Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Dear all,

we had class I software under MDD and now it's classified as IIa MD under MDR (MDR certificate in progress). No significant changes are allowed now, as the MDR certificate is not issued yet. Let's say the software version under certification is 1.0; my question is- when we get the MDR certificate for this software version 1.0, will the certificate apply also to the next version of the same software after we make significant changes (version 2.0)? or once significant change is applied will new MDR certificate needs to be issued for the next version of the software (v.2.0)?

Thank you for your thoughts!

Anon,

This is similar to the forum posting yesterday: https://connect.raps.org/discussion/technical-file-reviews-by-notified-body-1#bma5fc1209-47bc-42de-a750-018a0281ff49.  In short answer to your question, yes the EU MDR CE Certificate would apply to version 2.0, but depends on certificate content.  The change from version 1.0 to 2.0 would need to be evaluated to determine the notification and/or review needing to be performed by the Notified Body.  CE Certificates now are generally assigned to the finished product and not dependent on the software version ... though I can see this changing in the next few years for Software as a Medical Device (SaMD) or stand alone software.  You would need to see the CE Certificate once issued to see the scope of the products listed on the certificate including if the version is indicated.  Some companies bind themselves because they call their product "Great App 1.0" which is reflected on the certificate.  Then when it becomes "Great App 2.0" indeed they would need to get a new CE Certificate or amending current because it would be a "new" product.  Generally, SaMD software on the CE Certificate is named the application name, without the version number.  Again at a minimum, changing from version 1.0 to 2.0 would need to notify the Notified Body to determine whether re-review needs to be performed or review at next surveillance audit (or documented internally though probably not the case).

------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs
------------------------------

Original Message:
Sent: 16-Aug-2023 12:09
From: Anonymous Member
Subject: MDR certificate-sofware

This message was posted by a user wishing to remain anonymous

Dear all,

we had class I software under MDD and now it's classified as IIa MD under MDR (MDR certificate in progress). No significant changes are allowed now, as the MDR certificate is not issued yet. Let's say the software version under certification is 1.0; my question is- when we get the MDR certificate for this software version 1.0, will the certificate apply also to the next version of the same software after we make significant changes (version 2.0)? or once significant change is applied will new MDR certificate needs to be issued for the next version of the software (v.2.0)?

Thank you for your thoughts!

Hi Anon,

a little late to the question and I also replied this to the thread Richard mentiond, but some additional (lengthy) points:

As Richard says the details of change management for devices that require Notified Body (NB) participation are complicated and there currently is no guidance available. So there is no straightforward answer to your question without knowing more details. MDCG 2020-3 covers only the very specific case of significant changes to legacy devices, that is only partially applicable to the change management of MDR devices. The latter depends on the device class and the associated conformity assessment procedure – with additional influence from the actual wording of the certificate and the contractual arrangements with the NB.

Roughly speaking the MDR differentiates between two cases: Quality Management System Certificates (Annex IX Chapter I or Annex XI Part A) and TD Assessment Certificates (Annex IX Chapter II, Annex X and as a more exotic case Annex XI Part B).
For pure QMS certificates, only substantial changes to the quality management system or the device range (meaning the scope of the certificate) require NB review and approval (e.g. Annex IX, 2.4). In theory you can change your device or add new devices as much as you like as long as you stay within the scope of your certification and do not substantially change your QMS (whatever that may mean) without the need for an additional audit or review by the NB. The NB will then evaluate the changes during the annual surveillance audits, including TD reviews according to a sampling plan.

In practice, additional restrictions apply due to the wording of the certificate (detailing the scope of the QMS) and the information that must be provided to the NB so that they can perform their sampling planning. According to Annex XII, 4(b), "EU quality management system certificates and EU quality assurance certificates shall include the identification of the devices or groups of devices, the risk classification, and, for class IIb devices, the intended purpose." Like Richard pointed out it is important here not to be over-specific. If the device identification includes the version number, then new versions would require an updated certificate (even though it might be that the NB will not perform an additional TD review). The broader the scope of the certificate is kept the more changes can be made without the need for NB approval. In addition, the NB will want to know at least about new devices within the scope of your certification (even if no approval is required) to be able to plan their mandatory TD review sampling plans and will probably have respective contractual arrangements.

For TD Assessment Certificates "[c]hanges to the approved device shall require approval from the notified body which issued the EU technical documentation assessment certificate where such changes could affect the safety and performance of the device or the conditions prescribed for use of the device" (Annex IX, 4.10) with a similar formulation for Annex X certificates in Annex X, 5. In this case it might make sense to take a look at the interpretation of "significant change to the design or intended purpose" discussed in MDCG 2020-3 (also it still is not exactly the same).

According to Annex XII, 4(a), "EU technical documentation assessment certificates, EU type-examination certificates and EU product verification certificates shall include a clear identification, including the name, model and type, of the device or devices, the intended purpose, as included by the manufacturer in the instructions for use and in relation to which the device has been assessed in the conformity assessment procedure, risk classification and the Basic UDI-DI as referred to in Article 27(6);". In these cases the device identification is more detailed and the NB will probably at least expect the major revision number on the certificate. In consequence, an approval by the NB and a TD review are more likely in these cases.

I hope that does not add too much confusion. If you would like to discuss this more in detail or for an actual example, just contact me directly.

Best regards
Christoph

------------------------------
Christoph Kiesselbach
Reutlingen
Germany
------------------------------

Original Message:
Sent: 16-Aug-2023 12:09
From: Anonymous Member
Subject: MDR certificate-sofware

This message was posted by a user wishing to remain anonymous

Dear all,

we had class I software under MDD and now it's classified as IIa MD under MDR (MDR certificate in progress). No significant changes are allowed now, as the MDR certificate is not issued yet. Let's say the software version under certification is 1.0; my question is- when we get the MDR certificate for this software version 1.0, will the certificate apply also to the next version of the same software after we make significant changes (version 2.0)? or once significant change is applied will new MDR certificate needs to be issued for the next version of the software (v.2.0)?

Thank you for your thoughts!