EU MDR: Step-By-Step Guide To Becoming Compliant
Besides curing cancer and achieving nuclear fusion, getting software certified as Medical Device under the EU MDR seems to be the most complex endeavour known to mankind.
Well, actually, certifying software as a Medical Device is pretty simple - once you know what to do. Unfortunately, a whole industry full of shady consultants has emerged around this topic and most consultants are paid by the hour. So a lot of people are incentivised to make this very complex, because then they can bill many hours.
But you got lucky, because you found this website. With all the free articles and templates we offer here, you should be able to get everything done by yourself, saving lots of time and money.
This article summarises everything you need to know in an easy, step-by-step structure. Good luck! Oh, and if you were looking for the actual EU MDR text, here's the link to the EU website)
Well, actually, certifying software as a Medical Device is pretty simple - once you know what to do. Unfortunately, a whole industry full of shady consultants has emerged around this topic and most consultants are paid by the hour. So a lot of people are incentivised to make this very complex, because then they can bill many hours.
But you got lucky, because you found this website. With all the free articles and templates we offer here, you should be able to get everything done by yourself, saving lots of time and money.
This article summarises everything you need to know in an easy, step-by-step structure. Good luck! Oh, and if you were looking for the actual EU MDR text, here's the link to the EU website)
Step 1: Is Your Device a Medical Device Under The EU MDR?
The first step is to determine whether what you're building (software or hardware) is a medical device at all. Check out the definition of a medical device according to the MDR here. If you think you fall under that definition, we've written up some example devices here (compare yourself to them).
A few quick side notes: Contrary to what many others say, MDR class I software does exist, but different competent authorities have different interpretations, e.g. if you're company is located in Berlin, you're screwed. Also, Telemedicine software is not class II (it's not a medical device at all). In Germany, the BfArM offers to do an "official" classification assessment, but you shouldn't do it because it easily takes one year or more.
A few quick side notes: Contrary to what many others say, MDR class I software does exist, but different competent authorities have different interpretations, e.g. if you're company is located in Berlin, you're screwed. Also, Telemedicine software is not class II (it's not a medical device at all). In Germany, the BfArM offers to do an "official" classification assessment, but you shouldn't do it because it easily takes one year or more.
- EU MDR Classification: MDR class I software | Telemedicine software | Classification examples | BfArM classification request & Result | MDR medical device definition
- FDA classification: FDA risk classification overview
Step 2: Are You Targeting EU MDR Or FDA Compliance?
Depending on which market you want to sell in, you have two options: The EU MDR for (you guessed it) the EU market, or the US FDA for, well, the US market. This website right now is mainly about the EU MDR, but we'll be adding some US FDA content in the future. Also note that our eQMS software supports EU MDR and US FDA.
So, umm.. you just need to decide here and if you're targeting the EU market, stay on this website (cool!). If you're targeting the US market, well, you might have to look for helpful content on other websites of shady consultants (ugh), but you could still use our software to automate your documentation.
So, umm.. you just need to decide here and if you're targeting the EU market, stay on this website (cool!). If you're targeting the US market, well, you might have to look for helpful content on other websites of shady consultants (ugh), but you could still use our software to automate your documentation.
Step 3: How Long Does It Take, And How Much Does It cost?
Funnily enough, most consultants aren't able to answer this question, so I'll cut right to the chase:
Duration
- MDR class I: You can be done in 2-3 months if you choose our "method" (articles and templates here, and optionally our consulting). With other consultants, 3-4x longer, around 12 months.
- MDR class IIa and higher: You can get the work on your side done in 2-3 months (again, with our method), but you'll have to wait for a so-called Notified Body to audit you and get their results which can easily take another 3-9 months. So 12 months in total.
Cost
- MDR class I: None, if you do it yourself. 750€ / month for a so-called external Person Responsible for Regulatory Compliance (PRRC), similar to a GDPR Data Protection Officer (DPO).
If you do it with consultants: 20-30k€ if you choose us, much more (~100k€) if you choose others. - MDR class IIa and higher: At the very least, you pay the cost for your auditors (the Notified Body) which can be anywhere between 30k€ and 100k€ (crazy), here's an article.
If you do it with consultants: 60-70k€ if you choose us, much more (~120k€) if you choose others.
- Duration: How long does it take? | Duration & cost (video)
- Cost: How much does it cost? | Duration & cost (video)
Step 4: What's The Work To Be Done For The EU MDR?
Roughly speaking, you can split the work into two areas: Company-wide stuff and product-specific stuff.
On a company-wide level, you need to establish a Quality Management System (QMS) which is compliant with ISO 13485.
And on a product level, you need to write so-called Technical Documentation for each product.
That's it.
And what are those requirements all about? They are spelled out in so-called standards, e.g. the ISO 13485. Those are PDFs you have to purchase (yes, seriously). But the good news is that there's a hack: You can purchase them from the friendly Estonian website for much less money. Check out our guide an accessing standards here.
On a company-wide level, you need to establish a Quality Management System (QMS) which is compliant with ISO 13485.
And on a product level, you need to write so-called Technical Documentation for each product.
That's it.
And what are those requirements all about? They are spelled out in so-called standards, e.g. the ISO 13485. Those are PDFs you have to purchase (yes, seriously). But the good news is that there's a hack: You can purchase them from the friendly Estonian website for much less money. Check out our guide an accessing standards here.
- Accessing standards: How to & prices | Purchasing standards walkthrough (video)
Now, let's look at the company-wide stuff first.
Step 4a: Company-Wide Stuff: Set Up a QMS
For your company, you have to set up a so-called Quality Management System (QMS). Regulators think that this improves the quality of your products while there actually is only very little evidence to back up this claim.
But anyway, moving forward.. you only have to do this once for your company. Your best bet would be to read our articles on quality management here.
But anyway, moving forward.. you only have to do this once for your company. Your best bet would be to read our articles on quality management here.
- All quality management articles
- Corrective and preventive action (CAPA): What is a CAPA?
- Post-market surveillance & KPIs: PMS guide | Example KPIs
- Software validation: How to
- Supplier management: How to
Step 4b: Product-Specific Stuff: Technical Documentation
For each of your products, you have to write something called Technical Documentation. Greatly simplified as always, this includes writing down all the features of your software ("software requirements"), all risks it might have ("risk management") and doing a user test ("usability engineering").
Let's look at a few examples next. You can find more information in the IEC 62304 Walkthrough and ISO 14971 Walkthrough.
Let's look at a few examples next. You can find more information in the IEC 62304 Walkthrough and ISO 14971 Walkthrough.
Write Your Intended Use And Do Classification (Again)
Write down what your software does and in which context it is used. This is not only your starting point, but the most important document for your regulatory compliance. It determines whether you are a medical device or not. Read this article on Intended Use for Software as a Medical Device.
As part of this, you'll also be doing your medical device classification under the EU MDR. Note that you've already done that further above when you were determining whether your device was a medical device at all; now, you're doing it again, but in a more "final" way as you're probably more confident in which features your device will have. Check out the links above for classification articles.
As part of this, you'll also be doing your medical device classification under the EU MDR. Note that you've already done that further above when you were determining whether your device was a medical device at all; now, you're doing it again, but in a more "final" way as you're probably more confident in which features your device will have. Check out the links above for classification articles.
- General technical documentation: Writing technical documentation | Intended use for a medical device
- Software documentation (IEC 62304): Walkthrough | Writing software development plan | Software requirements | Software verification | Software architecture | Software system testing | Software release
- Risk management (ISO 14971): Walkthrough | Risk acceptance matrix
- Usability (IEC 62366): Walkthrough | Summative evaluation
- UDIs: Overview | Save money with IFA hack
- Other topics: Translations
Step 5: Actually Found Your Company
For class IIa and higher products, you'll need a Notified Body to audit your Quality Management System and Technical Documentation. The prerequisite for entering a business relationship with one of those is that your company already exists.
This especially puts University-backed startups in a tricky spot: Often they’re not founded yet as they're still somewhat part of their University. So you need to solve this problem first - found your company. Depending on how "German" your University or their incubator is, this might easily take 1-2 years. Good luck.
This especially puts University-backed startups in a tricky spot: Often they’re not founded yet as they're still somewhat part of their University. So you need to solve this problem first - found your company. Depending on how "German" your University or their incubator is, this might easily take 1-2 years. Good luck.
Step 6: Buy and Read EU MDR Standards
You might assume that the standards you have to comply with are freely available. Nope! But the good news is that there’s a hack which allows you to access them for reasonable prices.
Now you’re probably thinking “Damn, I don’t have time to read those standards”. But do you have to read them? Yeah, you sure do. Check out the links further above on how to access the standards.
Now you’re probably thinking “Damn, I don’t have time to read those standards”. But do you have to read them? Yeah, you sure do. Check out the links further above on how to access the standards.
Step 7: Find an EU MDR Notified Body
Unless your device is classified as class I, you now need to find a Notified Body. Those are companies who are allowed to audit medical device manufacturers and certify their devices.
- Choosing notified bodies: Recommendation | Notified body reviews | Overview
Step 8: Do The Clinical Evaluation
You need to do your clinical evaluation which provides evidence for the medical benefits of your software. Personally, I think this is very painful and borderline shady / unnecessary (how come every manufacturer arrives at the conclusion that their product is "safe"?), but anyway, you have to do it. My colleagues wrote way better articles on this than I could ever have. Here's on doing the literature review, here's one on clinical evidence, another one on the clinical development plan, and.. anyway, I'm getting tired of linking articles here, you'll find them if you look for them.
- Literature review: Literature search | Literature review
Step 9: Hire or Train Regulatory People, Find PRRC
It's a regulatory requirement that you have a so-called Person Responsible for Regulatory Compliance (PRRC). This is similar to a GDPR Data Protection Officer (DPO). Here's an article about people you need.
Step 10: Set Date for QMS Audit and Technical Documentation Hand-In
Once you’ve found a Notified Body, it’s time to set some dates with them. You’ll be setting two dates:
- The QMS audit: Typically, three days (!) in which an auditor drops by and checks out your company.
- Technical Documentation hand-in: A deadline until when you plan to hand in your Technical Documentation of your product.
So you need to do some planning and estimations. For 1., you need to estimate until when you can set up your QMS until it’s ready to be audited. For 2., you need to know until when your product will be completely developed.
Speaking from experience, all companies miss all deadlines, always. So estimate conservatively. And have a plan B for what to do once you miss your deadline. Inform your Notified Body early enough, you won’t be the first company to postpone their audit.
Got those dates? Cool.
Speaking from experience, all companies miss all deadlines, always. So estimate conservatively. And have a plan B for what to do once you miss your deadline. Inform your Notified Body early enough, you won’t be the first company to postpone their audit.
Got those dates? Cool.
Step 11: Actually Hand Everything In And Get Audited
Just hand everything in and get your audit results. In most cases, auditors always find something, because finding nothing doesn't quite feel right. And in all cases, those things will likely be completely different than what you expected - as an example, at one company we worked with the auditors noted that we cited standards with their wrong year, e.g. the ISO 13485:2016 instead of ISO 13485:2015. Hm.
Anyway, most of this is out of you control. Do the audits and get the results.
Anyway, most of this is out of you control. Do the audits and get the results.
On a different note: Do you need any help with your EU MDR efforts?
We've worked with 100+ companies and helped them certify their devices in weeks, not months. Talk to us now – first calls are free! Check out our services and prices here.
Or, if you don't like talking to humans, check out our Wizard. It's a foolproof, step-by-step video course for getting your compliance done yourself.
And if you're looking for the best QMS software for lean, founder-led companies, check out Formwork. It automates your compliance, and there's even a free version for you to try out!
Congratulations! You read this far.
Get notified when we post something new. Sign up for our free newsletter.
No spam, only regulatory rants. Unsubscribe anytime.
0 comments
No comments yet. Be the first one to share your thoughts!
Dr. Oliver Eidel
I’m a medical doctor, software engineer and regulatory dude. I’m also the founder of OpenRegulatory.
Through OpenRegulatory, I’ve helped 100+ companies with their medical device compliance. While it’s also my job that we stay profitable, I try to dedicate a lot of my time towards writing free content like our articles and templates. Maybe that will make consulting unnecessary some day? :)
If you’re still lost and have further questions, reach out any time!
Through OpenRegulatory, I’ve helped 100+ companies with their medical device compliance. While it’s also my job that we stay profitable, I try to dedicate a lot of my time towards writing free content like our articles and templates. Maybe that will make consulting unnecessary some day? :)
If you’re still lost and have further questions, reach out any time!