The ABCs of Medical Device Software Compliance under EU Regulations 2017/745 and 2017/746 – April Komplin’s Presentation – Q&A

April Komplin is a valuable member of the Celegence team due to her expertise and highly successful career in Quality Management Systems and Regulatory Affairs. At her previous position at a medical device start up, she built their QMS from the ground up and the company is now ISO 13485:2016 certified and will achieve CE Marks for seven medical devices in 2021. Additionally, she covered compliance for 21 locations across North America for an In Vitro Diagnostic device manufacturer.

During our Medical Device Virtual Summit – 2021, April Komplin presented a feature presentation titled “The ABCs of Medical Device Software Compliance under EU Regulations 2017/745 and 2017/746.” Throughout this presentation, she reviewed numerous frequently asked questions. Check out part one and part two of her presentation.

A full transcript of April Komplin’s Q&A session is available to download (and to read below) and just press play to watch the clip now. 

A: It is your risk management plan and your risk assessments, whether you have 1, 2, 5 or even more than that, you can move on to your benefit risk analysis, and finally your risk management report. And those items together will comprise your risk management file.

Ensure the requirements of ISO 14971 are incorporated into your programs and documentation. This standard will be cited many times in your GSPR analysis, which is of course a technical file requirement for both the MDR and the IVDR.

A: Well, they are both risk-based, they’re both three levels, but both ask different questions to arrive at the classification. So, manufacturers who are attempting global clearance should refer to both separately.

A: We recommend that manufacturers reach out to multiple notified bodies if they haven’t already. Some are months out from the ability to take on new clients.

A: Review all of the regulations, and simply put, notified body involvement is required for devices higher than class 1 in the MDR and higher than class A of the IVDR.

A: The UK will accept a CE mark until June 30th, 2023. During this transition time, manufacturers will begin to transition to UKCA, so the UK conformity assessment will be in effect.

A: IEC 62304 is very program oriented, so be ready to show your procedures during your onsite MDR or IVDR audit. In the technical file submission, consider the following: the summary information into your dossier, which would include interoperability, security controls, reference to design and items such as that. Also consider writing a formal 62304 report. You also may submit your test plans, your maintenance plans, and your validation reports and your software requirements specifications as required by your notified body.

Procedures are not typically included in a technical file submission. These will be needed for the first part of your conformity assessment, and your onsite MDR or IVDR audit.

The requirements of IEC 62304 should be blended into your other quality procedures, which includes but is not limited to, software design and development, risk management, change control, control of nonconformities, CAPA, post-market surveillance and vigilance reporting.

IEC 62304 is program oriented, so be ready to show your procedures during your onsite audit.

Note: It’s recommended to cite your reference standards and regulations at the end of your procedures.

A: Just remember that there are more requirements for safety classes B and C than they are for A. Below is a list; note that all procedures are also required by ISO 1345/MDR/IVDR.

Procedures listed here:

• Software requirements specification
• Software development plan
• Software maintenance plan
• Software test plan
• Change control procedure
• Control of nonconformities procedure
• CAPA procedure
• Post-market surveillance procedure
• Vigilance reporting procedure
• Gap analysis and documentation of follow-up activities
• Legacy software planning