FAQ

What is the MDIS platform by MedQAIR?

MDIS is a platform to track and trace Basic UDI and UDI-DIs between economic operators, such as the Legal Manufacturer, the Authorised Representative, the Importer and the Distributor. The platform is designed to facilitate secure sharing of technical documentation and accompanying documentation (the IFU and Product Label), ensure compliant documentation reviews by each Economic Operator, and automate registration onto regulatory databases, such as EUDAMED.

The software platform is designed to support the contracted Economic Operator. It can be used by the Legal Manufacturer to manage the downstream Economic Operators, such as the Authorised Representative, the Importer and the Distributor. Similarly, the software platform can be used to manage the upstream Economic Operators, such as an Authorised Representative or Distributor managing multiple Legal Manufacturers and their provided Technical Documentation and/or Accompanying Documentation, such as the IFU and Product Label per Basic UDI and each consequent UDI-DI.

It is developed to ensure that the technical documentation and accompanying documentation of the Legal Manufacturers is available to each Economic Operator in the medical device distribution chain. In the event of Post-Market incidents, the Economic Operators have continuous access to the latest version of the Documentation, and the system will facilitate Vigilance reporting to regulatory databases, such as EUDAMED through the IMDRF coding systems.

The software platform is designed to support an effortless upload of technical documentation and accompanying documents to facilitate quick and easy sharing across Economic Operators. The technical documentation and accompanying documents are split into separate sections to ensure that each Economic Operator only gains access to those sections relevant to their duties. For example, the Distributor will only gain access to the Labeling materials relevant to their region.

The software platform is designed to automate registration into regulatory databases such as EUDAMED. Once all data for EUDAMED is present, it can be pushed to EUDAMED through the EUDAMED API. Any new UDI-DI added to the system can then simply be uploaded into EUDAMED, and into future supported databases, such as GUDID and SWISSDAMED.

If, for any reason, access to documentation needs to be cancelled, the user can withdraw access. Note that there are legal obligations for Economic Operators for continued access, even when a contract with a Legal Manufacturer has been cancelled. As such, information shared prior to the end-of-contract date will continue to be accessible for the relevant Economic Operators.

When a Legal Manufacturer makes use of MDIS, they can add their Authorised Representatives, Importers and Distributors (within and outside of the EU), share their Technical Documentation through a single portal, and update each of the Economic Operators in the event of adding or changing Basic UDI and UDI-DI details. It ensures that the Legal Manufacturer can demonstrate that they have fulfilled their duties per the medical device regulations, and provide continuous (24/7) access in a secure manner to all Economic Operators involved.

Similarly, the Legal Manufacturer can embed the use of MDIS into their QMS procedures at the national product release level. For example, after the local Distributor has completed their required duties in the system (e.g. review of Accompanying Documentation in a local language), the Distributor can ‘approve’ the documentation, so that a Legal Manufacturer can securely release their medical devices onto national markets in the EU after the CE mark has been granted. This level of national release is often complex to manage for Legal Manufacturers, since the CE mark applies to the full European Union.

When an Authorised Representative makes use of MDIS, they can document their reviews and approvals of the Technical Documentation, the CE certificate, and the registration in EUDAMED completed by the respective Legal Manufacturers. As shown in 2024 by the Dutch healthcare inspectorate, many Authorised Representatives lack the required documented approvals of Technical Documentation and associated documents prepared by the Legal Manufacturer.

These tasks can be assigned in MDIS to the PRRC, who can be an employee of the Authorised Representative or, in the event of a micro-enterprise or SME, an external PRRC who is contracted by the Authorised Representative to perform these duties.

The use of MDIS further supports Authorised Representatives in gaining 24/7 access to the documentation of each of the manufacturers they are representing in their local markets. The Authorised Representative can easily create accounts for Legal Manufacturers to upload the required documentation. Similarly, these Legal Manufacturers can use the system to facilitate EUDAMED registration.

As an Importer of medical devices, you also share a portion of the liability for making medical devices available on the market. As with an Authorised Representative, tasks may be assigned to the Importer, which include review of parts of the documentation and accompanying documentation. The Importer may further add its own product label to the product prior to bringing it onto the market.

Within MDIS, Importers are capable of managing the information that belongs to various Legal Manufacturers in a single software system, and can ensure they stay abreast of the latest changes made by the Legal Manufacturers.

As a Distributor of medical devices, the number of Legal Manufacturers represented can easily become large. More limited than the Authorised Representative and the Importer, the Distributor has fewer verification tasks assigned, and may be able to sample verification activities.

Nevertheless, for a Distributor where regulatory compliance might not be at the forefront of business activities, ensuring compliance with the regulatory requirements may not be straightforward. MDIS can support Distributors in ensuring compliance with regulatory activities, such as review of accompanying documentation and review of EUDAMED registrations.

MDIS is designed to support the verification workflows between all Economic Operators as intended by the regulatory frameworks. When using MDIS, compliance is evidenced for the Legal Manufacturer, the Authorised Representative, the Importer and the Distributor.

Even when you are an Authorised Representative and an Importer, the system allows you to fulfill both roles and evidence compliance in both roles.

The Legal Manufacturer is requested to share their Technical Documentation, Accompanying Documentation (e.g. IFU, Product Label), DOC, and potentially the CE certificate in the MDIS system. Consequently, the relevant parts of those documents are shared with the Authorised Representative, Importer and/or the Distributor.

Each party can use the system and provide access to the other Economic Operators, unlocking the required verification workflows. Verification refers to the activity at the party completing the information, and validation to the activities of the Economic Operators reviewing it and completing their validation activities.

Within MDIS, all Documentation, verification activities, and past revisions are stored to ensure full traceability for Basic UDI-DIs and their UDI-DI history. Logs are stored and made available to each of the Economic Operators to ensure their completed actions are traceable and can be used to evidence compliance.

As a paying customer of MDIS, there are more functionalities available. When making the system available to other Economic Operators, they will be required to complete the tasks to support the paying customer, but won’t be able to link other Economic Operators.

For example, as a Distributor, you can request a Legal Manufacturer to share their Accompanying Documentation in MDIS, yet at the same time the Legal Manufacturer cannot share the information with other Distributors, unless they themselves become a customer of MDIS.

Specific user roles can be assigned to the PRRC of the Legal Manufacturer and the Authorised Representative, so that the execution of the activities required of the PRRC becomes more transparent.

At MedQAIR, we have a full team of regulatory experts available to support with the implementation of MDIS, and to provide generic Regulatory, Quality and Information Security support.

The MDIS system is designed to support compliance with generic medical device distribution regulations that apply globally. It currently adds compliance with EUDAMED specifically; however, other databases will be added in time.

When visiting the MedQAIR website, users can schedule a free demo with the team of MedQAIR.

MedQAIR was founded by Leon Doorn, who has over 15 years of regulatory affairs experience, and Ivo Flipse, who has a similar background. MedQAIR is advised by Willibrord Driessen, who once founded Qserve Consultancy, and is a key opinion leader within regulatory compliance. Add-on, led by Hugo Messer and Jeroen van Duffelen, is also a co-founder and supports the software development of MDIS.

Post-market compliance activities along the full economic operator chain have been introduced with the implementation of the new Medical Device Regulations in the European Union. Many of the activities introduced did not exist beforehand.

At the same time, the UDI requirements are new, and so is the need for registration within the EUDAMED system, which will be enforced for medical devices in 2026.

Especially for Authorised Representatives, Importers and Distributors, the new regulatory environment adds requirements.

With the introduction of the MDR and the IVDR, the regulatory responsibilities have not shifted towards the Authorised Representative, Importer and/or the Distributor, but have rather been extended. Where previously the main responsibilities resided with the Legal Manufacturer, they are now shared along the full chain of Economic Operators.

There are various challenges when distributing documentation over the full economic operator chain. One example is ensuring that, with the release of updates (new UDI-DIs), each of the Economic Operators receives the updated documentation that is relevant to their business.

Similarly, it may be challenging to ensure that all verification tasks for each of the Economic Operators along the medical device distribution chain are documented in a systematic and transparent manner. Additionally, EUDAMED registration may be overlooked when releasing a new UDI-DI onto the market.

The use of a system such as MDIS can support Economic Operators, such as the Legal Manufacturer, the Authorised Representative, the Importer and the Distributor, in completing their mandatory regulatory tasks.

Regulatory requirements along the full chain are increasing, and so are transparency requirements. This duplicates requirements over various jurisdictions, e.g. registration in EUDAMED, GUDID, PARD, SWISSDAMED, etc. These can be simplified, and labour can be reduced, by managing the activities through a single platform that integrates APIs to the various regulatory databases. In the future, further automation and connections are planned, such as to eQMS systems.

Obviously, regulatory authorities may audit the evidence from each Economic Operator to verify compliance against regulatory requirements, which may lead to warnings and penalties.

However, the bigger risk may be associated with Legal Manufacturers bringing faulty medical devices onto the market. In such an event, it is pertinent that each of the Economic Operators is able to demonstrate that they have completed their tasks as demanded by law, fulfilled their regulatory needs, and done what is needed to verify the regulatory compliance of the products involved.

Failure to demonstrate such compliance may lead to liability on the end of the Authorised Representative, the Importer and/or the Distributor.

Each of the Economic Operators may be at risk of receiving warnings from Regulatory Authorities, penalties, and potentially, in the event of patient harm, liability.

Digital solutions, such as MDIS, support Legal Manufacturers, Authorised Representatives, Importers and Distributors to make sure post-market regulatory compliance requirements of the MDR and IVDR are met.

As MDIS connects the various Economic Operators, collaboration between the parties is completely built into the system.

The increased Documentation sharing and reviewing tasks increase the demand for each party to ensure that they review the right documentation throughout the full product lifecycle and with the release of new UDI-DIs. Similarly, maintaining regulatory databases, which often require similar information, leads to unnecessary duplicate regulatory burden.

Legal Manufacturers need to provide Technical Documentation, Accompanying Documentation, Declarations of Conformity and CE Certifications (where applicable) to Economic Operators, of which each requires different portions.

Keeping all these parties up to date, especially when releasing new UDI-DIs, may not be a straightforward and simple process, especially when entering markets in various regulatory jurisdictions, with various requirements, various products and various Economic Operators.

Having a centralised system to securely share documentation along the full Economic Operator chain facilitates transparency, and allows for Regulatory Authorities to audit compliance.

Furthermore, it supports Legal Manufacturers in obtaining feedback directly from the market for their evaluation and potentially reporting to Regulatory Authorities through future EUDAMED and GUDID APIs.

The requirements set out in Article 10 cover a wide range of quality requirements. Specifically, those with regard to post-market compliance can partially be covered by using a system such as MDIS. Other systems, such as eQMS and eTD solutions, are well positioned to support the other requirements.

Compared to the previous regulatory frameworks (MDD and IVDD), the Authorised Representatives have been provided with clearer instructions under the MDR and IVDR on activities which must be executed to ensure that medical devices they represent are compliant with regulatory requirements.

In addition, the role of the PRRC was non-existent under the MDR and IVDR, and demands that Authorised Representatives have in-house expertise available with regards to Quality and Regulatory Affairs.

As an Authorised Representative, one can only hope that the Legal Manufacturer shares all documentation with regards to medical device releases and updates for review and ensures that Technical Documentation is made available 24/7.

For the Authorised Representative, who is not in the lead of the manufacturing and release of medical devices, the activities of the Legal Manufacturer may not always be transparent, whilst at the same time the Authorised Representative may automatically assume part of the liability for those products placed onto the market.

Specifically for Authorised Representatives, having continued access to the Technical Documentation and being able to demonstrate completion of verification activities is important to ensure compliance.

The activities are critical to demonstrate compliance and reduce legal liability.

Authorised Representatives benefit from structured workflows in demonstrating regulatory compliance with Article 11 of the MDR and the IVDR.

The Importer role is often a role shared with the Authorised Representative or the Distributor. Both Economic Operators face challenges in obtaining the right documentation at the right time from the Legal Manufacturer. As for the Authorised Representative, these parties may face regulatory non-compliance if not demonstrably performing the tasks required by Article 13 or Article 14.

Importers require the information from the manufacturers to perform their tasks under Article 13. Especially when representing multiple Legal Manufacturers, it may be complex to receive information in a systematic and structured manner and document the verification tasks in a structured manner. As such, digital systems can help to evidence compliance.

The Importer role is frequently combined with that of the Authorised Representative or Distributor. Both Economic Operators often encounter difficulties in receiving the necessary documentation from the Legal Manufacturer in a timely manner. Similar to the Authorised Representative, these parties risk regulatory non-compliance if they cannot demonstrate fulfillment of the responsibilities outlined in Article 13 or Article 14.

Today, medical device feedback processes between Economic Operators are disconnected. Often the Legal Manufacturer has no insight into the post-market feedback received by other Economic Operators. At the same time, there are strict evaluation and reporting timelines in place that require information to be shared.

With added requirements through the IMDRF classification coding, tools such as MDIS can help to streamline reporting between Economic Operators and reporting to the Regulatory Authorities.

Digital compliance systems, such as MDIS, have the ability to trace products along the full Economic Operator chain, starting with the Legal Manufacturer, all the way downstream to the Distributor, and back up to the Legal Manufacturer.

It ensures the availability of Technical Documentation, Accompanying Documentation, Declaration of Conformity and, where applicable, the CE certificate for Basic UDI-DIs and the UDI-DIs.

It is important that systems ensure the traceability of UDI-DIs for Basic UDI-DIs from the Legal Manufacturer all the way onto the market. In addition, having integrations with systems of EUDAMED helps to streamline compliance processes. Systems should ensure the secure sharing of data and the availability of documentation 24/7.

The MDIS platform is unique: there are no other systems which facilitate cross-Economic Operator cooperation. It saves valuable time by sharing the documentation across the Economic Operators, and by facilitating EUDAMED registration.

As the Legal Manufacturer uploads their documentation, all parties automatically have access to the items that are relevant to them. None of the parties needs to rely on legacy sharing systems which require manual actions, such as sharing drives, folders, or other types of file-sharing systems.

All data stored within MDIS is stored in an ISO/IEC 27001 compliant environment. Data integrity is further verified through verification actions by each of the Economic Operators.

Having all information in a single location supports audit readiness and makes demonstration of compliance to Regulatory Authorities and Notified Bodies simpler than ever.

MedQAIR provides end-to-end regulatory support for medical and IVD device manufacturers, with expertise in EU MDR, IVDR, FDA, and Health Canada compliance. Services cover both pre-market and post-market phases, tailored to traditional, software-based, and AI-enabled devices.

Key services include:

  • Authorised Representative (AR): Legal representation for non-EU manufacturers, ensuring EU market access
  • PRRC Services: Outsourced compliance responsibility per MDR/IVDR Article 15
  • Regulatory Affairs: Multi-region strategy, gap analysis, and Notified Body coordination
  • Technical Documentation: Support with GSPR, risk files, CERs, PMS, and EUDAMED data
  • SaMD & AI Compliance: Support for software classification, cybersecurity, and EU AI Act readiness
  • Post-Market Compliance: Vigilance reporting, UDI tracking, and coordination across the supply chain

MedQAIR combines deep regulatory knowledge with practical support across global markets.

MedQAIR supports manufacturers, authorised representatives, and other economic operators in meeting the regulatory obligations set out in the EU Medical Device Regulation (MDR 2017/745) and In Vitro Diagnostic Regulation (IVDR 2017/746). This includes both pre-market and post-market activities required to maintain compliant access to the European market.

Key areas of support include:

  • Authorised Representative (AR) Role
  • Person Responsible for Regulatory Compliance (PRRC)
  • Regulatory Strategy & Documentation
  • EUDAMED Registration & UDI Management
  • Vigilance & Post-Market Surveillance
  • Software and AI-Enabled Devices

Through a structured, standards-based approach, MedQAIR enables manufacturers to confidently meet EU market requirements, avoid costly delays, and maintain compliance throughout the product lifecycle.

Yes. MedQAIR supports regulatory submissions for the US (FDA), Canada (Health Canada), and other global markets. This includes preparing 510(k), De Novo, PMA, and Canadian licensing documentation, as well as aligning technical files for multi-market compliance.

Consultations can be requested directly through the MedQAIR contact page or by emailing the team via the contact information provided on the website. A regulatory expert will follow up to understand the specific needs and propose next steps.

MedQAIR provides comprehensive support in preparing, reviewing, and maintaining technical documentation in line with MDR Annex II & III or IVDR equivalents. This includes:

  • Device description and intended purpose
  • Classification and conformity assessment route
  • General Safety and Performance Requirements (GSPR) checklist
  • Risk management file
  • Clinical Evaluation Reports (CER) or Performance Evaluation Reports (PER)
  • Post-Market Surveillance (PMS) plan and reports
  • Labelling and Instructions for Use (IFU)
  • Software lifecycle documentation (for SaMD and AI-enabled devices)
  • Traceability information including Basic UDI-DI and UDI-DI
  • EUDAMED registration data

Documentation is prepared to meet the expectations of Notified Bodies and competent authorities, ensuring audit-readiness and market approval.

Technical files are prepared according to the structure defined in MDR Annex II and III (or IVDR equivalents), ensuring alignment with regulatory expectations and Notified Body requirements. The process typically includes:

  • Defining the device’s intended purpose and classification
  • Identifying the applicable conformity assessment route
  • Compiling evidence for General Safety and Performance Requirements (GSPR)
  • Developing or reviewing the risk management documentation
  • Preparing Clinical Evaluation Reports (CER) or Performance Evaluation Reports (PER)
  • Structuring Post-Market Surveillance (PMS) plans and reports
  • Including labelling, packaging, and Instructions for Use (IFU)
  • Ensuring traceability through Basic UDI-DI and UDI-DI data
  • Including relevant software documentation for digital and AI-based devices

All documentation is compiled in a format suitable for submission to Notified Bodies and for registration in EUDAMED.

The core components of technical documentation, as required under EU MDR Annex II (and IVDR equivalent), typically include:

Device Description and Specification

  • Intended purpose
  • Device variants and configurations
  • Reference to previous or similar generations

Design and Manufacturing Information

  • Description of design stages and methods
  • Manufacturing processes and sites

General Safety and Performance Requirements (GSPR)

  • Checklist demonstrating conformity with applicable GSPR
  • Applied standards and evidence of compliance

Risk Management Documentation

  • Risk analysis, evaluation, and control measures
  • Alignment with ISO 14971

Product Verification and Validation Data

  • Bench testing, usability, biocompatibility, electrical safety, etc.
  • Software validation (for SaMD or embedded software)

Clinical Evaluation Report (CER)

  • Clinical data, literature review, and equivalence justifications

Labeling and IFU

  • Device labels, symbols, packaging, and translated Instructions for Use

Post-Market Surveillance (PMS) Plan and Report

  • Procedures for ongoing monitoring and periodic safety updates

UDI and EUDAMED Registration Information

  • Basic UDI-DI, UDI-DI, and registration details per Article 29 MDR

Each component must be complete, up to date, and traceable to support conformity assessment and regulatory audits.

Yes. MedQAIR supports U.S. FDA submissions, including:

  • 510(k) premarket notifications (Traditional, Special, Abbreviated)
  • De Novo classification requests for novel, low- to moderate-risk devices
  • Premarket Approval (PMA) applications for high-risk Class III devices

Services include regulatory strategy, documentation preparation, predicate device analysis, risk and benefit assessment, and submission readiness reviews.

Technical documentation must be updated whenever there are relevant changes that could affect the device’s safety, performance, or regulatory status. This includes:

  • Design or manufacturing changes
  • Updates in clinical data or risk assessments
  • Changes in regulatory requirements or standards
  • Feedback from post-market surveillance or vigilance activities
  • Label or IFU revisions
  • UDI or EUDAMED updates

For many devices, updates are triggered at regular intervals—such as during the annual Post-Market Surveillance (PMS) review, Periodic Safety Update Reports (PSURs), or before audits and notified body renewals. Documentation must remain current, accurate, and traceable throughout the device’s lifecycle.

The process involves aligning with both EU MDR/IVDR and FDA requirements:

Regulatory Classification & Strategy

  • Determine device class and submission route (e.g., 510(k), PMA, MDR Annex IX)

Core Documentation

  • Device description, risk management, verification/validation, and manufacturing info
  • Software and clinical data, if applicable

EU Requirements

  • GSPR checklist, CER/PER, PMS plan, UDI, IFU, and EUDAMED registration

FDA Requirements

  • Predicate device comparison (510(k)), labeling per 21 CFR, submission formatting (eSTAR)

Review & Submission

  • Ensure consistency, traceability, and audit readiness for Notified Bodies or FDA

The goal is a harmonized, compliant file set tailored to both regulatory systems.

MedQAIR supports medical device manufacturers and economic operators in meeting EUDAMED and UDI-related obligations under MDR and IVDR by:

  • Registering actors (e.g. manufacturers, ARs, importers, distributors) in EUDAMED with validated Single Registration Numbers (SRNs)
  • Submitting device and UDI information in compliance with Part B of MDR Annex VI, including Basic UDI-DI and UDI-DI data
  • Ensuring the correct assignment and formatting of UDI elements for different packaging levels
  • Coordinating updates to UDI records when devices are modified or reclassified
  • Maintaining traceability across the economic operator chain via version-controlled documentation

MedQAIR also provides tools and structured workflows through its MDIS platform to automate and track these submissions, ensuring timely updates and audit readiness.

Yes. MedQAIR acts as a European Authorised Representative (AR) for non-EU manufacturers, fulfilling the legal obligations under EU MDR and IVDR. This includes:

  • Serving as the official point of contact with EU authorities
  • Verifying technical documentation and declarations of conformity
  • Ensuring UDI and EUDAMED registration
  • Cooperating with Post-Market Surveillance and Vigilance activities

For Importers, MedQAIR provides regulatory support to help meet Article 13 obligations, including:

  • Verification of CE marking, labelling, and accompanying documents
  • Coordination with manufacturers and ARs
  • Documentation traceability and regulatory readiness

These services ensure that both ARs and Importers remain compliant with their specific responsibilities under EU regulations.

AI-based medical device software must comply with:

  • EU MDR or IVDR: Classification (often under Rule 11), technical documentation, clinical evaluation, and risk management
  • Software Standards: IEC 62304 (lifecycle), ISO 14971 (risk), IEC 62366 (usability), and cybersecurity guidance
  • EUDAMED & UDI: Registration and traceability under EU device regulations
  • ISO 13485 & ISO 27001: Quality and information security management
  • EU AI Act (upcoming): High-risk AI systems will need to meet new requirements for transparency, data governance, and human oversight

Compliance must address both medical device safety and AI-specific risks.

MedQAIR helps manufacturers navigate MDR/IVDR and upcoming EU AI Act requirements by supporting device classification, technical documentation, risk management, software lifecycle processes (IEC 62304), and aligning with AI-specific standards for transparency, data governance, and cybersecurity.

Yes. MedQAIR supports the preparation of regulatory documentation for AI algorithms, including intended use, model architecture, training and validation data, performance metrics, risk analysis, change management, and compliance with MDR, IEC 62304, ISO 14971, and upcoming EU AI Act requirements.

To demonstrate explainability and transparency, manufacturers should:

  • Clearly define the intended purpose and decision logic of the AI model
  • Describe the model architecture and training process, including datasets used
  • Document performance metrics, limitations, and potential biases
  • Provide human-readable justifications for outputs, where possible
  • Implement human oversight mechanisms
  • Maintain version control and traceability of model updates
  • Align with emerging guidance under the EU AI Act and standards like ISO/IEC 23894

This ensures regulatory readiness and builds trust in clinical use.

Validation of AI-based medical devices requires:

  • Training and test datasets: Well-characterized, clinically relevant, and representative of the target population
  • Performance metrics: Sensitivity, specificity, accuracy, AUC, etc., evaluated against ground truth
  • External validation: Independent dataset testing to confirm generalizability
  • Bias and robustness analysis: Identification of potential performance gaps across subgroups
  • Clinical validation data: Evidence showing the model performs safely and effectively in the intended clinical context
  • Traceability and version control: For data, model versions, and changes over time

This data must be documented in the technical file and aligned with MDR/IVDR and relevant standards.

Yes. We at MedQAIR support both FDA (510(k), De Novo, PMA) and EU (MDR/IVDR) regulatory pathways for AI-driven software. This includes classification, technical documentation, risk and performance evaluation, and compliance with standards like IEC 62304, ISO 14971, and upcoming EU AI Act requirements.

Verification documentation for Software as a Medical Device (SaMD) typically includes:

  • Software Requirements Specification (SRS)
  • Architecture and design documentation
  • Verification and validation test plans and reports
  • Unit, integration, and system-level testing results
  • Traceability matrix linking requirements to tests
  • Cybersecurity and risk control verification
  • Software version history and change management records

These must align with IEC 62304 and ISO 14971, and be included in the technical file to meet MDR/IVDR or FDA expectations.

Verification confirms that the software was built correctly. It meets the specified requirements (e.g. through code reviews, unit tests, and system testing).

Validation confirms that the right software was built. It fulfills its intended purpose in the clinical context (e.g. via usability testing, clinical performance, and real-world evaluation).

In short: Verification = “Did we build it right?”
Validation = “Did we build the right thing?”

Validation of machine learning models in Software as a Medical Device (SaMD) involves:

  • Defining the intended use and clinical context
  • Using representative, high-quality training and test datasets
  • Evaluating performance using metrics like sensitivity, specificity, and AUC
  • Testing on independent (external) datasets to confirm generalizability
  • Assessing robustness and bias, especially across subpopulations
  • Documenting all processes including data handling, model versioning, and updates
  • Ensuring traceability from requirements to test results

All validation must align with MDR/IVDR, FDA guidance, and relevant standards like IEC 62304, ISO 14971, and ISO/IEC 24029.

Yes. MedQAIR develops test protocols and validation reports for AI-based medical devices, covering:

  • Model performance testing (e.g. sensitivity, specificity, AUC)
  • Dataset selection and characterization
  • External validation procedures
  • Robustness and bias analysis
  • Traceability from requirements to results
  • Compliance with IEC 62304, ISO 14971, and MDR/IVDR documentation requirements

Reports are prepared to support both EU and FDA submissions.

Updates and revalidation of adaptive AI systems are managed through a structured change control process, including:

  • Version control and documentation of model changes
  • Impact assessment to determine if revalidation or regulatory resubmission is needed
  • Re-testing and performance verification using updated and external datasets
  • Assessment of clinical relevance, safety, and bias after changes
  • Maintaining traceability from previous to updated model versions
  • Alignment with regulatory expectations for locked vs. adaptive algorithms under MDR and FDA guidance

This ensures continued compliance, transparency, and patient safety throughout the product lifecycle.

A Risk Management File (RMF) is a structured set of documents that demonstrates how risks associated with a medical device are identified, evaluated, controlled, and monitored throughout its lifecycle.

It is necessary because:

  • It is mandatory under ISO 14971 and required by both EU MDR/IVDR and FDA
  • It ensures patient safety and regulatory compliance
  • It provides documented evidence of risk acceptability, including for software and AI-based systems
  • It supports decision-making during design, development, and post-market phases
  • It includes key elements such as a risk management plan, hazard analysis, risk control measures, and a risk-benefit evaluation

The RMF must be kept up to date and aligned with the device’s technical documentation.

Risk assessments for software-based medical devices follow ISO 14971 and typically involve:

  1. Defining intended use and system boundaries
  2. Identifying potential hazards (e.g. data corruption, incorrect outputs, cybersecurity threats)
  3. Estimating risks based on severity and probability of harm
  4. Implementing risk control measures (e.g. error handling, access control, redundancy)
  5. Verifying risk controls through testing and documentation
  6. Evaluating residual risks and overall risk–benefit ratio
  7. Monitoring risks post-market, including software updates and user feedback

Special attention is given to software-specific risks, such as algorithmic errors, logic flaws, and unintended behavior in real-world settings.

MedQAIR follows internationally recognized standards for risk management documentation, including:

  • ISO 14971 – Risk management for medical devices (primary standard)
  • ISO/TR 24971 – Guidance on the application of ISO 14971
  • IEC 62304 – Software lifecycle processes, including risk control integration
  • ISO/IEC 27001 – For information security risks (especially in connected devices)
  • ISO/IEC 23894 / ISO/IEC TR 24028 – For AI-specific risk management (where applicable)

Documentation is structured to align with MDR/IVDR, FDA, and Notified Body expectations.

Yes. MedQAIR supports the development of complete Risk Management Files (RMFs) for regulatory submissions under MDR, IVDR, and FDA. This includes:

  • Risk management plan
  • Hazard identification and risk analysis
  • Risk evaluation and control measures
  • Residual risk and benefit-risk assessment
  • Risk control verification evidence
  • Post-market risk monitoring procedures

All documentation is aligned with ISO 14971, ISO/TR 24971, and integrated with technical files to meet Notified Body and FDA expectations.

MedQAIR provides cybersecurity support for Software as a Medical Device (SaMD), including:

  • Threat and vulnerability assessments aligned with MDR, IVDR, and FDA expectations
  • Security risk analysis integrated into the overall risk management file (per ISO 14971 and ISO/IEC 27005)
  • Support for cybersecurity documentation, including Software Bill of Materials (SBOM), patch management, and access control
  • Alignment with standards such as IEC 81001-5-1 (health software cybersecurity) and MDCG 2019-16
  • Guidance on secure software development and lifecycle planning per IEC 62304 and ISO 27001
  • Incident response planning and post-market surveillance of security vulnerabilities

These services help ensure regulatory compliance, data protection, and resilience of connected and AI-enabled devices.

MedQAIR supports clinical evaluation (for medical devices) and performance evaluation (for IVDs) by:

  • Preparing or reviewing Clinical Evaluation Reports (CERs) and Performance Evaluation Reports (PERs) in line with MDR and IVDR requirements
  • Conducting literature reviews, equivalence assessments, and gap analyses
  • Supporting clinical data collection plans, including post-market clinical follow-up (PMCF) and performance follow-up (PMPF)
  • Ensuring alignment with MDCG guidance documents and relevant standards
  • Coordinating with external CROs or clinical experts when clinical investigations are required

All documentation is structured to meet expectations of Notified Bodies and Competent Authorities.

A Clinical Evaluation Report (CER) is required for all medical devices under EU MDR 2017/745, regardless of risk class.

Specifically, a CER is needed:

  • Before CE marking, as part of the technical documentation
  • During conformity assessment, to demonstrate clinical safety and performance
  • Throughout the lifecycle, with updates based on post-market surveillance and PMCF data
  • When significant changes to the device, indications, or intended use are made

The CER must follow MDR Annex XIV Part A and relevant MDCG guidance (e.g. MDCG 2020-13).

A Clinical Evaluation Report (CER) is required for medical devices under EU MDR. It assesses clinical data to demonstrate safety, performance, and conformity with General Safety and Performance Requirements (GSPR).

A Performance Evaluation Report (PER) is required for in vitro diagnostic devices (IVDs) under EU IVDR. It focuses on scientific validity, analytical performance, and clinical performance to demonstrate intended use.

Both are mandatory for CE marking but apply to different device categories under separate regulations.

Clinical evaluation for software-only medical devices (SaMD) involves:

  • Defining the intended purpose and clinical context of use
  • Reviewing scientific literature and relevant clinical guidelines
  • Assessing existing clinical data (e.g. from prior studies, real-world use, or equivalent devices)
  • Demonstrating clinical performance through usability studies, diagnostic accuracy, or clinical validation
  • Evaluating benefit-risk profile and documenting findings in the Clinical Evaluation Report (CER)

The process follows MDR Annex XIV and MDCG 2020-1 for software-specific evaluation.

Yes. MedQAIR can review, update, or audit existing Clinical Evaluation Reports (CERs) and Performance Evaluation Reports (PERs) to ensure they meet current EU MDR/IVDR and MDCG guidance.

Support includes:

  • Gap analysis against latest regulatory expectations
  • Literature update and data reassessment
  • Integration of PMS and PMCF/PMPF data
  • Formatting and traceability improvements
  • Preparation for Notified Body review or renewal submissions

A compliant Performance Evaluation Report (PER) under IVDR must include:

  • Scientific validity: Evidence linking the analyte to the clinical condition
  • Analytical performance: Data on sensitivity, specificity, precision, etc.
  • Clinical performance: Data showing the IVD’s effectiveness in real-world or clinical settings
  • Risk–benefit analysis: Assessment of overall device safety and performance
  • PMPF: Post-market performance follow-up plan and summary

All must follow Annex XIII of the IVDR and relevant MDCG guidance.

Not always. A Biological Evaluation Report (BER) is typically required only if the software-based device includes hardware components that come into direct or indirect contact with the patient or user (e.g. sensors, wearables, embedded systems).

If the device is pure software (e.g. standalone SaMD with no physical interface), a BER is usually not required, but a justification for its exclusion should be documented in the technical file under MDR Annex II.

The primary standard for biological safety evaluations is:

  • ISO 10993 series – Biological evaluation of medical devices

Key parts include:

  • ISO 10993-1: Evaluation and testing within a risk management process
  • ISO 10993-5: Tests for in vitro cytotoxicity
  • ISO 10993-10: Tests for irritation and sensitization
  • ISO 10993-18: Chemical characterization of materials

These standards guide the selection of tests based on device type, duration, and nature of body contact, and are required for compliance under EU MDR and FDA regulations.

A Biological Evaluation Report (BER) summarizes the assessment of biological risks related to a medical device. For regulatory submission, it typically includes:

  • Device description and materials (including body contact type and duration)
  • Toxicological risk assessment based on material composition
  • Summary of applicable ISO 10993 tests (e.g. cytotoxicity, sensitization, irritation)
  • Rationale for test selection or omission
  • Results of biological tests or chemical characterization
  • Conclusion on biological safety and biocompatibility

The BER must be aligned with ISO 10993-1 and form part of the technical documentation under MDR or FDA submissions.

Material biocompatibility risks are assessed through a structured process based on ISO 10993-1, including:

  1. Identifying materials in direct or indirect contact with the body
  2. Characterizing chemical composition and potential leachables
  3. Determining contact type and duration (e.g. skin, mucosal, blood; short-term vs. long-term)
  4. Reviewing existing data and literature for known risks
  5. Conducting biological tests (e.g. cytotoxicity, sensitization, irritation) if needed
  6. Evaluating results in the context of the device’s intended use and overall risk profile

The outcome supports the biological safety section of the technical file and informs the Biological Evaluation Report (BER).

MedQAIR provides comprehensive quality management support tailored to medical devices, IVDs, and software-based products. Services include:

  • Implementation of ISO 13485: Quality Management System (QMS) setup, documentation, and internal audits
  • QMS remediation and upgrade: For MDR/IVDR or FDA compliance
  • Software lifecycle quality integration: Including IEC 62304 and SaMD-specific controls
  • Supplier and document control systems
  • Audit preparation and support: For Notified Bodies, FDA, or internal audits
  • QMS training and interim quality leadership

Support is adapted to startups, scale-ups, and established manufacturers preparing for EU, US, or global market entry.

Yes. MedQAIR assists manufacturers in preparing for MDR or IVDR audits by:

  • Conducting mock audits and gap assessments
  • Reviewing technical documentation, QMS, and PMS processes
  • Verifying alignment with MDR/IVDR requirements and MDCG guidance
  • Providing audit readiness checklists and corrective action support
  • Training teams on audit procedures and expectations

Support is tailored to Notified Body audits, surveillance assessments, and unannounced inspections.

MedQAIR supports manufacturers in developing and maintaining compliant Post-Market Surveillance (PMS) systems by:

  • Preparing PMS Plans aligned with MDR/IVDR Annex III and Article 83
  • Defining data sources, responsibilities, and evaluation methods
  • Supporting Periodic Safety Update Reports (PSURs) and Post-Market Clinical Follow-up (PMCF)
  • Providing templates, workflows, and documentation reviews
  • Integrating PMS data with vigilance, risk management, and clinical evaluation activities

This ensures continuous monitoring of device performance and compliance throughout the product lifecycle.

Yes. MedQAIR assists manufacturers and Authorised Representatives in setting up Person Responsible for Regulatory Compliance (PRRC) roles in line with EU MDR Article 15 and IVDR Article 15. Support includes:

  • Providing qualified PRRC personnel on an outsourced or interim basis
  • Defining roles, responsibilities, and accountability within the QMS
  • Ensuring compliance oversight for technical documentation, conformity assessments, PMS, and vigilance
  • Aligning documentation and training with regulatory expectations

This helps fulfil mandatory obligations while maintaining compliance continuity.
