On January 3, 2019, the National Medical Products Administration (“NMPA”) published a draft standalone software appendix of medical device good manufacturing practice (“Draft Standalone Software GMP” or “Draft Appendix”) for public comment (available here).  Comments are due on January 30, 2019.

China revised its medical device GMP in 2014, which apply to all classes of devices regardless of whether they are imported or made in China.  Subsequently, NMPA added various appendices (fulu) to articulate special requirements for certain types of devices, including sterile, implantable, and in vitro diagnostic devices.    The Draft Appendix sets out proposed special requirements for software that falls under the definition of medical device.

In China, the definition of a medical device covers software that either itself constitutes a device (i.e., standalone software) or is an accessory/component of a device (i.e., component software).  The Draft Standalone Software GMP expressly applies to standalone software and it states that it applies, “by reference,” (mutatis mutandis) to component software.  If finalized, the Draft Standalone Software GMP would be effective on an undetermined date in 2020.

The Draft Appendix is a relatively simple document with four main sections:

  • scope and general principles of the Draft Appendix ;
  • special requirements for various aspects of the manufacturing and post-market processes (see below);
  • definitions of key terms; and
  • miscellaneous provisions.

Key features of the Draft Standalone Software GMP include the following:

Staffing Requirements

Among other requirements, the development staff and testing staff are required to have experience in software development and/or testing, although the Draft Appendix does not go into detail about what specific qualifications or number of years’ experience specific types of staff members need.  The manufacturer must have different staff for developing the product and conducting black-box functionality testing — i.e., no staff member may perform both those functions concurrently.

Protocols and Documents

The manufacturer is required to formulate various protocols governing key aspects of the manufacturing process and life cycle of the software:

  • Facilities (e.g., the maintenance of development and testing environment);
  • Software development (e.g., software life cycle control process (including demand analysis, design, coding, verification, upgrading, among others), configuration, version control, traceability, use of software, and testing);
  • Procurement (e.g., vendor quality control, and vendor review);
  • Manufacturing management (e.g., publication of software, including creation of software document, backup, archive, anti-virus protection);
  • Quality control (e.g., release of software, including version control, installation and uninstallation testing, integrity check, release approval);
  • After-sale service (such as delivery, installation, configuration, deployment, training, cessation of operation),
  • Management of defective products (e.g., evaluation, resolution, and risk management), and
  • Adverse events monitoring, analysis and AE-related product improvement (e.g., cybersecurity emergency control process).

The Draft Appendix simply states that these protocols are required, and sets out their general scope, but otherwise does not describe the protocols in detail.  Under the Draft Appendix, the manufacturer is required to keep proper records evidencing the compliance of the above protocols.

Procurement of Cloud-Computing Service Arrangements

Given the development of cloud technology in the past few years, an increasing number of software devices, both standalone software and component software, have built-in cloud technology, such as cloud computing and cloud storage.  This software can substantially lower the initial capital investment by institutional users by avoiding the need for them to own their own data servers or otherwise building out their computing capacity.

The Draft Appendix sets out the general requirements related to cybersecurity and the network applicable for the software itself, as well as the requirements for any cloud-computing service procured by the developer.  Specifically, if the software developer procures a cloud-computing service, the agreement must specify each party’s responsibility and liability with respect to cybersecurity and patients data privacy.  However, it is not clear whether Draft Standalone Software GMP requires that all cloud-based (e.g., cloud data storage) software procurement agreements be in compliance with the above requirement.

Permanent Software Outage Procedures

The Draft defines a “permanent software outage” (or “software retirement”) as the point at the end of software’s life cycle when the manufacturer ceases sales and after-sale services.  For these circumstances, the manufacturer must set requirements for follow-up customer service, data transfer, patient data privacy, customer notification process.  Proper records are required.  It is not clear whether and how this requirement relates to cases in which the manufacturer relies on the cooperation of a cloud service provider, or whether the cloud service agreement must take the requirements of the protocol into account.

Adverse Events

The Draft Standalone Software GMP contains a brief section on “adverse event monitoring, analysis, and improvement.”  All of these terms are undefined, and it is not clear how this new regulation relates to the Administrative Measures on Medical Device Adverse Event Monitoring and Re-Evaluation (“AE Measures”) that NMPA revised in August 2018 (see here).

This section contains two provisions.  The first notes that data analysis procedures must cover cybersecurity incidents.  This is different from the concept of an adverse event defined under the AE Measures which covers events in which there is an actual or potential harm to the human body.  The second provision requires establishment cybersecurity emergency response system, although the precise requirements of this system are not clear.

*                                 *                                  *

The Draft Standalone Software GMP provides general and high-level guidance regarding the compliance requirements on the manufacturing of software device.  Chinese and foreign medical device companies developing or manufacturing software device should continue to monitor developments for the final version (including any further explanation or guidance) and should consider submitting comments.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of John Balzano John Balzano

John Balzano represents companies and business associations on U.S. and China regulatory and policy matters related to food, drugs, medical devices, cosmetics, and other regulated products.

John has over a decade of experience with legal and regulatory issues related to China, particularly with…

John Balzano represents companies and business associations on U.S. and China regulatory and policy matters related to food, drugs, medical devices, cosmetics, and other regulated products.

John has over a decade of experience with legal and regulatory issues related to China, particularly with regard to products regulated by the State Administration for Market Regulation, the National Medical Products Administration (NMPA), and other agriculture, animal and healthcare (including digital health) products and services. He assists clients with developing strategies to obtain pre-market approvals for these products in China, including clinical development, understanding relevant pricing and reimbursement policies, and reviewing distribution and promotional plans.

He also advises on regulatory compliance, due diligence, and enforcement matters for China operations, including drafting and revising and integrating China and global standard operating procedures, assessing the functions of regulatory departments in China, responding to inspection results and enforcement inquiries, and implementing product recalls. John also has significant experience designing strategies to handle professional consumer litigation for food and cosmetic companies operating in China and working with local counsel.

He advises companies and industry associations on their advocacy strategies, including the notice and comment process before NMPA and other regulatory agencies.

John has particular experience in the U.S. advising on the requirements for the acquisition and transfer of biospecimens for research purposes.