ISO 14155: What reviewers check before you submit the protocol
I reviewed a clinical investigation protocol last month. It followed ISO 14155 structurally. Every section was present. Every checkbox was ticked. The Notified Body rejected it on page two. The reason had nothing to do with formatting. It had everything to do with what the standard actually requires versus what teams think it requires.
ISO 14155 is not a template. It is not a list of headings to fill. It is a framework that forces you to justify every decision you make in your clinical investigation design.
Most teams treat it like a compliance exercise. They match the structure. They complete the sections. Then they wait for feedback that reveals the real problem: the design does not answer the clinical question.
The standard requires something deeper. It requires clinical reasoning that connects device characteristics, intended use, risk profile, and study design into a coherent argument. Without that reasoning, your protocol is just a collection of procedures.
What ISO 14155 actually defines
ISO 14155 establishes the good clinical practice standard for clinical investigations of medical devices on human subjects. It applies to all interventional studies under MDR Article 62.
The standard addresses two audiences. It tells investigators what they must do during the study. It tells sponsors what they must plan, control, and document before the study starts.
Most deficiencies come from the second part. Teams underestimate how much justification the planning phase requires.
The protocol is not a procedural manual. It is a scientific argument. Every design choice must be defended. Every endpoint must be justified. Every statistical assumption must be traceable to a clinical rationale.
ISO 14155 compliance starts with the clinical evaluation report. If your CER does not identify clear gaps or uncertainties that require clinical data, your investigation design will lack justification. The protocol must answer questions the CER could not resolve with existing literature.
The protocol structure versus the protocol logic
Section 6 of ISO 14155 lists the required protocol contents. Teams use this list as a checklist. They produce a document that contains all required sections.
But reviewers do not check presence. They check coherence.
Here is what that means in practice. Your protocol might state the primary endpoint. It might describe the statistical method. It might list the inclusion criteria. But if these elements do not form a logical chain, the protocol fails.
The endpoint must be clinically meaningful for the intended use. The statistical method must be appropriate for the endpoint type and sample size. The inclusion criteria must select a population that represents the target users.
When one element contradicts another, the entire design becomes questionable.
Protocols often define a primary endpoint but power the study for a secondary endpoint. Or they claim the investigation addresses safety but select endpoints that only measure performance. Reviewers spot these inconsistencies immediately. They indicate that the design was assembled rather than reasoned.
Risk management and investigation design
ISO 14155 requires the protocol to address risks to subjects. This is not a summary of ISO 14971 outputs. It is a separate analysis.
You must identify risks specific to the investigational context. Risks from the clinical setting. Risks from the procedures required by the protocol. Risks from the patient population you are enrolling.
Then you must explain how the design mitigates those risks. Not generally. Specifically.
If your device is used in a high-risk population, your inclusion criteria must justify why that population is necessary. If your procedure requires additional imaging, you must justify the radiation exposure. If your follow-up visits are frequent, you must explain why the data cannot be collected less invasively.
This is where most protocols become vague. They list risks. They list mitigation measures. But they do not connect the two with clear reasoning.
Reviewers expect to see trade-offs acknowledged. Every design decision involves risk. The protocol must show you understand what you are accepting and why the benefit justifies it.
Sample size and statistical considerations
ISO 14155 requires you to justify your sample size. Not just calculate it. Justify it.
The calculation comes from assumptions. Effect size. Variability. Statistical power. Significance level. Each assumption must be defendable.
Where did your effect size come from? Clinical literature? Pilot data? Expert opinion? If it came from expert opinion, you must explain why no literature was available. If it came from literature, you must show the literature is relevant to your device and population.
Variability assumptions are harder to defend. If you assume low variability, you need data to support that. If you have no data, your sample size becomes speculative. Reviewers know this. They question small sample sizes immediately.
Then there is the question of feasibility. Can you actually enroll the calculated sample size? If your device is for a rare condition and you propose 200 subjects in 12 months, the timeline does not match the epidemiology.
Feasibility is not just about enrollment speed. It is about whether your assumptions fit the reality of your clinical context.
When your sample size is driven by feasibility rather than statistical need, say so explicitly. Explain what you can conclude with the achievable sample size and what you cannot. Reviewers respect transparency. They reject designs that claim statistical adequacy without justification.
Endpoints and clinical relevance
ISO 14155 does not tell you which endpoints to choose. It tells you the endpoints must be appropriate for the objectives.
This sounds obvious. It is not.
I see protocols where the objective is to demonstrate safety but the endpoints are all performance metrics. Or the objective is to show equivalence but the endpoint is a surrogate measure with no validated correlation to clinical outcomes.
The endpoint must directly address the clinical question. If your device claims to reduce infection risk, your primary endpoint should measure infection incidence. Not inflammatory markers. Not device adherence. Infection incidence.
Surrogate endpoints are acceptable when they are validated. But you must prove validation. You must cite literature showing the surrogate predicts the clinical outcome. Without that citation, the surrogate is speculative.
Secondary endpoints follow the same logic. They must add information that supports the clinical evaluation. They should not be exploratory unless you label them as such.
Exploratory endpoints do not require the same statistical rigor. But they must still be justified. Why are you collecting this data? How will it inform the clinical evaluation or post-market surveillance?
Every endpoint costs time, burden on subjects, and complexity in analysis. If you cannot explain why an endpoint matters, remove it.
The informed consent process
ISO 14155 dedicates significant attention to informed consent. The standard requires more than a signed form. It requires a process that ensures subjects understand what participation means.
Your protocol must describe this process. How will you present the information? How will you assess understanding? How will you document that consent was voluntary and informed?
The consent form itself must be clear and complete. It must describe the device, the procedures, the risks, the potential benefits, and the alternatives. It must explain that participation is voluntary and that withdrawal is possible at any time without penalty.
Most deficiencies here come from incomplete risk disclosure. Teams describe device risks from the risk management file but forget to describe procedural risks from the investigation itself.
If your protocol requires subjects to return for monthly visits for two years, that is a burden. If it requires blood draws, biopsies, or imaging beyond standard care, those are risks. The consent form must address them.
Reviewers cross-check the consent form against the protocol. Any risk mentioned in the protocol must appear in the consent form. Any procedure in the protocol must be explained in lay language in the consent document.
Consent forms often copy technical language from the protocol or the CER. Subjects cannot provide informed consent if they do not understand what they are consenting to. The language must be accessible without being patronizing. This balance is difficult and often overlooked.
Monitoring and oversight
ISO 14155 requires you to define how the investigation will be monitored. This is not optional. It is not something you add after the protocol is approved.
You must specify who will monitor, how often, and what they will check. You must define the role of the sponsor, the investigator, and any independent monitors or data safety monitoring boards.
For higher-risk devices or vulnerable populations, independent oversight is expected. If you do not include it, you must justify why it is not necessary.
Monitoring plans are often generic. They list standard activities without specifying how those activities apply to the particular investigation. Reviewers want specifics.
How will you verify informed consent? How will you check protocol adherence? How will you detect and report adverse events? What triggers a site visit versus a remote review?
The monitoring plan must match the risk profile of the device and the complexity of the protocol. A simple observational study with minimal intervention requires less intensive monitoring than a high-risk interventional trial.
Data management and quality control
ISO 14155 requires a data management plan. This plan must describe how data will be collected, recorded, verified, and stored.
The plan must address data quality. How will you ensure data accuracy? How will you handle missing data? How will you manage protocol deviations?
These are not administrative details. They affect the validity of your conclusions.
If your primary endpoint relies on a measurement and that measurement is inconsistent across sites, your data becomes unreliable. If you have high dropout rates and you do not predefine how you will handle missing data, your analysis becomes questionable.
Reviewers check whether your data management plan matches the complexity of your endpoints. If you are measuring quality of life with validated questionnaires, your plan must address questionnaire administration, translation validation, and scoring procedures.
If you are collecting imaging data, your plan must address image quality control, reader training, and inter-rater reliability.
Generic statements like
Frequently Asked Questions
What is a Clinical Evaluation Report (CER)?
A CER is a mandatory document under MDR 2017/745 that demonstrates the safety and performance of a medical device through systematic analysis of clinical data. It must be updated throughout the device lifecycle based on PMCF findings.
How often should the CER be updated?
The CER should be updated whenever significant new clinical data becomes available, after PMCF activities, when there are changes to the device or intended purpose, and at minimum during annual reviews as part of post-market surveillance.
What causes CER rejection by Notified Bodies?
Common reasons include inadequate equivalence demonstration, insufficient clinical data for claims, poorly structured SOTA analysis, missing gap analysis, and lack of clear benefit-risk determination. Structure and logical flow are as important as the data itself.
Which MDCG guidance documents are most relevant for clinical evaluation?
Key documents include MDCG 2020-5 (Equivalence), MDCG 2020-6 (Sufficient Clinical Evidence), MDCG 2020-13 (CEAR Template), MDCG 2020-7 (PMCF Plan), and MDCG 2020-8 (PMCF Evaluation Report).
✌
Peace, Hatem





