EU MDR Quality Procedures

EU MDR Quality Procedures

According to the EU Commission amendment for the new Transitional Provisions for the EU-MDR and IVDR (official from 20th March 2023), manufacturers need to have a quality management system in place (in accordance with Article 10(9)) no later than 26 May 2024. This is done by applying conformity assessment to a notified body where the manufacturer confirms its QMS complies with the MDR.

We can build a complete ISO 13485-compliant QMS for your Company, write specific Standards Operating Procedure (SOP) as you requested, or only review your existing SOP for its compliance.

We identified 12 EU MDR quality procedures (SOPs) that every Company should include in their QMS:

• Strategy for regulatory compliance – which may consist of quality objectives, processes for identification of relevant legal and GSPR requirements, choice of conformity assessment procedures, and others (see MDCG 2019-7);
• Handling communication with competent authorities, notified bodies, other economic operators, customers, or other stakeholders;
• Management of corrective and preventive actions;
• Documentation control;
• Change control;

• Organization structure, the responsibilities of the managerial staff as to critical procedures and their organizational authority;
• System for recording and reporting incidents and field safety corrective actions (art. 87 and 88) and their analysis (art. 89);
• Procedure to keep up to date the post-market surveillance system (art. 83);
• Procedure for the clinical Evaluation (including clinical evaluation plan) per Article 61 and Annex XIV, including PMCF;
• Resource management, including selection and control of suppliers;
• Risk management (Section 3 of Annex I);
• Identification and traceability of devices (art. 25)

Frequently Asked Questions

Question: A quality service provider (not a manufacturer) for medical device manufacturers wrote that one of their customers was audited by a Notified Body (NB). NB told them that our ISO 13485:2016 certificate was invalid as it had not been issued by an NB. They explain that non-NB parties are unaware of MDR quality issues and, therefore, they don’t accept such certificates. Is the approach of NB correct?

Answer: No, such NB approach is not correct. We received similar complaints from our clients. NBs could be concerned about everything. However, such concern doesn’t give them the right to “invalidate” the ISO 13485 certificate issued by the non-NB accreditation body. If NB suspects that the non-NB party that issued the ISO 13485 certificate is unaware of MDR-related quality aspects, they should check them during their annual audit. After all, the manufacturer is expected to meet quality MDR expectations, and it can summarize them, e.g., in the Strategy for regulatory compliance procedure, which may include the control of your service providers.

Question: Does the personnel carrying out cybersecurity tasks need to have appropriate education, experience and/or training?

Answer: Certainly, like for all other job positions in the Company. This is ISO 13485 (6.2 Human Resources) requirement: “Personnel performing work affecting product quality shall be competent with appropriate education, training, skills, and experience. The organization shall document the process(es) for establishing competence, providing needed training, and ensuring awareness of personnel.”

Question: Do penetration testing laboratories (suppliers), must be accredited?

Answer: The recommendation is to use Penetration testing laboratories which are accredited, if possible.  The company is usually not requested to audit these suppliers. Instead, for the criteria for evaluation and selection of suppliers (as per ISO 13485 cl. 7.4.1), the company could use other means for rating performance and ability of penetration-testing suppliers, such as penetration test report reviews and questionnaires.

For more information, please get in touch with the BioReg team.