
Updated May 11, 2021

People You Need: Person Responsible for Regulatory Compliance, Safety Officer, Medical Device Consultants

Dr. Oliver Eidel

When you’re becoming a medical device manufacturer in Germany, there are two sorts of people you need. There’s no way around that. The good news is that you don’t need to employ all of them. But let’s start from the beginning.

First, it depends whether you’re getting certified under MDD or MDR. For MDD, you need these:

  1. A medical device safety officer
  2. At least one medical device consultant

And under MDR, you need these:

  1. A person responsible for regulatory compliance
  2. At least one medical device consultant

You might have noticed that the only change from MDD to MDR is that the safety officer is gone and the person responsible for regulatory compliance has appeared. Exciting!

Let’s look at each of those roles.

Medical Device Safety Officer (MDD)

Medical Device Safety Officer Requirements

The requirements for this person are defined in MPG §30. In human language, they are:

  • Each company needs one.
  • You have to register this person with the authorities.
  • The person needs to be qualified, either by having a University degree in a scientific, medical or technical field or another qualification which provides the skills for doing the tasks of the medical device safety officer (it’s hardly possible to be more vague). In addition to that, the person needs at least two years of “job experience”.
  • The medical device safety officer has to collect and evaluate events regarding risks of the medical device, and he must coordinate appropriate measures. He must notify the authorities, if necessary.
  • The safety officer must not be put at a disadvantage in the company.

Okay, most of it is pretty straightforward. Except the part about qualifications which sounds like some weird legalese. Let’s look at some examples of people who would be qualified as a medical device safety officer. It should hopefully become more clear.

  • Someone who studied medicine and worked at a startup developing software as a medical device for more than two years (that’s me).
  • Someone who studied medicine and worked as a physician for two years in a hospital (Note: The “job experience” is not defined as “job experience in regulatory compliance”. So any sort of job experience would work, in my opinion).
  • Someone who didn’t study at all but worked in regulatory affairs for at least two years, and has lots of paperwork and trainings to prove it.
  • Someone who studied biology, worked in research for one year, then worked at a startup developing software as a medical device for another year.

Clear as day, right?

Even though it’s not explicitly stated, that person should also have undergone some sort of training on what it means to be the safety officer. Many notified bodies like TÜV SÜD / NORD do these trainings regularly. They’re often combined with the medical device consultant training and shouldn’t take more than a day. I did one. I can’t say that it was interesting. But I guess it’s good to see whether your knowledge is complete.

Which brings us to the tasks of the safety officer.

Medical Device Safety Officer Tasks & Responsibilities

Translated into human language, the task is “see what goes wrong with the medical device and notify the authorities if shit hits the fan”.

Let’s look at an example:

In company X, the safety officer gets cc’ed on all customer complaints which arrive via email. The safety officer is also regularly updated by the software developers on problems and bugs they have discovered in the product. The safety officer has to determine whether any of these complaints / problems pose new risks to users / patients. He may request support from experts (like physicians) to assess this. If a significant risk is discovered which poses serious harm to patients, he notifies the authorities and customers. He coordinates with the development team on appropriate measures to reduce harm to users.

In larger companies, the safety officer wouldn’t have to get cc’ed in all customer complaints. Instead, customer support agents would only forward complaints which fulfil certain criteria, something like “this sounds like someone could get hurt”.

Also note that the safety officer can notify the authorities even without getting approval from upper management. The whole idea is that the safety officer is independent - he can make his own judgement and act upon it. This is of course a gigantic conflict of interest as the safety officer is often employed in the company. I can imagine lots of ways how this can go wrong.

Speaking about employment, the safety officer can also be brought in externally, e.g. a consultant paid a monthly rate.

And finally: The safety officer is personally liable for fulfilling his duties. He’s not necessarily liable for everything that goes wrong with the company’s medical device, but he’s liable for assessing all problems and reporting them to authorities, if necessary.

Finding a Medical Device Safety Officer

So how do you go about finding one for your company? Here’s my suggested procedure:

  1. Check whether one of your people fulfils the requirements. Maybe you have someone who studied medicine or something science-y.
  2. Send that person to a one-day training, e.g. at TÜV.

If you don’t have a person internally, consider getting a consultant. Don’t hire someone full-time for this.

If you’re considering hiring someone for regulatory work anyway, consider whether that person fulfils the requirements to be your safety officer.

Next, let’s look at the person responsible for regulatory compliance.

Person Responsible for Regulatory Compliance (PRRC) (MDR)

Under the newer legislation, MDR, a safety officer is no longer necessary. Instead, you need a “person responsible for regulatory compliance” (PRRC). Sounds more complicated? It is, kind of.

PRRC Requirements

They are defined in the MDR, article 15. They’re quite similar to the requirements of the safety officer (see above). I’ve highlighted the differences in bold:

  • Each company needs at least one.
  • You have to register this person with the authorities (not defined in MDR, but will probably be required per country).
  • The person needs to be qualified, either by having a University degree in law or scientific, medical or technical field and at least one year of job experience in the regulatory field or quality management systems. Or: Four years of job experience in the regulatory field or with quality management systems.
  • Companies with 49 employees or less can have an external person for this, otherwise it must be an employee.
  • The PRRC is responsible for various things, e.g. whether the products are manufactured in a compliant way, based on the quality management system; whether technical documentation is complete and up to date.
  • The PRRC must not be put at a disadvantage in the company.

Generally speaking, the qualifications have become more strict because now specific job experience in regulatory work is required. And if a person doesn’t have one of the listed University degrees (law has been added to the list, by the way), then it has become much more difficult as four years are now required.

Some examples:

  • Someone who is a physician and has worked as regulatory affairs manager in a Healthcare company.
  • Someone who hasn’t got a University degree and who has worked as clinical evaluation manager in a regulatory affairs department at a medical device manufacturer.

PRRC Tasks & Responsibilities

The responsibilities of the PRRC are much more far-reaching than those of the safety officer. I won’t go into too much detail here (read the MDR yourself, article 15), but basically the person is responsible for the products being manufactured in a compliant way, the technical documentation being complete and compliant, etc. Pretty much the definition of “this person is responsible for regulatory compliance in this company”.

The PRRC can also be an external person (e.g. consultant) if the company has 49 employees or less.

Other than that, the same things (conflict of interest, liability) apply as mentioned above for the safety officer.

Finding a PRRC

Same as for the medical device safety officer. Consider getting an external person if your company is small (49 people or less) and none of you fulfils the requirements.

Certainly not the easiest read. Congratulations for reading this far. The last and final person is rather straightforward, so you’re almost done!

Medical Device Consultant

When you hear “medical device consultant”, you probably think about hiring consultants who help you certify your software as a medical device. Well, this consultant is different. Here, “medical device consultant” refers to people who sell your products and/or instruct users how to use them. So: People in your company who do sales and user trainings.

Practically speaking, that means that you’ll have more than one of those in your company, and most likely they’ll all be your employees.

That’s defined in MPG §31. We’ll look at some more examples later on, but let’s first look at the requirements for this position.

Medical Device Consultant Requirements

The requirements are easier to fulfil than for the prior positions. Good news! Well, someone has to sell your product and you can’t expect all of those people to be doctors and have a thousand years of regulatory job experience.

Specifically, the requirements are:

  • Anyone who informs “expert groups” in handling medical devices is a medical device consultant and must be qualified (see next point).
  • The person is trained in a scientific, medical or technical field (not necessarily a University degree) and has received training regarding the medical devices he or she will be working with. Or: The person has worked with those medical devices for one year and has received training in how to handle them, if necessary.
  • That knowledge has to be updated regularly.
  • The medical device consultant must keep track of events which may pose risks to users / patients and forward them to the safety officer.

Pretty simple, right? Regulatory compliance is always simple.

So what does that mean for your company? Any person who sells your device or informs users how to handle it is by definition a medical device consultant. Examples could be:

  • You’ve developed a new device for surgeries. Your sales team approaches surgeons and tells them how great your product is. They are acting as medical device consultants.
  • Your business team starts talking to insurances and tries to get your app reimbursed by them. Even though the insurances aren’t the end users, they are “expert groups” and therefore your business team needs to be trained as medical device consultants.
  • One of your product managers does an off-site training for users for your medical software. That product manager is acting as medical device consultant.

Okay. And how do those poor people fulfil the requirements for being a medical device consultant?

  • By having proof of their job training / degree. By the way, you always need proof for those degrees, also for the positions above.
  • And by being (regularly) trained by your company regarding the medical devices they’ll be handling. Like always, you need proof for that, e.g. attendance signatures from your internal training seminars. Fun!

Medical Device Consultant Tasks

This can be briefly summarized as: The most important task of medical device consultants is to inform the safety officer if things go wrong. Example situations:

  • A customer calls and complains that the software regularly makes their mobile phones explode.
  • A user sends an email that their user profile data got swapped with someone else’s profile and now their disease data is all mixed up.

You get the idea. The medical device consultants subsequently must inform the medical device safety officer. That’s all.

Thinking along these lines, it would make sense to train your customer support agents as medical device consultants, too.

Conclusion: Lots to do

This was definitely my longest and most painful article so far. Congratulations for reading it completely. Let’s grab a beer if you’re in Berlin.


I work as a regulatory consultant for Healthcare software startups. I try to publish all my knowledge here so that startups can certify their medical devices themselves in the future.
