Most manufacturers use harmonized standards to demonstrate the conformity of their devices with the general safety and performance requirements. This also applies to medical device manufacturers, for example.
1. Standards and harmonized standards
a) Definitions and more
EU Regulation 1025/2012 defines the term harmonized standard.
“a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation“
Standards are documents written by national or international standardization commissions to document the general accepted state of the art. They usually do not describe best practices or even the scientific state of the art but rather the minimum consensus requirements that the standards committee could agree upon.
The state of the art describes how very good companies proceed. In contrast, the scientific state of the art describes what is theoretically possible.
Specific encryption methods with a defined key length, for example, correspond to the state of the art. They, therefore, represent a level that a professional company should not fall below. The scientific state of the art, on the other hand, knows quantum-physical procedures for encryption and decryption.
Read more about the distinction between state of the art and scientific state of the art here.
The EU has published the harmonized standards in its official journals. If manufacturers comply with these harmonized standards, auditors and assessors, for example, assume that the legal requirements are met, specifically, the general requirements.
b) Chain of evidence
This chain of evidence can be illustrated with an example:
element of the chain of evidence | example |
legal requirements | MDR basic requirement on software lifecycle processes |
harmonized standard | IEC 62304 |
QMS and documented procedures | software development standard operating procedure or the software development plan, which require code review, among other things |
documents and records | documented code review on day X, performed by person Y with output Z |
Compliance with harmonized standards is not legally mandatory, neither in the EU nor with the FDA. However, without the harmonized standards, manufacturers will find it difficult to prove that their devices comply with the state of the art and meet the legal requirements. This can become a problem during audits and legal proceedings.
c) Examples of harmonized standards for medical device manufacturers
The harmonized standards in the context of medical devices include:
- EN IEC 62304: Software life-cycle processes for medical devices
- EN IEC 62366-1: Application of usability to medical devices
- EN ISO 14971: Application of risk management to medical devices
- EN IEC 60601-1: Medical electrical equipment and systems: Basic safety and essential performance
- EN ISO 13485: Medical devices – Quality management systems – Requirements for regulatory purposes
The Johner Institute supports manufacturers in monitoring more than 6,000 (harmonized) standards and laws. It provides software for this purpose or takes over the monitoring process.
2. Standards in the context of MDR and IVDR: The theory
The MDR continues to recognize the concept of harmonized standards that may serve as “chain of evidence.” It writes in Article 8:
“Devices which are in conformity with the relevant harmonised standards, or the relevant parts of those standards, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the requirements of this Regulation covered by those standards or parts thereof.“
MDR Article 8
In addition to the harmonized standards, there are also Common Specifications. Article 9 of the MDR states:
“where no harmonised standards exist or where relevant harmonised standards are not sufficient, or where there is a need to address public health concerns, the Commission […] may […] adopt common specifications (CS) in respect of the general safety and performance requirements set out in Annex I […]“
MDR Article 9
This means that manufacturers have to use multiple evidence tools.
The requirements of the IVDR are analogous.
3. Standards in the context of MDR and IVDR: The practice
a) The problems with the standards
So many problems appear in the meantime that the question of their future relevance arises. Examples of the problems are:
Problem 1: Heterogeneous quality
While central standards such as those for quality management (ISO 9001 and ISO 13485) are solid, the quality of many standards suffers:
- They do not represent the state of the art but rather the authors’ opinion.
- The standards lack internal consistency, requirements appear to be arbitrarily selected, and process and product requirements are not precisely differentiated.
- The requirements are so vague that their review is difficult.
- Definitions are missing.
- There is no coordination with the concepts of other standards, which imposes unnecessary effort on manufacturers.
Problem 2: Lack of up-to-date information
The quality of the standards also depends on how up-to-date they are. The main parts of IEC 62304, for example, date back to 2005, two years before the first iPhone was released. At that time, smartphones, cloud computing, and AI were not nearly as important as today. The NSA scandal was still eight years in the future. Is a standard like this supposed to reflect the state of the art?
Problem 3: Lack of coverage of regulatory requirements
Even current harmonized standards usually do not address all the requirements of the EU regulations.
The “Z annexes” provide an overview of which regulatory requirements manufacturers can assume to be fulfilled when complying with the respective harmonized standard and which they cannot.
Problem 4: High prices
Standards sometimes cost several hundred euros. The Johner Institute monitors over 6000 regulatory documents on behalf of manufacturers and notified bodies. A notable portion are standards. Even if the typical manufacturer only needs a subset, the financial burden is still worth mentioning.
Estonian standards (also in English and with harmonized content) cost only a fraction.
Problem 5: Hesitant and incomplete harmonization
In 2017, the MDR came into force. More than six years later, only a fraction of the standards that were harmonized under the MDD and AIMD have been harmonized. The situation is analogous for the IVDR.
b) The causes
There are many causes that contribute to these problems:
- Bureaucracy
There are standards bodies that shut themselves down with bureaucracy. People are more busy with regulations, internal rules, international coordination, and sometimes disputes than with the actual standards work. - Lack of resources/competence
This is another reason why it is not easy to attract the best in a field to work on standards. The highest level of competence is required: domain expertise, scientific methodology, the capability to develop abstract models, and at the same time ensure practical relevance and feasibility in practice. - Competing preferences
The EU Commission does not give the impression that it gives the same importance to standards as it did in the past. The EU spends millions on HAS consultants, who give the impression of rather dragging out the procedure. Moreover, with the Common Specifications, the EU has created an alternative to the standards, which it holds in its own hands.
c) The consequences for manufacturers and notified bodies
The problems with standards mean that authorities and notified bodies sometimes refer to legislation, sometimes to the latest versions of standards, sometimes to harmonized versions of standards, and sometimes to other best practices and guidelines.
For manufacturers, this means
- legal uncertainty in audits and approvals,
- more effort for subsequent improvements,
- higher costs, and thus
- a longer time-to-market.
All this happens in a competitive environment that challenges manufacturers to and beyond their limits.
d) Possible solutions
There are several approaches to solving these problems in Europe. We should pursue all of them(!).
Returning to the original idea
It would be very helpful to speed up again, to improve the standards, to update them, to harmonize them, and to offer them at affordable prices. We members of the standards committees are already working for free.
However, the likelihood of such a restart is limited if there is a lack of will, and correctly practiced bureaucracy seems more important than contributing to the well-being of society, e.g., patients.
Nevertheless, or precisely for this reason, our request: Get involved in the standards committees!
The EU also recognizes and emphasizes the importance of standards for progress.
Optimize efficiency on the manufacturer side
The tasks of manufacturers consist of more than “just” proving the conformity of their devices and processes. There are opportunities for optimization:
- The wheel does not have to be reinvented every time: When it comes to software, not only can components and frameworks be reused but also entire backend services.
- Many tasks can be avoided completely through automation. Legal compliance can be verified automatically, as the Fit for Future Program impressively demonstrates.
Create de facto standards
The decision on the conformity of devices and processes is a binary one: compliant or non-compliant. This decision arises from many micro-decisions, for example, is the required list of SOUPs available? Yes or no?
These decisions need to be mapped into algorithms – which we do. If there is an agreement on these algorithms, a de facto standard, and thus, legal certainty and ultimately the basis for automation is created.
4. Is certification necessary?
Manufacturers wonder if they need to certify themselves or their devices to a standard. The short answer is:
If a conformity assessment procedure (e.g., under Annex II or Annex IX of the MDR) requires a quality management system, manufacturers must have that QM system certified by a notified body. If successful, they receive a certificate confirming conformity with the relevant Annex (and usually also with ISO 13485).
When reviewing the QM system, the notified bodies also check,
- whether the manufacturers work in conformity with the harmonized standards such as ISO 14971 or IEC 62304 and
- whether the specifications of the QM system require a procedure that conforms to these standards.
A certificate confirming compliance with the requirements of ISO 14971, IEC 62304, IEC 62366-1, etc. is neither required nor common.
Exceptions include standards such as IEC 60601-1, but again, the manufacturer does not need to be certified. Instead, it is advisable to select a test laboratory that performs the tests in accordance with this standard or standard family.
5. Which standard to use?
a) DIN or EN or ISO/IEC?
A frequently asked question is: Which variants of the standards should be used? The DIN, the EN, the ISO, or the IEC?
Harmonized standards can be used to prove that devices or systems meet the requirements of European directives or regulations. Therefore, the European standards should be used, i.e., the EN standards. The national standards, i.e., the standards with a prefix such as “DIN EN,” are identical in content and can therefore also be used.
In contrast to the “EU variants,” the international standards (ISO, IEC) do not have the Z annexes. The Z annexes contain the “mapping” of the regulatory requirements to the normative requirements (EU directives, EU regulations). This means: the Z annexes describe which regulatory requirements are fully, partially, or not at all covered by the standard.
Harmonization has nothing to do with numbering. For example, DIN EN 14971 is not the standard on risk management for medical devices (which is DIN EN ISO 14971) but one on “Textiles – Knitted fabrics – Determination of the number of meshes per unit length and unit area.”
b) Which version of the standard?
There is always discussion about the transition periods. Unfortunately, there are no clear rules. But the following rules of thumb can help:
- If a standard is harmonized, then use that version.
- If the standard itself specifies a transition period, then follow it.
- Otherwise, assume a transition period of three years.
- For new devices, work with the latest versions.
- For devices already on the market, do a gap analysis no later than three years after a new version is published.
6. Conclusion and summary
Harmonized standards should help manufacturers and notified bodies gain a common understanding of how the requirements of the MDR and IVDR should be met.
Unfortunately, harmonization of standards is faltering, so this objective is only partially met. Nevertheless, manufacturers should use relevant standards. After all, they describe the state of the art and help to demonstrate that regulatory requirements are met.
Change history
- 2024-05-08: Introduction and chapter 1.a) rewritten, table inserted in chapter 1.b), editorial changes to better separate the areas that affect all manufacturers in Europe and those that are specific to medical devices
- 2023-09-06: Chapter 2 disassembled, chapter 3 added
- 2023-04-03: Article completely revised and updated, “news” and “issues” sections removed and integrated into the text where necessary
- 2022-06-09: In the “news” section, section “June 2022” added
- 2022-03-16: In the “news” section, section “January 2022” added
- 2021-07-27: In the “news” section, section “July 2021” added
- 2021-04-26: In the “news” section, “April 2021” section added
- 2020-11-08: New draft for a Standardization Request added, text adapted in this respect