On 13 February 2019, Australia's Therapeutic Goods Administration (TGA) released a consultation paper seeking comment on how software, including Software as a Medical Device (SaMD) is currently regulated in Australia (the Paper). This new Paper follows the TGA's recent consultation on draft regulatory guidance and information materials to assist industry to understand and comply with their responsibilities to ensure that medical devices are cyber secure.

Rapid developments in emerging medical device technology have caused regulators worldwide to review applicable legislation in order to ensure continued clarity and stability in the regulatory environment. Through the release of this Paper, the TGA is also showing its commitment to engage with industry stakeholders through the process of developing and refining new regulatory recommendations and guidelines. In summary, the Paper proposes three main changes:

  • updating classification rules for medical devices to ensure SaMD products are classified according to the potential harm they could cause to patients;
  • requiring SaMD products be included on the Australian Register of Therapeutic Goods and have an Australian sponsor;
  • providing clear and transparent safety and performance requirements for SaMD and other regulated software.

Regulation of SaMD is problematic in light of the swift emergence of new players in the market, who may not have had the opportunity to engage with the TGA, or lack awareness of existing regulatory requirements in Australia. Further, cyber security challenges arise due to the growing complexity of the cyber threat landscape, and the absence of current regulatory guidelines to effectively address this issue.

As part of its wider project to assist the development of digital health technologies in Australia, the TGA has engaged the CSIRO to conduct research in order to build an understanding of Australia’s SaMD innovators, and to learn how and when agencies such as the TGA can support them in demonstrating safety of their products on the global market. It has also engaged CSIRO to conduct research into medical device cyber security and develop a TGA guidance document to assist players in the medical devices market to implement best-practice approaches to cyber security.

Parties wishing to comment on the proposed regulatory changes outlined in the Paper are invited to submit their responses here, by 5:00 pm AEST 31 March 2019.