What Notified Bodies Look for When Reviewing Your Medical Device Technical Documentation Under the EU MDR
If you’ve been involved in medical device regulatory affairs for 5+ years, you know all too well that the requirements around technical documentation associated with European CE Marking have tightened. The June 2016 release of guidance document MEDDEV 2.7-1 rev 4 on clinical evaluations gave many regulatory professionals heartburn and was followed by the May 2017 release of the European Medical Device Regulation (MDR 2017/745). Late 2019 saw the release of the updated ISO 14971 risk management standard and three IMDRF clinical guidance documents.
Why the deluge? Here’s one factor. About 10 years ago, the French PIP breast implant scandal rocked the Notified Body world and made European Competent Authorities (Ministries of Health) stand up and take notice. EU regulators recognized a need to overhaul the regulation of medical devices and have stricter oversight of the Notified Bodies designated to regulate medical device manufacturers on their behalf. As such, Notified Bodies are increasingly under the microscope of regulatory scrutiny from the top down. This also expedited the replacement of the Medical Devices Directive (MDD 93/42/EEC) with the much stricter Medical Device Regulation (MDR 2017/745).
So, now that the bar for technical documentation has been raised, it raises the question: What will EU Notified Bodies be looking for during your next technical documentation review? If you have not yet had the pleasure of going through this, you may have some trepidation about what to expect. That’s understandable. Often, Notified Bodies will audit your QMS on-site while they conduct a remote review of your technical documentation for CE Marking. Although regulatory professionals – especially for Class I and IIa devices – have been working on strengthening their technical documentation for years, many have not yet had their technical documentation put to the test under the MDR.
What Your EU Notified Body Is Required to Do
Here’s how things typically used to work. Your Notified Body would issue an MDD CE certificate valid for five years. Toward the end of that certificate term, the manufacturer would send a new technical file to their Notified Body. Those files would (sometimes) get a cursory review and be renewed. Now the MDR essentially forces an automatic review of one or more of your technical documentation files during every surveillance audit. This means that under the EU MDR your device is approved for up to five years but not automatically approved for a five-year term, as issues may be uncovered during a routine QMS audit. The intent of this sampling of technical documentation under the EU MDR is to prevent the type of occurrences that happened under the MDD. Plainly put, Notified Bodies often were not seeing changes made to products over time and a cursory review every five years was not sufficient.
How might this play out? Here’s a real-world scenario. Your device might be three years into a five-year term and, during a surveillance audit, your Notified Body may ask you to provide additional and more detailed information about technical documentation. In this manner, the European model is moving more toward the US model whereby FDA inspects not only the quality management system but also product information, even if a device already has 510(k) clearance.
It’s helpful to understand what your Notified Body must do as part of the technical documentation review. By the way, this technical documentation review can occur either remotely as part of obtaining a CE certificate or during a routine QMS audit. According to Annex VII of the EU MDR, your Notified Body must:
- Assess your technical documentation based on its predefined sampling plan.
- Assess your product technical documentation against the safety and performance requirements of Annex I.
- Take into account requirements related to preclinical testing and clinical evaluations.
- Ensure that technical documentation findings are appropriately and consistently classified based on a procedure to assess compliance with requirements of the EU MDR and relevant standards.
The auditor examining your documentation must have proven knowledge and experience, and understand the device technology and its clinical application. In some cases the auditor may bring in external experts who have direct or current expertise with the device and the clinical conditions in which it is used. You can read extensive information on this in Section 3 of Annex VII.
General Safety and Performance Requirements (GSPR)
Annex I – it all starts here, and you may recall these requirements being called the “Essential Requirements” in the MDD. To better define their intent, the EU MDR now calls these “General Safety and Performance Requirements” (GSPR). Frankly, many Notified Bodies used to gloss over the “Essential” Requirements during an audit, but not any longer. Notified Bodies now use these requirements as a backbone of their review and apply them using a traceability matrix. You’ll definitely want to study and follow these requirements because you can bet that your Notified Body will use them as a guide.
Key Areas Likely to Be Scrutinized
You can expect your Notified Body to dig deep into many areas of your technical documentation, but you would be well advised to pay special attention to the following areas:
- Clinical data – Consider this: The MDD mentions the word clinical just 48 times. In the MDR, it is mentioned 684 times. Factoid aside, you already knew this was important because you have read MEDDEV 2.7-1 rev 4, right? As such, you can expect intense scrutiny of your clinical evidence and supporting clinical data of the device. If your clinical data is lacking, your Notified Body may require more physical or laboratory tests. See Annex IX, Chapter II.
- Intended purpose, indications for use, and claims – If your device’s intended purpose and indications for use are fairly broad, it may be time to tighten them up. Notified Bodies will be looking at your specific claims and how they are supported by your clinical data. That will be especially true for Class I devices that were formerly self-declared but are now subject to EU MDR oversight.
- Equivalency – Are you claiming equivalence with another medical device? If so, you’ll want to read this article. From the Notified Body perspective, they are going to carefully scrutinize your clinical evidence to assess the suitability of using that data. They will be looking at specific claims and whether they are supported by preclinical data, clinical data, and risk analysis. Notified Bodies are also required to document their conclusions about your equivalence claims and whether they are adequate to demonstrate conformity with the GSPR. If your device is innovative or has new indications for use, don’t be surprised if your Notified Body requires more testing to be done.
- Labeling – Expect your Notified Body to carefully examine your instructions for use and tie them back to your stated claims and intended purpose. If materials are an important part of your device (e.g., implants), expect your materials disclosure to receive attention.
- Performance testing – Many companies have conducted lab testing for their devices, and this was often fine under the MDD regime. In the past, some companies performed lab testing on individual components but did not validate the entire system. (Blood glucose meters are a good example of this.) Notified Bodies want to see more emphasis on product validation measuring performance in an actual use environment.
- Benefit-risk analysis – You are certainly familiar with ISO 14971 and risk management, having been in the medical industry for many years. The EU MDR (and ISO 14971:2019) now stress the importance of measuring benefits, not just risks. If you have not yet done work to shore up your benefit-risk analysis, read this excellent article on doing so.
- Residual risk – ISO 14971:2019 and the EU MDR also emphasize the need to reduce risk to the lowest levels practicable. As such, your Notified Body will be looking into your risk analysis more closely, especially your assessment of residual risk. This feeds into the general narrative that risk management should be a continual process, and you’ll need to show proof that you are treating it as such.
- Postmarket Surveillance (PMS) – PMS data is more important than ever to regulators, and follows the general line of thinking that risk management is not a “one and done” project but rather an ongoing process. Expect your Notified Body to request proof showing that you have been proactive in your PMS efforts.
How Notified Bodies Choose Which Documentation to Review
Annex IX, Section 2.3 talks about how Notified Bodies must select samples of your technical documentation and the need to document their rationale for their selection of samples. Their sampling must take the following into account:
- Risks associated with the intended use of the device
- Novelty of the technology and similarities in design and sterilization methods
- Complexity of the manufacturing process
- Results of any previous relevant assessments and nonconformities raised related to physical, chemical, biological, or clinical properties
- Range and classes of devices produced
- Available postmarket surveillance information
- Prevalence and volume of distribution into Europe for a product type
Here’s a pro tip from BSI, the largest European medical device Notified Body: “…as far as is practical, [MDR] submissions should be “stand alone,” and not refer to previous [MDD] submissions for evidence of compliance. The reason is that the reviewer must assess the documentation in the context of the intended submission and confirm that it is still relevant within this context. If a submission draws upon information previously submitted to BSI, please include the relevant report or document which demonstrates compliance, rather than directing the reviewer to the earlier review. This will save time.”
On that note, make sure you leave PLENTY of time for Notified Body review. COVID has wreaked havoc with so many things, including the ability of Notified Bodies to conduct timely review of technical documentation – and that’s if your Notified Body is even able to do MDR reviews at all!
European Competent Authorities Are Watching Too
Typically, European Competent Authorities have kept a low profile, especially when it comes to low- and medium-risk devices (which comprise 95% of device volume). But now manufacturers – especially self-declared Class I devices – can expect to see more market surveillance from Competent Authorities. We have seen evidence of Competent Authorities in the Netherlands and Belgium, for example, inspecting Class I self-declared manufacturers! COVID-19 also saw the temporary loosening of compliance restrictions for personal protective equipment (PPE) and other medical equipment needed for the pandemic. Not surprisingly, products of questionable efficacy made their way onto the EU market. In the near term, you can expect to see more involvement from Competent Authorities, but this is also part of a longer-term trend to assert more control for reasons explained earlier.