1. Definitions
Medical software includes all software used for healthcare, particularly for medical devices or medical devices (embedded software), and software that is itself a medical device (standalone software).
IEC/CD1 82304-1 (Health Software – Part 1: General requirements for product safety) distinguishes between the following terms:
- HEALTH SOFTWARE
Software intended to be used specifically for maintaining or improving health of individual persons, or the delivery of care
- MEDICAL SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device or intended to be a SOFTWARE MEDICAL DEVICE
- SOFTWARE MEDICAL DEVICE
Software intended to be a medical device in its own right
- MEDICAL DEVICE SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device
This clarifies that medical software can be a medical device but does not have to be.
Fig. 1: Medical software includes medical device software and software as a medical device (click to enlarge).
2. Regulatory requirements
a) Medical software – a medical device?
The question often arises as to when medical software meets the definition of a medical device. You can find a further discussion on this topic in the article on the classification of software as a medical device and in the article on the qualification and classification of IVD medical device software.
b) Regulations, laws, standards
Software that is a medical device or part of a medical device must meet the regulatory requirements:
- In Europe, the medical device regulations (MDR, IVDR) are relevant. However, these only contain relatively general regulations for software, which this article presents.
- IEC 62304 defines the life cycle processes for medical device software.
- IEC 82304-1 applies to all “health software”. IEC 82304-1 also requires conformity with the requirements of IEC 62304.
- There are also MDCG guidelines, e.g., MDCG 2019-11 and MDCG 2023-4.
- The FDA sets out specific requirements in its guidance documents, including specific requirements for medical software. It also answered many questions specifically about software as a medical device in this FAQ.
3. Support for medical device manufacturers
Benefit from the support of the Johner Institute:
Contact us right away so that we can discuss the next steps. This will ensure that the “approval” is a success and that your software or devices are quickly launched on the market.
The MDR contains the Classification Rule 11. This rule is especially for software. The Rule 11 has serious implications: it bears the potential to further undermine Europe’s innovation capacity. Manufacturers should familiarize themselves with the MDCG’s interpretation to avoid misclassifying software and to be able to follow the reasoning of notified bodies and authorities. This article…
Details
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for processing protected health data. Institutions that collect or process these data in the USA and their subcontractors must comply with HIPAA if they want to avoid sanctions. For European companies in particular, HIPAA is a regulation that is difficult to understand…
Details
We have known how vulnerable IT security is in the healthcare sector since February 2016, when the IT infrastructures of many clinics were brought to a standstill by a simple virus attack. As a result, the authorities are paying closer attention to ensuring that not only clinics but also manufacturers guarantee the IT security of…
Details
Practical guidance based on the experience of the Johner Institute, Oliver Hilgers, and Stefan Bolleininger The discussion about class I software continues to rage. This article provides guidance regarding the MDR rules for the classification of medical software. 1. Background a) Relevance of the issue Whether or not medical software counts as class I software is…
Details
Decision Support Systems are also increasingly being used in medicine. If they are medical devices, they must meet the legal requirements (e.g., the general safety and performance requirements). The hype surrounding Artificial Intelligence, in particular Machine Learning, and users such as Watson are raising hopes for the performance of Decision Support Systems. This article presents…
Details
Threat modeling is a “mandatory” topic for all manufacturers of medical devices that contain or are software. This is because threat modeling is a structured process for the systematic analysis of IT security risks that auditors consider to be the “state of the art.” 1. Why should you use threat modeling? Reason 1: To develop secure devices…
Details
IEC 82304 is now available. This is a good reason to take a closer look at this standard for “health software products.” IEC 82304: Why another standard? Closing the IEC 62304 validation gap IEC 62304 was launched with the claim of being applicable to all medical device software – whether standalone or embedded. However, the…
Details
Software risk analysis depends on the following: Software itself cannot cause harm. It always happens via hardware or people. However, this does not mean there is no need for risk analysis in software. The opposite is the case! What distinguishes risk analysis for software from other medical devices In the case of (standalone) software, harm…
Details
IEC 60601-1 defines a PESS, a Programmable Electronic Subsystem, as a system based on one or more central processing units, including their software and interfaces. The standard does not reveal what it means by system; in this context, it is a medical device component. For this, IEC 60601-1 sets out specific requirements for the PESS.…
Details