Medical Device Vigilance

What Does Vigilance Mean?

The term vigilance means constant attention.

For medical devices and IVDs, it is about manufacturers implementing a vigilance system that enables them to identify and report reportable or serious incidents and trends from collected data.

For example, the data is collected as part of complaint handling or post-market surveillance (PMS).

How does one learn about such incidents?

Manufacturers are often made aware of serious incidents through customer complaints. However, it is also possible that an authority was contacted regarding such an incident and then contacts the manufacturer.

In principle, all data from post-market surveillance can also contain information about serious incidents – and must therefore be reported.

Further information on data sources can be found in the blog post on post-market surveillance.

Vigilanz

What happens if a reportable incident occurs with your own product?

A serious incident must be reported in any case. If there are doubts whether it is such an event, it must still be reported as a precaution.

It’s Better to Over-Report than Under-Report!

Medical devices can help patients, but they can also cause harm. That’s no shame – unfortunately, many manufacturers perceive it that way. It is not necessarily due to the medical device itself or that it was poorly designed. Every manufacturer has determined as part of their risk management that certain risks are associated with the product. Damage can thus occur depending on its respective probability. So where does the surprise come from when something does happen?

There is No Benefit without Risk!

Of course, we do not want to trivialize the fact that patients are harmed. No one should take this lightly. But depending on the product, it is also not realistic that none of the risks will lead to harm.

What must be reported when?

The MDR includes the word vigilance in 28 places and, for example, states that the manufacturer’s quality management system must include “procedures for the reporting of serious incidents and field safety corrective actions within the scope of vigilance” [Article 10, general obligations of manufacturers]. Every manufacturer must have implemented such a quality management system according to Article 10 – even those who only manufacture Class 1 medical devices. So, it’s not possible without a vigilance process.

Article 87 on the reporting of serious incidents and field safety corrective actions is crucially relevant for the manufacturer and their vigilance process. It describes that every manufacturer who places medical devices on the Union market must report certain events:

  • Reporting no later than 15 days: “Any serious incident in relation to devices made available on the Union market, other than expected side-effects which are clearly documented in the product information, quantified in the technical documentation and subject to trend reporting in accordance with Article 88;”
    However, for the reporting of serious incidents, there are the following restrictions or stricter deadlines:
  • Reporting no later than 2 days: “[…] in the event of a serious public health threat”
  • Reporting no later than 10 days: “[…] in the event of death or an unanticipated serious deterioration in a person’s state of health”
  • “any field safety corrective action in relation to devices made available on the Union market, including field safety corrective actions taken in a third country in relation to a device which is also legally made available on the Union market, if the reason for the field safety corrective action is not exclusively related to the device made available in the third country concerned.”
    In this case, the report is made before the measure is implemented, unless there are urgent reasons against it.

Who must be reported to?

In Germany, reports are currently made to the BfArM (Federal Institute for Drugs and Medical Devices). However, in principle, who must be reported to differs depending on the Member State of the European Union.

In the future, the Vigilance module will be available in EUDAMED. Reports will then be made via it.

Reporting an Incident to the BfArM – How Does That Work?

Currently, serious incidents under MDR and IVDR are reported using the MIR form, which you can download here. MIR stands for Manufacturer Incident Report”

After downloading, many browsers cannot open the document. You should therefore open and edit the file manually with a PDF program.

The document has 12 pages. To complete it, information that may not be immediately available may be required. Therefore, note that you can also make preliminary or initial reports to meet the reporting deadlines. In these cases, you submit an incomplete report and provide missing information later.

There are different types of reports:

  • Combined initial and final report
  • Initial report
  • Follow-up report
  • Final report

Refer to the following overview here for what information is required depending on the type of report.

The EU’s electronic system

The regulation describes an “electronic system for vigilance and post-market surveillance” in Article 92 of the MDR. This refers to a module in EUDAMED that does not yet exist as of today (2023-01-04). It is currently under development and will be available in the future.

Through this EUDAMED module, manufacturers of medical devices are to provide the following information:

  • Reports of serious incidents
  • Reports of field safety corrective actions
  • Periodic summary reports
  • Safety reports in accordance with Article 86 (PSUR)
  • Field safety notices

Furthermore, the module will be used by the competent authorities of the Member States and the EU Commission for the exchange of information among themselves.

After a manufacturer has entered data into EUDAMED, it will be made available to the competent authority and notified bodies. Notified bodies will thereby gain access to the data of products for which they have issued a conformity certificate. Their access is therefore more restricted compared to the authorities’ access.

A new feature for improved transparency is public access to vigilance data. Through this, healthcare professionals and the public will be able to view vigilance data in EUDAMED in the future. Previously, access to vigilance data on incidents and recalls, for example, from individual authorities such as the BfArM (Germany) or FAGG (Belgium) was possible, but not very convenient. An EU-wide module with public access will indeed create increased transparency at this point. However, it is still questionable whether this will practically change anything for the average patient. Generally, a patient will not be aware of EUDAMED. However, Article 87 (10) of the MDR assigns Member States the task of encouraging patients to report serious incidents through suitable measures, such as an information campaign. Through these measures, it could be achieved that EUDAMED truly “reaches” the patient.

Authorities and Vigilance

If a competent authority receives reports from healthcare professionals, users, or patients about suspected serious incidents, this authority informs the product manufacturer. The latter must then check whether it is indeed a serious incident or not. If so, this serious incident must be reported according to usual procedures. This also applies to EUDAMED, once it is available.

If the manufacturer does not believe it is a serious incident, this decision must be justified and coordinated with the authority. Should no agreement be reached, the authority’s opinion prevails, and it must still be reported.

“The Commission, in cooperation with the Member States, shall set up systems and processes to actively monitor the data within the [electronic system] to identify trends, patterns or signals in the data that may reveal new risks or safety concerns. If a previously unknown risk is identified or if the frequency of an expected risk leads to a significant and adverse change in the benefit-risk determination, the competent authority or, where appropriate, the coordinating competent authority shall inform the manufacturer […], who shall then take the necessary corrective actions.” [Article 90, MDR]

Accordingly, the data in EUDAMED should be systematically monitored and analyzed. It is open whether data sets must be manually reviewed by authority staff or whether software, possibly even AI-based, will provide support. As soon as we have further information on this, we will add it here.

Particularly interesting in this paragraph are the points “previously unknown risk”. To determine whether a risk (for the manufacturer) was previously unknown, the risk analysis of the respective technical documentation of the product would have to be checked. It is therefore completely unclear how an authority is to determine whether a risk was unknown and whether a corrective action is appropriate. Even for products approved with the involvement of a notified body, such detailed data on the respective risk analyses are not stored in EUDAMED. It therefore remains to be seen how this part of the MDR will be implemented in practice.