EU MDR vs. U.S. QSR and the Role of Digitization

The differences in the ways medical devices are regulated in the U.S. and Europe are subtle but important to understand. This article examines those differences and explains how digitization facilitates adherence to the regulatory requirements in both regions.

U.S. Quality System Regulation (QSR)

On February 23, 2022, the FDA issued a proposed rule to amend the current good manufacturing practice (CGMP) requirements of the QSR to align with the international consensus standard for quality management systems (QMS) for medical devices used by regulatory authorities globally, specifically ISO 13485:2016. The alignment will reduce the burden of duplicating medical device regulation compliance efforts and record keeping redundancies currently imposed on device manufacturers. The updated QSR will incorporate the requirements of ISO 13485:2016 as the foundational medical device quality management system requirements and will include additional requirements to align with existing requirements in the Federal Food, Drug, and Cosmetic Act. The intention is to promote consistency in the regulation and provide timelier introduction of safe, effective, high-quality devices for patients. Additionally, edits to 21 CFR Part 4 will be made to clarify the device CGMP requirements for combination products. The current Quality System Inspection Technique (QSIT) will be reviewed and, as applicable, revised to incorporate the requirements of the finalized rule.

The ISO 13485 requirements for compliance are substantively the same as under the current Part 820, with risk management requirements being the most noticeable difference. In 21 CFR 820, the only risk-specific requirement is listed in §820.30(g), as it relates to risk analysis as a part of design validation. ISO 13485 details risk requirements for application of a risk-based approach to the control of processes needed for the QMS. These include software validation, product realization, design control, purchasing, process validation, equipment, and feedback.

EU Medical Device Regulations (MDR)

The transition period for MDR QMS compliance was May 21, 2022. The MDR replaces the earlier Medical Device Directive (MDD) and the Active Implantable Medical Device Directive (AIMDD). CE mark submissions are performed within the new MDR unless the product was CE marked under the MDD where the CE mark will not expire until May 25, 2024. The manufacturer’s QMS for these devices must be compliant under several MDR Article 120 requirements.

Significant changes to post-market surveillance and vigilance of marketed devices have been included in the MDR.

Successful filing of CE mark submissions under the MDR will need understanding of the requirements for clinical and performance evaluations to prepare compliant — and convincing — reports since there are more rigorous requirements within the MDR for these elements.

EU MDR vs. U.S. QSR

The U.S. FDA marketing pathways include Premarket Notification (510(k)), De Novo, Exempt, Premarket Approval (PMA), Product Development Protocol (PDP), Humanitarian Device Exemption (HDE), and Biologics License Application (BLA).

The first step for a 510(k) submission is identifying the right class for the device using the FDA’s medical device databases.

• Class I devices: Low risk, requiring general regulatory controls – 510(k).
• Class II devices: Moderate risk, requiring general and special regulatory controls – 510(k).
• Class III devices: Higher potential risks of illness or injury (e.g., implantable devices and devices that support or sustain human life or are of substantial importance in preventing impairment of human health) – PMA.

Device classifications in the MDR are based on four categories of devices: non-invasive devices, invasive medical devices, active medical devices, and a special category. Classifications are based on risk, which determines the scale of data and evaluation required:

• Class I: Non-sterile or no measuring function (low risk).
• Class I: Sterile and/or has a measuring function (low/medium risk); the MDR adds reusable surgical instruments to this group.
• Class IIa: Medium risk.
• Class IIb: Medium/high risk.
• Class III: High risk.

Every device class has separate testing requirements, as discussed in different chapters and Annexes of the MDR. Software may have additional requirements.

MDR Clinical Testing Process Differences

Evaluations to be completed in preparation of a 510(k) submission include:

• Preliminary safety testing.
• Risk estimation.
• Hazards identification.
• Hazards management planning.
• Risk mitigation strategy planning.
• Risk control analysis.
• Risk control effectiveness verification.
• Overall residual risk analysis.
• Risk vs. benefit analysis.
• Risk management review.

Class I devices are evaluated per Annex IV and V and are exempt from conformity assessment by the Notified Body (NB) for CE marking. Some medium-risk Class I devices and Class IIa devices may need to undergo conformity assessments based on Annex XI (Part A). Class IIb and Class III devices need strong technical documentation of device type examinations, conformity verification, product verification, and extensive risk evaluation during the conformity assessments with the NBs, per Annex II, X, and XI (Part A and B).

Digitization in Medical Device Manufacturing

Digitization in manufacturing reduces the burden to comply with current regulations for medical devices. Benefits include ease of data access, more efficiency and effectiveness of stakeholder time, and improved asset life cycles, customer service, security, and product quality. It can help increase productivity and competitiveness with enhanced stakeholder skills. Top management should identify critical information to protect and perform risk assessments to evaluate risk levels to data loss or compromise.

Digitization in manufacturing process controls must define infrastructure needs, security requirements, data flow, data sharing between systems, and process controls. Privacy should be consistently evaluated at each data collection process where identity is recorded, including data receipt from applications, the internet, cameras, and security systems (both computer-based and mobile). Cybersecurity (corporate and mobile) and website controls should also be included in process control evaluations. The following areas should be evaluated:

• Physical security.
• Operational security.
• Personnel security.
• Contingency and disaster recovery planning.

Implementation, training, and execution can be enhanced with the use of outside experts for specialty help (e.g., AI, automation, wireless infrastructure, etc.). Planned obsolescence should be included within the process controls to ensure technology and compatibility requirements remain efficient and effective, if not state of the art. System upgrades can be tested in parallel, phased, or a pilot implementation approach. Use of standard application programing interfaces (APIs) can reduce future innovation implementation nuances.