Software in Medical Devices, by MD101 Consulting

To content | To menu | To search

The essential list of guidances for software medical devices


This page gathers the guidances and other documents about CE mark and FDA 510k for software medical devices. I limited the list to documents, which have an impact on design.

Go to the list of FDA guidances

CE Mark Guidances

I picked the documents in websites of the following organisms:

If you’re looking for documents about other steps of the software lifecycle (clinical evaluation & investigation, post-market surveillance and vigilance), you’ll find what you’re looking for in those websites.

Is your software a medical device?

The MEDDEV 2.1.6 Qualification and Classification of stand alone software contains information to let you determine if your software is a medical device. I hope for you that your software falls out of the scope of medical devices. You will save money! But I’ll be sad, because you won’t need to read my blog any more :-)

Has it a measuring function?

The MEDDEV 2.1/5 of June 1998 Medical Devices with a measuring function contains contains criteria which indicate that a device has a measuring function. Note that usually standalone software doesn't have a measuring function. If valid measurement data are given by another medical device, and are processed by the standalone software to compute new data, then it shouldn't have a measuring function.

What is its classification?

The MEDDEV 2.4.1 rev9 Classification of medical devices contains a comprehensive interpretation of the classification rules of the 93/42 directive.

Not yet sure of its classification?

Have a look at the last version of the Manual on borderline and classification of medical devices. It has, amongst other things, a section about Picture Archiving and Communication Systems (PACS) and a chapter dedicated to mobile applications.

How should I proceed to CE mark?

The NB-MED 2.2/rec4 revision 5 Software and Medical Devices contains indications about how applying the annexes II to VII of the 93/42 CE directive.
This is explained with more details on the page How to qualify, classify, and CE mark Software.

How should I design it?

Official documents on CE mark are not talkative about software design. You have to rely on IEC 62304 standard (see posts in the "standards" category of this blog).
The FAQ on IEC 62304 of TEAM-NB gives a good bunch of recommendations to apply this standard for CE mark compliance. It also gives a lot of additional hints related to questions that are asked in this web page.

Outside Europe, the FDA published more that 10 years ago the "General Principles of Software Validation" guidance. The link to this very useful guidance is in the section about FDA guidances below on this page.

How to do clinical evaluation?

I put the clinical evaluation in the list hence it may have an impact on design. The MEDDEV 2.7.1 rev 4 Clinical evaluation - Guide for manufacturers and notified bodies contains recommendations about clinical evaluation.
The NBOG CL 2010-1 Checklist for audit of Notified Body’s review of Clinical Data-Clinical Evaluation is also interesting to see what is expected from the notified body during clinical data evaluation.

What information should I put in the technical file?

The NB-MED/2.5.1/Rec5 Technical Documentation contains the structure of the design dossier submitted (or not, if you’re in class I) to the notified body. It’s a very generic document and doesn’t contain a lot about software.
The GHTF SG1 N11 Summary Technical Documentation for Demonstrating Conformity to the Essential Principles of Safety and Performance of Medical Devices (STED) has some more information about software.
See also my templates repository page on design documents you should provide with your design dossier.
Furthermore, you may have a look at the NBOG_BPG_2009_1 Guidance on Design-Dossier Examination and Report to see what data notified bodies expect to find in your design dossier.

What do I put in the declaration of conformity?

If you do it by yourself (you’re in class I), the MDEG – 2009–12-01 Guidance notes for manufacturers of class I medical devices contains all information about CE mark of class I devices.
Have a look also at the NB-MED 2.5.1 Rec4 Content of mandatory certificates contains interesting information on what notified bodies want to see in the declarations of conformity of manufacturers.

How do I handle design changes?

This is a big issue with software, which are always perfectible and need to be continuously improved. The NB-MED/2.5.2/Rec2 Reporting of design changes and changes of the quality system contains information on when and how to report changes to design.
Have a look also at the NB-MED/2.5.1/Rec6 Renewal of EC Design-Examination and Type-Examination and the NBOG BPG 2014-1 Renewal of EC Design-Examination and Type-Examination Certificates. They both contain recommendations about when to decide to renew the design examination by a notified body. The first one is somewhat replaced by the second one, which is newer. However the NBOG BPG 2014-1 doesn't say that it supersedes the NB-MED/2.5.1/Rec6.

But the most interesting document on design changes was published in 2014: the NBOG BPG 2014-3 Guidance for manufacturers and Notified Bodies on reporting of Design Changes and Changes of the Quality System. It contains the section 5.1 with lots of examples related to software changes.

Do I have to translate it?

Another really big issue for software, where translation may lead to design changes. The MDEG 2008-12- II-6.3 Mandatory Languages Requirements for Medical Devices is made for you.
Warning! It’s a bit old. You should have a look at the most recent regulations of member states. The advantage is if you find that a language is mandatory in this document, you won’t have to do further investigations.

Do I have to print the instructions for use?

The easiest way to deliver the IFU is to give it in an electronic format. The Council Decision on electronic instructions for use of medical devices gives information about when printing instructions is mandatory.
See also the NB-MED position about e-IFU.

Here's my list so far for CE mark.

Let's see now the FDA 510k guidances for software.

FDA 510k Guidances

I picked all the documents on FDA's website: medical devices guidances search page
This is my unique source of information. Compared to what is found about CE mark, the FDA has the immense virtue to gather all the precious information! I think that FDA guidances are a little verbose. But their content is always of good level and may be used to find answers on subjects that EU guidances don’t tackle.

What is the classification of my device?

Classification of devices is most of times straightforward, with the help of the FDA database on classification of medical devices. However, things are changing quickly for software with the rush of medical devices manufacturers on mobile applications. We have the :

That's a lot of information. There's an article dedicated to these guidances.

How do I design it ?

Surely the most important document of the FDA about software design (after the CFR, of course!), the General Principles of Software Validation; Final Guidance for Industry and FDA Staff is one of the most comprehensive documents about software design, verification and validation in the medical devices industry. It covers all steps of software design and more. Read it carefully!

What about COTS and SOUP?

COTS (Components Off The Shelf) are software not developed internally. COTS include software found at runtime and software used for design. For example: COTS include java runtime and java SDK.
IEC 62304 standard defines the concept SOUP (Software of Unknown Provenance) as software used in the medical device, but not developed with the level of scrutiny required by regulations. The SOUP definition doesn't include software used for design. For example: COTS include java runtime only, not java SDK.
The guidance on Off-The-Shelf Software Use in Medical Devices deals with problems about hazards brought by this kind of software.

What about human factors engineering?

Human factors in a recent subject of concern of regulation agencies. FDA is not the last one in the race for new guidance about it with the Guidance on Applying Human Factors and Usability Engineering to Optimize Medical Device Design.
This guidance integrates the latest developments on ergonomics found in IEC 62366 and AAMI HE75 standards.
There is also a long page on FDA website dedicated to human factors.

What about cyber security?

Software security is a non-functional requirement, which is probably the most difficult to implement if software wasn’t initially designed the right way. There are two documents on cybersecurity while designing software medical device.
The first one is the guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. It is not easy to apply as it defines a cybersecurity management process.
The second document is the guidance about Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Its scope is narrower as it focuses on problems about updating COTS software (like installing a patch delivered by the COTS editor), which have impact on security.
The last guidance on cybersecurity deals with phases after design, when software is placed on the market: the draft Guidance on Postmarket Management of Cybersecurity in Medical Devices. It is still a draft guidance but is the only one you'll find on cybersecurity management when the device is placed on the market.
There is also a page on FDA website dedicated to cybersecurity.

Do I have to print the instructions for use?

The guidance on Acceptable Media for Electronic – Product User Manuals contains new information about cases where delivering user manuals in printed format is mandatory. If you fall out of the scope of mandatory print copies of instructions for use, enjoy.

What do I put in my 510k submission ?

FDA gives instructions about software in medical device in the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Another document more specific on medical Imaging software is the Guidance for the Submission Of Premarket Notifications for Medical Image Management Devices.

My device changes, should I submit a new 510k ?

The guidance on 510(k) Device Modifications: Deciding When to Submit a 510(k) for a Change to an Existing Device contains a very well done decision tree and a lot of explanations with new information about software. This guidance was issued in 1997 and a new draft guidance Deciding When to Submit a 510(k) for a Change to an Existing Device was published by the FDA.
The two guidances above are for all types of medical devices, a new draft guidance was also published by the FDA: Deciding When to Submit a 510(k) for a Software Change to an Existing Device. Rely on this last guidance when changes are only made in software. Even if it is in draft state, this is the only one on this subject.

First version on February 22nd 2012
Second version on October 29th 2015.
Updated on August 2016
Reason: periodic review of articles
Fixed dead links and updated guidances info.

Published on Wednesday 22 February 2012 by Mitch