Seeing Red (And Yellow): Notified Body BSI’s ‘Scorecard’ Shows Plenty Of Work Needed To Meet E.U.’s 19-Point MDR/IVDR Compliance Plan (1 Of 2)

Oct 12, 2022 | News

Seeing Red (And Yellow): Notified Body BSI’s ‘Scorecard’ Shows Plenty Of Work Needed To Meet E.U.’s 19-Point MDR/IVDR Compliance Plan (1 Of 2)The Medical Device Coordination Group released in August a 19-point action plan that the MDCG says will make sure medical products can be certified to the E.U.’s new MDR and IVDR regulations within prescribed transition time frames.

The Position Paper, MDCG 2022-14, also includes recommendations for boosting the work output of notified bodies, and asks NBs to increase their use of hybrid remote/onsite audits to quicken the compliance process, among other things. (READ MORE: “MDCG Urges Compliance To E.U.’s MDR/IVDR In 19-Point Action Plan,” MEDIcept Insight, Sept. 2, 2022)

“If you haven’t read this, it’s definite bedtime reading for you,” Jayanth Katta, Regulatory Director & Head of Medical Devices for BSI, said of the paper, titled “Transition to the MDR and IVDR: Notified body capacity and availability of medical devices and IVDs.” He went on: “If you’re in the regulatory role, you should read it. It’s quite an important document and has 19 different actions to help with the transition.”

In an Oct. 12 presentation at BSI’s 11th Annual Medical Device Roadshow, Katta addressed every point of the action plan and color-coded each using the traffic light colors green, yellow and red to indicate how far along, in his view, each action point is.

This MEDIcept Insight is part one of two, covering action points one through nine. Katta’s comments below were lightly edited for content, brevity and clarity.

1. Notified bodies should use hybrid audits.

“The first action, action No. 1, was a recommendation from the … MDCG that notified bodies are encouraged to make use of hybrid audits. BSI is well into its implementation of the hybrid audit program. …Just one note: Team NB has published a position paper on the notified bodies and our implementation of hybrid audits. If you haven't read it or you’re not aware of it, please take a look.”

2. Leverage evidence from Directive conformity assessments, where possible, to avoid duplication of work.

“The second one, I think, is quite an interesting one. …Instead of reviewing the data again, if the data has been assessed in the past, why don’t we just leverage those past assessments so as to save some time. So that’s the that’s the idea behind it. Now, given it’s green, because some notified bodies are already doing this, but this is kind of bringing it into the limelight and letting other notified bodies also do it.”

At BSI, “we’ve always encouraged our reviewers to leverage past assessments where possible. Sometimes the challenges are just typically because of … the practicality of looking at the evidence in the past, especially if the evidence is from many years ago. And our assessment processes and the depth of assessments were very different back then, from now. So, there were some practical issues in using past assessments. But this document now provides a framework on how it can be done.” [Editor’s Note: The document Katta mentions is a draft position paper currently under review that was written by BSI and other notified bodies that offers general principles of how NBs can leverage previous assessments.]

“There’s been quite a lot of interest in this measure from industry. And I’ve seen some of the discussion … about this. And a lot of people think is this is going to be a quick gap analysis – but I can tell you now, that is not what it is.”

Among other things, NBs will “have to check that the device hasn’t changed, …check that the process hasn’t changed, …check that the state of the art hasn’t changed. We have to check that we have access to the previous assessment reports, and that they are detailed enough with clear conclusions. …Then we can say, ‘Right, we can use that past assessment.’ So, there are lots of steps involved.”

3. Ensuring the “appropriate surveillance” of legacy devices.

“The third one is about appropriate surveillance for the legacy devices, which are not moving to the MDR. Now, there is already another MDCG document MDCG 2022-4, which lays out the principles of what the notified bodies should do in relation to these legacy devices. The document originally said notified bodies must continue their surveillance program, QMS audits, technical file surveillance, audits, et cetera. But now this document, 2022-14, is saying that the directive sampling plans for legacy devices can be abandoned. That’s a huge change. You can imagine that will definitely save some time for the notified body as well. But there are certain things to remember which complicate this matter a little bit.

“It’s not as simple as, ‘Well, this device is not moving to MDR, hence we don’t have to do any surveillance audits anymore.’ What we have to think about is, is this device also certified under the UKCA scheme? If you have a UKCA certificate, we might still need [to] audit to maintain that UKCA certificate, and even potentially renew it. So, we would have to make that assessment as to whether we can abandon the audit or whether we need it for supporting the UKCA scheme, because most UKCA certificates at the moment are issued based on the Directive certificates.

“…The other thing to do is, we need to think of all the nonconformities that may have been raised in the past assessments. Just because we abandoned the audit doesn’t mean we abandon the nonconformities as well. We still have to close them out. And so that means maybe we replace a surveillance technical audit with a nonconformity closure audit. …What we’ve told our staff is that you can stop the Directive audits for legacy devices. But before you stop, think about the UKCA certificates, think about the nonconformities. But what we are also working on is how do we change our QMS audits to be able to verify maintenance of the technical files. So, BSI will issue further communication on that shortly once we know how we are going to address that.”

4. The MDCG will review its guidance with an eye toward eliminating administrative workload for notified bodies.

“This is quite an interesting one. So MDCG promises that they will review all the guidance they have published and eliminate any administrative provisions that have been put on the notified bodies. Now, that begs the question, why didn’t they do that in the first place? Anyway, we are where we are. But it’s a positive development in the sense that they kind of acknowledge that maybe some of the MDCG documents went over what the legislations were saying, even beyond what the legislative requirements were.

“The traffic light is red because [the MDCG] said they’re working on it, but we haven’t seen anything in substance to back that up. …We are still waiting to see where this is going to go and how much of this administrative burden will be reduced.”

5. In the framework of EUDAMED, notified bodies should be able to upload relevant information machine to machine.

This is about “EUDAMED and the certificate module that notified bodies have to interact with. The current minimum viable product, which is what they call it that they are building, doesn’t have any nice functionality. It’s not very user-friendly. It’s being built to meet the legislative requirements. So that means they were not going to enable machine-to-machine integration with notified bodies. That means notified bodies would have to manually submit all of the information into the EUDAMED system when we are ready to interact with EUDAMED. And just as a reference point, when we submit one certificate into EUDAMED, we have to answer between 30 and 40 questions before we submit a certificate.

“…And here is the clincher on that: Once you submit the information there is no way to correct any errors. Even if you made a typo, there is no way to correct it. The only way to correct it is, we reissue the certificate and submit a next version of the certificate into the system to correct a previous error. So obviously notified bodies have been complaining about this. And so, we’re hoping that the machine dimension integration would mean that some of that manual burden will be taken away. But we haven’t seen any progress yet. So that’s why it’s red.”

6. Foster capacity-building.

“No. 6 is about the MDCG encouraging the notified bodies to foster capacity building and mentoring, and coaching the new notified bodies. This is again an interesting one, because Team NB, which is the voluntary association of notified bodies, does a lot of training to other notified bodies. BSI experts go and participate in it to deliver a lot of training. So, there is a lot of mentoring that already takes place.

“…But I think in terms of coaching, you can imagine that will be quite difficult, because it’s like you as a manufacturer calling your competitor to say, ‘We’ll coach you, come and watch us and how we build our devices.’ So that’s a little bit unrealistic, we think. But we do a lot of training together. …So, there is some activity already there. So that’s why that’s in yellow status.”

7. Prepping Commission-delegated acts to change how often notified bodies are completely reassessed.

“No. 7 is about the reassessment of designations. It was meant to happen. The first cycle was going to be three years and then subsequently every four years. It is now agreed that reassessments of designations will move to once every five years. …Postponing this would mean that [NBs] don’t have to prepare as much for it, so we can focus on MDR requirements, and that’s already happened. …So, it is positive. And that’s why that’s a green traffic light.”

8. Those involved in the assessment, designation and notification of conformity assessment bodies should speed up the process.

“Action No. 8 is a note for the European Commission to speed up its designation process. …At the moment it’s taking between 18 months and 24 months, and that’s why the MDCG thinks that needs to be sped up. It’s in red status, because we haven’t seen … what the Commission is going to do to improve the timelines.”

9. The MDCG is exploring adding codes to the designation of notified bodies.

“The next action is to simplify the process of adding codes to notified bodies. So, when they’re initially designated, a notified body might only have a restricted scope so they won’t cover all the product types. But if they want to now certify new product types, they have to go through … a scope extension assessment. That normally takes quite a lot of time, so they’re trying to shorten that and simplify that process. But again, we haven’t seen any developments on that side, so that’s why it’s in red status.”

…And remember, with so much at stake with the rollout of the new regulations in the E.U., your company shouldn’t wing it when it comes to MDR/IVDR compliance. MEDIcept is your go-to source for comprehensive medical device regulatory solutions. We have a long history of success in helping clients achieve and maintain compliance with global regulations.

Check us out at or drop us an email at