Medical Software Development according to Medical Device Regulation (MDR) – part 3: Quality management system

Part 1. The MDR in brief and the software qualification and risk classification
Part 2. The conformity assessment routes, software modules and impact of changes

The ISO 13485 standard is generally accepted throughout the world as “state of the art” with respect to Quality Management System (QMS) requirements. Most companies apply ISO 13485:2016 to pave the road to regulatory compliance. It must be noted that even though device certificates may be valid till 2024, all QMS must meet the MDR regulations by 26-May-2020. The audits after this date will be made against the MDR. 

MDR Article 10 defines the general obligations of manufacturers. Much is already covered by ISO 13485:2016, but there are several QMS requirements that are not explicit in it, including:

• Technical documentation content and formatting, and document storage retention
• Strategy for regulatory compliance, including the person responsible for regulatory compliance
• General safety and performance requirements
• Clinical evaluation and investigation
• UDI, labeling and interaction with Eudamed database
• Resource management, supply chain and economic operators
• Post-Market Surveillance system (PMS), including PMS plan, periodic safety update report, post-market clinical follow-up and performance follow-up
• Vigilance criteria and timescales, incidents and field safety corrective actions

MDR Article 8 defines the use of harmonized standards. However, only a few standards are harmonized for the MDR by the date of its application. As the MDR requires “state of the art”, manufacturers are instructed to follow the most current version of a standard, even if it has not been harmonized under the MDR. The use of standards helps fulfill the general safety and performance requirements defined in MDR Annex I. There will not be new standards for the MDR, instead there will be supplement Z annexes to the standards to support the regulatory aspect.

The key standards for medical software development include:

• ISO 13485: Medical devices – Quality management systems – Requirements for regulatory purposes
• ISO 14971: Medical devices – Application of risk management to medical devices
• IEC 62304: Medical device software – Software life-cycle processes
• IEC 62366: Medical devices – Application of usability engineering to medical devices
• IEC 82304-1: Health software – Part 1: General requirements for product safety

MDR Article 9 defines the introduction of common specifications (CS) as a set of technical and/or clinical requirements where no harmonized standard exists, or where the harmonized standard is not considered sufficient. Manufacturers shall comply with the CS in a timely manner unless they can justify that they have adopted solutions that ensure a level of safety and performance that is at least equivalent thereto.

Your Notified Body will audit and assess the QMS and PMS processes at least on a yearly basis. In addition, the Notified Body will perform unannounced audits of the manufacturer and of the manufacturer’s suppliers or subcontractors at least once every five years.

Audits typically include assessment of technical documentation, taking samples from the production process and analyzing samples from the market. Where the manufacturer uses a harmonized standard or CS related to the QMS, conformity with those standards or CS is assessed.

Download our free guide: Medical Device Regulation on Software Development – Key points to consider