Quality requirements for apps
As more and more apps become available on the market, it has become harder for users to know which apps are worth obtaining. For developers, a set of rules for the approval of an app is complex, and new requirements are on the way.
We are seeing a steady flow of innovative products and services in many areas within healthcare technology. The area where the development is most rapid is probably apps for mobile platforms. As you could read about here in Medicoteknik earlier in the year, the use of apps for mobile telephones and other online devices is one of the biggest trends. Our world is teeming with apps, and it is not always easy to know which are good and which are bad, what works and what doesn’t work. And most important of all; is the app safe to use? And perhaps even more importantly; how do you develop a safe app?
How do you assess the quality of an app?Of course, you can do a search of app reviews, but this provides no guarantee that the app has been developed and tested with consideration for quality and security. No recognised quality stamp exists generally for healthcare apps, which could help the user or the app developer.
If the app can be considered to fit the definition of ‘medical device’, then there is help available, as it is then legally required to have a CE mark. The CE mark indicates that the app developer, as the marketing party, guarantees that the app complies with current requirements for safety and performance, as required in the European Medical Directive 93/42/EEC.
When can an app be considered a medical device?In brief, apps that are used as reminders to take pills, do exercises or remember a medical consultation are not categorised as medical devices – in Europe. Nor are apps for communication purposes or apps with general information about a disease or ordinary fitness training apps categorised as such.
If the app is intended, for example, to keep an eye on insulin levels, has a function that calculates medicine dosage or suggests diagnoses, then it is a medical device. In general, you can say that when the app is used in connection with diagnostics, treatment of disease or remedying of a handicap or injury and is for the benefit of the individual patient, then it is covered by the legislation for medical devices (see also the Danish Medicines Agency’s guidelines “Guidelines for citizens on healthcare apps and software as medical devices”).
Significance of the CE marking – what does the app developer need to go through?The CE marking may only be used on the software if the app developer can document that the medical directive has been complied with. It hides a number of standards that are supposed to be followed. Key to all these requirements is safety and effectiveness.
A person cannot directly come to harm from a smartphone app, but the app can contribute towards an injury occurring. In this way then there can be a risk associated with using an app. For example, a rounding error can cause a suggested dose of medicine that is too low. If the doctor prescribes according to the app’s suggestion, and the patient takes this dose, then there is a risk of more or less serious side effects and in the worst-case scenario, a blood clot.
One of the most important elements in CE marking is risk management. This involves analyses being performed throughout the entire development process on how a potential error in the software could contribute to patient injury. Inventing one’s own analysis methods is permitted, but it must be possible to prove the validity of the method to the authorities. It is therefore recommended that recognised methods are used, as referred to in relevant standards and guidelines. Each time you decide to make a change to your software, a risk assessment must be carried out wherein it is considered whether the new feature, bug fixing, change in user interface or other can contribute in any way to the occurrence of injury.
One method of preventing errors and thereby reducing the risk of injuries is to develop the app according to documented processes. The basis for the CE marking requires the software developer to install and work according to established processes, including beyond the work with risk management. There are specific requirements for the drafting of a development plan and establishment of processes for the handling of changes, bug fixing, configuration management and maintenance of the app. It is required that the app is developed structurally on the basis of documented, set architecture, requirements and specifications and naturally, testing of the app on various levels depending on how safety critical the software is assessed as being.
Besides safety, authorities as well as users naturally require an app to work clinically and for it to be used as intended. It is up to the app developer to show that the app can be used clinically and gives the expected results. In some cases, clinical evidence can be demonstrated via trials and studies reported in literature, e.g. if others have used the same algorithms or medical protocols. While this may sound simple, it requires a comprehensive literature search that includes both good results and bad ones, as well as studies and reporting. Literature is not always adequate evidence and in which case it will be necessary to carry out a clinical study with actual patients.
Usability is something all app developers will no doubt be familiar with. In the case of medical devices this requires that usability is assessed and tested. There is however a small difference in terms of the normal perception of the term, as here there must be a focus on the app being used without the user being able to make mistakes that would give rise to injury. For example, this could be that critical patient levels are not marked clearly enough, so the doctor overlooks them. This adds an aspect to the usability that requires more work, but increases safety in use of the app.
Innovation and CE markingThe activities described above will take time. It will often prove however that the hardest thing, and the one many regard as the biggest pain, is the documentation itself. A great deal more documentation of the software itself as well as the activities performed is required than for non-regulated software. Architecture, requirements, specifications, test protocols, error reports, validation etc. must be documented and filed.
This means that it will take longer to get the app into use, and it will be more expensive compared to ordinary health apps. Today the CE marking is a self-declaration for the vast majority of apps, whereby the developer/manufacturer can CE mark the app without the involvement of a Notified Body, which assesses the documentation on behalf of the authorities.
In principle, the app developers can ensure the regulatory requirements are met themselves by studying relevant standards, establishing activity plans and documentation. What is often seen however is that app developers recognise the sheer scale of carrying out this task themselves, especially if they do not have the regulatory preconditions for it. It is extremely time demanding, and there is a big risk that it will hinder the rapid innovative development. It can thus only be recommended that the developers of new apps make sure to ally themselves with some regulatory qualified experts, who can help them move quickly towards a valuable CE mark.