Medical apps: Classification as a medical device, certification, interfaces and updates
When is an app a medical device?
What constitutes a medical device is regulated by Section 3 of the Medical Device Regulation and possibly soon by Article 2 of the announced European Medical Device Regulation. According to this, the only decisive factor is that the manufacturer places the app on the market for a medical purpose.
The European Commission's MEDDEV 2.1/6 guidelines, which are significant in practice, are helpful. In October 2015, the BfArM also published a guidance document specifically for medical apps, with aids for differentiation and examples. According to this, there is a strong indication of a medical device if individual functions of the app can be described with terms such as: alert, analyze, calculate, detect, diagnose, interpret, convert, measure, control, monitor or amplify. Apps that are used for diagnostic support are cited as an example.
Which risk class?
Medical apps will predominantly be assigned to risk class I. This is also the assumption of the above-mentioned BfArM guidance. The exact classification is based on the eighteen classification rules in Annex IX of the European Medical Devices Directive (Directive 93/42/EEC). According to § 13 para. 3 MPG, a decision on classification can be requested from the BfArM.
If the medical app falls under risk class I, the conformity assessment can be carried out without the involvement of a notified body. The app manufacturer can ultimately issue the CE certificate itself.
How is the initial certification carried out?
The initial certification takes place in three steps: fulfillment of the so-called Essential Requirements, clinical evaluation and summary conformity assessment. The fulfillment of the essential requirements is divided into three steps: preparation of the technical documentation, compliance with the technical standards and validation. The clinical evaluation demonstrates that the medical app is suitable for the intended use. This proof can be provided through an evaluation of scientific literature or through a clinical trial. Finally, an assessment is made that all regulations have been complied with, followed by CE marking.
Interfaces
With regard to all interfaces (in particular the interface to the operating system and network connection), it must first be assessed whether they are potentially part of the app and should therefore be included in the certification procedure. All interfaces must be included in the technical documentation; a risk assessment must be carried out. In the future, support from operating system manufacturers may increasingly help with this. For example, Apple announced a "ResearchKit" in April 2015, which is intended to help as a framework for the creation of medical apps. Developers who use this ResearchKit must have their app approved by Apple via an "Ethics Board".
Updates
An app is not static. Rather, regular updates with small improvements and enhancements are desired by the market and are also necessary to eliminate common "little bugs". However, medical device law basically assumes a static product that hardly changes after certification. It should be noted that third-party updates, e.g. from the operating system manufacturer, also have an impact on the app itself. The following four categories must be distinguished: updates due to changes in legal regulations, updates due to changes in technical standards, updates by the manufacturer based on findings from market observation, and updates to third-party software that affect your own app. The specifics of each of these categories must be taken into account. In each case, however, it must be checked whether the original intended purpose has changed (recertification if necessary), whether the technical documentation needs to be adapted, whether the risk classification has changed and whether a notified body needs to be involved.
Observance of technical standards
The technical standards should already be taken into account during development. This can save considerable time and effort during subsequent certification. Particularly relevant is IEC 62304, a harmonized European standard for software in medical devices that describes the software life cycle. It contains regulations on
software development
software maintenance
software risk management
software configuration management
and dealing with problems in connection with software.
Other standards, such as DIN EN ISO 13485 on the quality management system for medical devices, must also be observed.
Conclusion
MEDDEV 2.1/6 and the current guidance issued by the BfArM make it increasingly easy to distinguish between wellness products and medical devices. Medical apps are generally assigned to risk class I, meaning that the manufacturer can certify itself. Interfaces and updates are a distinctive feature of medical apps and must be given particular consideration.
Update: The EU Medical Device Regulation (MDR) has now come into force (but is not yet applicable) and is gradually taking effect. The MDR leads to some fundamental changes, e.g. with regard to the classification of software, which is now based on No. 6.3 Annex VIII of the MDR (Rule 11).