The EU Court’s Schrems II judgement – urgent revisiting of international personal data transfer mechanisms required

IMG_1549Wasn’t the MDR about More Data Required, and the same for the IVDR? Aren’t more and more devices running software that processes patient and user data? Isn’t the medical devices industry a very international business? Indeed – so the ability for companies working with the MDR and IVDR to transfer personal data internationally for all kinds of purposes MDR and IVDR related such clinical investigations, PMCF/PMPF, usability testing, trouble shooting / support, registries, communication of dimensions of custom implants, training of AI, cloud storage of patient data, linking patients to samples, eHealth and mHealth solutions, moving of IVD test results from one place to the other – basically anything involving clinical data that is personal data – is an important thing.

Since data is the blood pumped around in the MDR and IVDR architecture, I address data protection issues on this blog to raise awareness (for example here (about data subject damages), here (about cybersecurity) and here (more general about MDR/IVDR and GDPR)). I find in practice that companies and service providers in the medical devices industry often can do a much better job at data protection compliance and do not design their products and services with data protection principles of privacy and security by design in mind. The MDR and IVDR require you to manage risks with safety principles in mind, and the EU’s General Data Protection Regulation (“GDPR”) is no different: like the MDR and IVDR it requires risk management as a design factor. For EU purposes both physicial integrity and privacy are fundamental rights of patients and users of devices, which is reflected in the requirements in the MDR and in the GDPR. This is why I advise companies to integrate design processeses under the MDR and IVDR with those under the GDPR and not treat devices RA/QA and privacy as different silos in the company. The MDR and IVDR on the one hand and the GDPR on the other hand share many important links between, so non-compliance with one of them will often imply non-compliance with the other, for example with regard to cybersecurity.

This blog is a co-production with my firm’s data protection expert Cécile van der Heijden, who wrote the biggest part of it, and it addresses the recent GDPR bombshell judgement of the European Court of Justice (“CJEU”) in the Schrems II case, of which the impact on internal transfers from the European Economic Area (“EEA”) to third countries can hardly be overstated. The CJEU press release about the Schrems II case can be found here.

International transfers and the Schrems case

The GDPR allows transfers of personal data to a third country outside of the EEA only if the transferring party has provided appropriate safeguards and ensured that enforceable data subject rights and effective legal remedies are available for data subjects. Every medical devices company or service provider to that industry that works internationally and has some kind of connection to substance outside the EEA, uses cloud services or engages service providers that transfer data outside of the EEA (for example because they use cloud service providers or entities outside the EEA) will be directly or indirectly transferring data internationally.

This is why the CJEU’s judgement of 16 July 2020 in the Schrems II case (or the second Facebook case as it is known too) was so much anticipated. The case concerns conditions for transfer of personal data out of the EEA to the United States under an adequacy decision (in this case the EU-US Privacy Shield Framework, (“Privacy Shield”)) and standard data protection clauses (“SCC”). More particularly, the Schrems II case concerns transfer of personal data from Facebook Ireland Ltd to Facebook Inc in the US for processing. The judgement was rendered in a preliminary reference procedure in which the CJEU has answered questions of the referring Irish court concerning:

  • the applicability of the GDPR to transfers of personal data to third countries outside of the EEA, focussing on the SCC laid down in Commission Decision 2010/87 (EU controller to non-EEA processor);
  • the level of protection the GDPR requires in relation to such transfer;
  • the obligations that are imposed on supervisory authorities in relation to such transfer; and
  • whether both Commission Decision 2010/87 and Commission Decision 2016/1250 (the adequacy decision concerning the EU-US Privacy Shield Framework) are valid.

GDPR applies to transfers of personal data to third countries outside of the EEA

The CJEU has confirmed in Schrems II that – unsurprisingly and contrary to what was argued in defense – the GDPR does apply to a commercial transfer of personal data between two economic operators (terminology that also can be found in the MDR), even if the personal data is also processed by the authorities of the third country in which the recipient is established for the purpose of public security, defence and national security, for example by intelligence services.

Privacy Shield invalid as legal basis for transfer

The CJEU declares the EU-US Privacy Shield framework invalid due to the absence of adequate level of data protection in the US due to the existence of extensive governmental surveillance programs that lack effective judicial review and do not protect the rights of data subjects established in the EEA. Most notably, these surveillance programs in the US concern the US Foreign Intelligence Surveillance Act (“FISA”) and US Executive Order 12333. Privacy Shield does not offer sufficient safeguards in relation thereto.

SCC valid as a legal basis for transfer, provided that country of import offers equivalent protection as GDPR

At the same time, the CJEU declares that the SCC (as laid down in Commission Decision 2010/87) are valid as a mechanism but cannot be regarded as a ‘tick the box’ exercise because  the rights offered to EEA data subjects abroad should be, at least, at an equivalent level to those guaranteed under the GDPR. This means that all transferring parties, regardless of whether the personal data is transferred by a controller or processor, have a responsibility. This requires a risk assessment by the parties involved in the transfer. They must verify on a case-by-case basis (where appropriate in collaboration with the extra-EEA recipient of the personal data) whether the laws of the third country to which the personal data are transferred offer adequate protection in line with the requirements of EU data protection law.

The way that the legal framework in the country where the recipient is established works may lead to a need to provide additional safeguards in addition to those documented in the SCC. It goes without saying that this holds relevance for all SCC adopted by the European Commission beyond those documented in Commission Decision 2010/87. As most companies transfer personal data under SCC in absence of an applicable adequacy decision, this decision of the CJEU directly impacts nearly all parties that transfer personal data to outside of the EEA.

The CJEU requires a case-by-case review whether the laws of the third country in which the recipient is established respect data subject rights at a similar level as the GDPR, including by allowing for judicial review where the authorities have access to the personal data, e.g. for intelligence purposes. Where such level of protection cannot be met, the transfer must be suspended or the agreement between the parties must be terminated.

Immediate consequences Schrems II

The primary consequence of Schrems II is that personal data can no longer be transferred to the US under the Privacy Shield, meaning that companies must suspend all such transfers until another permitted transfer measure under the GDPR has been applied. Although Schrems II only concerns the SCC documented in Commission Decision 2010/87, the criteria set for the use of SCC have broader applicability. As a result, all transfers under SCC, regardless of the exact country to which the personal data are transferred, require a thorough and adequately documented review of the legislation of the recipient country for the transferring party to be able to demonstrate a lawful transfer.

Schrems II shows that general legislation that allows processing of personal data in as far as is necessary in a democratic society to safeguard, inter alia, national security, defence and public security which is subject to effective judicial review is acceptable. However, far-reaching processing of personal data by public authorities (i.e. through intelligence surveillance programs) in a third country that is not subject to effective judicial review does not offer the required level of protection to EEA data subjects. For example, the US Ombudsman linked to the Privacy Shield has no effective control over EEA data subbjects’ data being processd by the US intelligence services. Based on these criteria the CJEU ruled that the US does not offer appropriate levels of protection of data subjects similar to those offered in the EEA.

Schrems II has far reaching consequences for all EEA-based companies who collaborate with US businesses (e.g. for research activities or for intra-group activities, such as internal transfer of pharmacovigilance data, clinical trial data or post market surveillance data), use US-based processors (service providers) certified under the EU-US Privacy Shield (including CROs, cloud providers and providers of cookies for company websites) and for all other EEA-based companies that use SCC to transfer personal data to recipients.

While it may be difficult to perform the required review of national law of the receiving country, Schrems II has created an immediate problem in relation to transfers of personal data to the US, even where such transfers take place under SCC if no additional measures are taken. As the CJEU has determined that the US currently does not offer an adequate level of protection in line with the level of protection offered in the EU under the GDPR in relation to Privacy Shield, it is difficult to imagine how a transfer to the US under SCC will be considered adequate as these transfers will be subject to the same controls in the US. Therefore, where FISA or Executive Order 123333 are applicable to personal data transferred to the US, Schrems II effectively endangers transfers of those personal data to the US due to the lack of adequate protection of data subjects subject to the GDPR without the transferring parties adopting additional measures. While the CJEU has performed an analysis of the level of data protection offered by the US, the same would apply to a transfer to any other country outside the EEA that is not subject to an adequacy finding and where processing of personal data by the government (including for surveillance purposes) takes place beyond what is reasonably necessary in a democratic society.

There is another issue with the use of SCC: even where the assessment required by Schrems II can be conducted in practice, the SCC available do not cover all possible transfers. For example, a transfer between an EEA-based processor and a controller based in a third country is not covered by any SCC model, albeit that a solution is allowed if an EEA-based controller signs the clauses with the receiving controller.

Currently, SCC have only been adopted for transfers between two controllers and for a transfer between an EEA-based controller and a processor established outside of the EEA. While certain supervisory authorities may be convinced to allow broader use of the existing standard data protection clauses outside of their original context, this is not a universally accepted solution. Consequently, this approach requires clearing with the relevant supervisory authorities to avoid non-compliance with the GDPR.

Are other transfer measures than Privacy Shield or SCCs possible?

SCCs are not the only appropriate safeguards that can be used in absence of an adequacy decision but are (in general) the only safeguards readily available. Many appropriate safeguards require prior approval of a national supervisory authority or even the involvement of the European Data Protection Board or the European Commission. For example, the waiting time for approval of binding corporate rules by the Dutch Data Protection Authority is currently three to five years. Additionally, barely any codes of conduct have been approved thus far and can therefore not offer any solace. Such appropriate safeguards are therefore not workable for any company that is currently already undertaking transfers and wishes to continue these transfers. However, it is to be expected that application of other safeguard measures under the GDPR is held to the same standard as the use of SCC.

Where it cannot be established that national law in the country where the recipient is based offers sufficient protection to data subjects, the transferring party may be able to base the transfer on one of the derogations of article 49 of the GDPR. The EDPB considers these derogations to be exemptions from the

“general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards”.

However, as the EDPB has clarified, such transfers are limited to occasional, non-repetitive transfers and therefore offer no solution for large scale transfers.

Next steps for EU authorities and next steps for companies

It is expected that the collective supervisory authorities and the European Commission will provide additional guidance in relation to the consequences of Schrems II. We also expect the supervisory authorities to provide clarification on the exact parameters of required review of national law in the country where the receiving country is established as such extensive review will be difficult to realize for any company. The Dutch Supervisory Authority has indicated that the European Data Protection Board, in which all national supervisory authorities and the European Data Protection Supervisor are united, will soon provide guidance concerning the additional measures companies can include in the SCC. Authorities on both sides of the Atlantic need to quickly figure out what this judgment will mean for them, and how they will work with international data transfers in the future. The EU authorities will need to be more practical about what the required standard is, and other authorities will have the opportunity improve the quality of data protection regulation to take fundamental rights into account better.

We currently do not expect supervisory authorities to immediately begin enforcing Schrems II as the supervisory authorities are still reviewing the best manner to deal with Schrems II and how to apply the judgment in a practical manner. Nevertheless, we advise all companies transferring personal data to the US directly or via a (sub-) processor under Privacy Shield as well as companies using SCCs for data transfers to carefully map out any transfers that they are currently undertaking and make a best effort assessment whether the country of import offers protection of the rights of data subjects that can be considered adequate in the light of the GDPR (Schrems II does not require identical protection, but adequate protection).

Documentation is key for compliance after Schrems II. Companies should be transparent and document their analysis of national law in the country of import in detail. As a minimum, such analysis should include a review of:

  • the applicable data protection legislation in the country of import;
  • applicable legislation on surveillance by public authorities in the country of import, including in transit situations;
  • the availability of data subject rights, including judicial review of such processing activities by the public authorities in the country of import;
  • the scope, volume and application of the aforementioned measures.

Supervisory authorities or the European Commission may provide additional or different requirements for such analysis of national law in the country of import.

Regarding US transfers, there does not seem to be a way for data transfers to proceed legally in full compliance with the GDPR at the moment. To limit all risks companies may consider (temporarily) suspending personal data transfers from the EEA to the US until official guidance on the consequences of the Schrems II judgment becomes available. They should consider carefully which additional contractual safeguards can be incorporated under SCCs and have SCCs in place where they or their services providers relied on Privacy Shield. Where suspension of transfers is impossible in an individual case (for example in relation to ongoing treatment that cannot be postponed, ongoing participation in a clinical trial with an extra-EEA sponsor or manufacturing of a custom made implant outside the EEA), we advise to review whether such transfer can nevertheless take place under a specific derogation of article 49 of the GDPR. The information obligations of the transferring party in relation to the use of a derogation may increase due to Schrems II.

Where companies continue to transfer personal data under SCC or a derogation, rigorous application of the principle of data minimisation and to practice encryption may serve as a non-regulatory solution to provide a degree of technical protection against import country scrutiny of data. This would help in meeting the requirement to apply extra measures in addition to the SCC as referred to in Schrems II. Nonetheless, such measures by themselves do not constitute a legal basis for an adequate transfer in compliance with the GDPR.

Schrems II makes implementation of the basic principles of data protection in the GDPR very relevant, as this ruling emphasizes that ‘with big data comes great responsibility’. The more personal data that a company collects and exports, the more responsibility it takes on. Questions? Cécile and I are at your service.

Standardisation request for MDR and IVDR refused; now what?

No puedo con tantoA new blog post, a new step in the soap that is the non-transitional period of the MDR and the IVDR.

I have jokingly paraphrased the absurdist painter Magritte by saying “céci n’est pas une période de transition”. I’m contemplating starting a T-shirts business with memes for the MDR and IVDR, with that meme and others, like “Regulatory Cassandra” and “I worked myself into the ground to meet the MDR DoA and all I got was this one year delay which is not a delay actually”. And of course for the IVDR I’m still negotiating with the History Channel Ancient Aliens guy to use his portrait on the “Alien invasion scenario, anyone?” T-shirt for my IVD industry readers.

Not a soap, a telenovela

So what is the new episode in the soap you ask? I bet you have some idea from the spoiler in the title of this blog.

At this point I would not even call the MDR and IVDR transitional period a soap anymore, but rather a full blown telenovela. For those that think they know me: did you know I have South American roots (but contrary to popular belief am not a 65 year old Olympic sailor and Sjoerd’s twin brother)? Watching telenovelas with my thirteen year old daughter is one of my guiltiest pleasures. My predicament at the moment is that Netflix still has not released the last season of Jane the Virgin in the Netherlands. Not cool, Netflix – it’s been available elsewhere for a long time already.

Telenovelas are characterised by convoluted subplots involving three or four different settings and involve set archetypical scenarios with surprising plot twist using classic style figures, but overall narrate a set story arc. Contrary to soap operas, which normally have an open end and can last theoretically forever, a telenovela is planned for a specific period unless extended by unforeseen circumstances (such as pandemics, alien invasions or unexpected success).

Sound a lot like the MDR and IVDR transition, right? Let’s zoom in on the subplot of standardisation, since I already gave that much away in the title.

The standardisation sub-plot in the MDR / IVDR telenovela

As I mentioned in my last blog, the standardization bodies CEN / Cenelec would decide on the standardisation request for the MDR and IVDR by 17 June. I also mentioned that not everyone was happy with the request as it went in. It contained references to standards that would be outdated by completion (or even already were at the date of the request), the request was not complete, the request was (way too) late, etc. Those that did not openly critise the request were probably thinking an imperfect and late request was better than no request.

So 17 June came and went last week and we heard nothing. At least, not publicly. However, I was able to confirm from various sources by the end of last week that the request had in fact been rejected by CEN / Cenelec on 16 June (this was confirmed by the Commission in the MDCG subgroup on standards on 19 June and posted by a Commission official on LinkedIn) – they are not going to embark on this project and, procedurally, a new (amended) request will be necessary. This leaves the standardization project under the MDR and the IVDR without legal basis for the moment.

Schermfoto 2020-06-20 om 13.08.28

The background of these things is always kind of political but it seems that the main reason for rejection of the request can be found in the persisting tension between the Commission and the standardization bodies about the outcome of the standardization process: the Commission wants standards that are as close to what it sees as European requirements, and the standardization process delivers standards that are state of art according to the experts involved in the standardization process. As a result of EU court case law case the Commission has been on a mission of greater influence over the interaction between standards and regulations. So, my dear readers, as you will understand: this tension is only to be expected because relationship drama is a necessary ingredient of any telenovela.

We did learn that another iteration of harmonised standards under the directives is under preparation, likely to arrive end of this year. You can already put that on your planning. What? You disbanded your whole MDR transition team already and have no resources for this? Not so smart after all. 

What now?

Like in a telenovela, this is obviously a plot twist. As a company with some sense you had already planned (or finalized) your technical documentation without relying on a presumption of conformity against MDR harmonised standards, because this was a likely outcome of the scenarios that you had been planning for (if haven’t read the ISO 31000 standard, it’s still not too late). This is not your first telenovela, right?

If you’re in IVDs, maybe not count on harmonised standards being available in time – that’s a likely scenario. Why not you say? May 2022 is still far away? As you will have read in my last blog on this subject for the IVDR, it totally is not. And I guarantee you that we will not have harmonized standards under the IVDR before you need them this summer and autumn.

This means that under all circumstances anyone having to file a conformity assessment application under the IVDR or MDR soonish will not have harmonized standards to rely on, and can therefore not rely on a presumption of conformity under the MDR and IVDR.

Back to state of art – for the moment

Dios mio! No presumption of conformity! Why do we even have standards then? 

This development does not mean that you cannot rely on international standards at all. Actually, not relying on them at all will make things much more complicated because you lose a common frame of reference with your notified body.

What you will need to do is go back to basics for your GSPRs, as GSPR 1 both for the MDR and IVDR sets out: you will be ‘taking into account the generally acknowledged state of the art’. This means that for each of the standards you reference you will have to draft rationale that the requirement referred to in that standard is state of art for the GSPR that you reference it for. While you may think that the latest standard adopted necessarily reflects state of art, I recommend not to presume this. Check this approach with your notified body before you deploy it across the board. Notified bodies may have had other marching orders from their competent authorities, because those latter ones look at what they think are requirements, and may not necessarily agree that the latest adopted standard reflects those correctly. 

Notified bodies position?

It would be fantastic if notified bodies could be explicit publicly about whether they endorse the approach of ‘latest standard adopted = always state of art’ across the board, because that would make life a lot easier. It would be a kind of de facto presumption of conformity that companies can operate on until the harmonization request does yield harmonised standards.

Good news: it seems that there are ongoing efforts in that direction. Bad news: if that happens you may need to revisit your technical documentation for the Z annex gaps defined in the harmonized standards if and when these are finally adopted. I would recommend to keep thinking about what a Z annex might look like for a given standard, and how its adoption would affect the technical documentation.

Common specifications anyone?

We are in the telenovela space, so plot twists are always a possibility (as I tend to say: scenario anyone?). In the presentation to the MDCG standards subgroup the Commission seems to be hinting (or maybe making a veiled threat, depending on how you see it) at development of Common Specifications  (CS) under the MDR.

Schermfoto 2020-06-20 om 13.09.26

I must say that this is one of the options that came to mind for me as well when I heard the first rumors that the request had been rejected. However, if we look at the Commission’s less than stellar track record on adopting the only two CS that we actually must have under the MDR (one for reprocessing of single use devices and one for the non-medical Annex XVI devices) then the Commission and its chaotic family member the MDCG do not really seem capable of drafting and adopting the scope of the standards in the request plus the work that the HAS consultants would still need to do to draft the Z annexes to define the gaps between the standards and the requirements in the short term. I would chalk this option up to theoretically possible, but not likely.

More likely would be adoption of several targeted CS for some of the requirements under the MDR and IVDR where the EU is not happy with the available standards as being ‘insufficient’, which is exactly what the CS were intended for in the first place. So I would not dismiss the CS option altogether.

As is the rule with telenovelas however, you don’t find out the truth until the last five minutes of the series’ finale. COCIR predicted a decline in harmonised standards for medical devices, so it would not be surprising if this gap would be bridged with CS. 

¿Qué es lo siguiente?

What will be next in this riveting rollercoaster? So many sub plot options! The relationship drama between the standardization bodies and the Commission might take an unexpected turn with CS replacing standards, although this is not so likely I think. There may be lots of drama though as they sort things out. After all, this is a telenovela.

The Commission will go back to the drawing board and will work on a new request now, and will have to discuss with CEN / Cenelec how to arrive at a new request that can work for all involved. Since the drama between the standardization bodies and the Commission is in Annex III of the request, which describes the general and specific requirements for the harmonised standards, this is where the magic will need to happen:

Schermafbeelding 2020-06-20 om 13.42.35

I expect that this magic will include, specifically, some developments in the “information on the relevant applicable requirements or parts of the relevant applicable requirements that are not covered by it” (Annex III, part A sub 2) – the Z annex gaps – and in the way that the Commission thinks standardization for devices is supposed to function under the MDR and IVDR. Since telenovelas normally revolve around a family secret, we will also have to live with the thought that we will likely not get to the bottom of this completely as the family secrets are unfortunately never transparent.

The Commission may have to be a bit more like Rogelio in Jane the Virgin when he learned that Xo was pregnant with his arch nemesis’ baby: supportive of whatever choice she would make about it because it was her choice to make and not his. If you’re in it together because you are a public-private partnership, be part of the solution to make it work – a presumption of conformity, after all, does not define the legal standard as such. But, as Rogelio said himself: “If you knew anything about telenovelas, you’d know that everything is supposed to be dramatic!”

The urgency with IVDs and the IVDR

IVDR aliensMany people ask me these days: why the urgency with IVDs? The IVDR’s date of application (26 May 2022) is still almost two years away. Why the hurry?

The hurry has everything to do with simply counting back from the date of application and understanding the requirements of the IVDR.

Notified bodies are very scarce

By now, everybody will know that 85% of the IVDs under the IVDR need conformity assessment by a notified body as a result of a radically new classification mechanism – also the devices already on the market. Just like the MDR the IVDR does not do grandfathering. For those who have missed entirely what the IVDR is about, here is a summary:

Because the IVDR does not do grandfathering this means that unless your IVD is a class A IVD (instruments, specimen receptacles and general lab use products etc.) under the IVDR, you will need a notified body to perform a conformity assessment that hopefully results in a CE certificate.

Do notified bodies for the IVDR grow on trees? They certainly do not. In fact, there are very few of them – you would like them to go on trees. At the moment there are de facto only two (BSI and Dekra Germany at the moment), with two more in the pipeline for notification in the short term. If all notified bodies that applied for designation will finally be designated we will have about eight or nine. That is much less than we had for the IVDD (22), who were responsible for a much smaller share of the IVDs under the IVD Directive. In other words: much less notified bodies that have to do much more work. Sounds like a bit of planning to make sure that you are top of the list is a sensible thing to do.

Since a notified body needs time to perform a conformity assessment, you have to count back from the date of application to know when you should file your application for conformity assessment. Notified bodies will generally need a year from application to CE certificate, if there are no hick-ups and the dossier is completely impeccable.

This puts you in May 2021 for having handed in your IVD conformity assessment application, if you are going to cut it as close as possible and are not going to plan for any unforeseen delays in the assessment procedure (second wave of COVID 19 anyone?) and are willing to apply to a very limited number of notified bodies when everybody else is doing the same. Sounds like solid risk management, right? So maybe you want be apply earlier than that, say end 2020.

End 2020 you say? That’s end of this year! Indeed, and that is assuming that you have all the data required for the application. Chances are that you do not, so read on.

Clinical performance study data or justification of absence is needed

As a rule the IVDR requires clinical performance studies as a source of clinical performance data (article 56). The IVDD generally did not put that much emphasis on clinical performance data, but was more concerned with scientific validity and analytical performance data.

Clinical evidence

Overview of clinical evidence from MedTech Europe, “Clinical Evidence Requirements for CE certification under the In-Vitro Diagnostic Regulation in the European Union”, p. 16

This means that many IVD manufacturers have not done clinical performance studies, ever. At best they have some post market performance data that may or may not include clinical performance data. The rule is that they must do clinical performance studies unless it is duly justified to rely on other sources of clinical performance data. 

This means that a manufacturer

  1. needs to have an idea about the gap of clinical performance data,
  2. needs a plan to close the gap before submitting the conformity assessment application to the notified body and
  3. preferably has an idea about whether this plan is sufficient for the notified body, so will need to have engaged with the notfiied body about this.

If there is a gap (start with that as a safe assumption) then the manufacturer must either generate new clinical performance data for the IVDR conformity assessment application, even if the test has been on the market for many years under the IVD Directive. Maybe he can justify relying on other sources, like some data Rembrandts in the attic in the form of a hoard of post market (clinical) performance follow-up data that he has accumulated methodically over the years.

Where the manufacturer relies on literature searches or other data in the technical documentation of a legacy IVD (especially the self declared ones), it may be good to realize that the bar has gone up regarding presentation of that data as well. The MDCG guidance on clinical evidence for legacy devices refers to sections of MEDDEV 2.7/1 rev. 4 that are considered relevant to MDR as they contain helpful information regarding how to perform activities associated with clinical evaluation, including literature searches. While this guidance applies to the MDR only, it does give an insight in expectations of activities associated with clinical evaluation. A number of other MDCG guidance documents relating to clinical / performance evaluation explicitly apply to both the MDR and IVDR (such as MDCG 2020-1 on clinical/performance evaluation of software and there are non-clinical/performance evaluation ones that also apply to both, such as MDCG 2019-7 on the PRRC). Other guidance that is does not necessarily applies to clinical evaluation that only applies to the MDR may be relevant to take into account under the IVDR too.

This gives you the period between now and end of 2020 to compile, and if necessary, generate any performance data required and integrate it in your technical documentation for the conformity assessment application.

And if you need to do an additional clinical performance study to close the gap, can you do this in half a year? You might already be too late when you read this.

For a lot of detail and very practical guidance on clinical evidence requirements under the IVDR I suggest (again) that you absorb the excellent MedTech Europe document Clinical Evidence Requirements for CE certification under the In-Vitro Diagnostic Regulation in the European Union and make good use of it. 

EU GDPR compliance for performance studies required

Ah, but not to worry! We have performance data from samples, and worst case we still have access to old samples that we can run a study on.

However, there is a catch: samples relate to persons and personal data is protected in the EU – and the IVDR takes this very seriously. The performance study (including those using left over samples or relied on other secondary use of samples) must have been performed in accordance with the EU General Data Protection Regulation or its predecessor directive (article 57 (3) IVDR).

But, few – the samples were anonimised because they cannot be directly linked to patients anymore. This is actually not what anonimised means in Europe: as long as it is still possible to link a sample to a person (e.g. by using the key that the hospital has) then the data is not anonimised but pseudonomised and still subject to full data protection controls because the EU takes protection of personal data concerning health very seriously.

See about all of this a presentation of mine from a long time ago at the RAPS Convergence in Washington DC (September 2017), long ago at a time that we could still travel:

This was by the way also the conference at which people expressed absolute disbelief about the theory that there might be only five notified bodies for the IVDR. And with a window to reliably file before the end of this year, we now have two of them – so here we all are. Maybe I was not so wrong here after all.

Long story short: the notified body may inquire about how this data protection compliance has been arranged, and then you need to be able to demonstrate that you acquired the data lawfully.

Data protection authorities in the EU may also ask you to explain, and can prohibit the use of data not processed lawfully – and they know a lot more about lawful data processing than notified bodies.

In both cases, falling short of meeting the standards would be a setback, because the data will be useless.

This means deadlines in the future are closer than you think

So there you have it: the May 2022 deadline is actually around the corner.

“But Erik, they must move this deadline like they did with the MDR, right? There is no other option.”

Well, we needed the COVID-19 pandemic to happen just before the date of application for the MDR to move. By now however the COVID-19 restrictions are a given. And don’t forget, the IVDR already had a deliberately longer transitional period of five years (compared to three years under the MDR), starting more than three years ago by now. COVID-19 may be an excuse if the notified bodies cannot start a conformity assessment because of the restrictions (since remote audits are not possible for new applications – even if this guidance would be applied to the IVDR), but are you even at that point already?

Remember also with the MDR DoA move: only the DoA moved, but the end of the transitional regime did not move. This would mean for the IVDR that the May 2022 to May 2024 period of two years would shrink to one (1) year. One year for the few IVDR notified bodies to process all remaining applications, because everyone would file just before May 2023, right? Cramming all these assessments in just one year would create an enormous bottleneck and would not solve your problem.

Of course you can bet on the deadline being moved. If it’s all you have then it may be your only option. But if it’s not, I really recommend lighting a fire under your IVDR remediation. Who knows it will turn out that we need a full zombie apocalypse, AI singularity running amok or alien invasion for the IVDR DoA to move?

Date of Entry into Force plus three years and a little bit

Kermit

MDR DoA moved: industry be like

 Last week  we went past DoE (Date of Entry into force) of the MDR plus three years, and the date on which the MDR was supposed to have become applicable.

As you, my dear readers, will all know by now, the date of application (DoA) has been moved with a year now as the outcome of a thrilling rollercoaster that I described on this blog in much detail. It was kind of silent on the blog afterwards because from a legal perspective nothing much interesting has happenend since: the MDR was amended with the amending regulation and the DoA was moved up as projected. The consolidated version of the MDR with the changes incorporated is here. And I was very busy with all kinds of questions resulting from this move.

As I have blogged, the amending regulation does more than just move the DoA of the MDR, it also creates some unprecedented new powers for the Commission to take emergency approval measures under the existing directives and it even seemed to make it possible that Eudamed could be launched according to the agenda as planned.
So where does this leave us?

Industry response

Part of industry was quite happy with itself, because “it had won” – yay! Those with some formal education will be familiar with the concept of Pyrrhic victory, because that is what this is. It is merely delaying the inevitable. And those that have dealt with that know that the inevitable always happens.

Many other more responsible companies were very annoyed with the situation, as they had worked like crazy to be in time for the DoA, only to find that it had been moved up. For them this creates budget and resource problems, as staff needs to remain available to MDR projects for an additional year, which was not foreseen in the often hard fought MDR budgets and project timelines.

Rest assured that the DoA was not moved to give industry more time, it was moved to give notified bodies and competent authorities more time to complete the rollout and certificates conversion that they were much behind with. The enormous disruption of business as usual caused by COVID-19 created the political momentum for the change, because the Commission and member states realised that the epidemic would delay things so much it would be embarrassing and unworkable.

Quite some companies responded with the short term reaction that is characteristic for a three month horizon: many MDR projects were shelved and MDR transitions teams were disbanded or decimated because the ‘resources’ had been allocated to other projects and the company was not going to pivot on this. The DoA is a year away again, so why make the best of the extra time, right? In the end it’s only core business, so how could that be important. So many things you can do in one year, and so many loose ends to tie.

A lot of companies seem under the impression that the move of the DoA means that all the other subsequent deadlines at the end moved up with one year too. Wrong! The other deadlines of May 2024 and May 2025 did not move at all. So one year more until DoA is one year less of the four years of transition to convert the last MDD declarations of conformity and (AI) MDD certificates into MDR certificates and MDR Declarations of Conformity:

Schermafbeelding 2020-06-01 om 21.51.17

 

Does the delay help?

Yes and no, and in different ways than you might think. I invite you to watch Amanda Maxwell’s interview with Bassil Akra, Gert Bos and me for different perspectives on this matter, kindly made publicly available by MedTech Insight:

In the extra year authorities are working on completing the outstanding agenda of implementing and delegated acts, Commons Specifications (Q4 2020 for Annex XVI products now and Q3 2020 for reprocessing of SUDs), MDCG guidances and, of course, Eudamed. The medical devices website will be transferred from DG GROW to DG SANTE, not a minute to soon since devices have been back with DG SANTE for a while now.

The notified bodies that are notified under the MDR will likely have a very limited add-on effect to the existing capacity, because they will be severely limited in what they can do. Apart from the ramp-up time to come to full capacity, they cannot travel or go to sites due to the COVID-19 epidemic, which means that they cannot complete new conformity assessment applications under the MDR. Yes: the new guidance on remote audits does not apply to MDR and it does not apply to new assessment applications in any event. Things will have to get worse before this gets better.

Notified bodies that were at risk of not completing pending re-certification under the (AI)MDD prior to DoA as to enable the manufacturer to benefit from the soft transition (and their customers) are the ones that seem to benefit the most from the move of the DoA. That is, if they had not planned for the DoA to not move. As you know, all existing notified body designations under the (AI)MDD would have become void by 25 May. With this deadline in sight, you can bet that notified bodies and their staff have done some planning of their own, resulting in staff having given notice already before the DoA move was even announced on 25 March 2020 and notified bodies having planned not to be designated by that date. The fact that notified bodies whose designation would otherwise have ended in the additional year can be conveniently renewed up to 26 May 2021 under a quickly adopted change of law, for which you find the guidance here (MDCG 2020-11), does not mean that these notified bodies can just scale up again if they had actually planned to close down or continue with a skeleton staff sufficient to do only surveillance of the (AI)MDD certificates during the soft transition period. The amended designation regulation also does not allow for designation of new notified bodies. The question remains therefore how much notified body capacity was really saved with the DoA move.

The notified bodies that already had their MDR designation (14 in total now) will also have had planning issues that makes it more difficult for them to stay at capacity (or increase this) for (AI)MDD. Also for them it was a reality that the (AI)MDD assessment business would switch to surveillance only by 26 May 2020 and they planned for that as well. New staff was trained only at MDR, and therefore only qualified for MDR. All the same, you say? Not how the law sees it. Just look at how many different classes of driver’s licenses or pilot licenses exist, even though it’s all sitting in a vehicle and steering in two or three dimensions. Different vehicles require different qualifications. Therefore, given everyone’s planning and the limited options created by the surprise additional of the extra year, your best option as manufacturer is to follow your original planning with the notified body and in cases where you would not have had your (AI)MDD certificates renewed in time, enjoy the possibility that the notified body may still be able to pull it off.

It helps the Commission and the MDCG

The delay does help the MDCG and the Commission. Important planning was immediately amended: more room to complete guidance for expert panels under the MDR and more time to make them function, still in 2020 or who knows when by now. The first MDCG guidances are starting to appear in version 2 and the MDCG and Commission are cranking out guidances like there’s no tomorrow. Just in May and April this year nineteen (19!) guidance documents were issued on top of a bunch of other MDR related documents.

The delay of expert panels obviously does not help manufacturers that must follow the clinical evaluation consultation procedure. Article 120 (7) MDR literally says that as long as there are no expert panels, the procedure for new high risk devices subject to additional EU level scrutiny cannot be completed.

The delay also gives the Commission and the member states more time to clear the congested queue of MDR notified body designation. Remember: we have 44 applications, which so far resulted in only 14 designations. This means that there are still 30 (thirty!) notified bodies backed up in the application procedure. Obviously this is not completely the fault of the authorities, because many notified bodies did not apply at the first opportunity (26 November 2017) and quite a number took significant time to clear their CAPAs, but nonetheless: here we all are.

Standards

The extra year will not be enough to complete the standardisation mandate for the MDR / IVDR that has been put to CEN and Cenelec. Their decision whether they accept the standardisation mandate finally made officially on 15 May is foreseen now for 17 June, and even if CEN / Cenelec accept the mandate (which some parties have recommended that they actually don’t) it will most likely not be before the MDR DoA that the standards will be harmonised. Better plan to go into the MDR without harmonised standards.

The Article 59 powers

The amendment proposal allows for one interesting innovation and that is the applicability of article 59 MDR to the devices under the directives prior to the DoA. In other words, when a member state issues an emergency measure allowing a non-CE marked device on the market, the Commission may extend this measure to the whole EU on a mandatory basis by means of an implementing act, see below for my embedded presentation on this point:

Guidance for how the Commission will work with this exemption regime has also been published in the mean time, which confirms that this will really only be used in exceptional circumstances for indispensable devices, and is clearly not intended as a CE mark bypass or bottleneck management mechanism.

We will need to see now how the system works in practice.

Eudamed

As I have mentioned the amending regulation seems to make Eudamed phase-in as envisaged possible but only one year later. The Commission has taken the view that this is not what is going to happen: the fact that the deadline has been moved does not mean that its plans have changed. Also the most recent version of the Rolling Plan sets “2022” as Eudamed go live date.

So it will still be a phased ‘voluntary’ introduction of modules, with the actors module going first some months before the new MDR DoA (likely March 2021). We still don’t know whether the investment in the voluntary elements will not have to be re-done later at some point. However, it would be a very good opportunity to test company machine to machine interfaces and, more general, the company’s Eudamed procedures because you can start interaction with Eudamed likely as from March 2021.

The actor module gives the option for  manufacturers, authorized representatives, importers as well as systems and procedure pack producers to enter their data in Eudamed and to acquire a Single Registration Number (SRN). The SRN is a very crucial element in Eudamed and under the MDR in general as you will need it for declarations of conformity and certificates. Since it is important that the SRN can be obtained before the date of application of the MDR, the actor module will be first and before the new DoA. May 2021 is expected to bring two more modules: the UDI/Device Registration module and the Certificate/Notified Body module, which are also required for data entry and for data on certificates. The rest of the modules (clinical investigations, incident reporting and market surveillance) will follow later as these are intended as tools for communication about devices and actors. As envisaged under article 123 (3) MDR existing systems will be used for this until Eudamed is fully functional.

IVDs: a crisis in the making

I’ve said it before and will keep repeating it: the IVDR is a crisis in the making. Several developments conspire to make this a really big crisis that may put a serious dent in healthcare. Maybe some people noticed that in these epidemic times it is pretty sweet and kind of essential to have in vitro diagnostic tests that are actually validated. So why miss all these opportunities to plan ahead?

We had some guidance about COVID-19 test development under the current IVDD, which was a nice reiteration of what every serious IVD company that takes performance evaluation seriously should know already. If you’re an IVD company, it might be good to put your existing technical documentation along that ruler because this is the bare minimum that a notified body will expect under IVDD standards (as you know the IVDR will be a step up, with additional clinical performance data required).

At the moment there are de facto only two notified bodies designated for the IVDR (three in NANDO at the moment, but BSI has one in the Netherlands and one in the UK, the latter of which will lose its designation end of this year as a result of Brexit). It is not exactly clear how much of the required capacity these two notified bodies represent but given that there are still 12 notified bodies in the pipeline according to official figures, this is probably not as much as needed (the capacity that applied represents 62% out of the original number of NBs for the IVDD says the Commission, counting one extra new applicant, which is likely NSF that also abandoned its application again).

If you count back from the DoA of the IVDR, manufacturers must have an IVDR conformity assessment application in the door at a notified body by the end of 2020 in order to have a good chance of an IVDR CE certificate before IVDR DoA. As I have explained on previous occasions, the IVDR is different from the MDR in that most manufacturers on the market do not already have a CE certificate under the IVDD, while the large majority of them will need that under the IVDR and they have two notified bodies to choose from. This means that if you’re an IVD manufacturer you must plan for an IVDR conformity assessment application before the end this year. Let’s just hope more notified body capacity becomes available, but I am not optimistic. This means that when the two current IVDR NBs are full, the rest is largely out of luck. Yet, the sense of urgency seems to be missing, both on the side of industry in general and on the side of the authorities.

The IVDR has been structurally left out of any COVID-19 motivated emergency measures, such as the extension of article 59 MDR to the directives. It would have been a small matter legally to have included article 54 IVDR in this as well, thus allowing for emergency possibilities for IVDs. This would be extra important in the light of the bottleneck for IVDs going into the IVDR. Yet, apparently all eyes appear to be on the MDR at the moment.

So far no substantial guidance has appeared for the IVDR and half of the IVDR guidance on the planning is not even scheduled for 2020. This is why I am personally very happy with the new MedTech Europe guidance document “Clinical Evidence Requirements for CE certification under the in vitro Diagnostic Regulation in the European Union”, This document is a collection of questions and answers designed to help manufacturers navigate their performance evaluation obligations under the IVDR.

So what to do?

If I were a devices manufacturer I would not treat this extra year as an extra year of MDR DoA delay because it really isn’t. At best you have some months extra to fine tune and that may be welcome. Your MDR specialist might take some well-deserved holidays, but keep your eyes on the ball and don’t forget that everything moves slower in an ongoing pandemic so what would normally get done in the same amount of time will now take longer.

If I were an IVD manufacturer I would go full pull to have my technical documentation for my IVDs ready for the IVDR on the triple double and make sure to have my first conformity assessment applications in the door at a notified body this autumn to be ahead of the big congestion that is coming. Same is true here: expect things to move slower than normal because of the pandemic. We may even get a second wave that’s worse. Have you planned for that? Scenario anyone?

MDR date of application move: politically a done deal now

With the overwhelming vote in the Parliament in favor of the Commission proposal to amend the MDR it is politically basically a done deal now that the MDR will be amended.

After the vote there were people that immediately stated that the amendment was formally approved – not so. We are looking at law making in the ordinary legislative procedure, which is co-decision making between the Council and the Parliament – they each need to adapt a position in first reading and then compare notes to see if further conciliation is needed. To speed things up to the maximum extent the Council gave a mandate in which it outlined what would be acceptable to the Council.

The Parliament’s vote for its first reading seems to fit this mandate perfectly, which means that the Council can now also adopt its position in first reading (which it will likely do special proceedings via the COREPER, because normally it would need to convene in person). Then the agreed amendment needs to go past the ECOSOC (who is already prepared to be part of the solution and ready to go) and the Committee of the Regions. Normally there would also be eight weeks for national parliaments to have an opinion, which has been skipped this time. Only then can the proposal be published and enter into force on the day of publication.

The Council has confirmed in the mean time that the Parliament’s first reading corresponds to what the Council would agree to, so the Council’s first reading confirmation is impending, bringing the first reading phase to a close and paving the way for adoption of the proposal after ECOSOC and Committee of the Regions consultation. I expect the Council to formally close its first reading in the course of coming week. ECOSOC and the Regions will go as fast as they go, ECOSOC even had its position ready last Friday, the day of the Parliament vote, supporting the amendment but making the critical note that

“the EESC would like to reiterate the request made in its previous opinion on this topic, namely that the functioning of the Regulation should be formally reviewed, jointly by authorities and stakeholders from civil society, three years after its entry into force, to ensure that its objectives are being met.” 

Complexity? Rather underestimation and under-resourcing

The recital 4 to the amending Regulation state that:

“Given the unprecedented magnitude of the current challenges, and taking into account the complexity of Regulation (EU) 2017/745, it is very likely that Member States, health institutions, economic operators and other relevant parties will not be in a position to ensure the proper implementation and application of that Regulation from 26 May 2020 as laid down therein.”

OK, the MDR is complex, but it was not a surprise except to those that deliberately chose to stay uninformed. Implementation was not that complex because it was a regulation, of which the whole idea is that there is not that much to implement. Many responsible companies attacked the problem with a lot of energy and at considerable costs and were as ready as they could be in Q1 2020, prepared to give this their best shot. Many others chose to do differently, to which I can only say that staying uninformed was a choice in this case.

The elephant in the room here, obviously, is how the Commission and the Member States failed to ensure proper implementation, as has been discussed on this blog over the more than nine years that I am tracking the MDR and IVDR. Essential guidance, Common Specifications and implementing acts late or delayed. Almost none of the Member States has their implementing legislation ready. It shows that the authorities, both at EU and national level have structurally underestimated and under-resourced the MDR and IVDR implementation. This will not be fixed in the year and I am quite certain that still many actions outstanding in the Rolling Plan and the Ongoing Guidance development document will not be completed in time, because the root cause has not changed.

The only difference is the move of the medical devices policy from DG GROWTH to DG Health and Food Safety (DG SANTE), which may make something of a difference – hopefully.

Moving load between communicating vessels?

It is always nice to be able to celebrate a success, but what will this amendment actually achieve? Will it avoid a situation of ‘Dead on Arrival’? The move of the DoA creates time here and there, but it does not create extra capacity. A basic principle of load balancing is that if you move load to relieve a bottleneck, there must be capacity elsewhere in the infrastructure that the load can be moved to, otherwise you just create another bottleneck elsewhere. 

COVID-19 has

“a significant impact on various areas covered by Regulation (EU) 2017/745, such as the designation and work of notified bodies and the placing on the market and making available on the market of medical devices in the Union” (recital 2 of the proposal)

Granted, the additional year does give authorities, economic operators and notified bodies one more year to prepare for the MDR, but it does not create more capacity.

The year eats into the four year period to transfer the renewed (AI)MDD certificates that the market went all in on with one year. So now there will be more (AI)MDD certificates to renew to the MDR in less time. Also, notified bodies will still not function as normal. In fact, they will function less than normal because they cannot audit under normal circumstances. Yes, they can do part of their audit remotely now, but this is not exactly creating extra capacity. More notified bodies can be notified under the MDR before the DoA, but a notified body needs time (about 6 months) to get to full operating capacity and a conformity assessment procedure mostly takes 8 months at least, so any notified bodies  designated in this extra year will not make a difference for the MDR pre-DoA. The only net win is that these notified bodies have more time to issue (AI)MDD certificates that must be renewed very soon (within less than four years).

What will the move of the DoA allow manufactures to achieve? They will have less time to convert old (AI)MDD certificates to MDR certificates (three years instead of four years). – capacity problems may ensue at manufacturers and notified bodies. They have more time to finish preparing their QMS for article 120 (3) life (MDR QMS partially and no significant changes). The good part for innovation here is that the time frame in which no significant changes are allowed is shortened.  One more year to change notified body or start up new conformity assessment under the (AI)MDD pre DoA? Don’t bet on it, because notified bodies are generally still not taking new customers or staring new conformity assessments for (AI)MDD certificates because they did not suddenly get extra capacity.

Article 59 pre-DoA

The application of article 59 pre-DoA has the consequence that any essential medical devices that (still) do not make it for the new DoA can be pseudo-CE marked with a pan-Union emergency implementing act. However, this immediately begs the question as to capacity at the European Commission to crank out implementing acts. Given the track record of the Commisison in adopting implementing acts under the MDR and IVDR, this is not a happy picture. Nobody wants to rely on article 59 MDR as a magic bullet as it currently looks like and only as a last resort, but we’ll have to see how the Commission and the other institutional actors operationalise the article 59 MDR procedure. 

I still think it was a mistake not to use this opportunity to also bring article 54 IVDR (the analogue in the IVDR) forward to be able to have a pan European approval mechanism for COVID-19 tests, of which there are shortages everywhere at the moment.  

Eudamed consequences?

The proposal moves dates for Eudamed in a way that it will be possible for Eudamed to be phased in as was originally intended, but then one year later. This begs the question whether the Commission actually intends to depart from its plan to launch Eudamed at the date of application of the IVDR. While the dates change, the legal basis for the Commission to wait until it is ready (article 123 (3) MDR – the ‘what if Eudamed is not ready in time’ provision) has not changed, so the Commission can decide to already default against the change date of 25 March 2021 as latest date for the ‘Eudamed is ready’ notice and 26 May 2021 as date on which Eudamed should go live by the letter of the amended MDR.

It would be very helpful for the market to know what the Commission will do. Does the Commission  intended to stick to the December 2019 plan (default no matter what, and go live end May 2022) or is there a possibility that it will try to get back to the default launch trajectory as now amended? There is a year between the two possible go live dates so that would be helpful to know, as it is less evident for us on the outside which of these options the Commission is planning for.

By the way, we’re still waiting for clarification promised last December about how to work with Eudamed when it’s not live yet after the DoA. The Commission could helpfully clarify all these things in one go!

The Xits

I have blogged before about the effect of the move of the DoA on the three country eXits from the Union.

Swiss Medtech immediately issued a press release after the Parliament vote that this means one year more business as usual under the existing MRA between the EU and Switzerland. The same would be true for Turkey, but not for the UK, as the UK has left the Union beginning this year and looks like it will not rely on the option to extend the transitional regime for Union law beyond 31 December 2020.

Timing

The adopted proposal will need to be published in the Official Journal for it to enter onto force. The good news it will enter into force upon the date of publication, which should be before 26 May 2020 in order to avoid a legally very awkward situation of the MDR becoming applicable only for the date of application to be moved retroactively.

I expect the publication will be very soon after adoption of the first reading by the Council, which I expect second half of the week of 20 April.

This would mean that the amending regulation could be published, and enter into force, soon after.

 

New MDCG guidance on temporary extraordinary measures related to medical device Notified Body audits during COVID-19 quarantine orders and travel restrictions

Schermafbeelding 2020-04-08 om 20.32.53When it rains guidance, it pours. The MDCG just released Guidance on temporary extraordinary measures related to medical devices Notified Body audits during COVID-19 quarantine orders and travel restrictions. The guidance takes immediate effect and is valid for the whole period of duration of the pandemic COVID-19 as declared by the World Health Organisation.

It addresses alternative solutions to carrying out on-site audits by notified bodies under the medical devices directives and under circumstances the MDR and IVDR under specific circumstances, which includes the possibility to perform remote audits under certain conditions.

Covered audits

Although

“this guidance applies to the medical device Directives only, for Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR) in the event that the availability of devices is affected by COVID-19 restrictions the principles in this guidance may apply.”

The guidance covers the following audits:

  • surveillance audits under the medical devices Directives,
  • audits conducted for re-certification purposes under the medical devices
    Directives,
  • in cases where a manufacturer submits a change notification to a notified body that would typically require on-site audit or verification,
  • in cases where a manufacturer terminates (voluntarily or involuntarily) its contract with a notified body and enters into a contract with another notified body in respect of the conformity assessment of the same device(s).

IVDR is covered ‘in principle’! This is the first time I see something positive in guidance in relation to the IVDR. IVD companies, make this count and use this time to not give up on or start conformity assessment with the few notified bodies there are for the IVDR before these are completely crowded. This will also help fast track clearance for self-tests for COVID-19 under the IVDD and IVDR covered COIVD-19 tests. Hurrah!

Not covered audits

Generally initial certification audits or audits to extend the scope of certification under the Directives should not be performed using these temporary extraordinary measures. However, notified bodies may apply these extraordinary measures on a case-by-case basis for such audits in cases where devices are considered relevant to ensure medical care, especially if clinically necessary during the period of COVID-19 restrictions.

How?

Within the confines of audits covered and not covered the notified bodies have wide discretion on how to work, provided that the measures are covered by appropriate procedures. The guidance gives a number of examples of temporary alternative extraordinary measures and arrangements to on-site audits. The procedures should be carefully assessed and documented by notified bodies on a case-by-case basis and performed using a risk-based approach. This risk-based approach should be based on a review of the notified body’s

“files relating to the status and operations of the manufacturer related to the audit in question, for example the activities conducted at the site to be audited, its quality management system, and its level of compliance from previous audits. Following this review, a risk analysis should be made as to whether or not the audit could be performed with alternative measures. Where a postponement cannot be justified, the notified body should assess which alternative extraordinary measure should be performed (e.g. remote audit; off-site document review; conference calls with relevant personnel of the manufacturer).”

More detail coming

The guidances mentions that the MDCG NBO working group is tasked with the development of guidance to define the operational implementation details of this guidance document. More detail will no doubt follow.

MDR amendment proposal article 120 (3) oversight set to be fixed by Council

Kermit mysteryIt’s always a risk to put out a theory about legislative oversight after a Sherlock Homes investigation that eliminates all other options as I did in my last blog about the MDR amendment proposal.

Recent development seem to confirm that I was right in assuming that not touching the two dates of application of 26 May 2020 in article 120 (3) of the MDR were indeed an oversight after all.

The Council’s fix

The Council has now moved swiftly and put in a proposal to fix this. Informal discussions were concluded at the Presidency and the proposal was discussed with particular attention to the oversight with regard to article 120 (3) MDR. Based on these consultations, the Presidency believes now that a large majority of delegations can support the Council’s fix.

The fix contains an amendment to article 1 (6) of the proposal by adding a new Article 1 (6) (aa) that moves the date of application in article 120 (3) MDR to 26 May 2021 as well:

Article 1 6) (aa)Article 120 is amended as follows:

paragraph 3 is replaced by the following:

“By way of derogation from Article 5 of this Regulation, a device which is a class I device pursuant to Directive 93/42/EEC, for which the declaration of conformity was drawn up prior to 26 May 2021 and for which the conformity assessment procedure pursuant to this Regulation requires the involvement of a notified body, or which has a certificate that was issued in accordance with Directive 90/385/EEC or Directive 93/42/EEC and that is valid by virtue of paragraph 2 of this Article, may be placed on the market or put into service until 26 May 2024, provided that from 26 May 2021 it continues to comply with either of those Directives, and provided there are no significant changes in the design and intended purpose. However, the requirements of this Regulation relating to post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices shall apply in place of the corresponding requirements in those Directives.,”

Still only a proposed amendment to a proposal, but at least the proposal as a whole is consistent now.

What’s next

Stay tuned for further developments! The Council document referenced sets out the further steps to the legislative procedure:

  1. The Permanent Representatives Committee is invited to agree on a mandate based on the Presidency text set out in Annex I at its meeting on 8 April. The mandate will then be transmitted to the European Parliament in a letter in which the Chair of the Committee informs the Parliament about the Council intention to reach an agreement at first reading.
  2. The European Parliament is expected to vote its position at first reading already at its plenary on 16 April.
  3. After the vote in the European Parliament, the Permanent Representatives Committee will be invited to examine the Parliament’s position and agree if it corresponds to the Council mandate. Should that be the case, a written procedure will be used to invite the Council:
    – to approve the Parliament’s position, and
    – to agree to derogate from the eight-week period foreseen for scrutiny by the national parliaments.
  4. Consultation of the European Economic and Social Committee and the Committee of the Regions is compulsory, as this proposal concerns public health. Both consultations must be finished before the Regulation amending Regulation (EU) 2017/745 is adopted. The Council mentions that both Committees have been contacted with the aim of speeding up the consultation.

And then the proposal is hopefully published in time. Because it can enter into force on the day of publication, hopefully that will be in time before 26 May 2020.

The MDR amendment proposal: more than meets the eye

Open one jobOn Friday 3 April 2020 it finally happened: the Commission proposal for amendment of the MDR to defer the date of application with a year that everyone was waiting for and was in the works for some time was finally published.

As I have heard from many directions immediately after the announcement of the proposal being in the works people far and wide sighed “told you this would happen” or “inevitable”, and then dropped MDR preparatory work. The joke’s on the silly Europeans, of course they would never let it come to the DoA situation (jokingly called Dead On Arrival instead of Date of Application) that the MDR was heading for. Pfew, business as usual – now let’s concentrate on the COVID-19 pandemic.

Don’t forget however that it’s exactly this pandemic that led to this proposal. If you have been banking on the DoA being moved all along, you have been putting your company’s business on the roulette table. This proposal would not have happened if the COVID-19 epidemic had not taken place to compound access to devices related problems. Actually, this is how bad things needed to get before the EU would even consider this move.

Dropping all MDR work is still the worst choice you can make under the circumstances. This is a proposal. It’s not law yet. Although it is likely that the proposal will make it, it is also possible that it does not. While there is a lot of can-do mentality in politics these days, there is also a lot of zero sum mentality. So don’t count your blessings just yet – this may still not play out as expected.

If you are a smart company, read the ISO 31000 standard and learn a thing or two about risk management with respect to company plans regarding regulatory changes (I will blog about this at a later moment too). Scenario anyone? It would be the responsible thing to do under these circumstances.

More detailed table analysis

I have set up the analysis underlying this blog in a far more detailed table based analysis that ports every amendment to subject and MDR clause affected, consequences and my comments. My clients and good friends are very welcome to send me a request for this underlying detailed table analysis.

For everyone else, the following is a summary of this table based analysis, which does not cover every single aspect of the proposal. For example, this blog does not cover the proposed measures in the field of devices manufactured using non-viable tissues, cells or derivatives of animal or human origin.

When making this analysis I found that there is a lot that does not meet the eye immediately with this proposal, and I may have missed things as well. The proposal really affects a lot of different things, and does much more than just move the DoA with one year.

Objectives of the proposal

The proposal has three broad objectives:

  1. deferring application for provisions of Regulation (EU) 2017/745 that would otherwise start to apply from 26 May 2020 (see recital 6);
  2. it is also necessary to adapt certain transitional provisions of Regulation (EU) 2017/745 that would otherwise no longer apply as from the date of application of those provisions (see also recital 6); and
  3. giving the Commission the possibility to apply article 59 MDR before the DoA so it can start taking Union wide central measures as soon as possible to address all kinds of problems both COVID-19 and MDR bottleneck related.

See for details on all three objectives in the following, where you will also see that there are some Easter eggs in there, for example as regards EUDAMED.

The proposal ONLY covers the MDR, not the IVDR. Did I say already that the IVDs are on their own right now and that this is another crisis in the making? Yes I did. But I also provided a solution for the IVDR, which could be implemented by means of a similar amendment as to article 59 MDR and associated provisions in this proposal to the article 54 and associated provisions in the IVDR. Not addressing the IVDR bottleneck in this proposal is – in my opinion – a terrible mistake that will cost us lives. Shortage of COVID-19 tests everywhere, so let’s not fix the devices shortages for the IVDR. Makes perfect sense, right?

Annex XVI devices – more time for CS

For the Annex XVI devices all 26 May 2020 dates move to 26 May 2021. This means that Common Specifications for Annex XVI devices can still be adopted ‘in time’ before the new DoA of 21 May 2021, or six month after the date that they are adopted on after DoA.

Reprocessing of SUDs – more time for CS

Similarly, the date for adoption of CS for reprocessing of SUDs will be moved to 26 May 2021. More time to adopt those too.

If the CS have not been adopted by the new DoA, alternative standards apply (relevant harmonised standards and national provisions).

EUDAMED – Big Bang launch back on the table?

Everyone’s favorite super complex moving target! What happens with EUDAMED is one of the really interesting things in the proposal. Because of the way the dates concerning Eudamed are moved, a Big Bang launch of EUDAMED on the (new) date of application as originally intended in the MDR is suddenly back on the table. With the dates moved the whole original itinerary of EUDAMED phase-in is possible again, including a ‘EUDAMED is ready’-notice on 25 March 2021. Now that would be news, wouldn’t it?

This means that if the proposal is adopted and the MDR amended accordingly there is a perfectly legal alternative to the Commission’s December 2019 move of the date of EUDAMED going live to coincide with the IVDR DoA. The proposal and other public materials (like the Commission press release about the proposal) are completely silent on this point. So this is one to watch: EUDAMED for MDR goes live on 26 May 2021 (new DoA) or on 26 May 2022 (as deferred by the Commission)! And what will happen in the mean time with the phased making available of voluntary use of modules, starting with the actor module? What will it be? Scenario anyone?

EU wide conformity assessment derogations – NEW

This is another real change brought about by the proposal. As the explanatory text to the proposal mentions, when adopted the article 59 MDR procedure that allows national measures exempting groups of devices from the normal conformity assessment requirements will also apply ahead of DoA. As a result the Commission will have a shiny new pan-Union instrument that is badly needed in the COVID-19 times, which is one of the proposal’s core objective.

The Commission would be allowed to roll out a national measure for the whole Union (not just the EU, but the Union in which the MDR applies, which is relevant for the Brexit, Swixit and Turkxit – more about that below) by means of implementing act.

This new instrument will allow the Commission to implement the policy of which the outlines were set out in the Recommendation of 16 March 2020.

Sanctions – more time for Member States

The date at which the Member States should have informed the Commission about the sanctions they impose on MDR infringement will be moved to 25 February 2021, giving Member States more time to finish their implementing legislation for the MDR.

Since many Member States have not finished their implementing legislation, this is a welcome delay.

Notified bodies – More time for MDR certificates pre-DoA and (AI)MDD renewals, but less time for MDR certificates pre 2024

The move of DoA and related dates with one year to 26 May 2021 gives the Commission and the Member States one more year to designate notified bodies for the MDR, and it gives the notified bodies already designated for the MDR more time to issue more MDR certificates, as well as renew more AIMDD and MDD certificates that were still in the pipeline for renewal to profit from the article 120 (3) soft transition period. 

On the other hand, there is less time for notified bodies to convert AIMDD and MDD certificates to MDR certificates during the soft transition period, which can create other problems because the market went all in on extension of old certificates rather than the issue of MDR certificates pre-DoA, because there was not enough capacity for pre-DoA certificates. This will mess with everyone’s 2020-2024 planning, including yours. For a very detailed overview of how everyone’s planning will be affected from the perspective of a notified body, I refer you to Bassil Akra’s (TÜV SÜD) analysis. This analysis also contains a lot of good tips for interaction with your notified body and what notified bodies will be doing in case the proposal is adopted. Maybe read ISO 31000 and make a scenario or two.

Article 120 (3) MDR ???

The proposal does not move the date of 26 May 2020 mentioned twice in article 120 (3) MDR, which creates some urgent problems.

First, the consequence of not changing this date is that it partially undermines the second Corrigendum, which was intended to allow up-classified class I devices and the new category of reusable surgical instruments in class I the same benefit of article 120 (3) MDR as was granted to devices with a CE certificate under the AIMDD and the MDD. The consequence of the proposal being adopted as is would be that there is a year (between 26 May 2020 and 26 May 2021) during which the MDR does not apply, but up-classified class I devices and reusable surgical instruments are already subject to soft transition requirements (no significant chances and MDR QMS elements) before the (new) DoA, which was not how the Corrigendum 2 intended things to work and which is not how the article 120 (3) exemption system was set up. However, this is where we will  be if the proposal is adopted as is.

My theory is that someone did not have his or her consolidated version of the MDR at hand, because the pre-Corrigendum 2 MDR text for article 120 (3) does not contain that date, and therefore would not need amending based solely on that text. Sometimes legal issues are as simple as that, but they can create massive problems. If you do a full text search through the MDR, the only “26 May 2020” date that was in the pre-Corrigendum 2 MDR text that did not get addressed in the proposal is the Annex I 10.4.3 provided 26 May 2020 final date for the SCHEER mandate to prepare guidelines on phthalates. This date did not need to be moved because the guidelines have been prepared already – they were adopted on 18 June 2019 so there was no need to move this date. Really, the explanation may be that banale but I’m open to other theories because those would be a much better story than administrative oversight.

Secondly, the soft transition period for devices with a CE certificate before 26 May 2020 is impacted, which would have run from 26 May 2020 to 26 May 2024, so the logical thing to happen would have been to change the second date of 26 May 2020 in article 120 (3) MDR to 26 May 2021, which did not happen, thus shortening the soft transition period from four years max to three years max, like happened with the sell-off period in article 120 (4) MDR, discussed below. Like with the up-classified class I devices, this creates a year during which the MDR does not yet apply, but the article 120 (3) MDR regime does and similarly it does not make sense here either.

However, also this apparent oversight can be explained by the fact that the second date of 20 May 2020 just did not feature in the pre-Corrigendum 2 MDR text and someone apparently did not look at the consolidated text when drafting the proposal (see above explanation). It also does not make sense to not change the date in article 120 (3) for existing AIMDD and MDD certificates because article 120 (1) MDR is changed in the proposal (article 1 (6) (a) of the proposal) to keep the notified bodies that otherwise would be de-notified by 26 May 2020 notified for another year so they can continue as usual. Recital 6 of the proposal states that:

“The application should be deferred for provisions of Regulation (EU) 2017/745 that would otherwise start to apply from 26 May 2020.”

That would mean all provisions (since no reservation was made, e.g. by using ‘certain provisions’) starting to apply on 26 May 2020 are intended to be deferred, including those in article 120 (3) MDR. In my view this further supports the theory that this is an unfortunate oversight. The Commission intends to keep the notified bodies supporting existing MDD and AIMDD certificates notified for another year (which they would not be during the article 120 (3) period), which makes no sense logically if the article 120 (3) period would not be shortened accordingly.

If these two issues with article 120 (3) MDR are really not intended, this is obviously sloppy work on the part of the Commission. They had one job, and and it would be very sloppy if they had used an obsolete legal text for that.

If these issues are intended, the logic behind them escapes me completely because they serve no other purpose than to complicate things enormously and are a recipe for confusion everywhere. Again, any theory better than mine is welcome!

Sell-off period – shortened

While The DoA is moved to 26 May 2021 with a change of article 120 (4) MDR the end date of the sell-off period does not change (27 May 2025). This means that economic operators will have less time to sell off devices that have entered in the supply chain before the date of application.

Date of Application – moved

Obviously the date of application will be changed – this was the whole point of the proposal. But mind you, since so many things are connected (remember, CE means Connected Everything under the MDR), a lot of other things start to move as well. I have mapped all of these in the detailed table for clients and friends referred to above.

UDI carrier – much ado about nothing

A lot changes in the text relating to UDI carrier timing, but the net result is zero.

Because of the move of the DoA, the date on which class III and implantable devices have to start applying UDI carriers on label and packaging is now on DoA and not one year after anymore. The textual changes are necessary to make this work.

Entry into force of proposal and procedure – let’s hope it all works

Several measures have been taken to fast-track this proposal as much as possible. Article 2 of the proposal provides that it enters into force upon publication in the Official Journal, while this would normally be 20 days after publication. Together with the eight weeks saved by foregoing the national parliaments procedure (see recital 12 of the proposal) the proposal can be accelerated by almost 11 weeks. The amended voting procedures for Parliament and Council that do not require voting by personal presence can lead to further acceleration, as well as some other tweaks in procedural formalities that would be out of the question under normal circumstances.

For the rest, the Commission is betting on nobody being difficult basically, as the Commission says understatedly in the press release:

“The proposal would need the full support of the European Parliament and the Council through an accelerated co-decision procedure.” 

So let’s hope nobody is difficult. Because if they are, this proposal may well not make it in time to make a difference and then it will likely be off the table altogether. For example, if the issues discussed in relation to article 120 (3) MDR are indeed not intentional, we will need amendments. The reality of amendment is that they time, because there are procedures to be followed so everybody can say what they think about them. And the Commission must be in a position to still make amendments. Let’s hope that the Commission finds a way in this case, because otherwise we need to sit through the first reading first before amendments can be made. This might jeopardize timely adoption of the proposal.

Brexit, Swixit, Turkxit

For the influence of the proposal on all these contingencies (scenario anyone? ISO 31000 says it’s the responsible thing to do) see my previous blog about this proposal’s announcement. The proposal, if adopted, would mean another year before the Swixit and Turkxit take effect, and effectively therefore another year to sort things out politically. That may or may not happen.

In addition I can say that the UK’s play to synch timing and substance of their own new devices legislation with that of the Union turns out not that well if the MDR does get moved. If there is a hard Brexit a the end of 2020 – which is the likely scenario in my view given how things are going – the UK will find itself in the truly weird place of having stricter and more complex devices rules than the Union. This is of course totally not what they intended, even if this situation will last only for a limited period of time. Welcome to the reality of being on the outside, UK.

Overall impression – will it blend?

I really hope that the proposal will pass the co-decision procedure swiftly.

In my view the proposal marks a welcome (in my view anyway, as I’m a passionate European) transfer of competence to the EU level. Subsidiarity is a very nice principle, but it really needs to be rethought in view of healthcare policy, as it made painfully obvious by the current situation.

If there is one thing that we can learn it is that market access for medical technology needs more central handling, because healthcare is too precious. We have the best healthcare systems in the world in the EU, and it would be a terrible mistake to cripple them by not arranging for more effective centralized market access for devices to make them function as intended. We would fail our citizens knowingly and deliberately. It’s only logical if we really want

“a robust, transparent, predictable and sustainable regulatory framework for medical devices, which guarantees a high level of protection of public health and patient safety and the smooth functioning of the internal market for such devices”

as set out in the proposal.

Other than a step in the right direction with article 59 MDR, there are some very critical observations that should be remedied in opinion.

Of course not arranging for the bottleneck in the IVDR to at least allow COVID-19 tests related national measures to go through the article 54 IVDR procedure in order to be able roll out central measures relating to tests I think is a missed opportunity that is going to cost us dearly in lives. Apparently that’s what it takes these days before we do something completely rational. What crazy times we live in.

Then there are the things that do not seem to have turned out right in the proposal, notably the not moving of the DoA in article 120 (3) MDR. If this was not intended, an amendment must be made and amendments normally take time because there should be opportunity to discuss them. This could jeopardize timely adoption of the proposal. Let’s hope nobody is difficult about any amendments either.

Commission working on proposal to postpone MDR date of application for one year

After a statement on a press conference today by Stefan De keersmaecker that had many people very excited quickly, the official announcement came later in the afternoon:

Schermafbeelding 2020-03-25 om 19.09.52

Here is what I think about this development.

Work on a proposal ongoing

The Commission announced that ‘work on a proposal to postpone the date of application’. This tells us something but not a lot.

A decision was reached. That sounds like the work has just started, but it is not excluded that the political foundation for the process was some time in the making.

I know that I have often said on this blog and in public that the date of application would not be moved and companies should not expect it. Now it looks like it’s happening anyway. Why is it happening now when I thought it would not happen before? It’s the corona virus pandemic that provided enough pressure for things to be fluid.

As I’ve been saying all along: the only way to the change the MDR is by means of the legislative procedure, which takes a long time under normal (normal) circumstances and requires all institutional actors to agree to stick to the proposal only and not propose any amendments that prolong the procedure.

We may have the ducks sufficiently in a row for this to succeed now but this is by no means certain, which is exactly why the Commission also uses careful and cautious wording and is by no means saying that this is a done deal.

Postpone application date for one year

What will postponement of the date of application mean? Will it mean that every date in the MDR after 26 May 2020 will also move up one year? We don’t know. I think it is unlikely to happen that every date will move, which essentially means that the four years (May 2020 – May 2024) that were originally intended to ensure

IVDR? Nothing is said about the IVDR, which would certainly benefit from a year breathing space as well, as MedTech Europe remarked very rightly in my view.

What will the status of the AIMDD and the MDD be during the postponement year? We don’t know. I have heard the first suggestions that the notified bodies will not continue to accept conformity assessment requests under these directives (in so far they were still doing that). You can also not automatically count on ongoing conformity assessments or remediations to be allowed to stretch pas the date of application. It would be welcome and logical if this would happen, but we will not know before we see the text of the proposal.

What about Brexit, Swixit and Turkxit?

If the MDR would be ‘postponed’ by a year in a way that the directives continue to be in force, then the logical consequence would be that Swixit and Turkxit are postponed too, because under the directives Switzerland and Turkey are Union, and will thus remain Union until the MDR becomes applicable one year later.  But this does not mean that the root causes for Swixit and Turkxit will be remedied during this year, as these are very political problems.

Brexit is different because the UK has opted to cease being Union by the end of the year no matter what, so this will not change as a result of the MDR’s date of application being moved. This would only change of the UK and the EU decide to together to prolong the transitional period with one or two years. This is politically difficult in the UK because prolonging the transitional period means that EU law applies longer in the UK and the UK has to contribute to the costs of the EU. The UK government has already stated in no uncertain terms this is not what they are planning to do. In other words, Brexit is likely not impacted by this – it still looks like an unfolding hard Brexit happening.

What don’t we know now?

Well, most importantly: we do not know what the proposal looks like. We also do not know if this will even work. That’s why we need to wait until early April to know what the proposal will really entail.

In the mean time, we also don’t know if the proposal will make it, so we have to plan for that eventuality as  well.

What should you do?

This is a plan of the Commission, not an adopted amendment yet. We hope it’s a silver bullet but we do not know yet. It might even be a lead bullet.

As I have said and will keep repeating: scenarios, scenarios and more scenarios. It may be that this whole thing does not even pan out. Then what? Better have a scenario. No imagination? I’ll be glad to help you.

What should you not do?

Treat this plan of the Commission as a done deal and immediately sit on your hands. That would be a bad idea.

While the statement says that ‘this decision will relieve pressure […] to fully focus on urgent priorities related to the corona virus’, it is not saying ‘you should just drop all MDR prep work’. The MDR is still coming and you don’t know what this amendment – if it is amended – will look like in all details.

Did I say scenarios already? One of these is that the whole thing does not happen, and some others are that it happens differently than expected.

 

 

 

The MDR and the Covid-19 recommendation – a possible template for fixing the MDR and IVDR bottleneck

problem-solved-spongebobOn 16 March 2020 the Commission published the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat.

While this recommendation has been flagged here and there as ‘this may be important’ without real further comment I have been thinking about this recommendation myself and here is my take on what it means and may lead to.

What is this recommendation about?

Obviously this recommendation is an attempt of the Commission to manage administative barriers to placing PPE (personal protective equipment) and medical devices on the market that would be needed in the struggle to get the current Covid-19 pandemic under control. In my view you can also see this as a template for the next pandemic that has already started to affect the medical devices industry: the bottleneck caused by date of application of the MDR.

Let’s see what the recommendation does: it addresses two kinds of administrative barriers: conformity assessment procedures and market surveillance procedures.

With regard to conformity assessment procedures the recommendation recommends member states to

“the possibility for Member States to authorise derogations from conformity assessment procedures should also be considered, according to Article 11(13) of Directive 93/42/EEC and Article 59 of Regulation (EU) 2017/745 once the latter becomes applicable, also when the intervention of a notified body is not required.”

In other words: please Member States, think about your options to propose national CE marking exemptions for devices that can be transformed into a pan-European measure by means of the article 59 MDR procedure. The Commission cannot take its own initiaves on this point but can recommend the membe states to do this. Article 59 MDR procedure allows the Commission to make measures taken by one member state mandatory for the whole Union, which is a pretty useful feature. If one member state decides to allow a device on the market without CE mark and notifies the Commission, the Commission can validate the exceptionality and need of the measure at Union law and make an implementing act to make the measure mandatory for the whole Union, which becomes applicable after the members states and the EU parliament allow it through the implementing act procedure.

With regard to market surveillance the recommendation recommends member states to:

  1. The relevant market surveillance authorities in the Member States should as a matter of priority focus on non-compliant PPE or medical devices raising serious risks as to the health and safety of their intended users.
  2. Where market surveillance authorities find that PPE or medical devices ensure an adequate level of health and safety in accordance with the essential requirements laid down in Regulation (EU) 2016/425 or the requirements of Directive 93/42/EEC or Regulation (EU) 2017/745, even though the conformity assessment procedures, including the affixing of CE marking have not been fully finalised according to the harmonised rules, they may authorise the making available of these products on the Union market for a limited period of time and while the necessary procedures are being carried out.
  3. PPE or medical devices not bearing the CE marking could also be assessed and part of a purchase organised by the relevant Member State authorities provided that is ensured that such products are only available for the healthcare workers for the duration of the current health crisis and that they are not entering the regular distribution channels and made available to other users.

The first point addresses dangerous non-compliant devices. I already see a spike in placebo medical devices and non-compliant Covid-19 self tests of which nobody knows where they come from or whether they even work for this intended purpose. Needless to say, authorities should clamp down on those.

The second point seems to be a reference to the article 97 (3) MDR procedure, under which the Commission can specify appropriate measures by implementing act for devices that are non-compliant administratively but do not present an unacceptable risk to health and safety of patients. This is an interesting procedure because unlike the article 59 procedure it allows for block exemptions.

The third option is also a good option: member states allow devices purchased according to certain specifications for the duration of the health crisis. This works especially well when devices are purchased via tenders.

So this recommendation, if you realize the at the Commission does not have any direct power under the MDR to take emergency measures, is really something. But it can also be a stepping stone for the way the EU handles the consequences of the bottleneck in medical devices approval caused by the way the MDR was set up, and which is now compounded by the Covid-19 health crisis.

What does/could this mean for the MDR and its date of application?

Everybody and their mother wants the date of application of the MDR moved for obvious reasons – with the Covid-19 pandemic happening notified body capacity is collapsing, and manufacturers have facilities closed down so are unable to receive physical audits. Even though everybody does what they can remotely, the processes are even more delayed and are delayed severely. We may not even out of lockdown in many place by the DoA of 26 May 2020.

The DoA, abbreviation for Date of Application, is starting to be cynically used as ‘Dead on Arrival’ by now. The situation is really getting out of control, even if everybody, including notified bodies, are doing their best to keep working the problem.

Yet, there is no mechanism in the MDR for moving up the DoA quickly because the EU is not set up this way. Clamoring for that is therefore not going to work.

A change of the DoA requires a legislative change, which cannot happen quickly. Reopening the MDR would lead to a situation where everybody would propose amendments or disagree, and that would bog down the process even more. Even if everyone agrees and does not propose amendments, the process takes several months. So that won’t work anymore now.

Emergency measures then? Since the EU is not a federation we have not delegated that much in terms of actual decision making power to the EU institutions, especially not in healthcare. The Commission is allowed to propose and the EU may adopt internal market measures that have a health dimension, but it is totally not allowed for the EU to intervene in emergency health situations on its own initiative with binding measures. Member states closely guard their national competence in that field and are not going to hand that over to Brussels. This pandemic shows that doing exactly that may not be such a bad idea – as they say, never waste a good crisis.

All emergency procedures in the MDR therefore start with a member state or an MDCG initiative, which is subsequently made binding by the Commission with an implementing act. The implementing act can always be blocked by member states or the Parliament. So this is how the EU works: nothing happens unless everyone agrees. Usually this works fine. In pandemics, it’s not so efficient.

The only way to move the MDR date of application is to start a new legislative procedure and change the date of application. Nobody wants to start a new legislative procedure at the moment however. Why? Because first, it is a slow process. Secondly, everybody will put in amendments because they can, slowing down the process enormously because nobody is going to agree with the amendments of everybody else just like that.

My thinking is that a version 2.0 of this recommendation would solve a lot of problems, without needing to go through a legislative procedure to amend the MDR. It would be appropriate too, because the Covid-19 pandemic and the date of application overlap and compound issues. Many of the bottleneck problems that we were having already with respect to notified body capacity have been steeply exacerbated by the Covid-19 pandemic.

A new recommendation drafted with the date of application in mind could provide the necessary coordinative template for member states to solve the unavailability of safe devices as a result of administrative problems, because the Commission does not have the power to do this. The recommendation 2.0 would provide a template for concerted and efficient use of the article 59 and 97 (3) MDR procedures. Everybody wins and the patients the most. Would’t that be great?

Again, why not the IVDs?

As we have seen with the Joint Implementation Plan, this Covid-19 recommendation also does NOT apply to IVDs – it only mentions medical devices under the MDD and the MDR. I don’t understand how you can ignore IVDs when the whole healthcare system is complaining about a lack of tests? In any pandemic, access to sufficient relevant tests is vital. I can for the life of me not understand how it is possible to ignore IVDs in this scenario.

Any recommendation 2.0 aimed at fixing the medical devices bottleneck should address IVDs too. The writing is on the wall that the bottleneck will be far worse for IVDs

A little side note on standards

Everybody is frustrated about the delay in harmonised standards for the MDR and IVDR, but this is no reason for delay as such. The recommendation reiterates in recital 18 that

compliance with the harmonised standards is not mandatory. Manufacturers are free to choose other technical solutions provided that the specific solution which is retained ensures that the medical device complies with the applicable essential health and safety requirements.”

So, absent the harmonised standards manufacturers must think about what the state of art really is, and how a GSPR can really be met by their solution. Good time to think out of the box. The recommendation impresses in recital 22 on notified bodies to be flexible in this, and not be hung up on standards per se.

So – outlines of a way out

Use the recommendation 2.0 route could be the best compromise under the circumstances – a tried remedy that everyone should be able to live with and has a good chance of solving a lot of problems related to the conformity assessment bottleneck exacerbated by the Covid-19 pandemic. A true European solution! Now we just have to do it.

%d bloggers like this: