The New EU Medical Device Software Requirements

With the EU’s new medical device software (MDSW) requirements, the guidance related to qualification, classification, clinical evaluation and cybersecurity present challenges for software as a medical device (SaMD) manufacturers. Approaches to MDSW under the EU Medical Device Regulation (MDR) 2017/745 and In Vitro Diagnostic Regulation (IVDR) 2017/746 are much stricter than other regulations and require a deeper dive.

The Regulatory Affairs Professionals Society details these changes in Medical Device Software Under the EU MDR. Here is a synopsis of their findings to help you navigate the process.

Qualification:

Qualification is the activity that determines whether the MDSW is covered under the MDR. To that end, MDCG 2019-11 offers a qualification workflow that takes manufacturers through the following questions:

  • Is the product software in accordance with the definition of the MDCG 2019-11 guidance?
  • Is the software an annex XVI device, an accessory for a medical device according to MDR art 2(2)?
  • Is the software driving or influencing the use of a (hardware) medical device?
  • Is the software performing an action on data different from storage, archival, communication or simple search?
  • Is the action for the benefit of individual patients?
  • Is the software an MSDW according to the definition of the guidance?

Classification:

Classification determines the risk class of a medical device. Software under the MDR is an active device and must follow active device classification rules. The final classification will be determined by the highest classification of the MSDW after all classification rules are applied.

To avoid being assigned a classification that is too high, follow MDR Annex VIII Rule 3.3 and MDCG 2019-11 guidance, which is based on International Medical Device Regulators Forum (IMDRF) recommendations. For example, according to this guidance, because most software has an indirect influence on treatment or diagnosis, the classification should be lower. And any software that drives a medical device or influences its use should be assigned the same risk class as the device itself.

Evaluation:

The most recent clinical evaluation guidance (MEDDEV 2.7.1 rev 4) was not written with MDSW in mind. Yet governing bodies expect clinical evaluations to follow the guidance, using the Clinical Evaluation Assessment Report (CEAR) template for the review. Therefore, manufacturers should have solid understanding of the CEAR, keeping in mind the following omissions from MEDDEV which create critical gaps for MDR requirements:

  • No references to the MDR, such as articles, annexes, and general safety and performance requirements (GSPR) sections.
  • No discussion about MDR Article 61(10) that technical data can replace clinical data under certain conditions
  • Missing MDR requirements for clinical evaluation plan, identifying GSPRs requiring (clinical) data and defining which level of clinical evidence is required
  • Clinical investigation for class IIb implantables and class III devices
  • Post-market surveillance plan, post-market clinical follow-up plan and clinical development plan
  • Common specifications
  • Stricter requirements for clinical data
  • Qualified assessment of sufficient level of clinical evidence

Clinical Evidence:

According to the MDR, clinical evidence is based on a very strict definition of clinical data from an original or equivalent device, with clinical data coming mainly from clinical investigations (and not from post-market surveillance clinical data). To help MSDW manufacturers navigate the regulation, the Medical Device Coordination Group (MDCG) created a suite of documents that offer guidance specific to:

  • Sufficient clinical evidence for legacy devices
  • Clinical evaluation
  • Clinical (MDR) or performance (IVDR) evaluation of medical device software

Note, both MDR and MDSW clinical evaluations are required.

Cybersecurity guidance

With the recent prevalence of ransomware attacks on hospitals around the world, MDCG 2019-16 guidance on cybersecurity was developed to protect MDSW—and updated guidance is expected soon.  The guidance also requires that manufacturers inform the hospital asset owner and system integrator on how the MDSW can be protected.

Manufacturers are strongly encouraged to carefully study the MDCG guidance for the MDR, as it contains solutions for common problems, plus additional requirements for acquiring the MDR CE mark. If you have any questions or are looking for additional information about the new EU medical device software requirements, contact our regulatory team.

Need help with your medical device?

Let Vantage MedTech show how to bring your idea from concept to prototype to FDA/CE approval with a free custom project analysis.