Medical Device Software: A Strategic Guide to NMPA Compliance

One of the most difficult sections of the Technical Documentation (TD) is Software. Our clients normally receive at least two rounds of supplementary questions on it from the Chinese authority (NMPA). This article is designed to help you match the required contents with the official software and cybersecurity guidance so that the submission is right the first time.
1 Medical Device Software Research
Based on the "Medical Device Software Registration Review Guidelines 2022"
1.1 Core Principles and Classifications
Defining Medical Device Software in China
The guideline begins by clarifying what counts as medical device software. China adopts the IMDRF framework and distinguishes between independent software (software as a medical device, SaMD) and software components embedded in a device (software in a medical device, SiMD). SaMD is defined as software that achieves its medical purpose without dedicated medical hardware, running instead on a general-purpose computing platform.
The guideline further differentiates system software, application software, middleware, and support software, clarifying which elements are considered part of the medical device and which belong to the external environment. Only software essential to the device’s medical function is treated as part of the regulated product.
Software Lifecycle and Its Regulatory Implications
China requires manufacturers to adopt a structured software lifecycle aligned with international standards. The lifecycle spans planning, requirements, design, coding, testing, release, deployment, maintenance, and retirement. The guideline emphasizes that lifecycle control is inseparable from safety. Because software defects can never be fully ruled out, regulators expect robust processes, traceability, and risk-based testing rather than reliance on final inspection.
Lifecycle documentation must demonstrate traceability between requirements, design, code, tests, and risk controls. This traceability is not optional; it is a core mechanism for demonstrating that the software behaves as intended and that risks have been systematically mitigated.
Software Testing, Verification, and Validation
The guideline distinguishes between testing, verification, and validation, aligning with IEC 62304 and IMDRF terminology. Testing includes unit, integration, and system testing, using black-box, white-box, or grey-box methods. Verification ensures that each development output meets its input requirements, while validation confirms that the final software meets user needs and intended use.
Software Updates and Versioning
China places unusual emphasis on the classification of software updates. Updates are categorized as major or minor, depending on whether they affect safety or effectiveness. Major updates require a formal registration change, while minor updates are controlled through the quality system. The guideline provides detailed criteria—for example, changes to core algorithms, intended use, or operating platforms are typically major updates. Versioning rules must clearly distinguish update types, and the “software release version” is tied directly to regulatory change control.
Core Functions, Algorithms, and Intended Use
A distinctive feature of the Chinese guideline is its analytical framework for software functions, algorithms, and intended use. Functions are classified as core or non-core, and as processing, control, or safety functions. Algorithms are categorized by importance, complexity, and interpretability. Intended use is divided into auxiliary decision-making and non-decision-making functions. This structure is used to determine risk classification, testing depth, and clinical evaluation requirements.
Software Safety Classification
A fundamental requirement is quality control across the full lifecycle: documentation must span from concept and requirements analysis to verification, validation, and final decommissioning. The software safety level (serious, moderate, or mild), determined by the severity of the harm the software could cause, dictates the depth of this documentation.
• Serious: may directly or indirectly cause death or serious injury.
• Moderate: may directly or indirectly cause minor injury.
• Mild: cannot cause injury.
1.2 Summary of Registration Template Requirements
• Basic Information: You must define the software identifier, physical topology, and the Typical Operating Environment. This includes specific hardware configurations and an external software environment list (OS, middleware, and support software) using "compatible versions" rather than vague terms like "or higher".
• Implementation Process: This covers the development overview, risk management, and the software requirements specification (SRS). A critical element is the Traceability Analysis, which must link requirements, design, source code (down to software units), unit/integration/system testing, and risk control, so that every requirement can be followed forward to the code and tests that implement and verify it, and every risk control back to the requirement that realizes it.
• Legacy and OTS Software: For "Off-The-Shelf" (OTS) or legacy software where full lifecycle records are unavailable, you must provide a specific list and a cybersecurity evaluation.
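The traceability analysis is easiest to defend when it is generated and checked mechanically rather than assembled by hand before submission. The Python script below is an added example, not material from the NMPA guideline or from any real submission: it models the requirement, design, source unit and test chain and the risk-control-to-requirement link as plain dictionaries, builds the traceability matrix, and lists every break in the chain. All identifiers (SRS-001, DES-UI-01, RC-07 and so on) and the infusion-pump requirements are constructed for the illustration.

```python
"""Traceability matrix and gap check for a software submission.

Added example. Identifiers, requirement texts and file names below are
constructed for illustration and do not come from the guideline.
"""
from dataclasses import dataclass


@dataclass
class TraceModel:
    requirements: dict   # "SRS-..." -> requirement text
    design: dict         # "DES-..." -> [requirement ids it implements]
    units: dict          # source unit -> [design ids it realises]
    tests: dict          # "TST-..." -> [requirement ids it verifies]
    risk_controls: dict  # "RC-..."  -> [requirement ids that realise the control]


def find_gaps(m: TraceModel) -> dict:
    """Every break in requirement -> design -> code -> test and in
    risk control -> requirement -> test, grouped by kind."""
    known = set(m.requirements)
    designed = {r for reqs in m.design.values() for r in reqs}
    coded = {d for des in m.units.values() for d in des}
    tested = {r for reqs in m.tests.values() for r in reqs}
    return {
        "undesigned_requirements": sorted(known - designed),
        "untested_requirements": sorted(known - tested),
        "uncoded_design": sorted(d for d in m.design if d not in coded),
        "orphan_design": sorted(d for d, reqs in m.design.items() if set(reqs) - known),
        "orphan_units": sorted(u for u, des in m.units.items() if set(des) - set(m.design)),
        "orphan_tests": sorted(t for t, reqs in m.tests.items() if set(reqs) - known),
        # A risk control is only demonstrated when every requirement that
        # realises it exists, has a design element and has a test against it.
        "unverified_risk_controls": sorted(
            rc for rc, reqs in m.risk_controls.items()
            if any(r not in known or r not in designed or r not in tested for r in reqs)
        ),
    }


def trace_matrix(m: TraceModel) -> list:
    """One row per requirement with everything that traces to it."""
    rows = []
    for req in sorted(m.requirements):
        des = sorted(d for d, reqs in m.design.items() if req in reqs)
        rows.append({
            "requirement": req,
            "design": des,
            "units": sorted(u for u, ds in m.units.items() if set(ds) & set(des)),
            "tests": sorted(t for t, reqs in m.tests.items() if req in reqs),
            "risk_controls": sorted(rc for rc, reqs in m.risk_controls.items() if req in reqs),
        })
    return rows


# Constructed sample: a hypothetical infusion pump. SRS-003 has neither a
# design element nor a test, and TST-LEGACY-9 points at a requirement that
# no longer exists; both are typical triggers for supplementary questions.
SAMPLE = TraceModel(
    requirements={
        "SRS-001": "Display the programmed infusion rate in mL/h",
        "SRS-002": "Raise an occlusion alarm when line pressure exceeds the limit",
        "SRS-003": "Lock the settings screen after 5 minutes without input",
    },
    design={"DES-UI-01": ["SRS-001"], "DES-ALM-02": ["SRS-002"]},
    units={"rate_display.c": ["DES-UI-01"], "occlusion_alarm.c": ["DES-ALM-02"]},
    tests={"TST-UI-01": ["SRS-001"], "TST-ALM-02": ["SRS-002"], "TST-LEGACY-9": ["SRS-042"]},
    risk_controls={"RC-07": ["SRS-002"], "RC-08": ["SRS-003"]},
)

if __name__ == "__main__":
    for kind, ids in find_gaps(SAMPLE).items():
        print(f"{kind:26s} {ids}")
    for row in trace_matrix(SAMPLE):
        print(row)
```

Running it on the constructed model reports SRS-003 as undesigned and untested, TST-LEGACY-9 as an orphan test, and RC-08 as an unverified risk control; the same script can be pointed at exported IDs from a requirements tool and a test management system so that the matrix in the submission is regenerated, not re-typed, at every change registration.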
1.3 Requirements for Change Registration and Renewal
The NMPA classifies updates into Major and Minor changes.
• Major Software Updates (Requires Change Registration): These are enhancements that affect safety or effectiveness. Examples include changes in core algorithms, input/output data types, clinical workflows, or migrating to an incompatible platform (e.g., Windows to iOS).
• Minor Software Updates: These include bug fixes (corrective updates) or UI text changes. These do not require immediate registration but must be managed under the QMS and submitted during the next change or renewal.
• Renewal: Applicants must submit a Software Update History Report summarizing all changes since the last approval to ensure the versioning matches the recorded "Software Version Naming Rules".
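A version naming rule only serves change control if a reviewer can read the update type off the version string and reconcile it with the update history report. The Python below is an added example, not text from the guideline and not any manufacturer's actual rule: it assumes a four-field complete version X.Y.Z.B in which X changes only for major updates, Y for minor enhancements, Z for corrective updates and B for builds, and it classifies each step of a constructed release history against that assumed rule, flagging the steps that would need change registration and rejecting versions that break the rule.

```python
"""Classify version changes under an assumed NMPA-style naming rule.

Added example. The rule "X.Y.Z.B" below is an assumption for illustration:
  X  changes only for major enhancement updates (change registration),
  Y  changes for minor enhancement updates (QMS control),
  Z  changes for corrective updates, i.e. bug fixes (QMS control),
  B  is the build number and is not part of the release version.
The release history at the bottom is constructed, not a real product's.
"""
import re

_RULE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
_FIELDS = ("major", "minor", "corrective", "build")


def parse_version(text: str) -> tuple:
    m = _RULE.match(text)
    if not m:
        raise ValueError(f"{text!r} does not follow the declared X.Y.Z.B rule")
    return tuple(int(g) for g in m.groups())


def release_version(text: str) -> str:
    """Release version = X.Y.Z; the build field is dropped."""
    return ".".join(str(n) for n in parse_version(text)[:3])


def classify_update(old: str, new: str) -> str:
    """Return which field drives the change: major, minor, corrective or build."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        raise ValueError(f"{new} does not increase on {old}")
    for i, name in enumerate(_FIELDS):
        if n[i] != o[i]:
            # The highest differing field names the update type; release
            # fields below it must restart from zero or the type is ambiguous.
            if any(n[j] != 0 for j in range(i + 1, 3)):
                raise ValueError(f"{new}: release fields below {name} must reset to 0")
            return name
    return "build"


def requires_change_registration(old: str, new: str) -> bool:
    return classify_update(old, new) == "major"


def audit_history(versions: list) -> list:
    """(old, new, type) for each consecutive pair; raises on a regression or a
    version that breaks the rule, which is what a mismatch between the update
    history report and the naming rule looks like to a reviewer."""
    return [(a, b, classify_update(a, b)) for a, b in zip(versions, versions[1:])]


# Constructed release history: fix, minor enhancement, rebuild, major enhancement.
HISTORY = ["1.0.0.118", "1.0.1.125", "1.1.0.140", "1.1.0.141", "2.0.0.203"]

if __name__ == "__main__":
    for old, new, kind in audit_history(HISTORY):
        flag = "CHANGE REGISTRATION" if kind == "major" else "QMS control"
        print(f"{release_version(old):>7s} -> {release_version(new):<7s} {kind:10s} {flag}")
```

The check is deliberately strict: a step such as 1.0.0 to 1.1.2 is rejected because the corrective field did not reset, so the string no longer says whether the release was a minor enhancement or a bug fix. Whatever rule a manufacturer actually declares in the naming-rules document, it should be possible to encode it this tightly; if it is not, the reviewer will have the same difficulty reading it.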
2 Medical Device Cybersecurity Research
Based on the "Guiding Principles for Cybersecurity Registration Review of Medical Devices 2022"
2.1 Cybersecurity Framework and Data Privacy
Cybersecurity guidance applies to any device with electronic data exchange, remote access, or user access. The NMPA focuses on the "Security Triad": Confidentiality, Integrity, and Availability (CIA).
A key distinction is made between Medical Data (patient-sensitive info) and Device Data (logs/operational info). Documentation must prove effective isolation between these data types and ensure that personal information is protected from unauthorized access or tampering.
Medical Data vs. Device Data
The guideline distinguishes medical data (which may include personal information) from device data (which must not contain personal information). This distinction affects data protection measures, access control, and regulatory obligations under China’s cybersecurity and personal information laws.
Electronic Interfaces and Network Exposure
Any device with electronic data exchange, remote access, or user access falls within the cybersecurity scope. The guideline provides detailed definitions of network interfaces, physical interfaces, and storage media, emphasizing that interface characteristics determine cybersecurity risk and required controls.
Cybersecurity Capabilities
The guideline lists 22 cybersecurity capabilities—from authentication and audit logging to malware detection and SBOM management—that manufacturers must evaluate for applicability. These capabilities form the basis for design controls, testing, and user instructions.
Cybersecurity Verification and Validation
Cybersecurity testing includes threat modeling, vulnerability scanning, penetration testing, fuzzing, and secure code review. These activities must be integrated into the software lifecycle rather than treated as an afterthought.
Cybersecurity Updates and Incident Response
Like software updates, cybersecurity updates are classified as major or minor. Manufacturers must maintain a vulnerability monitoring and disclosure process and establish an incident response mechanism covering detection, assessment, mitigation, and communication.
2.2 Summary of Registration Template Requirements
• Cybersecurity Capabilities: You must evaluate 22 specific capabilities, including Automatic Log-off (ALOF), Malware Detection/Protection (MLDP), and Software Bill of Materials (SBOM). If a capability is not applicable, a detailed technical justification is mandatory.
• Vulnerability Assessment: You must submit a report detailing known vulnerabilities (CVE identifiers with their CVSS scores) in the software and its third-party components, together with proof of mitigation through testing such as vulnerability scanning and penetration testing.
• Traceability: Similar to software, you must trace cybersecurity requirements through design and testing.
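In practice the vulnerability assessment report is a join between the SBOM and the known-vulnerability data for each listed component, with a mitigation status and evidence reference per finding. The Python below is an added example, not from the guideline or from any real device: it reads a CycloneDX-style JSON SBOM, matches components against advisories carrying affected-version ranges, rates each finding with the CVSS v3.1 qualitative severity scale, and lists the open High/Critical findings a reviewer would ask about. The SBOM, the advisory identifiers (ADV-2024-001 and so on), the version ranges, the scores and the mitigation notes are all constructed for the illustration; the identifiers are deliberately not CVE numbers.

```python
"""SBOM-to-advisory cross-check producing a vulnerability assessment table.

Added example. The SBOM, advisories, scores and mitigations below are
constructed for illustration; the advisory IDs are not real CVEs.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical embedded device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "sqlite", "version": "3.35.5"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "lwip", "version": "2.1.2"},
    ],
})

# Constructed advisories; ranges use OSV-style introduced/fixed bounds.
ADVISORIES = [
    {"id": "ADV-2024-001", "component": "openssl", "cvss": 7.5,
     "ranges": [{"introduced": "1.1.1", "fixed": "1.1.1l"}]},
    {"id": "ADV-2024-002", "component": "zlib", "cvss": 9.8,
     "ranges": [{"fixed": "1.2.12"}]},
    {"id": "ADV-2024-003", "component": "sqlite", "cvss": 5.5,
     "ranges": [{"introduced": "3.0.0", "fixed": "3.36.0"}]},
    {"id": "ADV-2024-004", "component": "lwip", "cvss": 8.1,
     "ranges": [{"fixed": "2.1.0"}]},
]

# Constructed mitigation evidence, keyed by advisory id (report name is hypothetical).
MITIGATIONS = {
    "ADV-2024-003": "affected SQL feature not compiled in; confirmed in penetration test report PT-07",
}


def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def version_key(version: str) -> tuple:
    """Numeric-aware key so '1.2.10' sorts after '1.2.9'; letter suffixes such as
    OpenSSL's '1.1.1k' compare as strings within their field."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def is_affected(version: str, rng: dict) -> bool:
    v = version_key(version)
    if "introduced" in rng and v < version_key(rng["introduced"]):
        return False
    if "fixed" in rng and v >= version_key(rng["fixed"]):
        return False
    return True


def components(sbom_text: str) -> list:
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def assess(sbom_text: str, advisories: list, mitigations: dict) -> list:
    """One row per (component, advisory) match, highest CVSS first."""
    rows = []
    for name, version in components(sbom_text):
        for adv in advisories:
            if adv["component"] != name:
                continue
            if not any(is_affected(version, r) for r in adv["ranges"]):
                continue
            status = ("mitigated: " + mitigations[adv["id"]]) if adv["id"] in mitigations else "open"
            rows.append({"id": adv["id"], "component": name, "version": version,
                         "cvss": adv["cvss"], "severity": cvss_severity(adv["cvss"]),
                         "status": status})
    return sorted(rows, key=lambda r: -r["cvss"])


def blocking_findings(rows: list) -> list:
    """Open High/Critical findings: patch them or document the justification."""
    return [r["id"] for r in rows if r["status"] == "open" and r["severity"] in ("High", "Critical")]


if __name__ == "__main__":
    table = assess(SAMPLE_SBOM, ADVISORIES, MITIGATIONS)
    for r in table:
        print(f'{r["id"]:13s} {r["component"]:8s} {r["version"]:8s} {r["cvss"]:4.1f} {r["severity"]:8s} {r["status"]}')
    print("blocking:", blocking_findings(table))
```

On the constructed data the lwip advisory is correctly excluded because 2.1.2 is at or above the fixed version, the sqlite finding is carried as mitigated with its evidence reference, and the zlib and openssl findings remain open at Critical and High, which is exactly the list that needs a patch or a written justification before the report is submitted. Re-running the same join against refreshed advisory data is also the mechanism behind the updated-SBOM and vulnerability-handling summary expected at renewal.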
2.3 Cybersecurity Changes and Renewal
• Major Cybersecurity Changes: Adding new network functions (e.g., adding 5G or cloud features) or significant changes to the data architecture are considered major and require change registration.
• Cybersecurity Patches (CSUP): Regular security patches are generally minor changes. However, if a patch alters the device's intended use or core performance, it may trigger a major change.
• Renewal and Incident Response: For renewals, you must demonstrate a functioning Emergency Response Mechanism. This includes a summary of post-market security incidents, updated SBOMs for any third-party components, and a report on how newly discovered vulnerabilities were handled during the product's lifecycle.
What we can support
To succeed in China’s regulatory system for active medical devices with embedded software and for standalone medical software (SaMD), you need a partner who understands both the technical and the compliance expectations. We support manufacturers with full Chinese registration services or, if preferred, only the software-related development and documentation required by the NMPA.
To make your submission faster and fully aligned with the 2022 software and cybersecurity guidelines, we provide professionally prepared software documentation templates tailored for the Chinese market. These templates help you meet conformity requirements from the first submission through the entire lifecycle.
Beyond initial approval, we also assist with change registration, minor update control, and renewal, ensuring your software remains compliant as it evolves.
If you want a smooth, reliable pathway into China for both device embedded software and standalone software, we are ready to support you.
