This article was written by Kim O'Connell, Luke Hawthorne and Nell Morgan
1 Overview
The increasing pace of digital health, wearables, and apps generally have spawned an increasing number of innovative software-based products that are able to assist with, or may aim to replace, conventional medical decisions and treatments. These range from wearable technology that allows users to track their heartrate for fitness purposes, to software intended to analyse cardiac MRIs and make related diagnoses. Given the potential therapeutic and diagnostic uses of such products, Australia's medical devices regulator, the TGA, has taken an increasing interest in their regulation – and has fortunately liberalised some regulatory requirements.
The TGA has released recent guidance to accompany the reforms, which will assist to guide developers and "sponsors" of devices in the Australian market.
1.1 What has changed?
In Australia, software-based medical devices are regulated by the Therapeutic Goods Administration (TGA) and must be included in the Australian Register of Therapeutic Goods (ARTG) before they can be legally supplied, except where an exemption applies.
Recent legislative amendments[1] seek to better equip the scheme to deal with the increasing number of software-based medical devices available on the market.
These changes have introduced:
- "carve-outs" (i.e. exclusions and an exemption) for certain software products so that they are not subject to TGA regulation;
- new classification rules for software-based medical devices; and
- updates to the Essential Principles which clarify the mandatory requirements for sponsors and manufacturers of medical devices.
1.2 What do I need to do now?
These amendments are now in place, having commenced on 25 February 2021, subject to transitional provisions discussed below. Businesses who are involved in, or invest in, the digital health and apps need to familiarise themselves with the new amendments to ensure they comply with—and take advantage of—these regulations going forward. In particular, 'carve-outs' given to specific types of software products may facilitate easier access to the market in Australia.
2 Excluded or exempt software-based medical devices – does my product fall within one of the "carved out" categories?
Under the Therapeutic Goods Act, software and applications that fall within the definition of a "medical device" are regulated by the TGA, whilst those that fall outside the definition (e.g. general health management and some fitness software) are not.[2]
Whilst the recent reforms have not changed this basic premise, they have helpfully set out some clear categories of software-based products that are not considered to be medical devices, and are therefore outside the ambit of TGA regulation (although they will still be subject to Australian consumer law and privacy regulation, amongst others). Welcomed by the medical device industry, the rationale of the reforms has been to reduce unnecessary regulatory burden and oversight of software products, especially for software products that are low risk.
2.1 Exclusions
Provided the software in question is:
- not intended to be used in clinical practice; and
- not intended to be used for the purpose of diagnosis, treatment, or making a recommendation or decision about the treatment, of a disease, condition, ailment or defect,
the following categories of software will be excluded from the scope of the Regulations:[3]
3 The new classification rules – how will my medical device be classified?
As part of the recent reforms, the Regulations have been amended to include new classification rules for software-based medical devices, as well as other programmed and programmable medical devices. The classification system dictates the level of regulatory scrutiny to which the relevant products will be subject. Relevantly, within the four-tier classification system for medical devices—which consists of Class I, Class IIa, Class IIb and Class III—devices in Class I are subject to the lowest level of oversight, while those in Class III are subject to the highest.[4]
3.1 Transition arrangements
The following classification rules commenced on 25 February 2021, which means that they cover any new applications to include devices in the ARTG after that date.
Any devices which had already been included, or were under application for inclusion, in the ARTG prior to that date will also be subject to reclassification according to the new rules. If, under the updated scheme, a product becomes subject to a higher classification, the sponsor/ manufacturer of the device will be allowed to continue to supply the device under the specified transition arrangements. That is, manufacturers must:
- Notify the TGA that they have an eligible medical device before 25 August 2021 or within 2 months of the start date of their ARTG entry, whichever is the later date;
- Obtain the appropriate evidence of conformity assessment; and
- Submit an application for their device to be included in the ARTG under the new classification rules before 1 November 2024.
If a manufacturer does not notify the TGA of their relevant medical devices before the above deadline, they will be required to cease supplying those devices from 25 August 2021. Likewise, if an application is not submitted by the end of the transition period, supply of the relevant devices must be ceased on or before 1 November 2024.
3.2 Changes to classification of certain categories of devices
If the software in question is intended to be used for any of the following purposes, it will be subject to classification (or reclassification) according to the associated rules:
| Purpose of the software-based medical device |
Other factors |
Classification |
| To diagnose or screen for a disease or condition |
The disease or condition may lead to a person's death, or a severe deterioration in health, without urgent treatment, or "may pose a high risk to public health". |
Class III |
| The disease or condition is serious or "may pose a moderate risk to public health". |
Class IIb |
|
| The factors above do not apply. |
Class IIa |
|
| To provide information to a relevant health professional so they can diagnose a disease or condition |
The disease or condition may lead to a person's death, or a severe deterioration in health, without urgent treatment, or "may pose a high risk to public health". |
Class IIb |
| The disease or condition is serious or "may pose a moderate risk to public health". |
Class IIa |
|
| The factors above do not apply. |
Class I |
|
| To monitor the state or progression of a disease or condition |
The information to be provided could indicate that people "may be in immediate danger or that there may be a high risk to public health". |
Class IIb |
| The information could indicate that people "may be in other danger or that there may be a moderate risk to public health" |
Class IIa |
|
| The factors above do not apply. |
Class I |
|
| To specify or recommend a treatment or intervention |
The treatment or intervention, or absence of, may lead to a person's death or a severe deterioration in health, or "may pose a high risk to public health". |
Class III |
| The treatment or intervention, or absence of, may be harmful to a person or "may pose a moderate risk to public health". |
Class IIb |
|
| The factors above do not apply. |
Class IIa |
|
| To recommend a treatment or intervention to a health professional, so that the health professional can make a decision |
The treatment or intervention, or absence of, may lead to a person's death or a severe deterioration in health, or "may pose a high risk to public health". |
Class IIb |
| The treatment or intervention, or absence of, "may otherwise be harmful to a person" or "may pose a moderate risk to public health" |
Class IIa |
|
| The factors above do not apply. |
Class I |
|
| To provide therapy through the provision of information |
The therapy may result in the death of the person, or a severe deterioration in the state of their health. |
Class III |
| The therapy may result in serious harm to the person. |
Class IIa |
|
| The factors above do not apply. |
Class I |
4 Changes to the Essential Principles – what requirements do my devices need to meet?
In order to supply a medical device in Australia, the sponsor or manufacturer of the device must be able to show that it satisfies the relevant Essential Principles. The Essential Principles relate to the safety and performance of a device,[5] and can be found in full in Schedule 1 of the Regulations.
Changes have been made to these principles both to clarify the existing requirements, and to introduce new requirements regarding the provision of information to users, as set out below.
4.1 Transition arrangements
The new principles will apply to any device for which an application for inclusion in the ARTG is made after 25 February 2021.
Any devices which had already been included, or were under application for inclusion, in the ARTG prior to this date will also be subject the additional requirements. Such devices will be automatically eligible for the transition period, which means they can continue to be supplied without meeting the new requirements until 1 November 2024.
4.2 Amendments to the Essential Principles that apply to software-based medical devices
The following amendments to the Regulations[6] are of particular note in relation to software-based medical devices:
| Essential Principle |
Concern |
Changes |
| 12.1 |
Medical devices incorporating electronic programmable systems |
Amended to clarify the requirements in relation to cyber security, the management of data and information, and development, production and maintenance. |
| 13.2(3) |
Location of information to be provided on medical devices |
Amended to allow information to be provided electronically for software-based devices, rather than on a leaflet. |
| 13B |
Provision of information to users of medical devices |
New Essential Principle created requiring the current version and build number of a device to be accessible by, and identifiable to, users of the device. The information must be provided in English and can also be in any other language. |
4.3 Spotlight on Essential Principle 12.1 – Cyber security, the management of data and information, and development, production and maintenance
The proliferation of digital health products comes with increasing privacy and cyber risk for ARTG sponsors and for users.
Essential Principle 12 is directed at medical devices connected to or equipped with an energy source. Prior to the recent reforms, Essential Principle 12.1 had been narrowly concerned with ensuring that any electronic programmable systems incorporated in medical devices performed in accordance with the intended purpose of the device. This included a requirement that the system be reliable, repeatable, and that any consequent risks associated with a single fault condition in the system be minimised.
The updated principle now addresses, in much greater detail, the standards that such devices must meet. Such devices must be developed, produced and maintained in line with the generally acknowledged state of the art, including design, development life cycle, development environment, version control, quality and risk management, security, verification and validation, change and configuration management and problem resolution.
Of particular concern are Essential Principles related to the cybersecurity of the device or app, where best practice must be followed including in relation to:
- Protection against unauthorised access, influence or manipulation.
- Minimisation of risks associated with known cybersecurity vulnerabilities.
- Facilitation of the application of updates, patches, compensating controls and other improvements.
- Disclosure of known vulnerabilities in the device and associated mitigations.
- Making available sufficient information for a user to make decisions with respect to the safety of applying, or not applying, updates and other improvements.
Further information
Our team has experience navigating the complex regulation of medical devices and data-based risk in Australia, and can assist clients in understanding how the regime in Australia operates, and what devices must seek registration before coming to market.
For further information, the new guidance note issued by the TGA titled "Regulatory changes for software based medical devices" reflecting these requirements is accessible at <https://www.tga.gov.au/resource/regulatory-changes-software-based-medical-devices>.
[1] Amendments made to the Therapeutic Goods (Medical Devices) Regulations 2002 (Cth) (the Regulations) by the Therapeutic Goods Legislation Amendment (2019 Measures No. 1) Regulations 2019 (Cth), and the Therapeutic Goods (Excluded Goods) Amendment (Software-based Products) Determination 2021 (Cth).
[2] The definition of a medical device is provided in section 41BD of the Therapeutic Goods Act 1989 (Cth). Two key determinations must be made in order to establish whether a software product is a medical device: first, whether the software product is intended to be used for a medical purpose; and second, whether the software product falls under any exclusion criteria.
[3] The exclusions can be found in the Therapeutic Goods (Excluded Goods) Amendment (Software-based Products) Determination 2021 (Cth) and amended Schedule 1 of the Therapeutic Goods (Excluded Goods) Determination 2018 (Cth).
[4] Manufacturers and sponsors should note that the new classification rules do not apply to in vitro diagnostic (IVD) medical devices.
[5] Therapeutic Goods Act 1989 (Cth), s 41C.
[6] Therapeutic Goods Legislation Amendment (2019 Measures No. 1) Regulations 2019 (Cth).
