
Trust but Verify: It’s OK to Ask Questions

From due diligence for investments and M&A to internal and supplier auditing, being bold enough to ask questions may ultimately save your organization and reputation.

In the medical device and biologics industries, there is a lot of pressure to keep the ball rolling while also keeping it in bounds.  Financial progress must be made while remaining compliant with regulatory requirements and ensuring the safety of the patients and users of your products.  Walking such a tightrope is a challenge but is certainly possible with the right resources and skills.  This article evaluates one approach that individuals can take in any role and at any level in an organization: asking questions.

I continue to marvel with disgust at the massive ruse Theranos management deployed against patients, medical professionals, investors, business partners, regulators, and the public at large.  This was one of several recent debacles that stain the reputation of a largely compassionate and honest industry.  As I learn more about the Theranos debacle, my curiosity keeps returning to the endless stream of lies perpetuated (whether intentionally or naively) by Elizabeth Holmes, her executive leadership, and top shareholders.  How could they have such audacity and fearlessness in leveraging such lies to advance the company?  Why did investors, potential business partners, and the media not question the many claims that have now been exposed as total lies?  Why were outsiders so accepting of Theranos’ inability to offer concrete evidence for any of its claims?  In my own work, I’ve instantly identified far more subtle cases of false and misleading information; why did it take so long for that to happen with Theranos?  Let’s probe some examples so you understand my bewilderment and how I would’ve responded as a certified auditor and experienced due diligence professional.

First, Elizabeth Holmes claimed that the Theranos diagnostic device was deployed in medevac helicopters in Afghanistan by the Department of Defense.  A second whopper was that the Theranos device did not need FDA approval to be marketed in the US.  To her credit, Ms. Holmes stated that although the device did not require marketing authorization, Theranos would seek FDA approval anyway (though this supposed strategy highlights the possibility that Theranos had no regulatory affairs staff or consultants).  The final fib we’ll discuss is how Theranos convinced potential investors that pharmaceutical companies were using the device in clinical trials.  I understand the need for tact during discussions regarding acquisitions, mergers, or investment and the hesitation to appear incredulous.  But these are perfect opportunities to probe for information simply on the grounds of genuine curiosity!  If the negotiations are so fragile that asking legitimate questions will jeopardize the deal, that in itself may highlight the suspect nature of the idea or organization for sale.

As an auditing and executive professional, here are some of the questions I would have asked when faced with the claim of medevac use:

· What is the use, and even the advantage, of the technology on a medevac helicopter?  How does the technology in this application meet user needs?

· What feedback has the company received from combat zones on the advantages compared to other methods of testing?

· How is a precision instrument running 200 tests on two drops of blood validated to function in such a rough environment?

· What documentation is available demonstrating DoD or FDA approval for such use of the device?

· Do you have a photograph or video of the product being used in this application?

· What training was provided for use of the device?

Regarding the claim that FDA approval was not required for such a device, did anyone question such a definitive statement lacking any supporting detail?  As a regulatory expert, I understand that I approach this with much more knowledge than the average individual.  However, did such a bold claim with such serious financial and safety implications not warrant some insistent questioning or background investigation?  During due diligence, taking information at face value is a dangerous gamble.  In this situation, I would’ve asked for:

· An FDA response to a 513(g) Request for Information;

· FDA pre-submission meeting minutes;

· Even informal documentation from FDA, such as email correspondence; or,

· A regulatory strategy or rationale from a qualified regulatory affairs professional.

When Theranos implied the device was being used by pharmaceutical companies in clinical trials, did these investors pose no follow-on questions?  At a minimum, if the claim was true, some additional information or verification would have been available, and asking for confirmation would not have been out of line.  If presented with papers documenting clinical performance of the device and branded with the logos of major pharmaceutical companies implying a partnership, I would ask:

· Which of the 200 tests performed by the Theranos device were being used in each study, and why?  Any investigational use (drug or device) should correspond with an entry on (hint, hint!).

· What feedback did Theranos receive from the investigators?

· Most importantly, would Theranos provide references or contacts at the pharma companies?

Theranos may very well have responded by citing a cloud of secrecy and insisting on confidentiality.  That in turn would prompt another question: given the supposed confidentiality, why leverage the relationships in the first place?  Without a reference or some evidence of legitimacy, I would treat that information as null and possibly counterfeit.  To proponents of a deal this may seem extreme, but skepticism is entirely reasonable in the absence of evidence.

Why was there seemingly such eagerness to accept the claims made by Holmes et al. at face value?  Why did such shallow and unsubstantiated lies prop up Theranos for so long and enable it to receive billions in investments?  It seems that the answer is that the right questions were not asked, or that there was no persistence in the line of questioning.  In my extensive history of auditing and performing due diligence assessments, I’ve never regretted asking questions; I’ve only regretted not asking.  At worst, my research and analysis were ignored.  But even in those situations, the pressure test I applied to the organization was sufficient to have identified any egregious violations.

Ensure you have the right team involved in auditing and assessing target companies and recipients of your investment funds; qualified quality and regulatory personnel are essential.  During acquisitions and investment due diligence, don’t let the excitement blind you to reality.  When auditing, hold firm on your line of questioning and don’t allow yourself to be distracted or placated.  The sting of regret from poor due diligence outlasts and outweighs the excitement of the accomplishment.  As stewards of the finances, safety, and well-being of so many, we must ask questions even if it’s uncomfortable.  As penned by Suzanne Massie (Ronald Reagan’s adviser on Russian affairs) and stated often by President Reagan during diplomacy with the Soviet Union, “Trust, but verify.”  No one should criticize you for asking legitimate questions; if verification were not necessary, due diligence and audits wouldn’t be performed in the first place.

Brosseau Consulting is available to assist your organization with due diligence, auditing, or other business matters requiring keen evaluation and analysis.  Please contact Bryan here for more information and a complimentary initial consultation on how Brosseau Consulting can assist you in meeting goals and minimizing risk.

EU MDR: What We Can Learn from Other Professions

In Bryan’s latest contribution to MedTech Intelligence, a different perspective on EU MDR implementation and advice on engaging executive management for the resources needed for EU MDR:

EU MDR Supplier Quality Requirements: Convergence of Best Practice and Regulation

EU MDR Supplier Quality Requirements examined in my latest contribution to MedTech Intelligence:

Beyond the Checkbox

Bryan has given the blog a short summer vacation!  Please see the link below for an article Bryan contributed to MedTech Intelligence.  More content and linked articles will follow soon!

Risk Management Under the New EU Medical Device Regulation

The new EU Medical Device Regulation (Regulation (EU) 2017/745, the “MDR”) adopts a more universally risk-based approach than the EU Medical Device Directive (93/42/EEC, the “MDD”).  The new regulation also aligns requirements for medical devices more closely with the harmonized standard for risk management (EN ISO 14971:2012).  More explicit requirements for manufacturers are laid out regarding the maintenance of a risk management program and life-cycle risk management.  Responsibilities and authority for both Notified Bodies and member states are defined.  For example, the regulation requires that Notified Body auditors have knowledge and experience in risk management as well as device-related standards and guidance.  And Competent Authorities will perform market surveillance, which will include risk assessment and management.  This surveillance may include a review of documentation, evaluation of device samples, or announced and unannounced inspections of economic operators (review this definition and the associated regulatory requirements in detail!).  With the increased scrutiny on Notified Bodies and their increased responsibilities, manufacturers will likely find that Notified Bodies are less lenient on compliance with the requirements as they relate to risk.  For these reasons, and to ensure continued device performance and safety, compliance with the more detailed regulatory requirements for risk management is imperative.

The general requirements for risk management in the new regulation are familiar from the MDD and ISO 14971 albeit more explicitly described than in the MDD.  As before, devices are required to achieve the performance intended and must be designed and manufactured to fulfill their intended purpose. The devices must not compromise safety and the individual and cumulative risks must be outweighed by the clinical benefit.  Risk management is emphasized in the regulation as an iterative process throughout the entire lifecycle of a device (a key input in developing the new regulation was to implement more of a lifecycle approach).  The following are required for each device:

- a risk management plan for each device

- identification and analysis of the known and foreseeable hazards associated with each device

- estimation of the risks associated with the intended use and the reasonably foreseeable misuse of the device

- risk mitigation (elimination or reduction of risk)

- assessment of the impact of production and post-market information on the documented risk assessment

- changes to control measures (e.g. safety by design, alarms, safety information) when required based on the assessment of production and post-market information

The first four points are currently addressed in the risk management files maintained by most manufacturers for their devices. However, weak linkages between production and post-market information and the risk management file are common. Additionally, where a “checkbox approach” to risk management is employed, device design (specifically, control measures) may not be adequately evaluated in response to production and post-market information. Consider strengthening procedures around risk management and production and post-market information to comply with these requirements.  Also ensure that you are evaluating the device design in response to post-market information.

Per the regulation, the manufacturer must establish, document, implement and maintain a system for risk management as part of the quality system.  Therefore, thorough documentation of requirements and procedures for risk management is required.  In other words, your risk management and related procedures (clinical evaluation, post-market surveillance, etc.) must provide clear instructions that are consistent with the regulation and contain the applicable elements.  If you currently have very basic procedures and forms and must verbally describe how your risk activities are performed, you will need to update your risk program.  For example, if you use Failure Modes and Effects Analysis (FMEA) with a rating system based on the combination of severity, occurrence, and/or detection, you must describe in your procedure how this document is generated, define the scoring system, and state how this document is linked to other documents (e.g. design inputs/outputs, hazard/harm listing, and historical data for the device or similar devices). The technical file for each device must include the results of the risk management process including the benefit-risk analysis, the solutions adopted to address risks, and the updated PSUR (see section below titled CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE for more information regarding the PSUR).  All risk documentation for each product must be maintained and readily available per record retention requirements.


Annex I contains the most detailed information for manufacturers regarding risk management during design.  A side note: reprocessors assume risk management responsibilities to ensure the device properties are not changed by reprocessing and to address the use of the reprocessed device (essentially, reprocessors are treated as manufacturers in this regard).  Risk control measures must be state of the art and adopted in the following order of priority:

1. Eliminate or reduce risks as far as possible through safe design and manufacture

2. Adopt adequate protection measures for risks that cannot be eliminated (e.g. alarms)

3. Provide information or user training for safety and disclose any residual risks

Item 3, above, diverges slightly from the requirement of EN ISO 14971:2012 which allows the manufacturer to determine which residual risks are to be disclosed (for residual risks deemed acceptable).  The EU MDR simply states that the manufacturer “shall inform users of any residual risks” (refer to the section below titled RESIDUAL RISK for more information regarding this requirement).

As with the MDD, Annex I of the MDR provides general requirements for medical devices such as sterilization, material characteristics, performance requirements, etc.  All risks associated with device characteristics must be eliminated or mitigated, and individual and cumulative risks must be acceptable when weighed against the benefit of the device.  Each applicable technical aspect addressed in Annex I should be represented in the risk management file for your device.  For example, if your device is provided sterile, you should consult the areas addressing sterility in Annex I when assessing risks for your device.  Of note, the regulation specifies that risk be evaluated for the device when used under the conditions and for the purposes intended.  One does not need to wildly imagine scenarios where the device may cause harm when used in a manner that is grossly inconsistent with the labeled indication and instructions; however, for reasonably foreseeable misuse, those risks must be evaluated.

RESIDUAL RISK

Earlier, I mentioned the disclosure of risks to users as it relates to the current requirements in ISO 14971.  The new regulation specifically prohibits manufacturers from “failing to inform the user or the patient of a likely risk associated with the use of the device in line with its intended purpose”.  The regulation also allows manufacturers to use a pictogram following the CE Mark to identify any special risk.  I recommend defining the symbol in the labeling, especially if it is not defined in the harmonized standard ISO 15223-1.  Risk mitigation also applies to distributed devices, as the regulation addresses corrective action for devices that have already been placed on the market.  Therefore, residual risks must be addressed at every stage of the device lifecycle, including when those risks are identified after distribution.

CLINICAL EVALUATION AND POST-MARKET SURVEILLANCE

Risk management and clinical evaluation are interdependent and thus must be cross-referenced and updated concurrently and regularly.  Clinical risks must be identified in the risk management file and addressed as part of clinical investigations, the clinical evaluation, and post-market clinical follow-up (PMCF).  During the post-market phase, manufacturers must systematically and actively gather post-market information and update the technical documentation relating to risk assessment and clinical evaluation.  The clinical evaluation must be performed according to a plan and include an assessment of nonclinical testing, clinical investigation results, and post-market information.  Post-market information includes, but is not limited to, feedback, complaints, field corrective actions, recalls, etc.  The PMCF plan should expand on these inputs to also include proactive solicitation of post-market information: consider clinical trials, clinical registries, or detailed and thorough solicitation of feedback from frequent users (for example, user surveys that capture the overall experience with your device at one or more specified facilities).  Like the clinical evaluation plan, the PMCF plan must also be linked to the risk management processes.  You must specify methods and procedures for identifying and analyzing emergent risks based on post-market evidence, referencing the risk management activities and documents for the device.

Data gathered through post-market surveillance must be used to update the benefit-risk determination and improve risk management.  In addition to serious incidents, any statistically significant increase in the frequency or severity of incidents that are not serious (or of expected undesirable side-effects) that could lead to unacceptable risks or an unacceptable benefit-risk ratio must be acted upon and reported to the Competent Authorities (this is the regulation’s “trend reporting”).  The increase is established in comparison to the foreseeable frequency and severity specified in the technical file (this likely refers to the clinical history for similar devices leading to the estimated frequency and severity in the risk file).  If you do not already identify risk thresholds and tie your post-market surveillance back to those limits, now is the time to start.

In addition to the requirement for PMCF, manufacturers of class IIa, class IIb, and class III devices must also prepare a periodic safety update report (PSUR) for each device (and for groups of devices where relevant).  The PSUR includes the results and conclusions of the post-market surveillance analysis, any corrective or preventive action taken, and the updated benefit-risk determination.  The PSUR must also include the “denominator” for the data in the form of sales volume or estimated usage of the device.  The PSUR must be updated periodically (the timeframe depends on the device risk class) and with consideration for risk management activities.

Another new requirement specifically for implantable and Class III devices is the Summary of safety and clinical performance.  Residual risks, undesirable effects, warnings and precautions must all be included in the Summary of safety and clinical performance which is submitted to the Notified Body (NB) during conformity assessment and uploaded by the NB to EUDAMED.

CE marking without clinical evidence for your device or an equivalent device will no longer be possible for many devices.  Where clinical data is not used to demonstrate safety and performance, the Notified Body will rigorously inspect your risk management file to ensure that risks are adequately characterized and mitigated without clinical data.  There must be adequate linkages between clinical evaluation and risk management to ensure that the clinical evaluation includes an assessment of risk.  To ensure that risk is adequately assessed as part of the clinical evaluation, your clinical evaluation plan must identify the parameters used to evaluate risks and the benefit-risk ratio, an assessment against the state of the art (refer to MEDDEV 2.7/1 Rev. 4 for more information), and an evaluation of specific risks related to medicinal, animal-origin, or human-origin materials incorporated in your device.  Additionally, procedures for clinical evaluation must clearly describe risk management activities as they relate to the clinical evaluation.

In summary, your risk management, clinical evaluation, PMCF, and PSUR procedures and plans must all be synchronized, and each resulting report must consider the data and results of the others.


As you may now realize, clinical investigations will be required for more medical devices under the new medical device regulation. The regulation specifically identifies the use of clinical investigations as a method of assessing the benefit-risk ratio of medical devices.   Additionally, risk assessment must be used in justifying any foreseeable risks to trial subjects when weighed against the benefits. A robust evaluation of the risks to subjects and the benefits must be documented in the clinical investigation plan. The plan must also include an ongoing monitoring strategy for the risks and the benefit-risk ratio. The new regulation also requires that subjects are notified of risks by way of the informed consent and outlines requirements for possible risks to incapacitated and minor subjects. Investigators must also be notified of the benefit-risk analysis and summary of risk management in the investigator’s brochure. Specific risks must be identified in the investigator’s brochure including those related to medicinal, human-derived, or animal-derived substances incorporated in the device.  For clinical trial applications, member states are required to assess the minimization of risks and the risks compared to the clinical benefits of the device. 


The transition to the new medical device regulation also comes with the potential for additional requirements for your devices after you have demonstrated compliance with the MDR.  In addition to the continued use of harmonized standards, the regulation introduces a new regulatory concept for medical devices: Common Specifications.  Common Specifications will be adopted by the European Commission and will address requirements for both products and quality system management.  That is, there will be Common Specifications for safety and performance requirements for devices (specifically, high-risk devices such as implantable and class III devices) and for quality system requirements (for technical documentation and risk management, among other areas).  You will need to ensure that you search for Common Specifications when you perform your periodic review of new or revised regulatory requirements.  This review is typically performed at least once a year (and preferably more often) to identify new or revised regulations applicable to your devices or QMS.  When a Common Specification is adopted for risk management, you will want to ensure that your risk management processes and documentation are compliant.


The new requirements described in this document represent a small portion of the work needed to comply with the EU MDR. While the task of becoming compliant may seem daunting, I recommend the following simple steps to get you started:

- Review the EU MDR and highlight new requirements and differences between the new regulation and the existing regulations and standards with which you comply.

- Develop a general plan for revising your procedures and other documented Quality Management System requirements.  This plan should include assignments for responsible parties within your organization.

- Hold regular meetings with the involved parties to verify that activities are performed to schedule.

- If you haven’t already discussed the transition with your Notified Body, do so now.

- Attend any training opportunities you can regarding the EU MDR.

Of course, Brosseau Consulting is available to assist you with the transition.  Hiring an expert may very well be your quickest and most sure path to compliance.