The EU Medical Devices Regulation (MDR) entered into force in May 2017 and will fully apply from 26 May 2020 (for further details please see "EU Medical Devices Regulation to apply from May 2020 – preparations underway"). This article responds to important questions relating to the new regulation.
While the existing medical device regime requirements will remain, the MDR imposes additional requirements and stricter standards on medical device manufacturers and broadens the scope of product coverage. For example, the new regulation covers medical devices which are:
- sold online; or
- used in remote diagnostic and therapeutic services.
Compared with existing medical regulations, the MDR reclassifies certain types of medical device (eg, medical device standalone software) under stricter classification rules. Further, the new regime's classification criteria require some authorised products to undergo a second conformity procedure. The possibilities for conducting such a procedure will also change, as will original equipment manufacturer (OEM) and product lifecycle management (PLM) structures.
The new regime imposes stricter and more time-consuming archiving and documentation requirements on medical device manufacturers, including:
- implementing a post-market surveillance system;
- reporting to the European Databank on Medical Devices (Eudamed);
- implementing a unique device identification (UDI) application system; and
- appointing a compliance officer.
Overall, the MDR's stricter regime demands greater effort from device manufacturers in regard to documentation requirements and costs.
The MDR imposes higher technical documentation standards on manufacturers. For example, clinical data and product-related descriptions such as those relating to a product's intended use and structure must be provided in greater detail than under the current directive.
Further, manufacturers will be required to implement a quality management system for certain medical devices. This system must create a strategy for regulatory compliance, identify applicable general safety and performance requirements and communicate with competent authorities, notified bodies and other economic operators. They must also implement a post-market surveillance system with stricter reporting obligations.
Under the MDR, all future products must have a UDI. Therefore, a UDI system will be implemented to enhance the traceability and effectiveness of post-market safety-related activities. For standalone software medical devices, more specific regulations will apply to product changes (eg, relating to algorithms and database structures).
Persons qualified in and in charge of ensuring compliance with applicable regulations must continuously liaise with the authorities and record and notify any events relating to marketed devices.
The MDR also aims to increase transparency by making information on medical devices and studies publically available. Therefore, Eudamed will be extended and made (at least partly) accessible to not only governmental institutions, but also manufacturers, notified bodies and the public.
Under the MDR, archiving periods for documents such as technical documentation and conformity declarations have been increased from five to 10 years (for non-implants) from the last product covered by the conformity declaration being placed on the market; this also applies to EU importers. Notably, according to ISO 13485, the archiving period must last for (at least) a product's lifecycle. This is especially important for products with a lifecycle of 10 years or more.
Under existing OEM-PLM-structures, private label manufacturers are generally responsible for products' market authorisation and post-market surveillance. Product labels therefore list only private label manufacturers as manufacturers. Further, private label manufacturers generally cannot access products' technical documentation due to (for example) restrictions imposed by OEMs.
However, the MDR requires private label manufacturers to have full access to products' technical documentation. Thus, the existing OEM-PLM structures and related agreements must be adapted to comply with the new requirements.
Some notified bodies already require full access to OEM technical documentation when auditing a private label manufacturer.
The MDR emphasises the product lifecycle approach to safety, which should be supported by relevant clinical data provided by manufacturers and assessed by notified bodies in the course of the conformity procedure.
The MDR thus implements stringent requirements for designating notified bodies, with increased control from and monitoring by national competent authorities and the European Commission. In future, notified bodies' surveillance of manufacturers will be more rigorous to reduce the risks associated with unsafe medical devices. Further, more stringent documentation will be required from notified bodies.
The MDR also implements a so-called 'scrutiny procedure'. Notified bodies may be required to report any new applications for conformity assessments of high-risk products to an expert panel (the Medical Device Coordination Group).
To ensure MDR compliance, manufacturers must:
- check product portfolios to discover whether more of their devices fall within the scope of the MDR compared with the currently applicable EU directives;
- identify whether their medical devices are classified correctly under the new risk classification criteria;
- ensure that medical devices (in particular, device labelling, technical documentation and quality management systems) comply with MDR requirements, common specifications for particular groups of products and general safety and performance requirements;
- ensure that the increased clinical evidence requirements are met;
- consult responsible notified bodies to evaluate potential compliance issues and develop a plan to address them;
- pass a conformity assessment by a notified body, if required;
- assign basic UDIs to all products and submit these to the UDI database;
- ensure that a person responsible for regulatory compliance is in place;
- submit key information relating to their business and authorised representative (and importer if they are based outside the European Union) to Eudamed;
- ensure that sufficient financial coverage is in place to cover any potential liability;
- meet post-market surveillance and vigilance requirements (eg, by conducting field safety corrective actions and reporting serious incidents to the competent authority); and
- ensure internal processes are in place to meet the new vigilance reporting timescales.
The MDR entered into force in May 2017 and will fully apply from 26 May 2020. Therefore, manufacturers of formerly certified medical devices have just under one year of the three-year transition period to comply with the new regime. For certain devices that meet specific requirements, this transition period may be extended until 26 May 2024.
Are there any grandfathering provisions for currently certified medical devices?
No. Unless an extension is granted, all currently certified medical devices and active implantable medical devices must be recertified in accordance with the new requirements by 26 May 2020.
The 'sell-off' provision aims to limit the period in which currently certified medical devices that have already been placed on the market are made available. Any medical devices in the supply chain that have not reached their final user (eg, a hospital) by 27 May 2025 will no longer be marketable and must be withdrawn from the supply chain. If a currently certified medical device reaches its final user by this deadline, its further provision will not be subject to the MDR.
After 27 May 2024 and subject to a case-by-case assessment, relevant authorities and notified bodies may limit or withdraw the CE marks of non-compliant products and remove such products from the market. In more extreme cases, a non-compliant manufacturer may be banned from marketing its device in the European Union, at least for a specific period, even if the product was marketed under the previously applicable EU directives.
In addition, EU member states must lay down rules for penalising infringements of the MDR and take all necessary measures to ensure that these rules are implemented.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.