Key Insights for Medical Software Development
The European Medical Device Regulation (MDR) is a complex landscape with many regulations and hidden challenges. We have navigated this terrain well and developed innovative, compliant medical software solutions.
Thanks to our experience with products such as MyIUS (a certified app for monitoring bleeding patterns and managing hormonal intrauterine systems), Companion Med (a combination app and breathalyzer to help patients maintain abstinence) and NeoDoppler (a device for monitoring cerebral blood flow in premature babies), we have equipped ourselves for the MDR environment.
The challenges under MDR
Developing medical software under MDR is akin to traversing a dense rainforest—fraught with obstacles but full of opportunities for those prepared with the right tools. Here’s how we’ve learned to navigate the most challenging aspects:
Implementing a Unique Device Identification (UDI) system is not just a compliance task—it needs to be seamlessly integrated into the Quality Management System (QMS) and, ideally, into the build pipeline. This integration minimizes manual work and ensures consistency.
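One way to make that pipeline integration concrete, as an added example that is not part of the original article: a small build step that derives the UDI carrier string from build metadata and refuses to ship when the device identifier is malformed. It assumes the UDI-DI is a GS1 GTIN-14 (GS1 is one of the issuing entities designated under MDR) and that the UDI-PI is expressed with GS1 Application Identifiers (10) lot, (11) production date and (8012) software version; the GTIN, lot and version values are constructed placeholders, and the character restrictions on the lot are a pipeline policy choice rather than a GS1 rule.

```python
"""Derive a GS1-style UDI carrier string from CI build metadata.

Added example, not code from the original article. Assumptions: the UDI-DI is a
GS1 GTIN-14 and the UDI-PI uses GS1 Application Identifiers (10) lot/batch,
(11) production date (YYMMDD) and (8012) software version. All sample values
are constructed placeholders, not a real product.
"""
import re
from datetime import date


def gtin14_check_digit(payload: str) -> str:
    """Mod-10 check digit over the first 13 digits.

    Weights alternate 3,1,3,1,... starting from the RIGHTMOST payload digit,
    which is the GS1 convention for all GTIN lengths.
    """
    if not re.fullmatch(r"\d{13}", payload):
        raise ValueError("GTIN-14 payload must be exactly 13 digits")
    total = sum(int(d) * (3 if idx % 2 == 0 else 1)
                for idx, d in enumerate(reversed(payload)))
    return str((10 - total % 10) % 10)


def validate_gtin14(gtin: str) -> bool:
    """True if the 14-digit GTIN carries a correct check digit."""
    return bool(re.fullmatch(r"\d{14}", gtin)) and gtin14_check_digit(gtin[:13]) == gtin[13]


def build_udi(gtin: str, lot: str, production_date: str, sw_version: str) -> str:
    """Return the human-readable UDI: DI followed by PI elements in (AI) notation.

    production_date is an ISO date string (YYYY-MM-DD) as a CI system would emit it.
    The lot and version checks are pipeline policy (assumption), stricter than GS1.
    """
    if not validate_gtin14(gtin):
        raise ValueError(f"invalid GTIN-14 check digit: {gtin}")
    if not re.fullmatch(r"[A-Za-z0-9]{1,20}", lot):
        raise ValueError("lot must be 1-20 alphanumeric characters")
    if not re.fullmatch(r"\d+\.\d+\.\d+", sw_version):
        raise ValueError("software version must be MAJOR.MINOR.PATCH")
    prod = date.fromisoformat(production_date)
    return f"(01){gtin}(11){prod:%y%m%d}(10){lot}(8012){sw_version}"


def udi_from_build_env(env: dict) -> str:
    """Glue for a CI job: read the values a pipeline typically exposes.

    Keys are hypothetical environment variable names, not from any real CI product.
    """
    return build_udi(env["DEVICE_GTIN"], env["BUILD_NUMBER"],
                     env["BUILD_DATE"], env["APP_VERSION"])


if __name__ == "__main__":
    # Constructed build metadata for a dry run.
    sample_env = {"DEVICE_GTIN": "09500123456780", "BUILD_NUMBER": "B1042",
                  "BUILD_DATE": "2024-03-15", "APP_VERSION": "2.4.1"}
    print(udi_from_build_env(sample_env))
```

The check digit is recomputed on every build so that a typo in the configured GTIN fails the pipeline rather than reaching a label or an About screen; the software version is carried in the PI because MDR treats the version as the production identifier for software.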
Unannounced audits
Being prepared for unannounced audits is essential. Establish Standard Operating Procedures (SOPs) that outline how to act in such cases: provide a comfortable environment, offer refreshments, and promptly assemble your experts to address auditors’ questions. This preparation helps maintain composure and efficiency during audits.
Clinical evaluations under MDR require demonstrable safety and performance endpoints, which can be challenging to substantiate retrospectively. Establishing equivalence, especially for software, often necessitates a deep dive into the core algorithm. Be prepared for thorough scrutiny if you choose this path.
It’s insufficient to rely solely on a single scientific database. Utilize diverse scientific publication databases to ensure comprehensive coverage and avoid overlooking critical studies.
Auditors expect state-of-the-art cybersecurity measures, including vulnerability scans and penetration tests, even if these are not explicitly required. It is advisable to implement these measures proactively.
The MDCG 2019-16 rev.1 guideline provides a framework that emphasizes the classic risk management cycle: Plan – Analyze – Evaluate – Mitigate.
Additionally, FDA guidance offers more detailed examples and can serve as a valuable extension.
The level of detail in an inspection depends on the auditor’s expertise. If they focus on cybersecurity, be prepared for detailed discussions on risk scores. We have found that using the Common Vulnerability Scoring System (CVSS) has been satisfactory for auditors so far.
Usability studies and risk management are central to MDR compliance, even though usability is only mentioned in the MDR in the context of Post-Market Surveillance (PMS). Auditors are increasingly focusing on documentation and traceability and require that all measures – even best practices – are explicitly documented. Keep the original records of your suppliers as they might be requested for further inspections.
This iterative process extends over the entire product life cycle. A one-page summary of tests carried out with a small group is insufficient; comprehensive documentation is required.
For software, post-market monitoring includes collecting data from support channels, monitoring the software bill of materials (SBOM), crash reports and compatibility checks with new operating systems or devices. Changes to SOUP (Software of Unknown Provenance) components or the underlying operating systems occur frequently and require constant vigilance. The more your product gains importance on the market, the more feedback you can expect, which requires thorough documentation and analysis.
Trend analysis and effective data collection methods are essential for producing the Periodic Safety Update Report (PSUR) and maintaining compliance. Selecting the right statistical methods is critical. Recommended methods include Weibull analysis (as recommended in ISO 24971), Nelson’s rules (as recommended in ISO/TR 20416), the Mann-Kendall test or the Neumann trend test (for normally distributed populations).
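To show what one of these methods looks like when run over post-market data, here is an added example that is not part of the original article: the Mann-Kendall test applied to a constructed series of monthly complaint counts, with the standard tie correction for the variance of S. The data are invented for illustration, and the example covers only the Mann-Kendall test, not the other methods listed above.

```python
"""Mann-Kendall trend test for PSUR trend analysis.

Added example, not from the original article. Implements the non-parametric
Mann-Kendall test (statistic S, tie-corrected variance, normal approximation
for the two-sided p-value) and applies it to constructed monthly complaint
counts. The series below are invented; they are not data from any product.
"""
import math
from typing import Dict, Sequence


def mann_kendall(x: Sequence[float]) -> Dict[str, float]:
    """Return S, its tie-corrected variance, the Z statistic and a two-sided p-value."""
    n = len(x)
    if n < 4:
        raise ValueError("Mann-Kendall needs at least 4 observations")

    # S counts later-vs-earlier increases (+1) and decreases (-1); ties add 0.
    s = 0
    for i in range(n - 1):
        for j in range(i + 1, n):
            if x[j] > x[i]:
                s += 1
            elif x[j] < x[i]:
                s -= 1

    # Each group of t tied values reduces the variance of S.
    counts: Dict[float, int] = {}
    for v in x:
        counts[v] = counts.get(v, 0) + 1
    tie_term = sum(t * (t - 1) * (2 * t + 5) for t in counts.values() if t > 1)
    var_s = (n * (n - 1) * (2 * n + 5) - tie_term) / 18.0

    # Continuity-corrected normal approximation.
    if s > 0:
        z = (s - 1) / math.sqrt(var_s)
    elif s < 0:
        z = (s + 1) / math.sqrt(var_s)
    else:
        z = 0.0
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided p-value from the normal CDF
    return {"S": s, "var_S": var_s, "Z": z, "p": p}


def has_trend(x: Sequence[float], alpha: float = 0.05) -> bool:
    """True if the series shows a statistically significant monotonic trend."""
    return mann_kendall(x)["p"] < alpha


# Constructed monthly complaint counts for two hypothetical products.
RISING_COMPLAINTS = [2, 3, 3, 4, 6, 5, 7, 8, 9, 11, 10, 13]
STABLE_COMPLAINTS = [5, 4, 6, 5, 3, 6, 4, 5, 6, 4, 5, 5]

if __name__ == "__main__":
    for name, series in (("rising", RISING_COMPLAINTS), ("stable", STABLE_COMPLAINTS)):
        r = mann_kendall(series)
        print(f"{name}: S={r['S']} Z={r['Z']:.2f} p={r['p']:.4f} trend={has_trend(series)}")
```

The test is rank-based, so it does not assume normally distributed counts, which is why it is often preferred over the Neumann test for raw complaint or crash tallies; the result still needs to be read against volume in the field, since a growing install base can raise absolute counts without raising the rate.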