software that drives a medical device or determines how it is used;
software that acts as an accessory to a medical device;
software used in the design, production, and testing of a medical device; or
software that provides quality control management of a medical device.
History
Medical software has been in use since at least the 1960s, a time when the first computerized information-handling system in the hospital sphere was being considered by Lockheed. As computing became more widespread and useful in the late 1970s and into the 1980s, the concept of "medical software" as a data and operations management tool in the medical industry — including in the physician's office — became more prevalent. Medical software became more prominent in medical devices in fields such as nuclear medicine, cardiology, and medical robotics by the early 1990s, prompting additional scrutiny of the "safety-critical" nature of medical software in the research and legislative communities, in part fueled by the Therac-25 radiation therapy device scandal. The development of the ISO 9000-3 standard as well as the European Medical Devices Directive in 1993 helped bring some harmonization of existing laws with medical devices and their associated software, and the addition of IEC 62304 in 2006 further cemented how medical device software should be developed and tested. The U.S. Food and Drug Administration has also offered guidance and driven regulation on medical software, particularly software embedded in and used as medical devices.
Medical device software
The global IEC 62304 standard on the software life cycle processes of medical device software defines it as a "software system that has been developed for the purpose of being incorporated into the medical device being developed or that is intended for use as a medical device in its own right." In the U.S., the FDA states that "any software that meets the legal definition of a device" is considered medical device software. A similar "software can be a medical device" interpretation was also made by the European Union in 2007 with an update to its European Medical Devices Directive, when "used specifically for diagnostic and/or therapeutic purposes." Due to the broad scope covered by these terms, manifold classifications can be proposed for various medical software, based for instance on their technical nature, on their level of safety, or on their primary function.
Software as a medical device
The dramatic increase in smartphone usage in the twenty-first century triggered the emergence of thousands of stand-alone health- and medical-related software apps, many falling into a gray or borderline area in terms of regulation. While software embedded into a medical device was being addressed, medical software separate from medical hardware — referred to by the International Medical Device Regulators Forum as "software as a medical device" or "SaMD" — was falling through existing regulatory cracks. In the U.S., the FDA eventually released new draft guidance in July 2011 on "mobile medical applications," with members of the legal community such as Keith Barritt speculating it should be read to imply "as applicable to all software... since the test for determining whether a mobile application is a regulated mobile 'medical' application is the same test one would use to determine if any software is regulated." Examples of mobile apps potentially covered by the guidance included those that regulate an installed pacemaker or those that analyze images for cancerous lesions, X-rays and MRI, graphic data such as EEG waveforms as well as bedside monitors, urine analyzers, glucometers, stethoscopes, spirometers, BMI calculators, heart rate monitors and body fat calculators. By the time its final guidance was released in late 2013, however, members of Congress began to be concerned about how the guidance would be used in the future, in particular with what it would mean to the SOFTWARE Act legislation that had recently been introduced. Around the same time, the IMDRF was working on a more global perspective of SaMD with the release of its Key Definitions in December 2013, focused on "a common framework for regulators to incorporate converged controls into their regulatory approaches for SaMD."
Aside from describing SaMD as "not necessary for a hardware medical device to achieve its intended medical purpose," the IMDRF also found that SaMD couldn't drive a medical device, though it could be used as a module of or interfaced with one. The group further developed quality management system principles for SaMD in 2015.
International standards
IEC 62304 has become the benchmark standard for the development of medical device software, whether standalone software or otherwise, in both the E.U. and the U.S. Innovation in software technologies has led key industry leaders and government regulators to recognize the emergence of numerous standalone medical software products that operate as medical devices. This has been reflected in regulatory changes in the E.U. and the U.S. Additionally, quality management system requirements for manufacturing a software medical device, as is the case with any medical device, are described in the U.S. Quality Systems Regulation of the FDA and also in ISO 13485:2003. Software technology manufacturers that operate within the software medical device space are required to develop their products in accordance with those requirements. Furthermore, though it is not mandatory, they may elect to obtain certification from a notified body, having implemented such quality system requirements as described within international standards such as ISO 13485:2003.