DEV Community

James Whitfield
James Whitfield

Posted on

CE marking under MDR — what's actually new vs what teams keep getting wrong

#qms #medtech #regulatory

I’ve managed Technical Files and CE-marking efforts for Class IIa/IIb devices through MDR audits and notified-body reviews. The media copy on MDR often makes it sound like "more paperwork" — in my experience that's the least useful framing. MDR is a different risk-and-evidence regime. Below is what I found to actually be new in practice, the mistakes teams keep repeating, and the concrete adjustments that helped us survive an audit.

What is genuinely new (or newly enforced)

  • A lifecycle approach to evidence: Clinical evaluation and post-market data must be maintained continuously, not delivered as a one-off dossier. Annex II/III of the MDR expect Technical Documentation that evolves.
  • Stronger clinical expectations: Clinical data must be commensurate with risk and technology. Relying solely on literature reviews for devices with different indications or substantial changes is risky.
  • Post-market surveillance (PMS) is elevated: PMS plans, proactive data collection, PSUR-like periodic evaluation, and explicit links from PMS to CAPA are expected.
  • Person Responsible for Regulatory Compliance (PRRC): The role is more explicit and auditors ask for demonstrated responsibility and authority, not just a job title on an org chart.
  • Increased scrutiny of software and classification rules: Rule changes and guidance mean software can be higher-risk than teams assume; classification drives conformity routes.
  • Supply chain and economic-operator responsibilities: Importers/distributors and manufacturers have clearer obligations; agreements and procedures need updating.
  • UDI and traceability expectations: Labeling and traceability requirements tie into vigilance and PMS more tightly.

These are not theoretical: auditors we worked with wanted evidence of how clinical inputs fed risk management, how post-market findings drove design changes, and how someone (the PRRC) could be held accountable for regulatory decisions.

What teams still get wrong

  • Treating MDR as "more forms" rather than a systems change
    • Common symptom: Teams dump additional documents into the existing Technical File but don’t change workflows that generate evidence (clinical, PMS, supplier surveillance).
  • Late clinical strategy work
    • Teams often attempt a rushed clinical evaluation just before submission. Auditors look for an ongoing plan: objectives, data sources, acceptance criteria, and updates over time.
  • Siloed PMS and CAPA
    • PMS and vigilance data are collected but sit in a report library. If you can’t show how a signal triggered a CAPA or risk-control change, that's a gap.
  • Underestimating software risk/classification
    • We had engineers assume a UI-only device was low-risk; notified body pushed for a higher classification and evidence set.
  • PRRC as an afterthought
    • Hiring someone with the right CV isn’t enough. Auditors expect to see documented authorities, involvement in releases/changes, and evidence they reviewed / signed regulatory decisions.
  • Poor traceability mapping
    • Auditors expect to trace clinical claims → risk analysis → design outputs → verification/validation → labeling. Weak matrices make reviews painful.
  • Supplier agreements not updated
    • Economic-operator responsibilities and MDR’s tighter supply expectations mean legacy supplier clauses are insufficient.

Practical steps that helped us

  • Run an Annex II/III mapping workshop
    • Assign an owner per Annex section and map existing artifacts (design inputs, risk file, clinical evidence, labeling) to the required headings. This revealed missing process links more than missing documents.
  • Make clinical evaluation a living artifact
    • Maintain a clinical evaluation plan (CEP) and a clear evidence-log: literature, PMS-derived data, and any studies. Tie the CEP to the risk management file.
  • Integrate PMS into change control
    • Add a mandatory PMS entry point into your change-request form and require PRRC review for higher-risk changes.
  • Tighten supplier governance
    • Update supplier contracts with MDR-relevant clauses and add supplier performance indicators into your PMS dashboards.
  • Operationalize PRRC responsibilities
    • Document explicit approval gates: who signs off on Technical Documentation, clinical strategies, and release of lots/devices. Show evidence of decisions.
  • Improve traceability tooling
    • We used a traceability matrix that linked clinical claims to risk controls and V&V artifacts. Even a well-structured spreadsheet beats an ad hoc folder structure.

A few caveats from our audits

  • Notified bodies differ in focus. Some will dig deep into clinical justification, others into PMS system effectiveness. Expect variability and be ready to demonstrate systemic control, not just artifacts.
  • EUDAMED / system rollouts and guidance documents evolve — treat guidance as live and document your interpretation and implementation choices.

If you have 90 days before your audit, prioritize this

  • Map Annex II/III to existing evidence
  • Produce a current clinical evaluation synopsis and CEP
  • Show at least one completed PMS → signal → CAPA → verification chain
  • Demonstrate PRRC involvement in a recent release or change

MDR is less about adding a few documents and more about proving your system produces defensible clinical and safety evidence across a device’s lifecycle. Shifting from "file-centric" to "evidence-flow" is the hardest but highest-value change.

What's one practical template, checklist, or trick you used to make Annex II/III traceability effortless during an audit?

Top comments (0)