Both regulations entered into force on 26 May 2017, hence the new MDR rules will apply from 26 May 2020 and the IVDR rules from 26 May 2022.
Billed as the most significant changes to medical device legislation in decades, these new regulations seek to increase the safety and effectiveness of medical devices available in the EU market and address weaknesses in the regulations revealed in several high-profile incidents. Medical device and in vitro diagnostic device manufacturers large and small who supply product to the EU market will be impacted and need to start planning now on how to transition to the new requirements.
There are a number of changes being introduced by the new regulations which will impact many parts of your organisation and supporting suppliers. Some of the most significant changes are as follows.
Economic operators (the collective description for manufacturers, importers, distributors, suppliers, subcontractors and EU authorised representatives) carry the ultimate responsibility for conformity to regulations. The legislation outlines the general obligations of each or these parties, explaining both what they need to do and how they need to do it.
Whilst the classification system (Class III, Class IIa, Class IIb and Class I) is retained, some rules have been tightened. Some industry commentators anticipate this could result in some devices moving to higher classes of product. Moreover, a number of types of products that were previously exempt from the regulations are now included in the scope.
Additional requirements have been included for each of these aspects of product registration and approval. These may require further product information or testing to be provided to support approval. Transitioning arrangements for existing products or products currently undergoing conformity assessment are being clarified, but some industry experts are concerned that these new requirements could require all products to be registered as they transition to the new legislation.
The regulations introduce further requirements for vigilance and post-market surveillance undertaken by both the economic operators and the national authorities.
All manufacturers and their representatives must have an appropriate QMS.
The regulations require that manufacturers and authorised representatives have permanently at their disposal at least one person responsible for regulatory compliance. This is not necessarily an employee, but must be accessible to the organisation. The person is responsible for ensuring the conformity of devices are checked prior to release, including checking that technical documents and certificates of conformity are accurate.
The legislation includes a series of requirements for notified bodies who will be required to be re-designated as part of the regulation. It is targeted to have this complete towards the end of 2018.
Notified bodies will be required to undertake unannounced audits of manufacturers and their authorised representatives. Notified bodies will have to provide schedules of unannounced audits to their national authorities.
The legislation includes the creation of a pan-EU expert committee, the MDCG. This will comprise representatives from the member states and will assist the Commission in the implementation and operation of the new legislation.
UDIs will be introduced on all medical devices. They will be placed on the label of the device, implant cards for Class III devices, and in the case of re-useable devices, potentially on the device as well. These UDIs will be used to provide traceability of use of devices.
The Commission will establish a centralised EU database for the storage of information on medical devices (EUDAMED). This will facilitate the communication of both pre- and post-approval product information between economic operators, the Commission, member states and, in some cases, healthcare professionals and the public. It is targeted to have this database available towards the end of 2018.
As can be seen from the above changes, the requirements for the new legislation are varied, impacting the majority of parties involved in the supply and governance of medical devices to the EU market across the entire lifecycle of each device. The legislation is in force now so companies need to act to define their strategies for transition.
Article 10(9) of the EU MDR and Article 10(8) of the EU IVDR state that:
‘Manufacturers of devices, other than investigational devices, shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device.
The quality management system shall cover all parts and elements of a manufacturer’s organisation dealing with the quality of processes, procedures and devices. It shall govern the structure, responsibilities, procedures, processes and management resources required to implement the principles and actions necessary to achieve compliance with the provisions of this Regulation.’ 
The article then lists a series of aspects that the QMS shall address. To achieve product certification under the new regulations, companies will need to be compliant with these new requirements.
For some companies, particularly those where their products have been incorporated into the new regulations but were not subject to previous versions of the legislation, a QMS may be a completely new requirement. This can be a significant undertaking and must be planned accordingly.
International Organization for Standardization (ISO) 13485 Quality Management for Medical Devices  was updated in 2016 and contains new requirements and more emphasis on a risk-based approach to the overall QMS process. Previous versions of this document have outlined the standard that many organisations have used as the basis for their QMS. The requirements of ISO 13485:2016 and the new regulations have some overlapping provisions, but for companies wishing to retain ISO certification, compliance with both will be necessary. At the time of writing this article, it was anticipated in the industry that the ISO standard and the new regulations would be harmonised.
However, in the short term, this presents a situation in which regulatory and quality professionals need to ensure that their QMS is updated for both the requirements of ISO 13485 and the new regulations.
It is important to consider in your implementation activities that your goal should not just be to have your new QMS in-place but also ensure that it is fully in-use. This latter condition is often the most challenging, necessitating significant change management activity across your organisation. However, without ensuring in-use, you cannot consider that your QMS is audit ready.
For companies faced with these challenges, it begs the obvious question ‘So where do we start?’
The logical first step is to define the company’s strategy for how to tackle the new regulations. Typically, strategy development would include the following.
From our experience of delivering large and complex legislative-driven change, there are a number of things to think about when defining your strategy.
The impacts of the regulations are cross-functional, so make sure that you have all relevant functions involved in defining your strategy. Avoid the temptation to ‘slice and dice’, allowing each function to independently develop their approach. The company needs a holistic response so develop your strategy as a true cross-functional activity. All stakeholder groups involved in the delivery of the legislation need to contribute effectively or the whole process is at risk of failure. Therefore, all parties must buy into their roles in the processes and actively contribute to them. This will rarely happen if they are simply passive bystanders in the design of the capabilities or the delivery of the resulting activities.
Providing guidance to the team on what would be permissible or not, defining the ‘rules of game’ to all parties. This provides a boundary and decision-making framework for solutions being developed and should be approved and managed by the governance team.
Given the cross-functional and cross-organisational nature of the regulations, establishing the right inclusive leadership and governance is key to the long-term success of the activity. A cross-functional governance team should therefore be established to steer the definition, establishment and ongoing delivery of your strategy. This governance body should include membership from all the stakeholder groups involved.
The implementation of solutions to address new legislative drivers is complex, not least because, through the implementation journey, the legislation evolves. Unforeseen situations and challenges will arise, timelines may change, Delegated Acts may introduce further local requirements. Therefore, solutions defined need to have sufficient flexibility to cope with further emerging requirements. This is not easy but is a key challenge of which solution design teams must be made aware.
In large and complex operations, it may be necessary to implement solutions at multiple locations. It can therefore be beneficial to develop standard approaches for solutions that can be replicated at each of these locations, rather than ‘re-inventing the wheel’ at each one. This provides two benefits – it can be more efficient in preparing the solutions, and learnings across the organisation can be shared. However, if taking this approach, local requirements must be highlighted and built into the developed solutions.
These regulations are complex and evolving, touching many parts of an organisation. With the challenges facing the leadership that is charged with implementing such capabilities, they need to have a broad range of skills, the drive and motivation to anticipate risks and issues, as well as ensure they are effectively managed proactively. Furthermore, there will be many technical challenges to address so the leadership of the program needs to have the technical strength and breadth to succeed in managing these.
Good change management practice encourages the involvement of those impacted early in the activity. The local country teams will be key in supporting implementation and ongoing operation of solutions implemented, as well as undertaking a significant role in product re-registration and labelling updates. Involving them early will ensure solutions are fit for purpose and that they buy into the activities you need them to do.
The implementation of the new regulations will take many years and requirements will probably evolve. The environment you operate in and your company will likely change in this time as well. Your strategy is therefore not a one-time activity. It needs to grow and evolve as the surroundings change. Hence, you need to build in regular reviews of the strategy to ensure it remains pertinent and comprehensive.
As can be seen from the above, developing your strategy is a key point in your journey to address the issues presented by EU MDR/EU IVDR. It will help your company understand what needs to be done and how resources will be marshalled to address those challenges. The strategy processes need to be timely – giving enough time to undertake the strategy process itself effectively – and giving enough time to subsequently implement the new requirements. Not only this, but it is an ongoing process tuning the company’s response as situations change. Appropriate flexibility and risk mitigation needs to be built into your solutions and deployment plans. A good strategy will help facilitate a successful response to the legislation across your organisation.
Andrew Love is a Vice President at Be4ward. He was previously Head of Global Packaging Design at GlaxoSmithKline.
The article was first published in gmp review Vol.16 No.3 October 2017 and is reprinted in our LOGFILE Newsletter by courtesy of gmp review.
Excerpt from gmp review