Review of regulatory requirements in the US, EU and Serbia on software - mobile application as a medical device - state of the art

The number of software - mobile applications intended for use in the field of people’s health and well-being is constantly increasing. The aim of this review is to compare regulations on software – mobile applications as medical devices in the United States of America (USA), European Union (EU) and Serbia, with reference on the efforts for international harmonization of the regulations. The goal is to increase awareness of the broader healthcare professionals’ (HCPs) audience about this topic. Publicly available information from official regulatory bodies websites was analyzed and synthesized for two regions and one country of interest. The results show differences in regulatory approaches in this area between two biggest medical device markets – the USA and the EU, while regulations in Serbia are being harmonized with the EU. Regulations clearly define criteria that software – mobile application needs to meet to be assessed as a medical device; on the other hand, they leave a number of applications that provide health-related services out of the regulated scope. Based on the increased awareness of regulations, recommendations for future research can be directed towards greater involvement of HCPs in patient counseling and decision making regarding the selection of mobile applications, to prevent the use of inadequate mobile applications and ensure that their patients are correctly using the right applications with positive effects on health and well-being.


Introduction
Unlike medicines, for which the regulations for conducting clinical trials and marketing authorizations are clearly defined and highly harmonized among most countries in the world, in the field of medical devices, efforts are still underway to achieve internationally agreed and acceptable guidelines.
IMDRF or the International Medical Device Regulators Forum is a voluntarily organized group, established in October 2011, which brings together representatives of regulatory bodies of different countries involved in the setting of the regulations in the field of medical devices. The aim of this group is to enable the acceleration of the adoption and international harmonization of regulations for medical devices through the work of its task force for global harmonization. The members of the forum as per different regions of the world are USA and Canada, Brazil, EU and Russia, Australia, Singapore, China, South Korea and Japan. The World Health Organization (WHO) is a designated observer (1).
Certainly, a significant challenge for regulating and harmonizing regulations in this area is the fact that medical devices cover a very wide range of different categories and products.
In the 21st century, digitalization is rapidly being implemented in all spheres of life and the use of digital technologies is becoming standard for many processes; therefore, their use in health care is increasing as well.
One of the forms of digital technologies which are very accessible to the general population and can nowadays be developed relatively easily and quickly for various purposes are mobile applications.
The number of applications aimed at improving the health and well-being of people in various ways is growing, and as regulations in this area are not fully defined, software -mobile applications that have not passed special controls or are made by individuals or companies that are not competent to provide health advice can be easily accessible to patients.
One of the main issues recognized by the IMDRF for Software as a Medical Device was that the application of existing regulations and control mechanisms does not anticipate or address specific public health risks of software-mobile applications as a medical device. On the other side, the problem was that they do not ensure appropriate balance between patient or consumer protection and public health promotion by enabling innovation (2).
In more recent years, significant efforts were made to address the identified gaps, with the good example of changes in the EU regulations related to medical devices.
The US market is the leading and largest part of the global market for medical devices, followed by the EU market in the second place (3).
The United States has the longest history of regulation in the field of medical devices. In 1938, the US Congress passed the Federal Food, Drug, and Cosmetic Act (FDCA), which gives jurisdiction to the Food and Drug Administration (FDA) to oversee the safety of food, medicine and cosmetics. The FDCA is a revision of the original Food and Drug Act of 1906, and it introduces stricter criteria for labeling drugs with the need for adequate instructions for safe use. This law introduces the need for manufacturers to prove the safety of the drug to the FDA and obtain a marketing authorization before placing it on the market (4).
Changes in US regulations usually came as a result of adverse events that needed to be prevented. Regarding medical devices, it is important to mention the Medical Device Amendments, which were adopted in 1976, after injuries to thousands of women due to the use of intrauterine devices, to increase the safety and efficacy of medical devices, when categorization of medical devices into three classes was introduced (5, 6).
A more recent change in regulations is the adoption of the 21st Century Cures Act, adopted on 13 December 2016, which is designed to accelerate the development of medical products and enable faster and more efficient delivery of innovations and achievements to the patients (7).
The field of medical devices is also highly regulated in the EU, whose regulations are currently the basis for the harmonization and adoption of national regulations in the Republic of Serbia.
The aim of this review is to analyze and compare regulatory requirements that define the use of software -mobile applications as medical devices in the US and the EU as leading participants in the process of setting regulations at the global level.
An additional goal of this review is to assess current regulatory requirements for software -mobile applications as medical devices in Serbia, as a country of interest, and compare them with the US -EU requirements.
The intention of the paper is to bring this topic closer to a wider healthcare professionals' public, allowing HCPs to stay well informed and understand when a software -mobile application falls under the regulation for medical devices, and when it does not.

Materials and methods
The literature review included the collection and synthesis of information and data from publicly available documents from the official websites of regulatory bodies and organizations dealing with the topic of software -mobile applications as medical devices.
For the US, primarily the FDA data available at https://www.fda.gov/ and the United States Code data available through the Office of the Law Revision Counsel at https://uscode.house.gov/ were used.
For the EU, primarily the European Commission data available at https://ec.europa.eu/health/index_en, as well as EU regulations available at https://eurlex.europa.eu/homepage.html were used.
For Serbia, primarily the data of the Agency for Medicines and Medical Devices of Serbia were used, available at https://www.alims.gov.rs/ciril/.
For international harmonization of regulations, primarily the data of the IMDRF available at https://www.imdrf.org/ were used.
The available data regarding software -mobile applications were extracted, synthesized by region/country and compared.

Results and Discussion
Regulations in the United States related to software -mobile applications as medical devices In the United States, the adoption of regulations relating to food and medicine, including software -mobile applications as medical devices, is the responsibility of the Congress, and all U.S. laws are organized on topics within the United States Code. Current regulations regarding software -mobile applications are found under Title 21, and Chapter 9 is titled Federal Food, Drug and Cosmetic Act (8,9).
In the United States, in accordance with current regulations, a software -mobile application can be defined as a contrivance which is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes.
In accordance with Title 21 section 360J (o) (Regulation of medical and certain decisions support software) (10), the definition of a medical device does not include software with the following functions: 1. To provide administrative support of a health care facility, taking into account financial and billing activities, patient information and visit scheduling, data analytics and other similar functions; 2. To encourage or maintain healthy lifestyle which is not related to the diagnosis or handling of a disease; 3. To act as an electronic patient record, with the intention to transfer, store, convert or display them as an equivalent of a paper medical chart. The function of such software is not to interpret or analyze patient data, as such data are to be handled by health care professionals; 4. To be used for transfer, storage, format conversion or displaying of laboratory tests or other clinical data by a health care professional. The function of such software is not to interpret or analyze data.
Those four mentioned criteria that can exclude software from being considered a medical device are not applicable if the function of the software is to acquire, process or analyze a medical image or a signal from device with the intention to -display, analyze or print medical information; -provide recommendations or support health care professional about decisions on how to handle a disease or condition; -enable health care professional to independently review the basis of software recommendations so that a health care professional is not primarily relying on software recommendations to make a decision for a particular patient.
The regulation allows the possibility that software from mentioned categories can be considered to be a medical device in case it is determined that, based on experience, a certain medical device is likely to have serious adverse effects on health. The regulation provides procedures on how and when other classification approaches can be applied and decisions made related to a specific medical device.
Medical devices classification into three classes, applicable for software -mobile applications, is defined within the Title 21, Chapter 9, Subchapter 5 (11).
Class I includes devices for which the general controls defined in the regulations can prove effectiveness and safety, and devices that fall into this class are most often exempt from the need to send a notice to the FDA before marketing.
Class II includes devices where safety and effectiveness can be demonstrated by special controls defined in regulations, and for this category of devices it is usually sufficient to send a notice to the FDA (510k Pre-market notification) before placing it on the market.
Class III includes devices for which safety and effectiveness cannot be demonstrated by general and special controls defined in regulations, and these devices require an FDA pre-approval procedure (PMA) (11,12).
Under the Device Software Functions and Mobile Medical Applications policy, issued by the FDA, software functions are divided into software as a medical device (SaMD) and software within a medical device (SiMD) (13).
In this policy, a mobile application or "mobile app" is defined as: "a software application that can be executed (run) on a mobile platform or a web-based software application that is tailored to a mobile platform but is executed on a server".
The policy further defines Mobile medical applications (MMA) as mobile applications whose function meets the criteria from the definition of a medical device, and which are meant to be used as an addition to a regulated medical device or to transform a mobile application into a regulated medical device.
The FDA does not regulate software features/mobile applications that do not meet the criteria for a medical device.
For the following software features/mobile medical applications that meet the criteria for a medical device and have a low risk to the patient, the FDA may apply enforcement discretion not to enforce the prescribed requirements: -To help patients or users to self-manage their disease or conditions but not by providing treatment suggestions; -To enable automation of simple tasks for health care providers; -To provide or make supplemental clinical care easier for patients, by coaching or prompting them to manage their health in their daily environment; -To provide easy access to information for patients regarding their related health conditions or treatments by using their specific information and matching them with reference information routinely used in clinical practice; -To help communication between patients and healthcare professionals by creating and providing patient specific data or information to healthcare professionals; -To perform simple calculations that are regularly used in clinical practice.

Regulations in the European Union related to software -mobile applications as medical devices
In the European Union, the Parliament and the Council are in charge of adopting regulations for all medical devices, including software -mobile applications at the European Union level.
To enable better protection of patients using software -medical devices, as well as ensure patient safety related to the use of any other medical devices, there is currently an ongoing process of replacing the existing three directives with two new regulations aimed at modernizing and strengthening regulations in this area. Additional Regulations 2020/561 and 2022/112, adopted due to the public health crisis caused by the COVID19 pandemic, have postponed the start of implementation of Regulation 2017/745 to May 26, 2021 and amended the transitional provisions of Regulation 2017/746 for certain in vitro diagnostic medical devices and the application of conditions for internal devices (14).

Table I Overview of directives and regulations for medical devices in the European Union (15-21)
In order for a software -mobile application as a medical device to be placed on the market in the European Union, it is necessary to go through the review process with applicable regulations, which is performed by the competent body for conformity assessment defined by the member states. As standard for all medical devices, the certificate of conformity for softwaremobile applications is represented by the CE (Conformité Européenne) mark. With this mark the manufacturer indicates that the software -mobile application is in compliance with the applicable requirements set out in regulations. Each compliant software -mobile application receives its own Unique Device Identifier (UDI), presented as a sequence of numerical or alphanumeric characters which are created by using internationally accepted standards for the identification and coding of medical devices that allow unique identification of a specific medical device on the market.

UDI is divided into Device Identifier (UDI DI) and Product Identifier (UDI PI).
For software, UDI is assigned at the system level, and only for software that is commercially available as standalone, or software which constitutes a device in itself.
For minor software revisions which are not linked with safety purposes, security patches or operating efficiency (bug fixes and usability enhancements as examples), only the UDI PI changes, while the UDI DI is not affected.
As per Regulation (EU) 2017/745 (18) and given specific medical purposes, software -medical device can be defined as software intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the below mentioned specific medical purposes, which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.
Specific medical purposes as per regulation may be: a) Diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease; b) Diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability.
As per the same regulation, software is additionally classified in the category of active devices, which means that the operation of the device depends on a source of energy that is not generated by the human body or by gravity, and which acts by changing the density of that energy or converting it.
Annex VIII to Regulation (EU) 2017/745 (18) defines the rules for the classification of software -mobile applications, as well as other medical devices, and emphasizes that the application of the rules must be guided by the intended use of the medical device.
If software -mobile application is intended for use in combination with another medical device, each device must be classified separately.
Software, which drives a device or is influencing the use of a device, is to be classified in the identical class as that device. Table II shows the distribution of software -medical devices by class, depending on the intended use and risk for user.  In contrast to regulations, guidance documents are not legally binding and reflect the positions of parties that were consulted in the document preparation process.
Mobile application as such is not defined in the Regulation documents, but guidance documents clarify that criteria defined for software as medical devices apply to mobile applications as well (22,23).
The Guidance on qualification and classification of software (24) additionally defines Medical Device Software (MDSW) as software that is intended to be used, alone or in combination, for a purpose as specified in the definition of a "medical device" in the medical device's regulations.
In the context of this review, it is important to notice that since 2020 United Kingdom (UK) is no longer part of the EU and has a separate set of regulations, which are in general highly harmonized with the EU requirements.
The UK Medicines and Healthcare products Regulatory Agency (MHRA) has a Guidance document for medical device as stand-alone software that includes (mobile) apps. This document provides practical aspects for software -mobile application classification and differentiation concerning whether an app is a medical device or not for both professional and lay users (25).

Regulations in Serbia related to software -mobile applications as medical devices
In the Republic of Serbia, the field of medical devices including software -mobile applications is regulated by the Law on Medical Devices adopted by the National Assembly of the Republic of Serbia and published in the Official Gazette, "Official Gazette of RS", no. 105/2017 (26).
By law, medical devices are divided into general, in vitro diagnostic and active implantable medical devices.
Software belongs to the category of general medical devices and its definition is fully harmonized with the current definition in the European Union.
According to the degree of risk for the user, software -mobile applications, as general medical devices, are divided into medical devices with low degree (class I), low to medium (class IIa), medium to high (class IIb) and high (class III) degree of risk for the user.
The classification of medical devices is further regulated by the Rulebook on essential requirements for medical devices (27), which is also harmonized and refers to the regulations of the European Union.
The Agency for Medicines and Medical Devices of Serbia is responsible for the registration of all medical devices including software -mobile applications. Register (28) of all registered software -mobile applications classified as medical devices is available on the Agency's website, where it can be easily checked which software -mobile applications are registered for use in the country. Table III shows a comparison of the main similarities and differences in the regulation of software -mobile applications as medical devices in the US, EU and Serbia.

IMDRF main considerations related to mobile applications as medical devices
The IMDRF defined software as a medical device as software intended for use for one or more medical purposes, which performs its purpose without being part of a hardware medical device (2).
Mobile applications that meet the defined requirements are included in the group of software as medical devices.

Future research
Software -mobile applications that do not meet the requirements for a medical device, and thus do not go through the review process in accordance with national regulations, but are intended for use in the field of health and well-being of people, are available on the market. Therefore, regulations, practical use and role of HCPs in the field of mobile applications that are not classified in the category of medical devices are an important topic for further research. Special focus should be placed on software -mobile applications that can be used by patients with chronic diseases, which is an area with fastgrowing needs for HCPs support, where some applications which are not classified as medical devices can be useful and contribute to the health and well-being of the individual, but require greater caution, verification of intended use and credibility of manufacturers. It would be useful to understand whether HCPs have regulatory knowledge and can distinguish between various software -mobile applications available on the market with the intended use of improving the health and well-being of people, and how competent are they to support their patients in this area. Further research can lead to the improvement of HCPs' awareness and increased understanding, in order to allow them to better support patients in the selection of software -mobile applications that they use, thus contributing to a reduction in inadequate software applications and an increase in the proper use of mobile applications that can actually improve patients' health and well-being.

Conclusion
Based on the review of regulations, we can conclude that in the USA, EU and Serbia, the conditions which software -mobile applications need to meet in order to be considered medical devices are defined, and when those conditions are met, regulated requirements for marketing authorization of a medical device are applied.
On the other hand, the regulations for medical devices do not apply to softwaremobile applications that do not belong to any of the categories of possible intended use from the definition of a medical device, although their intended use is to improve the health and well-being of an individual.
Software -mobile applications as medical devices are differently regulated in the USA and the EU, which represent the largest markets for medical devices, while the regulations in Serbia are directed towards harmonization with the EU regulations.
The existing differences in the regulation of this area require additional efforts to achieve internationally harmonized regulations.
Understanding the legal framework and conditions that software -mobile applications must meet in order to be considered medical devices provides a basis for HCPs practical decision-making and taking a more active role in supporting patients in the proper selection of software -mobile applications.