New sort of applicable economic operators regulation: the Market Surveillance Regulation

Attentive attendees of my presentations about economic operators will have noticed that essential parts of the general Goods Package were being amended and that this may affect companies in the medical devices space.

I now present to you Regulation (EU) 1020/2019 of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011, the Market Surveillance Regulation. This regulation replaces part of Regulation 765/2008 (articles 15 to 29 to be precise), the regulation that set up the economic operator regime as we know it under the MDR and IVDR, and supplements lots of other EU CE marking directives and regulations too.

This new regulation’s objective is a uniform framework for market surveillance for products at Union level by

“strengthening market surveillance, providing economic operators with clear, transparent and comprehensive rules, intensifying compliance controls and promoting closer cross-border cooperation among enforcement authorities, including through cooperation with customs authorities.”

But hang on, didn’t we have a regime for economic operators, compliance controls and market surveillance in the MDR and IVDR? Didn’t we just spend loads of money understanding these regimes and now we get this? This cannot possibly apply to the medical devices industry, right?

Well… it depends – I’ll explain right after you’ve enjoyed my latest presentation about economic operator regime developments at the Q1 3rd annual EU MDR implementation conference in affluent Alexandria close to Washington DC in the US last month:

Only insofar as it depends

The regulation both applies and does not apply to medical devices and IVDs. It does apply because Annex I to the regulation contains all medical devices and IVD regulations and directives (except, strangely, the MDD and AIMDD) as legislation that the regulation applies to, in so far as there are no specific provisions with the same objective in the Union harmonisation legislation which regulate in a more specific manner particular aspects of market surveillance and enforcement (article 2).

It does not apply insofar as (see its recital 4):

“[…] in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation. The corresponding provisions of this Regulation should therefore not apply in the areas covered by such specific provisions, for instance those set out in Regulations (EC) No 1223/2009 (3), (EU) 2017/745 (4) and (EU) 2017/746 (5), including as regards the use of the European database on medical devices (EUDAMED), and (EU) 2018/858 (6) of the European Parliament and of the Council.”

You can understand that a sentence like “in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation” makes my lawyer pulse go up considerably. However, it’s not a super clear demarcation criterion. It basically says: whatever is in this regulation but not in the MDR/IVDR by ‘objective, nature or effect’ is still governed by the Market Surveillance Regulation. Up to now I would look into the fantastic Blue Guide to understand whatever is not clear in the MDR and IVDR in terms of CE marking and economic operators. Now we also have this additional regulation to inform and bind us, because obviously this regulation will affect how the corresponding rules in the MDR and IVDR will be interpreted. Also, the regulation contains additional items that apply in addition to the MDR and IVDR, as we will see later on in this blog.

And, finally, don’t forget that the Market Surveillance Regulation applies to other EU regulations and directives than the MDR and IVDR that devices are also covered by, such as the REACH Regulation (chemicals) and the RoHS Directive (hazardous substances). Take a look in Annex 1 of the regulation for the whole list of directives and regulations covered by the Market Surveillance Regulation.

So, happy times – let’s take a tour of the new Market Surveillance Regulation and see how this may impact what we know about the EO regime and other device-related matters under the MDR and IVDR.

Fulfillment service providers (article 4)

The definition of economic operator in the MDR and IVDR does not include fulfillment service providers, but the Blue Guide mentions under the heading of distributors that fulfillment service providers doing more than mere box moving could qualify as an economic operator. In that regard it is important to know who qualifies as a fulfillment service that can be a distributor. Article 3 (11) of the Market Surveillance Regulation defines fulfillment services provider as:

 “any natural or legal person offering, in the course of commercial activity, at least two of the following services:

  • warehousing, packaging, addressing and dispatching, without having ownership of the products involved, excluding postal services as defined in point 1 of Article 2 of Directive 97/67/EC of the European Parliament and of the Council,

  • parcel delivery services as defined in point 2 of Article 2 of Regulation (EU) 2018/644 of the European Parliament and of the Council, and

  • any other postal services or freight transport services;” (underlining added)

This is much more detailed than the Blue Guide’s description of “the activities of fulfillment service providers as described above go beyond those of parcel service providers that provide clearance services, sorting, transport and delivery of parcels.”. So, now we have a better picture of what a fulfillment service provider looks like. 

Distance sales (article 6)

Article 6 of the MDR and IVDR specifies that devices offered to natural and legal persons in the Union must comply with those regulations. The new market surveillance regulation adds that making available (the term missing in article 6 MDR and IVDR, which merely use ‘offer’) occurs if the offer is targeted at end users in the Union. An offer for sale is considered to be targeted at end users in the Union if the relevant economic operator directs, by any means, its activities to a Member State. This can be assumed, for example, when the website is available in a language spoken only in that member state.

This is quite relevant for companies that offer the sale of tests or other devices at a distance to end users in the EU, and shows that the concept of making available in the Blue Guide does not require an actual sale to be made (as you would already know from the Blue Guide, so this is not new); offering for sale is sufficient.

Another feature of the Market Surveillance Regulation is that the fulfillment service provider becomes responsible for the device when there is no representative in the EU (manufacturer, importer or authorized representative). This means that it becomes important for fulfillment service providers to establish if the devices that they are delivering comply in terms of economic operator organization. In cases where the non-Union established manufacturer thinks he’s safe, the fulfillment services provider in the EU now becomes an enforcement target.

Small bombshell in article 11 (9): Lycocentre revisited

In the Lycocentre case the EU Court stated that incomplete harmonization in the medical devices field in the EU allowed for member states to reach very different conclusions regarding regulatory compliance of the same device. Well, that’s mostly over now with the Market Surveillance Regulation, which provides in article 11 (9) that

“Without prejudice to any Union safeguard procedure pursuant to the applicable Union harmonisation legislation, products that have been deemed to be non-compliant on the basis of a decision of a market surveillance authority in one Member State shall be presumed to be non-compliant by market surveillance authorities in other Member States, unless a relevant market surveillance authority in another Member State concluded the contrary on the basis of its own investigation, taking into account the input, if any, provided by an economic operator.”

In other words, if one authority decides that the device is non-compliant (for example, as in Lycocentre) because the authority thinks it’s a medicinal product rather than a device, all other authorities must assume non-compliance too (the regulation does not say it should be on those same grounds, but this seems implied). This would only be different if they conclude otherwise in their own investigation, whether or not after input of the economic operator.  As you can imagine, this will be interesting and potentially complex for manufacturers, because of the very different views national authorities can have about qualification and classification of devices alone already.

This provision in the Market Surveillance Regulation interacts with article 4 MDR and 3 IVDR (Regulatory Status of Products), which allow the Commission to take qualification decisions about products by means of implementing act on its own initiative or upon a member state’s request. Where the non-compliance concerns qualification this provision can be used to overrule a situation where member states still want to maintain a divergent qualification, but you or a member state will need to win the Commission over first.

Recovery of costs by market surveillance authorities (article 15)

In addition to the possibility to levy fees in relation to the application of the MDR and IVDR, the regulation allows member states to authorise their market surveillance authorities to reclaim from the relevant economic operator the totality of the costs of their activities with respect to instances of non-compliance. These costs may include the costs of carrying out testing, the costs of taking measures in accordance with customs holds, the costs of storage and the costs of activities relating to products that are found to be non-compliant and are subject to corrective action prior to their release for free circulation or their placing on the market.

For example, it would seem that this provision in the Market Surveillance Regulation allows competent authorities to charge costs for evaluation of devices suspected of presenting an unacceptable risk or other non-compliance under article 94 MDR / 89 IVDR and costs of measures implemented to deal with devices presenting an unacceptable risk to health and safety under article 95 MDR / 90 IVDR.

Procedural rights of economic operators (article 18)

The Market Surveillance Regulation also contains one provision on procedural rights relevant under the MDR and IVDR: before any measure, decision or order taken or made by market surveillance authorities the economic operator concerned must be given the opportunity to be heard within an appropriate period of not less than 10 working days (unless that is not possible because of the urgency of the measure, decision or order, based on health or safety requirements or other grounds relating to the public interests covered by the relevant Union harmonisation legislation). This would be additional to the market surveillance provisions in the MDR and IVDR, which do not contain this 10 working day minimum period. Where member states do not have this period built into their procedural law for the authorities concerned, they will have to take this period into account.

Market surveillance

The Market Surveillance Regulation makes changes in the market surveillance regime for products, of which some general items are already covered in the MDR/IVDR and others are not, as set out in this approximative table:

| Market Surveillance Regulation | MDR/IVDR |
| --- | --- |
| Market surveillance national authorities are granted strengthened powers | Covered, chapter VII section 3 (Market Surveillance) |
| The tasks of market surveillance are defined and powers like taking samples and imposing penalties are harmonized | Covered, chapter VII section 3 (Market Surveillance) |
| Market surveillance authorities may reclaim all cost of their activities in case of non-compliant products | Not covered in market surveillance section |
| Harmonized approach for surveillance at EU borders by customs and surveillance authorities | Not covered in regulations |
| A Union Product Compliance Network (UPCN) to be set up by January 1, 2021 | Covered, MDCG and electronic system on market surveillance (part of Eudamed) |

The items not covered in the MDR/IVDR will be governed by the Market Surveillance Regulation and implementing national law for that regulation.

Date of application

The Market Surveillance Regulation already entered into force last month and it applies from 16 July 2021, except for some provisions related to implementation by the authorities. So, more on your plate to figure out for the MDR and IVDR.

Questions?

Questions about this new regulation or the MDR or IVDR? I will be speaking about several subjects (including M&A and the MDR/IVDR, MDR implementation and IVDR implementation) at the upcoming RAPS Regulatory Convergence in Philadelphia from 21 to 24 September and about the MDR at the Medtech Conference in Boston from 23 to 25 September.

€ 500 per data subject – a quantification of why GDPR matters

Clients often ask me why they should invest in General Data Protection Regulation (GDPR) compliance so much. For medical devices and medicines regulatory compliance, they get it to an extent. Non-compliant devices carry risk of enforcement, which can lead to them being taken off the market. Devices off the market = collapse of cash flow and bad press. Both are bad for the company. And then there is the product liability risk for non-compliant devices or medicines that harm patients. More bad press and of course you don’t want to harm patients.

Data, seriously?

But data, seriously? For personal data related non-compliance companies often reason differently. They see personal data (and personal data concerning health) often as a surplus that can be harvested and put to their use: as their data rather than the data that is governed by rights of the data subjects concerned. Compliance to EU GDPR is costly, complex and follows alien logic. It’s my surplus right? It’s generated by my devices, generated in my trials and stored on my servers that I have secured as well as I think is necessary. It’s not like we are harming people if there is a data breach or if we send the data to the US (or the UK after hard Brexit). Look at company statements when a data breach happens: the first statement that a company makes is that they have no indication that the data were used for any detrimental purpose by bad guys (if any).

So why all this costly and complex hassle? Companies generally understand there are rules enforced by data protection authorities, and that these authorities may enforce these rules in case of non-compliance. So then the question is: what is the risk of enforcement and disruption of operations? That seems to be the only risk that is really considered. There is no product liability in data protection – it seems. Data protection authorities are comfortably under-resourced, so the risk of enforcement and imposition of the ginormous penalties that we were warned about when the GDPR entered into force is relatively small. And a data breach (other risk) may be bad publicity but it always blows over – Facebook can tell you all about that. So, what’s the problem, right?

A small legal case

A small legal case in the Netherlands may serve as a powerful example of where things are heading with the GDPR, and to show that the GDPR is serious about the intrinsic value of personal data to the data subject that they relate to. Personal data is not surplus. A data subject does not only have an interest in bad guys not going to town with their breached data and pillaging their bank account or selling their genetic data, or third parties using their data in non-compliant ways by aggregating it into profiles about you that follow you around with ads about stuff you already bought. A Dutch court recently held that non-compliance under the GDPR harms the data subject’s interests in control over his or her personal data, which is a fundamental, personal right. And this personal right is exactly what article 82 GDPR protects when it states that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

So what non-material damage could a person suffer as a result of an infringement of the GDPR? The Dutch case concerned local government officials sending emails to inform each other about the fact that a person filed a request for disclosure of certain data. This was done not in accordance with compliant procedure and therefore constituted a data protection law infringement. The infringement seemed innocent enough on its own merits, like

  • doctors whatsapping each other images of patients’ wounds or statuses (so useful and quick),
  • maintenance personnel making copies of all treatment session data on a medical device on to their laptop for further analysis without covering this in the services agreement (very efficient),
  • support staff doing root level remote log-ins from services centers outside the EU on medical capital equipment and having access to all data on the equipment without a processing agreement with the hospital (good service),
  • hospitals scrapping devices without deleting diagnostic data on them (how should we know there’s data on these things),
  • companies far and wide transferring personal data concerning health outside the EU for further processing without adducing compliant safeguards (crazy Europeans have rules for that?).

And the list goes on.  And what’s the harm, right? We were only trying to help, only running our business, just getting things done – this GDPR business that starts with privacy by design just makes things way too complicated. We already have other rules to worry about.

Privacy by design

Yet, privacy by design is so important, because for example regarding device security design the GDPR places regulatory emphasis on one half of the below model, and the MDR/IVDR on the other half:

[Image: model from BSI’s white paper on cybersecurity]

This model comes from BSI’s very interesting white paper on cybersecurity, which you can download here from their page with a lot of other interesting and relevant white papers for MDR and IVDR. This serves to show how data protection requirements under the GDPR and GSPRs under the MDR and IVDR for software form different sides of the same coin and must therefore be equally considered in design and risk management. They must be parts of an overall integrated strategy to get this right. And we all know what can happen with badly designed products / services: if they don’t harm someone they’ll compromise their data or both.

Loss of control over personal data

Where’s the harm when personal data are lost or wrongly processed? Nobody re-sold the data (yet), nobody plundered bank accounts (yet) so what’s your problem data subject?

The problem of the data subject is – as the Dutch court phrased it – loss of control over personal data as a result of the non-compliance. Non-compliant processing leads to loss of control over personal data, which constitutes non-material damage in the meaning of article 82 GDPR. The Dutch court quantified this non-material damage at € 500 for the person concerned, taking into account that the decision to engage in non-compliant processing did not contain a justification (by the way this is why I always have been telling companies from the start of the GDPR to take the often mandatory Data Protection Impact Assessment (DPIA), which should contain such argumentation, very seriously). Especially when someone processes your special categories of data (concerning health, genetic data and biometric data among other things) you have very very much an expectation, even a fundamental right, to privacy as data subject. This is also a circumstance that could give rise to another quantification of non-material damage under the GDPR, because the € 500 was determined in a case where the personal data were not of the exciting kind. Imagine that you are a company offering genetic testing services and have a database of whole genomes and related hereditary disease risk factors of your customers that a disgruntled employee makes off with and then sells on the dark web. I bet that the amount of non-material damage for the data subjects will be more than € 500. And there are other conceivable factors that could influence the amount.

It adds up

500 Euros may not sound like much, but this is a per data subject amount. When you have a large user base, the number quickly adds up. When you are a multinational company with millions of users, things get really serious. And when the users concerned combine into a class action, you are in a world of trouble.

Not only the controller is in trouble, but the processor (service provider) may be too. A processor is liable for the damage caused by processing where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller, for example because the processor has not implemented the level of security required under the processing agreement with the controller. Processing agreements are just a stupid formality that your lawyer spends too much time on nerding about clever wording? Maybe time to take another look at yours.

Because let’s say you have a million users in the EU and your service suffers a catastrophic data breach because your processor’s systems are hacked and you were processing health data in the US without proper transfer mechanism. Or you were processing data of extra-EU data subjects in your EU operations not realizing that this means that these people suddenly are covered by the GDPR and have the same rights as EU citizens under the GDPR as a result.

Or something less spectacular: you sell the user database in an asset transaction when divesting that service from your company (without prior data subject consent or with another GDPR compliance issue that clever people in the due diligence warned you for but you do it anyway).

Or even yet more unspectacular: you have misunderstood (as so many companies crossing my desk do) the difference between anonymous data and pseudonymised data and as a result you are processing personal data when thinking you do not. Especially US companies are very prone to this mistake due to local US concepts of what anonymisation is and I have many heated debates with insufficiently informed US company lawyers about the fact that the GDPR really uses different logic in this regard. The same is true for many institutions and persons in medical research: they think that a coded dataset is anonymised just because of the distributed key, while for legal purposes it really is not because the whole point of a key is that the coding is reversible.

Or even still less spectacular: you decide to do performance evaluation for your IVD on a biobank of samples that you still had somewhere for other purposes because the IVDR is coming and you need more data because you did not do PMS for your self certified IVD like most companies in the market.

The above are all realistic scenarios that happen all the time.

So congratulations: someone makes a small and perhaps totally avoidable mistake and you have just racked up a potential liability of € 500.000.000 in our realistic examples (yes, half a billion Euro) for your company, of which the fuse can be lit by any data subject concerned clever enough to make this into a major problem for you by starting a class action. Dutch class action law and the GDPR provide that a data subject can be represented by a class action vehicle and the GDPR provides that a data subject can sue a controller or processor in every EU member state in which the company has an establishment. So if fundamental rights and enforcement risk by authorities are not enough reason to take GDPR compliance seriously, maybe the risk of a major class action is.

Stacking of the legal deck

The Dutch court decision is being appealed I understand, and appeal means it may be reversed or it may not. But this case shows how the deck is stacked legally, and why data protection is serious business.

So maybe give this GDPR business just a bit more consideration than you are currently doing – if only because it’s prudent risk management and, quite frankly, the right thing to do because we are talking about fundamental rights here.

 

PRRC guidance under MDR and IVDR published

The MDCG has just published its guidance on the PRRC, MDCG 2019-7 “Guidance on Article 15 of the Medical Device Regulation (MDR) and in vitro Diagnostic Device Regulation (IVDR) regarding a ‘person responsible for regulatory compliance’ (PRRC)”.

The guidance is largely unsurprising but I would like to highlight some points that are relevant to companies operating internationally and that have structured their PRRC functions by pooling or combining resources, such as combining the manufacturer and authorised representative in a single person or locating the PRRC outside the Union.

Points relevant for extra EU-manufacturers

The guidance clarifies some points relevant to international companies, which are not clearly defined in the MDR/IVDR and which may prompt companies to need to change their current PRRC implementation in an international (extra-Union) context:

  • The PRRC for the manufacturer and for the AR cannot be the same person (see p. 5) – although this is not explicit in the MDR and IVDR, it is evident that with the increased supervisory role of the AR combination of these separate roles in one person would create a conflict of interest. For micro and small enterprises (who do not need to employ a PRRC for the manufacturer pursuant to article 15 (2) MDR and IVDR) this translates to the situation that not only can the PRRC for the manufacturer and AR not be the same person, they can also not be provided by the same consultancy organisation (p. 5), which will add to costs and complexity for smaller companies;
  • The PRRC for the AR must be located in the EU because the AR is located in the EU – this is not an explicit requirement in the MDR/IVDR but has been clarified now (p. 3). The manufacturer PRRC can however be located outside the EU; and
  • The PRRC qualifications must be proven by demonstrated member state equivalency, meaning that the company will need to check the recognition of any non-EU diplomas by member states and document this for the PRRC (p. 1).

What else the guidance clarifies

The guidance provides a level of detail with regard to the cross-links between the manufacturer responsibilities under article 10 MDR/IVDR and the PRRC minimum responsibilities set out in article 15 (3) MDR/IVDR. This is helpful and convenient for drafting QMS procedures for implementing the PRRC function in the manufacturer organisation.

The guidance further clarifies that the manufacturer PRRC must be employed, except when the manufacturer is a micro or small enterprise.

If a company has multiple (“legal”) manufacturers under a single parent company then each of these must appoint its own PRRC. The guidance does not specify if these multiple PRRC functions cannot be combined in the same person or distributed over the same group of people if the manufacturers share a QMS or if this is implemented with quality agreements. I would assume however that this is possible.

What the guidance does not clarify

One of the big questions remains unanswered: the potential liability of the PRRC, which is important with regard to the structuring of the PRRC’s mandate and possible indemnification by the company, as well as how to structure that the PRRC does not suffer disadvantage of proper fulfilment of his/her duties. Since this is not explicitly addressed in the MDR/IVDR, it becomes relevant in the implementation of the MDR and IVDR in national law.

For example, the Dutch legislative proposal for the MDR/IVDR implementation provides without any clarification (that I have been able to find in the legislative history for the implementation act) that infringement of article 15 (3) MDR/IVDR (which sets out the PRRC responsibilities) is subject to competent authority enforcement by means of administrative fines and penalty payments. It is unclear (to me anyway) whether this enforcement may be directed against the company (I would assume so) or also against the PRRC (when not exercising responsibility for the functions that the PRRC should at least assume responsibility for). Hopefully this will be cleared up at some point because under the current circumstances it makes it potentially rather unattractive and risky to be a company’s PRRC in the Netherlands.

 

Bottleneck of bottlenecks for notified body capacity

People that are downplaying the notified body bottleneck may need to start to revisit their position with notified body LRQA now also dropping out of the notified body pool for medical devices and IVDs. This is especially a problem with respect to IVDs, as LRQA is one of the notified bodies traditionally handling a large share of the currently CE certified IVDs in the EU. This expertise and capacity will now be lost and not be available for the IVDR transition and for soft transition under the IVDR. And the general medical devices capacity is of course lost too.

The case of LRQA

The case of LRQA shows that notified bodies are not only suffering in the end of the long tail, but also at the beginning of the tail. Three things are happening now.

First, LRQA is ceasing its MDD and IVDD services – this means that its current customers need to transfer to another notified body. Customers that had relied on LRQA to support them for soft transition (2020-2024 under MDD or 2022-2024 under IVDD) have to find another currently notified notified body to support them. Since LRQA was servicing a large part of the IVD industry that needs CE certificates currently, this will be difficult and a bottleneck in itself. A transfer to another notified body may take longer than you have until the date of application for the MDR (26 May 2020). Also, customers of LRQA will need to transfer as soon as they can, because when a notified body closes down, the certificates will be withdrawn – regardless of the expiry date on the certificate (this is something that many manufacturers still misunderstand). It means that customers of LRQA may need to massively apply for orphaning protection with competent authorities if they cannot complete their transfer before LRQA closes its doors for the directives (90 days as of 12 June 2019).

Secondly, LRQA is abandoning its pursuit of a notified body in the Netherlands – this means that their Brexit hedge is terminated and less of the current capacity of notified bodies in the UK ends up being transferred to the EU27, so less total capacity available.

Finally, they announce that they are not pursuing their MDR and IVDR notification. This means that this capacity will not be available for the IVDR transition, which is a pity given the enormous amount of currently non-CE certified IVDs that need to be CE certified under the IVDR.

LRQA will probably not be the last

So, we are faced with the scenario that notified body capacity is rapidly decreasing, and a lot faster than new capacity is being added. In fact, new capacity is not being added because no new notified bodies are entering the market for certification services under the MDR and IVDR – the only new ones are UK notified bodies transferring to EU27, of which LRQA was one. NSF, the only really new NB on the block that I knew about, has abandoned its IVDR application in the meantime. 9 of the 22 Team-NB IVDD notified bodies will not apply for IVDR, and the rest is in various stages of application or considering to apply for IVDR. MDR figures are also looking bleak.

You do not need to be a mathematical genius to see that with a projected increase of notified body workload of 780% (source: MedTech Europe) and a rapidly decreasing installed base of capacity of notified bodies, there will be a bottleneck of bottlenecks. I predict that LRQA will not be the last notified body to abandon medical devices altogether.

Some Member States are getting kind of worried too. The Germans and Irish recently drew attention to the bottleneck at the Employment, Social Policy, Health and Consumer Affairs Council session on 14 June 2019 in the general context of implementation of the MDR and IVDR (which, as I have blogged, is far from ideal to begin with):

“[…] based on the number of notified bodies which are expected to be available on time, there will still be significantly fewer notified bodies than currently exist. In addition, data is not available on the capacity these designated bodies will afford the system.

[…] The concerns expressed are that these products cannot continue to be placed on the market under their existing Directive certificate up until 2024, like most other existing medical devices and that this will lead to market shortages.”

In other words – I will translate these euphemisms for you – we are feeling our way along in the coal mine of the new unfinished regulatory system, a cage with a bunch of dead canaries in our hand, and we have no idea if what we are doing is going to produce the regulatory approval capacity we need.

MedTech Europe has recently used uncharacteristically strong language in this regard in an open letter to the European Commission:

“This situation is clearly untenable, and time has run out to build a functioning regulatory system. This set of circumstances will profoundly disrupt the medical technology internal market and create yet another significant ‘Cliff Edge’ putting patient safety, healthcare services and EU healthcare environment in a major disarray.”

I agree completely with them. In the end, this is about continuity of healthcare services – should be kind of important to member states as well.

What to do

For devices companies this means that more than ever you – apart from having your MDR/IVDR transition totally sorted out and on track – have to be vigilant to signals from your notified body that they may be closing down, and be in absolute shipshape with your compliance in order to have a chance of a quick transfer to another notified body. In addition, you need to understand how the orphaning process works in case you need it. So plan for different scenarios, and include the worst in them. As I have told several CEOs of devices companies downplaying things in the meantime: “It’s only core business – how can that ever be relevant to the company, right?”

National MDR and IVDR implementation news – Netherlands implementation decree consultation

While nothing much comes out at EU level and member states seem to wait until the last moment with implementing legislation (because the people needed for that are caught up in the gridlocked Brussels MDR and IVDR implementation process as a result of structural under-resourcing of medical devices oversight) some member states are really on the ball – I give you the case of the Netherlands:

Netherlands implementing decree

The Netherlands is putting in place the last bits of its MDR and IVDR implementing legislation with the amended Medical Devices Act in the senate for sign-off (slated for first examination on 14 May) and is currently consulting on the draft implementing decree until 24 May, which contains the juicy substantive bits of the MDR and IVDR policy options to be exercised by the Netherlands (in addition to the surveillance options that I discussed in a recent seminar – up to 10% of turnover in fines possible and additional criminal liability, people!).

The Dutch draft decree provides an interesting insight as to how an EU member state would implement the MDR and IVDR as regards:

  • implant card;
  • details on reprocessing of single use devices (which ones may not be reprocessed and mandatory procedures for reprocessing);
  • details on reprocessing of re-usable invasive devices (requirements and procedures for health institutions engaging in this); and
  • labelling of sterile devices.

If these items are important to your company in the Dutch market and you would like to know more or if you need help responding to the consultation, let me know. The consultation ends on 24 May, so any reaction has to be submitted by that date.

Not covered in the decree

There is also a lot not in the implementing decree, like for example what type of in-house developed medical devices and IVDs are not allowed. In fact, the implementing decree does not cover any of the national policy options under the IVDR (not that there are many though).

Also, the decree (as well as the implementing act on which the decree is based) is silent on what every manufacturer, importer and authorised representative wants to know at this point in time: how, where and when can I obtain my Single Registration Number (SRN), and how long will it take? The SRN is mandatory for communication with the Eudamed database and for making a conformity assessment application under the MDR and IVDR, so kind of crucial.

IVDR, in-house developed tests and the state of MDR/IVDR implementation

In several posts on this blog I have discussed the severe impact that the IVDR will have on the IVD industry selling in the EU (just click on IVDR in the tag cloud on the bottom right of the page).

My firm has organised multiple seminars and I have spoken about this on more conferences and occasions than I can remember.

Yet, at the Molecular Diagnostics Europe conference this last week it turned out that at this stage still only the big IVD companies really know something about the IVDR. Small and mid-size companies and the investors in these companies mostly have no idea whatsoever how to approach the IVDR (if they have heard about it at all). Health institutions are generally not aware that the IVDR will have enormous consequences for their in-house produced diagnostics installed base and going forward.

Here is my presentation at that conference, which raised a lot of eyebrows in surprise:

The IVDR stands to be an even bigger bottleneck I think than the MDR, for several reasons:

  • the regulatory paradigm shift is bigger than for the MDR – because of the reclassification of IVDs most IVDs will need a CE certificate issued by a notified body and they will need it by the date of application if they did not have a CE certificate under the IVDD (the vast majority of IVDs)
  • While the IVDR is projected to lead to an increase in notified body capacity needed of 780% (says MedTech Europe), there certainly is no increase of 780% in notified body capacity available to the market. In fact, not a single notified body has been accredited for the IVDR at this moment and the pipeline of notified bodies under review shows a decrease in notified bodies available to the market (less than under the IVDD).

Needless to say, this will cause a really really disruptive bottleneck that may lead to disruptions in healthcare because tests relied on on a continuous basis may suddenly not be available any more for shorter or longer periods. These tests cannot quickly be replaced by in-house developed tests as the requirements for these tests have also increased a lot (see below). Or the other way around: in-house developed tests are suddenly not available anymore because the health institution has been sitting on its hands, did not do its article 5 (5) IVDR homework and cannot quickly replace the tests by CE marked ones. This will likely be a major issue in my country (the Netherlands) where in-house developed tests form a large part of the health institutions’ portfolio of tests.

Stalling implementation increases IVDR bottleneck too

This bottleneck is only increased by the continued absence of the vast majority of implementing guidance and legislation that is still necessary to make the IVDR and (at a much earlier time) the MDR work. IVD companies should be hard at work on their implementation and should have their first conformity assessment applications in the works to gain experience with it. Except that they can’t because there is no notified body available yet.

MedTech Europe is quite right to keep raising this with the European Commission in the strongest wording possible. COCIR has also been very vocal about the delay in harmonized standards. As I have blogged on occasions: it certainly is not good legislative and administrative practice to deliver an incomplete new regulatory system and then spend the transitional period foreseen for the addressees to implement the rest of it while the addressees remain incapable of knowing what the rules actually are, frustrating their useful implementation of the rules for their products. It will not do to tell industry it has to do much better and then fail at providing the necessary rules for industry to do better by. Indeed, we are two years into the transitional periods under the MDR and IVDR with scandalously little to show for it on the part of the authorities.

This situation punishes companies that try to be compliant with the new rules quickly and it leads to calculated prisoner’s dilemma behaviour in other companies that hope to get away with not implementing unfinished and unclear rules. This is not the kind of orderly transition you would like to see in a regulated space where human lives depend on the products concerned, and the availability of the products concerned depends on regulation being available.

GDPR

Implementation of the IVDR, and the possibly enormous amounts of data required for performance evaluation to the new standards, necessitate a precise and thorough understanding of the General Data Protection Regulation (GDPR) in order to be compliant with that regulation as well, as is explained in the presentation above.

The GDPR is woven into the IVDR, and has to be taken into account in dealing with performance data for the purpose of the performance data requirements under the IVDR. The GDPR has its own strict regime for data concerning health (e.g. patient related data about a patient sample that tested positive for syphilis) and genetic data (another category of data very relevant in molecular diagnostics). Compliance by design is therefore not only an IVDR thing, but implementation of the IVDR necessitates co-implementation of the GDPR (which requires privacy by design) if your company is processing plain personal data, personal data concerning health or genetic data. And with the very broad GDPR concept of personal data this is sooner than you think. Not a week passes in which I am not explaining to a (mostly US) company that taking off some identifiers does not (I repeat NOT) render personal data anonymous for EU GDPR purposes when the coding is reversible (and even if the key is held by a third party) so it remains personal data regulated under the GDPR.

Labs, healthcare institutions and home brews

One of the subjects not addressed in the presentation but in my experience a major subject of misunderstanding by healthcare institutions is the non-grandfathering of the existing home brew/lab developed test base currently in use in healthcare institutions and labs. The fact that these tests are currently being used does not automatically mean that nothing needs to happen under the IVDR. Since the IVD Directive currently explicitly excludes them from its scope, they have never been placed on the market for the purposes of EU IVD legislation, and are therefore not subject to the transition regime provided by the IVDR. The IVDR contains a regulatory regime for these products in article 5 (5) that applies as of the date of application of the regulation. Since these devices are subject to national regulation and are excluded from the IVD Directive (IVDD), they are not yet placed on the market or put into service under the IVDD. They become devices regulated under the IVDR as of 26 May 2022 and that means that article 5 (5) IVDR (which applies to devices manufactured and used in health institutions) is fully applicable without transitional regime, and also to the current installed base.

In order to keep using the installed base, health institutions need to meet the requirements in the IVDR (Annex I technical documentation and article 5 (5) requirements), which will be quite some work. This is a rather strict interpretation of the IVDR, but by the letter of the IVDR in my opinion the only right one: following the Blue Guide logic, a product that has been put into service under national law does not automatically count as already put into service for the purposes of the IVDR, as the IVDR did not apply yet and neither did the IVDD.

The only way out of this conundrum is for the member states to clarify that the installed base of in house produced IVDs put into service before the date of application counts as already legally put into service and therefore does not need to meet the article 5 (5) requirements by the date of application. The Commission cannot do this because the LDTs were always excluded from the IVDD. This would be a strange step to have to take though because you would have expected these devices to have been included in the sell-off provision under article 110 (4) IVDR until 2025 or otherwise addressed in the transitional regime. That provision however only applies to devices placed on the market before the date of application and still in the supply chain, but not to those put into service before that date (because in-house developed tests were never placed on the market).

Recognising the in-house developed installed base as placed on the market already or put into service already would lead to the strange situation that we would be dealing with two groups of in-house developed tests for possibly years and years: the formerly unregulated ones that remain subject to national law and the ones regulated under the IVDR, which would be subject to wildly diverging rules. In addition, every new device put into service of the same type of in-house developed test after the date of application (26 May 2022) would need to meet the article 5 (5) IVDR requirements anyhow (which more or less amount to meeting the IVDR requirements for a self-certified IVD).

In addition and importantly, the health institution needs to prove as of that date that its in-house tests are better than equivalent CE marked tests on the market. This requirement applies throughout the life cycle of the in-house test (like the other article 5 (5) IVDR requirements for in-house developed tests), so the health institution must monitor equivalent CE marked tests in the market on a continuous basis and switch when a better commercial CE marked test becomes available.

At best the transitional regime is – in my view – currently very unclear for in-house developed tests. Better get it clarified with your local competent authority. This competent authority will (or should) be able to also let you know whether it plans to restrict the manufacture and use of any specific in-house developed test as article 5 (5) IVDR allows.

So

Companies in IVDs: do not postpone IVDR transition and do not ignore GDPR. Two years of the transitional period for the IVDR have already passed, and it is 26 May 2022 before you know it, especially if you are on the bottom of the pile at an IVDR accredited notified body or if you need to get your performance data in shape to meet the new requirements. The GDPR is already fully applicable since 25 May 2018, so authorities have no patience whatsoever with companies that start to understand this only now.

Labs in health institutions: the IVDR also applies to you. Clarify the regulatory status of your existing installed base of LDTs (and start working on your article 5 (5) IVDR dossiers and QMS) and prepare to have to continuously justify the use of an in-house developed test against what is available as equivalent CE marked tests on the market, which (I agree) may make investing in LDT development more problematic. Yet, the IVDR has been set in stone for more than two years and you won’t change it any more at this stage.

Conferences!

If you are a US company in IVDs or medical devices and w/should like to know more about the MDR and the IVDR, consider visiting the RMD2019 USA conference in New Brunswick NJ on 13 and 14 June. This conference deals both with the MDR and the IVDR and is directed specifically to US companies – and I will be speaking there so you can ask me and the other experts any questions that you have.

Alternatively, join me at the Q1 3rd Annual EU MDR Implementation Conference on 16-17 July 2019 in Alexandria, VA, which is about the MDR only. You can meet me and other experts there in person to have your questions answered.

This was not the Corrigendum you were looking for

So, we have had yet another couple of weeks with many things happening, so you may enjoy the two core slides from a recent presentation of mine at the NEN MDR conference in the Netherlands.

In addition we had other interesting developments too: more guidance from the MDCG, this time about the scope of devices covered by the clinical evaluation consultation procedure (formerly known as scrutiny) and of course a Brexit situation that gets crazier every couple of days it seems.

(Un)known (un)knowns

Implementing the Unvollendete (unfinished) symphony of the MDR is working with (un)known (un)knowns. This will help you get a better overview of the (un)known (un)knowns we are facing at the moment:

[Two slides from the NEN MDR conference presentation: overview of the (un)known (un)knowns]

If you still don’t feel a sense of urgency, that’s fine. Either you are on collision course with reality or you have your MDR sorted out. In the latter case, high five and kudos to you.

Corrigenda

So the Corrigendum was published, here for MDR and here for IVDR – for consultation among the member states. These were not the corrigenda many people have been hoping for, as there was no movement on implementation at all. Happy scrolling, as all the languages have been included in one single document. For people that speak only one language, this is a nice moment to reconsider and marvel at the diversity of languages we have in the EU.

What stood out for me in the MDR corrigendum was:

  • animal origin products in article 1 (6)(f) MDR: they are now excluded from the transition provision in article 120 (10) MDR so they cannot be placed on the market anymore after the DoA in member states that allowed them before DoA.
  • accessories to Annex XVI non-medical devices are not classified in their own right anymore (see amendment to implementing rule 3.2).

The only real point in the IVDR corrigendum was that it is specified that the QMS assessment under Annex IX (full QMS and assessment of technical documentation) includes class B devices in section 2.3 (“Moreover, in the case of class B and C devices, the quality management system assessment shall be accompanied by the assessment of the technical documentation for devices selected on a representative basis as specified in Section 4.”). Class B devices are now also subject, of course, to notified body surveillance under section 3.5 of Annex IX.

Scrutiny scope guidance

More guidance was published: the MDCG published guidance on the clinical evaluation consultation procedure, the procedure formerly known as scrutiny, which interprets the three criteria that exempt devices from the pre-market clinical evaluation consultation procedure with the involvement of expert panels. The notice clarifies whether devices already marketed under the (AI)MDD are also exempt from scrutiny, which was a major point of concern with the expert panels not being up yet and notified bodies not accepting applications for MDR conformity assessment. It has now been clarified that “the expression “device already marketed” cannot be intended to refer to a device already marketed uniquely under the new Regulation”. In other words, scrutiny is only for devices that are new at the time of the conformity assessment application for the MDR. That is for the better indeed, because otherwise the MDCG would have been completely clogged with the applications for existing devices, causing an enormous bottleneck.

Brexit and national exemption measures in EU27

No news article these days is complete without a Brexit reference. While the UK contorts itself inside out in an attempt to wiggle itself out of the corner it painted itself into with not wanting a hard Brexit but not the deal that it negotiated with the EU either (yes, that is as incredible as it sounds), the UK managed to get two weeks of delay to man up and face the music of the inevitable corner it painted itself into. In the meantime the UK politicians seem more interested in jockeying for each other’s positions rather than extracting the country from the brink of cliff edge Brexit.

Since all the real Brexit remediation needs to happen at national level, I would like to take you through the way my country, the Netherlands, did this. We are blessed (and this is not meant sarcastically) with competent people in the Ministry of Health and sufficient capacity at the competent authority the Healthcare Inspectorate. The Netherlands will set up a procedure to deal with the situation of companies that are in the process of transferring away from a UK notified body at the moment of a hard Brexit.

Although they do not possess the EU27 notified body certificate yet, manufacturers can qualify for a six month exemption allowing them to sell devices in the Netherlands provided that they can demonstrate that there are no or insufficient alternatives for their product in the EU and there is a risk to the ensured continuity of healthcare in the Netherlands. And there are other formalities and requirements, such as that the manufacturer needs to prove that a transfer to an EU27 notified body was underway at the moment of the Brexit.

This means that the exemption is only available for manufacturers with indispensable devices that meet the other requirements as well. The rest has a big problem. I would assume that other EU member states are setting up or have set up similar procedures, but that may not necessarily be the case. Also, note that this is not an EU procedure, neither in the Netherlands nor anywhere else. This means that even in the lucky situation that you would qualify for an exemption in the Netherlands, you have to string your exemptions together on a per-member state basis using procedures that are not necessarily the same everywhere and may not lead to the same result everywhere.
