Staying Compliant Post-Launch

Post-market surveillance (PMS) is required for all devices.

Requirements:

• Plan for data collection
• Trend analysis and signal detection
• Regular updates to clinical files
• Vigilance reporting (e.g. EUDAMED)

For Class IIa+, submit PSUR every 1–2 years.

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

CE Mark ≠ Reimbursement

Each EU country has its own reimbursement process.

Highlights:

– Germany (DiGA): Fast track, 12-month provisional access

– France: Multiple programs (ETAPES, PECAN)

– UK: NICE approval + local commissioning (ICBs)

Evidence needs differ, it can be Randomized Controlled Trials (RCTs) or real-world evidence depending on system.

Learn more on Scaling MedTech: From Product to Market

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

MDR Requirements

SaMD must show:

• Clinical association (medical logic)
• Analytical validity (correct processing)
• Clinical validation (real-world benefit)

Documentation:

1. Clinical Evaluation Plan (CEP) = how you’ll gather evidence
2. Clinical Evaluation Report (CER) = full evaluation
3. Post-Market Clinical Follow-up (PMCF) = follow-up after launch

Use real-world evidence, literature, or clinical studies.

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

Get CE Mark

Most SaMD is Class IIa or higher—requiring Notified Body involvement.

Key Steps:

1. Prepare tech documentation (Annex II, III)
2. Implement QMS (ISO 13485)
3. Create clinical evaluation plan (CEP) and report (CER)
4. Work with a Notified Body

Class-specific routes:

• Class I: self-certify
• Class IIa-III: Notified Body review + ongoing surveillance

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

Security = Safety

Under EU MDR, cybersecurity is a General Safety and Performance Requirement. Failure to secure software is a patient safety risk.

Technical Steps:

• Secure architecture and testing (MDCG 2019-16)
• Access control, encryption, logging
• Vulnerability management and patches

GDPR Considerations:

• Health data = special category
• Explicit consent and purpose limitation
• DPIA (Data Protection Impact Assessment) required if high-risk AI involved

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

To enter the EU market, your SaMD must be developed under a Quality Management System (QMS) that complies with ISO 13485.

What You Need

• ISO 13485: General quality framework
• ISO 14971: Risk management integration
• IEC 62304: Software development lifecycle

Best Practices

• Build your QMS, don’t buy a generic one
• Ensure continuous documentation and audits
• Tie QMS to real clinical risk management

Cybersecurity Integration

Use MDCG 2019-16 as a guideline for secure development. Cybersecurity is considered a safety issue under EU MDR, it is not just IT hygiene.

Learn More:

• ISO 13485:2016
• IEC 62304

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.

EU MDR’s Annex VIII, Rule 11 determines how software is classified:

• Class IIa: Most diagnostic and therapeutic decision-support tools
• Class IIb: Tools whose incorrect use may lead to serious harm
• Class III: Life-critical functions (e.g., software controlling pacemakers)

What Determines the Class?

• The intended use and severity of the condition it addresses
• Whether the software makes decisions or just informs them
• If a human-in-the-loop can reliably override the software

Example:

• Software interpreting chest X-rays → Class IIa or IIb
• Sepsis detection app triggering alerts → Class IIb or III

References:

• MDCG 2019-11 rev.1
• IMDRF SaMD Categories

This post is part of SaMD Europe Launch Guide.

This content has been enhanced by GenAI tools.