Use case Medtech · Hamburg-Mitte · MDR + IEC 62304 + MHRA

MDR vigilance tickets in 15 days - severity-classified, BfArM-reporting-ready, Notified Body audit-ready. MHRA + FDA bridge handled.

MDR vigilance tickets from 64 countries within 15-day deadline. Severity classification, BfArM reporting, IEC 62304, ISO 13485. Notified Body audit-ready. MHRA post-Brexit + FDA 21 CFR bridge.

Workshop at Grindelberg All 7 use cases ←

Chapter 1 — The 15-day deadline as bottleneck

80 service tickets per day from 64 countries. Severity classification within 15 days mandatory.

Hamburg medtech manufacturers (endoscopy focus, ~1,200 staff, of which 240 in worldwide service/field) process 80 service tickets per day from 64 countries. English main channel with local-language mix: Spanish from Latin America, Portuguese from Brazil, Japanese. MDR EU 2017/745 Art. 87 requires severity classification and BfArM reporting within 15 days for serious incidents, 30 days for trends. For UK-market access post-Brexit: MHRA equivalent reporting under UK MDR 2002 (as amended) within similar window.

Current practice: 4 full-time compliance team staff, weekend on-call critical. Severity classification per MDCG 2019-11 (B/C/D scale). At severity B (serious incident: death, life-threatening, permanent impairment) automatic BfArM reporting. At severity D (reportable field safety corrective action) field-safety-corrective-action path with Notified Body notification.

Decision-Layer split typical for MDR vigilance triage: 50 percent RULES (15-day deadline status, BfArM classification trees, mandatory field validation product/serial/incident), 30 percent AI AUTONOMOUS (language detection, severity match against risk-management file, symptom classification), 20 percent HUMAN (incident assessment severity B, Notified Body escalation, trend analysis on repeated incidents).

In February 2026 the Hamburg data protection authority published a catalogue of requirements on AI in medical devices - algorithm transparency for image diagnostics, audit trail over training data, Notified-Body-certified risk assessment. Decision-Layer architecture meets these requirements architecturally. For UK market via MHRA: AI Airlock pilot framework parallel-applies.

Chapter 2 — Decision-Record for an MDR vigilance ticket

How an incoming service ticket from São Paulo is triaged in the Decision-Layer.

Anonymised decision-record for an incoming service ticket from Brazil (São Paulo) at a Hamburg endoscopy manufacturer. Ticket intake Day 1 of 15. Severity classification and BfArM reporting preparation. Same workflow works for UK MHRA reporting if UK product registration applies.

VIG-2026-05-15-BR-SP-EN450-014

Service ticket · Endoscope EN450 · São Paulo BR · Intake 15.05.2026 09:18 · Day 1 of 15

Result Severity B suspected · BfArM reporting initiated
  1. 01 REGEL

    Intake validation + deadline start

    Ticket from Brazil (São Paulo service centre) per standard form. Mandatory fields product (EN450), serial number (SN-2024-0488123), incident description in PT-BR. Deadline start 15.05.2026 09:18, Day 1 of 15. Rule vig_intake_v3.4.

    ✓ Intake valid
  2. 02 KI

    Language detection + translation

    Incident description in PT-BR (Portuguese Brazil) detected. Translation to EN for internal triage. Original PT-BR remains for audit trail. Model multilingual-medtech-v3.1.

    Confidence 0.96 · threshold 0.85

    ✓ Translated
  3. 03 KI

    Symptom classification against risk-management file

    Described symptom (endoscope overheating during procedure, patient injury grade 2) mapped against risk-management file of product EN450. Match: Risk-ID R-EN450-007 (thermal hazard). Model medtech-symptom-classifier-v2.5.

    Confidence 0.91 · threshold 0.85

    ✓ Risk R-EN450-007
  4. 04 REGEL

    MDCG 2019-11 classification

    Patient injury grade 2 + thermal hazard + procedure-relevant = severity B (serious incident: permanent impairment possible). Classification tree per MDCG 2019-11. Rule mdcg_2019_11_v1.7.

    ▲ Severity B
  5. 05 MENSCH

    Compliance officer mandatory review

    Mandatory stop at severity B suspicion. Compliance officer Ms B. (MDR-certified) receives structured data set with symptom, Risk-ID, original language and classification reasoning. Confirms severity B after 35 min review. Documented with timestamp.

    ✓ Severity B confirmed
  6. 06 REGEL

    BfArM reporting preparation

    Severity B triggers BfArM reporting within 15 days (Day 1 running). Structured data set for BfArM mandatory form generated (product, serial number, incident, patient status, risk classification, manufacturer measures). Parallel MHRA form prepared if UK product registration exists. Rule bfarm_mhra_reporting_v4.2.

    ✓ BfArM + MHRA forms pre-filled
  7. 07 KI

    Trend analysis against past-incident database

    Symptom + product + Risk-ID compared against last 24 months incidents. 2 similar incidents (Lima 2024-11, Frankfurt 2025-08). Trend indicator: 'growing' not met (3/24 months < trend threshold 5/24). Model trend-analyzer-v2.0.

    ✓ No trend
  8. 08 REGEL

    PMS update + Notified Body pre-notification

    Incident integrated into Post-Market Surveillance Plan. PSUR update for next period flagged. TÜV SÜD (Notified Body for EN450) receives pre-notification with tracking ID (mandatory at severity B). For UK market: BSI UK as UK-Approved Body parallel notified. Rule pms_psur_v3.1.

    ✓ PMS updated
  9. 09 REGEL

    Audit trail + ISO 13485 QMS persist

    Complete decision-record with model versions, input hashes, human intervention (Ms B. timestamp + reasoning), BfArM/MHRA reporting status persisted. Audit trail view for Notified Body surveillance audit. ISO 13485 QMS record automatically created. Rule iso13485_audit_v1.4.

    ✓ Audit trail persisted

Chapter 3 — IEC 62304 + Notified Body workshop at Grindelberg

Head office Hallerstraße 8 - 12 min to Hamburg-Mitte medtech cluster.

Head office Hallerstraße 8 is 12 min by car to the Hamburg-Mitte medtech cluster (endoscopy manufacturers, imaging specialists, hospital suppliers). On-site meetings at compliance officers or Notified Body auditors same-day reachable. Engineering counterpart sits in Hamburg, knows MDR reality, not Berlin or Munich. For UK clients with German subsidiary: workshop spans MDR + UK MDR 2002 dual-stack.

IEC 62304 software lifecycle: Decision-Layer is classified as software within the QMS (not external). Software safety class set in discovery workshop - typically Class B for vigilance workflow tools (no-injury direct, but possible indirect impact). Verification + Validation records automated, risk-management-file updates structured-generated. On firmware updates of the medtech product, the Decision-Layer carries the lifecycle documentation update in parallel.

Workshop at Grindelberg addresses Notified Body reality: TÜV SÜD/BSI/DEKRA auditor trainings in separate room with live audit-trail demo. Compliance officer with MDR vigilance classification walk-through. ISO 13485 QMS integration with mock surveillance audit. For UK market: dedicated session on MHRA UKCA + AI Airlock + MHRA conformity assessment. Source code of Decision-Layer transferred to medtech manufacturer at repository handover - including QMS documentation for Notified Body surveillance.

Optional medtech co-pilot: On request, we bring Notified-Body-experienced compliance consultancy (e.g. Johner Institut partnership, MT-Procons) as co-pilot to the workshop - for QMS conformity assessment, MDR audit prep, IEC 62304 reviews, MHRA UK conversion. Decision-Layer remains Gosign space, compliance consultancy is co-pilot.

Related use cases

Frequently asked questions

Which MDR regulations does the Decision-Layer cover?
MDR EU 2017/745 (Medical Device Regulation), in particular Art. 87 (vigilance reporting with 15-day deadline for serious incidents, 30 days for trends), MDCG 2019-11 (MDSW Medical Device Software classification), IEC 62304 (software lifecycle), ISO 13485 (Medical Device Quality Management), Post-Market Surveillance Plan (PMS) per Art. 83-86. Plus FDA 21 CFR Part 820 for US-market vigilance if the Hamburg medtech manufacturer holds a US licence. Plus UK MHRA UK Conformity Assessed (UKCA) parallel if UK market access required - MHRA operates similar 15-day window post-Brexit but with UK Notified Body requirement. Notified Body audits by TÜV SÜD, BSI, DEKRA with annual surveillance + 5-year re-certification.
How is the 15-day deadline for severity classification met?
Service tickets from 64 countries incoming, often in English with local-language mix (Spanish from Latin America, Portuguese from Brazil, Japanese). Decision-Layer pattern: RULES step checks deadline status (Day 1 of 15) and mandatory fields (product, serial number, incident description). AI AUTONOMOUS classifies severity per MDCG 2019-11 (B/C/D scale), language detection, symptom-match against risk management file. HUMAN required at severity B (serious incident) - compliance officer reviews, BfArM reporting prepared. At severity D (reportable field safety corrective action) automatic escalation path.
How is IEC 62304 software lifecycle handled for firmware updates?
Endoscope firmware update means IEC 62304 software-lifecycle documentation update, risk reassessment, Notified Body notification. Current lead time: 14 weeks per update, customers waiting. Decision-Layer stores IEC 62304 software safety class (A/B/C) as constraint, automates Verification + Validation records, generates risk-management-file updates. Notified Body notification structured with audit trail. Human required at risk-acceptance decision by risk manager.
What about the HmbBfDI February 2026 catalogue on AI in medical devices?
The Hamburg data protection authority published a catalogue of requirements in February 2026 on algorithm transparency for AI-supported image diagnostics. Requirements: explainability of diagnostic decisions, audit trail over training data, Notified-Body-certified risk assessment. Decision-Layer architecture meets these requirements: every AI image evaluation with model version, input hash, confidence score, escalation path to radiologist on low confidence. Plus GDPR Art. 22 right of challenge for affected patients. UK parallel: MHRA AI Airlock pilot + ICO Article 22 require equivalent transparency on UK market.
Does the Decision-Layer also address Notified Body audit preparation with ISO 13485?
Yes. ISO 13485 is mandatory QMS standard for CE-certified medical devices. Decision-Layer is classified as software within the QMS (not external). IEC 62304 software safety class set in discovery workshop (typically Class B for vigilance workflow tools). MDR Annex IX/X conformity assessment documented. Post-Market Surveillance Plan (PMS), PSUR and trending integrated. At Notified Body audit (TÜV SÜD/BSI/DEKRA) 1-click export of audit-trail view is possible. For dual EU+UK market: parallel audit trail satisfies both MDR Annex IX and MHRA UKCA requirements.

Schedule workshop at Grindelberg

3-day discovery: Day 1 process analysis, Day 2 Decision-Layer mapping, Day 3 use-case prioritisation. Concrete deliverable.

Schedule meeting

Discovery workshop below EUR 10,000. Pilot fixed price discussed after the workshop.

← Back to overview: AI Agents Hamburg (7 use cases)