The MDR – a step-by-step guide for eHealth

The MDR will be enforced from May 2020. To help companies prepare for it, the EU has published a step-by-step implementation plan. Here we explain how the 12-step plan applies to eHealth companies.

Step 1 Pre-assessment

As we explain in our eBook, the MDR covers any software that has a medical purpose. It’s important you check if this is the case for your product. If it is, you need to:

  • Ensure your management team are aware of the implications and importance of the MDR. In particular, failure to get a suitable MDR CE mark by May 2020 will mean you can’t market or sell your product in the EU.
  • Understand the challenges this may pose in terms of staffing, team knowledge and budget. For many eHealth companies, the MDR will be entirely new, so you may need to upskill your workforce.

Step 2 Gap analysis and planning

There are a number of important things you need to do here. The results of this step will determine how onerous the MDR burden will be for your company:

  • Assess whether your product(s) are performing a medical purpose. If they are, assess what class of medical device they are. Our infographic can help you with this.
  • Check the requirements for clinical evidence, quality management system, risk management and technical documentation.
  • Plan for post-market surveillance, post-market clinical follow-up and traceability.
  • Review any gaps identified.

Step 3 Quality management system

A key focus of the MDR is on quality management. It imposes strict requirements on companies to have an adequate QMS. Typically this means getting ISO 13485 certification.

  • Review your QMS and establish if it’s adequate.
  • Ensure your providers also have an adequate QMS and, if not, sign quality agreements or put in place SOPs. You can find out more about this in our MDR eBook. NB, currently, Chino.io is the only provider with ISO 13485 certification.
  • Nominate a responsible member of management.

Because of the accountability aspects of MDR, you need to clarify your legal position. This includes:

  • Ensuring you have the correct legal structures in place.
  • Ensuring you have adequate liability insurance.

Step 5 Portfolio

For companies with existing products, you need to assess the cost/benefits of seeking MDR certification. The MDR makes 2 key changes relating to software. Firstly, standalone software can now be a medical device. Secondly, it introduces a new class of high-risk software. So, you could find your app is now a Class III medical device!

  • Consider the costs if your product’s risk class increases.
  • Be aware of the new focus on post-market surveillance, which will add to the ongoing costs of a product.
  • Review your supply chain, with particular reference to their QMS (see step 3).

Step 6 Master implementation plan

This is the main step. You need to create a proper roadmap for implementing each element of the MDR certification process.

  • Define sub projects if needed. Getting certified requires: QMS, clinical evaluation, documentation, unique device IDs, labelling, registration, supplier relations, post-market surveillance and reporting systems.
  • Ensure everyone knows who is responsible for the roadmap.
  • Take note of when any existing certificates expire (all MDD certificates will expire on 26th May, 2020 for medical devices).

Step 7 Notified Bodies

Choose a suitable Notified Body (currently BSI is the only one) and get in touch with them. For EU-based companies, this will often be the one in your country, but it doesn’t need to be.
NB, be aware that the notified bodies are under a lot of pressure with the MDR, so you may find the process is delayed.

Step 8 Regulatory training

Make sure your staff are trained and aware of the implications of the MDR.

Step 9 Execute master plan

You need to actually implement your master plan. This means:

  • Implement the clinical evaluation, documentation, unique device IDs, labelling, registration, supplier relations, post-market surveillance and reporting systems plans.
  • Nominate a project manager to be responsible across all the above items.
  • Verify that everyone understands the overall and individual responsibilities.

Step 10 Review efficiency

It’s important to make sure you review your progress. The May 2020 deadline is absolute. So:

  • Hold regular progress meetings involving senior staff.
  • Keep your gap analysis up to date so you know what is still missing.
  • Perform regular risk analyses.
  • Regularly review your processes to see if you are working effectively.

Step 11 Submission to Notified Body

This is the culmination of the process. It’s important to liaise with your chosen Notified Body and to agree a submission deadline.

Step 12 Ongoing monitoring

The MDR includes the need for ongoing monitoring and post-market surveillance. However, you also need to:

  • Actively monitor the regulatory environment and make sure you keep track of new guidelines that are expected to be published.
  • Establish your procedures for dealing with (unannounced) inspections by the Notified Bodies. This will include being able to show them all relevant documentation. A well-implemented QMS will simplify this process considerably.

The MDR is likely to have a big impact on many companies. But if you keep your head, plan effectively and ensure you have good management, you shouldn’t have any major problems.


About Toby Moncaster

Toby is a seasoned technical author with a love of data security & networking. He spent a decade in R&D, project and product management. He received his computer science PhD from Cambridge in 2018.
  • Berlin