The Singapore Health Sciences Authority (HSA) has published Revision 4 of GL-04: Regulatory Guidelines for Software Medical Devices including Machine Learning-Enabled Medical Devices – A Life Cycle Approach. This updated guideline introduces significant enhancements reflecting HSA’s strengthened focus on lifecycle governance, cybersecurity expectations, and oversight of machine learning technologies within Software as a Medical Device (SaMD).
Revision 4 updates multiple sections of the guideline to clarify regulatory applicability, expand cybersecurity requirements, and provide a more structured framework for managing changes to software, including ML-enabled SaMD.
Read the full guideline here: https://www.hsa.gov.sg/docs/default-source/hprg-mdb/guidance-documents-for-medical-devices/gl-04-r4-regulatory-guidelines-for-software-medical-devices—a-life-cycle-approach-(2025-dec)-pub.pdf?sfvrsn=857a2001_1
Purpose of the Guideline Revision
- To clarify the scope of GL-04, particularly the inclusion of machine learning features in software medical devices.
- To update and expand regulatory expectations across the software life cycle, including cybersecurity and post-market responsibilities.
- To align definitions and regulatory language with international standards (IMDRF, ISO 81001-1).
- To formally incorporate the Change Management Program (CMP) as a regulatory pathway for implementing pre-specified SaMD and ML-enabled modifications.
Scope of Application
This guideline applies to:
- Software embedded in medical devices
- Software as a Medical Device (SaMD)
- Artificial Intelligence-enabled Medical Devices (AIMD) including Machine Learning
- Manufacturers implementing software changes under the CMP framework
Revision 4 explicitly expands the scope to include machine learning features used in medical device software, clarifying regulatory oversight for ML-enabled software.
Key Highlights
Section 1.1 – Scope
The scope now explicitly includes machine learning features, confirming that ML-enabled functions fall under HSA’s regulatory requirements for SaMD.
Section 1.3 – Topics Covered
The list of topics has been expanded to formally include:
- Machine Learning-enabled Medical Devices (MLMD)
- Change Management Program (CMP)
These additions strengthen alignment with international digital health regulatory trends.
Section 1.4 – Definitions
Revision 4 introduces new and updated definitions, harmonized with IMDRF and international standards, including:
- Artificial Intelligence-enabled Medical Device (AIMD)
- Machine Learning (ML) and MLMD, aligned with IMDRF AIMD work
- Compensating controls, aligned with IMDRF cybersecurity guidance
- Cybersecurity, updated to reflect ISO 81001-1 terminology
Section 8 – Cybersecurity
Cybersecurity guidance has been reorganized and expanded, adding a new emphasis on operating system end-of-support (EOS).
Key updates include:
Section 8.2.4 – Post-Market Cybersecurity Planning
Reinforced expectations for patching and updates, including explicit consideration of OS end-of-support in cybersecurity risk management.
Section 8.2.5 – Addressing Risks for Operating System Reaching End of Support
A new subsection outlines requirements for:
- Manufacturer communications on EOS
- Documentation of EOS timelines
- Labelling updates
- Prohibition of supplying devices running unsupported operating systems when risks cannot be adequately mitigated
Section 9 – Machine Learning-Enabled Medical Devices (MLMD)
The previous “AI-MD” section has been reframed to focus specifically on MLMD. Updates provide clearer expectations for:
- Regulatory classification
- Pre-market registration for ML-enabled functions
- Documentation and evaluation of ML models
This ensures more consistent oversight of ML-based algorithms used in medical devices.
Section 10 – Change Management Program (CMP)
Revision 4 formally incorporates the CMP framework, aligned with GN-37 Revision 1. CMP provides a regulatory pathway for faster implementation of pre-specified SaMD and ML updates following HSA approval.
Key points:
- Manufacturers must submit a declaration and implementation record within 1 year of CMP approval.
- Annual declarations are required thereafter.
- Detailed CMP requirements are outlined in GN-37 Revision 1.
This pathway supports more efficient, controlled deployment of software updates while maintaining regulatory oversight.
Implications to Clients and Stakeholders
GL-04 Revision 4 reflects HSA’s reinforced focus on continuous lifecycle governance for SaMD and MLMD. Manufacturers are expected to demonstrate:
- Stronger change control processes
- Robust cybersecurity risk management and EOS planning
- Comprehensive post-market performance monitoring
- Clear documentation and justification for ML model behavior and updates
While regulatory expectations have increased, the integration of the CMP offers a streamlined mechanism for deploying pre-approved software and ML updates, particularly beneficial for manufacturers with mature QMS and well-defined change boundaries.
Overall, the revision enhances regulatory clarity and raises compliance expectations but provides greater flexibility for organisations prepared to operate within the updated lifecycle framework.
This update is provided for regulatory awareness and operational planning.
Contact Information
For inquiries or support regarding regulatory requirements for Software as a Medical Device (SaMD) or Machine Learning-enabled Medical Devices (MLMD) in Singapore, please contact
