Need Regulatory Help? Try Our Platform
Post your regulatory questions or request quotations from verified pharmaceutical consultants worldwide. Get matched with experts who specialize in your market.
December 16, 2025
Approximately 5 minutes
Singapore's SaMD Regulation: Cybersecurity, AI, and Compliance
Singapore's SaMD Regulation: Cybersecurity, AI, and Lifecycle Compliance
Software as a Medical Device (SaMD), which includes standalone software, web-based applications, mobile apps, and Artificial Intelligence (AI) solutions, is comprehensively regulated by the Health Sciences Authority (HSA) in Singapore. HSA employs a lifecycle approach, outlined in its Regulatory Guidelines for Software Medical Devices, covering development, registration, and post-market obligations.
Classification and Registration
The HSA follows the International Medical Device Regulators Forum (IMDRF) framework for classifying SaMD, which is based on the significance of the information provided by the software and the state of the healthcare situation or condition. SaMD is categorized into four risk classes (A, B, C, D).
| SaMD Classification (IMDRF) | Risk Level | Example SaMD Functions |
|---|---|---|
| Class A | Low Risk | Provide information that drives clinical management, but non-serious condition (e.g., patient education app). |
| Class B | Low to Medium Risk | Process, analyze, or create information for clinical management in non-serious conditions (e.g., basic diagnostic image viewing). |
| Class C | Medium to High Risk | Process or analyze information for clinical management in serious conditions (e.g., software suggesting treatment options for cancer). |
| Class D | High Risk | Provide critical information for clinical management in critical conditions or states (e.g., software that monitors patient data to recommend immediate life-saving intervention). |
All registrable SaMD must undergo the standard product registration process, adhering to the requirements of the determined risk class.
Key Regulatory Focus Areas for SaMD
1. Cybersecurity Requirements
The HSA places a high emphasis on cybersecurity risk management throughout the SaMD lifecycle. Registration dossiers must be supported by a documented cybersecurity strategy, including:
- Secure-by-Design Architecture: Integrating security measures from the initial development phase.
- Threat Modeling: Systematic identification and assessment of potential vulnerabilities.
- Vulnerability Assessments: Ongoing testing to detect and mitigate risks.
- Incident Response Plans: Detailed plans for real-time threat detection and response in the post-market phase.
2. Versioning and Traceability
Clear and consistent software versioning is mandatory for proper identification and post-market traceability. Labeling requirements for SaMD (GN-23) specify that:
- The software version number must be clearly displayed (e.g., on the splash screen or user interface for downloaded or web-based apps).
- The versioning data must be submitted as part of the registration dossier and must reflect changes in functionality, user interface, or bug fixes.
3. Managing Changes (Change Notifications)
Any change to a registered SaMD requires a Change Notification to the HSA. Changes are classified based on their impact:
- Significant Changes: Require a more rigorous technical review and include major algorithm modifications, introduction of new AI features, or interface redesigns that impact usability or safety.
- Non-Significant Changes: Typically administrative or minor bug fixes that do not affect the intended use or risk profile.
4. AI-Powered Medical Devices (AI-MD)
AI-based SaMDs must comply with all medical device regulations and specific data privacy laws in Singapore, such as the Personal Data Protection Act (PDPA). The HSA's guidance (GL7) outlines principles for manufacturers implementing adaptive or continuously learning algorithms, emphasizing:
- Addressing the regulatory implications of continuous learning models and model retraining.
- Ensuring ongoing performance monitoring and collecting real-world evidence.
- Periodic reporting to the HSA on AI model performance.
Ask Anything
We'll follow up with you personally.
Related Articles
Approximately 5 minutes
Medical Device Registration in Singapore: HSA's Multi-Route Reliance System
Singapore's HSA regulates medical device registration using a risk-based classification (Class A-D) and four reliance pathways: Immediate, Expedited, Abridged, and Full. Registration requires a local **Registrant** and is facilitated by approvals in **Reference Countries** to streamline the process and reduce review timelines from 310 days (Full) to immediate.
Approximately 5 minutes
IVD Device Registration in Singapore: HSA's Risk-Based Reliance Pathways
The HSA regulates IVD devices in Singapore based on GHTF risk classification (A-D). Registration leverages approvals from **Reference Countries** to determine the pathway (Immediate, Expedited, Abridged, or Full), thereby significantly reducing review times, which can range from **0 working days** (Immediate) to **310 working days** (Full for Class D). All applications must be submitted by a local **Registrant**.
Approximately 5 minutes
Medical Device Classification in Singapore: A Risk-Based GHTF Approach
Singapore’s Health Sciences Authority (HSA) classifies medical devices (MD) and IVDs into four risk classes (**Class A, B, C, D**) following **GHTF guidance**. Risk is determined by factors like intended use, invasiveness, and duration of contact. Higher-risk devices require more stringent registration. Special rules apply to **Software as a Medical Device (SaMD)** and devices for telehealth or aesthetic purposes.
Approximately 5 minutes
Medical Device Grouping for Registration in Singapore: HSA's Cost-Saving Pathways
Singapore's HSA permits medical device and IVD manufacturers to consolidate multiple products into a single registration application through various grouping mechanisms, such as **Family**, **System**, and **Group**. This approach reduces costs and processing time, provided the devices share criteria like intended purpose, risk class, and design. Specific rules exist for IVD analyzers, test kits, and dental devices.
Approximately 5 minutes
Singapore's GDPMDS: The Mandatory QMS for Medical Device Distribution
The **Good Distribution Practice for Medical Devices (GDPMDS)**, formalized under SS 620:2016, is a mandatory Quality Management System (QMS) standard in Singapore. It is enforced by the **HSA** and required for all companies involved in the **importation and wholesale** of medical devices and IVDs. GDPMDS certification is the foundational step for obtaining a Medical Device Dealer's License.
Approximately 5 minutes
Medical Device Labeling: HSA Compliance and AMDD Harmonization
Singapore's HSA mandates medical device and IVD labeling be in **English** and align with the **ASEAN Medical Devices Directive (AMDD)**, detailed in **GN-23**. The label must contain information for safe identification and use, including product owner details, batch/lot number, and sterilization status. IVDs have additional requirements covering intended purpose, performance characteristics, and specimen type.
Approximately 5 minutes
Medical Device License Maintenance: Annual Fees and Change Notifications
Maintaining a medical device registration in Singapore requires payment of an **Annual Retention Fee** and mandatory reporting of all changes via **Registration Modification (Change Notifications)** to the HSA. Changes are categorized as Administrative, Review, or Technical, with processing times ranging from **30 to 90 days** depending on the device class and the nature of the change. Major changes, such as a change in intended use, require a **new product registration**.
Approximately 5 minutes
Post-Market Surveillance: Mandatory Adverse Event Reporting
Singapore's HSA mandates post-market surveillance for all medical devices under the Health Products Act. The local **Registrant/Distributor** is primarily responsible for reporting Adverse Events (AEs) occurring in Singapore, which must be reported within **48 hours (public health threat)** to **30 days (potential serious injury upon recurrence)**, depending on the severity. Manufacturers are responsible for providing all necessary information, with the clock starting immediately upon notification of the event.