The devices have landed – and some promotion

European CommissionSo, it took a while but the devices have finally landed. During the EPSCO council of 1 December it was confirmed that the medical devices policy has indeed moved to DG ENTR. I have also heard Commission officials tasked with medical devices at DG SANCO say they are in transition now.

It also became clear that the ambitious Italian pre-pack first reading plan had failed because no common position was reached. The progress report for the meeting was approved and the Italian presidency expressed the hope that the Latvian presidency can build on its work.

The Dutch in 2016

Since it became already clear that the Latvian and Luxemburg presidencies do not have great ambitions in this matter, the scenario that I have sketched that the Dutch presidency in the first half of 2016 will try to make a difference becomes more and more likely.

As you can see in the progress report, there is still a lot of work to be done. Even though all chapters of the proposed regulations have been tossed repeatedly like a regulatory salade niçoise (every chapter and every annex of both proposals (20 chapters, 187 articles and 29 annexes) have been discussed two times each at the end of the Presidency), no agreement was reached and a number of political bones of contention remain, which include:

- Aesthetic devices;

- Ingested products;

- Reprocessing of single-use devices;

- the Unique Device Identification System (“UDI”);

- Mechanisms for surveillance and appointment of the Notified Bodies responsible for conformity assessment of Medical devices and In vitro diagnostic medical devices;

- the Scrutiny mechanism for certain high risk devices;

- Clinical investigations;

- Post-Market Surveillance;

- Tasks of the proposed Medical Device Coordination Group; and

- Role of expert panels and reference laboratories.

The progress report will show you exactly where the differences are for each of these categories. The politically most difficult ones are MDCG, UDI, notified bodies’ role and post market surveillance.

Impact assessment

One of the interesting statements during the EPSCO council was the statement of the Dutch delegation that they thought that with all the amendments on the table it would be a very good idea to revise the impact assessment underlying the original proposals. I cannot applaud that enough, because as I have argued time and again, the so far fact-free amendments of the Parliament should have a basis in reality and it should be made clear what these amendments mean for industry, costs of healthcare and the patient/payor. It would be very interesting to see what the Parliament’s amendments amount to when they are assessed for impact. It will probably show, for example, that the hazardous substances amendment will add nothing in terms of safety but will only cost a lot in terms of compliance for compliance sake exercises.

Prediction for 2015

My prediction for next year (2015) is a year of quiet diplomacy in the background to pre-cook a final agreement during the Dutch presidency. It may happen that the trilogue finally kicks off during the last half of 2015, now that the Parliament voted to be ready for it on 5 November 2014. 2015 will also be the year of eHealth and mHealth, with the Commission starting to translate the feedback to the Green Paper on mHealth into policy actions, part of which may be fed back into the discussions regarding the medical devices regulations, e.g. on the definition of ‘medical device’. The Council and the Commission may also realise how ill-equipped the current proposals for the medical devices and IVD regulations are to deal with modern devices as a service, standalone software and the nexus with

Also, the unannounced audits will become established practice and the notified bodies will continue to increase their clinical evidence requirements as a result of the joint audits under the Joint Action Plan.

Finally, new production techniques like 3D printing will need to find a place in the regulations one way or the other, or we will need to accept that from a regulatory perspective there is no difference.

So how to keep track of all that?

Here are some suggestions

for the end and beginning of the year, to stay on top of all these developments:

I hope to see you at one or more of these very worthwhile events!

EU Council also thinks genetic testing amendment in IVD regulation proposal is outside competence EU

380px-EU_Consilium_Logo.svgIn a previous blog I have addressed the genetic testing amendment to the IVD regulation proposal and have provided argumentation why this proposal is outside the scope of the legislative competence of the EU. To make it interesting I have also explicitly challenged the author of the amendment, rapporteur for the IVD regulation proposal Peter Liese, to prove me and my colleague Julian Hitchcock wrong in our conclusions (executive summary here).

We were actually right

Nothing happened and nobody challenged our conclusions. That may be because we were actually right. So we were not challenged by the University of Passau that admitted that their report’s conclusion that provided the foundation for the Parliament’s amendment was wrong (which it is, and the report was commissioned because the rapporteur himself also doubted that the EU had this competence in the first place). Nor did Mr Liese admit that he had misjudged EU competence.

Rather, the EU’s sovereign member states comprising the Council backed us up. The Dutch government recently stated in answers to the Dutch Parliament (in Dutch, sorry – we’re working on a translation) that a majority of member states in the EU Counsel consider this proposal outside the scope of EU legislative competence, on the exact same grounds that Julian and I concluded in our report: subsidiarity and proportionality prevent posing medical-ethical requirements for national practice of medicine with genetic testing.


The Dutch government states that it looks like the Counsel can accept a compromise to the effect that member states may deal with this matter themselves at national level, much like where things look to be  going with respect to reprocessing of medical devices.

Insufficient attention for IVDs

Also, the Dutch confirm a point that I have lamented often on this blog: the lack of attention for the IVD regulation in the legislative process. The Dutch say that the negotiation process regarding the IVD regulation is though going (“moeizaam“), and that there has been little attention for IVDs in the whole revision process so far because priority is given to the medical devices regulation. This is also painfully obvious in the progress report of the Counsel for preparation of the Employment, Social Policy, Health and Consumers Council meeting on 1 December 2014 (more about this progress report in a future blog).

Cause for concern

The Netherlands thinks that this is a cause for concern and will give efforts to ensure that sufficient time is dedicated to this important subject during this presidency and the following ones. I agree. It would be useful if there would be more attention for the IVD regulation. Not only will there be very big changes for the IVD industry as a result of the IVD regulation proposal, but the importance of IVDs in modern personalized medicine is enormous. IVDs are just too important for society to be overlooked and underprioritised this way.

What happens next?

Well, the Parliament may realize that you cannot conjure competence to legislate out of thin air under rule of law and revoke its proposal because it has no legal basis to be adopted.

Except that this is not how politics work, because this amendment will of course not be revoked but will go in the big horse trading mix between the Commission, the Council and the Parliament. Let’s hope that the Commission and the Council keep in mind that negotiation can only take place with bargaining chips that actually exist and that there really is nothing to negotiate on this point: the comprise on the table is actually just explicit codification of the current situation at member state level.

In, on and near body networks EU regulation

Medica logoI had the pleasure of being invited to speak at the Health IT forum at the MEDICA conference last week on regulation of in, on and near body networks. Most of my day at the MEDICA I spent in the health IT hall, catching up on developments, particularly in the interesting Wearable Technology Pavillion with all its cool gadgets, and talking to clients with booths in the hall or out and about there.

The Health IT forum session about “Healthcare in the age of IOTS. Exploring the added Value of IOTS in Healthcare research, policy and service delivery” put me on a panel with SAP, Microsoft, IBM, Bosch, the illustrious Fraunhofer Institute and my friends at the Continua Health Alliance. It was a lot of fun. The MEDICA will probably put the video recording on its site sooner or later.

Here is my presentation (it was pretty difficult to jam it into 15 minutes but I managed by excluding all the breathing pauses), focusing on what I think are currently the three hot regulatory issues in healthcare and the Internet of Things (IOTS): medical devices regulation, cybersecurity / draft NIS directive and personal (health) data:

So let’s look at each of these three categories in a bit more detail and context.

Medical devices regulation

In terms of medical devices regulation there is the of course by now completely worn out record of the medical devices regulations (at least on this blog it is), which are getting interesting again now that the Italian presidency is rumored to be engaged in a major push behind the scenes to still clinch the pre-pack first reading that they were planning. Also, the Commission has in the mean time published what they think of the Parliament’s first reading on the medical devices and IVDs regulation proposals and has, among other things, no problems with the ill-considered (if you ask me) expanded definition of ‘medical device’ that will include everything with an indirect medical intended purpose. This will redefine the concept of regulatory burden for the industry and expand the scope of medical devices regulation to include many many things that were never intended to be regulated as medical devices, something even the European Court of Justice warned against in the Brain Products case. So good luck, potentially every device that does anything related to a person that may in any way be beneficial for general health in the long run (like a step counter for example) will be sucked into the scope of medical devices regulation. Will that make the world a safer place for patients? Probably not.

Cybersecurity / draft NIS directive

At first sight it seems that there is not much currently in EU medical devices regulation with respect to cybersecurity if you compare this to the new FDA guidance on the subject, but if you look closer there are some design requirements that can be drawn from the EN 62304 standard (see slide 11 of the presentation above). You could even argue that networking aspects are addressed by the mentioning of authentication, authorisation and communication integrity, which is the main security Achilles heel of many of the networked medical devices on the market currently. On the other hand, there does not seem to be a lot of interest at EU level for this subject. All policy documentation that touches upon medical devices and mHealth approaches security from the angle of protection of personal (health) data, a perfectly valid concern but not an adequate approach to security at all.

The draft NIS directive stands to impact substantially on networked medical devices (slide 13) because it will apply to basically all IoT enabled medical devices. It triggers design and organisational obligations in the field of security as well as breach notification obligations (yes, additional to and conveniently diverging from any breach notification obligation under EU data protection law).

More about cybersecurity for devices in my next post on this blog!

Personal (health) data

Personal (health) data remains a problem with the current framework being in a state of hot mess and the new framework under the General Data Protection Regulation being in a state of legislative limbo in the sense that the Commission says it’s all very urgent and a high priority and must be finished this presidency, an end result is still not clearly visible on the horizon. Yet, the GDPR will remedy a lot of the deficiencies of the current directive – that is, if it turns out looking more or less like the first reading of the Parliament. There are a lot of crucial issues in the air, like regulatory one-stop-shopping, exemption for extra-institution outsourced processing of health data and extra-EU international data transfers, just to mention a few that are critical to business models for service providers in the healthcare business that operate services that use IoT enabled devices to collect personal health data from patients in and outside the clinic and process it using cloud services (isn’t everybody doing (or wishing to be doing) that?). Just read the statement of the Healthcare Coalition on Data Protection backed by not the slightest of organisations, and you wil agree with me that it’s a bleak picture for business if there are no drastic changes made to the GDPR (which it currently looks there will not be).


Should we be worried? Yes, I think so. As I have blogged before, Europe has a tendency to be the ‘department of no’ when it comes to regulating this type of technology. Companies understand very well of course  that there has to be regulation of safety and performance, but how about making sure that such regulation is coherent, up to date, consistently applied across the EU and proportionate so they can actually work with it and plan ahead? The EU is losing itself far too much in politics and its weird love/hate relationship with anything ‘innovative’ as has been more than clear in the medical devices and GDPR dossiers, which makes for sub-optimal regulation for everyone involved.

Where have the devices gone?

keep-calm-it-will-happen-14It’s been a matter of a lot of speculation where the devices policy and HTA policy will finally end up in the European Commission.

When the Commission-elect was presented, one of the interesting elements was that medicinal products and medical devices policy were going (back) to DG Enterprise. Remember that the new rapporteur for the medical devices regulation, Glennis Willmott, was very much against this and vowed to bring devices policy back in the fold of DG SANCO. In the mean time the Commission has been elected, but it’s still not clear where the devices will end up.

Something of a concession

Some time ago it already became clear that president Juncker had made something of a concession to the European Parliament with regard to medicinal products and medical devices policy on 22 October:

“Responsibility for medicines and pharmaceutical products will stay with the Directorate-General for Health because I agree with you that medicines are not goods like any other,” he said, adding that Andriukaitis and Bieńkowska will develop the relevant policy jointly. (EurActiv)

But it was not very clear what that concession was exactly because what are “medicines and pharmaceutical products” if not more of the same? Or was something lost in translation resulting in this tautology? Was  everthing that was plannend to be moved (back) to DG Enterprise going back to DG SANCO?

Hey, and what about medical devices – they’re not goods like any other either, right? Or are they? This is really a less than well-chosen statement by President Juncker that the Parliament will probably hurl right back at the Commission as ammunition to support some of its more politically motivated amendments in the legislative procedure for the medical devices and IVD regulations.

Clinica permutations

As matters stand currently, it looks like medicinal products may actually go back (again) to DG SANCO and that HTA plus devices will stay with DG Enterprise. At least, that says Clinica now on 31 October. But Clinica has in the mean time reported every possible permutation in this story as final.

No final word it seems

MedTech Europe is still reserving its position on that same date.

Schermafbeelding 2014-11-01 om 12.30.13 The final word, it seems therefore, has not been given yet.

What would it mean?

What would it mean if devices and HTA would go to / stay with DG Enterprise? As I have blogged, devices started out as a typical internal market policy and this move may signify a re-orientation on the market for medical devices with potentially more attention to innovation friendly policies.

A slip of the tongue that would lead to conclude that President Juncker sees devices as goods like any other contrary to medicinal products may tentatively support this. Such re-ortientation would for one benefit the eHealth industry, which the Commission has put a lot of cards on for its healthcare policy.

Another benefit of more emphasis on internal market might be some efforts of the Commission to deal with the consequences of the Lycocentre judgment that confirmed that there actually is no internal market for medical devices because every member state may qualify a product differently based on different scientific argumentation.

Keep calm

And carry on – the EU’s devices policy will sort itself out sooner or later, possibly next week already. In the mean time, enjoy all the speculation and join the fray it you like!

Surprise! More on unannounced audits, this time on software

Nobo policeFurther to my recent posts on unannounced audits I have been thinking about how unannounced audits could play out in an area that becomes more and more important: standalone software.

Software medical devices

The majority of standalone software under the medical devices directive falls in the scope of rule 12 of Annex IX of the MDD and is therefore subject to self-certification (so no notified body oversight and no unannounced audits).

However, there is also a growing group of higher risk software that is certified by notified bodies. This group is mainly comprised of software controlling or influencing the use of higher risk devices (implementing rule 2.3 of Annex IX of the MDD) or monitoring / providing direct diagnosis of vital physiological parameters (rule 10 of Annex IX of the MDD).

eHealth Law & Policy article

I wrote an article on the subject in the August 2014 issue of the journal eHealth Law & Policy, which I am happy to be able to provide to you now through my blog with the kind permission of the publisher. You can download the article as pdf here. If you like it, there is more similar quality content in that journal well worth your while.

Article unannounced audits
Manage your crucials and criticals, also in software

As you will see in the article, managing your relations with external software developers is critical because they will almost always qualify as crucial suppliers or critical subcontractor, which your notified body may also audit unannounced. For more detail on how you should manage this relation and what should be in your contract with them, see here and here.

Especially in software development it is usually not top of mind to agree with your external developer that they should be able to accomodate an unannounced audit. Yet, you should really have that taken care of that as manufacturer if you do not want to put the certificate for the software concerned at risk.

Any experience with unannounced software audits?

If you have any experience with unannounced audits of software I would be very interested to hear about it. The notified bodies I spoke to recently all said they had not concluded audits on software medical devices yet, but were planning them and were thinking about how to implement them.

Current and mostly future UDI developments in the EU

2014-RAPS-LogoI gave a presentation on current and future developments in UDI at the RAPS 2014 conference in Austin last week, sitting on a panel on global developments in UDI with presentations on developments also in the US and China.

This will be a short post on the subject of UDI, because most of the information will be in my presentation, which you can view right here:

As you can see in the presentation and by way of summary, the EU is not doing a lot presently pending the medical devices regulations revision process (which will feature UDI) except undertaking efforts to make sure that the individual member states do not go out on a limb and impose their own national and divergent UDI systems.

The EU will also will be vigilant not to put anything in place that is very different from what the US is putting in place because that would really drive a nasty compliance wedge in the international medical devices market.

When the regulations finally complete, UDI will be phased in for groups of devices based on their risk profile and a lot is still to be implemented by so-called delegated acts. And, of course, if and when UDI will actually work in the EU will also depend on the completion of the Eudamed cathedral.

Surprise! More about unannounced audits

Nobo policeIf you’ve missed the 2014 RAPS conference you’ve missed out on the opportunity to learn a lot about unannounced audits by notified bodies. Not only were the notified bodies themselves out and about at the conference and very approachable to discuss all kinds of technicalities, there were also several very practical sessions with a lot of good information on the subject, notably the enforcement / unannounced audits session and the product sampling during unannounced audits session were very informative.

If there is one thing that I took away from these sessions it’s the absolute need to take a good look at your relations with critical suppliers and crucial subcontractors. Sounds like a broken record, but it keeps being confirmed.

Here are my main takeaways from the conference sessions on unannounced audits:


Don’t forget to inform your notified body about critical supplier’s production windows, otherwise the notified body shows up there and can’t complete the audit if production is not ongoing that day – result: suspension of your certificate. Also make sure your critical supplier tells you so you can inform the notified body, otherwise: same result.

And how about production locations? Make sure that your critical supplier does not change production locations for a raw material or component without telling you because the notified body will show up in the wrong place and will not be able to complete the audit, resulting in suspension of your device certificate and it’s likely a non-conformity in your QMS if your supplier can do this without telling you. This an actual example from one of the notified bodies I spoke with at  the conference, by the way. In that case you can only hope that the critical supplier did not move the production too far away and the notified body can quickly get there and complete the audit after all.


Not only do you have to have a procedure for unannounced audits (otherwise it’s a QMS non-conformity for which you will be written up by your notified body), also your critical supplier has to have one. You may be written up for a non-conformity if they don’t.

Your own procedure and that of your critical supplier should typically cover these three main subjects:

  • Notification of notified body of production windows and changes
  • Coordination with supplier / manufacturer
  • Training of staff regarding responsibilities and requirements during unannounced audits


Unannounced audits can happen at night if the device is (also) produced in night shifts. Sounds obvious but it means that your management has to be available at night too and your unannounced audits process has to accommodate this. They may not like it, but you have to make provision for management to be on call 24/7 if you or your critical suppliers also produce at night and in the weekend.


Since the unannounced audits are product sampling audits that involve testing, it is actually possible to agree testing methods with your notified body beforehand. Even though you cannot define the sampling criteria, you can define the test methods used, e.g. by reference to the ones you are using already in your production. If those are good already, why subject your devices to something else that may produce unexpected results, right? This may be well worth your while as it takes a degree of unpredictability and risk out of the equation. If the testing method is unclear or not agreed, the notified body will need to haul off the samples and test elsewhere. The same applies for the critical supplier test methods for their production process.

Authorised reps

An authorised representative can also be a crucial subcontractor, depending on what they take on in terms of roles and responsibilities, especially where they do vigilance cases reporting for the manufacturer (as this impacts performance and safety of the device).

Supply agreements

How to deal with suppliers that refuse unannounced audits? As I have blogged here and here, you should have changed your supply contracts with critical suppliers by now to accommodate unannounced audits.

But what if the supplier doesn’t want to cooperate because they just see it as hassle (for example because you are just a small customer compared to the rest of their customers)? That happens even to the biggest of devices companies, we learned at the RAPS conference. The only thing you can do then is work with the critical supplier to find a value proposition that triggers the supplier, and this can differ from one supplier to the other. The problem is that suppliers may know that you have to agree with them or source from elsewhere, so be prepared for some arm-twisting in the negotiations.

Change management regarding the supplied material is vital: make sure that you know when the critical supplier changes material specs or production methods, also if you are too of a small customer to influence this choice, because may have to be reflected in the tech file.

Since the notified body will audit the critical supplier, the supplier had better have their documentation in order, and you have to make sure they do, so cover this in the supply / quality agreement.


Get every new post delivered to your Inbox.

Join 3,852 other followers

%d bloggers like this: