Software as a medical device
Software within digital health apps can be classified as medical devices, if the intended purpose relates to one of the following pursuant to section 3 no. 1 Medical Devices Act (“MPG”, Medizinproduktegesetz) and article 2 of the Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, which shall apply from 26 May 2021 (as established by Regulation (EU) 2020/561) (“MDR”):
- diagnosis, prevention, monitoring, treatment or alleviation of disease,
- diagnosis, monitoring, treatment, alleviation or compensation of injuries or handicaps,
- investigation, replacement or modification of the anatomy or of a physiological process,
- control of conception.
The differentiation between a medical device and a consumer product - which does not fall within the scope of the MPG and MDR – can largely be influenced by the manufacturer based on the intended purpose which is defined by him.
Not only is the explicitly described intended purpose (Zweckbestimmung) relevant, e.g., for an authority decision on qualification as a medical device, but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product.
Possible indicative terms in connection with the intended use of corresponding functions can be, for example:
- alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying.
Indicative functions for classification as a medical device can be, amongst others, the following:
- decision support or decision-making software, e.g., regarding therapeutic measures,
- calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves),
- monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy.
Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device.
Medical devices are—generally speaking—assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, II a, II b or III, whereby Class I comprises those products with the lowest risk potential.
A key difference between the regulations of the MPG and the MDR are the classification rules for software medical devices.
According to the MPG, the classification of medical devices is based on section 13 para. 1 MPG in conjunction with Annex VIII of the Directive 93/42/EEC (“MDD”). According to rules 9 to 12 most medical apps belong to risk class I.
They can, however, also be classified as Class IIa or IIb medical devices, for example when diagnosing or controlling vital functions since the health risks for the user are increased.
Under annex VIII chapter III, rule 11 MDR, the classification rules for software devices are listed. In principle, it is still possible for a software medical device to fall into Class I. However, according to the views expressed in the German legal literature, it is assumed that software medical devices will have to be upgraded in principle and will generally fall under Class IIa.
If a product is considered as medical device, it is necessary to affix it with a CE marking, cf. section 6 MPG, article 20 and annex V MDR.
If the manufacturer brings a medical device onto the market or puts it into operation without the required CE marking, this constitutes an administrative offence in case of negligence and a criminal offence in the case of intent, sections 41 no. 2, 42 para 1 MPG, article 113 MDR according to which member states lay down the sanctions applicable to infringements of the provisions of the MDR and take all necessary measures to enforce them. Member States may submit these provisions to the Commission by 25 February 2021. In Germany, sanctions are regulated in section 92 et seq. Medical Devices Implementation Act. (See also Q6). Furthermore, this is a so-called “unfair act” within the meaning of the German Unfair Competition Act (“UWG”, Gesetz gegen den unlauteren Wettbewerb), so that the manufacturer can be sued for stopping distribution and for damages
1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
Software within digital health apps as medical devices can be qualified as “products” to which liability can attach.
The term “products” often refers only to movable, physical objects. There are some doubts in the legal literature whether software can also be covered by the product definition.
The fact that software is explicitly mentioned in the MDR is a justified basis for this discussion and in our opinion speaks in favour of including software in the scope of application of product liability law.
Thus, strong arguments support the fact that the general rules on product liability apply also to software medical devices.
The applicable rules are section 1 Product Liability Act (Produkthaftungsgesetz) , sections 823 para 1and 831 as well as section 823 para 2 of the German Civil Code (Bürgerliches Gesetzbuch) in connection with section 4 MPG.
Special provisions that focus on liability, e.g., regarding artificial intelligence within the software of digital heath apps does not– so far–exist in German law.
1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
There aren't exclusions or limitations of liability that apply solely to the liability of software medical devices.
Rather, the liability exclusions that also apply to other products are applicable.
The liability according to the German Civil Code requires, for example, negligence. According to the Product Liability Act, the manufacturer's obligation to pay compensation is excluded under certain conditions, cf. section 1 para 2 Product Liability Act.
Furthermore, the duties of vigilance and observation apply to both medical products and other products.