Guidance for manufacturers on health apps and software as medical devices
This guidance is aimed at manufacturers and health professionals who wish to develop and market health apps and software that are medical devices. The purpose of the guideline is to clarify the criteria for qualification of software and apps as medical devices and to highlight the legislative requirements that medical device manufacturers must fulfil.
The development and use of software in medical treatment are increasing. This guidance covers only medical device software in its own right and apps (stand-alone software). Software which is a part of or is incorporated in another medical device (e.g. software in scanners or x-ray equipment) is not considered to be stand-alone software and therefore falls outside the scope of this guidance.
Legislation and definitions of apps and software that are medical devices
The Danish Medicines Agency's (DKMA) guidance on software and apps is based on the EU Commission's guidance document MEDDEV 2.1/6 2012 – Qualification and Classification of stand alone software and the Danish Executive Order of 15 December 2008 on Medical Devices. The executive order implements Council Directive 93/42/EEC concerning medical devices into Danish law. Therefore, the DKMA guidance does not contain requirements that go beyond the common European assessment framework for apps and software.
The medical device definition covers software, including apps, that has a medical purpose and is intended to be used specifically for diagnostic or therapeutic purposes.
According to section 1(2)(i) of the Danish executive order, a medical device means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:
a) diagnosis, prevention, monitoring, treatment or alleviation of disease,
b) diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
c) investigation, replacement or modification of the anatomy or of a physiological process, or
d) control of conception,
and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means.
What is the purpose of your app?
It is the responsibility of the manufacturer to define the intended purpose. The purpose of a device is determined by the manufacturer and not by virtue of how it is applied by the users. For example, an app intended to monitor the heart rate during exercise does not qualify as a medical device, not even if the user chooses to use the app for a medical purpose. In other words, it is the manufacturer who describes what the software/app is intended to be used for.
If the intended purpose is within the definition of the executive order, it must fulfil the requirements in the applicable legislation and classified according to risk and CE marked. The intended purpose of your software/app must appear from the information about the device on the labelling, instructions and/or in promotional materials.
Some words can make it more likely that your software/app will be classified as a medical device if appearing in your description of the intended purpose. They include: alarms, analyses, calculates, diagnoses, interprets, generates, controls, converts, monitors or measures (the list is non-exhaustive).
Many health apps do not have a medical purpose that falls within the definition of a medical device. These health apps are not medical devices and therefore should not be CE marked.
The risk classification of apps and software that are medical devices follow the applicable classification rules in Annex IX of the Danish Executive Order on Medical Devices and the EU Commission's guidance document MEDDEV 2.4/1 – Classification of medical devices. Apps and software (stand-alone software) are regarded as active medical devices because they depend on a source of electric energy. Software, which drives a medical device or influences the use of a device, automatically falls in the same risk class. Supplementary classification rules apply to active medical devices. The classification rules generally applied to software and apps are rules 2, 9, 10, 12 and 14, cf. Annex IX of the Danish executive order. The majority of the apps that can be CE marked as medical devices are Class I medical devices (lowest risk class).
The DKMA has made a decision diagram for software and apps with elaborative text. The diagram shows how to determine if your software/app is a medical device and how to classify the device based on risk.
In vitro diagnostics (IVD)
Software and apps (stand-alone software) may also be in vitro diagnostic (IVD) medical devices. The requirements for such devices and procedures for CE marking appear from the Danish Executive Order no. 1269 of 12 December 2005 on In Vitro Diagnostic Medical Devices.
To qualify as an IVD medical device, the device must firstly satisfy the definition of a medical device, cf. the above; Secondly it must satisfy the definition of an IVD medical device in section 1(2) of the Danish Executive Order on In Vitro Diagnostic Medical Devices.
An in vitro diagnostic medical device is defined in the executive order as any medical device which is a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, equipment, or system, whether used alone or in combination, intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body, solely or principally for the purpose of providing information:
a) concerning a physiological or pathological state,
b) concerning a congenital abnormality,
c) to determine the safety and compatibility with potential recipients, or
d) to monitor therapeutic measures.
The purpose is thus to provide information concerning e.g. physiological states and diseases or information based on specimens from the human body, e.g. blood, tissues or secretion, making it possible to monitor treatment, etc.
An accessory which is not itself an IVD medical device, but which is to be used together with a device to enable that device to be used according to its intended purpose is considered to be an independent medical device for IVD.
IVD medical devices are not classed according to risk, but are placed in the following major groups:
- two devices lists based on risk (List A and List B, cf. Annex II of the Executive Order on In Vitro Diagnostics Medical Devices)
- devices for self-testing
- devices for performance evaluation
- general products
Qualification and classification of IVD medical devices depend on the way in which patient data are generated. If your software/app involves an expert system which processes information solely from IVD medical devices, then the software/app is regulated by the Executive Order on In Vitro Diagnostics Medical Devices. If data come solely from medical devices, then the software/app falls under the Executive Order on Medical Devices. In case data are combined and come from both IVD medical devices and medical devices and are analysed together, then the software/app is an IVD medical device (e.g. testing for trisomy 21).
Examples of software/apps for IVD include devices which, based on a sample from the body, can predict risk of developing a disease, provide information on differential diagnoses or identify bacteria.
Essential requirements and other important areas
Medical devices, including software and apps falling within the definition, must satisfy the essential requirements laid down in the Danish Executive Order no. 1263 of 15 December 2008 on Medical Devices. The requirements provide for e.g. a process for the development and design of safe products, clinical evaluation, risk analysis, labelling and information about the manufacturer. Furthermore, it is required that instructions, etc. be worded in Danish and that a market surveillance system be established.
Development and design: The development of software and apps which are medical devices must conform to safety principles, taking into account the generally acknowledged state of the art, cf. Annex IX of the Danish executive order.
In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:
- eliminate or reduce risks as far as possible (inherently safe design and construction)
- where appropriate take adequate protection measures including alarms if necessary, in relation to risks that cannot be eliminated
- inform users of the residual risks due to any shortcomings of the protection measures adopted.
Clinical evaluation and risk analysis: Manufacturers must at any given time be able to document the safety and performance of their device. Manufacturers must prepare a risk analysis, regardless of the risk class of the device. The risk analysis must include considerations about any risks associated with technical and clinical aspects of the device, e.g. treatment method, technical solutions and the design of the device. Further guidance about risk analyses can be found in the harmonised standard EN ISO 14971. The clinical evaluation is to establish that the risks associated with the use of the device are acceptable when weighed against the expected benefits of the device. Further information about the clinical evaluation can be found in the following Danish guidance.
Market surveillance system: Medical device manufactures are required to continuously ensure that their products satisfy the essential requirements relating to safety and performance as provided in the medical devices legislation. In order to ensure the continued safety of medical devices, it is necessary to institute continuous surveillance of the devices in the post-production phase after they have been taken into use. Further information about market surveillance can be found in our Danish guidance.
Labelling, manufacturer's information and requirement for Danish: Medical device manufacturers must ensure that every device is labelled so as to ensure its identification and its safe and proper use. Labelling and instructions are considered to be integral parts of the product. All information, whether in print or electronic form, necessary to ensure the safe and proper use of the device (as described by the manufacturer), must be in Danish when transferred to the final user. Further information about the labelling and language requirements can be found in our Danish guidance.
Registration of manufacturers
Medical device manufacturers are required to register with the Danish Medicines Agency. The registration contributes to the Danish Medicines Agency's market surveillance activities and promotes patient safety. A registration form and further information and guidance on the registration requirements are available in Danish on our website.
Examples of apps that are medical devices
In the following, we give examples of apps that are medical devices. The list is non-exhaustive and the examples serve to illustrate functionality that makes it likely that the app/software falls within the definition of a medical device, cf. the Danish Executive Order on Medical Devices.
Decision support apps: This could be apps applying automated reasoning such as a simple calculation, or a series of complex algorithms, e.g. for dose calculations, symptom tracking or clinicians guides. This type of app would typically be covered by the medical devices legislation. One such example could be an app that is to support the use of a medicine and can adjust the dose based on entered information or measurements specific to the person taking the medicine.
Diagnostic apps: An app which serves as a diagnostic aid, e.g. by analysing an image of a mole to detect skin cancer, is a medical device.
Monitoring apps: An app which monitors a patient and collects information, entered by the user or measured automatically by the app or delivered by another device, would generally be considered as a medical device if the output data has decision-supporting or decision-making potential and thus may affect the treatment of an individual patient. It could also be an app which makes specific recommendations about treatment on the basis of data analysis or which analyses the results of a specific treatment and monitors therapeutic measures. Apps acting as accessories to medical devices: for example measurement of temperature, blood pressure and blood sugars or other physiological parameters.
Examples of apps that are not medical devices
It is important to keep in mind that many health-related apps do not fall within the definition of a medical device. If an app does not have a specific medical purpose it cannot be CE marked as a medical device. In the following, we give some explanatory examples of health-related apps that are not considered to be medical devices.
Apps designed to remind users to take their medication are not medical devices. Some apps have built-in reminder and notes functionality. They may also provide general information about how to take medicine correctly and general information about medicines. Since they have no specific medical purpose, they do not fall within the definition of a medical device. Thus, they are not intended to be used specifically for diagnostic of therapeutic purposes.There is a variety of health-apps on the market that offer health-related functionality without having a medical purpose, e.g. apps that measure the heart rate during exercise. The majority of these health-related apps are considered to be fitness or wellness apps to be used for various purposes related to diet, exercise, lifestyle, etc. These apps are not medical devices and should not be CE marked.
Decision diagram for apps and software
The legal requirements can often be supplemented by standards, which give more detailed technical guidance on the products (product standards) or procedures such as quality systems or risk-management systems (process standards). The harmonized standards applicable for medical devices are means to meet the legal requirements. Compliance with the standards is voluntary, but they may offer useful guidance in the development of software and apps to ensure quality, functionality and safety. In addition to the harmonized standards, other standards can be relevant tools concerning software.
List of selected harmonized standards for medical devices:
- EN 980:2008 Symbols for use in the labelling of medical devices
- EN ISO 13485:2012 Quality management systems – Requirements for regulatory purposes
- EN ISO 14155:2011 Clinical investigation of medical devices for human subjects
- EN ISO 14971:2012 Medical Devices – Application of Risk Management to Medical Devices
- EN 60601-1:2006 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance
- EN 60601-1-6:2010 Medical electrical equipment - Part 1-6: General requirements for basic safety and essential performance - Collateral Standard: Usability
- EN 62304:2006 Medical device software – Software life cycle processes
- EN 62366:2015 Medical devices – Application of usability engineering to medical devices
Other relevant standards for apps and software:
- CEN/TS 15260:2006 CEN Health informatics – Classification of safety risks from health informatics products
- ISO/IEC 20000-serien Information technology – Service management
- ISO/TS 25238:2007 ISO Health informatics – Classification of safety risks from health software
- ISO/TR 27809:2007 ISO Health informatics – Measures for ensuring patient safety of health software
- IEC/TR 80002:2009 Medical device software – Guidance on the application of ISO 14971 to medical device software
- IEC 82304:2015 Health software – Part 1: Requirements for product safety
- ISO/IEC 90003:2015 Software engineering – Guidelines for the application of ISO 9001:2000 to computer software