9 Common Misconceptions About Medical Device Regulations 


1. Regulations are the same for all medical devices

EU medical devices are categorized into 4 risk classes: Class I, Class IIa, Class IIb, and Class III. Your device designation is determined by things like invasiveness (is the device implanted?), intended purpose, duration of use, active vs. non-active (meaning whether the device needs an energy source or not), and potential risks involved with its use (is it life-sustaining?).

You can use our free tool to determine your risk class. All device classes require a clinical evaluation, a post-market surveillance plan, and a post-market clinical follow-up.

Device class, risk and examples, and regulatory requirements:

Class I*: Class I devices are low-risk, like bandages or a blood pressure cuff
  • Self-certification if there is a similar product on the market (see misconception #2 for more information)
  • General safety and performance requirements
  • Post-market surveillance report

Class IIa: Class IIa devices are medium risk, like dental fillings or contact lenses
  • Involvement of a notified body for conformity assessment and technical documentation review
  • Periodic safety update report

Class IIb: Class IIb devices are higher risk, like ventilators
  • More detailed assessment by notified body
  • Clinical evaluation
  • Periodic safety update report

Class III: Class III devices are high-risk and are typically either life-sustaining or implanted, like a pacemaker
  • Comprehensive regulatory oversight
  • Full notified body review
  • Extensive clinical investigations
  • Periodic safety update report
  • Summary of safety and clinical performance

*Slightly different requirements for subclasses Im, Is, and Ir


2. I need a clinical trial for my medical device

Most low-risk devices don't need a clinical trial if there is a similar product on the market. The need for a clinical trial is based on your device’s risk class and the availability of existing, and relevant, clinical data.

You can use your clinical evaluation procedure to show equivalency to an existing product in terms of safety and performance. Equivalency to another device can mean that your device has:

  • The same intended use
    • Example: A new type of insulin pump may claim equivalency to an existing insulin pump if both are designed to deliver insulin to diabetic patients in a controlled manner to manage blood glucose levels. As long as the intended use—managing diabetes via insulin delivery—remains the same, equivalency can be claimed.
  • The same technical characteristics
    • Example: If you're developing a new implantable heart pacemaker, you can claim equivalency to an existing pacemaker if the technical aspects, like electrical output, lead placement, battery life, and energy delivery method, are identical to those of the existing product. This ensures both devices function in a similar way, providing the same technical performance.
  • The same biological safety as the existing product
    • Example: A hip implant made of titanium alloy can claim equivalency to an existing hip implant made from the same material. Since the biological safety (biocompatibility) of the material has been proven for long-term implantation without causing adverse reactions, your device can claim equivalency in terms of biological safety.

If there are no other devices that are equivalent, even if it’s only a class I, you’ll need to do a clinical trial. If your device is similar to another device, but employs new technology or a new feature, a new clinical trial is still required. 

Clinical data is needed to validate the algorithm's performance for devices with software components that include algorithms (like SaMD or AI-based devices). This is particularly true if the software affects clinical decisions or patient outcomes.

On the other hand, Class III devices and implantables often WILL require a clinical investigation in order to get them through audits because, simply put, they are higher risk and need it in order to justify that they’ll be safe when they hit the market. 


3. Only the physical parts of the device are regulated 

Regulations cover more than the physical device; they also cover things like labeling, software, and firmware. 

For labeling, devices in the EU need to have a Unique Device Identifier (UDI), which is essentially just a barcode that provides traceability for the product. The UDI has to be displayed on different levels of packaging: the device itself, its primary packaging, and in some cases, higher levels of packaging like a large shipment or batch of devices. Packaging requirements ensure that all necessary info is supplied and available to the user, like instructions for use, warnings, expiration dates, etc. You can read more about UDI types and labelling in our UDI blog.

According to MDR, any software that drives or influences the medical device’s use needs to comply with regulatory standards. This software needs to undergo as much scrutiny as the other hardware parts of the medical device. This means that the software must be validated through testing so you can be sure it works correctly and doesn’t pose any unacceptable risk to patients or users. It also needs to be maintained with updates and monitored for performance and safety as part of your post-market surveillance activities. 

Software itself can be a medical device as well, even when it is not matched with any hardware parts. This is typically called Software as a Medical Device (SaMD). Software that is used inside a hardware medical device is called Software in a Medical Device (SiMD).


4. I need an expensive eQMS in order to get through an audit

While an expensive eQMS software may make navigating an audit easier, it’s not a requirement. Plenty of companies, specifically startups and other small enterprises, have successfully created their QMS and technical documentation from scratch using much simpler and cheaper methods. 

At its core, a QMS is just a well-organized file storage system with access controls to ensure that only authorized personnel can view or modify documents. The document lifecycle in a QMS follows three basic stages: draft (where the document is created or updated), live (the approved and active version that everyone follows), and archived (previous versions that are stored for reference but no longer in use). 

Historically, many companies have managed their QMS entirely on paper, which is still an option, though not recommended due to the difficulty in tracking changes and approvals. Today, there are purpose-built eQMS solutions that can be complex and expensive. However, many organizations opt for off-the-shelf software like Google Drive or Confluence for document storage and approvals, and tools like JAMA Systems for requirements tracing. Whether using a simple system or an expensive eQMS, the key is having sound document lifecycle management and access controls. Both approaches can get you through an audit if implemented well.

eQMS systems are only as good as their users. This really just means that an expensive eQMS does not guarantee compliance or a smooth audit process. These systems are tools and their effectiveness depends on how they are used. Without a strong understanding of regulatory requirements and good quality management practices, even the most advanced eQMS can fail to meet an auditor’s expectations. 

In conclusion, while an eQMS can provide convenience and efficiency, it is by no means a necessity to pass an audit. The focus should always be on having comprehensive, well-documented processes and procedures, whether in an electronic system or just a file folder.

Resources

  • Check out Formly.AI’s eQMS on our website

5. My device classification can't change, or I don’t need a new CE mark after modifications to my device

Device classification is based on what your device does. If you add a feature that completely changes what your device does, it may also change your classification. The reverse is true too: some devices can be "slimmed down" to be Class I instead of Class IIa, which can be a strategic business decision. Lower-class devices are subject to fewer regulations, can enter the market more quickly, have lower development/compliance costs, and may allow you to target a different audience or a less complex use case.

Device classification under MDR depends on intended purpose, duration and type of contact with the body, and potential risks. For example, a software medical device that adds a feature to "monitor, treat, or prevent" disease will generally be classified as Class IIa or higher due to the increased risk associated with its functionality. Conversely, a device that removes high-risk functions may be downgraded to a lower class, such as from Class IIa to Class I, if the remaining features pose less risk.

What you need to consider here is what constitutes a “significant change” and if you need to pursue a new CE mark. Significant changes include modifications to a device’s design, intended use, or technical specifications. If any of these changes are made, you may need to reapply for CE marking, showing that you comply with the new classification requirements. This process involves submitting updated documentation to your Notified Body that aligns with the device’s new risk profile. 

Formly's platform simplifies data management change control because all your data is centralized in one system. When you update information in one place, it automatically updates everywhere else, ensuring consistency and reducing the risk of overlooking a necessary update. This makes it easier to handle regulatory changes, submit new documentation, or apply for a new CE mark if required. 


6. I just need technical documents for certification, I don't need to know them 

Regulatory compliance isn’t only about having the right documents on file; you also have to adhere to the processes those documents describe. Auditors expect that your organization "lives its QMS"—actively implementing and maintaining the documented procedures.

If your approach to compliance is to just “check the boxes” for certification, you’re setting yourself up for failure. Without a process-based mindset, any changes or updates to your product or quality system could lead to reactionary rather than planned responses. This could result in missing important regulatory requirements, accidentally failing to comply with updated standards, or overlooking critical safety or quality controls. A reactive approach often means you're playing catch-up, which is risky when it comes to medical devices where compliance is crucial for patient safety and market access.

For example, if your team isn’t really familiar with your QMS processes, a small change in the design or manufacturing of your device might get made without realizing it needs to be reviewed or reported to your Notified Body. This could lead to issues like breaking regulations, facing penalties, or even having to recall your product.

Being process-based means that your team understands and follows the documented procedures as part of their daily activities rather than treating compliance as an afterthought. When you’re proactive and process-focused, you’re better equipped to handle changes smoothly, maintain compliance, and avoid unintentional regulatory breaches. Your QMS should be a living system that guides how your organization operates, ensuring that everyone knows the processes and their importance.

7. When I have my certification, I'm done with all this regulatory and quality stuff

Getting your CE mark is a significant milestone, but not the end of your regulatory journey. Post-market requirements are actually a large part of maintaining your certification so that your device continues to meet regulatory requirements throughout its lifecycle. 

Your QMS is not a one-time setup; it needs ongoing maintenance and updates. This includes managing any changes to the device, updating documentation, conducting internal audits, and maintaining records of all quality-related activities. Notified Bodies may conduct periodic audits to ensure that your QMS is still effective and that you are complying with all relevant regulations.

Post-market requirements vary based on the risk class of your device, with higher-risk devices necessitating the closest monitoring. Having an active post-market surveillance plan in place as part of your QMS can help you identify and solve any issues with your device, especially when addressing any complaints or adverse events. If something goes wrong with your product, using your QMS effectively helps you fix it the right way because it contains SOPs for dealing with issues. 

Notified Bodies review your PMS activities to ensure you are actively monitoring your device's performance and implementing necessary corrective actions like recalls, updates, or field safety notices. 

Having a solid platform for managing your documentation and data makes monitoring your device for issues and updating documentation to maintain compliance so much easier. For example, the data management built into the Formly system makes this really simple to do.

Resources

  • Learn more about post-market requirements and what it takes to keep your device on the market after your CE mark in our PMS blog
  • Learn more about the corrective actions process in our CAPA blog

8. Having a certification won't slow down the software releases we have planned

The reality is that developing and releasing software in a regulated environment, like medical devices, is inherently slow. There are more steps and more scrutiny. Software development and release processes are subject to controls that ensure releases comply with regulations and are safe before they reach the public. This means every change must be evaluated, documented, and validated before release. This keeps you from introducing new risks, but it can slow development and release cycles compared to less regulated industries.

With that said, slower releases do not have to be a significant stumbling block if you have a well-defined QMS with change management processes in place. Having clear guidelines for change control, validation, and documentation can minimize the impact of regulatory requirements on your release schedule.

By focusing on process efficiency and team training, you can maintain a steady release schedule while still meeting all necessary regulatory requirements. When your team knows the rules, your releases go very smoothly. Remember, compliance and quality do not have to come at the expense of innovation and progress. Instead, they can be integrated into your development workflow.

9. Being compliant with MDR is up to one person at our company

Maintaining compliance is a collective effort that requires collaboration across multiple departments. Remember, a trained team is an efficient team when it comes to the QMS.

Compliance with MDR involves understanding and implementing a lot of requirements that touch on every aspect of your business. Here are some examples: 

  • Marketing Teams have to make sure that all promotional materials and claims about the device are accurate and based on factual data because misleading claims can lead to regulatory issues.
  • Human Resources is responsible for ensuring that all employees receive proper training on the regulatory requirements and quality management practices relevant to their position.
  • Clinical Teams contribute by performing clinical evaluations and safety monitoring so the device continues to meet its intended use and safety standards.
  • Quality Teams are tasked with maintaining the QMS with activities like ensuring all processes are followed correctly, managing documentation, and conducting internal audits to keep everything aligned with MDR requirements.
  • Research and Development Teams will have to follow change control processes to assess the impact of proposed changes on device safety. 

By ensuring all departments understand their role in maintaining compliance, your company can effectively navigate the complexities of MDR and avoid potential pitfalls. Compliance is not the job of a single person (though you do need a designated person responsible for regulatory compliance)—it’s a team effort that supports the safety and effectiveness of your medical devices in the market.
