CE-marking medical software

When does medical software need a CE certification?

Medical devices, such as infusion pumps and MRI scanners, need to be certified according to European CE rules. For a manufacturer, however, it is not always clear whether his product needs a ‘medical’ CE certification. This is especially true for any embedded software.

When CE certified, a medical device complies with all European legal requirements regarding safety, health and environment. If the device includes software, this software should also comply with EU standards. For example, the software embedded in a MRI scanner, should also be tested in order for the scanner to receive a ‘medical’ CE certification based on Directive 93/42/EEC.

A more tricky category concerns software that is not an integral part of dedicated medical hardware, like software to show scanner images on a computer screen, that is, software that also could be used in other, non medical, products. Does Directive 93/42/EEC also apply to this kind of software? And if so: which requirements should be taken into account?

Request quote →

Medical device and its risk class

To help the manufacturer, a guideline is available to determine whether software can be considered as ’stand alone’ (i.e., as non dedicated) or indeed as dedicated medical software. This guideline is MEDDEV 2.1/6. From this guideline, it becomes apparent that any software with a diagnostic or therapeutic function – such as an app that calculates the correct amount of insulin needed – should be considered medical software. Software that is essential for the functioning of a medical device, should also be considered dedicated medical software and therefore comply with Directive 93/42/EEC.

If indeed a device and/or its software is considered to be ‘purely’ medical, the manufacturer has to decide which risk class its product belongs to. The risk class is a determining factor when it comes to the certification process itself. For example, can the manufacturer certify himself without any external party (as long as the resulting documentation becomes available upon request)? If the relevant risk class does not permit this, external auditing is necessary. To determine which risk class is relevant, classification rules need to be applied. These rules can be found in appendix IX of MEDDEV 2.1/6. Risk classes are I (‘low’), IIa (‘medium’) and IIb (‘high’).  In case of risk class IIa or IIb, external auditing is necessary, carried out by an institute that is recognized by the government.

Requirements technical dossier

Any medical device should include a user manual, unless the product could be considered as belonging to risk class I or IIa and could be used safely without such manual. Directive 93/42/EEC clearly states which items should be in the user manual, for example safety instructions. Also, information on maintenance should be part of a user manual.