eBooks

The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR)

April 3, 2026


This article is an excerpt from The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR) ebook.


Overview

With the initial rollout of the European Medical Device Regulation (MDR) complete, medical device companies are shifting focus to the sister In Vitro Diagnostic Regulation (IVDR), which has rolling effective dates starting in May 2022. Like the MDR, the IVDR also includes new General Safety and Performance Requirements (GSPR). The expanded 2nd edition of this ebook includes a detailed summary of the IVDR GSPR regulations in addition to those of the MDR. It provides you with practical guidance on how to meet the GSPR requirements for all types of medical technology products. This ebook, however, should not take the place of reviewing the actual regulations and consulting regulatory experts when needed.

Timeline

Submission under the EU MDR, in place of the previous MDD, became mandatory on May 26, 2021, and the EU IVDR effective date is quickly approaching. In fact, all submissions for new devices under the new EU IVDR must be implemented no later than May 25, 2022. Below is a high-level overview of key dates for both regulations.

*Note that the timeline for compliance was extended in 2021. Class D (high-risk) devices have until 2025 to comply with IVDR, while Class C devices have until 2026. Class B and Class A sterile devices have until 2027 to comply with IVDR.

Terminology

What’s the difference between Essential Requirements, General Safety and Performance Requirements (GSPR), and Essential Principles? In order to have a meaningful dialogue, let’s first discuss the three (3) main terms used in the industry.

#1 Essential requirements

The ‘Essential Requirements’ are the backbone for establishing conformity with the Medical Device Directive (MDD 93/42/EEC) and the Active Implantable Medical Device Directive (AIMDD 90/385/EEC). Detailed within Annex I of the MDD and AIMDD, the ‘Essential Requirements’ laid out the requirements that devices must meet in order to state compliance to the directives. With the implementation of the new EU Medical Device Regulation (MDR 2017/745), the ‘Essential Requirements’ will be superseded by the new EU MDR General Safety and Performance Requirements (GSPRs).

#2 Essential principles

The IMDRF laid out Essential Principles requirements in a document entitled Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices. From a high-level perspective, three basic tenets make up these ‘Essential Principles’:

  • A device must be designed to be safe and perform effectively throughout its lifecycle.
  • Device manufacturers must maintain all design characteristics.
  • Devices must be used in a way that is consistent with how they were designed.

Many countries use the term ‘Essential Principles’ when compiling the documentation required to determine compliance to the law.  For instance, the Australian Therapeutic Goods Administration (TGA) uses the term ‘Essential Principles Checklist’. Regardless of the term used, Essential Principles are of similar nature and overlap many of the Essential Requirements and new GSPRs.

#3 General safety and performance requirements (GSPR)

As of May 26, 2021, medical device manufacturers must start to comply with Annex I – General Safety and Performance Requirements (GSPRs) of the new EU Medical Device Regulation (MDR 2017/745). GSPRs are specific to the European MDR and IVDR. If you hear any other term (e.g. Essential Principles), it most likely means it is not referencing the European market.

EU MDR/IVDR Annex I

Annex I of the EU MDR and IVDR details the specific requirements of the General Safety and Performance Requirements (GSPRs). The GSPRs are broken down into three (3) chapters in Annex I, MDR 2017/745 and IVDR 2017/746:

  • Chapter 1 - General requirements
  • Chapter 2 - Requirements regarding design and manufacture
  • Chapter 3 - Requirements regarding the information supplied with the device

Chapter 1 - General requirements

Both the EU MDR and the EU IVDR outline General Safety and Performance Requirements (GSPRs) in great detail for medical device designers and manufacturers. The general requirements for each are almost identical and consist of the following:

  • Devices must perform in a way that aligns with the intended design.
  • They must not compromise the health or safety of a patient, user, or any other person associated with the device.
  • Risks must be reduced as much as possible, but not so much that they negatively affect the risk-benefit ratio.
  • Device manufacturers must implement and maintain a thorough, well-documented, and evaluative risk management system that continues to be updated throughout the life cycle of a device.
  • Manufacturers and designers must include any necessary measures for protecting users in cases where risks cannot be completely eliminated.
  • Manufacturers must provide users with information about any potential risks that remain. This information must be clear, easy to understand, and considerate of the users’ technical knowledge level, use environment, and any applicable medical conditions.
  • Devices must withstand the stresses of normal use for the duration of their lifecycle. Devices must be designed, manufactured, and packaged in a way that protects them from damage during transport and storage.
  • When it comes to risks and negative side effects that are known and foreseeable, designers and manufacturers must make every effort to minimize negative outcomes. They must also ensure that potential risks are acceptable when compared to the potential benefits of a device to its users.

Chapter 2 - Requirements regarding design and manufacture

The GSPRs also provide key details regarding specific information about the performance, design and manufacture of medical devices. As it relates to design inputs, the MDR and IVDR GSPRs provide highly detailed requirements relating to a device’s technical information. Further detail can be found in the comparison tables in Appendix A and Appendix B, where we have compared MDR to MDD and IVDR to IVDD.

Chapter 3 - Requirements regarding the information supplied with the device

The final key area of governance within the GSPRs relates to specific information a manufacturer must supply with a device. The general requirements for this information state that, “Each device shall be accompanied by the information needed to identify the device and its manufacturer, and by any safety and performance information relevant to the user, or any other person, as appropriate.” The requirements provide further detail on the location-specific information that must be provided on the following:

  • The device label, including its UDI.
  • The user instructions.
  • The packaging of a device that is intended to maintain its sterile condition.

Medical devices are subject to significant regulations and a full understanding of EU MDR and/or IVDR labeling as defined in Annex 1 Chapter 3.

EU MDR/IVDR Annex II

In addition to the specific requirements identified within Annex I of the EU MDR and IVDR, Annex II, Technical Documentation, identifies additional requirements. Specifically, in both EU MDR and IVDR’s Section 4 – General Safety and Performance Requirements it states:

“the documentation shall contain information for the demonstration of conformity with the general safety and performance requirements set out in Annex I that are applicable to the device taking into account its intended purpose, and shall include a justification, validation and verification of the solutions adopted to meet those requirements. The demonstration of conformity shall include:

(a) the general safety and performance requirements that apply to the device and an explanation as to why others do not apply;

(b) the method or methods used to demonstrate conformity with each applicable general safety and performance requirement;

(c) the harmonised standards, CS or other solutions applied; and

(d) the precise identity of the controlled documents offering evidence of conformity with each harmonised standard, CS or other method applied to demonstrate conformity with the general safety and performance requirements. The information referred to under this point shall incorporate a cross reference to the location of such evidence within the full technical documentation and, if applicable, the summary technical documentation.”

Let’s break this down into each part.

Requirement

(a) the general safety and performance requirements that apply to the device and an explanation as to why others do not apply;

What needs to be documented for the requirements that apply or the requirements that do not apply?

Each and every section of the EU MDR GSPR or EU IVDR should be assessed in its own right as it pertains to your medical device. When a requirement applies, a simple statement may be made that this requirement applies to the device. In practice this is often achieved using a checklist or table, with a column for applicability and a Yes/No answer against each requirement. When a requirement applies, you can move on to the other parts of demonstrating conformity regarding methods used and standards applied.

When a requirement is not applicable, a statement must be made to that effect, i.e. a ‘No’ in the applicability column. Additionally, it must be fully and properly justified. Such a justification may be something like ‘The device is not powered and is therefore not an active device. This requirement does not apply.’ The justification should clearly state why the requirement has been deemed not to apply so that your notified body can understand your reasoning.

Requirement

(b) the method or methods used to demonstrate conformity with each applicable general safety and performance requirement;

What is meant by “method or methods used”?

This relates to the way you complied with that GSPR requirement. Historically, it would be listed as a standard or other documentation reference that you have applied to demonstrate compliance. However, the question of ‘method or methods used’ is new to the MDR, and it is expected that a verbal description be provided, such as:

i. Risk analysis weighed against clinical evaluation benefit
ii. Performance intended demonstrated by design requirements, verification and validation

Requirement

(c) the harmonized standards, common specifications (CS) or other solutions applied;

What are harmonized standards, common specifications (CS), and “other solutions”?

Harmonized standards

These are standards that have been specifically developed and assessed for compliance to a regulation or directive. They are published in the Official Journal of the European Union (sometimes just referred to as ‘the OJ’) and if you comply with these standards then there is a ‘presumption of conformity’ with that directive or regulation to which they have been harmonized. These harmonized standards can only be created by a recognized European Standard Organization (such as CEN or CENELEC). When a standard is harmonized, an annex is added that describes how the standard conforms to the directive or regulation. When using harmonized standards, you should make sure that you understand how the standard conforms so that you do not claim compliance when the standard either does not meet that requirement or only partially meets that requirement.

If a standard does not meet a certain requirement of the directive or regulation, or indeed only partially meets it, then you must employ additional mechanisms for compliance. If a harmonized standard meets part of a directive or regulation, then by complying with that standard you also fully meet the corresponding requirement(s). The list of harmonized standards continues to grow - refer to the “Healthcare Engineering” section of the European Commission’s Harmonized Standards page for current information. In this case, using an MDD harmonized standard and documenting a justification for doing so (i.e. how you believe the standard demonstrates compliance with the GSPRs), should provide sufficient evidence.

Common specifications

Common Specifications (CS) are a new concept in the MDR. They allow the European Union to add additional requirements that must be met in order to claim compliance where harmonized standards do not exist or where relevant standards are considered insufficient. The definition of a Common Specification is:

‘A set of technical and/or clinical requirements, other than a standard, that provides a means of complying with the legal obligations applicable to a device, process or system.’

Requirement

(d) the precise identity of the controlled documents offering evidence of conformity with each harmonized standard, CS or other method applied to demonstrate conformity with the general safety and performance requirements. The information referred to under this point shall incorporate a cross-reference to the location of such evidence within the full technical documentation and, if applicable, the summary technical documentation;

What is the expectation for incorporating a "cross-reference to the location of such evidence within the full technical documentation"?

This means that someone looking at the document should be able to identify exactly where in the technical documentation the compliance evidence can be found. For example, this may refer to test reports and their exact location, or it could even reference locations within a large document, depending on the GSPR and your particular documentation (e.g. if you have included usability risks as part of a larger risk assessment, you may need to say ‘See Technical File XXX, Section XX, Doc RMF001 rev 3 lines 65-78’). In other cases it could just mean the whole document reference, e.g. Have you done risk management? – then yes, it is RMF001 rev 3. What the specific reference actually is depends on how you have managed your technical documentation and how defined it is (i.e. separate reports or one big one). There should be no ambiguity as to where the document is located.

An example of a completed GSPR checklist could look something like this (applicable and nonapplicable examples are shown):

GSPR 7

  • Description: Devices shall be designed, manufactured, and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through fluctuations of temperature and humidity, taking account of the instructions and information provided by the manufacturer
  • Applicable?: Yes
  • Methods Applied: Design considers packaging requirements. Packaged product has been verified through shipping and transit testing. Product was stored at extremes of temperature and humidity.
  • Standards & Solutions: EN ISO 13585 QMS; EN ISO 15223-1 Labelling; ISTA 2A Testing
  • Evidence: Design procedure XXXXXX, rev XX located in document management system; QMS certificate XXXXXX; Package design drawings XXXXXX, rev XX located in document management system; Product label XXXXXXX, rev XX found in section XX of Tech File XX; ISTA 2A test report title XXXXX, dated XX/XX/XX found in section XX of Tech File XX; Storage condition test report title XXXXX, dated XX/XX/XX found in section XX of Tech File XX

GSPR 11.5

  • Description: Devices labelled as sterile shall be processed, manufactured, packaged and sterilised by means of appropriate, validated methods.
  • Applicable?: No
  • Methods Applied: N/A - This does not apply to this device (device id XXXXX) as it is not a sterile device and cannot be sterilised.
  • Standards & Solutions: N/A - This does not apply to this device (device id XXXXX) as it is not a sterile device and cannot be sterilised.
  • Evidence: N/A - This does not apply to this device (device id XXXXX) as it is not a sterile device and cannot be sterilised.

Proactive monitoring & maintenance

Specification developers and manufacturers must continually maintain their technical documentation to stay compliant. Part of this process is to ensure that they take into account the "generally acknowledged state of the art".

Proactive monitoring

'State of the art'

There is no formal definition of ‘state of the art’ within the EU MDR or IVDR, although it is mentioned many times. ‘State of the art’ is an ongoing debate; however, it generally means that it embodies what is currently and generally accepted as good practice in the medtech industry. The ‘state of the art’ does not necessarily imply the most technologically advanced solution.

One consensus on state of the art is being up to date and compliant with the standards currently in effect that are applicable to your device. This means that if a standard your medical device complies with is updated, you must evaluate that update to ensure that it would meet the EU MDR or EU IVDR ‘state of the art’ requirement. This is not a new requirement from the EU MDD, but it is spelled out more clearly in the EU MDR.

The specification developer or manufacturer is ultimately responsible for determining if the updated standard applies or does not apply to their device(s). Either way, the justification should be documented within a gap analysis.

Monitoring for changes

Of course, 'state of the art' only applies if you actually know if something changed. This is why you need to develop a process for monitoring the standards to which compliance is claimed. Every single standard that is associated with your technical documentation must be actively monitored, reviewed, and reported on.

If you have a product on the market and need a better way to monitor and maintain your General Safety and Performance Requirements (GSPR) or Essential Principles, Rimsys can help. Rimsys digitizes and automates GSPR and Essential Requirements so you can dynamically update and proactively monitor changing standards and evidence files.

When a standard or evidence file changes, you will automatically be notified and can update one GSPR or all of your GSPRs as applicable with a single click of a button. If additional information is needed, such as testing, it’s also invaluable to ensure that all devices are identified. What used to take weeks of manual, error-prone administrative tasks is now done in seconds within a fully validated, secure, maintenance-free, cloud-based solution.

Maintenance

Maintaining and updating your technical documentation is generally the hardest part of staying compliant. Robust processes must be established to ensure nothing slips through the cracks and shows up as a nonconformance during regulatory audits.

Gap analysis

In addition to meeting the ‘state of the art’ requirements and the continuous proactive monitoring of standards, once a change has been detected that affects the technical documentation, a proper and thorough gap analysis must be completed.

The gap analysis between the old versions and the new versions, or an evaluation of a brand new standard, must occur and be properly documented. The gap analysis should detail what is applicable and what is not applicable, with your supporting justification.

If something within the new or revised standard was applicable to your device, additional engineering testing, documentation, justification, and, in some instances, design changes may be needed to ensure compliance.

GSPR updates

Once the gap analysis has been properly documented, specification developers and manufacturers must update their GSPRs.

These updates include finding the withdrawn or superseded standard or evidence file throughout each row within your GSPR table, for every single device on the market on which this change is applicable. This could be one table or dozens of tables depending on the complexity of the products and your product mix.

Without a holistic RIM system to help you, this is an error-prone process, as it is tedious, administrative, and extremely easy to miss an inappropriately referenced standard or evidence file.

Extreme diligence on the regulatory or engineering team must occur to ensure these critical updates to the GSPRs are not missed and a gap analysis must be properly referenced throughout. Any justification for including or excluding a new standard or evidence file will be scrutinized by regulatory auditors, and without proper maintenance, may lead to additional review time.

Comparison table: EU MDR Annex I GSPRs vs EU MDD Annex I Essential Principles

To continue reading this eBook including Comparison Table of the EU MDR Annex I GSPR vs. the EU MDD Annex I Essential Requirements, please register to download the full version.

eBooks

The beginner's guide to the FDA PMA submission process

April 3, 2026


This article is an excerpt from The beginner's guide to the FDA PMA submission process ebook.


Introduction

If your organization is planning to market a new medical device in the United States, you first need to determine which regulatory class the device falls under. The vast majority of medical devices regulated by the FDA are either Class I or Class II medical devices, requiring a 510(k) premarket notification or a simple registration if exempt from 510(k) requirements. However, if your device sustains or supports life, is implanted, or presents a “potential unreasonable risk of illness or injury,” your device is likely a Class III device which will require Premarket Approval (PMA) from the FDA before it can be marketed in the United States. Novel devices, for which there are no existing substantially equivalent devices, are automatically classified as Class III as well. Novel devices with a lower risk profile, however, may qualify for the De Novo process instead of the PMA. Just 10% of devices regulated by the FDA are Class III devices.

This ebook provides an overview of the PMA process and its requirements, but it is not designed to be the only resource used in compiling a PMA submission. The FDA provides significant documentation on this process, starting with the regulation governing premarket approval that is located in Title 21 Code of Federal Regulations (CFR) Part 814.

Chapter 1: PMA Basics

FDA: Background and device oversight 

Before we explain what a PMA is, let’s first talk generally about the Food and Drug Administration (FDA) and device oversight. The FDA is the U.S. governmental agency responsible for overseeing medical devices, drugs, food, and tobacco products. When it comes to medical devices, the FDA’s mission is to “protect the public health by ensuring the safety, efficacy, and security of...medical devices.” At the same time, the FDA also has an interest in “advancing public health by helping to speed innovations.” In other words, the FDA’s goal is to make sure devices are safe and effective for public use, while also ensuring that devices have a quick and efficient path to market.

In order to achieve this balance of safety and efficiency, the FDA has three different levels of oversight depending on the risk level of the device: (1) exempt from premarket notification, (2) Premarket Notification, also known as 510(k), and (3) Premarket Approval (PMA). 

PMA submissions - medical device classes

When is a PMA required?

The PMA process is the most stringent regulatory process for medical device approval under the FDA and applies to almost all Class III devices. To determine whether your device requires a PMA, you must first classify your device by searching the Product Classification Database. The database will provide you with similar devices: their names, classifications, and links to the Code of Federal Regulations (CFR) if applicable.

  • If a substantial equivalent is found in the Product Classification Database with a submission type of 510(k), you should submit a 510(k), not a PMA.
  • If the product classification database identifies your device as Class III and/or requiring a PMA - you should submit a PMA.
  • If your device involves a new concept and does not have a classification regulation in the CFR, the database will list only the device type name and product code. In this case, the three-letter product code can be used to search the PMA database and the 510(k). 
  • If  your device cannot be found in the product classification database because it is a new type of device and should be classified as a Class III device because of the level of risk it presents*.

Class III devices support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential and unreasonable risk of illness or injury.

Note that if your device is a new concept without a substantial equivalent, but does not present the level of risk of a class III device, it may be eligible for the De Novo process as a class I or class II device.

PMA vs 510(k)

Not only are PMA and 510(k) processes applicable to different types of devices, they have different purposes.

510(k): A 510(k) is intended to demonstrate that the device for which approval is being sought is as safe and effective as a currently marketed device that does not require a PMA.

PMA: A PMA is intended to prove that a new device is safe and effective for the end user. A PMA is much more detailed and in-depth than a 510(k). Device manufacturers are typically required to present human clinical trial data, in addition to laboratory testing data.

The difference in complexity between a PMA and 510(k) also affects the time needed to process the submissions. The FDA typically accepts or rejects a 510(k) submission within 30-90 days, at which point the device is posted to the FDA’s 510(k) database. A PMA submission can take up to 180 days to be processed, at which point the FDA can approve or deny the application. The FDA may also issue an “approvable” or “not approvable” letter, which the applicant can choose to respond to, thereby adding time to the submission process. 

PMA application methods

There are a number of types of PMA application methods. While most devices which require a PMA will follow the traditional process, be sure to verify that you are using the correct application process to maximize your chances for success and avoid unnecessary delays:

Traditional PMA

The most common method for attaining FDA clearance for Class III devices, the traditional PMA is the appropriate option for most devices that have completed clinical testing. 

Modular PMA

The modular PMA is the appropriate application method for devices that have not yet completed clinical testing. Applicants complete individual “modules,” with final confirmation granted once all sections are completed. For additional information on specific requirements of a modular PMA, read the FDA’s Premarket Approval Application Modular Review.

Product Development Protocol

Use the Product Development Protocol (PDP) with medical devices that are based on well-established technology. The PDP process for gaining market approval merges the clinical evaluation and development of information, and involves an agreement between the manufacturer and the FDA. The process provides the advantage of early predictability for the manufacturer and allows early interaction that can identify FDA concerns as soon as possible in the development process. Because the PDP identifies the agreed upon design and development details, a completed PDP is considered to have an approved PMA. For additional information, read more about the FDA’s PMA Application Methods.

Humanitarian Device Exemption

A Humanitarian Use Device (HUD) is specifically defined as a device intended to benefit patients that are affected by a disease or condition that affects fewer than 8,000 individuals in the U.S. per year. The Humanitarian Device Exemption (HDE) approval process is designed to encourage clinical activity around rare conditions, and does have certain restrictions, including:

  • After receiving HDE approval, a HUD is eligible to be sold for profit only if the device is intended to address a disease or condition that occurs primarily in pediatric patients, or occurs in pediatric patients in small numbers.
  • If an HDE is approved to be sold for profit, the FDA will determine an annual distribution number (ADN). Any devices sold beyond the ADN limit are required to be sold for no profit.

For more information see the FDA’s explanation of the Humanitarian Device Exemption.

CBER Submissions

There are two centers within the FDA responsible for evaluating medical devices. While the majority of devices will go through the Center for Devices and Radiological Health (CDRH), some will be managed by The Center for Biologics Evaluation and Research (CBER). CBER regulates medical devices related to blood and cellular products, including blood collection and processing procedures as well as cellular therapies. This ebook focuses on submissions made through the CDRH, but you can view CBER Regulatory Submissions – Electronic and Paper for more information on the CBER process.

Chapter 2: FDA Interactions

To continue reading this eBook, including a walk through of the different types of required and optional FDA meetings and communications, a detailed list of the contents of a traditional PMA submission, and an overview of quality management system requirements, please register to download the full version.

Regulatory Briefs

An overview of 21 CFR Part 11 regulations for medical device companies

April 3, 2026


What is 21 CFR Part 11?  

21 CFR Part 11 refers to the federal regulation that addresses electronic records and electronic signatures associated with FDA requirements. This single, relatively small part of the Code of Federal Regulations is extremely significant for companies with FDA-regulated products because it impacts every document signature, electronic file, and FDA submission. Codified in 1997, this FDA-issued regulation continues to have its interpretations debated and re-evaluated as the technology supporting electronic records and signatures changes. In this article, we’ll discuss the regulation and generally accepted interpretations.

Note that discussions and statements in this document are our observations only and should not be taken as fact. You can refer directly to the regulation here.

Part 11: General Provisions

The General Provisions section of 21CFR11 addresses the scope of the regulation, when and how it should be implemented, and defines some of the key terms used. It states that the purpose of Part 11 is to define the criteria under which electronic records, electronic signatures, and handwritten signatures attached to electronic records are equivalent to, and as reliable as, handwritten signatures on paper documents.

Fundamentally, any record that is maintained, used, or submitted under any FDA records regulation is subject to Part 11, and the FDA will accept electronic records in lieu of paper records if an organization can prove that their records and systems meet the Part 11 requirements.

The General Provisions subpart also sets forth a number of definitions, and we’ve listed the ones that are most significant to our discussion here:

  • Closed System: A computer system or software whose access is controlled by the same people who are responsible for the information stored in the system. Because the opposite of a closed system, an “open system,” is subject to additional scrutiny, be sure that you are able to thoroughly explain and provide documentation for a decision to classify your system as a “closed system.”
  • Open System: A computer system or software whose access is not controlled by the same people who are responsible for the information stored in the system.
  • Digital Signature: An electronic signature created in a manner that can be verified, ensures the identity of the signer, and maintains the integrity of the document and signature. This often involves the use of cryptography and/or biometric data.
  • Electronic Signature: Symbols that represent a legally binding equivalent to an individual’s handwritten signature (as adopted and authorized by the signer).

Part 11: Electronic Records

The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.

Part 11 defines a “closed system” as any computer system in which the users controlling access to the system are the same people who are responsible for the data in the system. Today, most systems can be classified as closed systems, but take special care to document control procedures around software that is hosted offsite or classified as a SaaS solution.  

This section of the regulation deals with the controls that need to be in place for all applicable electronic record systems by defining:

  • Procedures to ensure that all electronic records are authentic, have integrity, and can ensure confidentiality (where that is appropriate).
  • Validation requirements for systems that maintain electronic records to ensure that all records are accurate, reliable, and that the system performs consistently according to regulatory requirements.
  • Audit trail requirements for all regulated records to ensure a complete history of all changes to records are maintained.
  • Controls around system access and document signatures.

Part 11: Electronic Signatures

The Electronic Signatures section defines the components of electronic signatures and the required controls and procedures necessary for using them.

In general, an organization must be able to demonstrate that electronic signatures:

  • Are unique to each individual, and that the individual assigned an electronic signature has had their identity and level of authorization verified.
  • Must be based either on biometric data (such as fingerprints) or made up of two distinct pieces (i.e., a User ID and password).
  • Require appropriate controls to ensure that they are verified periodically, cannot be used by someone other than the intended user, and are immediately deactivated if compromised in any way.

Practical application of 21 CFR Part 11 for regulatory affairs professionals

21 CFR Part 11 is a critical regulation, and one that can be open to interpretation. Below, we cover some of the key areas that should be of concern for RA professionals. This is an overview of key areas only, and should not be taken as complete instruction or guidance for 21 CFR Part 11 compliance.

System compliance and validation

Any system that you are using to store electronic records that fall under FDA regulations needs to be compliant with Part 11. This includes everything from spreadsheets to full-featured RIM and document management systems.  

Software vendors will often document how their systems are developed to be compliant, and may even support system validation during implementation - but it is ultimately the responsibility of the user organization to ensure that their systems and processes are compliant with Part 11.  System validation is the process of documenting that your system meets all of the Part 11 requirements.  Software vendors can support this process by ensuring that their systems are built on a highly secured infrastructure that can be demonstrated and proven.  

The Rimsys system was built from the ground up to meet the stringent requirements of not only 21 CFR Part 11, but other industry standards and good practices guidelines (GxP).  We have put in place a rigorous validation program, built by industry experts and supported by a secure and well-documented infrastructure. For more information, visit the Rimsys Security and Privacy page.

Audit trails

Audit trails are the required system logs that track the who, when, and what of every change made to data that falls under Part 11. Audit trails should be generated and time-stamped by the system, with no ability for users to change that information. Audit trails serve two purposes under 21 CFR Part 11:

  • To demonstrate that documented policies and procedures are being followed, including that only users with the appropriate authority are managing data.
  • To prove that data retention policies are being adhered to (see below).

At any time, you should be able to view the history of any record, from a Design History File to a submission document, in order to determine what changes have been made, when they were made, and by whom.

Record retention

21 CFR Part 11 specifies that electronic records must be protected and readily available throughout the defined record retention period. Additionally, 21 CFR Part 820 specifies that records related to the quality, manufacturer, regulatory submissions, or any other data that falls under FDA regulation, should be maintained for the life of the medical device and for a minimum of two years from the date of first commercial distribution.  This is often referred to as “cradle to grave” tracking.

This means that regulatory professionals need to not only be aware of their company’s record retention policy, but need to ensure that any system being used to track regulatory submissions or other data subject to audit meets Part 11 and Part 820 requirements. Note that record retention requirements apply also to paper records where they are the source document.

Electronic and digital signatures

An important piece of 21 CFR Part 11 is its definition of electronic and digital signatures. “Electronic signature” is used to define any set of symbols that are used in place of a handwritten signature, whereas a “digital signature” is an electronic signature based on methods that ensure the identity of the signer and allow the integrity of the data to be verified. A digital signature can be based on biometric data (such as fingerprints) or secure user IDs and passwords that are controlled to ensure only one authorized user can use the signature.

As a regulatory affairs professional, you should ensure that:

  • Everyone on your team who needs to sign documents has their own unique digital signature and understands the importance of protecting it. Sharing of electronic credentials is a common FDA audit observation. Also ensure that users who are not required to sign documents have appropriate access to data to discourage other users from sharing login credentials with them.
  • You are following your company’s policies concerning electronic signature audits so that passwords remain updated and strong and signatures are revoked when a user leaves or changes positions.
  • You immediately report any possible loss, theft, or sharing of user credentials or devices that generate identification codes.

While 21 CFR Part 11 is usually considered more of a “quality regulation,” it is important that regulatory teams within medical device organizations fully understand this regulation and its compliance implications.

Blogs

Regulatory strategy as a competitive advantage

By Wendy Levine

March 27, 2023

4 min read

This article is an excerpt from the Regulatory strategy as a competitive advantage ebook.

The regulatory revenue opportunity

It is well known that medical technology (medtech) companies are highly regulated, given the potential risks their products present. Understanding and complying with the complex regulations in each country is, therefore, a necessary part of marketing and selling medical devices. To realize any revenue from a medical device, it must not only demonstrate compliance with all applicable regulations, it must also receive and maintain market clearance from each country in which it is to be sold. No market clearance means no revenue. Given the key role regulatory compliance plays in revenue attainment, regulatory teams, tools, and processes present a significant opportunity for differentiation for organizations willing to invest in them.

For the majority of medtech companies, however, regulatory departments have traditionally been treated as operational cost centers, with departmental improvements focused on cost reduction and efficiency improvements. Limited investment in people and tools, and limited interest in digital transformation, have left regulatory teams across the medtech industry underfunded and under-resourced.  

This has led to great resourcefulness within the RA community, where most members can point to heroes within their team who worked long hours to meet a submission deadline, headed off a disaster by uncovering a pending expiration, created ad-hoc systems to organize information and streamline communication between the RA and QA teams for smoother audits, or have otherwise gone above and beyond their typical responsibilities.

Regulatory teams, however, have the potential to be a revenue-driving competitive weapon for companies that are willing to look at them a little differently and invest in regulatory performance above regulatory cost-effectiveness. Well-supported regulatory teams can provide a true competitive advantage by providing the resources and direction to:

  • Capture market share by being first to market with novel devices.
  • Avoid lost revenue by effectively tracking and planning for registration renewals/updates.
  • Out-pace competitors and grow market share by adapting to regulatory changes more quickly and taking advantage of competitors’ non-compliance or inability to enter a new market.

We believe we are entering a new era for regulatory affairs within the medtech industry. One in which RA teams have a seat at the table when go-to-market, competitive positioning, and strategic decisions are being made.  

Regulatory responsibilities

In the medtech industry, regulatory affairs (RA) teams have a broad range of responsibilities across the product lifecycle:

Premarket regulatory strategy

Obtaining market clearance for a new medical device is the primary activity typically attributed to RA teams. It is not unusual for a regulatory team to be given market entrance projects with little warning, but ideally, the RA team would be brought in as early as possible to contribute to go-to-market discussions.

Premarket regulatory strategy, at a minimum, involves:

  • Determining the most appropriate pathway to market approval. For example, a 510(k) or PMA submission in the U.S.
  • Working with quality, product, and other teams to gather information needed for market submission.
  • Establishing communication with applicable regulatory bodies and third-party approved auditors.
  • Compiling and submitting required documentation for market approval. This includes managing follow-up activities, questions, and requests for additional information throughout the approval process.

Forward-thinking organizations often look to bring in RA teams even earlier in the process. As regulatory experts, RA professionals can provide unique insight into product development plans. In consultation with R&D teams, they can help to refine product strategies and steer development in areas that will reduce regulatory hurdles when new products are ready to be commercialized.

Maintaining regulatory compliance for existing products

While the primary focus of regulatory teams is often considered to be new market submissions, the majority of their time is actually spent on maintaining compliance for products that are already in-market. Even in situations where market registrations do not expire, constant vigilance is required to ensure that devices remain compliant with current regulations. These efforts take considerable time for a typical RA team because information is often spread across disparate systems, where it can be difficult to find and confirm.

Maintaining regulatory compliance for approved devices includes:

  • Staying on top of changing standards and making changes as required to existing technical files and other documentation.
  • Submitting appropriate documentation updates when there is a change made that could potentially affect the efficacy or safety of the product, such as a material switch or facility change.  
  • Understanding pending regulatory changes and proactively addressing any that have an impact on devices currently in-market.
  • Tracking registration expirations and preparing for timely re-submissions to ensure there is no lapse in market clearance.

Post-market activity

Post-market surveillance and vigilance activities are required by most countries and should involve the cooperation of the quality and regulatory teams. Ensuring that changing post-market reporting requirements are understood and complied with is an important regulatory responsibility.

Regulatory teams typically play a role in:

  • Post-market surveillance of adverse events, complaints, and any issues associated with a device in the field.
  • Assembling and submitting any required periodic safety reports to country/regional health authorities.
  • Post-market vigilance and reporting of serious events to the appropriate regulatory agencies.
  • Any required communication with regulatory authorities regarding adverse events or concerning trends in product quality.

Limitations of the “cost-center” approach to regulatory affairs

Ask any RA professional, and they are likely to tell you that they work long hours and are often scrambling to meet looming deadlines...

Blogs

Essential principles

By Bruce McKean

March 23, 2023

4 min read

What are Essential Principles?  

Essential Principles (EPs) are requirements established by a country’s health agency. Medical device manufacturers need to prove that they comply with these requirements in order to sell their device in each country where they are required. This is often tracked in a burdensome table in which each requirement is explained by applicable standards and other items used to demonstrate compliance with each requirement. The manufacturer will link their evidence files to prove that they meet the requirement or provide an explanation as to why it is not applicable in their situation.  

Think of this like CliffsNotes for the submission and related documents. Submission documents, their locations, and explanations can all vary depending on the device type, manufacturer, and their processes.

What countries require Essential Principles?

Not every country requires EPs for their submissions. Some of the main countries that do require them include:

  • The European Union – where they are called General Safety and Performance Requirements (GSPR)
  • Australia
  • Malaysia
  • Singapore (accepts EU documentation in most cases)
  • China

What do Essential Principles look like?

GSPR (General Safety and Performance Requirements) in the European Union are an example of Essential Principles requirements. The language in the GSPR comes directly from Annex I of EU MDR 2017/745 for medical devices and EU IVDR 2017/746 for in-vitro diagnostic devices. Medical device manufacturers take the text of this regulation, numbering and all, document whether each requirement applies to their device and which standards they apply to it, and then provide their evidence.

Let’s look at an example that directly comes from EU MDR 2017/745, Regulatory text, Annex I, 7th requirement:

“Devices shall be designed, manufactured and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through fluctuations of temperature and humidity, taking account of the instructions and information provided by the manufacturer.”

The validation of the Essential Principles for this particular requirement would be displayed in a table like the one below. Note that the description column in the table and in the EU MDR regulatory requirement are identical to each other.  

| GSPR | Description | Applicable? | Methods | Applied Standards & Solutions | Evidence |
|---|---|---|---|---|---|
| 7 | Devices shall be designed, manufactured and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through fluctuations of temperature and humidity, taking account of the instructions and information provided by the manufacturer. | Yes | Design considers packaging requirements. Packaged product has been verified through shipping and transit testing. Product was stored at extremes of temperature and humidity. | EN ISO 13485 QMS, EN ISO 15223-1 Labeling, ISTA 2A Testing | Design procedure XXXXXX, rev XX located in document management system; QMS certificate XXXXXXX; Package design drawings XXXXXXX, rev XX located in document management system; Product label XXXXXXX, rev XX found in section XX of Tech File XX; ISTA 2A test report title XXXXX, dated XX/XX/XX found in section XX of Tech File XX; Storage condition test report title XXXXX, dated XX/XX/XX found in section XX of Tech File XX |

These tables change constantly, and it is a large administrative burden on the regulatory professional to quickly identify changes, perform a gap analysis (check for changes and do testing if needed), and update the tables when required. In addition, we have seen the following issues caused by changing standards:

  • Large companies can have hundreds to thousands of Essential Principles tables. Without a bulk upload, processing all of those documents can take an incredibly long time.
  • Errors can occur with standards updates when a product that is associated with a standard is missed.
  • If a gap analysis is done too late and testing a product to a revised or new standard is required, your product might need to be blocked from a market for months, which could mean massive revenue loss.
  • A reference to new testing data can be missed accidentally because only the standard was updated.

Rimsys allows regulatory professionals to be notified of standard changes and even do bulk additions and deletions of documents, standards and certificates to your Essential Principles Tables, which can save regulatory professionals countless hours in administrative work. For more information on how one of our customers benefited from our Essential Principles tool, reducing their EP and GSPR maintenance by 99%, read our Bisco case study.

Blogs

FDA consensus standards

By Wendy Levine

March 14, 2023

4 min read

FDA Standards and Conformity Assessment Program

The FDA Standards and Conformity Assessment Program (S-CAP) seeks to drive the “development, recognition, and appropriate use of voluntary consensus standards for medical devices, radiation-emitting products, and emerging technologies.” Conformity to relevant standards is voluntary, unless a standard is “incorporated by reference” directly into a regulation. However, demonstration of conformity with FDA-recognized standards in a premarket submission is encouraged by the agency and will streamline the review process.

According to the FDA, S-CAP is designed to:

  • Produce and implement clear policies to promote the appropriate use of standards in regulatory processes.
  • Anticipate the need for and lead the development of national and international consensus standards.
  • Advance initiatives to enhance confidence in conformity assessment activities.
  • Foster innovation and standardization in technologies that facilitate patient access to novel devices.
  • Provide leadership in standards quality and utilization through outreach and global harmonization.

What is a voluntary consensus standard?

The FDA recognizes standards that medical device manufacturers may use to demonstrate that they have met a relevant requirement of the FD&C Act. The FDA may recognize all or part of a standard established by an international Standards Development Organization (SDO). Not all standards recognized internationally are recognized by the FDA.

The most common SDO is the International Organization for Standardization (ISO), and some of the most recognized ISO standards for medical devices include:

  • ISO 14971 – Application of risk management to medical devices
  • ISO 10993 – Biological evaluation of medical devices
  • ISO 11137 – Sterilization of healthcare products

Note that ISO 13485 is not recognized by the FDA for use in standard market submissions, but it is recognized as a quality standard under the MDSAP program.

Some of the other recognized SDOs include:

  • ANSI – American National Standards Institute
  • ASQ – American Society for Quality
  • IEC – International Electrotechnical Commission

In some cases, FDA consensus standards have an identical U.S. adoption, such as IEC 60601-2-47 and ANSI/AAMI/IEC 60601-2-47. For a full list of recognized standards, see the FDA’s Recognized Consensus Standards database (the “Standards Organization” field lists all SDOs).

Using consensus standards in premarket submissions

Demonstrating conformity with FDA-recognized standards can facilitate the premarket review process for:

  • 510(k) submissions
  • De Novo requests
  • Investigational Device Exemption (IDE) applications
  • Premarket Approval (PMA) applications
  • Product Development Protocols (PDP)
  • Humanitarian Device Exemption (HDE) applications
  • Investigational New Drug (IND) applications
  • Biologics License Application (BLA) for devices that are regulated by CBER as biological products

It is important to recognize that conformance to a recognized standard often satisfies only a portion of the requirements of a premarket submission. When using an FDA-recognized consensus standard, a manufacturer should submit a Declaration of Conformity (DOC) to the standard and list it in the CDRH Premarket Review Submission Cover Sheet (form FDA 3514). Elements of a Declaration of Conformity include:

  1. Name and address of the applicant/sponsor responsible for the DOC.
  2. Product/device identification, including product codes, device marketing name, model number, and any other unique product identification data specific to the DOC in question.
  3. Statement of conformity.
  4. A list of standards for which the DOC applies including, for each standard, the options selected, if any.
  5. The FDA recognition number for each standard.
  6. The date and place of issuance of the DOC.
  7. Signature, printed name, and function of the sponsor responsible for the DOC.
  8. Any limitation on the validity of the DOC (e.g., how long the declaration is valid, what was tested, or concessions made about the testing outcomes).

Supplemental documentation requirements in support of a DOC

Supplemental documentation in support of a DOC is often required. Adherence to a standard may not be sufficient for the FDA to make a regulatory decision. The example used in the FDA’s guidance document, Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices, is that of ISO 14971. ISO 14971, Application of risk management to medical devices, does not list all of the detailed acceptance criteria for necessary performance tests. According to this guidance, the following general principles should be followed when determining the need for supplemental documentation:

  • When the consensus standard includes both a test method or test procedure and a single set of predefined acceptance criteria, FDA should generally not request data relating to the specific consensus standard in the DOC.
  • When the consensus standard describes a test method or procedure, but does not include acceptance criteria, the submitter should provide an assessment of the results and how conformity was determined.
  • When the consensus standard includes choices related to, for example, what is to be tested, which test methods to use, or acceptance criteria to assess conformity, the submitter should include an explanation for the choices and selections made.

Managing standards updates

When a consensus standard is replaced by a newly recognized standard, the older version is withdrawn following a transition period. That transition period is provided to allow submitters time to prepare to use a new version of the standard. During the transition period, the submitter may continue to use the old version of the standard, though a justification for use of the older version should be provided in instances where adherence with a new version would require significant questions to be addressed.

Transition periods will vary based on the scope of the change to the standard and can be found in the standard’s supplemental information sheet (SIS). When a standard changes during an active review of a premarket submission, the FDA will continue to review the submission based on the previous version of the standard.  

Blogs

RIM for medtech vs. RIM for pharma

By Wendy Levine

March 10, 2023

4 min read

Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Regulatory information management (RIM) systems have been available for some time, but only in the pharmaceutical industry. This means that many regulatory professionals in the medical device industry continue to rely on paper documents, spreadsheets, and other outdated tools and methods to manage their work.  

Medtech RA teams who implement RIM systems built for the pharma industry do not have the functionality they need to manage the complex workflows associated with medical device submissions and registration maintenance. In fact, at Rimsys we have worked with a number of medical device manufacturers who moved away from their RIM pharma system without successfully implementing it.

What is RIM for the pharmaceutical industry?

RIM systems designed for the pharmaceutical industry (Pharma RIM) provide a centralized system for managing the drug approval process. Pharma RIM systems differ in their scope, but often handle processes from pre-registration through post-registration, including the creation and management of dossiers for Investigational New Drug (IND) and Clinical Trial Application (CTA) submissions.

Pharma RIM systems also provide content/document management capabilities, often tied to Master Data Management (MDM) functionality which provides for the storage, retrieval, and integration of the large amounts of data tracked by pharmaceutical companies. In addition, Pharma RIM systems can assist with electronic submissions of regulatory dossiers.

Why Pharma RIM doesn’t work for medical device manufacturers

On the surface, regulatory solutions for the pharmaceutical and medical device industries appear similar. Both industries are highly regulated, require controlled workflow and document management, and have complex market entrance requirements.

However, the regulatory requirements governing the development and marketing of a drug are very different from those of a medical device in the following areas:

Harmonization of regulatory requirements

Global harmonization of pharmaceutical guidelines, through the International Conference for Harmonisation (ICH), is much more complete than in the medical device industry. Regulatory professionals working in the medical device industry must manage market-specific device classification rules, submission regulations, reporting requirements, and more.  

The harmonized requirements in the pharmaceutical industry mean that, while submissions need to be made to each market, they are largely the same.

Change management requirements

Medical devices typically have multiple versions, iterations, and packaging options that inherently make market submissions and registrations more difficult to manage than in the case of pharmaceuticals. In addition, a medical device may undergo changes as the result of a supplier change, software update, or a corrective action made to the manufacturing process or product (among other possible changes). In most markets, any change that has the potential to affect the safety or efficacy of a device must be reported. However, the reporting requirements, including timing and submission formats, vary with each market. RA professionals must understand and track every requirement in every market.

Updates to pharmaceutical products, such as labeling changes, are less common and the notification process is more streamlined because of globally harmonized processes.

Regulatory pathways and options

For many medical devices, the regulatory pathway is not always clear, leaving RA teams to determine the path most likely to succeed and, in some cases, most advantageous to obtaining clearance in additional markets. For example, a new device in the United States might achieve faster approval through the 510(k) process, but the manufacturer must reference a predicate device already on the market. Whether the FDA accepts the identified device as a predicate and whether a PMA process would provide the company a greater competitive advantage are strategic questions for the RA team to answer.

Devices are classified based on different criteria in different countries, making it necessary to analyze the device classification separately for each market as well. If the device is software or a combination device, the approval process may differ from the typical device approval pathway in some countries, but not others. In some cases, multiple options are available, such as participation in the MDSAP program.

Product complexity

From a regulatory data standpoint, medical devices are significantly more complex than drug products. In a pharma RIM system, a new drug is set up in the same manner as existing drugs. For a medical device, there are many more data points that need to be tracked and standards that need to be identified based on such things as whether the device is sold sterile, contains electronic equipment, or includes software.  

A medtech RIM system allows each device to be configured and tracked appropriately for each market.

What are medtech RIM systems?

Holistic RIM systems for medical device manufacturers enable users to create a single source of truth for all data associated with regulatory submissions and registration management. RIM systems are used by regulatory teams to digitize data and automate key processes across the organization.

Medtech RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:

  • Submission planning, authoring, and assembly
  • Market entrance requirements and pre-built submission templates
  • Collaborative content authoring and project management
  • UDI management
  • Standards management
  • Essential principles/GSPR management, including bulk updating

RIM systems are product-centric, structuring data around individual regulated products and their requirements, market by market. This means that RIM systems can track product-specific data and link standards with individual products to easily identify those affected by standards updates.

RIM for regulatory projects and processes

Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. Choosing a RIM system designed specifically for the medtech industry will provide your RA team with the tools they need. To get your regulatory ducks in a row, only a RIM system will do!

To learn more about the Rimsys RIM system, talk to one of our experts today.


The role of regulatory affairs teams throughout the product lifecycle

By Karen Cohn

March 9, 2023

4 min read

The lifecycle of a medical device

The time from when a medical device enters the market to the time it leaves, and the business and regulatory processes associated with that journey, are referred to as a product lifecycle. Regulatory affairs (RA) professionals have responsibilities at each stage of the product lifecycle and will collaborate with most sections of the business on one or more activities. In this article, we discuss the regulatory responsibilities that are typical in a large, global medical device manufacturer.

Cross collaboration with RA across the globe

The Regulatory Affairs professional at the manufacturer often does not complete regulatory activities alone. Major medical manufacturers have RA employees stationed across the globe. The international RA employees or local distributor will provide insight into their country’s regulatory requirements and will often be the individuals that have direct contact with their country’s government agency.  

For example: When a manufacturer is working on a Registration in China, the Regulatory Affairs Engineer in the U.S. may be on an 8pm call coordinating with a Regulatory Affairs Professional in China.  

Manufacturing RA Responsibilities

  • Provide details and information on the medical device.
  • Assist in-country RA in providing manufacturing SME team support on governmental questions during submission review.
  • Provide appropriate documentation from the SME teams to help complete the regulatory submission.

In-country RA Responsibilities

  • Provide insight on the in-country medical device requirements.
  • Identify Standards particular to the country.
  • Manage in-country specific submission deliverables.
  • Identify devices that need to be provided for in-country testing (if applicable).

Each major lifecycle stage (pre-market, market placement, and post-market) is discussed below.

Pre-market

Research and development

A new medical device begins with an idea for a product and an R&D process that will eventually include the quality and regulatory departments. Once designed, these devices are heavily tested to industry standards that are applicable to the device. Higher risk devices must also go through clinical trials before being brought to market. Information on compliance with standards and results from testing are included in the submission documents used to obtain market access.  

Each department plays a role in ensuring that a device and all supporting information is ready to request market entrance.

Regulatory responsibilities  

  • Identify applicable standards that will apply to the new device.
  • Collaborate with R&D to understand the functions of the new device.
  • Identify the intended use of the device.
  • Classify the device for major markets.
  • Collaborate with in-country RA for any additional device testing.

R&D responsibilities

  • Test the new device to the standards identified by regulatory, or find a vendor that performs that testing.
  • Compile the testing reports.

Business role responsibilities

  • Approve the financials for the R&D work.
  • Have an initial scope of regions where the device would be sold.

Initial business case

In parallel to the R&D preparation, a business plan will be developed by the Sales and Marketing teams, along with the Product and Project Managers (“business” teams). The business plan will detail where a product will be distributed and sold. It is incredibly important for the regulatory team to have a full understanding of this plan as early as possible so that they can research regulatory requirements and develop a regulatory plan.

The initial business case is often a back-and-forth conversation between those developing the business plan and the manufacturing and regulatory teams. The business often asks and heavily relies on the regulatory professional to describe the submission processes per country, to note any particularly challenging country for registration, and to explain why there are more requirements in some markets.

Regulatory Responsibilities

  • Notify the business of the cost of the submissions for all markets that the business intends to sell in (Market Access Submissions cost money).
  • Notify the business of the cost of man-hours on a per-registration basis.
  • Notify the business of the labeling costs:
      • Translating the manual into multiple languages.
      • Applying country-specific labeling on the package or on the device.

Business Responsibilities

  • Make good financial decisions on go-to-market.
  • Approve staffing resources for the regulatory activity.
  • Create a priority for submission activity.

Regulatory Plan

The regulatory department creates a plan for gaining market access based on the initial business case. For large, expansive launches in many countries, a regulatory plan may need to consider the requirements of over 100 countries and often includes a phased approach to product launches.

Regulatory responsibilities are often split between the RA resources at the manufacturer and those that are in the country in which the device is being marketed. While they vary by company, responsibilities often look something like this:

Manufacturing RA responsibilities

  • Draft the regulatory plan.
  • Provide classification for country of origin and some major markets.
  • Provide appropriate documentation from the SME teams to complete the regulatory submission.

In-country RA responsibilities

  • Provide insight on the in-country medical device requirements.
  • Classify the device per country standards.
  • Identify in-country specific submission deliverables that need manufacturing SME support.
  • Identify devices that need to be provided for in-country testing (if applicable).
  • Provide timeline estimations for international submissions.

Initial pre-market submissions

In regulated markets, a company needs to “register” their device prior to shipping, selling or marketing a device in the country. These submissions often contain confidential business information and test reports that were identified as needed in the regulatory plan. Once the device is accepted, a certificate is given to the manufacturer allowing the product to be sold in that market.

Typically, manufacturers begin by registering in their country of origin and a small subset of highly marketable countries. This phase often includes the USA and EU. Once a majority of those submissions are completed, submissions to other markets are addressed in a phased approach. There can be multiple waves of these registrations, and the entire registration process can last for months. Registration projects also often overlap for the manufacturing regulatory professional.  

Manufacturing regulatory responsibilities

  • Provide appropriate documentation from the SME teams to complete the regulatory submission.
  • Notify SME teams when support is needed.
  • Coordinate and compile SME answers to governmental questions.
  • Update the business on the submission progress.
  • Notify the business when the submission is complete.

SME team responsibilities

  • Provide adequate information about the device per the regulatory plan.
  • Notify the manufacturing regulatory team of any governmental questions and ask for support when needed.
  • Notify the manufacturing regulatory team of submission progress.
  • Provide SME support to develop the submission and answer governmental questions.

Business responsibilities

  • Provide funding for this activity.

Expansion to the rest of the globe

Once the initial launch is completed or near completion, submission activity begins in every other market that the business approves for launch. For large and expansive businesses, this launch can cover over 100 countries, which can mean 100 regulatory product registrations.

Manufacturing regulatory responsibilities

  • Provide appropriate device information to in-country RA for submission support.
  • Notify SME teams when support is needed.
  • Coordinate and compile SME answers to governmental questions.
  • Update the business on the submission progress.
  • Notify the business when any submissions are complete.

In-country RA responsibilities

  • Complete in-country submission deliverables.
  • Identify standards particular to the country.
  • Manage in-country specific submission deliverables.
  • Identify devices that need to be provided for in-country testing (if applicable).

SME team responsibilities

  • Provide adequate information about the device per the regulatory plan.
  • Provide SME support to develop the submission and answer governmental questions.

Rimsys provides regulatory teams with the ability to manage requirements, content plans, documents, and tasks for new registrations.

Marketing the device

Once a device is fully registered in the regulated country, it can be marketed. However, any marketing material that is created often goes through an additional legal and regulatory review as any inaccuracy can lead to fines for mislabeling the device.  

Manufacturing regulatory responsibilities

  • Coordinate with clinical to ensure claims are aligned.
  • Review marketing content to ensure regulatory compliance.
  • Notify the business when approvals are received so marketing knows when they can begin marketing the device in that country.

Marketing responsibilities

  • Create drafted content which could be product sheets, social media posts, or presentations for conferences.
  • Accept regulatory review of the marketing materials.

Market placement

Change management

Businesses add features and change medical devices all of the time. They may shift where the manufacturing facility is located, add an accessory, or change a motor. All of these changes need to be assessed, and a submission may need to be completed prior to market entry for those changes. These changes also need to be assessed on a global scale. The more countries that are involved, the more complex that process is.

For every change, a survey is often sent out to the in-country regulatory teams, and they are often responsible for completing that assessment for their country. These are typically called impact surveys. It is then up to the RA team at the manufacturer to compile those responses and to receive approval from the business to complete any additional submissions to governments that may be required.

R&D responsibilities

  • R&D and project teams determine a change is needed.
  • Notify the manufacturing regulatory team of the upcoming change.

Manufacturing regulatory responsibilities

  • Fully understand the change that is coming from R&D.

In-country regulatory responsibilities

  • In-country specialist completes the impact survey.
  • Notify the manufacturing regulatory team if additional submission activity is needed, along with the timeline for that activity and the deliverables/support required.

Business responsibilities

  • Approve the submission activity and finance it as needed.

Renewals

After the initial submission, most countries will require a renewal submission after a set number of years to keep the device in the market. It is critical that renewal dates are tracked and managed appropriately. Missed renewal dates may require several months to over a year of work to obtain market approval again. During that time, all sales of the product are stopped.  

Manufacturing regulatory responsibilities

  • Notify the business of upcoming renewals.
  • Coordinate with in-country RA to provide documents and assist in the submission for the renewal.
  • Coordinate SME support for governmental questions if needed.

In-country regulatory responsibilities

  • Notify manufacturing regulatory in a timely manner when renewals are needed.
  • Submit the renewal to the government authority.

Business responsibilities  

  • Approve the renewals.

Rimsys simplifies global submission management with integrated tools that provide complete control over submission authoring, assembly, and publishing.

Post-market

Audits

Governments and other regulatory bodies will often audit the medical device manufacturer to ensure that they are in compliance with current regulations.  

Manufacturing regulatory responsibilities

  • Gathering device marketing registration history and facility registration for a specific set of countries to be presented to the auditor.
  • Familiarizing yourself with the registrations and recent regulatory work that has occurred in the country to be prepared for the auditor's questions.
  • Responding to the auditor's questions if you are on “Audit Duty”.

Quality department responsibilities  

  • Manage the facility tour.
  • Be responsible for the majority of the Quality Management System (QMS).

Research and development  

  • Provide the subject matter expert (SME) with explanations of how testing was developed for the product and the outcomes of said testing.

Post-market surveillance and reporting

Manufacturers must have ways of accepting customer complaints. In certain cases, when the complaints relate to health and safety concerns pertaining to the device, the manufacturer may need to report these complaints to their government or other countries where the device is sold.  

Correctional activities (recalls)

If a company finds a health and safety risk in their device, the company as a whole may need to gather all of the devices that are affected and either repair them or destroy them.

Obsolescence

Obsoleting a product is often a regulatory step and a submission step as well. There are many reasons to take a device out of a market, including low sales, new requirements causing additional work that is not financially feasible, and the availability of newer-generation devices that are safer for the user.

Business responsibilities

  • Notify manufacturing RA and in-country marketing of the obsolescence of the device in the market.

Manufacturing RA responsibilities  

  • Notify in-country RA of the obsolescence and the expected date that the business will stop supporting the device in that market.

In-country RA responsibilities  

  • Submit obsolescence notification to the authority.

Learn more about how Rimsys supports the regulatory teams of some of the world’s leading Medtech companies.


RIM vs ERP software for medical device companies

By Wendy Levine

March 2, 2023

4 min read

Regulatory affairs professionals at large medical device companies must manage heavy submission workloads, registrations for products currently on the market, and ever-changing regulatory requirements. Many RA teams are still relying on paper documents, spreadsheets, and other outdated tools and methods to complete this work, while others have taken steps toward digitization and automation of key processes.

Regulatory teams often struggle to find software tools designed specifically for their workflows. ERP (Enterprise Resource Planning) systems are sometimes used by RA teams to track product attributes, such as selling status and support/service history. ERP systems, however, are not designed to handle the complexities of regulatory workflows nor the type of data that needs to be securely managed within a medtech company.

What is ERP software?

Enterprise Resource Planning (ERP) software encompasses a wide range of systems that typically manage multiple sectors within an organization. Originally designed for manufacturers, ERP systems are now used by industries as varied as public utilities, wholesale distributors, service organizations, and retail companies.  

ERP systems manage the data and workflows associated with almost every sector within an organization, including:

  • Manufacturing  
  • Device identification/history
  • Purchasing and sourcing
  • Service delivery
  • Finance
  • Human resources
  • Engineering
  • Asset management
  • Supply chain
  • Customer management and sales

Modern ERP systems are designed to provide a single, integrated platform to manage the majority of functions within an organization. The trade-off, however, is that because functionality needs to meet the needs of a variety of organizations, it will often fall short in highly regulated industries that require very specific data, workflows, and controls.

What are RIM systems?

Regulatory information management (RIM) systems have been around for years in the pharmaceutical industry but are relatively new in the medical device industry. Holistic RIM systems enable users to create a single source of truth for all data associated with regulatory submissions and registration management. Think of a RIM system as an ERP system for regulatory teams that is used to digitize data and automate key processes across the organization.

Medtech RIM system functions are designed to support a range of regulatory activities across a product’s lifecycle. In addition to centralizing core regulatory data and managing regulatory registrations and certificates, RIM systems can also support:

  • Submission planning, authoring, and assembly
  • Collaborative content authoring and project management
  • UDI management
  • Standards management
  • Essential principles/GSPR management, including bulk updating

RIM systems are product-centric, structuring data around individual regulated products and their requirements, market by market. This means that RIM systems can track product-specific data, such as UDI records, and link standards with individual products to easily identify products affected by standards updates and assess their impact.

Integrating ERP and RIM systems

The most common point of integration between ERP and RIM systems is an “available to sell” setting at the product level. Product information in a RIM system will include registration status for each country and an indication of whether the product can currently be marketed and sold there. It is critical that the ERP system restrict distribution and/or sale of a product automatically based on the selling status set by the regulatory team.

ERP systems will also often be integrated with Product Lifecycle Management (PLM) systems used by product development and manufacturing teams to manage product information at every step of a product’s lifecycle, including product data, records, specifications, and configurations. ERP systems can also be integrated with eQMS (electronic quality management systems) and RIM systems to ensure coordination of risk management activities, product updates, and quality data between the regulatory, quality, development, and manufacturing teams. Ideally, your regulatory team is notified as early as possible of any planned updates or changes to a product that is in-market or pending market approval.

RIM for regulatory projects and processes

Digitization and automation of regulatory data are more critical as global regulations continue to change and become more complex. Getting a medical device to market is a difficult process, but RIM software cuts the time and costs associated with product registrations while providing tools essential for ensuring ongoing compliance. ERP systems are central to an organization’s operation, but their broad focus simply does not provide the detailed functionality needed by regulatory teams. Integrate your ERP system with a holistic RIM system to give your regulatory team the tools they need to bring your products to market successfully and to maintain compliance. To get your regulatory ducks in a row, only a RIM system will do!

To learn more about the Rimsys RIM system, talk to one of our experts today.
