A guy showing his hand with some kind of stain on it, a smartphone showing a checkmark. All together symbolizing mole assessment via medical app as an example for risk classification .

Risk Classification of a Medical App

Depending on the risk classification of medical software such as medical apps, manufacturers must perform a conformity assessment procedure, clinical evaluation, or even clinical investigations before they may place their device on the market. The risk classification is therefore important even in the early stage of the life cycle of a device. The new EU Medical Device Regulation (EU-MDR) defines new rules for the risk classification of medical devices. In this article we explain how manufacturers must apply the new EU MDR rules and compare it to the existing EU Medical Device Directive (EU MDD) rules.

Medical App for Mole Assessment

In the following paragraphs we use an example of an app for the assessment of moles. This app allows users to take pictures of moles on the skin and subsequently store and analyze them. Based on image processing algorithms, the app provides detailed assessment of the scanned moles. Additionally, the app assesses the probability that the scanned mole is a melanoma in order to support early diagnosis of skin cancer.

There are two different software versions that address two different user groups. One version can be used by patients for an initial self assessment while the other version is only available to healthcare professionals for medical diagnosis.

Current Risk Classification according to EU MDD

A risk classification of this app is only necessary if the app is a medical device. Therefore, in a first step, the manufacturer needs to determine whether the app is a medical device or not.

If there is any doubt as to whether an app is a medical device, the guidelines of the EU Commission can help. The EU MDD guideline document MEDDEV 2.1/6 is currently available for software as a medical device. In addition, Section 9 of the Borderline Manual describes the qualification and classification of software as a medical device.

According to section 9.8, the mole assessment app is a medical device because it is characterized as follows: “This app, which is not incorporated in a medical device, uses computer image processing technology to make assessments of moles, whereby performing an action on data other than just storage, for the medical benefit of individual patients”. This description is in full accordance with the medical device definition (including software) in Art. 1 (2) EU MDD:

“any […] software […] whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of […]

In a second step the risk classification according to Rule 12 of Annex IX EU MDD leads to risk class I for the mole assessment app (see Borderline Manual).

In the following paragraph we show you how the risk classification will change for this app by applying the new EU MDR rules.

Future Risk Classification according to EU MDR

What is the difference if the EU MDR is used as a basis? As explained in a previous article, manufacturers must apply the newly introduced rule 11 (Annex VIII EU MDR) for stand-alone software such as a medical app.

The following figure gives guidance for software risk classification using the mole assessment app as an example. Moreover, this example is considering the previously mentioned two user versions.

Risk Classification of a Mole Assessment App

Note that applying rule 11 ensures that even the supposedly harmless patient version cannot be classified as risk class I.

If both user versions are part of the same product, the higher class IIb applies, according to Annex VIII, section 3.5 EU MDR.

What are the Consequences of the new Risk Classification?

Because of the higher EU MDR risk classes IIa or IIb compared to the former MDD assignment to class I a manufacturer needs to involve a notified body.

The conformity assessment routes have not changed much with the introduction of the EU MDR. According to Art. 52 (4, 6) EU MDR, products of risk classes IIa and IIb are both subject to a conformity assessment as specified in chapters I (quality management system) and III (administrative provisions) of Annex IX including an assessment of the technical documentation.

It seems that the conformity assessment procedures would basically be identical for the two user versions of the mole assessment app. But be careful! For example, in terms of risk management it makes a difference whether the app is used for an initial self-assessment or professional diagnosis.

Our Recommendations

For the application of the new risk classification according to the EU MDR we recommend the following:

  • Note that the qualification of an app as medical device in most of the cases does not change under the new regulatory framework of the EU MDR. However, this has to be checked carefully for each individual case.
  • The mole assessment app is a good example of how a minor difference in the intended purpose can affect the risk classification.
  • As manufacturer of software as medical device, e. g. medical apps, keep yourself informed of any changes and interpretation guidance for the EU MDR. For example, it is currently not clear whether there would be any differences between the two user versions in our example regarding the evaluation of the technical documentation. The original text of the EU MDR requires a limited assessment for class IIa products while the current corrigendum of the EU MDR changes this.