Medical software

1. Definitions

Medical software includes all software used for healthcare, particularly for medical devices or medical devices (embedded software), and software that is itself a medical device (standalone software).

IEC/CD1 82304-1 (Health Software – Part 1: General requirements for product safety) distinguishes between the following terms:

HEALTH SOFTWARE
Software intended to be used specifically for maintaining or improving health of individual persons, or the delivery of care
MEDICAL SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device or intended to be a SOFTWARE MEDICAL DEVICE
SOFTWARE MEDICAL DEVICE
Software intended to be a medical device in its own right
MEDICAL DEVICE SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device

This clarifies that medical software can be a medical device but does not have to be.

Medical software also includes medical device software and software as a medical device.

Fig. 1: Medical software includes medical device software and software as a medical device (click to enlarge).

2. Regulatory requirements

a) Medical software – a medical device?

The question often arises as to when medical software meets the definition of a medical device. You can find a further discussion on this topic in the article on the classification of software as a medical device and in the article on the qualification and classification of IVD medical device software.

b) Regulations, laws, standards

Software that is a medical device or part of a medical device must meet the regulatory requirements:

In Europe, the medical device regulations (MDR, IVDR) are relevant. However, these only contain relatively general regulations for software, which this article presents.
IEC 62304 defines the life cycle processes for medical device software.
IEC 82304-1 applies to all “health software”. IEC 82304-1 also requires conformity with the requirements of IEC 62304.
There are also MDCG guidelines, e.g., MDCG 2019-11 and MDCG 2023-4.
The FDA sets out specific requirements in its guidance documents, including specific requirements for medical software. It also answered many questions specifically about software as a medical device in this FAQ.

Further information

3. Support for medical device manufacturers

Benefit from the support of the Johner Institute:

Do you have questions about developing and approving medical devices that contain or are software? Our free micro-consulting will provide you with answers.
In the medical software compact seminar, you will acquire the prescribed competencies. You will learn about and fulfill the legal requirements for software development.
The Medical Device University’s video training will help you to create a lean and IEC 62304-compliant “software file” step by step. In addition, a complete set of templates takes a lot of work off your hands.
You can also benefit from the support of our experts. They will help you to document your software briefly, precisely, and in compliance with the laws and standards and prepare you for audits and tech file reviews.
Have the IT security of your software evaluated using penetration tests.

Contact us right away so that we can discuss the next steps. This will ensure that the “approval” is a success and that your software or devices are quickly launched on the market.

HIPAA in a nutshell

By Prof. Dr. Christian Johner February 20, 2023 Leave a comment

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for processing protected health data. Institutions that collect or process these data in the USA and their subcontractors must comply with HIPAA if they want to avoid sanctions. For European companies in particular, HIPAA is a regulation that is difficult to understand…

Details

IT security in healthcare

By Christian Rosenzweig February 17, 2023 Leave a comment

We have known how vulnerable IT security is in the healthcare sector since February 2016, when the IT infrastructures of many clinics were brought to a standstill by a simple virus attack. As a result, the authorities are paying closer attention to ensuring that not only clinics but also manufacturers guarantee the IT security of…

Details

Class I software

By Prof. Dr. Christian Johner December 20, 2022 Leave a comment

Practical guidance based on the experience of the Johner Institute, Oliver Hilgers, and Stefan Bolleininger The discussion about class I software continues to rage. This article provides guidance regarding the MDR rules for the classification of medical software.

Details

Decision Support Systems as medical devices

By Dr. Catharina Bertram September 30, 2022 Leave a comment

Decision Support Systems are also increasingly being used in medicine. If they are medical devices, they must meet the legal requirements (e.g., the general safety and performance requirements). The hype surrounding Artificial Intelligence, in particular Machine Learning, and users such as Watson are raising hopes for the performance of Decision Support Systems. This article presents…

Details

Threat modeling – An introduction

By Prof. Dr. Christian Johner May 23, 2022 Leave a comment

Threat modeling is a “mandatory” topic for all manufacturers of medical devices that contain or are software. This is because threat modeling is a structured process for the systematic analysis of IT security risks that auditors consider to be the “state of the art.”

Validation of machine learning libraries

By Prof. Dr. Christian Johner February 25, 2020 Leave a comment

More and more manufacturers are using machine learning libraries, such as scikit-learn, Tensorflow, and Keras, in their devices as a way to accelerate their research and development projects. However, not all manufacturers are fully aware of the regulatory requirements that they have to demonstrate compliance with when using machine learning libraries or how best to…

Details

Software change: What the FDA expects from you

By Luca Salvatore June 6, 2019 Leave a comment

In a guidance document, the FDA explains how to implement a software change in a regulatory-compliant manner. It describes when you need a new 510(k) submission (Premarket Notification) and when you “only” need to document the changes.

Details

Accessories for medical devices: Definition and regulatory requirements

By Markus Gerhart May 14, 2019 Leave a comment

What a lot of people understand by accessories is different from the definition of the term in the German Medical Device Act (MPG). This article gives you an overview of the definition of the term, the regulatory requirements, and typical questions.

Details

Parameterization of software

By Janos Hackenbeck February 12, 2019 Leave a comment

The parameterization of software – in this context, we can also talk about customizing or configuring software – often leads to discussion, e.g., regarding responsibilities and the differentiation to in-house production. This article gives manufacturers and their customers important advice on what to look out for when parameterizing software and how to avoid the usual pitfalls.

Details

Guideline IT Security

By Christian Rosenzweig December 6, 2018 Leave a comment

On November 21, the Johner Institute, together with TÜV SÜD, TÜV Nord, and with the support of Dr. Heidenreich (Siemens), published a guideline on IT security specifically for medical device manufacturers.

Name	Borlabs Cookie
Provider	Owner of this website, Imprint
Purpose	Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.
Cookie Name	borlabs-cookie
Cookie Expiry	1 Year

Name	Google Tag Manager
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Cookie by Google used to control advanced script and event handling.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga,_gat,_gid
Cookie Expiry	2 Years

Accept	Google Analytics
Name	Google Analytics
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Cookie by Google used for website analytics. Generates statistical data on how the visitor uses the website.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga,_gat,_gid
Cookie Expiry	2 Months

Accept	YouTube
Name	YouTube
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Used to unblock YouTube content.
Privacy Policy	https://policies.google.com/privacy?hl=en&gl=en
Host(s)	google.com
Cookie Name	NID
Cookie Expiry	6 Month