---
title: Customer Training Programs for Medical Devices Under MDR
description: When customer training is a risk control under MDR, how to build compliant training programs, and how to document evidence that will survive audit.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: customer training programs MDR
canonical_url: https://zechmeister-solutions.com/en/blog/customer-training-programs-mdr
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Customer Training Programs for Medical Devices Under MDR

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Customer training is a nice-to-have until it becomes a risk control. Once your risk management file states that a hazardous use error is mitigated by training, that training becomes a regulated deliverable under MDR Annex I GSPR 5 and 23, EN 62366-1:2015+A1:2020 and EN ISO 14971:2019+A11:2021. Every attendee record becomes evidence your notified body will ask to see.**

## TL;DR
- MDR Annex I GSPR 5 requires manufacturers to eliminate or reduce risks related to use error, taking into account the technical knowledge and training of intended users.
- MDR Annex I Section 23 requires the instructions for use to contain all the information users need to operate the device safely, including any necessary training.
- EN 62366-1:2015+A1:2020 is the usability engineering standard referenced by the MDR for use error mitigation.
- If your risk management file lists training as a risk control, the training becomes a validated deliverable and training records become part of the quality system.
- Virtual training is acceptable under MDR if it can demonstrably achieve the same risk reduction as in-person training; the burden of proof is on the manufacturer.

## The moment training stops being marketing

There is a decision in every risk management file that changes what "customer training" means. A team is reviewing the hazardous situations for a new device. They find one where the user could misinterpret a signal and administer an incorrect dose. The residual risk after design and labelling mitigations is still too high. Someone says: "We will train the users." They tick the box. The risk moves from red to green. The file is signed.

In that moment, training became a risk control. And the moment training becomes a risk control, it moves from the marketing department to the quality system. Under EN ISO 14971:2019+A11:2021, risk controls must be verified as implemented and must be verified as effective. Under EN 62366-1:2015+A1:2020, training is an acceptable risk mitigation only if the training is validated to achieve the intended risk reduction. Under MDR Annex I Chapter III Section 23, the instructions for use must specify the training required. Under EN ISO 13485:2016+A11:2021 clause 7.5.1, the requirement to deliver services under controlled conditions applies. None of that is optional.

Startups that get this wrong sign a risk file that claims training as a control, then deliver training as a pitch deck with no attendance tracking, no competence check, and no validation that users can actually operate the device safely after attending. When the notified body asks to see the training and its evidence, the startup cannot produce any. The CAPA that follows is painful and usually slows the next audit cycle.

## What MDR actually says about training

Four regulatory anchors matter.

**MDR Annex I GSPR 1** requires devices to achieve their intended performance and to be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They must be safe and effective and must not compromise the clinical condition or the safety of patients, users or others.

**MDR Annex I GSPR 5** addresses risks related to use error. Manufacturers must reduce as far as possible the risks related to the ergonomic features of the device and the environment in which the device is intended to be used, taking into account the technical knowledge, experience, education and training of the intended users. The phrase "training of the intended users" is the hook: the regulation explicitly anticipates training as a factor in risk control.

**MDR Annex I Chapter III Section 23** governs the information supplied by the manufacturer. Section 23.4 lists the content the instructions for use must contain, which includes any required user training and any qualifications required of users. If your IFU states that the device may only be used after completion of manufacturer-provided training, that statement is a binding regulatory claim. The training must exist, must be delivered, and must produce records.

**EN 62366-1:2015+A1:2020** is the harmonised usability engineering standard. It sets out how to apply usability engineering to medical device design, how to identify use-related hazards, how to establish use scenarios, how to conduct formative and summative evaluations, and how to decide when a risk related to use is acceptably controlled. Under EN 62366-1, training is recognised as a risk control of last resort: you use it when inherent safety through design and protective measures are not sufficient. The standard requires that, when training is used as a control, the effectiveness of the training must be validated.

Together these instruments mean: you can use training as a risk control, but you must say so in the risk file, document it in the IFU, validate its effectiveness under EN 62366-1, deliver it under a controlled procedure, and keep records of who received it and what they demonstrated.

## A worked example: infusion pump for home use

A startup develops an infusion pump intended for home use by patient caregivers. The usability evaluation under EN 62366-1 identifies three critical use errors: incorrect priming, incorrect dose programming, and failure to recognise an occlusion alarm. Design changes reduce the severity of two of these. The third — incorrect dose programming — cannot be designed out without an unacceptable trade-off. The team decides that a mandatory caregiver training program will be the primary mitigation.

What does that training look like once it is a risk control?

The risk management file lists training explicitly as a control for the dose-programming hazardous situation, with a cross-reference to the training procedure in the QMS. The IFU under Annex I Section 23 states: "This device may only be used by caregivers who have completed the manufacturer's certified training program." The training procedure lives in the QMS as a controlled document, with a defined objective, scope, content, delivery method, assessment method, pass criteria and record.

The training is delivered in two formats: an in-person session for the first hundred customers, and a validated virtual training for scale. Before the virtual training is allowed to substitute for in-person training, a validation study under EN 62366-1 summative evaluation principles shows that caregivers who complete the virtual format make use errors at a rate statistically equivalent to caregivers who completed the in-person session. That validation study becomes part of the usability engineering file.

Every caregiver who completes training signs a record. The record captures their identity, the device serial number they will use, the date, the version of the training material, the assessment score, and the signature of the trainer. Records live in the same system as complaint handling and PMS data, linked to device serial number. When a complaint arrives about dose programming, the first thing the complaint handler can see is whether the caregiver completed training and when.

A notified body auditor asks two questions. First: show me that your IFU statement about required training is true. The team produces the procedure, the validation study and a sample of records. Second: show me a complaint involving a trained caregiver and tell me what you learned. The team produces a complaint record, the linked training record, and a PMS analysis that drove a small update to the training material three months earlier.

None of this is expensive. All of it is mandatory once training is in the risk file.

## The Subtract to Ship playbook

The question you must answer first, and in writing, is this: is training a risk control for my device, yes or no?

If the answer is no, training is a commercial deliverable. It must still be truthful (no misleading claims under Article 7), but it does not carry the full weight of the QMS.

If the answer is yes, follow this minimum path.

**State it in the risk file.** The decision to use training as a control must be explicit in the risk management file under EN ISO 14971:2019+A11:2021. Cross-reference the training procedure in the QMS.

**State it in the IFU.** Under MDR Annex I Section 23.4, the IFU must state that training is required, who may use the device, and what qualifications or training completion are prerequisites. Do not over-promise: if the IFU says "certified", every record must reflect certification.

**Validate training effectiveness.** Under EN 62366-1:2015+A1:2020, a risk control via training is acceptable only if its effectiveness is validated. For a startup, this can be a small summative evaluation: a defined number of representative users, a defined scenario, an observed error rate below the threshold that the risk file accepts. The study is a document in the usability engineering file.

**Control the training as a QMS process.** Create a controlled training procedure. Version the training material. When the material changes, trigger a change control and re-validate if the change is substantive. Under EN ISO 13485:2016+A11:2021, this is a clause 4.2.4 document control question.

**Record every delivery.** Each training event generates records with named attendees, date, version of material, assessment outcome, and signature. Records must be linkable to device serial numbers where the device is assigned to a specific user.

**Choose virtual carefully.** Virtual training is not prohibited under MDR, and for scaling startups it is essential. But if your risk file relies on training as a control, the virtual format must be validated to achieve at least the same risk reduction as the in-person format. Keep the validation evidence.

**Feed training data into PMS.** Under MDR Articles 83 to 86, training completion rates, assessment failure rates, and user questions received during training are legitimate PMS data sources. Name them in the PMS plan under Annex III.

## Reality Check

1. Does your risk management file explicitly state whether training is a risk control for any hazardous situation?
2. If training is a risk control, does your IFU state this clearly under Annex I Section 23?
3. Have you conducted a summative evaluation under EN 62366-1:2015+A1:2020 that validates training effectiveness?
4. Is your training procedure a controlled QMS document with a named owner and version history?
5. For every attendee in the last twelve months, can you produce a training record with assessment outcome?
6. If you use virtual training, do you have documented evidence it achieves the same risk reduction as in-person delivery?
7. When training material changes, do you trigger change control and re-validation?
8. Does your PMS plan name training data as a data source?

## Frequently Asked Questions

**Is customer training required for every medical device under MDR?**
No. MDR Annex I Section 23 requires the IFU to contain the information users need for safe use, which may or may not include formal training. Training becomes mandatory when it is designated as a risk control, when the intended users cannot safely operate the device without it, or when the IFU states that training is required.

**Can I promise training on my website but not deliver a controlled program?**
No. Under MDR Article 7, promotional material must not be misleading. If your promotional material or IFU promises certified or mandatory training, the training must exist under the quality system and must produce records.

**What is the difference between training as a risk control and training as support?**
Risk control means your risk file assumes the training will reduce the probability or severity of a specific hazardous situation. Support means the training helps users get more value but is not relied upon for safety. Risk control carries QMS, validation and record-keeping obligations. Support does not, though it must still be truthful.

**Is online self-paced training sufficient?**
It can be, if validated under EN 62366-1:2015+A1:2020 to achieve the required risk reduction. The format is not the issue. The evidence of effectiveness is.

**Who owns training records in a startup?**
The quality management system. The training records are quality records and must be controlled under EN ISO 13485:2016+A11:2021. The person who signs them off should be the PRRC or a named quality owner.

**How do notified bodies audit customer training?**
They read the risk file, look for training as a control, check the IFU statement, ask to see the training procedure, the validation evidence, a sample of records, and the link between training records and any relevant complaints. A weak link anywhere in the chain becomes a finding.

## Related reading
- [Patient information and lay users under MDR](/blog/patient-information-lay-users-mdr) — when your users are patients, not professionals.
- [Instructions for use: MDR compliant](/blog/instructions-for-use-mdr-compliant) — how training claims sit inside the IFU.
- [MDR competence requirements under ISO 13485](/blog/mdr-competence-requirements-iso-13485) — internal training is governed by the same system.
- [Post-market service and support operations](/blog/postmarket-service-support-operations) — training data as a PMS input.
- [MDR Annex I general safety and performance requirements](/blog/mdr-annex-i-gspr) — the GSPR framework training must satisfy.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I Chapter I (GSPR 1, GSPR 5), Annex I Chapter III Section 23.
2. EN 62366-1:2015+A1:2020 — Medical devices — Part 1: Application of usability engineering to medical devices.
3. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices.
4. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes, clauses 4.2.4, 6.2, 7.5.1.

---

*This post is part of the [Team Building, Operations & Scaling](https://zechmeister-solutions.com/en/blog/category/team-operations) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
