medical device regulation

Trust but Verify: It’s OK to Ask Questions

From due diligence for investments and M&A to internal and supplier auditing, being bold enough to ask questions may ultimately save your organization and reputation.

In the medical device and biologics industries, there is a lot of pressure to keep the ball rolling while also keeping it in bounds.  Navigating financial progress must be made while remaining compliant to regulatory requirements and ensuring safety for the patients and users of your products.  Such a tightrope is a challenge but is also certainly possible with the right resources and skills.  This article evaluates one approach that individuals can take in any role and at any level in an organization: asking questions.

I continue to marvel with disgust at the massive ruse Theranos management deployed against patients, medical professionals, investors, business partners, regulators, and the public at large.  This was one of several recent debacles that stain the reputation of a largely compassionate and honest industry.  As I learn more about the Theranos debacle, my curiosity digs at the endless stream of lies perpetuated (whether intentionally or naively) by Elizabeth Holmes, her executive leadership, and top shareholders.  How could they have such audacity and fearlessness in leveraging such lies to advance the company?  Why did investors, potential business partners, and more media outlets not question the many claims that have now been exposed as total lies?  Why were outsiders so accepting of Theranos’ inability to offer concrete evidence of any claims?  In my own work, I’ve instantly identified more subtle cases of false and misleading information – why did it take so long for that to happen with Theranos?  Let’s probe some examples so you understand my bewilderment and how I would’ve responded as a certified auditor and experienced due diligence professional.

First, Elizabeth Holmes claimed that the Theranos diagnostic device was deployed in medevac helicopters in Afghanistan by the Department of Defense.  A second whopper was that the Theranos device did not need FDA approval to be marketed in the US.  To her credit, Ms. Holmes stated that although the device did not require marketing authorization, they would seek FDA approval (actually, this supposed strategy highlights the possibility that Theranos had no regulatory affairs staff or consultants).  The final fib we’ll discuss is how Theranos convinced potential investors that pharmaceutical companies were using the device in clinical trials.  I understand the need for tact during discussions regarding acquisitions, mergers, or investment and the hesitation to appear incredulous.  But these are perfect opportunities to probe for information simply on the grounds of genuine curiosity!  If the negotiations are so fragile that asking legitimate questions will jeopardize the deal, that may highlight the suspect nature of the idea or organization for sale.

As an auditing and executive professional, some questions I would’ve asked when faced with the claims of medevac use would have been:

·        What is the use and even advantage of the technology on a medevac helicopter?  How does the technology in this application meet user needs?

·        What feedback has the company received from combat zones on the advantages compared to other methods of testing?

·        How is a precision instrument running 200 tests on two drops of blood validated to function in such a rough environment?

·        What documentation is available demonstrating DoD or FDA approval for such use of the device?

·        Do you have a photograph or video of the product being used in this application?

·        What training was provided for use of the device?

Regarding the claim that FDA approval is not required for such a device, did anyone question such a definitive statement lacking any supporting detail?  As a regulatory expert, I understand I approach this with much more knowledge than the average individual.  However, did such a bold claim with such serious financial and safety implications not warrant some insistent questioning or background investigation?  During due diligence, taking information at face value is a dangerous gamble.  In this situation, I would’ve asked for:

·        An FDA response to a  513(g) Request for Information;

·        FDA pre-sub meeting minutes;

·        Even informal documentation from FDA such as email correspondence; or,

·        A regulatory strategy or rationale from a qualified regulatory affairs professional.

When Theranos implied the device was being used by pharmaceutical companies in clinical trials, were no follow-on questions posed by these investors?  At a minimum, some additional information or verification would have been possible if this claim was true and asking for confirmation would not be out of line.  If presented with papers documenting clinical performance of the device and branded with the logos of major pharmaceutical companies implying a partnership, I would ask:

·        Which of the 200 tests performed by the Theranos device were being used in each study and why?  Any investigational use (drug or device) should correspond with an entry on (hint, hint!).

·        What feedback did Theranos receive from the investigators?

·        Most importantly, would Theranos provide references or contacts at the pharma companies?

Theranos may very well have responded citing a cloud of secrecy and insisting confidentiality.  Which in turn would prompt another question – given the supposed confidentiality, why leverage the relationships in the first place?  Without a reference or some evidence of legitimacy, I would treat that information as null and possibly counterfeit.  To proponents of a deal, this may seem extreme but skepticism is entirely reasonable without evidence.

Why was there seemingly such eagerness to patently accept the claims made by Holmes et al.?  Why did such shallow and unsubstantiated lies prop up Theranos so long and enable them to receive billions in investments?  It seems that the answer to this question is that the right questions were not asked or there was no persistence in the line of questioning.  In my extensive history of auditing and performing due diligence assessments, I’ve never regretted asking questions, I’ve only regretted not.  At the worst, my research and analysis were ignored.  But even in those situations, the pressure test I applied to the organization was suitable to have identified any egregious violations. 

Ensure you have the right team involved in auditing and assessing target companies and recipients of your investment funds; qualified quality and regulatory personnel are essential.  During acquisitions and investment due diligence, don’t let the excitement blind you to reality.  When auditing, hold firm on your line of questioning and don’t allow yourself to be distracted or placated.  The sting of regret from poor due diligence outlasts and outweighs the excitement of the accomplishment.  As stewards of the finances, safety, and well-being of so many, we must ask questions even if it’s uncomfortable.  As penned by Suzanne Massie (Ronald Reagan’s adviser on Russian affairs) and stated often by President Reagan during diplomacy with the Soviet Union, “Trust, but verify.”  No one should criticize you for asking legitimate questions; if verification were not necessary, due diligence and audits wouldn’t be performed in the first place.

Brosseau Consulting is available to assist your organization with due diligence, auditing, or other business matters requiring keen evaluation and analysis.  Please contact Bryan here for more information and a complimentary initial consultation on how Brosseau Consulting can assist you in meeting goals and minimizing risk.

EU MDR: What We Can Learn from Other Professions

In Bryan’s latest contribution to MedTech Intelligence, a different perspective on EU MDR implementation and advice on engaging executive management for the resources needed for EU MDR:

Supplier Quality Considerations For Quality and Regulatory Service Providers

Advice on selecting and managing quality and regulatory suppliers in my latest contribution to MedTech Intelligence:

Corrections, Corrective Actions, and Preventive Actions: Effectively Handling Nonconformances in Compliance with the EU MDR

Beyond the Checkbox

Bryan has given the blog a short summer vacation!  Please see the link below for an article Bryan contributed to MedTech Intelligence.  More content and linked articles will follow soon!

Economic Operators: A Supplier Quality Approach for Manufacturers

While the existing Medical Devices Directive addresses requirements for authorized representatives, importers, and distributors, the new EU Medical Device Regulation contains additional requirements for these entities. The EU MDR introduces a new term, “economic operator”.   Economic operator means a manufacturer, authorized representative, importer, distributor, entity that combines products into systems or procedure packs, or entity that sterilizes systems or procedure packs for distribution.  Requirements for the organizations now termed “economic operators” have increased under the new EU MDR. While the requirements generally require entities to assess compliance upstream, I recommend that manufacturers also assess compliance of downstream economic operators (e.g. importers and distributors). If not before, these organizations are now providing services commensurate with what is typically considered from suppliers. Consider applying elements of supplier management best practices to ensure all organizations involved in the distribution of your products in the EU comply with the MDR.  In some cases, you may already be aware that some economic operators are struggling with the new requirements. By acting now, you ensure your business partners are prepared and reduce a risk of distribution interruption in the EU.

A manufacturer’s current agreements with importers, distributors, and authorized representatives should spell out all existing regulatory requirements.  This includes maintaining product traceability, proper storage of product (particularly those with specific storage conditions), reporting adverse events to the manufacturer, and assisting in the event of any field safety corrective actions (recalls).  This article describes additional requirements to be met by economic operators, how a manufacturer might verify or assist with their compliance, and manufacturers’ obligations regarding other economic operators.


This MDR contains new and revised general requirements for economic operators.  The applicability of some previous requirements is expanded to include all economic operators (e.g. post-market surveillance). In other cases, completely new processes are introduced (e.g. Eudamed registration).

Communication and Post-Market

Requirements for the manufacturer’s quality management system now include procedures for handling communications with economic operators. Ensure that your procedures for handling complaints, feedback, and adverse event reports define economic operators and how such information received from them is handled in your organization. Verify that such procedures meet the new requirements for post-market surveillance.

The post-market surveillance plan required per Article 84 of the MDR must include methods and protocols to communicate effectively with competent authorities, notified bodies, economic operators and users. By definition in the regulation, “post-market surveillance” includes economic operators as participants. You must proactively engage economic operators to ensure adequate collection of post-market data for evaluating real-world device safety and performance.  Therefore, coordination with all economic operators is required in developing and executing your post-market surveillance plan. By relying on economic operators for this participation, their compliance is critical and should be verified.

Post-market surveillance is not the only area requiring communication with economic operators. Consider other areas where communications are received from economic operators and apply similar procedural and contractual requirements (processing of orders, patient confidentiality, user inputs for design and development, contracts, etc.).


Upon request by a competent authority, economic operators must identify any organization to whom they have supplied a medical device or from whom they have received a medical device. Additionally, economic operators must keep and store the unique device identifier (UDI) of certain devices they have received or distributed.  This requirement for UDI records applies to Class III implantable devices as well as any group of devices determined by the EU commission in the future. As part of your ongoing regulatory intelligence strategy, ensure your organization is prepared to address this requirement when these devices are identified by the commission.

Verify each economic operator maintains detailed distribution records and can make such information available to the competent authorities upon request.  Ensure any systems used by you or an economic operator for inventory control and distribution meet these requirements. Also, don’t forget to assess any electronic systems for validation requirements.


Electronic registration (in Eudamed) of economic operators will be required and a single registration number (SRN) will be assigned to each.[1] Manufacturers will use their SRN to register devices by UDI and apply to the notified body for conformity assessment. Some economic operators will also reference the applicable UDIs in their registrations.

All economic operators must register in Eudamed prior to placing a device on the market and must update data in the system within one week of any change. Electronic registration is not limited to devices with certificates issued under the new regulation; you also must register devices with certificates issued under previous regulation (Directive 90/385/EEC or Directive 93/42/EEC). Section 1 of Part A of Annex VI outlines the specific information that must be entered in Eudamed for economic operators.

Ensure you have a plan for using Eudamed and for ensure all economic operators are prepared. Notify downstream economic operators when you have entered information into Eudamed and confirm when they have done so.

Competent Authority Requests and Inspections

Economic operators must be prepared to provide the competent authorities with technical documentation or samples of devices free of charge. And, economic operators are subject to unannounced inspections by the competent authorities. Therefore, each economic operator should have documented procedures or policy to comply with these requirements.  Or, at a minimum, these requirements should be documented in your contracts or agreements with economic operators. For example, your agreement should include a requirement for the economic operator to notify you if a competent authority arrives for an unannounced inspection.

Economic operators must also cooperate with actions taken by the competent authorities when they believe a device does not comply with the regulations or presents an unacceptable risk to users, patients, other persons, or public health. The regulation apportions the responsibility for such corrective actions across all economic operators. Therefore, each economic operator in the supply chain must cooperate with the others in recalling devices or otherwise remedying a problem with distributed product. Where an economic operator fails to address non-compliance within the timeframe specified by the authorities, the applicable national government will intervene to ensure the affected product is no longer available on the market. This means it is preferable for all involved economic operators to handle such situations quickly and efficiently to avoid intervention by the member states.

These interrelated responsibilities must be clearly defined across your organization and all economic operators.  Your agreements with economic operators and your procedures are the best places to describe these general responsibilities and the specific requirements described in the following section. Verify that your procedures are consistent with your economic operators’ procedures or policies.


Articles 11 through 14 identify obligations for the following specific economic operators: authorized representatives, importers, and distributors.

Authorized Representatives

Each manufacturer is required to designate an authorized representative in the European Union.  This is not a new general requirement and you should already have an authorized representative if you are placing devices on the market in the EU (or “putting them into service” as defined in the MDR). There may be only one authorized representative for each device or device family. An agreement (called a “mandate” in the MDR) between the manufacturer and authorized representative must be maintained which outlines the authorized representative’s new responsibilities and requires the authorized representative to:

-          verify the manufacturer’s declaration of conformity, technical documentation, and correct conformity assessment for the devices covered by the agreement

-          maintain the documentation in the bullet above as well as applicable certificates (record retention requirements outlined in the MDR apply)

-          comply with the applicable requirements in the EU MDR

-          provide information (directly) or samples (through request to the manufacturer) upon request from competent authorities and cooperate with competent authorities on corrective or preventive action to mitigate risks related to devices covered by the agreement

-          foreword reports of incidents associated with the devices to the manufacturer

-          terminate the agreement with the manufacturer if the manufacturer does not comply with the EU MDR

Other responsibilities for the authorized representative include accepting liability for defective devices and reporting to the competent authority the termination of an agreement with a manufacturer. The agreement must also define arrangements for a change in the manufacturer’s authorized representative (see Article 12 for details). If desired, the manufacturer may identify other responsibilities for the authorized representative in the agreement.

As representation in the EU, the authorized representative is identified in numerous documents. The authorized representative must be identified in the declaration of conformity, product labeling, and the UDI record in the Eudamed database.  The authorized representative will also be identified on certificates issued by the notified body. You should already identify your authorized representative in your product labeling, but you will need to plan for Eudamed as described in the section titled ‘Registration’ above.

Like manufacturers, each authorized representative must have aPerson responsible for regulatory compliance”.  Refer to Article 15 for the detailed requirements associated with this role. I recommend documenting the required communication between the regulatory compliance personnel at your organization and the authorized representative.  This is particularly important for incident reporting requirements, post-market surveillance, and changes in technical documentation.


Importers may only place devices on the market in the EU after verifying compliance with the EU MDR. Importers must:

-          verify the device is CE-marked, has a declaration of conformity, and has compliant labeling including the unique device identifier (UDI) and instructions for use

-          verify the manufacturer has an authorized representative in the EU

-          provide any requested information to the manufacturer, authorized representative and distributor for the investigation of complaints

-          ensure devices are stored under the specified conditions

-          maintain any relevant certificates and declarations of conformity generated by the manufacturer for the devices imported

-          identify the importer’s name and address on product labeling without obscuring the manufacturer’s original information.

Article 13 also outlines requirements for an importer if they believe the device may be out of compliance with the regulation, to mitigate any risks posed by a device after it is placed on the market, or in the event of a falsified device. A falsified device is a device with a deliberately false presentation of its identity, source, CE marking certificates and/or documents relating to CE marking procedures.


Like importers, distributors may only place devices on the market in the EU after verifying they comply with the EU MDR. Distributors must:

-          verify the device is CE-marked and has a declaration of conformity 

-          verify that the importer for the device (if applicable) meets the requirements for importers

-          verify that the manufacturer has provided the required information with the device and has assigned a UDI

-          ensure devices are stored under the specified conditions

-          maintain any relevant certificates and declarations of conformity generated by the manufacturer for the devices distributed

-          provide information to the competent authority upon request to demonstrate conformity of the device (alternatively, the distributor may ensure that the manufacturer or authorized representative will provide this information upon request)

To ensure the devices meet these requirements, the distributor may sample devices for inspection. 

Article 14 also outlines requirements for distributors if they believe the device may be out of compliance with the regulation, to mitigate any risks posed by a device after it is placed on the market, or in the event of a falsified device.

Manufacturer Obligations Imposed on Economic Operators

If an economic operator “own-brands” a device, changes the intended purpose of the device, or modifies the device in certain matters, that economic operators assumes the regulatory obligations of a manufacturer.  Exceptions are provided for certain types of repackaging and relabeling where the device, its safety, and its intended use are not affected (e.g. translation of labeling). Assess any activities performed by your economic operators to verify that manufacturer obligations are met if required.

As a manufacturer, you will need to verify that responsibilities are clearly delineated between you and the other economic operators. And, you must verify that each economic operator is performing its duties as defined in the MDR and your agreement with them. The information presented in this article provides a summary of requirements and recommendations, but you should ultimately determine the method that best works for you and your economic operators. With varying resources and levels of experience, your economic operators will likely require varying levels of assistance in preparing for MDR.


To ensure business partners who meet the definition of economic operators are compliant with new requirements and to ensure uninterrupted operations in the European Union, I recommend the following:

1.       Contact economic operators now to verify their awareness of new requirements and assess their plan for compliance.  Consider forwarding them this article to help them understand requirements.

2.       Review Articles 11 to 14 in detail to determine requirements for economic operators associated with your devices.

3.       Revise your contracts and agreements with economic operators to incorporate new requirements.

4.       Plan to assess economic operators in some manner. If you haven’t already done so, consider adding economic operators to your supplier quality program. Also consider adding them to your audit schedule to assess compliance to the EU MDR. 

5.       As with other changes for EU MDR, revise your own policies and procedures for compliance with these new requirements.

While you are organizing for your own compliance to the EU MDR, assisting your economic operators with the transition may seem burdensome. Contact Brosseau Consulting LLC to assist your economic operators with the transition, perform assessments of their compliance, or to assist with your own transition to the EU MDR. I am available by email to or by telephone at 770-855-7372.


[1] Of note, the regulation specifically identifies a contingency if Eudamed is not fully functional by May 26, 2020. Refer to Article 123, paragraph 3, subparagraph (d) of the MDR for details.