Medical software

1. Definitions

Medical software includes all software used for healthcare, particularly for medical devices or medical devices (embedded software), and software that is itself a medical device (standalone software).

IEC/CD1 82304-1 (Health Software – Part 1: General requirements for product safety) distinguishes between the following terms:

HEALTH SOFTWARE
Software intended to be used specifically for maintaining or improving health of individual persons, or the delivery of care
MEDICAL SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device or intended to be a SOFTWARE MEDICAL DEVICE
SOFTWARE MEDICAL DEVICE
Software intended to be a medical device in its own right
MEDICAL DEVICE SOFTWARE
Software intended to be used specifically for incorporation into a physical medical device

This clarifies that medical software can be a medical device but does not have to be.

Medical software also includes medical device software and software as a medical device.

Fig. 1: Medical software includes medical device software and software as a medical device (click to enlarge).

2. Regulatory requirements

a) Medical software – a medical device?

The question often arises as to when medical software meets the definition of a medical device. You can find a further discussion on this topic in the article on the classification of software as a medical device and in the article on the qualification and classification of IVD medical device software.

b) Regulations, laws, standards

Software that is a medical device or part of a medical device must meet the regulatory requirements:

In Europe, the medical device regulations (MDR, IVDR) are relevant. However, these only contain relatively general regulations for software, which this article presents.
IEC 62304 defines the life cycle processes for medical device software.
IEC 82304-1 applies to all “health software”. IEC 82304-1 also requires conformity with the requirements of IEC 62304.
There are also MDCG guidelines, e.g., MDCG 2019-11 and MDCG 2023-4.
The FDA sets out specific requirements in its guidance documents, including specific requirements for medical software. It also answered many questions specifically about software as a medical device in this FAQ.

Further information

3. Support for medical device manufacturers

Benefit from the support of the Johner Institute:

Do you have questions about developing and approving medical devices that contain or are software? Our free micro-consulting will provide you with answers.
In the medical software compact seminar, you will acquire the prescribed competencies. You will learn about and fulfill the legal requirements for software development.
The Medical Device University’s video training will help you to create a lean and IEC 62304-compliant “software file” step by step. In addition, a complete set of templates takes a lot of work off your hands.
You can also benefit from the support of our experts. They will help you to document your software briefly, precisely, and in compliance with the laws and standards and prepare you for audits and tech file reviews.
Have the IT security of your software evaluated using penetration tests.

Contact us right away so that we can discuss the next steps. This will ensure that the “approval” is a success and that your software or devices are quickly launched on the market.

Threat modeling – An introduction

By Prof. Dr. Christian Johner May 23, 2022 Leave a comment

Threat modeling is a “mandatory” topic for all manufacturers of medical devices that contain or are software. This is because threat modeling is a structured process for the systematic analysis of IT security risks that auditors consider to be the “state of the art.”

Validation of machine learning libraries

By Prof. Dr. Christian Johner February 25, 2020 Leave a comment

More and more manufacturers are using machine learning libraries, such as scikit-learn, Tensorflow, and Keras, in their devices as a way to accelerate their research and development projects. However, not all manufacturers are fully aware of the regulatory requirements that they have to demonstrate compliance with when using machine learning libraries or how best to…

Details

Software change: What the FDA expects from you

By Luca Salvatore June 6, 2019 Leave a comment

In a guidance document, the FDA explains how to implement a software change in a regulatory-compliant manner. It describes when you need a new 510(k) submission (Premarket Notification) and when you “only” need to document the changes.

Details

Accessories for medical devices: Definition and regulatory requirements

By Markus Gerhart May 14, 2019 Leave a comment

What a lot of people understand by accessories is different from the definition of the term in the German Medical Device Act (MPG). This article gives you an overview of the definition of the term, the regulatory requirements, and typical questions.

Details

Parameterization of software

By Janos Hackenbeck February 12, 2019 Leave a comment

The parameterization of software – in this context, we can also talk about customizing or configuring software – often leads to discussion, e.g., regarding responsibilities and the differentiation to in-house production. This article gives manufacturers and their customers important advice on what to look out for when parameterizing software and how to avoid the usual pitfalls.

Details

Guideline IT Security

By Christian Rosenzweig December 6, 2018 Leave a comment

On November 21, the Johner Institute, together with TÜV SÜD, TÜV Nord, and with the support of Dr. Heidenreich (Siemens), published a guideline on IT security specifically for medical device manufacturers.

Safety classes according to IEC 62304

By Claudia Schmitt December 14, 2017 Leave a comment

IEC 62304 has introduced the concept of safety classification to allow medical device manufacturers to adapt the effort required for software documentation to the degree of possible harm that a software defect would cause. This article will help you determine the safety classes and document compliant with IEC 62304. Update: No more presumption of conformity…

Details

IEC 82304 – What the standard requires of “health software”

By Dr. Tina Priewasser September 14, 2016 Leave a comment

IEC 82304 is now available. This is a good reason to take a closer look at this standard for “health software products.”

Health Breach Notification Rule

By Prof. Dr. Christian Johner April 19, 2016 Leave a comment

The Health Breach Notification Rule defines when health records providers have to report which security issues to whom, within what time frame and in what form. This article provides a brief overview of the requirements of the US Federal Trace Commission (FTC).

Federal Trade Commission FTC: for medical device manufacturers?

By Prof. Dr. Christian Johner April 18, 2016 Leave a comment

The Federal Trade Commission (FTC) is an US agency that aims to ensure compliance with competition law and consumer protection. This article explains the circumstances that require you (e.g., as a medical device manufacturer) to comply with the FTC requirements and the specifics of these requirements. The case of Lumosity shows how radically the FTC…

Details

Name	Borlabs Cookie
Provider	Owner of this website, Imprint
Purpose	Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.
Cookie Name	borlabs-cookie
Cookie Expiry	1 Year

Name	Google Tag Manager
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Cookie by Google used to control advanced script and event handling.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga,_gat,_gid
Cookie Expiry	2 Years

Accept	Google Analytics
Name	Google Analytics
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Cookie by Google used for website analytics. Generates statistical data on how the visitor uses the website.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga,_gat,_gid
Cookie Expiry	2 Months

Accept	YouTube
Name	YouTube
Provider	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose	Used to unblock YouTube content.
Privacy Policy	https://policies.google.com/privacy?hl=en&gl=en
Host(s)	google.com
Cookie Name	NID
Cookie Expiry	6 Month