The purpose of this article is to highlight new facets of EU Medical Device Regulation (MDR) in the medical device industry. The article contains references to both MDR legal articles and recommendations that will challenge organizations to take a more holistic viewpoint of their products, resources, and regulatory toolkit to be compliant in the EU.
The application date of 2017/745 MDR1 is 26 May 2021, when it will officially supersede the 93/42/EC Medical Device Directive (MDD) that came into effect in 1993. Medical device companies that market their products in the EU are now responsible for meeting new, comprehensive requirements and compliance expectations during the entire lifecycle of their products.
Every medical device manufacturer, importer, and distributor who wants to continue marketing their product into the EU or initiate business in the EU after 26 May 2021 will be responsible for MDR compliance.2 This is a significant change for many different organizations around the world. The rigor required by EU notified bodies will affect the time and resources companies need to become Medical Device Regulation compliant based on the risk of the device.
Have questions about MDR Implementation? Contact Us Now →
Lifecycle management in the medical device industry is constantly evolving because of new legal regulations; the complex risks associated with modern technology; the more advanced levels of oversight for legacy products; and increased exposure of development cycle process gaps. These changes present a challenge for notified bodies to become accredited under the new regulations, resulting in a smaller number of MDR-designated notified bodies.
Consequently, the timelines for conformity assessments of quality system and technical documentation have also increased. This directly challenges organizations to develop more proactive lifecycle strategies when preparing to obtain their CE mark,3 the formal sign of conformity received from a notified body indicating that the device has met both quality system and technical documentation requirements of the EU Medical Device Regulation and can be placed in the EU market.
The foundation of MDR legislation is based on historical product lifecycle issues and quality concerns. These new legislative parameters are designed to drive an increase in both regulatory education and corporate accountability across the entire industry.4
Economic operators in the supply chain become responsible for reporting complaints to the device manufacturer, which includes registering medical devices distributed across their supply chain to healthcare providers. Notified bodies also now have a legal responsibility based on product lifecycle quality control and can be held liable based on the manufacturer device class.
Postmarket surveillance (PMS), vigilance, and market surveillance are covered in articles 83-100 of the MDR, and address/cover the following:5
PMS and vigilance activities are meant to drive awareness and initiate field corrective actions addressing field-related issues. In addition, these activities help assure sufficient knowledge of an evolving device technology landscape to assess the benefit-risk profile for a medical device.
PMS as described in the articles 83-86 is designed to increase the accountability and reporting visibility of data included in clinical evidence plans and reports. Vigilance, as described in the articles 87-92, tend to be more reactive and deals with reporting of serious incidents and field safety corrective actions.
An effective PMS program provides:
- Real-world experience using a broad spectrum of physicians and patients, outside the confines of pre- and postmarket trial(s);
- Early warning signs of problems by continuously and systematically collecting and evaluating data;
- Incentives for early corrective action, such as initiating corrective and preventive actions or a device recall;
- Increased compliance with relevant legislation; and
- Additional value beyond compliance (e.g., usability).
Vigilance defines the type of incidents that medical device companies report, which can affect the long-term risk associated with both the device class and timelines for recertification. Guidance documents from the Medical Device Coordination Group can clarify the interpretation of the new regulation and increase understanding of the planning and resources needed from the manufacturer based on these new risk qualifications.
Manufacturers will need to be agile enough to react to the data analysis and quickly address necessary corrective actions. Having a cross-functional triage process driven by risk management can help the regulatory team make appropriate risk-based decisions. Through the analysis, the benefit becomes a deeper understanding of periodic safety, complaints, literature, and overall performance of the device.
One should also consider need for oversight of current products already sold in the marketplace. Reporting must be approved by the person responsible for regulatory compliance, and clinical approval relies on the expertise of the individual creating the reporting.
Risk management processes to gather information from the field will help address the severity of new issues or recurrence of existing issues. Manufacturers and organizations will now have accountability to remedy issues and have accountability if recurring or existing issues are not resolved. Senior level executives must drive accountability throughout the organization to increase the level of accountability by the entire regulatory and quality assurance team.
Many medical device companies are learning as they go while still conducting their necessary daily business. They should also consider how much new accountability is needed across their respective enterprises. There are new educational resources that can help companies understand the regulation and resulting accountability gaps, but a greater level of investigation will be achieved primarily through a detailed internal audit.
Unique Device Identifier (UDI)
The incorporation of unique device identifiers (UDIs) in the Medical Device Regulation will help with the traceability of devices, similar to the US Food and Drug Administration UDIs, and will enhance the effectiveness of PMS and vigilance. The UDI requirements define a more targeted approach to field safety corrective actions and supply chain monitoring, including the prevention of potential counterfeit products. UDI activities comprise of UDI registration, obligation to place UDI on devices, and UDI data submission.
The implementation of MDR UDI has different timelines, depending on the device classifications, but all devices need to complete the UDI registration to obtain a basic UDI device identifier (DI) from one of the issuing entities, such as GS1 or the Health Industry Business Communications Council.
The basic UDI-DI is the primary identifier referenced in the technical documentation and the main key for records in EUDAMED, the European database for on medical devices. The obligation to place UDI on devices and UDI data submission will be required on 26 May 2021 for Class III and implantable Class IIb devices; on 26 May 2023 for Class IIa and non-implantable Class IIb devices; and 26 May 2025 for all Class I devices.
In addition, there should be a strategy in place for legacy devices if the new elements of MDR regulation are to be completed. The UDI label design for packaging configurations should be considered to ensure compliance with the increased regulatory expectations in the delivery channel.
The potential for harmonization within the medical device industry is increasing as the industry moves closer to a universal label based on requirements from multiple countries and regulatory bodies. Translations may differ slightly between countries because of on language variations, but the device tracking process should be easier once the label is finalized and regulatory approval is given.
Traceability and market surveillance will invite new analyses beyond the design and application of the label.
The requirements notified bodies have to meet under the EU MDR are extensive and are listed on Annex VII of the EU MDR.6 With the new regulation, there will be fewer notified bodies than the number of MDD-designated, so companies should find and engage with their notified bodies as early as possible in the regulatory submission process. MDD legislation allowed for a less stringent certification process for lower-risk classes of devices.
With new MDR compliance standards now in place, medical devices that were previously in one class may move into another level of risk. This may increase the accountability needed for select product lines and application use cases.
Be deliberate about reviewing the product portfolio and recognize there may be changes needed in the expertise within the regulatory team. Employees could be cross-trained over time to facilitate compliance within the new MDR process and work with the different notified bodies.
In addition, not all notified bodies have the technical capabilities for performing conformity assessment for all types of devices and technologies, which may also present challenges and slow down the assessment process.7
If a product’s classification requires involvement of a notified body for conformity assessment, it is worth noting that successful teams often engage early with their notified body to align with their expectations based on the risk level of their products.
Under MDD, notified bodies also had a consultative opportunity to counsel companies, but that will no longer be available to medical device companies. Without this advisory input from the notified body, companies are at risk of legal liabilities as they try to meet the MDR requirements on their own.
It is therefore important they address ways to compensate for no longer having advisory input from the notified body, for example, by working with a consultant who is not associated with the notified bodies. In addition, the regulatory team should identify the professional skill sets needed for engaging with a notified body and develop educational strategies for training employees who will be working with a notified body for the first time.
Manufacturers commonly have questions during postmarket surveillance about understanding the difference between what is, and what is not, state-of the-art in design. For the sake of clarity, “state of the art” is intended to define new products that have been developed and approved for sale. This is unique to devices that are already in the field and have some form of legacy CE marking. A new device cannot be considered state of the art until this updated regulatory approval is given.
The term “state of the art” is a widely used term but was specifically defined within the medical device context in ISO/IEC Guide 63:2019,8 which says state of the art is the “developed stage of technical capability at a given time as regards products, processes, and services, based on the relevant consolidated findings of science, technology, and experience.”
EU MDR mentions the term “state of the art” 12 times but does not define it. MEDDEV’s Clinical Evaluation document9 describes it as the current knowledge/state of the art in the corresponding medical field, such as applicable standards and guidance documents, information relating to the medical condition managed with the device and its natural course, benchmark devices, other devices and medical alternatives available to the target population.
As new technologies build upon existing platforms, the intent of the term is to ensure that a proposed device technology is considering the benefits and risks of the similar existing devices that are on the market. The objective being driven by EU MDR and notified bodies is that a proposed device technology meets, at a minimum, the current benefit and risk profile or is able to improve upon the existing profile for similar devices.
Software as Medical Device (SaMD)
The technology landscape for medical devices is quickly evolving as new devices such as software as a medical device, wearables, and combination products come to market. The challenge for manufacturers is to be aware of the benefits and risks related to the device technology under development.
Demonstrating an understanding of state of the art and incorporating it into the design and development processes will lead to favorable conformity assessment with a notified body. EU MDR raises the bar on the requirements toward having robust postmarket surveillance, vigilance, and clinical evaluation programs. These programs help manufacturers demonstrate to a notified body that their device technology will go to market with an acceptable benefit-risk profile.
Clinical evaluation validates the intended use of a medical device and establishes the safety and efficacy in a clinical setting.10 A critical facet of the MDR is to obtain CE marking through the conformity assessment process. There are unique standards and protocols that have been established and must be followed when developing CE marking for regulatory approval.
CEP and CER
The Medical Device Regulation has increased the amount of supporting data medical device companies need to provide to with their submissions for approval of a clinical evaluation, which includes monitoring the performance and intended use of a product based on standards of efficacy. Two of the critical steps of Medical Device Regulation include generating a clinical evaluation plan (CEP) and clinical evaluation report (CER).
Clinical Evaluation Plan (CEP)
The CEP presents the rationale, objectives, design, methodology, monitoring, statistical considerations, organization, and conduct of a clinical investigation. It is the blueprint for demonstrating how the device will meet clinical and performance claims made in the intended purpose throughout its lifecycle. The Medical Device Coordination Group has not published a template for CEP, although it has one for the clinical evaluation assessment report and provides guidance on templates for the PMCF evaluation report and PMCF plan.
The CEP is tightly coupled with PMS, risk management, and usability of the device. As an example, if the usability aspect of a product fails to perform during the clinical investigation as anticipated, then the regulatory or clinical team may incorporate those usability failures as part of the clinical evaluation plan to inform later PMS, risk management, and usability considerations. Other inputs for the CEP include, but are not limited to, sterility and biocompatibility.
Clinical Evaluation Report (CER)
The CEP will also provide a roadmap for creating the CER, which would be submitted to a notified body or competent authority as needed to communicate the overall benefit-risk profile for a medical device. The CER is more detailed and includes:
- Intended use, device description, device classification, clinical evaluation plan, common specifications, if applicable, applicable standards, product equivalence, and state of the art;
- Clinical literature review, clinical investigations, and related documentation;
- PMS, postmarket clinical follow-up (PMCF), and the plan for updates and reporting;
- Labeling, instructions for use, summary of safety and clinical performance (nonclinical and clinical); and
- Summary of all available data and conclusions.
The items provided above incorporate the 4 stages for creating a CER, as outlined by MEDDEV.9 Because the report is submitted to a notified body or competent authority it would require the integration and coordination of a cross-functional regulatory and/or clinical team to capture the full range of necessary information. As such, the report is an important tool for communicating an understanding of the device among regulators.
The purpose of PMS is to continuously verify the benefits of medical devices throughout the product lifecycle and identify previously unknown risks through observation and analysis of real-world, daily practical usage. If PMS observations suggest changes might be needed in the clinical evaluation plan or report, then PMCF studies must be done to obtain supporting data for updating and revising the CEP/CER to reflect the new findings.
Be proactive in defining how the regulatory/clinical team will monitor uses of the device for both approved and off-label use cases. Also be prepared to proactively integrate your clinical findings and risk management strategies into a cohesive route to regulatory compliance.
Person Responsible for Regulatory Compliance (PRRC)
Medical device manufacturers need to have oversight of product development throughout the lifecycle, lifecycle (from design, manufacturing, postmarket surveillance/vigilance activities, and so on.)
Manufacturers must have at least one person in the company who is a medical device expert and can be designated as the person responsible for regulatory compliance (PRRC). The PRRC ensures the conformity of the device is appropriately checked; the technical documentation and EU declaration of conformity are written up and kept current; and the PMS and vigilance obligations are met. Micro- and small enterprises are not required to have a PRRC but need to have such a person at their disposal.11
The PRRC is often designated by a company’s senior management, which underscores the level of responsibility of the position and importance of coordinating collaboration across a number of teams to maintain compliance. The position carries significant legal responsibility for the PRRC because the company could hold them accountable for data quality errors that may lead to noncompliance over time.
As such, companies are required to have liability insurance in case they are sued by EU citizens who might suffer physical, device-related harm.
Given the extent of the changes under the MDR, organizations are being challenged to take a more holistic viewpoint of their products, resources, and regulatory toolkit to maintain product compliance in the EU. Lifecycle management is just one piece of the puzzle to maintaining regulatory compliance. There are unique approaches to lifecycle management under the new Medical Device Regulation that should be considered.
Postmarket surveillance helps establish a process for identifying and rectifying issues during the course of the product lifecycle. Notified bodies now have a process to absorb the feedback from clinical evaluations to ensure medical devices being designed and manufactured meet the stated intended use. The UDI makes it significantly easier to prioritize what issues need to be addressed and ensure tracking mechanisms are in place so field corrective actions can be accurately executed.
That is possible because the UDI has specific product information – lot number, date of manufacturing, expiration date, and so on – which can be used to recall products that are defective. These pieces of information are both human and machine readable (the latter, by barcode or radio-frequency identification), which makes it easier to remove a product from the supply chain.
Quality Management System
And finally, the quality management system (QMS) is the critical element for the regulatory team to implement and manage a successful PMS strategy.12 This “listening system,” comprised of all the aforementioned elements, provides a company the closed-loop feedback needed from the real-world situations to improve clinical performance.
This helps minimize the cost containment of a product recall by recalling only noncompliant devices based on the specific UDI information, which can help device firms align across the supply chain.
CEP, clinical evaluation plan; CER, clinical evaluation report; MDD, Medical Device Directive; MDR, [EU] Medical Device Regulation; PMCF, postmarket clinical follow-up; PMS, postmarket surveillance; PRRC, person responsible for regulatory compliance; UDI, unique device identifier; UDI-DI, UDI device identifier.
About the authors
Seyed Khorashahi, MSc, is executive vice president of medical devices and chief technical officer at Regulatory Compliance Associates (RCA).
Mark Agostino, MSc, RAPS, is managing director of QARA Biomed and senior medical device good manufacturing practice expert at Redica Systems. His areas of expertise include quality assurance and regulatory affairs for medical device and combination products. He has provided guidance to sponsors and contract service providers on meeting requirement for the design history and technical files for the FDA and under the EU Medical Device Regulation; compliance with ISO 14971:2019; implementing supplier quality processes; conducting internal and external audits; preparing global regulatory submissions; and ensuring compliance to global standards and regulations. Agostino has a master of science degree in biomedical engineering from Worcester Polytechnic Institute, Mass., and an executive MBA from Suffolk University, Boston. He is a member of RAPS and can be reached at firstname.lastname@example.org
Citation Khorashahi S, Agostino M. Strategic lifecycle approach to medical device regulation. Regulatory Focus. May 2021. Regulatory Affairs Professionals Society.
All references were accessed on 24 May 2021. Except for reference 6, 8, and 9, all references are for Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745&qid=1620164088978&from=EN, with page numbers provided for the specific sections.
- Reg. 2017/745, Articles 1-4:13-20.
- Reg. 2017/745, Articles 1-4.
- Reg. 2017/745, Articles 19-20:32.
- Reg. 2017/745, Articles 25-34:34-40.
- Reg. 2017/745, Articles 83-100:71-82.
- Reg. 2017/745, Annex VII:123-139.
- Reg. 2017/745, Articles 51-60:49-55.
- International Organization of Standardization/International Electrotechnical Commission. Guide to the development and inclusion of aspects of safety in International Standards for medical devices: Terms and definitions [3.18]. https://www.iso.org/obp/ui/#iso:std:iso-iec:guide:63:ed-3:v1:en Dated 2019. Accessed 24 May 2021.
- European Commission. Guidelines on medical devices. Clinical evaluation: A guide for manufacturers and notified bodies [Directives 93/42/EEC and 90/385/EEC (MEDDEV 2.7.1 Rev. 4) https://ec.europa.eu/docsroom/documents/17522/attachments/1/translations/en/renditions/native.
- Reg. 2017/745, Articles 61-82:55-71.
- Reg. 2017/745, Article 15:28.
- Reg. 2017/745, Article 10:23-5.
Regulatory Compliance Associates® (RCA) provides regulatory compliance consulting to the following industries for resolution of compliance and regulatory challenges:
We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.
As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.
- Founded in 2000
- Headquartered in Wisconsin (USA)
- Expertise backed by over 500 industry subject matter experts
- Acquired by Sotera Health in 2021
About Sotera Health
The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.
Sotera Health Company, along with its three best-in-class businesses – Sterigenics®, Nordion® and Nelson Labs®, is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.
We are a trusted partner to more than 5,800 customers in over 50 countries, including 40 of the top 50 medical device companies and 8 of the top 10 pharmaceutical companies.
To begin the Regulatory Compliance Associates® scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage.