Laws governing medical devices in the EU and their effect on free and open source software


cfarrell's picture

Changes to Member State implementation of Directive 93/42/EEC (3) of 14 June 1993 concerning Medical Devices as required by Directive 2007/47/EC

Background

Member States of the European Union recently implemented Directive 2007/47/EC of September 5th 2007 concerning Medical Devices. This Directive amended Directive 93/42/EEC from June 14th 1993. Given that this Directive should now have become part of the national legislation of each EU Member State, it is a good time to take a look at how the provisions of the Directive could apply to open source software.

Council Directive 93/42/EEC came about as it was recognised that the content and scope of the laws, regulations and administrative provisions in force in the Member States with regard to the safety, health protection and performance characteristics of medical devices and certification of such devices are different. This difference posed an actual threat to the free movement of goods and services within the Community. As such, the Directive sought to harmonise national provisions with regard to the use of medical devices.

Software as a 'medical device'

As well as recognising various medical equipment and apparatus as 'medical devices', the 1993 Directive also recognised the role of software as potentially having important bearing on the proper functioning of such medical equipment. Article 2(a) of the 1993 Directive stated that “'medical device' means any instrument, apparatus, appliance [...] including the software necessary for its proper application intended by the manufacturer to be used for human beings [...]”.

The amending Directive of 2007 sought to broaden the scope of application of the legislation with respect to software and stated in Section (6) of the preamble: “It is necessary to clarify that software in its own right, when specifically intended by the manufacturer to be used for one or more of the medical purposes set out in the definition of a medical device, is a medical device. Software for general purposes when used in a healthcare setting is not a medical device”. This inclusion of standalone software as a medical device was duly incorporated into the national legislation of the Member States. The updated version of Article 2(a) of the 1993 Directive now read “'medical device' means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application [...]”.

The distinction made between standalone software as a medical device and general purpose software used in a medical context reflects at least partly a clarifying document from the European Commission (DG Enterprise) (MEDDEV 2.1/I April 1994) in which it was stated that in the case of software intended for use with multipurpose informatic equipment “a distinction must be made between software providing for a proper therapeutic tool and software for handling general patient-related data. Only in the first case may a medical purpose be determined”. The MEDDEV document proceeded to give some examples; software for the calculation of anatomical sites of the body, image enhancing software intended for diagnostic purposes and software for programming medical devices were cited as examples of software with a medical purpose.

As the distinction between “proper therapeutic tool” and “software for handling general patient-related data” did not find its way into the 2007 Directive (except, arguably, through Section 6 of the preamble), it remains difficult to say with any degree of certainty whether or not Electronic Medical Record software such as gnumed.org or care2x.org – both of which handle medical records, which are at least arguably “general patient-related data” – falls under the scope of the 2007 Directive, as implemented in national legislation.

Placing a medical device on the Community market

Having seen that standalone software can indeed be determined to be a 'medical device' for the purposes of the Directive, the question of when and how such software is determined to be brought to market is equally important in the overall context of the legislation. Article 1 (2)(h) of the original 1993 Directive stated that 'placing on the market' means “the first making available in return for payment or free of charge of a device other than a device intended for clinical investigation, with a view to distribution and/or use on the Community market, regardless of whether it is new or fully refurbished”. This definition was not changed by the 2007 Directive. If and when software qualifies as a medical device, the software is then effectively brought to market when first made available – irrespective of whether or not a fee was charged. As it is not evident that any provision was made for open source software, it is presumed that the making available of software through a service such as Sourceforge.org or through the openSUSE Build Service would constitute 'placing on the market' for the purpose of the Directive.

Who or what are manufacturers?

According to Article 1(2)(f) of the 1993 Directive 'manufacturer' means the natural or legal person with responsibility for the design, manufacture, packaging and labelling of a device before it is placed on the market under his own name, regardless of whether these operations are carried out by that person himself or on his behalf by a third party. As the prohibitions on bringing a medical device to market apply also to the manufacturer of the device, in the case of open source software, this could place the open source project, its developers and its downstream packagers/distributors in danger of being placed in the position of “placing a medical device on the market”.

Requirements on bringing software to market as a medical device

If software is determined to be a medical device, both the 1993 and the 2007 Directives state that it can only be placed on the market if it complies with the essential requirements laid down in the respective Directives. In the Member State legislation this generally appears as a statement to the effect that a medical device can only be placed on the market if it has a CE certification (e.g. §6(1) of the Gesetz über Medizinprodukte). The steps necessary to obtain CE certification for a medical device are referenced in the Member State legislation (e.g. in Germany §7 Gesetz über Medizinprodukte). As seen from the definition of 'placing on the market', it would thus seem that at the point at which software is 'first [made] available', a CE certification should already have been obtained (i.e. the software as a 'medical device' would need to meet the essential requirements at that point). The manufacturer is the legal or natural person who takes responsibility for the initial bringing to market of the medical device.

Non-compliance

The Directives leave it up to the implementing Member State to decide on how to effectively enforce the requirements of the Directive. Non-compliance with national legislation implementing these Directives is punishable, for example, in Germany (§41 MPG), by fine or imprisonment of up to three years of any person who brings a medical device to market contrary to the provisions of §6.1 and §6.2 of the Gesetz über Medizinprodukte. Furthermore, according to §42 of the Gesetz über Medizinprodukte, it is an administrative offence. In Ireland, Section 26 (5) of Statutory Instrument 252/1994 (which implemented the original 1993 Directive) states that a person guilty of an offence under the regulations is liable on summary conviction to imprisonment for a period not exceeding six months or to a fine, or to both. Section 26 (2) of the same regulation makes it clear that if the offence was committed by a body corporate with the knowledge of the officers of that body corporate, then such officers shall also be guilty of an offence.

Open Source Software as a 'medical product'

As can be seen from the foregoing explanation and examples, the question of whether standalone software can constitute a medical device in the context of the Directives has been answered in the affirmative. The question of when such standalone software actually is a medical device is still rather vague. The clarifying statements from the European Commission document MEDDEV 2.1/I from April 1994, which stated that software for handling 'general patient-related data' should not be attributed a 'medical purpose', do not seem to have been incorporated into either the later Directives or the national legislation of the Member States. As such, while it can be assumed that Electronic Medical Record software would not be determined to be a 'medical device', this cannot be stated with certainty. Software which has both an Electronic Medical Record function and an image enhancing function would almost certainly be deemed to be a medical product.

The uncertain legal situation surrounding standalone software as a medical device caused aycan Digitalsysteme GmbH to assess the risk of bringing the LGPL licensed OsiriX (a DICOM viewer for medical images) software to market as such, as too high. Instead, aycan Digitalsysteme decided to bring OsiriX to market as a 'medical device' – i.e. to jump through all the administrative hoops necessary to get a CE certification for the software and to thus reduce legal uncertainty. According to a presentation on “Open Source Software in der Medizin – Chancen und Risiken” by Stephan Popp from aycan Digitalsysteme, getting the software classified, creating a specification for the software, writing a user manual, creating a test plan and bug fixing took two years to complete. The software was thereafter CE and FDA certified as a Class II Medical Device. Customers of aycan Digitalsysteme were thus able to leverage the advantages of the open source software with the benefits of using a registered medical device.

Conclusion

It is quite clear that standalone software can be deemed to be a medical device for the purposes of the Member State legislation implementing the Directives from 1993 and 2007. Uncertainty exists around the question of when exactly software, including open source software, will be deemed to be a medical device. Whereas it would seem that software which simply manages general patient-related data would not fall into the category of 'medical device', software for e.g. determining anatomical positions or software for enhancing images almost certainly would. It has been shown that responsibility for placing a medical device on the Community market can be attributed to the manufacturer and that the 'first making available' of the medical device is the time at which the manufacturer must ensure that the essential requirements of the legislation are met (ideally by securing the necessary certification, as aycan Digitalsysteme did). Failure to fulfil the requirements imposed on a manufacturer of medical devices can have serious consequences – from fines to imprisonment. Furthermore, the avenue of suing for unfair competition would surely remain open to a company which invests considerable resources in obtaining the necessary certification, against a company or individual who does not.

A developer of open source software whose target audience is the medical profession would be well advised to consider the implications of releasing the software. There are doubtless many open source medical applications which more than likely fall outside the scope of 'medical device'. Nonetheless, seeking the advice of a lawyer would be a reasonable step to take, given the uncertainty that currently exists.