The RA Manager's Guide to RPM: Navigating EU MDR and FDA Compliance

2026/03/09

Author: Jian Wang (王健), RAC
Vice President, Quality & Regulatory Affairs at VistaMed Technologies
Jian Wang is a certified Regulatory Affairs professional (RAC) with over 18 years of experience masterfully navigating the complex landscape of international medical device regulations, personally leading VistaMed's successful FDA, CE, and ISO certification efforts.

I recently reviewed a technical file from a promising medical device start-up. They had impressive clinical claims and a sleek-looking device. But when I got to their post-market surveillance plan, it was a single paragraph. It vaguely promised to "monitor customer complaints and literature." They had no concrete mechanism for collecting the real-world performance data needed to back up their claims and ensure ongoing safety after the product launched.

From my perspective, this is a fatal flaw. In today's regulatory environment, it's not enough to prove a device is safe and effective at the moment of launch. You must prove it stays safe and effective throughout its entire lifecycle.

This is where the conversation about Remote Patient Monitoring (RPM) shifts for a Regulatory Affairs professional. The clinical team sees a tool for patient care. I see a powerful compliance engine. The true "benefit" of a well-designed RPM platform is not just clinical; it is a profound risk mitigation and compliance automation tool.

A VP of Regulatory's Perspective
"A well-designed RPM platform is not just a clinical tool; it is a compliance engine. It automates the collection of the very post-market performance and safety data that regulators demand. From a regulatory point of view, this is its most powerful benefit."
– Jian Wang (王健), RAC

The Core Questions for Regulatory Due Diligence

For an RA Manager, vetting a potential RPM partner isn't about the screen brightness or the color of the device. It's about drilling down into the architecture of their quality and compliance systems. These are the questions I ask.

How does an RPM platform help meet Post-Market Surveillance (PMS) requirements under EU MDR?

This is the most critical question for any device sold in Europe. The EU's Medical Device Regulation (MDR 2017/745) has dramatically elevated the requirements for Post-Market Surveillance. A passive system of waiting for complaints is no longer sufficient. The regulation mandates a proactive, living process.

Specifically, your PMS plan must feed into your Post-Market Clinical Follow-up (PMCF) plan and your Clinical Evaluation Report (CER). You need a constant stream of real-world data to confirm your device's safety and performance. An integrated RPM platform is that data stream. Every reading from a connected blood pressure monitor or pulse oximeter is a data point for your PMCF study. It provides an automated, auditable, and continuous flow of the very information Article 83 of the MDR requires. Attempting to gather this data manually through surveys or registries is expensive, slow, and often results in poor-quality data. A built-in RPM platform makes this process an automated function of the device's intended use. When an auditor from a Notified Body reviews our CE technical file, the first thing they see is that our connected devices, by their very nature, are designed to fulfill the ongoing clinical evidence requirements found in the EU MDR.

What documentation should I demand to verify a vendor's cybersecurity posture?

For any connected device, "HIPAA compliant" is just a marketing slogan. For an RA Manager preparing a 510(k) submission, the FDA demands far more. In my experience preparing these submissions, the FDA reviewers go straight to the cybersecurity section of the technical file.

You must demand more than just a certificate. Ask for the hard documents:

  • The Threat Model: A document that identifies credible cybersecurity risks and the specific design features and controls that mitigate them.
  • The Vulnerability Management Plan: The vendor's documented process for monitoring, identifying, and patching vulnerabilities after the product is on the market.
  • The Software Bill of Materials (SBOM): A complete inventory of all third-party software components used in the device, including open-source libraries. This is critical for assessing supply chain risk.

If a vendor cannot produce these documents, their device is not ready for a serious FDA review, and it represents a significant compliance risk to your organization.

Can an RPM platform simplify my ISO 13485 audit process?

Yes, significantly. A core principle of the ISO 13485:2016 standard is the analysis of data to drive quality improvements. Specifically, I look at two clauses: Clause 8.2.1 (Customer Feedback) and Clause 8.4 (Analysis of Data).

An RPM platform provides a direct, auditable firehose of data for both. Error codes, transmission failures, and low-battery warnings are no longer just anecdotal patient complaints; they become structured data that can be analyzed for trends. Usage patterns can identify if a device is too complex or if instructions are unclear. This automates a huge part of the data collection required to demonstrate a living, breathing Quality Management System to your auditor. When BSI audits our facility for our certificate (No. FS 738429), we can show them the dashboard that provides this data in real time. It is the ultimate proof of a closed-loop quality system.

Your Regulatory Due Diligence Checklist

Based on my 18 years of navigating these submissions, this is my non-negotiable checklist for vetting a new device platform vendor. I will not approve a partnership until I have satisfactory answers for every item.

  • ISO 13485 Certificate: Is it current, valid, and from a reputable notified body (e.g., BSI, TÜV SÜD)? I ask for the certificate number and verify it online.
  • CE Mark Certificate: Is it issued under the new EU MDR 2017/745, or the obsolete MDD? This is a critical distinction that many vendors try to obscure.
  • FDA Clearance: Can they provide the 510(k) clearance letter from the FDA? "FDA Registered" or "FDA Compliant" is not the same as "FDA Cleared."
  • Clinical Evaluation Report (CER): Can they provide the full CER? It must be compliant with MEDDEV 2.7/1 rev. 4 and the MDR. I review this document personally.
  • Cybersecurity File: Can they provide, under NDA, their threat model and vulnerability management plan?
  • Signed BAA: Will they sign a Business Associate Agreement demonstrating their commitment to handling PHI under HIPAA?

About the Author
Jian Wang (王健), RAC serves as Vice President, Quality & Regulatory Affairs at VistaMed Technologies. As a certified Regulatory Affairs professional (RAC) with over 18 years of experience, he masterfully navigates the complex landscape of international medical device regulations. Jian has personally led the efforts for VistaMed to secure and maintain critical certifications, including FDA 510(k) Clearance, CE Mark under EU MDR 2017/745, and the ISO 13485:2016 quality management system certification (BSI Certificate No. FS 738429). This guide draws on his extensive, first-hand experience in vetting device partners and preparing successful regulatory submissions across the globe.

Clinically & Regulatory Reviewed By: Dr. Michael Bauer, PhD, Head of Clinical Research
The information provided is for informational purposes and intended for a B2B audience of healthcare professionals and procurement decision-makers. It is not a substitute for professional medical or financial advice. TCO and ROI results may vary based on facility size, usage patterns, and local market conditions. All certifications and regulatory clearances referenced are accurate as of the date of publication. Please contact VistaMed Technologies for the most current documentation.