Afraid of the new MDRs?

By Matteo Gubellini, Chief Regulatory Officer at SoftComply

Who’s afraid of the MDRs and the new approach to risk management in the EU?

Well, everyone!

The new and scary regulations for medical devices in the European Union will be made effective towards the end of this month.

Driven by the necessity of updating an old process and of looking proactive after the recent scandals of the PIP implants, the EU politicians have reacted, promising tougher controls, increased requirements and more scrutiny from the Notified Bodies – in other words, drastic measures. More than 300 pages of regulations will be given to all medical device companies to comply with by Q1 2020.

For months now, articles, blog posts and white papers have appeared everywhere, describing how our lives will be made a misery by the new MDRs (and how you will not manage compliance without pricey expert services). This has not helped.

From the height of my experience not as a consultant, a high-level auditor, ex-FDA nor as an ex-Notified Body employee, but as a person who has worked in the medical device industry for the past 10 years, I opened the content of the MDRs and had a (quick) look into it, focusing on my area of expertise, risk management.

This is what I found:

1) First, the world as we know it will not come to an end with the introduction of the MDRs…

2) Secondly, the MDRs are actually more readable than the current MDDs as they are written in a less legal language…

3) Finally, most of the updates simply bring the EU regulations in line with the existing industry standards and the FDA regulations.

And specifically for the Risk Management (Section 3 Annex I):

“Manufacturers shall establish, implement, document and maintain a risk management system.” – OK, nothing new here…

“Risk management shall be understood as a continuous iterative process throughout the entire lifecycle of a device, requiring regular systematic updating.” – and that’s not new either…

In carrying out risk management manufacturers shall:

(a) “establish and document a risk management plan for each device;” – so you need a Risk Management Plan just like before…

(b) “identify and analyse the known and foreseeable hazards associated with each device;” – conduct a Hazards Analysis like always…

(c) “estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;” – carry out Risk Estimation and Evaluation as usual…

(d) “eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;” – you surely mitigated risks before… but wait…

(e) “evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, the benefit-risk ratio and risk acceptability;” – evaluate feedback from production then… hm, this reminds me of something I have seen before…

(f) “based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4.” – right, I know this… IT REMINDS ME OF ISO 14971.

You should not have been surprised by any of these requirements!

But in case you were, you are in the same amount of trouble as you were before…

But this is not the only good news.

Section 4 Annex I says:

“[…] In selecting the most appropriate solutions, manufacturers shall, in the following order of priority:

(a) eliminate or reduce risks as far as possible through safe design and manufacture;

(b) where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated; and

(c) provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users.

Manufacturers shall inform users of any residual risks.”

After years of not being able to take credit for any warning given to the user, not even if I tattooed it on their arms, after having endless discussions with the Notified Bodies, and word-smithing Risk analysis to justify why instructions can actually mitigate risk…


We help medical device companies automate their compliant Risk Management with the help of the SoftComply Risk Manager – our Atlassian add-on for JIRA.
