Anytime you want to launch a medical device on the market, you quickly come to the question of which legal regulations you have to comply with. This article will give you six tips you can use as a guide to help you negotiate your way through the “regulatory jungle.”
In this article, you will also learn:
The first question you should ask yourself is: is your product actually a medical device at all? If not, it will be subject to other regulations or even no regulations at all.
The intended purpose is the key to answering the question “medical device, yes or no?”
The manufacturer itself determines the intended purpose for the product. This defines what the product is to be used for. What else the product could be used for or what properties it has is irrelevant.
If the product is intended to be used for medical purposes as defined by Regulation 2017/745 on medical devices (MDR), then it is a medical device.
Article 2 of the MDR defines a medical device as follows:
“For the purposes of this Regulation, the following definitions apply:
‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:
and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.
The following products shall also be deemed to be medical devices:
Example: heart rate tracker software
The product could also be an in vitro diagnostic medical device (IVD). IVDs are medical devices and fall under the corresponding legal regulations.
Classification as an IVD is also based on the intended purpose, as the definition from Art. 2 of the IVDR makes clear:
“‘In vitro diagnostic medical device’ means any medical device which is a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, piece of equipment, software or system, whether used alone or in combination, intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body, solely or principally for the purpose of providing information on one or more of the following:
(a) concerning a physiological or pathological process or state;
(b) concerning congenital physical or mental impairments;
(c) concerning the predisposition to a medical condition or a disease;
(d) to determine the safety and compatibility with potential recipients;
(e) to predict treatment response or reactions;
(f) to define or monitoring therapeutic measures.
Specimen receptacles shall also be deemed to be in vitro diagnostic medical devices;”
Source: Article 2 IVDR
The intended purpose ultimately also determines the risk class of a medical device. This risk class in turn determines, among other things, which conformity assessment procedure the device has to go through (see Steps 3a) and 3b)).
There are special requirements for accessories or software, which we discuss in a separate article.
You can also read more about the difference between medical devices and other products in the keyword article Medical Device.
If your product is a medical device, the next step is to find out which legal requirements the device and the manufacturer have to comply with. For the German market, these come from German and European law.
European law is above German law in the legal hierarchy. This means that you must give priority to binding European law.
EU regulations are directly binding for manufacturers and individuals. So, you have to differentiate these from EU directives that do not apply directly to you.
Regulations are directly binding EU legal acts. They do NOT have to be implemented by member states to be effective.
This means regulations function like “European laws.”
Manufacturers must, therefore, give priority to EU regulations over German law.
In contrast, directives issued by the EU are only binding for the member states. In order for them to be also binding for citizens and companies, they have to be transposed into national law.
Manufacturers should therefore be primarily guided by the German law that implements the directive, not the directive itself.
This distinction is crucial because national legislators have a margin of appreciation when it comes to implementing a directive. In fact, a lot of national laws go beyond the requirements of the directives.
This was the case, for example, with the German Medizinproduktegesetz (MPG) that added additional requirements that went beyond those of the former Medical Devices Directive (MDD), for example, the requirements to have a medical device consultant and a safety officer. Since then, however, the MDD has been replaced by the MDR and the MPG by the Medizinprodukterecht-Durchführungsgesetz (MPDG). The MPDG complements and adds to the new MDR and IVDR regulations as well.
Other regulations may apply if the manufacturers act as economic operators or according to the product portfolio:
EU directives continue to exist for some topics, e.g.:
In addition to European law, manufacturers have to consider national law. This is particularly relevant if the national law:
German law, like EU law, also has varying degrees of “force.” It consists of:
To cut a long story short: both. Unfortunately, you cannot just use either the German or the European regulations because German law is embedded in the European regulatory structure.
Therefore, the bottom line is that manufacturers must always follow applicable European and national regulations.
To make it easier for you to find the relevant regulations, we have compiled a selection of the most important national and international regulations that apply to medical devices in Europe and Germany. We are constantly updating this Regulatory Radar Light overview(German) for you.
The article International Medical Device Authorizations: 5 Steps to New Markets looks at the requirements for international authorizations.
Once you have determined which regulations apply to your device, you have to identify the requirements they impose. As a rule, these involve:
The conformity assessment procedure for your device depends on its risk class. The conformity assessment procedure is the procedure for demonstrating that your device complies with the relevant legal requirements.
There are stricter requirements for devices with high risk classes than for those with lower risk classes.
The rules for the classification of your device can be found in Annex VIII of the MDR or Annex VIII of the IVDR. You should also refer to the corresponding guidance documents.
The risk class determines the conformity assessment procedure.
You can read more on the classification according to the MDR in our article Classification of Medical Devices.
You can read more on the classification of IVDs in the article Classification of In Vitro Diagnostic Medical Devices: How to Avoid Over-Classification.
The conformity assessment procedure steps differ according to the risk class:
If you place medical devices on the market, you need to have a quality management system (QMS). The minimum requirements can be found chiefly in the MDR/IVDR.
There is, however, one peculiarity: For class I/class A devices, the QM system does not have to be certified by a notified body, but in all other cases, it does
Find more information on the topic of the QM system in our QM Systems & ISO 13485 overview.
You can see what a QM SOP instruction should look like in our article Creating Standard Operating Procedures for QM.
The technical documentation consists of documents that medical device manufacturers must provide. This technical documentation is the prerequisite for the conformity assessment and thus for the authorization of medical devices.
It is regulated in Annex II of the MDR and of the IVDR.
More information on the technical documentation requirements can be found in our Technical Documentation for Medical Devices overview.
The clinical evaluation (performance evaluation for IVDs) is the part of the technical documentation where all the knowledge about the device is brought together. It is used to verify the safety and performance (including the clinical benefit) of the device when used as intended by the manufacturer
Find out more about the clinical evaluation in our overview article Clinical Evaluation of Medical Devices.
If necessary, the clinical evaluation has to be supplemented by a clinical investigation. In clinical investigations, the required clinical data are generated through supervised use of the device in humans. For the IVD performance evaluation, the equivalent would be a clinical performance study.
The articles Medical Device Clinical Investigations: The 7 Biggest Challenges and, for IVDs, In Vitro Diagnostic Medical Device Performance Evaluations: 8 Steps to Conformity explain when such clinical investigations are required.
In addition to the clinical evaluation, manufacturers also have to ensure the usability of their device. The usability evaluation makes sure that the device can be used safely by the intended users in the intended use environment for the intended purpose and that there are no unacceptable risks resulting from the use of the device.
As a result, the usability evaluation demonstrates that the device is safe to use. No performance data is collected on the device, which makes this different from the clinical evaluation.
In most cases, a final summative study is required to objectively demonstrate that the device is safe to use.
You can find further information in our overview article Usability & IEC 62366.
Both the MDR and IVDR require a person responsible for regulatory compliance (PRRC) to be appointed. This person has to ensure:
Appointing a person responsible for regulatory compliance is mandatory. Failure to comply with these obligations could result in fines of up to EUR 30,000 in Germany.
You can find further information on the responsible person in our article MDR/IVDR – ‘Person Responsible for Regulatory Compliance’ (PRRC)”.
Once you have identified which legal requirements apply for your device and your organization, you have to meet these requirements (and demonstrate that you have done so).
You can use, among other things, standards to help with this.
Medical device manufacturers can use standards to demonstrate that their device meets the requirements of the legal regulations. Standards represent the state of the art. Their application is voluntary. But because they are often widely recognized, they make it easier to demonstrate conformity due to standardization and their consistent application.
Standards are produced by independent (non-governmental) standards organizations. The name of each standard is preceded by an abbreviation to indicate which organization developed the standard.
What actually constitutes the state of the art that the standards describe and how this is identified is explained in the article State of the Art: It's Worse Than You Think
Harmonized standards are aligned with European specifications and recognized by public bodies. Therefore, if manufacturers comply with these standards, there is a presumption of conformity with the requirements of EU specifications.
You can find more information in our article Harmonized Standards: Provision of Evidence for Medical Device Manufacturers
Which standard you need depends mostly on the device.
The following standards are good starting points for your research:
For some MDR/IVDR requirements, there are no harmonized standards that manufacturers can use. This is where the “common specifications” established and published by the EU Commission come into play.
The MDR and IVDR define common specifications as follows:
"‘common specifications’ [...] means a set of technical and/or clinical requirements, other than a standard, that provides a means of complying with the legal obligations applicable to a device, process or system.”
You can find out more about "common specifications" in our article Common Specifications: Competition for Standards?
Now that you know which standards and regulations apply to you, you need to implement them accordingly. This means:
Do not forget to assign the unique device identification (UDI). This identification number makes it easy to identify and track medical devices.
Find out more about the mandatory UDI system in our Unique Device Identification (UDI) article.
Additional sources are not legally binding. However, they can help, for example, with the interpretation of laws, regulations or standards. These additional sources include:
There are also specifications that refer to the superseded EU Medical Device Directive but that are still relevant, at least in the transitional period.
Once you have met all the necessary requirements, you can launch your device on the market. When doing so, you must remember to:
In the declaration of conformity, a manufacturer declares that its device complies with the legal requirements.
So, after ensuring that all the requirements have been met, the manufacturer issues this declaration of conformity for its device. The necessary certificates from a notified body may be needed for this.
You can find out exactly what the declaration of conformity contains in our article EU Declaration of Conformity.
Find out more in our article EUDAMED: European Database on Medical Devices.
In addition, manufacturers have to register their devices with the Federal Institute for Drugs and Medical Devices (BfArM) or via EUDAMED.
Even after you have launched your device on the market, you are still responsible for its safety and performance. You should have already established processes for this in your quality management system. These processes include:
Even after you have launched your device on the market, you have to surveil it.
Post-market surveillance is a proactive and systematic process for establishing corrective and preventive actions (CAPAs) from information about medical devices that have already been placed on the market.
You can find out more about post-market surveillance in our article Post-Market Surveillance and Surveillance of Devices on the Market.
Vigilance means that every “serious incident” and every safety-related corrective action has to be officially reported to the relevant authorities. Therefore, unlike post-market surveillance, vigilance is reactive, not proactive.
The reporting obligations are set out in Article 87 of the MDR and Article 82 of the IVDR.
When launching a medical device on the market, manufacturers have to take numerous legal requirements into account. At first glance, this can seem overwhelming. However, our six steps can act as a guide and help you get your medical device through the regulatory authorization process smoothly.
If you are still unsure or have further questions, you can contact your notified body or the Johner Institute.