CE marking for medical software & Apps
Which medical software requires CE certification?
Medical devices, such as infusion pumps, catheters and MRI scanners, must be certified according to European CE rules. However, it is not always clear to a manufacturer whether his product is considered a medical device and which requirements he should take into account regarding the certification, the technical documentation and the instructions for use. This is especially the case in regard to any embedded software. Determining the correct risk class proves to be essential.
The certification or CE marking of a medical device indicates that the device complies with all European legal requirements regarding safety, health, and environmental and consumer protection. Software and apps that are essential to the proper functioning of a medical device must also be CE marked. For example, the software that is incorporated in an MRI scanner – embedded software – must also be certified so that the scanner can be certified as well, based on Directive 93/42/EEC.
A trickier product category is software that is not an integral part of dedicated medical hardware, such as software designed for presenting MRI-scanner images on a computer screen, or applications that measure blood values and bodily functions, or compensate for hearing loss. Many manufacturers struggle with the question of whether this type of ‘stand-alone’ software is to be regarded as a medical device, just like the infusion pump and the MRI scanner (according to the Medical Devices Directive 93/42/EEC). Do we consider an application that offers advice based on a survey to be a medical device? Does Directive 93/42/EEC also apply to this type of software? And if so: which requirements must be taken into account regarding the CE marking, technical documentation, labelling and instructions for use of this medical application? Is the manufacturer allowed to carry out the certification procedure himself?
Medical device and its risk class
To assist the manufacturer, a guideline was drafted to determine whether ‘stand-alone’ software must be regarded as a medical device. According to this guideline, referred to as MEDDEV 2.1/6, any software with a diagnostic or therapeutic function – such as an app that calculates the correct insulin dose or advises consulting a doctor – must without a doubt be considered a medical device. This also applies to software that is essential for the functioning of medical hardware. However, software that is merely used for saving and/or compressing data, or for facilitating conversations between health professionals, is not considered to be a medical device.
The recently published Medical Devices Regulation, which will replace the Medical Devices Directive in 2020*, contains a number of significant clarifications regarding this subject. Software that is specifically intended to be used for one or more medical purposes must be regarded as a medical device and must bear a CE marking. Software that is intended for general purposes, or for lifestyle and wellness purposes, is not considered to be a medical device and therefore does not need to bear a CE marking.
If a device and/or its software is considered to be a medical device, the manufacturer must determine the device’s risk class. The risk class is a determining factor when it comes down to the certification process itself. For example, which requirements must the technical documentation meet? Is the manufacturer allowed to carry out the certification procedure himself, without any external party (as long as the resulting documentation becomes available upon request)? If the relevant risk class does not permit this, external auditing is required. To determine which risk class is relevant, classification rules need to be applied to the software. These rules can be found in Annex IX (rules 9 – 12) of MEDDEV 2.1/6. Based on these rules, software is classified according to either risk class I (‘low’), IIa (‘medium’) or IIb (‘high’).
If software meets the standards of the first risk class, then this software is considered a low risk medical device, and in this case the manufacturer is allowed to carry out the certification procedure himself. This applies to, e.g., software that provides advisory information based on a survey. Software with a ‘measuring function’ and a low risk factor can also meet the standards of the first risk class (class Im). In that case the manufacturer can largely carry out the certification procedure himself: he must see to it, however, that the assessment of the measuring function is outsourced to a Notified Body, recognized by the government.
In the case of risk classes IIa and IIb – medium and high level risk, e.g. because vital bodily functions are being monitored, or energy is supplied to the body – complete external certification is required, carried out by a Notified Body that is recognized by the government.
Certification of medical software
Regardless of its classification, medical software must meet the essential requirements of Directive 93/42/EEC. These include, among other things, requirements regarding validation, verification, clinical evaluation, labeling and risk management.
Drawing up the technical documentation is an important part of any certification process and shows that the requirements have been met and that the software was developed in a structured manner (based on a quality management system). This documentation contains, among other things, an extensive risk analysis, test reports, overviews of the risk management, executed calculations, data collection and clinical evaluations. The technical documentation also contains information on the design, the manufacturing process and the functioning of the software.
For the purpose of classifying medical software and drawing up technical documentation, the following harmonized European standards are applied:
- IEC 62304 – Medical Device Software – Software life cycle processes.
- IEC 60601-1 – Medical Electrical Equipment – General requirements for basic safety and essential performance.
Requirements for the technical documentation
The requirements for the technical documentation depend on the risk class of the medical software. The requirements for class I are described accurately in Annex VII of Directive 93/42/EEC, for IIa in Annex II or Annex VII in combination with Annex V, and for IIb in Annex II or Annex III in combination with Annex V. Furthermore, there is a non-binding directive that also applies outside the EU.
Since the Medical Devices Directive – which was published in 1993 – at first did not cover the certification of medical software, most of the requirements of the abovementioned Annexes are virtually useless to the manufacturers of medical software. In this case the Medical Devices Regulation once again provides assistance to the manufacturers of medical software by listing specific requirements for medical software. The manufacturer of medical software must be able to ensure the repeatability, reliability and performance of these systems in line with their intended use, and must develop them according to the state of the art. He must also take into account information security, verification and validation. Software that is intended to be used in combination with mobile computing platforms must be designed taking into account the specific features of the mobile platform (e.g. size of the screen) as well as the external factors (e.g. varying environment as regards level of light or noise).
Requirements for labelling
Each medical device must bear a label. Article 13.3 of Directive 93/42/EEC, Annex I presents an accurate list of the data that must be mentioned on the label. The data ranges from the manufacturer’s name and address and special storage and handling conditions to warnings and precautions. The CE marking must also be affixed to each medical device.
Considering the fact that it is not possible to label medical software, requirements with regard to e.g. “time limit for using” or “single use” are not applicable in this case. Data such as the manufacturer’s name and address and the CE marking can of course be provided digitally.
According to the Medical Devices Regulation, manufacturers of medical software must set out the minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorized access.
Requirements for the instructions for use
Each medical device must include instructions for use, unless the product falls within the scope of risk class I or IIa and could be used safely without such instructions. This should become evident from the manufacturer’s risk analysis. Directive 93/42/EEC (Article 13.6, Annex I) clearly states which particulars must be included in the instructions for use, for example safety instructions. The particulars also include the data on the label, as well as data regarding the functions and application of medical software.