Posted on

Taking Back Some Time

The world of IVDeology can be all consuming some times, with so much change, opportunity for growth and learning new things it can be hard to find the time to recharge the batteries. 

Since the creation of the company by myself and Nancy in 2018,  it has always been difficult to fully get away from the day to day running of the business, and the work phone is never too far from your hand (I am sure all small business owners often face this same dilemma). However we have build a truly awesome team around us, bringing positivity, togetherness and excellent IVD knowledge to run, organise and manage the running of the company, So last week I had a full week off, sailing in my Dinghy at the Wilsonian Sailing Club on the river Medway in the South East of the UK where I live.

During the week we, had the benefit of a great coach, some super safety boats keeping watch and keeping us safe, and some lovely weather to help us enjoy the week. 

Having an old wooden boat, I did have some complications, bits and bobs fell off or snapped during the week and I had to make some running repairs – check out my previous blog on boat maintenance and boat repairs, and how this can be related to a Quality Management System.

(See the above patch up job fixing a hole in the rear of my boat (the transom port without the flap… which fell off, when the mainsheet snapped!))

I have only been sailing for a year, and I still have enormous fear and anxiety whenever I step in the boat. It is much easier for me not to try, or find excuses why I can’t go out it in. But similar to running a business, if you never try, you never learn something new, and you never succeed.

And I had a truly great time!

So on reflection of the week, I am hugely grateful for the folk at the sailing club for supporting me, teaching me new things about sailing – but also for my great IVDeology family who I can trust to run the company smoothly in my absence.

5 key learning points:

  • Be positive and you can achieve great things 
  • Trust your team, they are better than you can ever believe they can be
  • Take some time out for yourself
  • Preventative boat maintenance is key
  • Gorilla Tape fixes everything – including holes in a hull of a boat

Happy Sailing all!

Posted on

Impact of IVDR Transition in Australia

Last month the TGA, the competent authority in Australis has issued an update on the  Transition to new manufacturer evidence for IVD medical devices (tga.gov.au). This document explains the new requirements for manufacturers to demonstrate that they meet the requirements for IVD in Australia.

Typically, the use of CE marking has been used to demonstrate compliance to the TGA requirements, and the EU declaration of Conformity, along with an ISO 13485 certificate. However, with the transition to the IVDR, the TGA are requiring new evidence to be provided.  

For new devices, an alternative to an ISO 13485 certificate is required, namely an MDSAP certificate covering ISO 13485 requirements. They will also be accepting IVDD certificates with existing ISO 13485 certificates during, and aligned to the IVDR transition dates.

Summary of TGA cut-off dates

Posted on

Reflections on MedTech Summit: is 2023 the year of opportunity?

The annual MedTech Summit was held this year in Brussels. The IVD stream provides 2 days of focused content relevent to the IVD Industry, strongly focusing on the EU IVDR. I was fortunate to present a session on Intended Purpose under the IVDR, something that is very critical to the transition to IVDR. Anyone who has listened to me present previously knows that I strongly recommend a good, early understanding of the Intended Purpose of the device.

In an attempt to summarise the discussions over the last 2 days, I have three main take away messages:


See IVDR as a positive opportunity

Since the IVDR was first published, the industry had widespread concern with the problems the industry would face to get ready for the higher compliance. Delays in infrastructure, including a slower update of Notified Bodies to support the process, resulted in additional transitional timelines for class B, C and D devices. 

Feedback from a number of Notified Bodies now suggest that they are all open for new applications, and they have the resource to support manufacturers for conformity assessments. It is the manufacturers themselves who are not ready for the application process. While it is understandable that external political, economic and practical factors are delaying manufacturers readiness to IVDR, there is no better time to push forward with the process. While some elements still need to be addressed (EUDAMED, EURLs), on the whole, the industry has enough knowledge, guidance and resource to successfully implement IVDR. 

So if you haven’t started, don’t delay, start the process! You can get through it. NBs have the time and capacity (for now) to support you through the process. We know that this capacity will be taken up from 2024 as we get nearer the deadlines: so get ahead of the crowd – there is no better time to make a start!


Make the best effort you can on your technical documentation

All devices will need to have an new or updated series of technical documentation to be ready for IVDR, irrespective of class. From the discussions, the message is clear. Closely follow Annex I, II, III and guidance provided by the NBs as best you can. Really take on board the principles of Clear, Organised, Unambiguous, and Readily Searchable when building your documents. 

There is a correlation between the time and effort building your technical documentation, including your analytical and clinical data, and the successful outcome and time taken for the conformity assessment. The better you prepare the higher a chance of success.


Make UKCA work for your business goals

Hopefully you will have seen the update from the MHRA on the timelines for UKCA marking. More will be coming in the months ahead as we gear up to the new MDR2002 (UKCA). However, up until June 2025, manufacturers placing new devices on the UK market can benefit from the existing MDR requirements based on the IVDD. The majority of devices remain self-declared (except high risk devices, and self-tests), so while you still need to meet the safety and performance requirements of the UK regulation, this remains a quicker and cheaper route to market compared to the EU, FDA (and UK beyond 2025). Once your devices are placed on market, you will have 5 years to build up your QMS and Technical Documentation to meet the new UKCA requirements.

For SMEs especially, this would allow devices to be on market, producing revenue quicker, and in an important market, while you continue to develop and grow your regulatory compliance. But you don’t have long, now is the time to start this process!


Overall, being at events like MedTech Summit, it reminds me how great our industry is. The effort, positivity and willingness to make a better healthcare system for patients is truly remarkable, keep up the great work people, we can and will overcome!!

For further information or further insights on UKCA or IVDR, or how IVDeology can help you with your regulatory goals, please contact [email protected] to book a call with me.

Posted on

UKCA, MDR2002 and why May 2025 is so important

The MHRA have provided a further update to the implementation of the future regulation of IVDs in Great Britain on the 16th June 2023. This follows on from earlier updates pushing back the timelines for UKCA marking for IVDs.

Here are the key timelines for placing IVDs on market in Great Britain:


When using CE marking

  • In Vitro Diagnostic Medical devices (IVDs) compliant with the EU in vitro diagnostic medical devices directive (EU IVDD) can be placed on the Great Britain market up until the expiry of certificate, or 30 June 2030. This is only applicable for devices where a declaration of conformity has been drawn up prior to 26 May 2022
  • IVDs compliant with the EU in vitro diagnostic medical devices regulation (EU IVDR) can be placed on the Great Britain market up until the 30 June 2030.

For devices continuing to utilise the IVD Directive certification (IVDD List A, List B or Self-test devices): while in practise, the 30 June 2030 offers a long lead-time, in reality this is dependent on the expiry of your CE certification. Article 110 of the IVDR states that IVDD CE certificates can be used up to their expiry or until 27 May 2025. Beyond that date, devices which have an IVDD Certificate can not be placed on market in either the UK or EU.

General IVDs under the IVD Directive, for which the conformity assessment did not require a notified body, can only be placed on the Great Britain market if the involvement of a notified body would be required under the IVDR (Class A Sterile, B, C, D) up until 30 June 2030, taking into account the IVDR transition dates applicable for each device class.

What are the deadlines for EU IVDR (2017/746/EU)?

The transition dates are as follows:

26 May 2022 – Class A, New devices

26 May 2025 – Class D devices

26 May 2026 – Class C devices

26 May 2027 – Class B, Class C Sterile

This has been explained in an info graphic by the MHRA.


When using UKCA Marking

Devices can now be placed on the UK market under a UKCA. Currently, this can be completed under the existing MDR2002 (similar to the EU IVD Directive). From the 26 May 2025, all new devices placed on market under UKCA will be required to meet the new regulatory framework, which is due to be published later this year.

It is expected that devices placed on market under the UKCA before 25 May 2025, must comply with the new regulatory framework from 30 June 2030.

The transition process above gives the industry an opportunity to benefit from the use of the existing UK MDR (IVDD) framework, where general devices can continue to use self-declaration before the deadline (707 days to go!!) While progress can be made on compliance to EU IVDR.


Further Updates

Further information will be provided regarding Post Market Surveillance requirements (expected in the next 3-6 months) and the full draft regulation at the end of 2023 – early 2024.

We encourage IVD manufacturers to review their device portfolios, classification and certification against the timelines above, and start preparing for the transitional process. IVDeology are currently supporting a number of international companies through the IVDR and UKCA transition. For more information on how we can support you, book a call with Casey or e-mail [email protected].

Posted on

Integrating ISO27001 and ISO13485

Information Security and Quality Management Systems (ISO 27001 and ISO 13485) : How can they be integrated? 


By Fiona Beardwell, Regulatory Specialist and Linda Garrod, QMS specialist

ISO 27001 details the requirements for establishing, implementing and maintaining an information security management system (ISMS) for managing and protecting company information including personally identifiable information. Those medical device companies seeking to work with government organisations, like the NHS, quickly discover the expectation for some form of Information Management and Cyber security system. ISO 27001 certification is one way to fulfil these expectations, and the principles covered by ISO 27001 are closely aligned with the NHS digital toolkit/data security requirements. 

As many medical devices now include a software element or are software-only devices (known as SaMD – software as a medical device), information security has become increasingly important to manufacturers. Furthermore, tightened privacy laws across the globe place additional responsibilities on manufacturers to protect patient data and prevent cyber-attacks which could result in patient harm. Rather than having separate and disjointed management systems for information security (ISO 27001) and Quality Management System for medical devices (ISO 13485), having one holistic system established within the organisation, ideally during the Design and Development, will support creation of safe and secure medical devices and supporting systems. Both standards apply a risk based approach to the Management System.

ISO 13485 applies risk in the context of risk to safety and performance of the medical device. For ISO 27001, risk and opportunities are key inputs into the planning of the Management system from a prospective of achieving ISMS intended outcomes, reducing undesired effects and aiding determination of the Annex A controls to be applied. Therefore, I would recommend approaching information security risks and medical device risk management separately. Where the information security risks relate to an SaMD or onboard software of a physical medical device, relevant elements of the information security risks shall become an input to the ISO 14971 risk assessment process. ISO 27001 and ISO 13485 apply the same core management system principles of Plan, Do, Check, Act and following this approach aids designing standardised approaches to processes.. 

So, for those looking to start your ISMS & QMS journey, the first key steps falls within the Plan phase, where you;

• Identify all the applicable industry standards and regulatory requirements relevant to your device, systems and the information involved.

• Identify your interested parties including patients, users, customers, suppliers and regulators and their requirements/expectations. 

• Identifying your existing business systems, resources, organisational competencies and infrastructure needs 

Pulling all these elements together and identifying any conflicting requirements allows you to devise a clear plan for creation of your managements system, as well as your quality and information security objectives, which will drive your future activities. Commented [LG1]: Might be worth including global privacy laws as another reason for info security and an increase in cyber attacks

The ‘Do’ phase can be the longest and most intense part of any management system implementation as you create meaningful policies and procedures, designed with the user in mind, guiding your team through the processes needed to consistently generate the desired output, support production of safe devices, securely manage data and utilise a risk based approach to all activities. While it may be optimal to create a holistic management system from the start that doesn’t mean, if you already have an established ISO 13485 QMS, that incorporating the requirements of ISO 27001 is impossible. In fact in many areas the requirements can be built into your existing ISO 13485 procedures and simply complemented with additional policies and procedures where appropriate. 

Where your management system contains requirements from multiple sources, your ISO 13485 mandated Quality Manual is an excellent place to explain the applicable regulations and the interactions of the processes. I would recommend providing an overview in the opening sections of the manual, including where possible a visual depiction of the interacting QMS and ISMS processes, and then providing additional detail on the specifics of the Information Security Management System at the end of the manual. This structure will help to provide top level clarity of the interacting processes with easy access to further information where required. This can be particularly useful in certification audits to easily explain the elements relevant to each standard. The ‘Check’ and ‘Act’ phases of both standards ensure security of processes and data, safety of devices and continual improvement of the management system. Internal audits are a feature of both standards and allow for reflection on the processes implemented and potential opportunities to improve. A good management system is never done; it should always grow and adapt as the risks and requirements within the field in which it operates evolve. Elements such as change control, management review, nonconformity and corrective action can drive continual improvement, which is crucial to all Management Systems.

ISO 27001 confers a number of benefits to your organisation:

1) Compliance – provides a framework to comply with regulations regarding data protection, privacy and IT governance and contractual obligations. 

2) Gives you a marketing edge to differentiate your company from competitors. 

3) Reduces expenses cause by incidents. Preventing incidents in the first place saves money in the long run. 

4) Strengthens your organisation by defining responsibilities and processes. 

So If you need any help with integrating ISO 27001 into your company, or even want to begin implementing your QMS as a starting point, then please contact us here and Casey will point you in the right direction

Posted on

Reflections of an external PRRC

As you may know, IVDeology provides compliance support to IVD companies around the world. We love working with SME IVD manufacturers and economic operators (UKRP, Distributors, Importers) who don’t always have sufficient capabilities or bandwidth to address the quality or regulatory compliance needs required under IVD regulations in the EU, UK or rest of the world. Being part of our customer’s compliance support bubble, we can really help them understand how to navigate compliance, either pre-registration or as part of post-market surveillance activities. 

IVD manufacturers who place devices on the EU market, under the EU IVDR, are required to have a Person Responsible for Regulatory Compliance (PRRC), defined under Article 15. For UK SMEs, this role can be outsourced within the same geographic area (the UK). 

The role of a PRRC is to ensure that:

  • The conformity of the device is checked,
  • The Technical Documentation and Declaration of Conformity are available and up to date,
  • Effective post market surveillance is performed,
  • Any performance evaluation studies are performed correctly,

Our team have all had roles similar to this within big IVD companies, and having a good oversight of design & development, change control, risk management and vigilance is key to making sure the device remain compliant. This however can be difficult as an outsider looking in. This is why is it important to build a good relationship and a high level of trust between the manufacturer and external PRRC. But it also requires a good quality and regulatory culture within the manufacturer, even if they do not a QA or RA head count – and this is the tricky bit!

Leadership has an important role to play here, in fostering a great understanding throughout the company of Quality/Regulatory culture, and this should be done as part of the relationship building with the external PRRC. For the business leaders I say – please don’t consider that QA RA compliance responsibilities lies completely with the external party. You still have a responsibility to build an understanding of QARA internally, the external PRRC plays an important role in helping you do this. 

We are aware that this takes an investment of time and unfortunately money, but having an external PRRC, when done right, can make a massive positive difference to your organisation, maintain compliance, and can reduce the need for an additional expensive headcount.

To learn more about the support IVDeology provide, and how to implement the PRRC role, either internally or externally within your organisation, contact Casey for further information.

IVDeology are proud sponsors of TEAM PRRC

Posted on

Experiences from an Audit

Its mid-morning, and you’ve been called by your management to the ‘Audit Holding Pen’, the backroom next to the room where an external auditor is performing an assessment of your Quality Management System, your QA manager is in the room and already looking stressed and tired. 

About an hour later, you get called in, specifically to discuss a non-conformance report you raised 8 months prior. The audit room is quiet, but the auditor smiles and invites you to sit down next to them, and in front of your NC report. They ask you to explain what happened, what steps you took and how you investigated the non-conformance – but your mind goes blank. You can barely remember your name, let alone how you completed the investigation!…

For anyone who has been in an audit, they may have similar stories, but whatever the experience, it can be a very challenging environment, especially if you are new to audits.

The purpose of the audit is to make an independent assessment of your quality management system, or Quality/Regulatory ecosystem. This can be via a notified body, competent authority, customer or corporate party. The audits can be planned, or unannounced, and can vary in scope and length. 

With many diagnostics companies, the transition to EU IVDR, UKCA or transferring to the USA (FDA), having external audits is a new addition to your organisation. Handling an audit effectively is a key skill that takes years of practise, but there are some things you can do to give you best chance of success:

  • Build a process for audit management: When the auditor turns up on your doorstep, it is really important that everyone knows what to do. Who should receive them? Where can they go while you notify your team and organise your audit management?
  • Ensure management buy in: Strong leadership is key here, pull in whoever needs to be involved, this may be top or middle management depending on your organisation. Keep the communication stream going, this will give them a heads up on the audit progress, and allow you quick access to any expertise you may need.
  • Be clear on roles and responsibilities: While sometimes it is easier to control the audit within a closed group, the reality is that you may need the support of others throughout the day. If you are the main auditee, your time will be focused in the room. Establish a role outside the audit room who can coordinate documents, people and tea/coffee. Giving your staff experience of the audit process is a great development opportunity, we’ve all got to learn somehow!
  • Establish good quality culture: There is no substitute for building a strong quality environment around you. Building robust processes which are well understood and followed, will make the audit go much smoother! Establishing a good quality culture takes time, but adds real value and makes life much easier in the long run.
  • Build in mock audits into your quality system: If your team are new to external audits, why not perform a few mock audits in addition to your internal audit programme. It may be disruptive for a day, but the organisation will learn so much from it. It will also give people some additional confidence when it comes to the real thing.

Our team all have their own stories from grilling, or being grilled at an audit. We can help you in a number of ways:

  • Mock audit: We can be an independent external auditor, to come in and help your company test your audit robustness. We can use our audit management experience to interview your team and give you honest, constructive feedback on how you can effectively manage the process
  • Audit training: Our workshop events can help you establish a process to manage your audits, and help you assign the roles and responsibilities your team needs
  • In-audit support: Sometimes you just need a steady hand in the audit. We can sit with you in your audits and help you explain, justify and understand the audit requirements and outcomes. 
  • Post-audit support: We can help you understand, plan and implement any corrective actions from audit non-conformances

However you manage the process, the audit process should be seen as a positive experience, and it is critical to the continued growth and improvement of your quality management system. For more information, including how we can help you with your audits, book a meeting with our team.

Posted on

Happy 1st Birthday, EU IVDR date of application!

It’s officially a year after the date of application (DoA) for the EU IVDR, and although there are transition dates for the legacy devices, the requirements for post-market surveillance (PMS), market surveillance, vigilance, registration of economic operators and of devices have been in place since the DoA – 26th May 2022. 

Therefore, there is a need for manufacturers to comply with the Post Market Surveillance obligations for ALL CE-marked products now.

So, what does this mean for me today? 

All manufacturers of CE-marked devices must have a PMS procedure within their QMS that aligns with the requirements established in Articles 78 to 81, Annex III and Annex XIII Part B. The procedure should link to the relevant procedures for Risk Management, CAPA and Performance Evaluation.

A PMS Plan must be created for each of your devices (according to Annex III). This should include:

  • what data you will be collecting for your device – data such as complaints, adverse events, trends, production information, literature searches, feedback from users, importers & distributors; how frequently will you be collecting the data,
  • how you plan to analyse the data collected – what methods you will use, who will complete the analysis.
  • what you will then do with the results – reassessment of the benefit-risk analysis, investigations, determining the need for any CAPAs or communication with customers, Competent Authorities, Notified Bodies and Economic Operators.

It should include proactive data collection, such as from customer surveys, not only relying on data from complaints and trends. It should also include a Post Market Performance Follow-up Plan (according to Annex XIII Part B) or a justification as to why this is not necessary. 

The plan should also include the frequency of review required. For Class A & B, you can justify the frequency of PMS reporting based on the risk of your device. For Class C and D CE-marked products, the requirement is for PMS to be carried out annually and therefore the first ANNUAL review will be coming up! 

For Class A & B devices the outcome of the Post Market Surveillance will be documented in a PMS Report (according to Article 80) where the results are summarised together with the conclusions drawn and any actions required are documented. For Class C & D, the outcome of the PMS will be documented in a Periodic Safety Update Report (PSUR) (according to Article 81), unless they are still currently CE marked under the IVDD where under the transition, according to the published guidance MDCG-2022-8 on legacy devices, a PMS report is the minimum requirement for these devices unless a manufacturer voluntarily prepares a PSUR. The PSUR, in addition to the results, conclusions and actions required by the PMS Report, also includes the conclusion of the benefit-risk determination, the findings of the PMPF and volume of sales, estimation of the size and characterisation of the population using the device and the usage frequency.

So, what should I do next?

  • Make sure that you have the relevant procedures and templates in place to meet the IVDR requirements for PMS.
  • If you are a manufacturer of a Class A or B device, ensure that you have a PMS plan in place for all your devices and that you are collecting the data that you have determined within the plan is appropriate.
  • If you are a manufacturer of a Class C or D device, start preparing for your first PMS review and creating the required report for your device.

If you want to know more or feel that IVDeology could help, then book a call with Casey here

Posted on

Post Market Surveillance – What’s expected?

The MHRA recently announced plans to release new requirements later this year for post market surveillance for IVDs for implementation mid-2024 ( if you missed this, you can read about it here in another post of ours here). However this does not mean that manufacturers currently do not have obligations for post market surveillance (also known as PMS). 

Even under the IVD Directive, which the UK MDR 2002 references, post market activities are required. Annex III part 5 states:

“The manufacturer shall institute and keep up to date a systematic procedure to review experience gained from devices in the post-production phase and to implement appropriate means to apply any necessary corrective actions, taking account of the nature and risks in relation to the product.”

This means that as manufacturers you still need to be collecting data on how effective your device is – monitoring your customer complaints and feedback, any incident reporting, your manufacturing information, looking at your trends, to mention just a few possible sources of information. This data should then be reviewed to determine whether any updates are required and if so these actions should be documented appropriately. Potential updates could impact your:

  • Risk Management File – Is the Severity of the risks impacted? Does it impact your frequency of occurrence of known risks? Are there new risks that you haven’t included?
  • Instructions for Use & Labelling – Do you need to add additional warnings? Are your instructions clear enough?
  • Training – Is any training that you provide sufficient? Is additional training necessary for your users?
  • Other products – Does the issue impact other devices you manufacture? 

Moving forward, we are also wondering what to expect in the new requirements. The consultation response released by the UK government indicates that they want “to clarify and strengthen the requirement for manufacturers to implement a post-market surveillance system”. It is expected that the new requirements will be broadly similar to the requirements for post market surveillance in the IVD Regulation. Good news if as a manufacturer you are also CE marking your device, this is likely to mean that most of the new expected requirements will be in place and when further guidance is shared by the MHRA, your procedure will only require some small adjustments to accommodate any local differences. 

Post market surveillance can often feel like a very time-consuming, resource heavy exercise which many manufacturers only complete in order to meet the regulatory requirements. However this is such a waste. As a manufacturer, PMS enables you to collect real-world data of your device being used by your intended users in your intended use environment – data levels which no clinical trial would be able to replicate. This data can then be used to show that your device is still safe and effective, something which all regulatory authorities will be looking for. 

So as a manufacturer what should you do next:

  • Review your procedure – make sure it aligns with the MHRAs requirements
  • Create a PMS plan – ISO/TR 20416 gives great guidance for this
  • Determine what data you have available for your device and where that data comes from. Look at the best way for collating and analysing the data you have available

If you need any assistance with your post-market surveillance procedure or creating your PMS plan then IVDeology can help. Book a call here and have a chat with our friendly team.

Posted on

That’s a RAPS!

On 8th and 9th May 2023 I took part in something that I think could be a huge step forward in providing a credential for Regulatory professionals looking to move into or already covering the role of Person Responsible for Regulatory Compliance (PRRC). The RAPS regulatory compliance certification programme. The IVD regulation is clear as to the requirements that the PRRC must have in education and experience. However, the minimum level of degree level qualification in law, medicine, pharmacy or other scientific discipline and one year’s regulatory or quality specific IVD experience is not, in my opinion, enough to equip an individual for this highly responsible role.

The Regulatory Affairs Professional Society (RAPS) has been offering the Regulatory Affairs Certification (RAC) since 1991 and in 2019 they initiated the Device specific RAC. The introduction of this credential has gained traction and is often stated as preferred that a candidate holds this credential in US job adverts. With the PRRC role now being a requirement for compliance to the IVD Regulation in the EU RAPS has again risen to the need for a tangible credential which demonstrates an in depth knowledge of the IVD Regulation 2017/746 or the Medical Device Regulation 2017/745.

The process that I was involved with was to provide subject matter expertise, along with other SMEs, to review each of the questions constructed for this new certification examination. We were given the instructions to review for content, and accuracy, to check source references and also provide wording for adjustment to any questions we considered required amendment. This process took two full days, carefully checking and also identifying where questions had been repeated, or where there may be too many questions focussed on the same area.

I really enjoyed the chance to work with a group of experts, from many different backgrounds, to ensure that the final collection of questions would provide a true test of an individual’s knowledge of the IVD Regulation and hence a pass would provide a clear credential for public scrutiny. While there is no suggestion that this new certification programme should be made compulsory for those wishing the be a PRRC it can go a long way to provide confidence that someone is ready to perform in this role

If you’d like to learn more about our services, including appointing a PRRC, please get in touch here