Guest Column | September 11, 2017

Learn From Past Mistakes: Preparing For MDSAP And International Commercialization

By Marcelo Trevino, independent expert

In today’s complex and constantly changing medical device world, it is more important than ever to fully understand regulations — particularly those regarding communication with Notified Bodies — to be able to comply with quality and regulatory requirements in Europe. Regulatory literacy will be even more critical as organizations begin implementing MDSAP requirements to comply with requirements from the U.S. (FDA), Australia (TGA), Brazil (ANVISA), Canada (Health Canada), and Japan (MHLW / PMDA). The task is particularly challenging for small and early-stage start-up organizations, where there is pressure to quickly release medical device products to the market.

In this article, I will summarize some of the most common European regulatory compliance mistakes I have seen over the last few years, as well as provide insight on how to avoid them.

U.S. Regulatory Clearance Does Not Equal CE Mark/Worldwide Approval

Many organizations assume regulatory clearance in the U.S. can be used as a gateway to CE Mark approval in Europe, and all over the world. However, there is no mutual recognition among regulatory agencies and, particularly in Europe, there are multiple organizations responsible for regulatory approval: notified bodies, member states, and competent authorities. While getting clearance from the FDA can make the CE Mark process easier (organizing technical files/design dossier), organizations should have a clear understanding that the approval process is judged by a different set of criteria.

Medical devices in Europe are governed by medical device directives (MDD: Medical Device Directive, AIMD: Active Implantable Medical Device Directive, IVDD: In Vitro Diagnostics Directive). In addition, depending on the device technology, there are other directives that might apply to each device.

Previous FDA regulatory clearance does not affect a certification decision; to commercialize a product in Europe, the product must meet the essential requirements dictated by the appropriate Directive for that product. The same concept applies when commercializing products in other parts of the world.

Poorly Assembled Design Files / Design Dossiers / Technical Files Fall Apart Under Regulatory Scrutiny

Adequate organization of Design Dossier or Technical File information is very important when submitting a product to Notified Bodies or regulatory agencies for evaluation. Reviewers could waste a significant amount of time trying to find information, which only delays the evaluation and the overall approval process. When organizing dossiers, it is important to understand that technical experts will need to easily access the requested documentation. This can be done by separating or combining files depending on complexity, adding bookmarks, and ensuring all referenced documentation is included. The documents GHTF/SG1/N011 and NB-MED/2.5.1 can be used as guidance to ensure files are properly assembled.

 

Always Include Risk-Appropriate Clinical Evaluation Reports

In Europe, essential requirements demand a risk-appropriate Clinical Evaluation Report of the device to be commercialized, or such a report for an equivalent device. Personnel conducting the evaluation must have appropriate qualifications on the research methodology, technology to be evaluated, and the clinical diagnosis. A simple literature review and predicate device substantial equivalence is not enough.

Furthermore, when devices are CE marked based on a Clinical Evaluation Report with literature from comparative devices that have no clinical trial, a Post-Market Clinical Follow-up (PMCF) must be conducted. It is important to establish a solid strategy to conduct an assessment for the report, keeping in mind state-of-the-art and EU patient populations. If differences are found throughout the study, justifications shall address impact in the overall safety and performance of the device.

Coordinating development of a Clinical Evaluation Report is a critical certification task that should be prioritized. Information from this report should be utilized as a device design input, addressing findings from similar devices where clinical safety or performance is impacted. MEDDEV 2.7/1 offers great guidance on this topic.  

Approval Pathway For Some Combination Devices Is Complex And Lengthy

In Europe, some U.S. medical devices are considered a cosmetic or a drug, so combination products do not meet the definition of a medical device in Europe. When a product is primarily a cosmetic, but has medical device uses, it can be classified as a medical device under MDD, but the focus of the device should be on the medical use. In many cases, manufacturers create technical files, CER, Post-Market Surveillance (PMS) plans, and risk management activities that focus on the cosmetic use only, which becomes problematic.

Organizations should keep in mind that, in the U.S., cosmetic devices do not require demonstration of performance (only safety issues considered for MDR). But, in Europe, regulations require that all medical devices demonstrate safety and effectiveness, even if they are only considered a cosmetic in the U.S.

In addition, certain substances within a device are considered a drug under European regulations — for example, vitamins, herbs, extracts, etc. This can lead to a lengthy approval path due to review requirements from the Notified Body and a medicinal consultation with a Competent Authority. Competent Authorities will assess if the drug is known for the indicated use. Notified Bodies are required to request a significant amount of information associated with medicinal substances, such as dosage and formulation. In addition, scientific data (in vitro or in vivo studies) must be provided for combination devices not classified as Class III combination devices when manufacturers claim the drug is contained within the device, but is not liable to act as allowed per the regulation.

When classifying a device in Europe, classification is based on risk level and where/how the product is used. Many times, a product can fall under multiple directives, and several rules might apply to that device. In these cases, the more stringent rules prevail, resulting in higher classification. MEDDEV 2.4/1 can be used as guidance when classifying a medical device.

Adequate Management Of Subcontractor Activities Is Critical

Subcontractors must possess appropriate certifications to prevent obstacles in the device approval process. In some cases, device manufacturer subcontractors do not have a QMS, their certificate is expired, or it does not include the scope for the product/service provided to the manufacturer. In other cases, the certificate is not issued by an EU/EEA-accredited Notified Body, or the address listed in the certificate is different than the address provided/specified by the manufacturer. Accreditation, location, and scope of a subcontractor QMS are very important.

Since we operate in a global manufacturing environment, it is very common to see manufacturers in 2017 outsourcing many activities: design, manufacturing, testing, etc. Still, manufacturers ultimately are responsible for the device being placed on the market, so it is important that they execute appropriate controls over those subcontractors to address MDD/essential requirements and international requirements.

Depending on the criticality of a subcontractor, audits may need to be conducted by the manufacturer, even if the subcontractor holds an ISO 13485 or ISO 9001 certificate from a Notified Body. This is because some Notified Bodies might disagree with qualification criteria, particularly for critical subcontractors, so the criteria should be discussed with them ahead of time.

Manufacturers can verify that subcontractor certifications were issued by a Notified Body or affiliate by accessing the European Commission’s New Approach Notified and Designated Organisations (NANDO) Information System.

It also is a best practice to ensure that design and/or manufacturing controls used by suppliers are appropriate for the device risk, and to keep objective evidence of the controls applied: surveys, audits, first article inspections, etc. Subcontractors should have documented procedures to allow effective and timely investigations resulting from NCMRs, CAPAs, Risk Management Activities, etc.

Additional common mistakes to avoid include undefined subcontractor re-evaluation criteria, inadequate documented quality agreements, excess reliance on the supplier with unjustified delegation of responsibilities, or unidentified subcontractor controls within the quality system.

Post-Market Surveillance Plans Should Be Adequate And Properly Executed

When organizations have several devices with different levels of risk, a general PMCF or PMS plan might not be adequate. In many cases, plans need to be specific to a device, or group of devices, to confirm clinical performance and safety throughout the expected device lifetime. European Medical Device Regulations require that the clinical evaluation and related documentation are updated with data obtained from the PMS. Hazards identified during PMS activities should be compared to those identified in the original device risk management file to determine if previous assumptions are still valid. Ensuring that risk management activities and PMS activities are effectively synchronized is critical to ensuring continued device certification. MEDDEV 2.12/1 and MEDDEV 2.12/2 can be utilized for additional guidance on this topic.

Manage Conformity With Harmonized Standards, And Address Critical Regulation Requirements

When harmonized standards are not utilized, manufacturers should establish a solid rationale to explain their decision. Each harmonized standard contains an “Annex ZA,” which cross-references clauses in the standard to any applicable essential requirements. Organizations are expected to stay up to date on all changes affecting them — for example, MHRA, EU MDR, Canada Gazette amendments, or unique requirements imposed by countries where product manufactured by the organization is being sold, etc. Regulatory requirements must be properly addressed in the organization’s QMS documentation.

Below are some additional critical quality system considerations from Europe, and elsewhere around the world, that often cause non-conformances and delays in the approval process:

  • Device Lifetime — Has it been identified? What is the basis for the lifetime now? How is this determined and documented?
  • Record Retention Period — Is this in accordance with all international country regulations? Does the organization have a system to comply and maintain requirements imposed by all countries where it sells?
  • Design Inputs — Do they consider state-of-the-art, essential requirements, and outputs of risk analysis?
  • Design Validations — Do they demonstrate that the device performs as intended? Are they carried out on initial production or equivalents? Do they include performance of device software? Are risk analyses performed at appropriate stages in the design process?
  • Changes To Existing Quality System — Is there a process to inform the Notified Bodies or regulatory agencies of any plans for substantial changes to the quality system, or the products that are covered? Are changes assessed to verify that, after implementation, the quality system still will meet requirements?
  • Preservation Of Product — Are the device’s characteristics and performance not adversely affected by storage or transportation? Are temperature conditions that would be typical of shipment considered? Are packaging and transportation activities validated?
  • Risk Analysis / Feedback — Is data being analyzed properly, and are risk analyses reviewed to take proper action? Is the risk management file updated regularly? Is risk management considered throughout product realization, in addition to the risk analysis conducted on the product as part of the design activities?

Lessons learned from complying with regulations while obtaining and maintaining certification in Europe should be carefully analyzed to avoid similar problems with the implementation of MDSAP. Organizations should carefully plan and develop robust systems that will allow proper implementation and maintenance of a quality system that has a uniform structure overall, but varies in conformance with certain requirements by country.

As organizations expand markets, it is important to consider these requirements, and to pay close attention to those that — in some cases — face more scrutiny from regulators. Now more than ever, organizations must develop quality systems that can be adapted to constant change. The MDSAP model can be used as an example that, if properly implemented, can be replicated to customize requirements from additional countries.  

About The Author

Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical, a life sciences group focused on global medical device regulatory, quality, and compliance. Marcelo can be reached at: marcelotrevino@outlook.com

Marcelo has 23+ years’ experience in quality and regulatory affairs, serving in multiple senior leadership roles with different organizations while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical instruments, orthopedics, medical imaging/surgical navigation amongst others. He has an extensive knowledge of medical device management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDD/MDR, MDSAP). Mr. Trevino holds a B.S. degree in Industrial and Systems Engineering and an MBA in Supply Chain Management from the W.P. Carey School of Business at Arizona State University. He is also a certified Quality Management Systems Lead Auditor by Exemplar Global.

He has experience working on Lean Six Sigma Projects and many Quality/Regulatory Affairs initiatives in the US and around the world including Third Party Auditing through Notified Bodies, Supplier Audits, Risk Management, Process Validation and remediation activities.

Additionally, he is a Certified Six Sigma Black Belt and Biomedical Auditor through the American Society for Quality (ASQ) and holds Certificates in Environmental & Sustainability Management Regulatory Affairs Management from University of California, Irvine.

He regularly publishes articles to assist corporations in their quest for exceptional quality and regulatory compliance.