Blog - News and Updates

The roles and responsibilities of economic operators under the IVD Reg

Sep 04, 2018

During the transition to the new IVD Regulation 2017/746/EU, manufacturers of in vitro diagnostic medical devices will need to include the understanding of the product distribution flow within their gap assessments to the new regulation.

The current IVD directive 98/79/EC details responsibilities for manufacturers, authorised representatives, importer and distributors. The new IVD Regulation which comes into force in May 2022 provides an update of those responsibilities.

Summary of Key Manufacturers Responsibilities

  • Design and manufacture IVDs in accordance with requirements of the regulation
  • Create and maintain a risk management file (ISO14971)
  • Complete performance evaluation
  • Compilation and maintenance of technical documentation and EU declaration of conformity
  • Maintain an effective Quality Management System and undergo a conformity assessment (ISO13485) process
  • Assign unique device identifiers (UDI) to applicable products and ensure all packaging and IFU requirements are met

Virtual manufacturers (formerly own brand labelling) who use third party providers to design and manufacture their products must now accept additional legal responsibility for the creation and maintenance of the product technical documentation and declaration of conformity. They must also maintain these documents within a quality management system which is subject to conformity assessment by a notified body.

Where the manufacturer is located in a third country outside the EU, they must appoint an Authorised Representative to act on their behalf within the EU for devices placed on the market.

Note: The requirement to establish an EU Authorised Representative may be applicable to UK manufacturers in the event of a ‘no deal’ Brexit arrangement.

Summary of key responsibilities of an Authorised Representative

  • Ensure technical documentation and conformity assessment is completed by the manufacturer
  • Hold current versions of the technical documentation and declaration of conformity
  • Adhere to all product registration obligations
  • Adhere to vigilance reporting obligations within the EU on behalf of the manufacturer

Both manufacturers and authorised representatives are required to appoint a person responsible for regulatory compliance, this person, or people, must have enough experience to assess the compliance of the device before being placed on the market. This includes reviewing the technical documentation and post market surveillance activities against the requirements of the manufacturers quality management system. The responsible persons are also responsible for the reporting and commination to the competent authorities of any vigilance activities related to the device within the EU.

Summary of key responsibilities of an importer

  • Ensure that the device is in conformity to the regulation
  • Ensure that the device is CE marked and registered (in Eudamed)
  • Ensures that a declaration of conformity is available
  • Checks that if an authorised representative is required, in appointed by the manufacturer and included within the packaging
  • The device meets all labelling requirement of the regulation including IFU and assignment of a UDI
  • Ensures that the packaging includes the importer name and address
  • Maintains and monitors stability of the product throughout transport and storage
  • Maintain and provide complaint and non-conformance data to the manufacturer

The importer is the first point of landing for devices that are manufactured in a third country. It is therefore important that the importer ensures that the products being received meet all the requirements of the regulation prior to distribution. The importer must be recognised within the packaging (IFU or label) and must have a process to collect, store and provide customer feedback to the manufacture as part of post market surveillance.

Summary of key responsibilities of a distributor

  • Ensures that the device is CE marked and declaration of conformity is available
  • Device is accompanied by an IFU
  • Importer name and address is on the packaging
  • A UDI is assigned

Distributors must establish a suitable sampling method to check that the incoming devices meet all the regulatory requirements. They must also maintain records of any customer feedback and provide it to the manufacturer.

If you are any of the above within the IVD market then it would be beneficial to talk to your suppliers/customers to ensure that the responsibilities for each are defined.

IVDeology Ltd can help IVD and Medical Device Manufacturers, Authorised Representatives, Importer and Distributors make an assessment of the responsibilities and provide support for all aspects of quality and regulatory compliance.

Please contact either Stuart or Nancy to find out more:

Risk Management in IVDs

Jun 26, 2018

Written by Stuart Angell, Director IVDeology Ltd

Risk is something we deal with all day, every day in our busy lives. Sitting down with my breakfast writing this I had to boil water in my kettle, carry hot coffee to my desk in a mug, toast some bread in my toaster, retrieve butter from my electric fridge... 

Risk is everywhere, but did I worry about burning myself on the hot water? or electric shock from my toaster? No, because I am confident that the equipment that I used was safe to use. The products are CE marked, and I have confidence that the manufacturer has demonstrated that the kettle, or toaster are safe and effective for their intended use.

For medical devices, and in-vitro diagnostics, this responsibility of the manufacturer is the same, so that people like me (for a self-test, or a trained person for a lab or near patient test) have confidence that the device is safe and effective to use. The current state of the art for assessing risks for medical devices is the international harmonised standard ISO 14971:2012; Medical devices – Application of risk management to medical devices and it provides a backbone for an effective quality management system (demonstrated by the increased reference within ISO13485:2016 and MDSAP) and a core part of the General Safety and Performance Requirements of the MDR and IVDR.

ISO14971:2012 Process

ISO14971:2012 provides a systematic approach to ensure that all risks associated with the design, manufacturing & delivery and use of the device are identified, considered and controlled as far as possible. Not only is this assessment performed as part of design and development of the device and continuously reviewed throughout the product life-cycle.

"Risk assessment is part of design and development of the device 

and continuously reviewed throughout the product life-cycle."

The standard provides very good guidance on how to construct and manage a risk management system. It also includes a series of informative Annex notes giving further details and examples on the risk management process and tools that could be used.

A common tool for risk assessment is an FMEA (failure mode and effects analysis) which focuses on the potential (or actual) failure modes resulting from a design or process step associated with a device.

An example FMEA template can be downloaded.. IVDeology Ltd FMEA Template.xlsx

The FMEA tool is very useful for initial brainstorming of risks, contributing factors and upstream impacts as you design your product or your manufacturing process. The IVDeology template uses the quantitative estimation of severity of harm (SEV), occurrence or harm (OCC) or ability to detect failure (DET) each with a score from 1 (low) to 10 (high). In practice the rating can be difficult to estimate during early design stages therefore the risk assessment should be reviewed at each stage of the product life-cycle. The severity, occurrence and detection values multiplied together result in a Risk Profile Number (RPN) from 1 to 1000. The higher the number the greater risk and therefore greater consideration should be given to implement mitigating controls, however all risks should be evaluated to identify opportunities to reduce risks.

Risk should be lowered as far as possible by implementing additional controls into the design of the product, design and control of the production process (including in-process testing) to ensure the inherent safe design and construction of the device.

Note: Provision of additional warnings given to the user within the information of use (IFU) should not be considered a risk reduction strategy.

"Risks should be lowered as far as possible by design changes

 or design or control of the production processes. Additional warnings

 in the IFU should not be considered for a risk reduction strategy"

For each design change or process improvement (risk reduction) identified within the FMEA template, suitable methods of verification or validation should be described or referenced. This ties in Risk Management to product verification and validation mechanisms (and supply control) essential for ISO13485:2016.

Design Control, Supplier Control and Risk Management

When all risks have been mitigated to as low as possible, each residual should be reviewed with respect to the benefit of the device given the intended use and intended purpose defined by the manufacturer. If the risk is low then the risk-benefit of he device can be easily justified, however if the residual risks continue to be high then the risks could outweigh the benefit and further controls should be considered.

For effective risk-benefit evaluation the manufacturer must gain a full understanding of the intended use and intended purpose of the device (how, why, when, what its used for and who by) and what the implications (clinical benefit) are when a result is obtained. This information should be continuously reviewed when the product is placed on the market using suitable post-market activity e.g. customer feedback & complaints, literature reviews, post market performance studies.

"Integration of Risk Management into the QMS will not only reduce the burden

 of Risk Management file maintenance but actively support design control,

 change management, vigilance reporting, supplier management and CAPA"

An effective Risk Management file which is fully implemented and maintained can be a highly useful tool in other parts of a quality management system. Below are some examples of potential interactions with the QMS:

Design Control - Early risk assessment of design characteristics using a design FMEA, together with an understanding on the intended use and intended purpose of the device can shape your design process based on the risk of the products including the extent of verification and validation mechanisms

Production Development – Evaluation of risks associated with process steps, equipment or materials used can reveal the areas of highest risk to product safety and performance. These ‘hot spots’ should have more stringent in-process checks, higher sampling rates or functional in-process tests compared to less critical areas of the process.

Change Management – Any potential changes to the device design or production process can be reviewed against the risk management file. The impact of the change can be included into the risk assessment (FMEA) to ensure that it does not have any adverse impact on safety or performance. In addition, the level of change verification or validation can be justified according to the risk profile (RPN) of the change.

Supplier Management – The selection and control of suppliers can be determined by the impact on the safety and performance of the product using the risk assessment process. Critical suppliers, where there is the biggest risk to product should have greater controls in place.

CAPA and Vigilance Reporting – Evaluation of potential or actual failure modes within the risk assessment (FMEA) will provide a good starting point to determine the risk on product (and customer, user or patient) when potentially reportable events occur. This can be very useful when time restrictions require clear, objective decisions. In addition, an active risk assessment process can provide guidance on the most likely causes of failure (contributing factors) to focus on during root cause investigations.

The overall result in a well-established risk management process is the ability of the manufacturer of a device to determine with a degree of confidence that the product it places on market is safe and effective for use and meets the requirements of the IVD regulations so that when the user sees the CE mark, they are confident in the devices safety and performance.

Do you have further questions? We can help! IVDeology Ltd provide expert solutions for medical device companies in quality and regulatory affairs.  Contact us at or visit us at

We are proud to be BIVDA Associate Members

IVDeology Ltd Proud To Be BIVDA Associate Members