R-001-005 List of applicable standards and regulations
Introduction
In accordance with Regulation (EU) 2017/745 (MDR), especially Annex II (Technical Documentation), Annex IX (Conformity Assessment), and Article 10(9), the manufacturer must maintain an up-to-date list of all applicable standards, regulations, and guidance documents relevant to the product and the QMS. This list is compiled within the QMS and reviewed at least annually, and whenever necessary (e.g., when new or revised standards are published, or regulatory requirements change). Documents are organized in folders according to topic or country.
The following tables provide a comprehensive overview of all applicable standards and regulations stored in the QMS, as required by MDR Annex II, Section 4 and Annex IX, Section 2.3. Each table corresponds to a specific folder or regulatory domain.
Spanish Regulations
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 02_01 | Instrucción PS1/2022 sobre el procedimiento de licencia previa de funcionamiento de instalaciones de productos sanitarios | AEMPS | PS 1/2022 | 2022-04-01 | Full (applicable requirements according to the type of product) |
| 02_02 | CERTPS-ManualEmpresa: Certificado de libre venta | AEMPS | 2.1 | 2023-11-21 | Full (applicable requirements according to the type of product) |
| 02_03 | R_DEX_18_Guía para la elaboración de la documentación técnica: Marcado CE MDR | CNCPS | 3 | 2024-12-01 | Full (applicable requirements according to the type of product) |
| 02_04 | Real Decreto 192/2023 por el que se regulan los productos sanitarios_7416 | BOE | Not specified | 2023-03-21 | Full (applicable requirements according to the type of product) |
| 02_05 | Real Decreto 1907/1996 sobre publicidad y promoción comercial de productos, actividades o servicios con pretendida finalidad sanitaria | BOE | Not specified | 1996-08-06 | Full (applicable requirements according to the type of product) |
| 02_06 | Real Decreto 1591/2009 por el que se regulan los productos sanitarios | BOE | Not specified | 2009-11-06 | Full (applicable requirements according to the type of product) |
| 02_07 | Real Decreto 1090/2015 por el que se regulan los ensayos clínicos con medicamentos, los Comités de Ética de la Investigación con medicamentos y el Registro Español de Estudios Clínicos | BOE | Not specified | 2015-12-24 | Full (applicable requirements according to the type of product) |
| 02_08 | Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) | BOE | 3/2018 | 2018-12-06 | Full (applicable to personal data processed in the context of medical devices) |
| 02_09 | Esquema Nacional de Seguridad (ENS) - Real Decreto 311/2022 | BOE | 311/2022 | 2022-05-03 | Partial (applicable to information systems in the public sector and to technology service providers) |
US Code of Federal Regulations (CFR - Title 21) and HIPAA
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 03_01 | Part 11 — Electronic Records; Electronic Signatures — Rules on the validity of electronic records and electronic signatures. | FDA | Not specified | 2023-06-02 | Partial |
| 03_02 | Part 801 — Labeling — Requirements for the content, format and placement of labeling. | FDA | Not specified | Not specified | Partial |
| 03_03 | Part 803 — Medical Device Reporting (MDR) — Obligation to report deaths, serious injuries and malfunctions. | FDA | Not specified | Not specified | Partial |
| 03_04 | Part 806 — Reports of Corrections and Removals — Obligation to report market corrections and removals. | FDA | Not specified | Not specified | Partial |
| 03_05 | Part 807 — Establishment Registration and Device Listing — Requirements to register the establishment and list the device. Includes the 510(k) notification (Subpart E). | FDA | Not specified | Not specified | Partial |
| 03_06 | Part 812 — Investigational Device Exemptions (IDE) — Requirements for clinical investigations. | FDA | Not specified | Not specified | Partial |
| 03_07 | Part 820 — Quality System Regulation (QSR) / QMSR — Quality Management System (QMS) requirements for design, manufacturing, packaging, etc. | FDA | Not specified | 2023-09-27 | Full (applicable requirements according to the type of product) |
| 03_08 | Part 822 — Postmarket Surveillance — Requirements for postmarket surveillance studies (Section 522), if required. | FDA | Not specified | Not specified | Partial |
| 03_09 | Part 860 — Medical Device Classification Procedures — Procedures to classify or reclassify devices. | FDA | Not specified | Not specified | Partial |
| 03_10 | Parts 862-892 — Classification Panels — Specialty-based classification list. Used to find product code and predicate for 510(k). | FDA | Not specified | Not specified | Partial |
| 03_11 | Health Insurance Portability and Accountability Act (HIPAA) — US law for data privacy and security provisions for safeguarding medical information. | HHS | Not specified | 1996-08-21 | Full (applies to protected health information in the US) |
EU Medical Device Regulations and GDPR
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 04_01 | Directive 93/42/EEC concerning medical devices | European Commission | M5 | 2007-10-11 | Full (applicable requirements according to the type of product for the Legacy Device) |
| 04_02 | Regulation 2017/745 on medical devices | European Commission | M1 | 2020-04-24 | Full (applicable requirements according to the type of product) |
| 04_03 | Regulation 2017/2185 related to codes and medical devices | European Commission | | 2017-11-24 | Partial |
| 04_04 | Regulation 2023/607 amending Regulations (EU) 2017/745 and (EU) 2017/746 as regards the transitional provisions | European Commission | | 2023-03-20 | Full (applicable requirements according to the type of product for the Legacy Device) |
| 04_05 | Commission regulation 2021/2226 on electronic instructions for use of medical devices | European Commission | | 2021-12-14 | Full (applicable requirements according to the type of product) |
| 04_06 | Regulation (EU) 2024/1689 - Artificial Intelligence Act | European Commission | | 2024-07-12 | Partial |
| 04_07 | Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) — EU law on data protection and privacy. | European Parliament and Council | 2016/679 | 2016-04-27 | Full (applies to personal data processing in the EU) |
Guides
There are both European (MDCG, MedDev) and US (FDA) guidelines applicable to medical device software, including those with AI and cybersecurity, especially for Class II devices. Below are the main guideline categories consulted during the preparation of medical device documentation.
EU Guidelines
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 05_01 | Manual on borderline and classification in the community regulatory framework for medical devices | | 1.22 | 2019-05-01 | Partial |
| 05_02 | Additional guidance regarding the vigilance system as outlined in MEDDEV 2.12-1 rev.8 | European Commission | 8 | 2018-11-04 | Partial |
| 05_03 | MDCG 2020-5 Clinical evaluation - Equivalence | MDCG | 0 | 2020-04-01 | Partial |
| 05_04 | MDCG 2020-7 PMCF plan template | MDCG | 0 | 2020-04-01 | Partial |
| 05_05 | MDCG-2020-8 PMCF evaluation report template | MDCG | 0 | 2020-04-01 | Partial |
| 05_06 | MDCG-2020-1 Guidance on clinical evaluation of MD software | MDCG | 0 | 2020-03-01 | Partial |
| 05_07 | MDCG 2022-4 Guidance on appropriate surveillance regarding the transitional provisions under Article 120 of the MDR about devices covered by certificates according to the MDD or the AIMDD | MDCG | 2 | 2024-05-01 | Full (applicable requirements according to the type of product) |
| 05_08 | MDCG 2022-2021 Guidance on PSUR according to regulation (EU) 2017/745 MDR | MDCG | 0 | 2022-12-01 | Partial |
| 05_09 | MDCG 2023-3 Questions and answers on vigilance terms and concepts as outlined in the Regulation (EU) 2017/745 on medical devices | MDCG | 2 | 2025-01-01 | Full (applicable requirements according to the type of product) |
| 05_10 | Meddev 2.1/6 Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices | European Commission | 0 | 2016-07-01 | Partial |
| 05_11 | Meddev 2.7/1 Guidelines on medical devices | European Commission | 4 | 2016-06-01 | Partial |
| 05_12 | 2023/C 163/06 Content and structure of the summary of the clinical investigation report | European Commission | | 2023-05-08 | Full (applicable requirements according to the type of product) |
| 05_13 | MDCG 2020-3 Guidance on significant changes regarding the transitional provision under Article 120 of the MDR about devices covered by certificates according to MDD or AIMDD | MDCG | 1 | 2023-05-01 | Partial |
| 05_14 | Manual on borderline and classification for medical devices under Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices | | 3 | 2023-09-01 | Partial |
| 05_15 | Principles and practices for medical device cybersecurity | IMDRF | | 2020-03-18 | Partial |
| 05_16 | Machine Learning-enabled Medical Devices: Key Terms and Definitions | IMDRF | | 2022-05-06 | Full (applicable requirements according to the type of product) |
US Guidelines
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 05_17 | Software as a Medical Device (SaMD): Clinical Evaluation | FDA/IMDRF | IMDRF/SaMD WG/N41FINAL:2017 | 2017-12-21 | Full (applicable requirements according to the type of product) |
| 05_18 | Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices | FDA | FDA-2019-D-5588 | 2021-11-04 | Full (applicable requirements according to the type of product) |
| 05_19 | Artificial Intelligence and Machine Learning (AI/ML) Software as a Medical Device Action Plan | FDA | N/A | 2021-01 | Full (applicable requirements according to the type of product) |
| 05_20 | Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions | FDA | FDA-2021-D-1158 | 2023-09-27 | Full (applicable requirements according to the type of product) |
| 05_21 | General Principles of Software Validation; Final Guidance for Industry and FDA Staff | FDA | FDA-2008-D-0094 | 2002-01-11 | Full (applicable requirements according to the type of product) |
| 05_22 | Deciding When to Submit a 510(k) for a Software Change to an Existing Device | FDA | FDA-2017-D-6569 | 2017-10-25 | Full (applicable requirements according to the type of product) |
| 05_23 | Postmarket Management of Cybersecurity in Medical Devices | FDA | FDA-2016-N-2261 | 2016-12-28 | Full (applicable requirements according to the type of product) |
| 05_24 | Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices | FDA | FDA-2015-N-0001 | 2017-09-06 | Full (applicable requirements according to the type of product) |
| 05_25 | Computer Software Assurance for Production and Quality System Software | FDA | FDA-2022-D-0795 | 2022-09-13 | Full (applicable requirements according to the type of product) |
Clinical Practice Guidelines (EU and US)
| Code | Name | Source | Version | Date | Compliance |
|---|---|---|---|---|---|
| 05_26 | Guideline for good clinical practice E6 (R2) Step 5 | EMA/ICH | E6 (R2) | 2017-06-14 | Partial |
International Standards
| Code | Name | Source | Version | Date | Harmonized/Recognized (number) | Compliance |
|---|---|---|---|---|---|---|
| 06_01 | ISO 13485:2016 Medical devices. Quality management systems. Requirements for regulatory purposes | ISO | E | 2016-03-01 | EU Harmonized: EN ISO 13485:2016 / FDA Recognized: Yes (No. 5-114) | Establishes the requirements for a quality management system specific to medical devices. All QMS processes are aligned to ensure compliance with this standard. |
| 06_02 | IEC 62304:2006/A1:2015 Medical device software - Software life cycle processes | AENOR | | 2015-06-01 | EU Harmonized: EN ISO 62304:2006/A1:2015 / FDA Recognized: Yes (No. 13-79) | Defines the life cycle requirements for medical device software. Applied to all software development and maintenance activities for our products. |
| 06_03 | IEC 82304-1:2016 Health software - Part 1: General requirements for product safety | IEC | 1 | 2016-10-01 | EU Harmonized: EN IEC 82304-1:2021 / FDA Recognized: Yes (No. 13-135) | Specifies safety and security requirements for health software products. Considered in the design and technical documentation of all health software. |
| 06_04 | ISO 14155 Investigación clínica de productos sanitarios para humanos. Buenas prácticas clínicas | UNE | | 2020 | EU Harmonized: EN ISO 14155:2020 / FDA Recognized: Yes (No. 2-156) | Provides requirements for the design, conduct, recording, and reporting of clinical investigations. Applied to all clinical investigations involving our devices. |
| 06_05 | ISO 14971:2019 Medical devices - Application of risk management to medical devices | ISO | | 2019-12-01 | EU Harmonized: EN ISO 14971:2019 / FDA Recognized: Yes (No. 5-117) | Establishes a process for risk management for medical devices. All risk management activities are performed in accordance with this standard. |
| 06_06 | ISO 15223-1:2021 Medical devices - Symbols to be used with medical device labels, labelling and information to be supplied | ISO | | 2021-07-01 | EU Harmonized: EN ISO 15223-1:2021 / FDA Recognized: Yes (No. 5-120) | Specifies symbols for use in medical device labeling. All labeling and IFU are reviewed for compliance with this standard. |
| 06_07 | ISO 24791 Medical devices - Guidance on the application of ISO 14971 | ISO | 2 | 2020-06 | EU Harmonized: EN ISO 24791:2020 / FDA Recognized: No | Provides guidance on the application of ISO 14971 for risk management. Used as a reference to ensure best practices in risk management. |
| 06_08 | ISO 62366-1:2015/A1:2020 Medical devices - Part 1: Application of usability engineering to medical devices | AENOR | | 2020-08-01 | EU Harmonized: EN ISO 62366-1:2015/A1:2020 / FDA Recognized: Yes (No. 5-119) | Specifies usability engineering requirements to ensure safe use of medical devices. Usability is addressed in product design and documentation. |
| 06_09 | ISO 27001 Tecnología de la información. Técnicas de seguridad. Sistemas de gestión de la seguridad de la información. Requisitos | UNE | | 2017-02-01 | EU Harmonized: EN ISO 27001:2017 / FDA Recognized: No | Provides requirements for an information security management system. Considered for the protection of information in our QMS and IT systems. |
| 06_10 | ISO 27002 Tecnología de la información. Técnicas de seguridad. Código de prácticas para los controles de seguridad de la información | AENOR/MINCOTUR | | 2017-05-01 | EU Harmonized: EN ISO 27002:2017 / FDA Recognized: No | Offers guidelines for organizational information security standards and practices. Used as a reference for IT security controls. |
| 06_11 | Good machine learning practice for MD development: guiding principles | FDA, Health Canada / Medicines & Healthcare products Regulatory Agency | | 2021-10-01 | IMDRF: GMLP / FDA Recognized: No / EU Harmonized: No | Provides guiding principles for the development of machine learning-enabled medical devices. Used to inform development and validation of AI/ML components. |
| 06_12 | Proposed regulatory framework for modifications to AI/ML-based SaMD | FDA | | 2019-04-02 | FDA Recognized: No / EU Harmonized: No | Outlines a regulatory approach for modifications to AI/ML-based software as a medical device. Used as reference for regulatory strategy. |
| 06_13 | IEC 81001-5-1:2021 Health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle | IEC | 1 | 2021-12-01 | EU Harmonized: EN IEC 81001-5-1:2021 / FDA Recognized: No | Specifies requirements for cybersecurity activities throughout the product life cycle of health software and IT systems. Applied to ensure security in product development and maintenance. |
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001