Medizinische Fachangestellte benutzt ein Tablet
metamorworks / stock.adobe.com
2023-03-01 expert contribution

Approval, certification and CE marking of medical devices

How to bring medical technology and medical software onto the European market in a compliant manner 

Kontakt
Dipl.-Ing. Hans Wenner

Are you developing hardware or software for medical or health-related purposes and want to bring it to market? Then you are confronted with a multitude of laws, regulations, directives and standards, because before you can place your product on the market, you have to prove that it is safe and fulfills its medical purpose. We are happy to help you with our many years of experience. Together with you, we will bring your new product onto the regulated market safely, quickly and with as little effort as possible. 

But first, a conceptual clarification: strictly speaking, there is no "approval" of medical devices in Europe. The prerequisite for being able to legally market a medical device in Europe is a CE marking of the medical device. This is affixed by the manufacturer himself, provided he has proven that his product is safe and fulfills its medical purpose. For medical devices with a higher risk class than I, this is accompanied by certification by a notified body. Further testing and certification by testing houses may also be required, but there is no approving authority in Europe. 

Nevertheless, the term "approval" has also become commonplace for medical devices. No wonder, because the entire approval process is complicated enough. A little linguistic simplification is helpful. This technical article is intended to contribute a little to the simplification by showing the basic path to CE marking of medical devices. In addition to this basic path, there are many special rules, exceptions and specifics to consider, which we will not go into here. The pitfall is definitely in the detail work. 

Intended purpose: What exactly is the product supposed to do? 

At the beginning of the approval of a medical device is the question of its intended purpose. The intended purpose specifies the purposes for which a product may and may not be used. The manufacturer defines the intended purpose himself. If the product is used for purposes other than those intended by the manufacturer, the responsibility for such misuse lies at least in part with the user. 

The intended purpose determines in particular whether the product is a medical device from a regulatory point of view and whether the European Medical Device Regulations (MDR and IVDR) apply. In addition, the intended purpose decisively determines which risk class the product falls into. 

A product that is not a medical device may not be used as a medical device. A product that meets the requirements for a medical device, but which is not intended for this purpose by the manufacturer, may not as a rule be placed on the market as a product in circumvention of the requirements of the MDR or the IVDR. However, the demarcation in individual cases is difficult and may be subject to legal evaluation.  

Important components of the intended purpose are, for example, the: 

  • medical indication 
  • Patient groups 
  • Age groups 
  • Operator groups 
  • Product features 
  • Functional features 
  • Usage environment or 
  • Type of IT integration. 

The intended purpose significantly influences the scope of proof of the legal requirements. On the one hand, the goal should be to reduce the regulatory burden by focusing the purpose. On the other hand, a narrower purpose may mean a smaller patient group and thus a smaller market. Small patient groups may also be disadvantageous for clinical proof if it is difficult to include subjects or patients in the clinical trials. 

Note: In addition to the "intended purpose" of a medical device, its "intended use" is differentiated. You can find out why the two terms are similar but not synonymous in this technical article on the subject of the intended use of medical devices

Qualification: When is a product a medical device?

One of the most frequently discussed questions in the approval of a medical device is whether the product is a medical device at all. To answer this question, the intended purpose of the product must be compared with the medical device definition of the MDR or the IVDR. 

In simplified terms, the MDR defines medical devices as objects of all kinds including software primarily according to their areas of application. These are: 

  • Diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease. 
  • Diagnosis, monitoring, treatment, alleviation or compensation of injury or disability 
  • Examination, replacement, or modification of anatomy or of a physiological or pathological process or condition; and 
  • Obtaining information through the in vitro examination of specimens derived from the human body, including organ, blood and tissue donations.  

In addition, products for the prevention or promotion of conception and for cleaning, disinfection or sterilization are medical devices within the meaning of the law. 

Medical devices must be intended for human use. In addition, the principle of action is important. Medical devices act in or on the human body (exception: software), but not pharmacologically, metabolically or immunologically. The MDR also applies to certain products without a medical use, such as contact lenses. 

The IVDR supplements the MDR's definition of a medical device with specific aspects characteristic of in vitro diagnostic devices (IVDs). Accordingly, an IVD is used for the in vitro examination of samples derived from the human body, including blood and tissue donations, and is intended to provide certain diagnostic or therapeutic-relevant information. An IVD is also considered a medical device. 

Both MDR and IVDR also define accessories as items that are not medical devices per se, but are intended by the manufacturer to be used in conjunction with a medical device. 

Often, the qualification as a medical device turns out to be difficult. This is the case, for example, with: 

  • Wellness products 
  • Medicinal products 
  • Cosmetics 
  • products with cells or tissues 
  • biotechnological products 
  • personal protective equipment 
  • software 

Special rules apply to products that combine a medical device with an IVD or a drug. In the case of a combination with a medicinal product, the manufacturer must differentiate in particular the extent to which the device and the medicinal product belong together and the function of the medicinal product component with regard to the overall effect. The classification is then based on either medical device or drug regulations. 

As mentioned above, software as a medical device is often the subject of intense discussion when it comes to qualification. In the technical article "Medical Software and Medical Apps: Qualification, Classification and Approval as a Medical Device", we go into more detail about the specific requirements. 

Legal basis: Which laws, regulations or directives apply? 

Both the MDR and IVDR are European regulations and apply directly in all EU member states: 

  • Medical Devices Regulation EU (2017/745) (MDR) with an effective date of May 26, 2021. 
  • In vitro diagnostic medical devices regulation EU (2017/746) (IVDR) with an effective date of May 26, 2022. 

Both regulations already entered into force in 2017 and have already been amended or corrected several times. The transition period between the EU regulations and the old EU directives is currently still ongoing. Therefore, there are a number of transitional arrangements for products that have already been placed on the market under the old directives. 

Depending on what type of medical device it is, requirements of other EU regulations or directives may apply. These are, for example: 

  • Directive 2001/83/EC for medicinal products for human use 
  • Directive 2006/42/EC on machinery 
  • Regulation (EC) No. 1907/2006 on chemical substances (REACH) 
  • Regulation (EC) No. 1394/2007 on advanced therapy medicinal products (ATMP) 
  • Directive 2010/63/EU on the protection of animals used for scientific purposes 
  • Regulation (EU) No. 528/2012 on biocidal products 
  • Directive 2011/65/EU on substances in electrical and electronic equipment (RoHS II) 
  • Regulation (EU) No. 722/2012 on the use of active implantable medical devices and medical devices manufactured with tissues of animal origin 
  • Regulation (EU) No. 207/2012 on electronic instructions for use for medical devices. 
  • Directive 2013/59/Euratom on radiation protection 
  • Directive 2014/53/EU on radio equipment 
  • Regulation (EU) 2016/425 on personal protective equipment 
  • Regulation (EU) 2016/679 on data protection (DSGVO). 

European directives and regulations are joined on a case-by-case basis by implementing acts or delegated acts that supplement or update existing European laws. At the national level, the European laws are supplemented by further laws and regulations or transposed into national law. In Germany, these are primarily 

  • the Medical Device Law Implementation Act (MPDG), 
  • the Medical Devices Operator Ordinance (MPBetreibV) and 
  • the Medical Devices User Notification and Information Ordinance (MPAMIV). 

The MPDG has gradually replaced the "old" Medical Devices Act (MPG) in view of the transition from EU directives to EU regulations. The old Medical Devices Safety Plan Ordinance (MPSV) has become the MPAMIV, which has been adapted to the requirements of the MDR. The MPBetreibV has been retained, but also adapted in the course of the transition to the new EU regulations. 

In addition to the legal foundations, there are a large number of other regulatory documents, especially (harmonized) standards and various guidelines, above all those of the Medical Device Coordination Group (MDCG). In contrast to legal acts, such as laws, regulations and directives, the application of guidelines and standards is not mandatory, but "voluntary". Nevertheless, many of these standards and guidelines have become a de facto standard, and their application is assumed. 

Risk class: Which one does the product have? 

The MDR follows a risk-based approach and provides for the classification of products into risk classes I, IIa, IIb and III. The higher the number the higher the risk class and the higher the regulatory requirements to be met. The MDR includes 22 classification rules that the manufacturer must use to classify a product. The rules incorporate a number of criteria, including primarily technical, design, material and biological characteristics, invasiveness, duration of contact, site of action and method of use. 

Medical devices assigned to Class I that 

  • have a measuring function (class Im), 
  • are reusable surgical instruments (class Ir) or 
  • are to be placed on the market in sterile condition (class Is), 

represent a special case. Although these are medical devices of the lowest risk class I, the manufacturer must involve a Notified Body to a certain extent for the declaration of conformity. More on this in the following sections. 

The IVDR provides for risk classes A, B, C and D, with class A representing the lowest risk and class D representing the highest risk. The IVDR provides for 7 classification rules. Assignment to a risk class is based primarily on the use specified in the intended purpose. Class A IVDs placed on the market in a sterile condition (Class As) are a special case and require the involvement of a Notified Body. This is always the case for classes B, C and D. 

In the case of new products and their combinations, the risk classification of medical devices regularly leads to intensive discussions about the interpretation of the rules and always requires consideration of each individual case. Here, too, specific requirements apply to medical software, including Classification Rule 11 of the MDR. In our technical article "Classification of medical devices according to MDR: Rule 11 for software" we explain details. 

Economic operators: Who is the marketer? 

The MDR and the IVDR specify who must fulfill which requirements in order to be allowed to place a medical device on the European Union market. The regulations distinguish between individual economic operators. 

The central economic operator is the manufacturer itself, which the MDR defines as a natural or legal person who manufactures a product or has it developed, manufactured or reprocessed as a new product and markets this product under its own name or brand. Other economic operators are the authorized representative, distributor or importer, to whom different rights and obligations apply than to the manufacturer. 

The Regulations also define the concept of making a medical device available on the market as any supply of a device, other than investigational devices, for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge. 

Placing on the market, on the other hand, is the first time a medical device is made available on the market. Alternatively, a medical device may "only" be put into service on the market. Putting into service refers to the time at which a device, with the exception of investigational devices, is made available to the end user as a product that can be used for the first time on the Union market as a ready-to-use product in accordance with its intended purpose. 

The question of the constellation in which a product is developed and made available on the market decides quite decisively what marketing effort is incurred, which in turn must be refinanced on the market. Therefore, such a consideration should be carried out at the beginning of a product development and considered as part of the business model development. 

Obligations of manufacturers: What are the individual requirements? 

The manufacturer bears full responsibility for a given product and places it on the market with all rights and obligations. To this end, the manufacturer must prove that his product meets the requirements of the MDR or IVDR. A central role is played by the following points, which arise primarily from Article 10 of the MDR or IVDR: 

  • clinical evaluation (MDR) or performance evaluation (IVDR).  
  • Risk management system 
  • essential safety and performance requirements 
  • Quality management system 
  • instructions for use and labeling 
  • technical documentation 
  • liability insurance 
  • responsible person 
  • authorized representative 
  • registration 
  • Declaration of conformity 

The manufacturer must also fulfill all relevant obligations and requirements after placing a medical device on the market. The EU regulations always emphasize the importance of the entire product life cycle. 

Clinical evaluation or performance evaluation 

Manufacturers use clinical data to determine whether a medical device is safe and performs well. The MDR refers to this as clinical evaluation, while the IVDR refers to it as performance evaluation. 

At its core, a clinical evaluation is a systematic collection and evaluation of clinical data from a wide variety of sources. According to the MDR, the manufacturer is required to conduct a clinical evaluation throughout the product life cycle. Thus, a clinical evaluation also includes a clinical follow-up of the medical device in the market. Clinical evaluation must be part of the quality management system and is closely linked to risk management. These requirements also apply to performance evaluation for IVDs. 

The manufacturer demonstrates that the medical device  

  • Achieves the intended performance, 
  • is designed and manufactured to be fit for its intended purpose,  
  • is safe and effective,  
  • does not compromise the clinical condition and safety of patients or the safety and health of users or third parties, as applicable, 
  • has an acceptable benefit-risk profile, 
  • is compatible with a high level of health protection and safety, and  
  • is based on the generally accepted state of the art. 

The clinical benefit-risk profile therefore plays an important role. Here, manufacturers must weigh the clinical benefits against the clinical risks, including undesirable side effects, according to  

  • Type of effect, 
  • intensity, 
  • duration and 
  • frequency  

in the most precisely defined target group and indication qualitatively and, if possible, also quantitatively. 

The performance evaluation required by the IVDR focuses on demonstrating the 

  • scientific validity, 
  • analytical performance, and 
  • clinical performance.  

Clinical data are indications of the safety or performance of a device and can come from the following sources:  

  • clinical trials or performance studies of a device,  
  • other studies reported in the scientific literature on a product that can be shown to be similar to the product in question,  
  • peer-reviewed scientific literature on other clinical experience with either the product in question or a product that can be shown to be similar to the product in question, 
  • evidence obtained from routine diagnostic testing (in the case of performance evaluations), or  
  • clinically relevant data from post-marketing surveillance (clinical follow-up). 

The MDR uses the term "clinical trial" instead of the more commonly used term "clinical study". The IVDR refers to "performance studies". 

In principle, the manufacturer conducts clinical trials when it  

  • wants to market a product with new functions and properties,  
  • has modified a medical device in such a way that safety and performance are affected, 
  • market a medical device with a new intended purpose, or  
  • wishes to market implantable devices or devices in risk class III.  

In the latter case, however, there are a number of exceptions. 

At the outset of a new project, it should be clear what specific medical use and medical need is being addressed and what product claim will be derived from that. The clinical evaluation must confirm this and should therefore be considered from the beginning of the project. Therefore, clinical evaluation is best started at the same time as the development of a new product begins. 

Clinical evaluation and especially clinical testing are among the most time-consuming components of medical device approval. In the articles "Clinical evaluation of medical devices according to MDR" and "Clinical investigations of medical devices according to MDR" we discuss the requirements in detail. 

Risk management system 

The use of medical devices always involves risks for patients and users. These risks must be as low as possible compared to the benefits of a medical device. Manufacturers of medical devices must therefore establish a risk management process. This process is described for medical devices in the ISO 149714 standard. EU regulations explicitly require medical device manufacturers to keep risk management up to date throughout the product life cycle. 

When medical devices are used, desired and undesired effects occur. The desired effects are part of the intended use of medical devices. The undesired effects are "side effects." In addition, unexpected events may occur, which may then result in undesirable effects. In risk assessment, the manufacturer systematically analyzes these effects and assigns severity levels.  

In addition to the severity level, the probability of occurrence is decisive, i.e., the probability of an undesirable effect occurring in conjunction with the probability that an undesirable effect will lead to harm. The risk posed by a medical device is the combination of severity levels and probabilities of adverse effects. 

The manufacturer relates the risks to the expected benefits. A product is only sufficiently safe if the benefits outweigh the risks. The manufacturer defines his risk acceptance criteria in this way. At this point, the connection between risk management and clinical evaluation also becomes clear. There, too, the (clinical) benefit-risk profile is the focus of consideration. The MDR and the IVDR therefore explicitly call for both processes to be appropriately linked. 

The definition of a sufficient benefit-risk profile by the manufacturer is very important for the subsequent marketing of the product. For a company, risks in terms of reputation, liability and financial loss are at stake. Therefore, manufacturers are well advised not to leave this decision to individuals. It is important to involve different professional viewpoints and top management at this point. 

Risk management is one of our top topics. We regularly offer hands-on training on this. With the ARGOS process, we have also developed a special cybersecurity risk management approach for medical devices. If you would like to delve into the topic in more detail, we recommend our technical article "Risk Management for Medical Devices: ISO 14971". 

Essential safety and performance requirements 

The MDR and IVDR define extensive essential safety and performance requirements. In individual cases, the applicability of the safety and performance requirements depends on the nature of a product. For example, a medical app does not need to meet requirements related to the surface properties of a material. Or the development of a novel wound dressing generally does not require consideration of exposure to ionizing radiation. The manufacturer thus identifies the safety and performance requirements applicable to his product. In particular, he uses the results of the risk management process for this purpose. 

The next step is to prove that the individual requirements are met. As a rule, the manufacturer uses technical standards for this purpose. The EU regulations explicitly require that the state of the art be taken into account and refer to the use of harmonized standards. Harmonized standards are listed in the Official Journal of the EU and have the advantage of triggering a presumption of conformity. When a manufacturer applies a harmonized standard, there is a presumption that the corresponding safety and performance requirement of the EU regulation is met. Unfortunately, the process of harmonizing standards has stalled in recent years. Currently, there are very few harmonized standards that reference the safety and performance requirements of the MDR as well as the IVDR. Standards harmonized with EU directives and listed in the Official Journal of Europe do not trigger presumption of conformity with EU regulations. In addition, the listed harmonized standards have in most cases been superseded by more recent editions. 

The application of standards is not mandatory. Manufacturers may also apply other technical documents. Ultimately, it is a matter of meeting the requirements of the EU regulations and making this technically plausible. Since the state of the art must be taken into account in any case, it is recommended to always use current documents, i.e. in the case of standards, always the current edition. It is also advisable to always use documents that can be assumed to have the broadest possible acceptance and high technical quality. This speaks in favor of using international ISO or IEC standards that have been developed in an international consensus process. 

In many cases, product testing is required to demonstrate compliance with safety and performance requirements. In most cases, the test requirements are presented in the corresponding standards. Product tests are carried out by accredited testing institutes such as the VDE Institute, which issue a test certificate after successful testing. The test certificate is then an important part of the inspection of the technical documentation by a Notified Body. 

Quality management system 

The quality management system is a central component of a medical device manufacturer. With the MDR and the IVDR, the importance of quality management has increased even further. Manufacturers of medical devices in risk class I are also required to have a quality management system. Many other requirements are directly linked to quality management. 

The goal of quality management is to achieve defined quality objectives in a reproducible manner. To this end, an organization systematizes all workflows, defines processes based on them, and documents them. The quality management system thus encompasses all the work processes of an organization, including their documentation. 

A quality management system is not static. The goal is to achieve continuous improvements in quality and to meet the requirements of all stakeholders. Therefore, the organization must continuously control the processes and implement improvement measures. This is where the PDCA cycle model plays an important role, describing a cycle of Plan > Do > Check > Act. The latter step includes ongoing corrective and preventive actions (CAPA).  

The quality management system considers 3 types of processes: 

  • Management Processes, 
  • core processes and 
  • support processes.  

The core processes comprise the value-adding workflows, i.e. this is where the organization plans, develops, produces and markets its products or services. The support processes relate, for example, to material procurement or corrective and improvement measures. In particular, the management processes define the quality objectives, provide resources and infrastructure, and communicate the quality philosophy to the organization.  

ISO 9001 is the internationally recognized standard for quality management systems. It focuses on improving customer satisfaction. In the case of medical devices, however, this is not the only decisive requirement. Here, in particular, the quality objective of patient safety is added. 

For this reason, the ISO 13485 standard extends the requirements for a quality management system when it comes to the provision of medical devices and associated services. Manufacturers must meet both customer and regulatory requirements, which result in detail from the MDR and IVDR. The standard can also be applied by suppliers providing products or associated services. Our technical article "Quality management for medical devices according to MDR and ISO 13485" explains further details. 

Instructions for use and labeling 

EU regulations require manufacturers to provide a comprehensive and defined set of information about the product. Such information may appear on the product itself, on labels, packaging or in the instructions for use. The essential safety and performance requirements contain a list of information that must be included in the instructions for use or as part of the product labeling. 

The instructions for use ("user manual") are the information provided by the manufacturer to inform the user about the intended purpose and correct use of a product and about any precautionary measures to be taken. Residual risks identified as a result of risk management and of which a user must be informed are included as restrictions, contraindications, precautions or warnings in the instructions for use or labels. 

Instructions for use should be provided with each product. Exceptions include, for example, IVDs and Class I and IIa medical devices, whose safe and intended use is acceptable without such information. In certain cases, the instructions for use may also be available to the user exclusively in electronic form.  The technical paper "Instructions for use for medical devices" provides more detailed information on the relevant requirements and their implementation. 

Labeling means written, printed, or graphically represented information placed either on the product itself or on the packaging of each unit or on the packaging of multiple products. Labeling includes, but is not limited to, the name or trade name of the product, the manufacturer's address, and details identifying the product. This includes the Unique Device Identifier (UDI), newly introduced with the MDR and IVDR, as a unique product identifier. The UDI concept is further explained in the following sections. 

Instructions for use and labeling must be provided in the official languages of the EU Member States in which the product is to be sold. EU Member States may also specify alternative languages. Information on the safe use of the device (e.g. precautions, warnings) must always be displayed in the national languages. Manufacturers of implants must also provide an implant ID card for identification and information access about the implant. 

Technical documentation

The technical documentation is a compilation of all relevant documents of a product. It must be kept up to date throughout the entire product life cycle. The technical documentation is the basis for the conformity assessment and thus for the CE marking of a product. 

MDR and IVDR specify in detail how technical documentation should be structured. The technical documentation is part of the documentation obligations even after the product has been placed on the market. Manufacturers should note that they can make the technical documentation available to the competent authorities for at least 10 years after placing a product on the market. For implants, this minimum period is extended to 15 years. 

If a competent authority checks whether an assessment by a notified body has been properly carried out, this also includes the technical documentation of a medical device. In addition, a Member State in which a Notified Body is established may require that documentation, including technical documentation, be provided. 

The EU regulations structure the technical documentation as follows: 

  • Product description: This section serves to clearly describe and identify the product. It indicates the functional elements and mode of action of the product and how it performs as intended. The manufacturer also presents the risk classification of the device and justifies why it is a medical device. In addition, this section includes information on the UDI, the Declaration of Conformity, and the Summary Safety and Clinical Performance Report in the case of implantable and Class III medical devices. 
  • Manufacturer Information: In this section, the manufacturer provides all information required by the device user. Essential contents of this section refer to the product labeling and the instructions for use. 
  • Design and manufacture: In this section, the manufacturer describes the phases of product design and manufacture. There is a close link with quality management. 
  • Essential safety and performance requirements: The manufacturer systematically presents which essential safety and performance requirements apply to a medical device and whether they are met. This includes a respective justification if this is not the case. 
  • Benefit-risk analysis and risk management: The results or the documents of the risk management flow directly into the technical documentation. These are essentially the risk management plan, the risk analysis incl. control measures and the risk management report, which contains the assessment of the benefit-risk ratio. 
  • Verification and validation: In this section, the manufacturer documents all analyses, tests, inspections, studies, etc., which serve to demonstrate the conformity of the medical device. In addition to laboratory data, simulation data or results from preclinical investigations, the results of the clinical evaluation and its documentation are included here in particular. 

Since medical devices can be very different, there are also different requirements for their verification and validation. Consequently, the corresponding technical documentation differs in terms of structure and content. The documentation contains not only test results, but also all information on methodology and test set-up as well as study protocols. Depending on the type of medical device and the resulting requirements, test results are primarily documented in the following areas: 

  • Materials used 
  • Biocompatibility 
  • physical, chemical and microbiological parameters 
  • electrical safety 
  • electromagnetic compatibility 
  • software validation (in conjunction with hardware and software configurations) 
  • stability and durability 
  • drug components 
  • tissues or cells of human or animal origin as components of the medical device 
  • Pharmacology (absorption, distribution, metabolism, excretion, interactions, tolerability and toxicity) 
  • Sterility parameters 
  • Compound configuration parameters for interconnected medical devices 
  • Specimen types 
  • Measurement function parameters 
  • Measurement accuracy and ranges 
  • Sensitivity and specificity 

The technical article on "Technical documentation of medical devices according to MDR" provides further details on structure and procedure. 

Liability coverage

EU regulations require manufacturers to make arrangements to ensure adequate financial cover for their potential liability. These arrangements must be appropriate to the class of risk, the type of product and the size of the company. 

The manufacturer of medical devices is liable for damages caused by defective products. These are primarily technical and design errors or, in the case of software, errors in the program code. However, there are a number of other potential causes of liability, e.g. inadequate instructions for use, lack of warnings, false marketing statements about product performance, inadequate data protection or copyright infringements. The manufacturer of medical devices is therefore liable if it fails to fulfill its contract with a customer. In practice, the issue here is usually whether a particular medical device has a defect and thus fails to achieve the contractually agreed condition. The defect does not necessarily represent a safety risk. Often, protracted and expensive disputes arise in the event of damage because the customer and the manufacturer have not reached precise agreements on important performance features of a product. It is then unclear into whose area of responsibility the defect falls. 

Furthermore, the manufacturer of medical devices can generally be held liable for defects caused by a defective product. Since life, health and property are protected by law, there is consequently no contract with an individual affected person here. The manufacturer has various obligations to prevent his medical devices from violating the rights of others. He can also be held liable for damages resulting from a defect in a medical device, whether he is at fault or not. 

Product liability insurance is the tool of choice to limit liability risks and meet the requirements of the MDR and IVDR. The amount of financial coverage depends individually on the type and risk class of the medical device in question and the size of the company. The exact design is subject to a case-by-case consideration and should incorporate the risk analysis. Depending on where a medical device is to be marketed, country-specific conditions may also play a role. 

Responsible person 

EU regulations have introduced the role of the responsible person, who is responsible for ensuring compliance with regulatory requirements. This relates primarily to the manufacture of medical devices and their post-market surveillance. Manufacturers must designate at least one responsible person. This person must have the "required expertise in the field of medical devices." 

The tasks of the responsible person are: 

  • Checking the products for conformity with the existing quality management system before they are released,  
  • Creation or continuous updating of the technical documentation and the EU declaration of conformity, 
  • Fulfillment of obligations resulting from post-market surveillance of medical devices,  
  • Fulfillment of reporting obligations arising from vigilance requirements,  
  • Declaration of "safety" of investigational devices for clinical trials. 

The organizational integration is to be interpreted in such a way that responsible persons must be employees of the manufacturer. The responsibilities mentioned may also be distributed among several persons, provided that this is clearly regulated in writing. If there are several manufacturers under the umbrella of a group structure, each individual manufacturer requires at least one responsible person. 

Micro and small enterprises, i.e. those that employ fewer than 50 people and whose annual turnover or annual balance sheet does not exceed €10 million, are exempt. Such manufacturers must have "permanent and permanent recourse" to a responsible person. This means that external service providers can completely take over the function of the responsible persons for small and micro enterprises - provided that a corresponding contractual arrangement is in place. This exception also applies to authorized representatives of manufacturers not approved in the EU. 

The new function of the responsible person according to MDR possibly leads to decisions in the sense of product safety and patient protection conflicting with operational or commercial interests of the manufacturer. This area of tension can lead to an increased personal risk for the responsible person. For this reason, EU regulations stipulate that responsible persons must not be disadvantaged in connection with their correct performance of duties. This applies to both employed and external responsible persons. 

If you would like to take a closer look at this topic, we recommend the article "The responsible person according to MDR: rights and obligations". 

Authorized representative

If the manufacturer of a product is not established in one of the EU Member States, he must appoint an authorized representative. The authorized representative is mandated in writing by the manufacturer and must also accept this mandate in writing. Hereafter, the authorized representative shall perform the tasks specified in the mandate. These include: 

  • Verifying that the EU declaration of conformity and the technical documentation have been drawn up and that the manufacturer has carried out an appropriate conformity assessment procedure. 
  • Maintaining a copy of the technical documentation, EU declaration of conformity and, where applicable, certificates of changes, etc. 
  • Compliance with registration requirements 
  • Handing over all information and documentation required to prove the conformity of a product upon request of a competent authority 
  • Forwarding to the manufacturer requests for samples or for access to a product from a competent authority of the Member State in which the authorised representative has its registered place of business 
  • Cooperating with the competent authorities in any preventive or corrective action or mitigation of product hazards 
  • promptly inform the manufacturer of complaints and reports from health care professionals, patients and users about suspected incidents involving a device 
  • Termination of the mandate if the manufacturer breaches its obligations under MDR or IVDR. 

The mandate cannot delegate all of the manufacturer's obligations. The MDR and IVDR define exceptions here. However, the authorized representative is jointly and severally liable for defective products on the same basis as the manufacturer if the latter has not complied with the general obligations of the MDR or IVDR and is not established in a Member State. 

Registration

Before a product can be placed on the market, it requires various registrations: 

  • Registration of the manufacturer, importer and authorized representative in the European database for medical devices (Eudamed). 
  • Registration of devices in the UDI database (part of Eudamed) 
  • in Germany: (if applicable) obligation to notify the product in the medical device information system 

By registering in Eudamed, the manufacturer receives a "Single Registration Number" (SRN). The SRN is needed to apply for a conformity assessment at a Notified Body and to get access to Eudamed. This is required to comply with notification and reporting obligations. 

One part of Eudamed is the UDI database. UDI stands for Unique Device Identification and is used to identify individual products on the market. The UDI code is a unique (alpha)numeric string. There are 3 different UDI codes: 

  • Basic UDI-Device Identification (Basic UDI-DI).  
  • UDI-Device Identification (UDI-DI) 
  • UDI-Production Identification (UDI-PI) 

The Basic UDI-DI is a registration number for a group of products with the same intended purpose, same risk class and comparable design and manufacturing characteristics. It can be understood as an identifier of a product model. 

The basic UDI-DI does not appear on the label or packaging of a product. It is used, among other things, in the manufacturer's declaration of conformity and the technical documentation. The basic UDI-DI is primarily used to summarize information on a specific medical device model. 

The UDI-DI is used to uniquely identify a product. The UDI-PI contains information on the manufacture of a product. This is, for example, batch and serial numbers or manufacturing and expiry dates. 

The manufacturer registers the product with the base UDI-DI together with other required data elements in the UDI database. If certification by a Notified Body is required, the registrations must be made in advance. The Notified Body refers to the base UDI-DI on the certificate. The data entered in Eudamed must be checked regularly and kept up to date. 

The practical implementation of the UDI is a challenge, especially for manufacturers with highly diversified product portfolios. The technical article "UDI Unique Device Identification for medical devices according to MDR" provides further details. The manufacturer also notifies the national regulatory authorities of the medical device he has placed on the market. In Germany, this is done via the Medical Devices Information System of the Federal Institute for Drugs and Medical Devices (BfArM). If medical devices in the European Economic Area have already been registered via a European authorized representative, an additional registration in the Medical Devices Information System of the BfArM is not necessary. 

Declaration of conformity: How do I get CE marking?

Every medical device marketed in Europe must be compliant with the requirements of the MDR or IVDR. The manufacturer declares the conformity of the product in a declaration of conformity, the minimum details of which are specified by the MDR and IVDR. In this way, the manufacturer formally assumes responsibility for the medical device placed on the market. 

Prior to this, the product undergoes a conformity assessment procedure, which is based on the documentation presented in the previous sections and serves to demonstrate conformity. Only after the conformity assessment procedure has been completed may the manufacturer affix the CE marking to the product. 

The MDR describes several possible conformity assessment procedures. The selection and design of the procedure depends on many factors, which are primarily related to the type of medical device and its risk class. In general, the higher the risk class of a product, the more demanding and thus more complex the conformity assessment procedure. 

The quality management system also plays an important role. In the simplest case, i.e., a Class I or A product, it is sufficient if the manufacturer has a quality management system that meets the requirements of the MDR or IVDR. In this case, neither certification of the quality management system nor a product file review by a Notified Body is required. 

In the case of higher class devices, manufacturers usually choose the conformity assessment procedure with a complete quality management system certified according to ISO 13485. In this case, the manufacturer sets up a complete quality management system (if he does not already have one) and has it certified by a Notified Body, including the respective technical documentation of a product. In this way, the manufacturer ensures compliance with the requirements via the implementation of the quality management system. 

An alternative conformity assessment procedure is product conformity testing. This can also be accompanied by a quality management system certified by a Notified Body that relates to production (production quality assurance). Alternatively, there is the possibility of individual product testing. In addition, a type examination including assessment of the technical documentation may be required. 

There are a number of exceptions and special requirements for certain products, which will not be discussed further here (more information in the technical paper "Conformity assessment for medical devices: Which procedure leads to the CE mark?"). In all conformity assessment procedures, the manufacturer subsequently issues an EU declaration of conformity. The manufacturer then affixes the CE mark to the product. If a Notified Body is involved, the CE marking must include the 4-digit identification number of the Notified Body. Excluded from the conformity assessment procedure are custom-made products or products that are manufactured and used in health care facilities. For these, "slimmed down" rules apply. 

Post-market surveillance: What happens after the product has been placed on the market?

Medical device manufacturers monitor their products on the market. The MDR and IVDR require manufacturers to systematically and actively collect information on the use of a product after it has been placed on the European market (post-market surveillance, PMS). 

Based on this, manufacturers keep the technical documentation of their products up to date and cooperate with the national authorities responsible for vigilance and market surveillance. The aim is to increase the safety and performance of medical devices. The manufacturer continuously determines whether corrective or preventive action is required and, if so, informs the competent authorities or the Notified Body. 

If the manufacturer identifies a serious incident or initiates a field safety corrective action, he must report it immediately. The MDR refers to this separately regulated reporting procedure as vigilance. 

Post-Market Clinical Follow-Up (PMCF) (or Performance Follow-Up for IVDs) refers to the clinical follow-up of a product after it has been placed on the market. It is an ongoing process that keeps the clinical evaluation of the product current. Post-market clinical follow-up is part of post-market surveillance. For this purpose, the manufacturer collects and evaluates clinical data of his product in the market. The product must bear a CE mark and be intended for use. The manufacturer also uses the PMCF to determine whether its product may be systematically misused, i.e., used incorrectly or in excess of its marketing authorization. In this way, the manufacturer verifies that the intended use has been appropriately chosen. 

Market surveillance is carried out by the competent authorities. These check whether products on the market comply with the requirements of the MDR and do not pose a hazard. For this purpose, the competent authorities can inspect medical devices on the basis of random samples. In the most extreme case, the authorities can cause a product to be withdrawn from the market. Details are regulated in the respective national laws. 

Manufacturers set up a PMS process as part of their quality management system. This should be appropriate to the risk class and type of product and ensure that data on the quality, performance and safety of a product are actively collected and analyzed throughout the product's life. 

The manufacturer must then use the data collected to 

  • Update the risk management and risk-benefit assessment of his product, 
  • update the product manufacturing, instructions for use and labeling, 
  • update the clinical evaluation (PMCF), 
  • update the summary report on safety and clinical performance, 
  • Identify the need for preventive or corrective action and initiate as appropriate, 
  • notify the competent authorities or Notified Body as appropriate, 
  • identify any serious incidents, initiate field safety corrective actions and report them, 
  • Identify how usability, performance and safety of the product can be improved, 
  • identify and report trends; and 
  • Update technical documentation. 

Manufacturers report serious incidents to the appropriate authorities through Eudamed and initiate safety corrective actions as appropriate. The reporting deadline depends on the severity of the incident. A detailed discussion of the requirements can be found in the technical paper "Post-Market Surveillance and Vigilance of Medical Devices according to MDR". 

Conclusion

The approval of a medical device requires know-how, adequate financial resources and time. The pitfall is in the details, because the practical implementation of the requirements usually leads to the question "How?", i.e. how is a specific requirement to be interpreted in the individual case and how is the fulfillment of the requirement to be practically implemented in a process that is as lean and compliant as possible?    

MDR and IVDR have increased the effort required for CE marking of medical devices. The transition situation makes the approval of medical devices more difficult, for example due to a lack of capacity at Notified Bodies, long processing times or ambiguities in the interpretation of the various requirements. 

This makes it all the more important for manufacturers to plan in detail what they will have to do in terms of effort and methodological issues. Many problems can be avoided at an early stage if regulatory requirements are taken into account right from the start and undesirable developments are avoided. 

We will be happy to support you in the approval of your medical devices and, together with you, bring your new product onto the European market safely, quickly and with as little effort as possible. If you first need a dedicated roadmap for your medical device, combined with an estimate of the costs and duration of the approval of your medical device, we recommend our "CE Roadmap". 

Subscribe to the newsletter

Hand eines Arztes mit modernem PC-Interface
everythingpossible / Fotolia

Current information on our specialist articles and specialist events on the approval of medical devices and software.

Register now!