Most medical device companies want to enter more than one market. US manufacturers will often look to Europe for expansion possibilities and vice versa.
A priority for manufacturers is usually to take the most expedient route to market and while several influences come into play, the regulatory environment can be the biggest hurdle to get through. In the US, there are regularly updated FDA regulations, while EU MDR took effect in May 2021 (replacing the previous MDD).
That leaves several questions for manufacturers planning a regulatory strategy. What is the best route to take? How much harmonization exists between FDA and MDR? Is there a way to strategically support both while avoiding doubling up on any work?
EU MDR vs. FDA
The good news is that with the recent adoption of EU MDR, FDA and EU regulations are now a much closer match than they were previously. This is especially the case with regard to quality system requirements (both compliant with ISO 13485), prerequisites for conformity assessment, and conformance with harmonized standards (the IMDRF standards for SaMD is one of those).
With that said, there are some key differences:
Medical device classifications
FDA’s classification system is based upon device risk, with Class I (low risk) and Class II (moderate risk) mostly falling under the 510(k) pathway to market. This framework is based upon manufacturers being able to prove that their device is substantially equivalent to a predicate on the market.
Class III devices are classified as high risk and require the PMA pathway, along with a substantial amount of data that validates and demonstrates the risk-benefit of the device.
In contrast, EU MDR has four device categories and five risk-based classifications. The categories are: non-invasive devices, invasive medical devices, active medical devices, and special categories (this includes contraceptive, disinfectant, and radiological diagnostic medical devices.) The risk classifications are:
- Class I – Non-sterile or no measuring function (low risk)
- Class I – Sterile and a measuring function (low/medium risk)
- Class IIa (medium risk)
- Class IIb (medium/high risk)
- Class III (high risk)
The risk classification assigned will determine the depth and amount of data required under MDR to get the approval of the medical device. Each device class has its own testing requirements (whereas under FDA, Class I and some Class II devices don’t require clinical testing).
There are several differences in the definitions laid out by FDA versus EU MDR. While many things remain similar, you’ll need to look out for some more substantial differences.
FDA regulations are based on 21-CFR- Quality System Regulations. These are split into sections that define regulations for each device category. Device safety and effectiveness is a common requirement, while companies must adhere to the requirements for their risk profile and for their chosen pathway to market.
Under EU MDR, the definitions and details are much more comprehensive. For example, MDR goes into detail about the responsibilities of economic operators and of notified bodies – those who provide the assessment function for MDR. It also has a range of additional definitions that are different from the FDA, such as penalties, funding obligations, and rules for cooperation between member states.
The testing requirements
Manufacturers of Class I medical devices that don’t require sterilization and don’t provide a measuring function don’t require an FDA audit of their testing. Manufacturers can simply self-declare, supply appropriate documentation, and put the device on the market.
Most Class II devices going through 510(k) will have to follow the testing protocol for that pathway, along with keeping a robust Design History File (DHF). Manufacturers must also keep their Device Master Record (DMR) up-to-date and have a compliant Quality Management System (QMS).
Class III devices go through PMA and require extensive technical sections with data to convince FDA to approve the device. These are divided into non-clinical and clinical investigations.
Under MDR, some Class I devices are categorized as a medium risk; these, along with Class IIa medium-risk devices require conformity assessments based on Annex XI of the MDR (Part A). Class IIb and Class III devices have extensive technical documentation requirements, risk evaluation, and at least two audits from notified bodies. The first audit reviews QMS and your quality manual for compliance with ISO 13485, while the second reviews your Technical File and facility.
UDI (Unique Device Identification) is basically a serial number made up of numeric or alphanumeric characters under a device coding and standard system that is globally accepted.
FDA’s rules require UDI for every version or model of a device. The UDI must be readable to humans as well as in the AutoID format.
MDR makes some updates to EU medical device regulation with their modified requirements. A UDI-DI allows for the grouping of regulated medical devices within EUDAMED, the EU regulatory database for regulated medical devices. Another difference from FDA is that the UDI on labels and software need to be identical and that the cleaning process for reusable devices is to be considered within the system.
Many of the documentation requirements are very similar between FDA and EU MDR regulations. For example, documentation is required for most aspects of risk management, design, and manufacturing.
Both FDA and MDR require documentation of verification and validation activities, planning, and architecture. For CE marking, notified bodies also require a design manufacturing report along with any manufacturing validation activities.
A key difference is that EU MDR requires a Clinical Evaluation Report (CER). This summarizes the data collected by manufacturers and may include a literature review of the device or equivalent devices. It also lists search results from vigilance databases to identify known hazards and risks of device use.
What about connected medical devices?
The main difference between EU MDR and FDA for connected devices is the classification process itself. Most devices in the US get to market via the 510(k) pathway, so device classification is determined by finding a predicate device and matching the class. If there isn’t a predicate, you have a more extensive approval process through FDA.
In the EU, all connected devices are classified using a rules-based framework. For example, MDSW (medical device software – they don’t use the term SaMD) has 22 waterfalling rules to work through to reach a device classification.
Besides that, both the US and EU are members of IMDRF, and other regulations for connected devices are more or less harmonized.
Can you support MDR and FDA with the same documentation?
The answer to this is yes and no – sorry it’s not more straightforward! For the most part, EU MDR regulations are on par with FDA. You’ll have similar risk requirements along with several other key documents and data points.
There are some differences as outlined above, as well as some more minor differences in terms of report formatting and requirements. Keeping a robust, up-to-date QMS will be your best chance of meeting both sets of regulations without doing unnecessary extra work or rework. The best electronic QMS systems are set up with regulatory compliance in mind and allow you to easily drop key information into the right places to comply with each regulatory body.
A good place to start is with your device classification under each. This determines the pathway you need to follow and the requirements thereof. It’s worth spending time on setting up your QMS properly early on as having the right information in the right place can help to speed your submissions and time to market.
FDA does have MDSAP (Medical Device Single Audit Program), which is an effort to harmonize inspection requirements between different countries. Currently, the EU is only participating as an observer.
One thing to bear in mind is that EU MDR is a very new update on the medical device landscape and is widely touted to be a predictor of where medical device regulations are headed as a whole.
For medical device companies, if you want to enter both the US and EU markets, then you need to be very aware of the similarities and differences. Start your regulatory strategizing early so that you have the best chance of speeding your path on both markets. An experienced regulatory consultant for both markets can be well worth it if you simply don’t have the experience or time.
If you’re building a connected medical device, you must meet regulatory requirements for cybersecurity and data protection. Galen Data provides the connectivity platform that meets stringent requirements. Talk to us about how we can help to connect your device for both the EU MDR and FDA.