Regulatory Open Forum

  • 1.  Technical File reviews by Notified Body

    Posted 16-Aug-2023 06:46

    Hello,

    Has anyone experience in technical file reviews for software updates by a Notified Body?

    For a new SW, it is obvious that a technical file review will be performed, but what is the case for updates that do not affect the general SW behaviour nor the intended use?

    • A TF review is always required
    • A TF review is only required for major SW changes (changes in intended use, risk management, ...)
    • A TF is not required as the manufacturer should have it under control
    • TF review is part of the yearly follow-up audit

    Greetings,



    ------------------------------
    Franky Dubois
    QA/RA Manager
    Gent
    Belgium
    ------------------------------


  • 2.  RE: Technical File reviews by Notified Body

    Posted 17-Aug-2023 04:06
    Edited by Richard Vincins 17-Aug-2023 04:06

    Hello Franky,

    The area of software lifecycle management is probably still a bit of a mystery - black box - to reviewers, Notified Body reviewers and others, unless they have specific experience, training, and/or qualifications in software development/coding. Probably the best source you can use at the moment is MDCG 2020-3 referring to Software Changes - Chart C for types of non-significant changes and significant changes. We have found there is a very wide - as big as an ocean - variation in interpretation of software changes (though this is no different from most regulatory reviewers). It is software, so there is still the mysterious black box phenomenon with software applications, especially complex software applications. Your approach is as expected for the Technical Documentation review, and I see most Notified Bodies take this approach on the review. When there is a "significant change" a notification should be sent to the Notified Body to determine whether a review is always required, review at the next annual surveillance, or documented internally (these are usually non-significant changes). Software can be challenging however because this can change much more frequently than the other components or materials of a medical device or as a Software as a Medical Device which is stand-alone.



    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 3.  RE: Technical File reviews by Notified Body

    Posted 25-Aug-2023 05:26

    Hi Franky,

    A little late to the question, but some additional (lengthy) points:


    As Richard says the details of change management for devices that require Notified Body (NB) participation are complicated and there currently is no guidance available. So there is no straightforward answer to your question without knowing more details. MDCG 2020-3 covers only the very specific case of significant changes to legacy devices, that is only partially applicable to the change management of MDR devices. The latter depends on the device class and the associated conformity assessment procedure – with additional influence from the actual wording of the certificate and the contractual arrangements with the NB.

    Roughly speaking the MDR differentiates between two cases: Quality Management System Certificates (Annex IX Chapter I or Annex XI Part A) and TD Assessment Certificates (Annex IX Chapter II, Annex X and as a more exotic case Annex XI Part B).
    For pure QMS certificates, only substantial changes to the quality management system or the device range (meaning the scope of the certificate) require NB review and approval (e.g. Annex IX, 2.4). In theory you can change your device or add new devices as much as you like as long as you stay within the scope of your certification and do not substantially change your QMS (whatever that may mean) without the need for an additional audit or review by the NB. The NB will then evaluate the changes during the annual surveillance audits, including TD reviews according to a sampling plan.

    In practice, additional restrictions apply due to the wording of the certificate (detailing the scope of the QMS) and the information that must be provided to the NB so that they can perform their sampling planning. According to Annex XII, 4(b), "EU quality management system certificates and EU quality assurance certificates shall include the identification of the devices or groups of devices, the risk classification, and, for class IIb devices, the intended purpose." Like Richard pointed out it is important here not to be over-specific. If the device identification includes the version number, then new versions would require an updated certificate (even though it might be that the NB will not perform an additional TD review). The broader the scope of the certificate is kept the more changes can be made without the need for NB approval. In addition, the NB will want to know at least about new devices within the scope of your certification (even if no approval is required) to be able to plan their mandatory TD review sampling plans and will probably have respective contractual arrangements.

    For TD Assessment Certificates "[c]hanges to the approved device shall require approval from the notified body which issued the EU technical documentation assessment certificate where such changes could affect the safety and performance of the device or the conditions prescribed for use of the device" (Annex IX, 4.10) with a similar formulation for Annex X certificates in Annex X, 5. In this case it might make sense to take a look at the interpretation of "significant change to the design or intended purpose" discussed in MDCG 2020-3 (also it still is not exactly the same).

    According to Annex XII, 4(a), "EU technical documentation assessment certificates, EU type-examination certificates and EU product verification certificates shall include a clear identification, including the name, model and type, of the device or devices, the intended purpose, as included by the manufacturer in the instructions for use and in relation to which the device has been assessed in the conformity assessment procedure, risk classification and the Basic UDI-DI as referred to in Article 27(6);". In these cases the device identification is more detailed and the NB will probably at least expect the major revision number on the certificate. In consequence, an approval by the NB and a TD review are more likely in these cases.

    I hope that does not add too much confusion. If you would like to discuss this in more detail or for an actual example, just contact me directly.

    Best regards
    Christoph



    ------------------------------
    Christoph Kiesselbach
    Reutlingen
    Germany
    ------------------------------