If your company has or is looking to place medical devices on the EU market, you need to know about new requirements under Europe’s medical device and in-vitro diagnostic device regulations, MDR and IVDR respectively.
There are a number of quality management system (QMS) requirements that have been introduced under these regulations and device manufacturers will need to comply with all that apply, both for new and existing devices to be legally sold on the EU marketplace.
Here’s a quick rundown of some key updates you need to know about and apply within your QMS for compliance with EU MDR & IVDR:
If you’re already selling a device on the EU marketplace, the best place to start is making sure you have a good understanding of the current processes and procedures from within your quality system so you can determine exactly what’s needed for transitioning to the new requirements under MDR and IVDR.
Review applicable regulations and standards for each and determine any gaps in procedures and records. It’s important to do this as early as possible so that you’re not putting any product operations on hold while you scramble to meet new requirements.
If you’re new to the EU, then the best place to start is setting up your QMS according to the applicable requirements from ISO 13485:2016. You should also get in touch with a Notified Body as soon as possible to plan your upcoming audits.
Be prepared that many Notified Bodies are asking manufacturers for key information upfront, most of which can be found in the technical documentation for a medical device. The reason for this is so that the Notified Body can confirm they have what they need to conduct audits smoothly and in a timely manner.
Unlike the previous Medical Device Directive (MDD), the new EU MDR is less focused on the pre-approval stage of medical device manufacturing, and instead, promotes a life-cycle approach to medical device regulation.
The following QMS requirements are taken from the new EU MDR:
The quality management system shall address at least the following aspects:
A strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the devices covered by the system;
Identification of applicable general safety and performance requirements and exploration of options to address those requirements;
Responsibility of the management;
Resource management, including selection and control of suppliers and subcontractors;
Risk management as set out in Section 3 of Annex I;
Clinical evaluation in accordance with Article 61 and Annex XIV, including post-market surveillance follow-up (PMPF).
Product realization, including planning, design, development, production and service provision;
Verification of the UDI assignments made in accordance with Article 27(3) to all relevant devices and ensuring consistency and validity of the information provided in accordance with Article 29;
Setting-up, implementation and maintenance of a post-market surveillance system, in accordance with Article 83;
Handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders;
Processes for reporting of serious incidents and field safety corrective actions in the context of vigilance;
Management of corrective and preventive actions and verification of their effectiveness;
Processes for monitoring and measurement of output, data analysis and product improvement.
The unique device identification (UDI) requirements are also a significant change introduced in the new medical device regulation. Your device’s UDI information must be listed on your declaration of conformity and be uploaded to EUDAMED, which is continuing to be rolled out. Those familiar with the system equivalent in the US will see the similarities to those requirements from FDA.
The in-vitro diagnostic device regulation (IVDR) includes new requirements for risk classification, conformity assessment procedures, and clinical evidence which is to be managed within the manufacturer’s quality system.
The QMS requirements taken from the new EU IVDR should look familiar by now, as they are almost identical to the EU MDR requirements for QMS.
The quality management system shall address at least the following aspects:
A strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system.
Identification of applicable general safety and performance requirements and exploration of options to address those requirements.
Responsibility of the management.
Resource management, including selection and control of suppliers and sub-contractors;
Risk management as set out in Section 3 of Annex I.
Performance evaluation, in accordance with Article 56 and Annex XIII, including PMPF.
Product realisation, including planning, design, development, production and service provision.
Verification of the UDI assignments made in accordance with Article 24(3) to all relevant devices and ensuring consistency and validity of information provided in accordance with Article 26.
Setting-up, implementation and maintenance of a post-market surveillance system, in accordance with Article 78.
Handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders.
Processes for reporting of serious incidents and field safety corrective actions in the context of vigilance.
Management of corrective and preventive actions and verification of their effectiveness.
Processes for monitoring and measurement of output, data analysis and product improvement.
IVDR acknowledges that there is a requirement to reduce risks as far as possible, while also taking into account the “state of the art” status of these devices. Manufacturers will need to identify how a device meets these state of the art requirements and provide evidence to support this as part of its technical file.
Once again, post-market surveillance procedures and activities are a major QMS requirement of IVDR, too. An important part of complying with these requirements is making sure that as you monitor and gather feedback from users, you have a feedback loop system for going back and updating your risk management file in order to effectively monitor the performance of the device.
Regarding clinical data, there are updated requirements as well as the potential for additional ongoing clinical evidence requirements that may apply.
As indicated earlier, post-market surveillance (PMS) requirements are among the biggest changes under the MDR and IVDR. You need a PMS plan and to make consistent updates to your risk management file, technical file and clinical evaluation report. All Class I devices require a PMS report.
Under IVDR, the following areas are to be fed or updated from post-market surveillance data:
Some additional key considerations include what manufacturers must do when post-market data indicates an update is needed. You may need to update your performance monitoring data, your indications for use, your labeling, and any other area impacted. If any CAPAs are involved, you’ll need to update with any lessons learned from those.
Making these updates using a purpose-built QMS solution can significantly reduce the risk of human error and avoid costly rework. Greenlight Guru’s Document Management solution uses AI and ML technologies that allow manufacturers to seamlessly execute changes, gain visibility of all connections, and understand the impact and downstream effects of those updates on your quality system data.
Another requirement of IVDR states that for Class C and D devices that are outside of performance studies will need to have a safety and performance summary report. This report should live in a manufacturers’ quality system and be made easily accessible and clearly understood to end users and/or patients of the device. The requirement states that this report must also be uploaded to EUDAMED.
Here are four things that IVDR specifies must be included in a safety and performance summary report:
A description of the device, including a reference to the previous generation(s) or variants if such exist, and a description of the differences, as well as, where relevant, a description of any accessories, other devices and products, which are intended to be used in combination with the device;
The summary of the performance evaluation as referred to in Annex XIII, and relevant information on the post-market performance follow-up (PMPF);
Information on any residual risks and any undesirable effects, warnings and precautions.
Additional requirements per Article 29 IVDR.
Here are some additional quality system standard operating procedure (SOP) updates for MDR and IVDR:
From Article 86, all Class IIa, IIb and III medical devices must complete a periodic safety update report. For IIa devices, the requirement is that this must be done every two years; all other device classes have an annual requirement. Additionally, all Class III devices and implantable devices must submit their PSUR to EUDAMED.
What goes into this report? You should include the main findings of your post-market surveillance, any conclusions from your benefit-risk analysis, and all data from sales volume and usage of your device.
Your SOP’s need to be updated to reflect new requirements for incidents and FSCAs. You need to have templates or forms for reporting any serious incidents, and you also need detailed timeline requirements.
The new SOP outlines requirements for conducting a statistical analysis of incidents and reporting to EUDAMED. It also incorporates risk management considerations that should be followed during an investigation.
A new term to be familiar with here is economic operators, a group of entities, such as suppliers and manufacturers, which now carry their own set of requirements.
Each economic operator from within your supply chain must be part of a documented approval process and you must have an SOP for maintaining traceability throughout the supply chain.
Any distribution agreements should specify which economic operators are responsible for what, in relation to the specific regulations that apply. These documents are subject to audit scrutiny.
UDI requirements should be defined for each device in accordance with MDR. Your SOP needs to define storage for the UDI, with electronic document storage being the preferred option. The SOP must detail a process for importing UDI information into EUDAMED. You must also keep an up-to-date list of UDIs.
Your regulatory compliance officer plays an important role and must be qualified to do the job. You need to be able to show that the person you designate is regularly conducting reviews and has access to the most up-to-date and relevant information to do so.
This SOP update requires you to be able to show that your QMS is active and records are made available for 10-15 years after your last device is placed on the market.
An underlying expectation of both EU MDR and IVDR is that manufacturers keep good, transparent QMS records. In a few areas, the requirements even specify electronic records as the preferred format.
You need to be able to prove closed-loop quality system traceability and compliance with the requirements — an electronic QMS solution is the best way for you to do that. Greenlight Guru is the only eQMS software specifically built by medical device professionals for medical device professionals. You can easily compile, store, update, and share everything listed in the record-keeping requirements from MDR, IVDR, FDA, and more.
Get your free demo of Greenlight Guru now!
Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software
Etienne Nichols is a Medical Device Guru and Mechanical Engineer who loves learning and teaching how systems work together. He has both manufacturing and product development experience, even aiding in the development of combination drug-delivery devices, from startup to Fortune 500 companies and holds a Project...