Software per Medical Device Regulation

In the current digital age, technology has found its way into our lives in multiple areas. The healthcare domain not in the least. The use of software in the field of medical devices has been emerging for multiple years. For example, a medical device that makes use of software to combine maternal parameters such as age, concentration of serum markers and information obtained through fetal ultrasound examination to evaluate the risk of trisomy 21.^[1]  As the standard of care shifts, regulatory requirements needed to shift as well to guide medical device manufacturers from early-stage considerations, such as intended use, to post-market surveillance strategies.^[2] With the publication of the European Medical Device Regulation 2017/745 (EU MDR), a solid framework has been provided to not only qualify different types of software as a medical device but more importantly classify them into different risk classes early in a product’s lifecycle. With this, associated requirements can be identified to maximize medical device quality and thus patient safety.^[3]

We are currently in a transition period between the previous and the upcoming legislation. How did we get here? When the European Active Implantable Medical Device Directive was published in 1990, the word “software” was only referenced four times. It was not deemed a medical device on its own but merely seen as an addition for the proper functioning of any instrument, apparatus, etc. to fulfil its intended use. Moreover, it was stated that software that drives a device or influences the use of a device falls automatically into the same class as that device. No separate classification and thus requirements for stand-alone software were presented.^[4] The amendment of the Active Implantable Medical Device Directive and Medical Device Directive 93/42/EEC in 2007 made a first step in considering the growing importance of software in the field of medical devices, whether it is software incorporated in a device or as stand-alone. With this important addition to the directives, the validation of software in accordance with the state of the art became an essential requirement, taking into account the principles of development lifecycle, risk management, validation and verification while being supported by a strong quality management system.^[5]

The EU MDR has replaced the EU Medical Device Directives as of May 26th, 2021, leading to more stringent regulatory requirements that need to be met before medical devices can be used in clinical practice.³ An important first step in the process towards EU MDR-compliance, is the determination of the correct classification of the software.

Firstly, an assessment should be made whether the EU MDR applies to the specific software by getting a clear view on its intended use. Software can qualify as a medical device, independent of its complexity or associated risks, as long as it is intended for use with human beings or the data is used for a medical purpose. Even if the software on its own does not meet the definition of a medical device, it can be subject to the EU MDR if it is intended to drive or influence the use of a hardware medical device. On the other hand, software that is used for general purposes, even within healthcare, does not qualify as a medical device. For example, software that is used for storing, communicating, or looking up records in a database.²

Subsequently, the software must be classified according to the EU MDR classification into one of the four risk classes, as required by Article 51 of the EU DMR. Again, the intended use of the software is key in this assessment. Software which drives a device or influences the use of a device, will fall within the same class as that device. If the software is independent of any other device, it will be classified in its own right. Medical device software that has its own intended medical purpose, is subject to classification Rule 11 of the EU MDR. This rule applies to software used to provide information to take diagnostic or therapeutic decisions, software used to monitor physiological purposes or to software that has any other medical purpose.³ The exact classification will depend on the significance of the information that is provided by the software and the criticality of the healthcare situation or patient condition. However, as medical device software is considered an active medical device, per EU MDR Article 2(4), other rules might also apply. In case multiple rules could be applicable, the strictest rule should be decisive.²

Depending on the classification, the medical device manufacturer will need to identify the applicable General Safety and Performance Requirements and show product compliance. As the risk class of the device increases, the requirements become stricter. Class I medical device, with the lowest perceived risks, can be placed on the market by means of self-declaration of compliance with the regulation. As for class IIa and higher, the involvement of a notified body is required to review a product’s conformity and to deliver a certificate before the product can be put on the market. In addition to product compliance, manufacturers need to demonstrate an EU MDR-compliant quality management system. For medical device software, this means good software development and lifecycle practices in order to consistently deliver products with the required quality, safety and performance. Other standards (e.g., EN 62304, Medical device software – Software life cycle processes and ISO 13485, Medical devices – Quality management systems) can help to demonstrate product or organization compliance with the EU MDR.²

Companies with MDD-certified medical devices, have until May 2024 to comply their technical documentation with the new EU regulations. Although these conditions and requirements can guide the industry to ensure a higher standard of safety and quality, it can also be quite challenging for medical device manufacturers to effectively get products on the market compliant with these new regulations.

At Modis, we have a multidisciplinary team that can guide you in finding the right classification of your medical device, identifying the regulatory deficiencies, and helping you achieve compliance.

^[1] Medical Device Coordination Group Document. (2019). MDCG 2019-11, Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR.

^[2] Beckers, R., Kwade, Z., Zanea, F. (2021). The EU medical device regulation: Implications for artificial intelligence-based medical device software in medical physics. Physica Medica, European Journal of Medical Physics, 83, 1-8

^[3] Regulation 2017/745 of the European Parliament and of the Council on medical devices (2017). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745

^[4]  Council Directive 90/385/EEC on the approximation of the laws of the Member States relating to active implantable medical devices (1990). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31990L0385&from=EN

^[5] Directive 2007/47/EC of the European Parliament and of the Council amending Council Directive 90/385/EEC on the approximation of the laws of the Member States relating to active implantable medical devices, Council Directive 93/42/EEC concerning medical devices and Directive 98/8/EC concerning the placing of biocidal products on the market (2007). https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:247:0021:0055:en:PDF