CE Marking

CE Marking, Declaration of Conformity, Design Dossier, Technical File, MEDDEV, NB-MED, DoC, TF, DD, CE Certificate, 93/42/EEC, 2007/47/EC, MDD, IVDD and AIMD.

Auditing Risk Management Files

What do you look at and look for when you are auditing risk management files to ISO 14971 and the new Regulation (EU) 2017/745?

Your cart is empty

Next week, November 15th @ Noon EST, you will have the opportunity to watch a live webinar teaching you what to look at and what to look for when you are auditing risk management files to Regulation (EU) 2017/745 and ISO 14971. Risk Management Files are one of the essential requirements of technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit risk management files.

Why you are not qualified to audit risk management files

Being a qualified lead auditor is not enough to audit the risk management process. When you are auditing a risk management file, you need risk management training and lead auditor training. To audit the risk management process, you will also need training on applicable guidance documents (i.e., ISO/TR 24971:2020) and applicable regulations (i.e., Regulation 2017/745 and/or Regulation 2017/746). There may also be device-specific guidance documents that specify known risks and risk controls that are considered state-of-the-art.

Creating an audit agenda

Once you have scheduled an audit of risk management files, and assigned a lead auditor, then the lead auditor needs to create an audit agenda. The audit can be a desktop audit that is performed remotely, or it can be an on-site audit. Regardless of the approach, the audit should include interviewing participants in the risk management process documented in the risk management file. As a rule of thumb, I expect a minimum of 30 minutes to be spent interviewing the process owner and one or more other participants. Then I spend an additional 60 minutes of auditing time reviewing documents and records.

Your audit agenda should specify the following items at a minimum:

  1. the method of auditing to be used,
  2. date(s) of the audit,
  3. the duration of the audit,
  4. the location of the audit, and
  5. the auditing criteria.

The auditor(s) and the auditee participants should be identified in the audit agenda. Finally, you should specify which documents and records are required for audit preparation. These documents will be used to help identify audit checklist questions and to determine a sampling plan for the audit. At a minimum, you will need a copy of the risk management procedure and a list of the risk management files that are available to audit. You may also want to request the audit plan for each of those risk management files.

What did you look at and look for during your risk management audit?

When you audit the risk management process, you could take any of the following approaches or a combination of more than one. You could audit the process according to the risk management procedure. You could audit the process according to the risk management plan(s) for each risk management file. You could audit using the process approach to auditing. Finally, you could audit in accordance with specific requirements in the ISO 14971:2019 standard and applicable regulations (i.e., Regulation 2017/745). Regardless of which approach you take, your audit notes and the audit report should identify which documents and records you sampled and what you looked for in each document. Providing only a list of the documents is not enough detail.

Creating an auditing checklist for risk management files

Auditors with limited experience are taught to create an audit checklist by creating a table that includes each of the requirements of the audit criteria. For a risk management file, this would include a list of each of the requirements in ISO 14971 for a risk management file (i.e., Clause 9???). However, this approach is more like the approach that you should be using for a gap analysis. The better approach for creating an audit checklist for risk management files is to start by creating a turtle diagram. In the “process inputs” section (i.e., step 2 of 7), you would add questions derived from your review of the risk management plan(s). In the “process outputs” section (i.e., step 3 of 7), you would add questions specific to the risk management report and other records required in a risk management file. In the “with whom” section (i.e., step 5 of 7), you would add questions related to training and competency. You might also identify additional people involved in the risk management process, other than the process owner, to interview as a follow-up trail. In the “how done” section (i.e., step 6 of 7), you would add questions specific to the procedure and forms used for the risk management process. Finally, in the “metrics” section (i.e., 7 of 7), you would verify that the company is conducting risk management reviews and updating risk management documentation in accordance with the risk management procedure and individual risk management plan(s).

Audits are just samples

Just because you can generate a lot of questions for an audit checklist does not mean that you are required to address every question. Audits are intended to be a “spot check” to verify the effectiveness of a process. You should allocate your auditing resources based on the importance of a process and the results of previous audits. I recommend approximately three days for a full quality system audit, and approximately 90-minutes should be devoted to a process unless it is the design control process (i.e., Clause 7.3 of ISO 13485) which typically requires three to four hours due to the importance and complexity of the design controls process. Therefore, you should schedule approximately 30 minutes to interview people for the risk management process and approximately 60 minutes should be reserved for reviewing documents and records. With this limited amount of time, you will not be able to review every record or interview everyone that was involved in the risk management process. This is why auditors always remind auditees that an audit is just a sampling.

Which records are required in a risk management file?

The contents of a risk management file is specified in ISO 14971:2019, Clause 4.5. There are only four bullets in that section, but the preceding sentence says, “In addition to the requirements of other clauses of this document.” Therefore, your risk management file should address all of the requirements in ISO 14971:2019. What I recommend is a virtual risk management folder for each risk management file. As the auditor, you should also request a copy of the risk management policy and procedure. An example of what this would look like is provided below. The numbers in front of each subfolder correspond to the sub-clause or clause for that requirement in ISO 14971:2019.

Risk Management File Example Auditing Risk Management FilesWhich records are most valuable when auditing risk management files?

As an auditor, I typically focus on three types of targets when auditing any process. First, I will sample any corrective actions implemented in response to previous audit findings. Second, will sample documents and records associated with any changes made to the process. Changes would also include any changes that were made to individual risk management files or the creation of a new risk management file. Finally, my third target for audit sampling is any item that I feel is at risk for safety or performance failures. The severity of the safety or performance failure is also considered when prioritizing audit sampling. In the context of a risk management file, I always verify that production and post-production activities are being conducted as planned. I try to verify that risk analysis documentation was reviewed for the need to update the documentation in response to complaints and adverse events.

More auditor training on risk management files

We are recording a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of risk management files against the requirements of the new European Regulation (EU) 2017/745 and ISO 14971.

PXL 20221101 183748328 Auditing Risk Management Files
Auditing Risk Management Files
In this new webinar, you will learn how to conduct a process audit of risk management files. You will learn what to look at and what to look for in order to verify compliance with Regulation (EU) 2017/745 and ISO 14971:2019. The webinar will be approximately one hour in duration. Attendees will be invited to participate in the live webinar and receive a copy of the native slide deck. Anyone purchasing after the live event will receive a link to download the recording of the live event and the native slide deck.
Price: $64.50

In addition to this webinar on auditing risk management files, we also have other risk management training webinars available. The webinar on auditing risk management files will be hosted live on November 15, 2022 @ Noon EST (incorrect in the live video announcement).

Auditing Risk Management Files Read More »

What are the IVDR risk management requirements?

This article reviews unique IVDR risk management requirements for CE Marking of in vitro diagnostic (IVD) devices in Europe.

Last week I posted a blog about “How to create an IVDR checklist.” The article was very popular because we included a form for downloading a free IVDR checklist. That form included the opportunity for people to ask a question about the IVDR. One of the subscribers, a gentleman from New Zealand, entered a very simple comment: “risk management requirements.” My first thought was that the risk management file is the required technical documentation for the IVDR. Then I quickly remembered that in 2012, EN ISO 14971:2012 was released with three new annexes for the three directives: ZA (for the MDD), ZB (for the AIMD), and ZC (for the IVDD). In Annex ZC there were seven deviations, and even though ISO 14971 was updated in 2019, the international standard continues to deviate from the European regulations in significant ways. Therefore, this blog provides an overview of the IVDR risk management requirements.

If you are already compliant with ISO 14971:2019, do you meet the IVDR risk management requirements?

The biggest difference between the ISO 14971:2019 standard and the IVDR risk management requirements is that the standard only requires a benefit-risk analysis to be performed if risks are unacceptable. In contrast, the IVDR requires that a benefit/risk analysis be performed for all risks and the overall residual risk. Therefore, you must include a benefit/risk analysis in your technical file submission regardless of risk acceptability. The harmonized version of the standard (i.e. EN ISO 14971:2019/A:11:2021) was released in December of 2021. If you already purchased ISO 14971:2019, you only need to purchase the amendment which consists of Annex ZA (comparison between the standard and Annex I of MDR) and ZB (comparison between the standard and Annex I of the IVDR).

In the amendment, it states that manufacturers must have a risk management policy that is compliant with Annex I of the EU regulation. There are notes at the beginning of each harmonization annex that indicates that the risk management process needs to be compliant with the IVDR, which means risks have to be ‘reduced as far as possible’, ‘reduced to a level as low as reasonably practicable’, ‘reduced to the lowest possible level’, ‘reduced as far as possible and appropriate’, ‘removed or reduced as far as possible’, ‘eliminated or reduced as far as possible’, ‘prevented’ or ‘minimized’, according to the wording of the corresponding section in Annex I of the IVDR. The comparison table has a column with remarks/notes. In most cases, the deficiency identified states, “Device-specific execution of the process is not covered.” There are also two remarks/notes that state “Device-specific and usability-specific execution of the process is not covered.” 

Where are the IVDR risk management requirements?

Blog tip 1024x183 What are the IVDR risk management requirements?

IVDR risk management requirements are found in Annex II, Section 5 of the IVDR. However, there are 228 references to the word risk throughout the IVDR. The following risk-related requirements in IVDR are particularly important:

  • Article 10, Sections 2 & 8(e) – risk management procedure requirement
  • Annex I, Section 3 – reiteration of risk management procedure requirement, but specific steps in the risk management process are identified (e.g. a risk management plan, hazard identification, estimation of risks, evaluation of risks, etc.)
  • Annex I, Section 4 – Priority of risk control measures
  • Annex I, Section 5 – Elimination or reduction of use-related risks
  • Annex III, Section 1(b) – Reassessment of the benefit-risk analysis and risk management using post-market surveillance data

How should you document your risk management file for the IVDR?

In your risk management file of course. There is no format requirement for risk management files, but there are requirements for the content and there is a GHTF guidance document for risk management, and ISO/TR 24971:2020 is a new guidance document on the application of ISO 14971 to medical devices. Neither of these guidance documents is specific to IVDR risk management requirements. Annex H of ISO/TR 24971:2020, however, provides guidance specific to IVD devices.

What do the IVDR risk management requirements include for risk analysis?

In our March 23, 2022 blog posting, I described four types of risk analysis:

  1. Design risk analysis
  2. Process risk analysis
  3. Software hazard analysis
  4. User-related risk analysis (URRA)

Of these four types of risk analysis, only the software hazard analysis is sometimes not applicable. For an FDA 510(k) submission, you would need to provide software hazard analysis and URRA in the actual submission. The other two types of risk analysis would only be included in your design history file (DHF), and the FDA would review the design and process risk analysis during a routine inspection when the DHF is sampled as part of the design control process.

In contrast, the IVDR requires that a complete risk management file be submitted as part of the technical file (see Annex II, Section 5):

“Benefit-risk analysis and risk management

The documentation shall contain information on:

    • the benefit-risk analysis referred to in Sections 1 and 8 of Annex I, and
    • the solution adopted and the results of the risk management referred to in Section 3 of Annex I.”

The above documentation typically consists of design risk analysis and does not typically include process risk analysis, software hazard analysis, or use-related risk analysis. These other three risk analysis documents are IVDR risk management requirements, but they are referenced by the technical file in other sections. The most obvious IVDR risk management requirements are referenced in Annex I, Sections 1-9. These are referred to as the General Safety and Performance Requirements (GSPRs), and this requirement is typically met by including a GSPR checklist in the technical file to meet the requirement of Annex II, Section 4.

The process risk analysis is typically included with manufacturing information to meet the requirement of Annex II, Section 3.2. This documentation may include, any and all of the following elements:

  1. a process failure mode and effects analysis (pFMEA)
  2. a risk control plan including all processes from receiving inspection to final inspection and product release
  3. a process validation plan that is risk-based and linked to the risk control plan

The best practice for estimation of process risks is to link the probability of occurrence and probability of detection to the quantitative data gathered during process validation. In addition, you may establish a risk management policy that prescribes specific types of process risk controls (e.g. automated inspection) for the highest risk processes where manufacturing process errors are not acceptable residual risks. For example, an inspection of printed circuit board assemblies (PCBAs) typically requires automated optical inspection (AOI) methods, because visual inspection is not sufficient by itself and not all PCBAs allow sufficient ICT coverage, and functional testing is limited.

The software hazard analysis, if applicable, is typically performed in accordance with IEC/TR 80002-1:2009, Guidance on the application of ISO 14971 to medical device software. In the software hazard analysis, it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. Software failures are systemic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, we recommend that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure. For these reasons, it is recommended that software hazard analysis documentation is maintained as a separate document from your design risk analysis. The software hazard analysis documentation should be referenced in your risk management report, but the software hazard analysis should be included as part of your software verification and validation. The IVDR requires that you include a summary of software verification and validation in Annex II, Section 6.4 rather than the complete hazard analysis document.

A use-related risk analysis should be part of your useability engineering file for IVD devices as required by EN 62366-1:2015. Use-related risks are mentioned in Annex I, Section 5:

“In eliminating or reducing risks related to use error, the manufacturer shall:

    • reduce as far as possible the risks related to ergonomic features of the device and the environment in which the device is intended to be used (design for patient safety), and
    • Give consideration to the technical knowledge, experience, education, training and use environment, where applicable, and the medical and physical conditions of intended users (design for lay, and professional, disabled or other users).”

The above requirement includes not only the ability to read and interpret test results of IVD devices but also the ability of laypersons to properly self-select if an IVD is intended to be sold as an over-the-counter product. Usability also is mentioned in Article 78, Section 3(f):

“for the identification of options to improve the usability, performance and safety of the device;”

Therefore, there should be specific elements of your post-market surveillance plan that are designed to gather feedback on the usability of your IVD device. 

When should risk management activities be performed for IVD devices?

The IVDR does not specifically define when in the design and development process the various risk management activities shall be performed. However, the required risk management activities are specified in the IVDR within Annex I. ISO 14971:2019, however, is more descriptive of the risk management activities and the risk management process. Therefore, your risk management plan should align with the process defined in ISO 14971:2019, Clause 4.1.

Unfortunately, most companies do not include risk management as an integral part of the design and development process. Instead, risk management documentation is created retroactively as part of the documentation preparation for technical file submission. For this reason, most medical device executives fail to see the benefit associated with the risk management process. Even biomedical engineers struggle to appreciate the necessity of following the process outlined in the risk management standard in order to prevent device malfunctions and use errors.

The following is a list of the required risk management activities in the order that they should be occurring. Each activity also references the applicable clause of ISO 14971:2019. We have also grouped the activities into the five phases of design and development:

Design Controls with risk 1024x542 What are the IVDR risk management requirements?

Design Planning

    • Risk management planning (Clause 4.4)

Design Inputs

    • Identification of hazards and hazardous situations (Clause 5.4)

Design & Development

    • Risk estimation (Clause 5.5)
    • Risk evaluation (Clause 6)
    • Risk control option analysis (Clause 7.1)
    • Implementation of risk control measures (Clause 7.2)
    • Residual risk evaluation (Clause 7.3)

Design Verification and Validation

    • Benefit/risk analysis (Clause 7.4)
    • Risk control effectiveness verification (Clause 7.6)

Design Release

    • Evaluation of overall residual risk (Clause 8)
    • Risk management review (Clause 9)

If your company is preparing a 510(k), the company may be able to submit the 510(k) immediately after completion of risk control effectiveness verification. You may also be able to postpone the benefit/risk analysis until you submit your IVD technical file for CE Marking approval. The benefit/risk analysis is not required by ISO 14971 unless the risks are unacceptable, and the FDA does not require a benefit/risk analysis except for novel devices seeking market authorization through a De Novo Classification Request or a Pre-Market Approval (PMA). The FDA also does not require the submission of the complete risk management file.

IVDR risk management requirements are quite different than the US FDA requirements for risk management. An IVD technical file must include a risk management summary report that summarizes all activities that were performed according to the risk management plan. A benefit/risk analysis is required for each risk and the overall risk. The Notified Body auditor is also expected to sample the complete risk management file during quality system audits. Finally, the IVDR includes a requirement for a post-market surveillance plan that includes the collection of production and post-production data as feedback on the risk management process and a post-market clinical performance follow-up (PMPF) plan. 

What production and post-production information should you be collecting for IVD devices?

Medical device manufacturers struggle to see the benefits of requiring a post-market surveillance system, and smaller companies, in particular, complain that the cost of the new European post-market surveillance requirements is excessive and prohibits innovation. However, the primary role of post-market surveillance is to ensure rapid initiation of containment and corrective actions for devices that malfunction and/or present unacceptable risks to the intended users and intended patient population. The purpose of generating the post-market surveillance data is defined in the IVDR within Article 78, Section 3.

The minimum requirements for post-market surveillance are defined in Annex III, Section 1(a):

  • Information concerning serious incidents, including information from PSURs, and field safety corrective actions;
  • records referring to non-serious incidents and data on any undesirable side-effects;
  • information from trend reporting;
  • relevant specialist or technical literature, databases and/or registers;
  • information, including feedback and complaints, provided by users, distributors, and importers; and
  • publicly-available information about similar medical devices.

The IVDR is not prescriptive regarding what production data shall be collected for post-market surveillance, but the reason for this is that there are many different types of manufacturing processes with different process risks. In addition, the IVDR includes software as a medical device where there is no manufacturing process at all. Therefore, the best approach for determining what production data to collect is the review your process risk analysis (e.g. pFMEA). The process risk analysis for each manufacturing process should allow you to identify the manufacturing process steps that have the greatest residual risks (e.g. risk priority number or RPN) and potentially the highest severity of the effect. The risks should be identified as a priority for post-market surveillance. You should also include process parameter monitoring data for any validated processes (e.g. sterilization time, temperature, and pressure). Finally, you should also monitor rejects at incoming inspection, in-process inspection, and final inspection operations.  

Other IVD Risk Management Resources

The following resources may be helpful for creating and maintaining your IVD risk management file:

  1. EN ISO 14971:2019 + A11:2021
  2. ISO/TR 24971:2020
  3. GHTF/SG3/N15R8
  4. Regulation (EU) 2017/746 (i.e. IVDR)
  5. IEC/TR 80002-1:2009
  6. EN 62366-1:2015 + A1:2020

Note: Whenever possible, hyperlinks to the Estonian Centre for Standardization and Accreditation (EVS) are provided for procedures, because we find that this source is frequently the least expensive, and digital versions are available on-demand as a multi-user license.

What are the IVDR risk management requirements? Read More »

How to create an IVDR checklist

This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.

IVD Checklist 1024x474 How to create an IVDR checklist

Why I created an IVDR checklist?

Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.

If you would like to download our IVDR checklist for FREE, please fill in the form below.

How do you use an audit checklist?

An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically the checklist is in four columns using a tabular form. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column the auditor will enter the objective evidence for conformity collected during the audit.

How to create an IVDR quality plan

Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that their quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III; while most of the quality system requirements are found in the Articles.  The quality system requirements include:

  1. a risk management process in accordance with Annex I – deviations from ISO 14971:2019 will be necessary)
  2. conduct a performance evaluation–including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
  3. create and maintain a technical file in accordance with Annex II & III
  4. create and maintain a Declaration of Conformity in accordance with Article 17
  5. CE Mark the product in accordance with Article 18
  6. implement a UDI system in accordance with Article 24, 26, and 28
  7. record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
  8. set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
  9. document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
  10. update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
  11. update the product labeling to comply with Annex I, section 20
  12. revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
  13. create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting

Which IVDR requirements are already met by your quality system?

Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.

Content related to our IVDR checklist

On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video (please click on the link to register). The topic of the live presentation will be “How to create an IVDR quality plan.” #MedicalDevices #MDGpremium

How to create an IVDR checklist Read More »

MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG…

A profound realization was made while performing a routine MDR gap analysis of Medical Device Academy’s technical documentation procedure.

%name MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG...

In this article I wanted to discuss the functional effect that a gap analysis can have on your entire quality system. Everything mentioned below is because I performed a MDR gap analysis against a single procedure which resulted in the addition of three words to a single sentence. This small modification was made simply for clarification of a sentence that was already compliant without the change. Those three words made me reexamine the entire procedure. Then I tried to identify possible interpretations of that one sentence both before and after the modification. Finally, I questioned how adding three words might affect quality systems as a whole.

What was the section reviewed in the MDR gap analysis?

The MDD (i.e. 93/42/EEC) did not include a section that defined the requirements for technical documentation. The MDD does not include the phrase “device description,” or “intended patient population.” Therefore, when the MDR came into force, companies were forced to update their technical documentation procedure to comply with the new Annex. The section of the regulation that I was performing the MDR gap analysis against was Annex II. Specifically, subsections 1.1a) and 1.1c):

  • 1.1(a) “product or trade name and a general description of the device including its intended purpose and intended users“;
  • 1.1c) “the intended patient population and medical conditions to be diagnosed, treated and/or monitored and other considerations such as patient selection criteria, indications, contra-indications, warnings;

(taken from the English Version of Regulation EU 2017/745 on 08/30/2018)

There are only two places in the MDD where the phrase “intended users” is found: Article 11(14) and Annex I(1). In Annex I(1) of the MDD, the Directive clarified that design of devices shall include: “consideration of the technical knowledge, experience, education and training and where applicable the medical and physical conditions of intended users (design for lay, professional, disabled or other
users).” The introduction of the phrase “intended patient population” in the MDR forced me to reevaluate the wording we were using in our SYS-025 Technical Documentation Procedure. The wording we were using was: “users and patients.” Therefore, first I added the word “intended” before “users” and “patient”, and second I added the word “population” after “patient.”

Why would the MDR require these specific changes?

These are very small changes but the changes were meant to more clearly explain that documentation was needed for very specific areas. Previous versions of the procedure left more room for interpretation that intended users may not have been differentiated as strongly from intended patients, especially for cases where they are one in the same. These two subsections of Annex II, 1.1 (a) and 1.1 (c), outline that there are two specific populations of real people that must be taken into account within the device description and design specification areas of your technical documentation:

  • the intended users, and
  • the intended patient.

Even if the user and the patient represent the same person, these are two separate areas that require technical documentation. Intended users, whom may or may not be within the “intended patient population” that the device was designed for, should be entirely separate on your technical documentation.

Take for example, a home use lancet device included within a glucometer kit. The intended user is probably going to be the diabetic patient who wishes to check their blood glucose levels at home. In this case the intended user would also be a member of the intended patient population.

However, because this is not always the case there should be a clear separation of the documentation between the intended users of 1.1(a) and the intended patient population in 1.1(c). An example of this would be something like a surgical scalpel. A medical device that would probably be intended to be used by a physician within the controlled environment of a surgical procedure. In this example scenario the intended patient population would differ from the user because the patient would be the population of people who would need to undergo the above mentioned surgical procedures, but the user of the device is the physician or surgeon actually performing the procedure.

Considerations going beyond my MDR gap analysis

Everything that we are talking about is for intended patient populations or intended users. Documentation regarding these areas is important for several reasons and strong record keeping early on in the device development stages will help with things like statistical analysis, tracking and trending, and even possible modifications to Instructions For Use or labeling in the future. Most people performing a gap analysis would just make the changes and move forward without a second thought. However, the phrase “intended patient population” was introduced to the MDR for a reason, and it forced me to think beyond the task at hand.

Let us look back at our diabetic patient with the home use glucometer kit. I like fleshing my characters out, and providing a back story really helps me mentally associate these fictitious characters with the potential real-life patients they may represent.

I am going to name him Matthew D. Mellitus Jr. He is 28 years old. A morbidly obese type II diabetic, and a married father of two. Beyond the extraordinary play on words with Mr. D. Mellitus, II is I promise that there is a purpose behind this.

Matt is the intended user of the specific glucometer kit that he has. It contains within it, a glucometer, alcohol prep pads, a lancet device, spare lancets, and a container of test strips. He is also a member of the intended patient population because he is a diabetic with orders from his primary care physician to check his blood glucose levels at home.

One day while at home his spouse finds that it appears he is sleeping at an odd time of day and is rather unarousable. Knowing that he is diabetic she checks his blood sugar using that same glucometer kit. Now this is a broad made up but plausible scenario. Is his spouse an “intended user”? Sure, Matt the diabetic is still a member of the “intended patient population”, but ask yourself some of these follow up questions:

  • Did the manufacturer of the glucometer kit design and document the intended user to include caretakers of the “intended patient population”?
  • If not, does this mean that Matt’s spouse was using the glucometer in an off-label manner?
  • If both caretakers and patients are intended users, are the Instructions For Use written in such a manner that they are clearly understood when applied to testing blood glucose levels on others as well as yourself?
  • Perhaps this was an unforeseen human factor when designing the glucometer kit that needs further study?

I promise that questions like these are better asked and incorporated into the design and development of a medical device early on rather than having to address them post-market release and have to consider recalls, notifications, corrective actions, etc. in the future.

Do the questions end with my MDR gap analysis?

All of the above discussion resulted from a single sentence, being tweaked just a little bit, in order to make a procedure more clear and leaving less room for interpretation.These are just theoretical questions that should be asked. As the ‘rabbit hole’ always seems to go deeper and branch off so do some of these theoretical situations. This was just a bit of a back and forth conversation with myself regarding a very specific section of Annex II. As we delve deeper into the proverbial rabbit hole, consider again the situation where Matt’s spouse used the device. If she was not an “intended user,” does this qualify as “misuse of the device”? Maybe, or maybe not, but each situation will result in different answers to these questions.

If you go back to Annex I, Chapter 1, Section 3(c) it states, “estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.” If that is considered misuse, is it ‘reasonably foreseeable’ (taken from the English Version of Regulation EU 2017/745 on 08/31/2018)? What is considered misuse? The EU MDR does not have misuse in its definitions. In fact, the term misuse is only even used three times. To narrow down whether or not this is reasonably foreseeable misuse we need to find a working definition within an accepted harmonized standard or other regulation that applies to the governance of medical devices within the same manner that the EU MDR does.

That same thoroughness needs to be applied to how misuse may be considered foreseeable. Maybe through human factors studies? Maybe through post market surveillance it is discovered that the device is sometimes used by someone other than an intended user, or for something other than the intended purpose. Should misuse be discovered, or suspected does it fall under the realm of it being ‘reasonably foreseeable?’ Ask these questions early, ask them often and then don’t be afraid to ask if they still apply in the future. Have regulations or standards changed? Proactive measures can help discover issues sooner. This lets risks be addressed sooner and ultimately could prevent negative outcomes and experiences from the patients these devices are meant to help.

Conclusions of this MDR gap analysis

I had these thoughts while updating Medical Device Academy’s procedures. First, procedures should always be living documents that can grow and change as standards and regulations metamorphasize to meet the needs of the ever evolving medical device community. This MDR gap analysis applies largely to technical documentation and as such we updated our technical documentation procedure. Every time we analyze quality system documents and technical documentation through the lens of a new standard or regulation, we are certain to expand our appreciation for the complexity of medical device design and development.

MDR Gap Analysis, how small changes in EU 2017/745 can result in BIG… Read More »

Which changes are forgotten in your MDR labeling procedure?

Did you forget any of the MDR labeling procedure requirements when you were updating your device labeling for CE Marking?

MDR Labeling Procedure

Don’t forget to subscribe to our YouTube channel for more medical device quality and regulatory training. The topic of this article is how to create an MDR labeling procedure for compliance with Regulation (EU) 2017/745 (MDR) for CE Marking of medical devices. The MDR does not actually include a requirement for a labeling procedure. In fact, the MDR doesn’t even specifically require that you have ISO 13485:2016 certification. ISO 13485:2016, clause 7.5.1 states that you shall implement “defined operations for labeling and packaging,” but the standard doesn’t specifically say that “the organization shall document procedures” for labeling. In 21 CFR 820.120, the FDA states that “each manufacturer shall establish and maintain procedures to control labeling activities.” But there is no similar requirement in the MDR.

MDR Quality System Requirements

Article 10 is the section of the MDR that defines the obligations for device manufacturers to create quality system procedures, but a labeling procedure is not specifically mentioned. Article 10(9)(a) states that your quality system shall include “a strategy for regulatory compliance, including…procedures for management of modifications to the devices covered by the system,” and this would include label changes and other control of other design changes. The next paragraph states that your quality system shall include, “identification of applicable general safety and performance requirements.” The general safety and performance requirements (GSPRs) are found in Annex I of the MDR, and the very last GSPR (i.e. GSPR 23) is for your label and instructions for use.

Then, which changes do you need to make for the MDR labeling procedure?

The GSPRs in Annex I of the MDR are longer than the Essential Requirements that were in the MDD. In addition to the new requirements for UDI compliance (which you should address in a UDI Requirements Procedure), GSPR 23 has new general requirements (i.e. 23.1) and new requirements for information on the sterile packaging (i.e. 23.3). There is also a more detailed specification for the information on the label (i.e. 23.2) and the information in the instructions for use (i.e. 23.4). The approach for demonstrating compliance with the GSPRs suggested in the MDR is to provide a checklist. Therefore, most manufacturers of CE Marked devices have replaced their Essential Requirements Checklist (ERC) with a GSPR checklist. However, if you are reviewing a draft label for approval, you don’t want to review and update your entire 22-page, GSPR checklist for every label.

The more efficient approach is to create one or more labeling checklists that are specific to the requirements in GSPR 23. If you create a separate checklist for the label, the information on the sterile packaging, and for the information in the instructions for use, then you would have three shorter checklists to complete. The label checklist and the checklist of the information on the sterile packaging would be only one page each, while the checklist for the instructions for use would be approximately four pages. There may be additional labeling requirements for specific countries and types of devices. Electrical medical equipment also has specific labeling requirements in IEC 60601-1 and IEC 60601-1-2. You will also need to create a user needs specification that can be used as criteria for summative usability testing (i.e. validation that the design and risk controls implemented meet the user needs specification). You should also document a use-related risk analysis (URRA), and perform formative testing, in order to identify critical tasks which need to be in the instructions for use to prevent use errors.

Are there any other MDR requirements that you should address in a labeling procedure?

There are two other requirements that should be addressed in your labeling procedure. The first is the general labeling requirements in GSPR 23.1. Withing GSPR 23.1, there are actually nine “sub-requirements.” The first “sub-requirement” in GSPR 23.1 is to provide the identity of the device, your company, and any safety and performance information needed by the user on the packaging or the instructions for use, and on your website. Many manufacturers do not want to make this information available on their website, because it makes it easier for competitors to copy the instructions for use, but this is not optional. This requirement and the other eight requirements in GSPR 23.1 could be included in your procedure or as part of a fourth labeling checklist associated with your MDR labeling procedure.

The second requirement is the requirement to translate your instructions for use into an official Union language(s) determined by the member state where your device will be made available to the intended user or patient. Creating these translations, and verifying the accuracy of the translations, can be expensive and burdensome–especially if your device is sold in most of the member states.

You might also consider implant cards as labeling requirements and try to add them to your MDR labeling procedure. However, if the requirement for implant cards (see Article 18 of the MDR) is applicable to your company you should create an implant card procedure instead because this is a detailed and critical requirement that will not apply to most of the other labels in your company. You should make sure that the implant card procedure is compliant with MDCG 2021-11 released in May 2021 and MDCG 20201-8 v2 release in March 2020. These guidance documents also have great examples of how to design your implant cards.

Other changes in labeling requirements

The ISO 15223-1:2016 standard has been revised and was expected for release at the end of 2020. However, only draft versions are currently available (i.e. ISO/DIS 15223-1:2020). This new version of the standard for symbols to be used with labeling will also need to be updated shortly in your MDR labeling procedure. This new version is already referenced in the medical device standard for information provided by the manufacturer (i.e. EN ISO 20417:2021)–which supersedes EN 1041:2008. Consultants and chat rooms have argued over whether the requirement for identifying the importer must be on the label or if it could be presented in other documents. EN ISO 20417:2021 resolves this dispute in section 7.1: “Where necessary, the label of a medical device or accessory shall include the name or trade name and full address of the importer to which the responsible organization can refer.” In the note following that clause, it clarifies that “This can be required by the authority having jurisdiction.” There is even a new symbol referenced for importers (i.e. Symbol 5.1.8 in ISO 15223-1).

If you have specific questions about device labeling or MDR compliance, please use our calendly app to schedule a call with a member of our team. You can also purchase our labeling and translation procedure (SYS-030) to save yourself the time and effort of making your own versions of the labeling checklist described above.

About the Author

Rob Packard 150x150 Which changes are forgotten in your MDR labeling procedure?

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Which changes are forgotten in your MDR labeling procedure? Read More »

Implant Card Requirement – A New Requirement of EU 2017/745

This article breaks down and reviews the new implant card requirement as well as Article 18 of EU 2017/745.

We also have available for sale, SYS-037 Implant Card Procedure written to be Article 18 compliant of Regulation (EU) 2017/745, and includes;

  • SYS-037 A, Implant Card Procedure
  • FRM-044 Checklist for Information to be supplied to the patient with an implant
  • FRM-045 Implant Card Checklist for Article 18 Reg 2017-745
  • Native Slide Deck for Implant Card Webinar
  • Recording of the Implant Card Webinar

Implant Card Procedure Implant Card Requirement   A New Requirement of EU 2017/745

Implant Card Requirement, a new requirement from Regulation (EU) 2017/745.

One of the new changes to the regulation is an introduction of a new requirement for implantable devices. These devices must now come with an “implant card” that contains information about the implanted medical device for the patient. The responsibility of the implementation of the new implant card rules lies with the manufacturer of the implantable device and the health institution as required by the EU member states.

What is an implantable device?

Before discussing the specifics of the implant card, we must first define what an implantable device is to determine if the implant card requirements apply to your device or devices. Article 2 Definitions, number 5 of Regulation (EU) 2017/745 defines and outlines what is considered an implantable device.

(5) ‘implantable device’ means any device, including those that are partially or wholly absorbed, which is intended:

– to be introduced in the human body, or

– to replace an epithelial surface or the surface of the eye,

By clinical intervention and which is intended to remain in place after the procedure.

Any device intended to be partially introduced into the human body by clinical intervention and intended to remain in place after the procedure for at least 30 days shall also be deemed to be an implantable device;

(Taken from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745 English version)

Is my device considered implantable?

Working with the above definition of an implantable device, you can now compare those requirements against your own devices to determine if they are considered to be an implantable device or not. This can be done by performing a gap analysis of the definition against your device.

Consider what your device is and ask yourself the following questions:

Is my device intended to be partially or wholly absorbed?

If the answer is no, then your device may not be an implantable one. If it is, then you must keep asking yourself questions until you can sufficiently determine your device’s status as implantable or not.

Is my device intended to be introduced in the human body?

No. Ok, that is fine, but is it intended to replace an epithelial surface or the surface of the eye?

To make an awful analogy of the process, it is almost like playing a game of Guess Who with your device. Instead of asking your device if they have red hair or a mustache, you have to ask your device questions like, “Are you intended to remain in place after the procedure?”.

The gap analysis is fine, but you also have to consider some other factors within the wording of the definition. Be careful navigating the specifics because the devil is in the details. In the definition, which is only eighty-nine words long, by the way, uses the word “intended” three different times.

That is important because the definition applies not only to some of the characteristics and uses of the device but also to the intent behind the device. Just because the device can be wholly introduced into the body does not mean that the device is ‘intended’ to be. A better example would be, by clinical intervention, can your device remain in place after the procedure? Could it, perhaps, but is it intended to be? Also, is it the intent of the device to be done so by clinical intervention?

Where to find the implant card requirement?

Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices is where the introduction of implant cards can be found. The definition of an implantable device is found in Article 2 Definitions, definition number 5.

Article 18- ‘Implant card and information to be supplied to the patient with an implanted device’ is where the implant card requirements can be found. This article contains three sections and four subsections pertaining to implant cards.

Article 18 Implant card requirement and information to be supplied to the patient with an implanted device

Below is article 18 in its entirety so that we can discuss it further in detail.

“1. The manufacturer of an implantable device shall provide together with the device the following:

(a) information allowing the identification of the device, including the device name, serial number, lot number, the UDI, the device model, as well as the name, address and the website of the manufacturer;

 

(b) any warnings, precautions or measures to be taken by the patient or a healthcare professional with regard to reciprocal interference with reasonably foreseeable external influences, medical examinations or environmental conditions;

 

(c) any information about the expected lifetime of the device and any necessary follow-up;

 

(d) any other information to ensure the safe use of the device by the patient, including the information in point (u) of Section 23.4 of Annex I.

The information referred to in the first subparagraph shall be provided, to make it available to the particular patient who has been implanted with the device, by any means that allow rapid access to that information and shall be stated in the language(s) determined by the concerned Member State. The information shall be written in a way that is readily understood by a layperson and shall be updated where appropriate. Updates of the information shall be made available to the patient via the website mentioned in point (a) of the first subparagraph.

Also, the manufacturer shall provide the information referred to in point (a) of the first subparagraph on an implant card delivered with the device.

  1. The Member States shall require health institutions to make the information referred to in paragraph 1 available, by any means that allow rapid access to that information, to any patients who have been implanted with the device, together with the implant card, which shall bear their identity.
  2. The following implants shall be exempted from the obligations laid down in this Article: sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips, and connectors. The Commission is empowered to adopt delegated acts in accordance with Article 115 to amend this list by adding other types of implants to it or by removing implants therefrom.”

(taken from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745)

Who does the implant card requirement apply to?

Section 1. of Article 18 states explicitly that it is the manufacturer who shall supply the information. Fortunately, it is also outlined what information needs to be included and some guidance on how to provide the information.

Take note, though, that the article states it “shall” be provided, “together with the device.” This means that merely having the information available or accessible such as a downloaded PDF on your website, is not sufficient to comply with section 1. Because that is not being supplied together with the device as outlined.

Section 2. of Article 18 applies to member states’ requirements of health care institutions.

Section 1 of Article 18

Section 1 is by far the most extended section of the article and outlines precisely what information must be provided with the implantable device. Not only is this information that must be provided, it specifically must be provided by the manufacturer. The subsections are broken down by topic and can be summarized as the information, warning, maintenance, and misc. Sections.

Section 1. Sub-Section A

This sub-section outlines the specific identifying information that must be provided. It is even specifically “information allowing the identification of the device.” For devices that are produced and manufactured compliant with other standards such as ISO 13485 or the QSR portion of the United States Code of Federal Regulations, a lot of this information is the same information that is required for traceability.

Besides the generic “information allowing the identification of the device,” the other specific information that ‘shall’ be provided is:

  • The name of the device,
  • The device serial number,
  • The lot number of the device,
  • The UDI,
  • The model of the device,
  • The name of the manufacturer,
  • The manufacturers address,
  • The manufacturers’ website.

They don’t just want your device’s driver’s license; they want the driver’s license, library card, passport, blood type, and favorite color. This is done for a purpose but also carries some implications on the maintenance actions of the manufacturer.

First such strict ID requirements mean that the device is traceable and identifiable. There should be absolutely no doubt about who made the device. In the event of an incident, that device should be traceable back to when and where the individual components were created and assembled into the final device. For traceability of an incident, tracking for corrective or preventive action, or just general inventory tracking this is the type of strict diligence that is expected when the end-user or patient is receiving medical care with an implantable device. There is no demonizing of this requirement. Yes, it is strict, but it is also just part of good housekeeping for a manufacturer in general. Only now it must be provided to the patient receiving care with the device as well.

What is implied is that the information provided along with the device is somewhat of a living document, and the information could vary a bit from patient to patient. Because things like lot numbers or any number of trackable metrics used with the UDI are included, the implant card information cannot be generically the same for each device but that it will have sections that are specific to individual devices. Sure this may initially create some logistical headaches for keeping track that the implant cards don’t get mixed up in situations where the devices are being manufactured, but this creates a level of accountability that is designed for the ultimate safety of the end patient.

Section 1. Sub-section B

Sub-section B contains the warning information of the device. The first part is pretty self-explanatory as meaning literally what is stated “any warnings” and “precautions”. It is the next part that I do not interpret literally. Where it says “measures to be taken by the patient or a healthcare professional with regard to reciprocal interference with reasonably foreseeable external influences, medical examinations or environmental conditions”.

If I were the manufacture of an implantable medical device, I would most definitely include measures to be taken by the patient as well as measures to be taken by a healthcare professional. There are a couple of spots that use the word ‘or’, and if it were me, I would read it ‘as well as’.

I say that for a few reasons. One is that without explicit clarification of a governing body as exactly what a silly little word like that is intended to me, this creates an area that is open for debate. Does that ‘or’ mean that at least one of those needs to be included and the rest can be excluded?

As one who likes to err on the side of caution, if you have the information available, why would you not provide it? By going above and beyond not only demonstrates your goodwill but also avoids hang-ups where an auditor might not agree with how you viewed the requirement, and you end up with a nonconformity, or in the same situation with an incident investigator. Ink is cheap; liabilities are expensive.

Section 1. Sub-section C, and Sub-section D.

These two subsections are relatively short and straight forward.

“(c)         any information about the expected lifetime of the device and any necessary follow-up;

How long can the user expect your device to last once it has been implanted?  I there any maintenance they should be performed? Perhaps once a year, a physician needs to double-check the device placement?

(d)         any other information to ensure the safe use of the device by the patient, including the information in point (u) of Section 23.4 of Annex I.”

The rest of Section 1. Of Article 18.

“The information referred to in the first subparagraph shall be provided, to make it available to the particular patient who has been implanted with the device, by any means that allow rapid access to that information and shall be stated in the language(s) determined by the concerned Member State. The information shall be written in a way that is readily understood by a layperson and shall be updated where appropriate. Updates of the information shall be made available to the patient via the website mentioned in point (a) of the first subparagraph.

Also, the manufacturer shall provide the information referred to in point (a) of the first subparagraph on an implant card delivered with the device.”

(Taken from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745 English version)

At the end of this section, it provides a little bit more information about the purpose of the article but also lays out some guidelines for how to make the required information available.

I specifically mentioned earlier that having the information slapped on a website is not enough by itself. The text states, “any means that allow rapid access to that information”. Certainly, available on the internet is a means that allows rapid access, and it is if you have internet. Using a web-based approach like that is assuming that all the possible patients all have the technology and budget to reach the information. This means that every single possible patient needs a means to access the internet, and the money to pay for internet access. Also, being able to simply access the information rapidly isn’t necessarily providing the information “together with the device” as required.

You also need to have a conversation with your notified body and determine what languages are required by the member state in which your device is sold. It does not do the patient much good if they do not understand the language in which the information is being presented. It also needs to be presented in easy to understand terms, not in technical jargon.

Updates, unlike the initial presentation of information, needs to be included on your website. Specifically, the website that was included in the implant card given to the patient.

Section 2. of Article 18

Unlike what we saw in Section 1. Section 2. Outlines requirements for the health institutions and not the manufacturer. More specifically, Section 2. Requires member states to require health institutions to perform actions.

This section makes health institutions provide the same information that manufacturers had to provide to patients who have been implanted with a device, with the same stipulations as to how the information is provided. However, it also includes the health institution to include their identity on the implant card as well.

  1. Member States shall require health institutions to make the information referred to in paragraph 1 available, by any means that allow rapid access to that information, to any patients who have been implanted with the device, together with the implant card, which shall bear their identity.

(Taken from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745 English version)

Exemptions allowed in Article 18.

Section 3 of Article 18 is the list of exempted implants, exempted devices are:

  • Sutures
  • Staples
  • Dental Fillings
  • Dental Braces
  • Tooth Crowns
  • Screws
  • Wedges
  • Plates
  • Wires
  • Pins
  • Clips

This is not an exhaustive list and can change with time at the discretion of the Commission. What it has done is taken implanted devices and exempted some of the most common and widely used ones. Thankfully so too, imagine if every staple needed an implant card to be presented to the receiving patient with individual batch and identifying numbers. Then coordinate the effort with a health institution so that the card also bears their identification as well. This would quickly become exhaustive.

  1. The following implants shall be exempted from the obligations laid down in this Article: sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips, and connectors. The Commission is empowered to adopt delegated acts in accordance with Article 115 to amend this list by adding other types of implants to it or by removing implants therefrom.”

(Taken from http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745 English version)

Implant Card Requirement – A New Requirement of EU 2017/745 Read More »

Auditing Technical Files

This article explains what to look at and what to look for when you are auditing technical files to the new Regulation (EU) 2017/745 for medical devices.

Your cart is empty

Auditing Technical Files what to look at and what to look for 1024x681 Auditing Technical Files

On August 8th, 2019, we recorded a live webinar teaching you what to look at and what to look for when you are auditing technical files (a link for purchasing the webinar is at the end of this article). Technical files are the technical documentation required for CE Marking of medical devices. Most quality system auditors are trained on how to audit to ISO 13485:2016 (or an earlier version of that standard), but very few quality system auditors have the training necessary to audit technical files.

Why you’re not qualified to auditing technical files

If you are a lead auditor, you are probably a quality manager or a quality engineer. You have experience performing verification testing and validation testing, but you have not prepared a complete technical file yourself. You certainly can’t describe yourself as a regulatory expert. You are a quality system expert. A couple of webinars on the new European regulations are not enough to feel confident about exactly what the content and format of a technical file for CE marking should be.

Creating an auditing checklist

Most auditors attempt to prepare for auditing the new EU medical device regulations by creating a checklist. The auditor copies each section of the regulation into the left column of a table. Then the auditor plans to fill in the right-hand columns of the table (i.e., the audit checklist), with the records they looked at and what they looked for in the records. Unfortunately, if you have never created an Essential Requirements Checklist (ERC) before, you can only write in your audit notes that the checklist was completed and what the revision date is. How would you know if the ERC was correctly completed?

In addition to the ERC, now called the Essential Performance and Safety Requirements (i.e., Annex I of new EU regulations), you also need to audit all the Technical Documentation requirements (i.e., Annex II), all the Technical Documentation on Post-Market Surveillance (i.e., Annex III), and the Declaration of Conformity (i.e., Annex IV). These four annexes are 19 pages long. If you try to copy and paste each section into an audit checklist, you will have a 25-page checklist with more than 400 things to check. The result will be a bunch of checkboxes marked “Yes,” and your audit will add no value.

Audits are just samples

Every auditor is trained that audits are just samples. You can’t review 100% of the records during an audit. You can only sample the records as a “spot check.” The average technical file is more than 1,000 pages long, and most medical device manufacturers have multiple technical files. A small company might have four technical files. A medium-sized company might have 20 technical files, and a large device company might have over 100 files. (…and you thought the 177-page regulation was long.)

Instead of checking many boxes, “Yes,” you should look for specific things in your audit records. You also need a plan for what records to audit. Your plan should focus on the essential records and any problem areas identified during previous audits. You should always start with a list of the previous problem areas because there should be corrective actions that were implemented, and the effectiveness of corrective actions needs to be verified.

Which records are most valuable when auditing technical files?

I recommend selecting 5-7 records to sample. My choices would be: 1) the ERC checklist, 2) the Declaration of Conformity, 3) labeling, 4) the risk management file, 5) the clinical evaluation report, and 6) post-market surveillance reports, and 7) design verification and validation testing for the most recent design changes. You could argue that my choices are arbitrary, but an auditor can always ask the person they are planning to audit if these records would be the records that the company is most concerned about. If the person has other suggestions, you can change which records your sample. However, you don’t want to sample the same records every year. Try mixing it up each year by dropping the records that looked great the previous year, and adding a few new records to your list this year.

What to look for when auditing technical files

The first thing to look for when you audit records: has the record been updated as required? Some records have a required frequency for updating, while other records only need to be updated when there is a change. If the record is more than three years old, it is probably outdated. For clinical evaluation reports and post-market surveillance reports, the new EU regulations require updating these reports annually for implantable devices. For lower-risk devices, these reports should be updated every other year or once every three years at a minimum.

Design verification and design validation report typically only require revisions when a design change is made, but a device seldom goes three years without a single change–especially devices containing software. However, any EO sterilized product requires re-validation of the EO sterilization process at least once every two years. You also need to consider any process changes, supplier changes, labeling changes, and changes to any applicable harmonized standards.

Finally, if there have been any complaints or adverse events, then the risk management file probably required updates to reflect new information related to the risk analysis.

Which record should you audit first?

The ERC, or Essential Performance and Safety Requirements checklist, is the record you should audit first. First, you should verify that the checklist is organized for the most current regulations. If the general requirements end with section 6a, then the checklist has not been updated from the MDD to the new regulations–which contains nine sections in the general requirements. Second, you should make sure that the harmonized standards listed are the most current versions of standards. Third, you should ensure that the most current verification and validation reports are listed–rather than an obsolete reports.

More auditor training on technical files…

We recorded a live webinar intended to teach internal auditors and consultants how to perform a thorough audit of CE Marking Technical Files against the requirements of the new European regulations–Regulation (EU) 2017/745.

With access to this training webinar, we are also providing a native presentation slide deck, and an audit report template, including checklist items for each of the requirements in Annex I, II, III, and IV of the MDR.

Slide1 300x225 Auditing Technical Files

We also provide an exam (i.e., a 10-question quiz) to verify training effectiveness for internal auditors performing technical file auditing. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. If you have more than one person that requires a training certificate, we charge $49/exam graded–invoiced upon completion of grading.

Technical File Audit Report Auditing Technical Files
Technical File Auditing for Compliance with MDR
This webinar provides an audit report template and teaches auditors how to conduct technical file auditing for compliance with Regulation (EU) 2017/745.
Price: $129.00

In addition to this webinar on auditing technical files, other training webinars are available. For example, we have a webinar on risk management training. If your firm is preparing for compliance with the new MDR, you might also be interested in the following information provided on this website:

Please note: A link for logging into this Zoom webinar will be delivered to the email address provided in the shopping cart transaction. After verifying the transaction, please check your email for the login information. To view the available webinars, click here. If you cannot participate in the live Zoom webinar, a link for downloading the recording will be emailed to you.

Auditing Technical Files Read More »

MDR Quality Plan – for EU Regulation 2017/745 Compliance

This article outlines an EU MDR quality plan for compliance with European Regulation 2017/745 for medical devices by the May 26, 2020 transition deadline.

Days until MDR Transition 1024x126 MDR Quality Plan   for EU Regulation 2017/745 Compliance

Biggest MDR quality plan mistakes

Implementing an MDR quality plan is not just about updating your technical file and the procedures specific to CE Marking of medical devices. You need to make sure that you have planned to provide adequate resources for the successful implementation of your plan. Resources fall into four major categories, and all four should be addressed in a formal MDR quality plan that you have reviewed and approved during a management review meeting (i.e., ISO 13485:2016, Clause 5.6.3d). First, you need to provide adequate training. Second, you need to provide adequate equipment–such as UDI printing software and an electronic quality system database. Third, you need to provide adequate personnel. Fourth, you need to revise and update your quality system procedures.

European companies concentrated enormous resources in 2018 to prepare for the implementation of the EU Regulations in 2020. This may seem early, but most of those companies are realizing they should have started in 2017–immediately after Regulation 2017/745 was approved by the European Parliament and Council. In contrast, most companies in the USA were focusing on ISO 13485:2016 certification and MDSAP certification. Unfortunately, many CEOs were told that there is a “soft-transition,” and they have until 2024 to implement the new regulations. While it is true that most CE Certificates issued by notified bodies will be valid until their expiration date, and that date could be as late as May 25, 2024, it is not true that companies have until 2024 implement the new regulations. Quality system requirements in Article 10 of the MDR, and compliance with the MDR for economic operators, must be implemented by May 26, 2020. Any medical devices that are being reclassified will require full implementation by May 26, 2020, as well. Finally, notified bodies cannot renew 100% of the CE Certificates on May 25, 2020, to give manufacturers the full 4-year transition for certificates. Your certificate will expire based upon the certificate renewal cycle that is already established.

Required procedures for your EU MDR quality plan

You might not know that ISO 13485:2016 certification is not required for CE Marking of medical devices. Although ISO 13485 certification is the most popular way for companies to demonstrate quality system compliance with EU regulations, the actual requirement is to comply with the thirteen procedural requirements in Article 10 of EU Regulation 2017/745. Specifically, those thirteen procedures are:

  1. Conformity assessment procedure / significant change procedure – SYS-025
  2. Identification of safety and performance requirements (i.e., Essential Requirements Checklist) – FRM-038
  3. Management responsibilities – SYS-003
  4. Resource management, including suppliers – SYS-004 and SYS-011
  5. Risk management – SYS-010
  6. Clinical evaluation – SYS-041
  7. Product realization, including design, production, and service – SYS-008, SYS-012, and SYS-013
  8. UDI requirements – SYS-039
  9. Post-market surveillance – SYS-019
  10. Communication with competent authorities notified bodies and other economic operators – SYS-049 (new requirement)
  11. Vigilance reporting, including serious incidents and field safety corrective actions – SYS-036 and SYS-020
  12. Corrective and preventive actions – SYS-024
  13. Monitoring and measurement of processes – SYS-017

Note: If you are interested in one of the procedures listed above that does not have a hyperlink, please contact me via email at rob@13485cert.com. The procedures are available, and the links will be provided during the next two weeks. The only exception is SYS-026. That is a new procedure in draft format, and it will be the subject of a future blog. Medical Device Academy will be revising each of the above procedures for compliance with EU Regulation 2017/745 in accordance with the MDR quality plan that we have outlined in this blog article. These procedures are all compliant with ISO 13485:2016, and updates for compliance with the EU MDR will be made available at no additional charge.

The priority of requirements for MDR quality plan

There are seven major changes required for compliance with the European Regulation 2017/745. These priorities are listed in order of highest to lowest effort and cost that will be required to comply, rather than the chronological order. First, some medical devices are being reclassified. Second, new CE certificates must be issued under the new conformity assessment processes. Third, technical documentation must be updated to meet Annex II of Regulation 2017/745. Fourth, post-market surveillance documentation must be updated to comply with Annex III of Regulation 2017/745. Fifth, specific documentation must be uploaded to the Eudamed. Specifically, manufacturers must upload UDI data, labeling, and periodic safety update reports (PSUR). Sixth, all economic operators must be registered with Eudamed and comply with Regulation 2017/745, or new economic operators will need to be selected. Seventh, quality system procedures will need to be updated to comply with Regulation 2017/745.

The implementation timeline for MDR quality plan

If any of your devices are being reclassified, you will need to implement all of the above changes before the May 26, 2020 transition date. For example, reusable medical instruments are currently Class I medical devices, and manufacturers utilize Annex VII of the MDD as the conformity assessment process. Under EU Regulation 2017/745, these reusable instruments will require notified body involvement to issue a CE Certificate. This is a lot of work to complete in 17 months (i.e., 513 days and counting), and notified bodies will have a large backlog of technical files to review for existing customers before they can review documentation for new customers.

If your company already has CE Certificates for your medical devices, and none of your devices are being reclassified, you will need to implement only the sixth and seventh items listed above before the May 26, 2020 deadline. Uploading information to Eudamed is likely to be extended beyond the May 26, 2020 deadline, and the transition may be staggered by risk classification–just as the US FDA did for UDI implementation in the USA. The second, third, and fourth changes listed above will require compliance before your existing CE Certificate(s) expire. The best-case scenario could be four (4) years after the transition deadline.

MDR Quality Plan – for EU Regulation 2017/745 Compliance Read More »

MEDDEV 2.7/1 rev 4: How will your clinical evaluation change?

Article overviews of the new MEDDEV 2.7/1 rev 4 for clinical evaluation of medical devices, including a quality plan to comply with the latest revision.

MEDDEV 271 rev 4 MEDDEV 2.7/1 rev 4: How will your clinical evaluation change?

What’s new in MEDDEV 2.7/1 rev 4 for clinical evaluations?

The third and fourth revisions both give manufacturers three choices: 1) a clinical literature review, 2) performing a clinical study, and 3) a combination of literature review and performing a clinical study. However, the fourth revision is completely re-written. The fourth edition is 19 pages longer, and it is now much harder to use the “literature only” route. The fourth revision includes stringent requirements for demonstrating equivalence between another device and your device. Therefore, many companies are now struggling to update their clinical evaluation reports to satisfy this new guidance document.

Overview of the content in MEDDEV 2.7/1 rev 4

The third and fourth revisions of the guidance both have a 5-stage process for clinical evaluations, but in the third revision, only articulated stages 1 through 3 as stages leading up to writing a clinical evaluation report. The figure in section 6.3 of revision four now identifies a planning Stage 0, and the writing of the clinical evaluation report is referred to as Stage 4. Therefore, there is a lot more detail describing the planning and report writing stages than there was in revision 3. In addition, Stage 2 (Appraisal of clinical data) has been expanded from a single page to eight pages.

Based upon the above changes, you can infer that Competent Authorities have been unsatisfied with the quality of clinical data being provided to support the essential requirements for safety and performance. In turn, Notified Bodies are expected to be much more critical of the data presented, and more guidance is provided to manufacturers. There is also much more guidance and more examples provided in the appendices, while the 12-page clinical evaluation checklist that was provided in revision three has been replaced by one page of bulleted items for Notified Bodies to consider.

Demonstration of equivalence

It is no longer sufficient to list several devices that are similar to your device and include those devices in your search of clinical literature. Now you may only select one device for equivalence. You must also provide a thorough analysis of equivalence with that device based on clinical, technical, and biological characteristics. This comparison includes providing drawings or pictures to compare the size, shape, and elements of contact with the body.

Updating clinical evaluations

The new European Medical Device Regulations (EMDR) is expected to specify minimum requirements regarding the frequency of updating clinical evaluations, but MEDDEV 2.7/1 rev 4 discusses this in section 6.2.3. The frequency of updating your clinical evaluations must be justified and documented. Many considerations for this justification are discussed, but the end of that section indicates that devices with significant risks (e.g., implants) require at least annual updates to the clinical evaluation report. For devices with non-significant risks, and where the device is well established (e.g., a long clinical history), 2-5 years is the range of possible frequency. Longer than five years are not allowed.

Who should perform clinical evaluations?

Many device manufacturers are receiving nonconformities because the evaluators are not sufficiently qualified, or the qualifications are not documented. The qualifications must follow 6.4 of the new guidance, and the qualifications set by your company should be documented in your procedure for clinical evaluations. You will need to document these qualifications with more than an abstract, but you will also need to present a declaration of interest for each evaluator. Evaluators need knowledge in clinical study design, biostatistics, information management, regulatory requirements, and medical writing. Evaluators also need knowledge specific to the device, its technology, and its application. Evaluators must also have a higher education degree in the field and five years of experience or ten years of experience if they do not have a higher education degree. Due to the breadth and depth required of qualifications required, it may be necessary to assemble a team to perform evaluations.

Creating a quality plan for compliance with MEDDEV 2.7/1 rev 4

Seven steps need to be included in your quality plan for compliance with MEDDEV 2.7/1 rev 4:

  1. update your external standards to replace MEDDEV 2.7/1 rev 3 with MEDDEV 2.7/1 rev 4
  2. revise your procedure and associated templates for a literature review and clinical evaluation report to meet the requirements of MEDDEV 2.7/1 rev 4
  3. document the qualifications of evaluators for clinical evaluations
  4. document a plan/schedule for updating your clinical evaluation reports for each product family
  5. train evaluators, regulatory personnel and any applicable internal auditors on the requirements of MEDDEV 2.7/1 rev four and updated procedures and forms
  6. begin updating clinical evaluations according to your plan
  7. perform an internal audit of your clinical evaluation process

Learning more about MEDDEV 2.7/1 rev 4

If you are interested in learning more about this revised guidance document, please register for our live webinar on Friday, January 27 @ Noon EST by clicking on the button below.

Click Here 300x115 MEDDEV 2.7/1 rev 4: How will your clinical evaluation change?

MEDDEV 2.7/1 rev 4: How will your clinical evaluation change? Read More »

Finally, New European Medical Device Regulations are Confirmed!

This article announces confirmation of the New European Medical Device Regulations by negotiators of the Dutch presidency of the Council and EU Parliament.

Confirmed Finally, New European Medical Device Regulations are Confirmed!

Announcement of New European Medical Device Regulations

Yesterday, May 25, the European Parliament and the Dutch presidency of the Council reached an agreement and it was announced in press release.

The agreement is subject to confirmation by permanent members of the Council and Parliament’s Envi Committee. The new regulations include the following substantial changes:

  • A scrutiny process for high risk (i.e., Class IIb implants and Class III) products
  • Eudamed database will be expanded to provide public access to information about Notified Bodies, Economic Operators (i.e. – manufacturers, importers, distributors, authorized representatives, etc.) and comprehensive product information
  • Eudamed database will become publicly accessible for searching market surveillance and vigilance data (similar to the FDA’s MAUDE database)
  • Implementation of a Unique Device Identifier (UDI) requirement in Europe.

The Eudamed database will be an invaluable global resource for manufacturers, physician and patients.

Next Steps for New European Medical Device Regulations

The next step in the process of approving the new regulations is an invitation of the Council’s Permanent Representatives Committee and the Parliament’s ENVI Committee to endorse the agreement. The regulations will finally be adopted by the Council and the Parliament after Committee approvals and we can expect implementation of the regulations this fall. The new regulations will have a three year transition after publication for medical devices and a five year  transition for in vitro diagnostic medical devices.

MedTech Summit June 13-17

On June 13 I will be in Brussels at the MedTech Summit hosted by Informa Life Science. There will be 300+ attendees with a fantastic assembly of industry experts representing the Competent Authorities, Notified Bodies and manufacturers. This meeting provides a unique opportunity to learn and discuss the details of the New European Medical Device Regulations and the challenges we will all face in the preparation for the transition to the New European Medical Device Regulations. I will have the pleasure of speaking about risk management and its integration with device design, post-market surveillance and labeling. I will also be Chairperson for the Labeling Stream in June 16.

Please stay tuned to my blog feed. I will be posting related blogs over the next month.

Register for the MedTech Summit

Click on the blue text above to register or you can also call Informa Life Sciences at: +44 (0) 20 7017 7481 or registrations@informa-ls.com.

New Live Webinar on MDRs June 9, 2016

I’m releasing an updated procedure for MDRs and I am offering webinar bundle to train people how to comply with 21 CFR 803 and the procedure. The webinar is scheduled for June 9. I’m even offering two times to accommodate companies in Europe as well as the USA.

Here’s a link for the webinars page.

Finally, New European Medical Device Regulations are Confirmed! Read More »

Scroll to Top