At the beginning of the development of a software medical device, the central question is: Which risk class applies to my product?
Risk classification has serious implications and significantly influences the cost and time frame of product development. In extreme cases, risk classification can therefore determine the success or failure of a young company.
Classification is carried out in accordance with MDR based on the intended purpose. However, this regulation often leads to confusion and leaves room for interpretation, especially when it comes to determining whether a product falls into risk class I or IIa.
Legal manufacturers are therefore faced with the following questions:
- How should I deal with this scope for interpretation when classifying medical devices?
- What are the consequences of this decision?
- Is risk class II really that much worse than risk class I? What are the specific differences for you as a manufacturer?
In this article, we provide answers that are as specific as possible and help you better understand the consequences of the classification decision.
Table of contents
- 1. Risk classes according to MDR
- 2. Vague classification rules for software medical devices
- 3. Differences: Risk class IIa vs. risk class I
- 4. Business risks: Risk class I compared to risk class IIa
- 5. Conclusion
1. Risk classes according to MDR
The MDR essentially distinguishes between the following risk classes: I, IIa, IIb, and III.
The rationale behind this is that as product risk increases, regulatory requirements also become stricter (risk-based approach). Detailed guidelines for determining the risk class of software medical devices can be found in our guide: Risk classification of software medical devices
This article focuses primarily on the differences between Class I and IIa.
Note: We use the notation IIa instead of 2a and I instead of 1, as this is also used in the MDR.
2. Vague classification rules for software medical devices
As described above, according to MDR, the risk posed by a product should be the main factor in determining its risk class—this can already be inferred from the term itself.
One might think that software that does not pose any significant risk falls into risk class I. But no: unfortunately, this blanket statement is not valid.
When determining the risk class of (standalone) software products, the famous Rule 11 of the MDR is particularly relevant—and this is causing headaches for many manufacturers.
Brief summary of Rule 11 according to MDR
As we have already dealt with Rule 11 of the MDR in detail in another article, here you will find only a brief summary of those aspects that are relevant to this article.
According to Rule 11, all medical devices that fulfill one of the following purposes are classified in at least risk class IIa:
- Software intended to provide information that is used for therapeutic or diagnostic purposes
- Software intended for monitoring physiological processes
According to Rule 11, the distinction between risk classes I and IIa is therefore not really risk-based—only the intended use is decisive. Neither the severity nor the probability of possible damage plays a role here.
But what are ‘therapeutic or diagnostic purposes’? Which software products still fall into Class I? We have addressed this question in detail in a separate article: Which products currently still fall into risk class I?
3. Differences: Risk class IIa vs. risk class I
As mentioned above, it makes a huge difference whether you are registering a Class I or Class IIa medical device. Here we describe aspects that are particularly relevant for you as a manufacturer:
- 1. Difference: Conformity assessment for approval
- 2. Difference: Obligations after approval
- a. Notifying changes
- b. Re-auditing
- c. Reporting requirements after market entry (PSUR)
3.1. Difference: Conformity assessment for approval
Requirements: Risk class I
As a manufacturer of a Class I medical device, you are naturally obliged to comply with the requirements of the MDR. This includes, for example, setting up a quality management system and preparing the technical documentation for the product. The advantage, however, is that you, as the manufacturer, can declare conformity with the MDR yourself, without involving an external party. This option arises from the low risk profile of such Class I products.
Additional requirements: Risk class IIa
As a legal manufacturer of Class IIa (or higher) medical devices, the situation is different. You are required to be audited by an external and independent organization (notified body). Only when this audit has been successfully completed will you receive confirmation of conformity and be able to place the medical device on the market.
Impact on the schedule
- Waiting time: Many notified bodies are consistently busy. It is therefore advisable to make an appointment well in advance. However, you should expect to wait several months before the notified body begins the audit.
- Duration of the audit: There is no legal time limit for how long an audit by a notified body may take. You should allow at least 6 to 12 months for this audit process. This will significantly delay the market entry of your medical device, which can be a major problem, especially for start-ups.
- Establishment of a quality management system: As a manufacturer of Class I products, you also need a quality management system, but Annex IX only becomes relevant once a notified body is involved. Among other things, this states that the notified body must verify your quality management system and its conformity with any harmonized standards (e.g., ISO 13485). For this reason, manufacturers usually obtain ISO 13485 certification at this point.
Impact on costs
- Audit costs: The costs for the audit by the notified body are, of course, borne by you as the manufacturer. Based on our experience, these range from at least €50,000 up to €200,000.
- Personnel costs: You must also prepare for and accompany the audit by the notified body. Any deviations found by the notified body must be rectified by you as the manufacturer, which means that you will need to plan for additional personnel and time resources.
- Opportunity costs: The audit process with the notified body delays your market entry by many months or even years. Accordingly, you also lose company revenue for this period. This can also be the decisive factor in insolvency, especially for start-ups.
3.2. Difference: Obligations after approval
3.2.1. Difference: Notifying changes
Requirements for risk class I
Manufacturers of Class I medical devices must also follow a change process and review, approve, and implement any product changes. This includes evaluating whether the change has an impact on the risk classification.
Nevertheless, changes to Risk Class I software are possible without the involvement of an external body. You can publish changes much more quickly because you do not have to wait for the outcome of an external review.
Additional requirements for risk class IIa
From risk class IIa onwards, product modifications become somewhat more complicated because the notified body must also be involved. So-called ‘significant’ modifications must be reported and may require re-testing. Modifications that must be reported include changes to the intended purpose or adjustments that affect the performance of the product.
Impact of risk class IIa: Timetable
- Review of changes: Minor changes should be possible without additional review. However, as soon as the changes to the product become more significant, you will again be dependent on approval from the notified body. In this case, a review may take some time before you can publish the change.
Impact of risk class IIa: Costs
- Costs for testing: The notified body will charge you for any testing—just as it did for the initial audit for market approval. The more extensive the testing of a product change, the higher the financial costs will be.
- Delayed release: The release of new features can also be relevant for business if, for example, these features are needed by many potential users. In this case, you may also lose revenue while the notified body is still conducting its assessment.
3.2.2. Difference: Re-auditing
Requirements for risk class I
As a manufacturer of risk class I software, you will not be audited on a regular basis. The only significant check you need to prepare for is the so-called manufacturer monitoring by the supervisory authorities. These checks can take place at irregular intervals. The supervisory authority will request and review specific documents from you (e.g., the risk management process). However, the scope and frequency of these checks are usually significantly lower than those of the audits carried out by the notified body (for risk class IIa and higher).
Additional requirements for risk class IIa
The situation is slightly different here. We have already mentioned the audits carried out by the notified body (e.g. for initial market approval or product changes). However, even if you do not make any product changes, the certificate issued by the notified body is not valid indefinitely. As a rule, you must undergo a complete audit and an inspection of the technical documentation by the notified body after five years at the latest. A surveillance audit and a random check of the technical documentation are also carried out annually.
In summary, the following audits and checks are carried out:
- MDR audit and review of technical documentation (at least every 5 years)
- MDR surveillance audit (annual)
- Manufacturer monitoring by supervisory authority (irregular)
Impact of risk class IIa: Timetable
- The regular audits or inspections should not affect the product development schedule.
Impact on costs
- Costs for the notified body: Each audit carried out by the notified body must be paid for, as described above. The more frequently an audit is carried out, the higher the costs will naturally be.
- Personnel costs: As described above, audits tie up human resources in preparation, implementation, and follow-up. Costs rise significantly for you, especially if deviations need to be corrected. You must plan for the time required to conduct the audit as well as for the time needed for preparation and follow-up.
Figure: Medical devices: testing and audits by the notified body
3.2.3. Difference: Reporting requirements after market entry
Requirements for risk class I
The reporting obligations for manufacturers of risk class I medical devices are essentially limited to registering the medical device and reporting serious incidents and trends.
Additional requirements for risk class IIa
In addition to the requirements for risk class I, manufacturers of risk class IIa products are required to prepare a Periodic Safety Update Report (PSUR) and submit it independently to the notified body. It is advisable to prepare this PSUR as part of post-market surveillance (PMS) and post-market clinical follow-up (PMCF). You are also required to carry out PMS and PMCF activities for Class I devices, but there is generally no reporting obligation.
This PSUR must be updated at least every two years for Class IIa products and annually for higher-class products.
Impact of risk class IIa: Timetable
- The product development schedule is not affected by the preparation of the PSUR.
Impact of risk class IIa: Costs
- Human resources: The preparation of the PSUR also requires human resources. The amount of work involved depends primarily on the data to be analyzed and any new findings.
4. Business risks: Risk class I compared to risk class IIa
You now know that medical device approval under risk class IIa entails considerable additional costs and significant delays in market entry.
However, we have already mentioned that determining the risk class under MDR for software products is ambiguous and (unfortunately) open to interpretation. As a result, manufacturers of risk class I products have little certainty that this class has been determined correctly.
If you classify your product in risk class I, there are a number of risks due to the existing uncertainty:
- Risk: Supervisory authority disagrees with classification
- Risk: Legal proceedings following complaints from competitors or users
- Risk: Changes to regulations and their interpretation
We will briefly discuss each of these risks in the following sections.
4.1. Risk: Supervisory authority disagrees with classification
As a manufacturer of a Risk Class I product, your competent supervisory authority is authorized to monitor you at irregular intervals. You will be subject to unannounced inspections.
There is also a risk that the supervisory authority will disagree with your risk classification. A possible scenario would then be as follows:
- The supervisory authority requests product information and documents from you
- The supervisory authority reviews all documentation and concludes that the product actually falls into risk class IIa
- The supervisory authority confronts you with its assessment
- You discuss and argue against it
- The supervisory authority remains unconvinced
- The supervisory authority gives you the choice of increasing the risk class or withdrawing the product from the market
In this case, you can proceed with subsequent classification as risk class IIa and search for a notified body. Nevertheless, you should be mentally prepared for this eventuality.
4.2. Risk: Legal proceedings following a lawsuit
Not only supervisory authorities, but also courts can influence the risk class of your products.
Courts only become involved if legal proceedings are initiated. Both competitors and users of your products could potentially enter into legal disputes with you. In this case, you may have to justify your risk classification.
Scenario of a lawsuit filed by a competitor:
Imagine you have developed a Class IIa medical device software product. After two years, a clinical trial, and final approval from the notified body, you have finally made it onto the market and can now hopefully recoup the investments you have made over the last few years with your first sales.
The next day, a competitor launches a product that is almost identical to yours, except that they have self-declared it as a Class I product. Your competitor has therefore skipped the audit by a notified body and can now invest all their resources in marketing and sales.
What does that trigger in you? The natural reaction would be a feeling of injustice. And that feeling sometimes leads to legal proceedings.
Cases such as Dermanostic show that court rulings can also result in manufacturers (e.g., of Class I products) having to withdraw their products from the market and/or reclassify them to a higher class. Although such cases are relatively rare, they should be considered a potential business risk.
4.3. Risk: Changes to regulations and their interpretation
The current version of the MDR and the MDCG guidance documents (especially MDCG 2019-11) are usually used as a basis for determining the risk class. However, the individual experience of manufacturers is also a valuable source for correct classification.
Since most of these sources have no legal validity and no rules are set in stone, there is always a chance that the rules of the game will change. For example, the following topics are currently the subject of intense debate in the industry:
- A new version of MDCG 2019-11 is in the works: This document is especially helpful for software manufacturers in determining the risk class of their product. It contains much more specific information than the MDR and is therefore one of the most important sources of information. Even though MDCG guidance documents have no legal validity, they still have a very strong influence on the opinions of testing bodies, as some of them are even involved in their creation.
- Possible adjustments to the MDR: Although there is currently no specific information on this, there are ongoing efforts to amend parts of the MDR. This could also include the classification rules, which manufacturers have repeatedly complained about.
- Higher authorities influence individual state supervisory authorities: The BfArM or even the Federal Ministry of Health (BMG) could influence your supervisory authority. A stricter interpretation of Rule 11 by higher authorities could therefore lead to increased scrutiny or even stricter measures by your competent supervisory authority. This could also include a higher classification of your product.
5. Conclusion
The costs and time required to bring a new product to market vary greatly between risk class I and risk class IIa.
- Timeframe until market entry: The approval of Class IIa software can take more than a year longer than for a Class I medical device.
- Costs: Due to the costs for the notified body and the commitment of internal resources, additional costs of €100,000 or more must be expected for risk class IIa. In addition, there are opportunity costs for lost sales due to the delay in market entry.
What poses no problem for large corporations at first becomes an existential threat for start-ups. The requirements of risk class IIa are unmanageable for many young companies and lead to insolvency. As a result, many innovative products never make it to market and cannot improve patient care.
It is therefore extremely important for Germany and Europe that software products with low risks can continue to be classified in risk class I in the future. The risks posed by digital health applications (DiGA), for example, are generally very low. However, these applications have an enormous positive impact on patient care. We therefore hope that this will be taken into account in the future update of the MDCG classification guideline.
In the meantime, the above guidelines should help you better understand the current situation regarding the classification of software medical devices.