Step 1: Determine if the product is a medical device

The first question you should ask yourself is: is your product actually a medical device at all? If not, it will be subject to other regulations or even no regulations at all.

The intended purpose is the key to answering the question “medical device, yes or no?”

The manufacturer itself determines the intended purpose for the product. This defines what the product is to be used for. What else the product could be used for or what properties it has is irrelevant.

If the product is intended to be used for medical purposes as defined by Regulation 2017/745 on medical devices (MDR), then it is a medical device.

Article 2 of the MDR defines a medical device as follows:

Example: heart rate tracker software

• When used for fitness purposes (e.g., in a smartwatch), the analysis software is not a medical device.
• However, if the intended purpose is to use the data from the software to diagnose or monitor a disease, the analyzing software is a medical device.

The product could also be an in vitro diagnostic medical device (IVD). IVDs are medical devices and fall under the corresponding legal regulations.

Classification as an IVD is also based on the intended purpose, as the definition from Art. 2 of the IVDR makes clear:

The intended purpose ultimately also determines the risk class of a medical device. This risk class in turn determines, among other things, which conformity assessment procedure the device has to go through (see Steps 3a) and 3b)).

There are special requirements for accessories or software, which we discuss in a separate article.

You can also read more about the difference between medical devices and other products in the keyword article Medical Device.

Step 2: Identify relevant legal regulations

If your product is a medical device, the next step is to find out which legal requirements the device and the manufacturer have to comply with. For the German market, these come from German and European law.

a) European law

European law is above German law in the legal hierarchy. This means that you must give priority to binding European law.

EU regulations are directly binding for manufacturers and individuals. So, you have to differentiate these from EU directives that do not apply directly to you.

EU regulations

Regulations are directly binding EU legal acts. They do NOT have to be implemented by member states to be effective.

This means regulations function like “European laws.”

Manufacturers must, therefore, give priority to EU regulations over German law.

EU directives

In contrast, directives issued by the EU are only binding for the member states. In order for them to be also binding for citizens and companies, they have to be transposed into national law.

Manufacturers should therefore be primarily guided by the German law that implements the directive, not the directive itself.

This distinction is crucial because national legislators have a margin of appreciation when it comes to implementing a directive. In fact, a lot of national laws go beyond the requirements of the directives.

This was the case, for example, with the German Medizinproduktegesetz (MPG) that added additional requirements that went beyond those of the former Medical Devices Directive (MDD), for example, the requirements to have a medical device consultant and a safety officer. Since then, however, the MDD has been replaced by the MDR and the MPG by the Medizinprodukterecht-Durchführungsgesetz (MPDG). The MPDG complements and adds to the new MDR and IVDR regulations as well.

What are the most important EU regulations for manufacturers?

• Regulation 2017/745 on medical devices (MDR) (binding)
• Regulation 2017/746 on in vitro diagnostic medical devices (IVDR) (binding)

Other regulations may apply if the manufacturers act as economic operators or according to the product portfolio:

• Regulation (EU) 2012/207 - Regulation on electronic instructions for use of medical devices (binding)
• Regulation (EU) 2016/679 - Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (binding)

EU directives continue to exist for some topics, e.g.:

• Machinery Directive 2006/42/EC (if the medical device contains moving parts)
• RoHS 2011/65 (EU) - Directive on the restriction of the use of certain hazardous substances in electrical and electronic equipment (this directive is subject to ongoing amendments by delegated directives. These are issued by the EU Commission to amend existing regulations. There is more information on these on the EU's web pages.)

b) National law

In addition to European law, manufacturers have to consider national law. This is particularly relevant if the national law:

• establishes completely independent regulations,
• implements European directives or
• adds to European regulations.

German law, like EU law, also has varying degrees of “force.” It consists of:

• Laws
  • Example: Medizinprodukterecht-Durchführungsgesetz (MPDG) (German)
• Ordinances
  • Example: Medizinprodukte-Anwendermelde- und Informationsverordnung (MPAIMV)(German)
  • Example:Medizinprodukte-Betreiberverordnung (MPBetreibV)(German)
• Other guidelines
  • Example:Technical Guidelines(German) from the German Federal Office for Information Security (BSI).

c) Which applies to you: German or European law?

To cut a long story short: both. Unfortunately, you cannot just use either the German or the European regulations because German law is embedded in the European regulatory structure.

Therefore, the bottom line is that manufacturers must always follow applicable European and national regulations.

d) Regulatory Radar Light

To make it easier for you to find the relevant regulations, we have compiled a selection of the most important national and international regulations that apply to medical devices in Europe and Germany. We are constantly updating this Regulatory Radar Light overview(German) for you.

Step 3: Define the regulatory requirements

Once you have determined which regulations apply to your device, you have to identify the requirements they impose. As a rule, these involve:

a) Classifying the device

The conformity assessment procedure for your device depends on its risk class. The conformity assessment procedure is the procedure for demonstrating that your device complies with the relevant legal requirements.

There are stricter requirements for devices with high risk classes than for those with lower risk classes.
The rules for the classification of your device can be found in Annex VIII of the MDR or Annex VIII of the IVDR. You should also refer to the corresponding guidance documents.

• The MDR has risk classes I to III.
• The IVDR has risk classes A to D.

The risk class determines the conformity assessment procedure.

c) The quality management system

If you place medical devices on the market, you need to have a quality management system (QMS). The minimum requirements can be found chiefly in the MDR/IVDR.

There is, however, one peculiarity: For class I/class A devices, the QM system does not have to be certified by a notified body, but in all other cases, it does

d) Technical documentation

The technical documentation consists of documents that medical device manufacturers must provide. This technical documentation is the prerequisite for the conformity assessment and thus for the authorization of medical devices.

It is regulated in Annex II of the MDR and of the IVDR.

e) Clinical evaluation/performance evaluation

The clinical evaluation (performance evaluation for IVDs) is the part of the technical documentation where all the knowledge about the device is brought together. It is used to verify the safety and performance (including the clinical benefit) of the device when used as intended by the manufacturer

If necessary, the clinical evaluation has to be supplemented by a clinical investigation. In clinical investigations, the required clinical data are generated through supervised use of the device in humans. For the IVD performance evaluation, the equivalent would be a clinical performance study.

f) Usability evaluation

In addition to the clinical evaluation, manufacturers also have to ensure the usability of their device. The usability evaluation makes sure that the device can be used safely by the intended users in the intended use environment for the intended purpose and that there are no unacceptable risks resulting from the use of the device.

As a result, the usability evaluation demonstrates that the device is safe to use. No performance data is collected on the device, which makes this different from the clinical evaluation.

In most cases, a final summative study is required to objectively demonstrate that the device is safe to use.

g) Responsible Person

Both the MDR and IVDR require a person responsible for regulatory compliance (PRRC) to be appointed. This person has to ensure:

1. The conformity of the devices is checked in accordance with the quality management system before their release (Article 10(9))
2. The technical documentation and the EU declaration of conformity are drawn up and kept up-to-date (Article 10(4) and (6)).
3. Post-market surveillance is performed in accordance with the EU regulations (Article 10(10)).
4. The reporting obligations according to the EU regulations are complied with (Article 10(13)).
5. In the case of investigational devices, the statement referred to in Annex XV, Chapter 2 is issued.

Appointing a person responsible for regulatory compliance is mandatory. Failure to comply with these obligations could result in fines of up to EUR 30,000 in Germany.

Step 4: Comply with the regulatory requirements

Once you have identified which legal requirements apply for your device and your organization, you have to meet these requirements (and demonstrate that you have done so).

You can use, among other things, standards to help with this.

a) What are standards?

Medical device manufacturers can use standards to demonstrate that their device meets the requirements of the legal regulations. Standards represent the state of the art. Their application is voluntary. But because they are often widely recognized, they make it easier to demonstrate conformity due to standardization and their consistent application.

Standards are produced by independent (non-governmental) standards organizations. The name of each standard is preceded by an abbreviation to indicate which organization developed the standard.

Overview of the most important standards organizations with abbreviations

• DIN
  • Deutsches Institut für Normung (EN: German Institute for Standardization, registered association based in Berlin)
• EN
  • European standards organizations Comité Européen de Normalisation (CEN; EN.: European Committee for Standardization), Comité Européen de Normalisation Electrotechnique (CENELEC; EN.: European Committee for Electrotechnical Standardization)
  • CEN: Standards for European standardization in technical fields
  • CENELEC: Standards for European standardization in electrotechnical fields
• ETSI
  • European Telecommunications Standards Institute (ETSI)
  • Private, non-profit organization for European standards in the field of information and communication technology
• ISO
  • International Organization for Standardization
  • Standards in all areas not covered by the IEC or the ITU
• IEC
  • International Electrotechnical Commission
  • Electrotechnical/electronics field
     
• IEEE
  • Institute of Electrical and Electronics Engineers
  • Standards mainly in the fields of electrotechnology and information technology
• ITU
  • International Telecommunication Union
  • Telecommunications field

b) What are harmonized standards?

Harmonized standards are aligned with European specifications and recognized by public bodies. Therefore, if manufacturers comply with these standards, there is a presumption of conformity with the requirements of EU specifications.

c) How do you find the appropriate standard?

Which standard you need depends mostly on the device.

1. Identify which requirements your device has to comply with
   (e.g., check Annex I of the MDR/IVDR, common specifications, any other regulations; see Step 2).
2. Check whether there is a standard for the requirement. If there are harmonized standards, you should prioritize these.

The following standards are good starting points for your research:

• ISO EN 13485: Medical devices — Quality management systems — Requirements for regulatory purposes
• ISO EN 14971: Application of risk management to medical devices
• IEC EN 62366-1: Application of usability engineering to medical devices
• IEC EN 62304: Medical device software — Software life cycle processes
• IEC EN 60601-1: Programmable electrical medical systems: basic safety and essential performance characteristics 
• DIN EN ISO 10993-1: Biological evaluation of medical devices: Evaluation and testing within a risk management process

d) Common specifications

For some MDR/IVDR requirements, there are no harmonized standards that manufacturers can use. This is where the “common specifications” established and published by the EU Commission come into play.

The MDR and IVDR define common specifications as follows:

e) Implementing standards/regulations

Now that you know which standards and regulations apply to you, you need to implement them accordingly. This means:

1. Either translating the requirements into a process and establishing this process in your company (e.g., software life cycle processes according to IEC 62304). You need to create SOPs and corresponding specification documents for this.
2. And/or designing and developing the device so that it meets the requirements (e.g., creepage distance specifications according to IEC 60601-1). You can demonstrate this with appropriate tests.

Do not forget to assign the unique device identification (UDI). This identification number makes it easy to identify and track medical devices.

f) Additional sources

Additional sources are not legally binding. However, they can help, for example, with the interpretation of laws, regulations or standards. These additional sources include:

• IMDRF documents
  Documents from the International Medical Device Regulators Forum   
• Manual V1.22 on borderline and classification 
  Manual on Borderline and Classification in the Community. Regulatory Framework for Medical Devices      
• MDCG documents
  • Not legally binding implementation and decision guidance for the MDR and IVDR. However, these documents are usually taken into account by notified bodies.
  • Find out more in our article on the MDCG.
• MEDDEVdocuments     
  • Not legally binding implementation and decision guidance for the MDD. 
  • Careful! Since the introduction of the MDR and IVDR, a lot of these no longer apply. However, a lot of MEDDEV documents published under the MDD and IVDD are still relevant as the “state of the art.”
  • Find out more in our article on MEDDEV.
• Recommendation 2013/473/EU   
  Commission Recommendation of 24 September 2013 on the audits and assessments performed by notified bodies in the field of medical devices

There are also specifications that refer to the superseded EU Medical Device Directive but that are still relevant, at least in the transitional period.

• NB-Med/Team NB documents
  NB-Med (Association of Notified Bodies) documents
• 2013/172/EU Commission Recommendation of 5 April 2013 on a common framework for a unique device identification system of medical devices in the Union
• ZLG documents
  Answers and decisions from the Notified Bodies’ Experience Exchange Group
• EK-Med documents
  ZLG subgroup

Step 5: Authorization

Once you have met all the necessary requirements, you can launch your device on the market. When doing so, you must remember to:

a) Declare conformity

In the declaration of conformity, a manufacturer declares that its device complies with the legal requirements.

So, after ensuring that all the requirements have been met, the manufacturer issues this declaration of conformity for its device. The necessary certificates from a notified body may be needed for this.

b) Register as a manufacturer
Manufacturers must register with the European Database on Medical Devices (EUDAMED).

c) Register the devices

In addition, manufacturers have to register their devices with the Federal Institute for Drugs and Medical Devices (BfArM) or via EUDAMED.

Step 6: Surveil devices on the market

Even after you have launched your device on the market, you are still responsible for its safety and performance. You should have already established processes for this in your quality management system. These processes include:

a) Post-market surveillance

Even after you have launched your device on the market, you have to surveil it.

Post-market surveillance is a proactive and systematic process for establishing corrective and preventive actions (CAPAs) from information about medical devices that have already been placed on the market.

b) Vigilance

Vigilance means that every “serious incident” and every safety-related corrective action has to be officially reported to the relevant authorities. Therefore, unlike post-market surveillance, vigilance is reactive, not proactive.

The reporting obligations are set out in Article 87 of the MDR and Article 82 of the IVDR.

7. Conclusion

When launching a medical device on the market, manufacturers have to take numerous legal requirements into account. At first glance, this can seem overwhelming. However, our six steps can act as a guide and help you get your medical device through the regulatory authorization process smoothly.

If you are still unsure or have further questions, you can contact your notified body or the Johner Institute.