Don't know where to start? Watch our free starter videos and save lots of time and consultant fees

Articles Getting Started

June 17, 2020

Start Here: The Blueprint for Certifying Medical Software

Dr. Oliver Eidel

Besides curing cancer and achieving nuclear fusion, getting software certified as Medical Device seems to be the most complex endeavour known to mankind.

Well, actually, certifying software as a Medical Device is pretty simple - once you know what to do. Unfortunately, a whole consultant industry has spawned around this topic and most consultants are paid by the hour. So a lot of people are incentivized to make this very complex.

But that’s not you. You want to get stuff done in a simple way. So here’s a step-by-step guide. Good luck!

What Does This Apply To?

This only applies to the EU (MDR, and partially IVDR). We don’t have much experience with FDA certifications. There is probably a lot of overlap as many of the standards are the same.

Roughly speaking, you can split the work into two areas: Company-wide stuff and product-specific stuff.

On a company-wide level, you need to establish a Quality Management System (QMS) which is compliant with ISO 13485.

And on a product level, you need to write so-called Technical Documentation for each product.

Follow These Steps

Write Your Intended Use

Write down what your software does and in which context it is used. This is not only your starting point, but the most important document for your regulatory compliance. It determines whether you are a medical device or not.


Intended Use for Software as a Medical Device


Next, it’s important for you to know which Medical Device Class your software belongs to.

Device Classification

The so-called class of your Medical Device determines what you have to do to get it certified. This can have a huge impact: Class I Medical Devices under MDD don’t need an external audit, so you can bring it to market as soon as you’re ready!

So you need to be very sure of this before you get started. I wrote a separate article on this topic.


Medical Device Classification


Found Your Company

For class II and III products, you need a Notified Body to audit your Quality Management System and Technical Documentation. The prerequisite for entering a business relationship with one of those is that your company already exists.

This often puts startups in a tricky spot: Often they’re not founded yet, or they’re still part of some parent organization like an University or an incubator.

There’s not much you can do about this. Just found your company.

Buy and Read Standards

You might assume that the standards you have to comply with are freely available. Nope! But the good news is that there’s a hack which allows you to access them for reasonable prices.

Now you’re probably thinking “Damn, I don’t have time to read those standards”. But do you have to read them? Yeah, you sure do.


Accessing Standards For Less Than 30€


Find a Notified Body

Unless your device is classified as class I, you now need to find a Notified Body. Those are companies who are allowed to audit medical device manufacturers and certify their devices.


Choosing a Notified Body


Do Clinical Evaluation

You need to do your clinical evaluation which provides evidence for the medical benefits of your software.


Clinical Evaluation Report (CER) For Medical Devices: 3 Easy Steps


Hire or Train Regulatory People

There are two sorts of people you must have as a medical device manufacturer:

  1. A person responsible for regulatory compliance under MDR, or under MDD a medical device safety officer
  2. At least one medical device consultant

Here’s how to get them.


People You Need: Person Responsible for Regulatory Compliance, Safety Officer, Medical Device Consultants


Set Date for QMS Audit and Technical Documentation Hand-In

Once you’ve found a Notified Body, it’s time to set some dates with them. You’ll be setting two dates:

  1. The QMS audit: Typically, three days (!) in which an auditor drops by and checks out your company.
  2. Technical Documentation hand-in: A deadline until when you plan to hand in your Technical Documentation of your product.

So you need to do some planning and estimations. For 1., you need to estimate until when you can set up your QMS until it’s ready to be audited. For 2., you need to know until when your product will be completely developed.

Speaking from experience, all companies miss all deadlines, always. So estimate conservatively. And have a plan B for what to do once you miss your deadline. Inform your Notified Body early enough, you won’t be the first company to postpone their audit.

Got those dates? Then let’s get down to work.

Company-Wide: Quality Management System

You need to implement a Quality Management System in your company based on ISO 13485. That’s a standard.

What does that mean? The ISO 13485 is mainly about processes. It states that your company has to have certain processes which are described there. For example, a process to handle customer complaints. And a process to evaluate suppliers before purchasing things from them.

You need to set up those processes in your company and document them, e.g. by having flowcharts or writing them down. You also need to prove that you’re actually adhering to those, so if your customer complaint process says that you always send flowers to your customers, you better have some flowers lying around to prove it! That was a joke.

I’ll write an article about setting up a 13485-compliant QMS in the future.

Product-Specific: Technical Documentation

For each product you want to certify, you need to create documentation. It’s called “Technical Documentation”. It needs to cover some very specific things which are stated in certain standards: The IEC 62304 for your Software Lifecycle, the ISO 14971 for Risk Management and the IEC 62366 for Usability Engineering.

While these standards also make you implement some processes, more importantly, they specify what the output of those processes should be. For example, you need to write a Software Development Plan. And you need to conduct User Testing with your (final) software.


Writing Technical Documentation


On a slighty different note: You want to get your medical software certified under MDR but don't know where to start? No worries! That's why we built the Wizard. It's a self-guided video course which helps you create your documentation yourself. No prior knowledge required. You should check it out.

Or, if you're looking for the most awesome (in our opinion) eQMS software to manage your documentation, look no further. We've built Formwork, and it even has a free version!

If you're looking for human help, did you know that we also provide some limited consulting? It's limited because we are not many people. We guide startups from start to finish in their medical device compliance.

Congratulations! You read this far.

Get notified when we post something new.

Sign up for our free newsletter.

Dr. Oliver Eidel

I'm a medical doctor, software engineer and regulatory dude. I'm also the founder of OpenRegulatory.

Through OpenRegulatory, I've helped 100+ companies with their medical device compliance. While it's also my job that we stay profitable, I try to dedicate a lot of my time towards writing free content like our articles and templates. Maybe that will make consulting unnecessary some day? :)

If you're still lost and have further questions, reach out any time!


If you have any questions or would like to share your opinion publicly, feel free to comment below. If you'd like to reach out privately, send us a message.

No QMS on this planet will save you from creating crappy software.