Medical Device Regulation (MDR): Regulation (EU) 2017/745 on medical devices
The EU 2017/745 MDR provides a framework to ensure the safety and effectiveness of medical devices. The regulation sets out general requirements for manufacturers to give their medical devices a secure design by providing a risk management system, a quality management system, and an updated post-market surveillance system. It requires manufacturers to create post-market surveillance systems that gather and analyse relevant data about the quality, performance, and safety of a device throughout its entire lifetime, so that preventive and corrective actions can be taken. The MDR and IVDR require devices that incorporate software, and software that is a device in itself, to be developed and manufactured in accordance with the state of the art in terms of development life cycle, risk management (including information security), verification, and validation. They also require manufacturers to set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access.
Info
- The regulation is publicly available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745
- This page was last updated May 27th 2025
Related documents
NEMECYS contribution:
Requirements:
RQ1: Device performance
Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose.
Section of MDR: 1
RQ2: Risk reduction
Reduction of risks as far as possible without adversely affecting the benefit-risk ratio.
Section of MDR: 2
RQ3: Risk management system
- Establish and document a risk management plan for each device.
- Identify and analyse the known and foreseeable hazards associated with each device.
- Estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse.
- Eliminate or control the risks referred to in point (3), in accordance with the MDR-Req-04.
- Evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability.
- Based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the MDR-Req-04.
Section of MDR: 3
RQ4: Risk control measures
To reduce risks, manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable.
- Eliminate or reduce risks as far as possible through safe design and manufacture.
- Where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated.
- Provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users.
Manufacturers shall inform users of any residual risks.
Section of MDR: 4
RQ5: Minimisation of foreseeable risks, and any undesirable side-effects
All known and foreseeable risks, and any undesirable side-effects, shall be minimised and be acceptable when weighed against the evaluated benefits to the patient and/or user arising from the achieved performance of the device during normal conditions of use.
Section of MDR: 8
RQ6: Combination/connection of devices/systems
If the device is intended for use in combination with other devices or equipment the whole combination, including the connection system shall be safe and shall not impair the specified performance of the devices. Any restrictions on use applying to such combinations shall be indicated on the label and/or in the instructions for use. Connections which the user has to handle, such as fluid, gas transfer, electrical or mechanical coupling, shall be designed and constructed in such a way as to minimise all possible risks, such as misconnection.
Section of MDR: 14.1
RQ7: Interaction between software and the IT environment
Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts.
Section of MDR: 14.2.d
RQ8: Interoperability and compatibility with other devices or products
Devices that are intended to be operated together with other devices or products shall be designed and manufactured in such a way that the interoperability and compatibility are reliable and safe.
Section of MDR: 14.5
RQ9: Repeatability, reliability and performance
Devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, shall be designed to ensure repeatability, reliability and performance in line with their intended use. In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance.
Section of MDR: 17.1
RQ10: Development and manufacture in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation
For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.
Section of MDR: 17.2
RQ11: Minimum IT requirements
Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.
Section of MDR: 17.4
RQ12: Unauthorised access
Devices shall be designed and manufactured in such a way as to protect, as far as possible, against unauthorised access that could hamper the device from functioning as intended.
Section of MDR: 18.8
RQ13: Lay persons
Devices for use by lay persons shall be designed and manufactured in such a way that they perform appropriately for their intended purpose taking into account the skills and the means available to lay persons and the influence resulting from variation that can be reasonably anticipated in the lay person's technique and environment. The information and instructions provided by the manufacturer shall be easy for the lay person to understand and apply.
Section of MDR: 22.1
RQ14: Residual risks (information supplied by the manufacturer)
Residual risks which are required to be communicated to the user and/or other person shall be included as limitations, contra-indications, precautions or warnings in the information supplied by the manufacturer.
Section of MDR: 23.1 g
RQ15: Warnings or precautions (information on the label)
The label shall bear warnings or precautions to be taken that need to be brought to the immediate attention of the user of the device, and to any other person. This information may be kept to a minimum, in which case more detailed information shall appear in the instructions for use, taking into account the intended users.
Section of MDR: 23.2 m
RQ16: Residual risks, contra-indications and any undesirable side-effects (information in the instructions for use)
The instructions for use shall contain any residual risks, contra-indications and any undesirable side-effects, including information to be conveyed to the patient in this regard.
Section of MDR: 23.4 g
RQ17: Minimum IT requirements (information in the instructions for use)
For devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, the instructions for use shall contain minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.
Section of MDR: 23.4 ab
** ISO 13485:2016
Relevant tools
Tags: data protection • privacy