For medical device manufacturers, efficient risk management is an important contribution to patient safety. In this respect, the Medical Device Regulation (MDR), as the new European regulatory framework, does not change this view. Article 10 (2) MDR requires an established, documented, implemented and maintained risk management system. Furthermore, Chapter I of the “Safety and Performance Requirements” in Annex I MDR highlights the term “risk” at several points (e.g. sections 1-5, 8, and 9).
Software as Medical Device
Both types of software, software that is part of a medical device (embedded) and software that is a medical device on its own (stand-alone), have to fulfil the above-mentioned requirements. In addition, the European legislator defined some software-specific requirements in Annex I concerning possible risks:
- 14.2.(d): “Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible: […] (d) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts; […]”
- 17.1.: “Devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, shall be designed to ensure repeatability, reliability and performance in line with their intended use. In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance.”
- 17.2.: “For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.”
- 17.3.: “Software referred to in this Section that is intended to be used in combination with mobile computing platforms shall be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards level of light or noise).”
- 17.4.: “Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.”