a medical device (SaMD) is standalone software that falls under the definition of a 'medical device' and is not associated with another medical device. Under rule 2.1, Part 2 of Schedule 2 of the Therapeutic Goods (Medical Devices) Regulations 2002 (Cth) (the Regulations), all non-invasive medical devices not covered by another specific rule under Parts 2, 4 or 5 are Class I. According to the Australian Regulatory Guidelines for Medical Devices, which are currently under review, 'non-invasive medical devices' are devices that do not touch patients or contact only intact skin. This would capture all SaMDs. It also appears that Parts 4 and 5 of Schedule 2 would not apply, as a practical matter, to SaMDs.

This means under the current regulatory regime, all SaMDs would be classified as Class I medical devices, being the lowest risk classification. This is the case regardless of the risk a particular piece of software may pose to the patient, which may vary greatly depending on the software's functionality, whether the software would change over time if it incorporates AI or machine learning, and the disease or condition for which the software is intended to be used.

Proposed changes

The consultation paper proposes three key changes:

  • New, detailed classification rules should be introduced to classify SaMDs according to their actual risk levels.
  • SaMDs should be excluded from the personal importation exemption in the Regulations, in recognition of the fact that many consumers could now personally 'import' / download an overseas-produced SaMD, and the exemption provision was not designed with this manner or volume of 'imports' in mind.
  • Essential principles for medical devices should include clear and transparent requirements for demonstrating the safety and performance of SaMDs.

New classification rules

This proposal, if enacted, is likely to have the largest impact on suppliers of SaMDs, who will have to look closely at the rules to determine whether a higher classification would apply to their devices.

Some examples of the specific categories set out in the proposed rules include:

  • software that screens patients to determine the need for further assessment for a disease that is fatal or debilitating in a short timeframe, or that poses a risk to public health, would be Class III;
  • software that recommends a treatment or intervention for a clinician to decide and administer would be Class IIa; or
  • software that directs patient activity based on input from the patient, and could result in patient harm, would be Class IIb.

A higher classification would mean more stringent regulatory requirements. For instance, with conformity assessments (which are assessments to determine that a medical device is safe and performs as intended and conforms to the list of Essential Principles for medical devices):

  • Class I medical devices – manufacturers are required to perform a self-assessment only;
  • Class IIa and IIb medical devices – the manufacturer's quality management system is required to be subject to an initial and ongoing review by a Conformity Assessment Body; and
  • Class III medical devices – the manufacturer's quality management system is required to be subject to an initial and ongoing review by a Conformity Assessment Body, and the design of the device is also required to be reviewed by a Conformity Assessment Body.

The practical questions suppliers should consider are:

  • whether the proposed categories sufficiently cover all of their current products and their pipeline of products in the reasonably foreseeable future;
  • whether a current or planned product would have an inappropriate classification under these proposed changes; and
  • if a higher classification would apply, what does the business need to do to meet the more stringent requirements and how long would it take to adapt its practices?

Exclusion from personal importation exemption

Currently, under Item 1.1 of Part 1, Schedule 4 to the Regulations, an exemption from regulation applies in relation to devices imported for personal use by the importer, or a member of the importer's immediate family, if certain conditions are met. As the consultation paper notes, this exemption was intended to allow for the importation of a small number of products, for a short period of time, but not to apply to many individuals downloading their own SaMDs for use over the long term.

Accordingly, it is proposed all SaMDs, including those provided by way of download and by overseas suppliers, should have a sponsor in Australia and be included on the Australian Register of Therapeutic Goods.

The enforcement of this requirement is likely to be challenging, as the TGA would have to depend on the cooperation of large international app platform operators to prevent or stop supply in the event of non-compliance. Patients and health practitioners may also be concerned this may adversely affect their access to innovative SaMDs, as overseas providers may not consider Australia to be a sufficiently large market to invest in achieving regulatory compliance. This would particularly be the case in relation to a downloadable product that is designed as a 'one size fits all' for all global markets.

Changes to essential principles

The proposed changes are straightforward and focus on, unsurprisingly, cybersecurity and software development risks. Given the high risk to a patient if an SaMD is compromised, or there is a data breach involving health information (see our 'Data breaches in the healthcare sector: the reality, the costs and how to prevent them'), consumers already expect suppliers of SaMDs to be adopting best-practice cybersecurity and software development principles, and to be transparent about their practices. Therefore, it may be that, practically speaking, the proposed changes are only cementing what suppliers are already doing in the marketplace. However, it may also be that they result in Australia-specific requirements that, while overlapping with European or US requirements, impose additional or inconsistent obligations.