Why Software Regulation Matters in Your Hospital
Real incidents that shaped EU software device regulation
Therac-25
Software bug in a radiation therapy machine caused massive overdoses: 6 patients received up to 100× the intended dose. 3 died.
Infusion Pump Hacks
Researchers demonstrated remote manipulation of infusion pump dosing via hospital Wi-Fi. FDA issued alerts for multiple pump brands.
HSE Ransomware 2021
Ireland's HSE shut down all IT systems for weeks. Surgeries cancelled, patient records inaccessible. Cost: €100M+.
500K+
Health apps on app stores globally
82%
of hospitals use connected medical devices
Class IIa+
Most diagnostic SaMD now requires Notified Body
2028
AI Act fully applies alongside MDR
Is It a Medical Device? Visual Guide
The first question: does this software fall under MDR?
IS a Medical Device (SaMD)
AI radiology analysis
Detects tumours in CT scans
ECG interpretation app
Diagnoses arrhythmias from smartphone ECG
Continuous glucose monitor app
Alerts when blood sugar is dangerous
Drug dosing calculator
Calculates chemotherapy doses based on patient data
Sepsis prediction AI
Predicts sepsis risk from vitals and lab results
NOT a Medical Device
Hospital scheduling system
Books appointments, no medical decisions
EHR storage/retrieval
Stores patient records without analysing them
Telemedicine video call
Video platform only, with no diagnosis built in
General fitness tracker
Steps and calories, with no medical claims made
Hospital bed management
Administrative capacity tracking
The Key Test
Ask: "Does the manufacturer intend this software to be used for diagnosis, monitoring, treatment, or prediction of disease/injury?"
If YES, it's a medical device under MDR. The intended purpose, not the technology, determines regulatory status.
SaMD Classification Wizard
Answer a few questions to find out the likely MDR class for any software
Does the software have a stated medical purpose (diagnosis, monitoring, treatment, prediction)?
Rule 11 Classification: Visual Pyramid
How MDR classifies software, from lowest to highest risk
Key Change from MDD: Under the old MDD, most standalone software was Class I (self-certified). Under MDR Rule 11, most diagnostic/therapeutic software is now at least Class IIa, requiring Notified Body involvement.
Class III: Life-Critical
Decisions that could cause death or irreversible harm
Class IIb: Serious Risk
Could cause serious harm or surgical intervention
Class IIa: Moderate Risk
Diagnostic/therapeutic decisions with non-serious, manageable harm
Class I: Low Risk
Monitors non-vital parameters only, no diagnostic decisions
Higher risk = more regulatory scrutiny, Notified Body involvement, and clinical evidence required
AI Act vs MDR: What Staff Need to Know
Two EU regulations, one hospital: here's how they fit together
If AI software is used for a medical purpose, both regulations apply simultaneously
MDR
Safety & Performance
AI Act
Trustworthiness & Transparency
Both Apply
One CE assessment
MDR (2017/745)
AI Act (2024/1689)
What This Means for Hospital Staff
AI diagnostic tool?
Must have CE mark (MDR) AND meet AI Act transparency requirements. You should know how the AI was trained and its limitations.
Human oversight
AI Act requires that high-risk AI decisions can be overridden by a human. Never blindly trust an AI output; verify it clinically.
Procurement checklist
When buying AI-enabled devices, ask for: CE certificate, AI Act conformity, data quality report, and bias testing documentation.
Cybersecurity: Protecting Patients & Data
MDR Annex I §17.2/17.4 makes cybersecurity a legal requirement
Infusion Pump Manipulation
Threat: Attacker changes drug dosage remotely
Impact: Patient overdose or underdose
Defence: Network segmentation, device authentication
Imaging System Ransomware
Threat: CT/MRI systems locked by ransomware
Impact: Delayed diagnosis, cancelled procedures
Defence: Offline backups, patching, incident response plan
Patient Monitor Spoofing
Threat: False vital signs displayed on monitors
Impact: Wrong treatment decisions
Defence: Encrypted communication, tamper detection
EHR Data Breach
Threat: Patient records stolen and sold
Impact: Privacy violation, GDPR fines, loss of trust
Defence: Access controls, encryption, audit logging
EUDAMED & UDI: The EU Transparency System
How every medical device gets tracked across Europe
The 6 EUDAMED Modules
Actor Registration
UDI / Devices
NB Certificates
Clinical Studies
Vigilance & PMS
Market Surveillance
Anatomy of a UDI (Unique Device Identifier)
UDI-DI (Device Identifier)
- Unique to the device model/version
- Identifies manufacturer + specific device
- "Access key" to EUDAMED data
- Changes when safety profile changes
UDI-PI (Production Identifier)
- Unique to the individual unit/batch
- Includes lot number, serial number, expiry
- Enables recall traceability
- Links device to specific patient
On the label: UDI appears in both human-readable (HRI) and machine-readable (barcode/AIDC) format. For SaMD, UDI-DI can be shown in the software's user interface.
Instant device lookup
Faster recall response
Automated inventory
Patient-device linking
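As an added example (not part of this module), the UDI anatomy above can be turned into a small parser that splits a printed or scanned UDI into its DI and PI parts, validates the device identifier, and checks a unit against a recall notice. It assumes the GS1 encoding of UDIs (AI 01 for the device identifier, 10 lot, 17 expiry, 21 serial), which this page does not name; the sample label and recall lots in the comments are constructed.

```python
import re

# GS1 Application Identifiers (AIs) found on UDI labels. Assumption: the label uses
# GS1 encoding (HIBC and ICCBBA are the other EU-accepted UDI issuing entities).
# Value: fixed field length, or None for variable length (ends at GS or next AI).
AI_LENGTHS = {"01": 14, "11": 6, "17": 6, "10": None, "21": None}
AI_NAMES = {"01": "udi_di", "11": "production_date", "17": "expiry", "10": "lot", "21": "serial"}
GS = "\x1d"  # group separator that terminates variable-length fields in scanner (AIDC) output


def gtin_check_digit_ok(gtin: str) -> bool:
    """Validate a GTIN-14 (UDI-DI) check digit: weights 3,1,3,... from the right."""
    if not (gtin.isdigit() and len(gtin) == 14):
        return False
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])


def split_elements(data: str) -> dict:
    """Split a UDI into {AI: value}. Accepts the human-readable '(01)..(10)..' form
    printed on the label or raw scanner output with GS separators."""
    if "(" in data:  # HRI form: each element is (AI)value, running up to the next '('
        return dict(re.findall(r"\((\d{2})\)([^(]*)", data))
    elements, pos = {}, 0
    while pos < len(data):
        ai = data[pos:pos + 2]
        if ai not in AI_LENGTHS:
            raise ValueError(f"unknown or unsupported AI {ai!r} at offset {pos}")
        pos += 2
        length = AI_LENGTHS[ai]
        if length is None:  # variable length: read to the GS separator or end of data
            end = data.find(GS, pos)
            end = len(data) if end == -1 else end
            elements[ai], pos = data[pos:end], end + 1
        else:
            elements[ai], pos = data[pos:pos + length], pos + length
    return elements


def parse_udi(data: str) -> dict:
    """Return UDI-DI and UDI-PI fields, e.g. for the constructed label
    '(01)09506000134352(17)260131(10)LOT123(21)SN456'; reject a corrupt DI."""
    elements = split_elements(data)
    udi = {AI_NAMES[ai]: val for ai, val in elements.items() if ai in AI_NAMES}
    if not gtin_check_digit_ok(udi.get("udi_di", "")):
        raise ValueError("missing or corrupt UDI-DI (GTIN check digit failed)")
    return udi


def is_affected_by_recall(udi: dict, recalled_di: str, recalled_lots: set) -> bool:
    """Recall traceability: the DI names the model, the PI lot pinpoints affected units."""
    return udi["udi_di"] == recalled_di and udi.get("lot") in recalled_lots
```

Expiry is kept as the label's YYMMDD string; a day of "00" means end of month under GS1 rules, so expand it only after checking that case.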
Irish Context: SaMD & the HPRA
Software as a Medical Device (SaMD) falls under HPRA oversight in Ireland. If your hospital is developing or procuring clinical decision support software, confirm its regulatory status with the manufacturer.
The HPRA follows MDCG 2019-11 guidance for qualifying and classifying software, the same framework covered in this module.
This is educational content only and is not an accredited or externally verified course. Always refer to official HPRA publications and your facility's own policies.
Knowledge Check
8 questions · 80% required to pass
Q1. Scenario: Your hospital is evaluating an AI-powered app that analyses chest X-rays and flags potential pneumothorax. The manufacturer markets it as a "clinical decision support tool". Under MDR, is this app a medical device?
Q2. Scenario: A vendor offers your hospital an app that calculates chemotherapy dosages based on patient weight, kidney function, and tumour type. If the app gives an incorrect dose, a patient could die. Under MDR Rule 11, what class would this SaMD likely be?
Q3. Scenario: An app used in your ED triages patients by analysing symptoms and vital signs, assigning urgency scores. A wrong triage could delay treatment for a heart attack patient. What MDR class is most appropriate?
Q4. Scenario: Your hospital's appointment scheduling system also stores patient records but does not analyse, interpret, or make any clinical recommendations. Is it a medical device under MDR?
Q5. Scenario: A security researcher demonstrates they can remotely change the drug dosing on your hospital's networked infusion pumps. Which MDR requirement directly addresses this risk?
Q6. Your hospital is buying an AI-powered radiology tool that will be CE-marked under MDR. A colleague asks: "Does the new EU AI Act apply too, or just MDR?" What is the correct answer?
Q7. A medical device you use daily has been recalled. Using the UDI system, what information does the UDI-PI (Production Identifier) help your hospital determine?
Q8. Your hospital's clinical engineering team is reviewing cybersecurity for connected medical devices. Which of the following should be their FIRST priority?