MDR in Full Swing: Ranking of Lesser-Known Issues

This report focuses on the less obvious aspects that have emerged during MDR certifications managed so far and for which targeted solutions were necessary to complete the conformity assessment process.

May 2024 is approaching rapidly, marking an iconic date: the last opportunity to take advantage of the extension for those who want and can extend the validity of their certificate to 2027 or 2028, depending on the device class and in compliance with the required conditions.

Here’s a ranking of the less known aspects in order of impact, to be considered during the MDR certification process in the years to come.

5th Place: Sufficient Financial Coverage

The main obstacle in this case doesn’t concern the notified bodies’ requests, but insurance companies lacking policies designed for such needs. This situation results in high premiums and uncertainty about the insurance’s consistency with the Regulation’s requirements. Although solvable over time, it’s crucial not to underestimate the importance of this aspect and to seek timely assistance from your insurer.

It should be noted that the bodies lack the means for a detailed examination: the priority is the protection of the manufacturer rather than satisfying their requests.

4th Place: Cybersecurity

Suddenly, all medical devices capable of connecting to a network or having hardware access for data exchange are considered extremely dangerous.

Cybersecurity has revolutionized any previous modus operandi, leading bodies to request the application of international standards not adopted or harmonized in the EU, the need to refer to FDA guidelines, the performance of penetration tests and vulnerability analyses despite the absence of clear regulatory requirements.
The cybersecurity topic has only one certainty: the notified body’s technical expert will always have a trick up their sleeve to complicate the certification process. Even for devices that have been on the market for years.

To address this topic, we will publish a guide article. In the meantime, the regulatory references to consider in order to respond to most requests include:

• IEC 81001-5-1:2021 – Health software and health IT systems safety, effectiveness and security – Part 5-1: Security Activities in the product life cycle
• MDCG 2019-16 Rev.1 – Guidance on Cybersecurity for medical devices
• Manufacturer Disclosure Statement for Medical Device Security – Guideline issued by a US standardization body, which provides useful forms for transferring relevant information on device vulnerabilities and cybersecurity specifications to the IT managers of the facilities where the devices will be installed.

3rd Place: the most Significant Budget Item

Despite the European Commission’s recommendations on transparency of notified bodies’ prices, the most significant component in certification costs comes from the application of an hourly rate, the one for managing non-conformities in technical documentation.
Non-conformities often refer to topics that have been comprehensively addressed, but simply not identified by the evaluator given the volume of documents and content.

To obtain a realistic cost estimate, it’s necessary to budget for approximately 60% more than the initial quote.

The development of well-formatted documentation, with clear summaries and titles that exactly match the terms provided by the Regulation, MDCGs, or standards, has allowed us to reduce the number of such discrepancies and consequently the costs.

2nd Place: the Illusion of Legacy Devices

The past and the presence of an MDD certificate count for nothing and do not allow taking any aspect for granted. Notified bodies are using the transition to MDR to eliminate previous concessions or agreements with manufacturers.

Whether it’s an unchanged production process accepted for years, a rationale for analyzing biocompatibility aspects, or an internal test report referring to unchanged standards, many things that were previously acceptable thanks to more widespread competence and technical logic in managing certifications, are no longer acceptable.

It’s advisable to review previous audit reports to identify any discrepancies whose management was agreed upon in the past with the body or to re-examine discussion topics, often of a technical nature, that led to an unwritten bilateral agreement, because this is where the main obstacles of the new certification process might be hiding.

1st Place: Biblical Timeframes

Obtaining the certificate in less than 10 months from the finalization of technical documentation is impossible.

It’s essential to plan realistically, choose components not subject to planned obsolescence, and identify truly innovative features during the design phase, not just aimed at matching competing devices.

Of course, the hope is that over time, the increase in notified bodies will lead to shorter assessment timeframes; the availability of safer and more effective medical devices, as well as the desired uniformity in conformity assessment, will also depend on time.

However, time itself is the biggest concern: industry operators hoped that the estimates were not realistic. They said that such timeframes would not facilitate the medical device market; a market that not only represents a mere source of profit for manufacturers, but also a source of development of technologies crucial for improving the health of millions of people.