Medical Apps, also referred to as Mobile Medical Apps, are applications for mobile devices such as smartphones or tablets that support medical professionals or patients in the diagnosis, treatment or monitoring of a disease or injury.
This article describes when medical apps are subject to the legal requirements for medical devices and how manufacturers can meet these regulatory requirements.
„(1) ‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:
and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.“
Medical Device Regulation
Mobile Applications are, according to FDA software, applications that run on mobile platforms such as commercial "handhelds", whereby it is immaterial whether they work via a wireless connection (WiFi or 3G) or not. Even web applications that are designed specifically for mobile devices fall within the definition of "Mobile Application".
The Mobile Medical Applications are now those who additionally satisfy the definition of Medical Devices. This is where the challenge of distinguishing between the Medical Devices and Non-Medical Devices begins. Very helpful for this differentiation, are the examples that the FDA gives:
The FDA gives examples of mobile apps that fall within the gray area and can be valued separately:
Finally, the FDA gives examples of Mobile (Health) Applications that are not medical devices, i.e. not to be classified as a Mobile Medical Application:
Interestingly, there are Medical Apps for which the FDA does not enforce compliance with the regulations.
Need assistance to get approval respectively CE-mark for your Medical App?
Once a mobile application is classified as a medical device, the relevant requirements of the FDA must be considered.
Relevant Requirements:
How extensive the demands of the Quality System Regulations must be met, mainly depends on the risk from the respective app. The FDA distinguishes different classes which are not to be confused with the level of concern.
The FDA does not enforce all Mobile Medical Apps compliance with the legal requirements. This discretion also applies to medical apps that are classified as Medical Device Data Systems.
The classification of Medical Apps of medical devices and non-medical devices, such as that made by the FDA, can be transferred substantially and directly to the definition of the term in Europe according to Medical Device Directive (MDD) respectively Medical Device Regulation MDR. However, the documentation requirements differ.
The technical documentation must include:
Unlike the FDA, the scope of the created (not submitted!) "Software file" depends on the software safety class. This safety class roughly corresponds to the FDA's Level of Concern.
In Europe, manufacturers who ‘just’ develop medical apps for commercial devices (tablets and smartphones), but don’t develop specific hardware for them, don’t have to prove compliance with IEC 60601-1, the standard for electromagnetic compatibility or electrical safety. An extension of the terminal, for example the above instrument for blood glucose monitoring strips, negates this simplification.
The interpretation of auditors and authorities is that Mobile Medical Apps must be treated as any other medical device. While this is correct, in practice there are many challenges that the manufacturers of these "medical apps" should be aware of in order to successfully pass the "certification" of their apps.
Failing to cope with these challenges may cause:
Whereas classical medical device manufacturers develop their embedded software for one runtime environment (for example, hardware, operating system), app developers need to support a variety of platforms. This diversity concerns:
For a HF surgical device, it is relatively easy to specify the users and use environments. In Medical Apps, which are often offered without restrictions to a group of users, the same task can be particularly challenging for risk management:
Mobile Medical Apps mostly use server functionality. Thus, they are dependent on a secure client-server communication. Security here is CIA:
Furthermore, it’s usual in the App-environment, to release several versions per quarter, sometimes per month. The development cycles, just like the technology cycles, are becoming shorter. This entails the following potential problems:
Definition of the product: Many app makers, especially if they develop a server part, are not even able to tell what is now part of the medical device. Is the server hardware part of it? The operating system of the server? The web / application server? The database? The PHP runtime environment? This ambiguity also stems from the fact that there is often only one instance of the device (at least on the server part) of the product. Sometimes millions of copies of "Normal" medical devices are sold. In this case it is clear what is part of it and what isn’t.
Medical apps deal with medical data. To comply with the relevant data protection rules in a country is already challenging. The challenge now is to meet the data protection laws of many countries. It must also be clarified which laws apply where in the country: The country where the user is located? The country in which the server is? The country, which the patient comes from?
Classification: In Europe, it is noteworthy that many apps fall into Class I. Even very critical apps, for example, those for the calculation of cytostatics. However, the MDR will change the classification.
Manufacturer is also operator: Once the manufacturer operates the server (or can operate) they must also refer to the statutory provisions, that are meant for the operator. Key points here are the MPBetreibV or IEC 80001.
Lack of experience: There is hardly any product category in which there are as many new "players" who have little idea about the medical device law, as in the Medical Apps: agencies, marketing departments, startups. But ignorance is no excuse.
In recent years, manufacturers of Medical Apps, called Mobile Medical Applications by the FDA, brought in almost explosively growing number of medical apps into the market. Stores like Apple's AppStore or Google Play are full of applications for tablets and smartphones.
You can condemn or love Medical Apps. Either way, these apps are on the rise. Whether these are to be used already to replace classical medical devices, can be reasonably discussed. A doctor who uses his iPhone as a substitute for an EKG, I probably would not visit a second time. But it is supposed to happen, as Gizmodo reports.
Some manufacturers go a step further. In total Star Trek style, there is now a little scanner that is carried over the patient and then gives information about the status of their health.
The proportion of these mobile apps, which demonstrably meet the regulatory requirements (particularly the FDA and the European legislator) is negligible. Medical device manufacturers failed to operate a risk management in order to develop the software in accordance with a lifecycle model and to document and demonstrate the suitability for use of their products. However, the authorities are taking the producers of mobile apps increasingly more into focus.
With the speed with which the web technologies develop, the developers of mobile apps must keep up because the share in the technologies of these Apps is also growing. Contributing to this are not just the cross-platform development tools like Apache Cordoba, but also the standardization of technologies within the platform-specific tools.
We appreciate the innovative strength of the manufacturers of Mobile Medical Apps. Contact us now, we would like to help you: