Eudamed delayed, but MDR not delayed – now what?

You may have already heard it from many directions: Eudamed is delayed by two years.

Time to party now because you can shelve your MDR implementation project for two years and go back to do other things? Nope, unfortunately most probably not – read on.

After some pretty mysterious statements of Commission officials in public around the end of October 2019, to the effect that the first tranche of Eudamed might perhaps not be ready to be launched in March 2020, the text of the Commission information page on Eudamed was suddenly changed to include the following little block of text:

“The Commission concluded that it will only be possible to make EUDAMED operational once the entire system and its different modules have achieved full functionality and have been subject to an independent audit. Therefore EUDAMED’s launch will be done together for medical and in-vitro medical devices, at the original date foreseen for in-vitro medical devices i.e. May 2022.

The date of application of the MDR remains May 2020.”

What does that mean? What follows below is my own analysis of the situation, which I could not validate from official sources other than the MDR text itself and the CAMD MDR FAQ. And I have heard a lot of different interpretations and speculation of course.

Eudamed is delayed but the MDR is not

First and foremost it means that only Eudamed is delayed, but not the rest of the MDR. The Commission literally says on the website: the date of application of the MDR remains May 2020. It seems that the fact that you cannot upload documentation that the MDR requires does not mean that you shouldn’t prepare it as of the date of application of the MDR. In the CAMD MDR FAQ the member states say:

“The different Articles listed in Art. 123 para 3 d (= dealing with e.g. the registration of devices and economic operators, clinical investigations, notified bodies, vigilance, post-market surveillance, market surveillance) are not fully postponed with regard to their application but generally remain applicable from the DoA. However, their application is postponed as far as the obligations and requirements within these Articles relate to EUDAMED (which is not fully functional yet). To that extent they shall apply from the date corresponding to 6 months after the date of notice of full functionality.
Meanwhile (until EUDAMED is fully functional) the corresponding provisions of the Directives regarding exchange of information continue to apply.
The principle is that the derogation applies to the electronic exchange of information/upload to EUDAMED. If the derogation is applicable this does not necessarily mean that the information itself does not need to be prepared/exchanged. This exchange of information e.g. reports will have to be done by other means in lieu of exchange via EUDAMED (Directives regime). The underlying idea behind this paragraph was to ensure compliance with the new obligations and requirements via the “old” systems as far as possible.”

(underlining added – “not necessarily not” is a key concept here, because this means that it may also be decided / interpreted differently at a later stage)

and of course

“The actual practical implication of this concept with regard to the different Articles listed in Art. 123 para 3 d MDR needs a closer look and further guidance, which is in progress.”

Yay! CAMD to the rescue – guidance is coming! Oh, hang on … If we look in the rolling guidance plan it says: “Eudamed Group yet to be established under MDCG, ongoing work falls under the scope of the Eudamed implementation Steering Committee”. That’s a hopeful sign of guidance coming soon.

Let this sink in, in case you or your colleagues have let out a sigh of relief or maybe have done a little departmental celebratory line dance to celebrate that the pressure is off and this whole MDR thing has been moved two years into the future, because it has not been. So, get your colleagues off of the hands that they may have immediately been starting to sit on again, safeguard your budgets that management may have immediately cut: this MDR thing is happening, even if Eudamed is not happening yet. If your management thinks delay means nothing is happening anymore, slam their fingers in a door while yelling “NO DELAY OF MDR!!!” to condition them to the inevitable reality that they keep forgetting. Reporting and registration into Eudamed is delayed, the other things are not and they might need to go elsewhere for the moment.

The MDR even makes provision for the situation that Eudamed might not be ready (see article 123 (3) (d) MDR about the ‘unforeseen circumstances’ that by now were totally foreseen but that’s another story), so it is happening, Eudamed or not. It may not be happening as smoothly as envisaged (I guarantee you that it will not) but the date of application for the MDR does not change. In case anyone in your organisation thinks otherwise: they are wrong and are putting your company at risk.

Why no phased introduction anymore?

It means that the Commission seems to have understood how the MDR works regarding Eudamed, and that it is not possible to say that Eudamed is ready when in fact only the first stage is ready and other stages are to follow, as they were planning when it became clear that Eudamed would not be available fully in time. Perhaps the Commission’s Legal Service has woken up somehow and decided that you cannot declare that something is completely ready when only a slice of it is ready, who knows. Article 34 (2) MDR is pretty clear that Eudamed can only be declared ready based on an independent audit that full functionality has been achieved. Even legal interpretation of rules has its limits.

So what happens now / article 123 (3) (d) and the art of non-Eudamed application

What happens now is that the MDR enters into force exactly as planned (don’t tell me I haven’t been warning you for several years that there would not be a moving of deadlines), but without Eudamed, and the MDR provisions regarding the possible situation that Eudamed would not be ready in time (which were always there from the start and which I have been warning companies about for quite some years in the meantime as well) will be applicable – I present to you the staggeringly complex article 123 (3) MDR. These provisions are (unfortunately) not very well written, nor is it easy to distil a very clear set of manufacturer obligations from them. In the following I have tried to do some distilling for you. This is my best effort at this moment because a lot of things are unclear. You would almost wish that the Commission would provide timely guidance on the subject (oh… never mind).

I think it’s relatively safe to summarize as follows:

  • Delay of Eudamed does not mean that the MDR is off the table for the moment (so obvious I’m not explaining this further);
  • Delay of Eudamed does not mean that preparation for Eudamed can stop;
  • Eudamed will still be implemented at some point because the MDR and IVDR cannot function very well without it;
  • You better find a way to track and keep data that should have been going into Eudamed from the start because it is likely that you’ll need to upload it retrospectively when Eudamed goes live and you need to find a way to provide it to the right member state authority (unless we hear differently when we hear if there are any exceptions to the principle that “this does not necessarily mean that the information itself does not need to be prepared/exchanged”).

So, Confusion Everywhere anyone? Or rather Chaos Everywhere? I’m not sure which one it is these days.

Delay of Eudamed does not mean preparation can stop

The delay of Eudamed does not mean that preparation can stop for the moment, because reporting and registration into Eudamed is delayed, while all the other things are not. Did I say all things other than registration and reporting into Eudamed are not delayed? That’s because they are not unless we hear differently in specific cases (which we have not for the moment).

This means that the underlying MDR related obligations that lead to reportable and registrable documents still apply.

So you cannot stop work on Eudamed preparation. In fact, you will likely need to step up preparation work. Let me explain why:

The delay results in you having to do multiple things at the same time now:

  • first, continue developing the Eudamed interface for your company and getting your device data ready for being uploaded into Eudamed, especially if it’s a machine to machine interface;
  • secondly, ensure that device data that is MDR relevant and that is created after the date of application (26 May 2020) is reported under the old regime insofar as required (article 123 (3) (d) MDR) but also is put in a Eudamed-ready format so it can be uploaded into Eudamed when Eudamed becomes available, because you will likely have to do that. It means keeping track of everything that should have gone into Eudamed from the start until Eudamed goes live, so including vigilance data, device iterations, all that (and that will be data for two years!!). This will be a big IT challenge. You have to create a spreadsheet or database that approximates expected Eudamed specifications as closely as possible so you can upload the data at some point, which will still be a huge job; and
  • thirdly, deal with any new national Eudamed-like initiatives that member states may maintain or make mandatory pending Eudamed’s delay.

And in addition, you need to do MDR with (AI)MDD tools:

Delay of Eudamed means that existing systems must be kept operational longer

Delay of Eudamed means that you need to report MDR using (AI)MDD systems available at the member states. Sounds like a square peg in a round hole situation? I’m sure it will be like that. Member states may change things around as well, as they are preparing for Eudamed too, or maybe lose trust in the project altogether. Quite a few member states have decided that they wanted to run parallel databases of their own and see their decision to do so strengthened by the developments, because patient safety waits for no one. So be prepared to (continue to) work with a variety of non-standardised member state situations, because this was exactly what Eudamed was supposed to fix.

Eudamed for IVDs

So you would think: ah, but for IVDs this is not an issue. Because Eudamed is happening when the IVDR happens. Phew! Well, maybe think about this in more detail. Article 30 of the IVDR that deals with Eudamed operates on the assumption that Eudamed is already up and running by the time that the IVDR becomes applicable. This means that all Eudamed obligations under the IVDR become applicable simultaneously with (as things are looking now) the date that Eudamed is launched, because the IVDR’s ‘Eudamed is not ready’ regime in article 113 (3) (f) only applies when Eudamed is not fully functional by the date of application of the IVDR. This will also be the date on which the whole rest of the medical devices industry will be uploading their two years’ worth of data into Eudamed – as things are looking now. This cannot possibly go wrong, right? Scenario anyone?

The sad reality of it

The sad reality of this situation is that all of this has the potential to become a total train wreck of unclarity. I have urged companies before to make scenarios for contingent situations. Brexit, Swixit, etc. This is also one of those contingent situations – article 123 (3) was in the MDR since May 2017. Did you not have a “Eudamed is not up yet” scenario? Better start working on it and think about improving your QMS’ ability to deal with regulatory contingencies.

Pending guidance from the Commission nobody has all the final answers, and there are diverging interpretations of what the Eudamed delay will mean. The above is my best interpretation based on the materials I have available and the time I’ve had to dedicate to figure this out. There are different interpretations than mine around, and mine might even be wrong. Of course I will write more about the Eudamed delay on this blog as things develop and hopefully become more clear. The ball for that is very much in the Commission’s court and I hear that guidance is under development.

But doing nothing is always a bad idea under all circumstances. Just ask the hedgehog crossing the road and rolling up when a car comes. So get in gear and stay ahead of this thing as much as you can.

Counting down to the MDR date of application, and the legal stuff to get right before May 2020

Do you know that feeling that things look far away, but when you think about it are a lot closer than you think?

This is the feeling that the first medical devices companies are having because they are facing the reality that they might not be in time any more to have a valid CE mark by the date of application, either because they did not timely renew their old CE mark, or because they are with a notified body that will likely not be accredited in time to process their conformity assessment application for an MDR CE mark before the date of application. This is the reality of this moment.

Like with Brexit I see companies that are prepared and have secured the first CE certificates under the MDR. As far as we know publicly now TÜV SÜD and BSI have issued the first CE certificates early September, BSI for a class IIa inhaler and TÜV SÜD for class III software. But after this proof of concept by two of the five notified bodies notified for the MDR we do not know at what speed MDR conformity assessments are being conducted and at what capacity notified bodies are operating. At this time there are two MDR notified bodies in the waiting period to be published in Nando and another two are in the MDCG procedure to be endorsed (according to the Commission verbally at the RMD 2019 yesterday), which will probably bring us to nine notified bodies by the end of the year. This will probably not be enough conformity assessment capacity to reliably serve the MDR system, which may lead to some tough political questions to be answered.

I also see companies spinning the roulette and putting all their chips on ‘not prepared’, hoping that developments will somehow save them from themselves. For example, still 1/6 of all certificates issued by UK notified bodies has not been transferred to an EU27 notified body, although the Commission has been urging companies to do so since January 2018. Competent authorities are telling me they are not going to give these companies a break.

As you will see in my below presentation at the Advamed MedTech conference in Boston recently, a lot is happening at the moment:

At the RMD 2019 conference in Brussels yesterday the Commission made the deadpan remark that resources and expertise remain a point of concern at member state level. This does not bode well for the member states’ capacity to deal with regulatory contingencies. You can imagine that companies that put their chips on ‘not prepared’ will not be met with understanding by the national authorities and will not find themselves on top of the ‘we will work with you as fast as we can’ pile.

Change is the constant

Major parts of the MDR system are falling into place now at a quickening pace, with the fifth notified body designated for the MDR in the meantime and more and more new MDCG guidance dropping, such as for the PRRC, the Summary of Safety and Clinical Performance and for Software as Medical Device recently. In the background the notified body designation procedure has been streamlined so as not to make it dependent on the MDCG meetings anymore.

A new Corrigendum?

There are persistent rumors that there is a second Corrigendum in the works that will be much more exciting than the first one in April this year.

This Corrigendum may actually contain a moving of deadlines for some or all devices that are currently class I and will need a CE certificate under the MDR because of up-classification or the new reusable surgical instruments Ir certificate.

I’ve heard that the Corrigendum is in process at Council level now and will soon be passed to the Parliament for sign-off, but I will believe it when I see it.

Knowns and unknowns

Should you sit on your hands now? Better not. As you will see below there are still a lot of known unknowns and unknown unknowns.


Brexit has been ‘averted’ until 31 January 2020, and immediately the British Parliament took the measures that are the most unhelpful to solve the political impasse in the UK and make it as unlikely as possible that the UK will solve the problem by itself within three months. Member states that were still patient with the UK (some at considerable self-restraint, like the French) might regret this now and decide to force the UK out by 31 January after all if only as a favour, so you should still plan for the possibility of a hard Brexit.

Smart companies will be learning from the experience gained in the first QMS audits conducted by the first notified bodies, so they know what to prepare for. Did you know for example that notified bodies will look at how your PRRC is set up and whether you have sufficient financial coverage for product liability for the devices you place on the market?

And there are other pertinent questions:

  • Do you understand Eudamed and how your company will likely work with it?
  • Which modules will likely be available by March 2020 and which ones not? Or is the more and more persistent rumor true that Eudamed will be delayed by two years altogether? In that case you need to understand the rather complex article 123 (3) (d) MDR which says what your obligations are in that case.
  • Are you ready for the ever more likely hard Brexit by (in the meantime) the end of January 2020?
  • Are you ready for Switzerland and Turkey potentially not implementing the MDR and IVDR in time? It looks like this might actually happen and that would affect companies with supply chains running through Switzerland and Turkey because those would, just like the UK after a hard Brexit, not be part of the Union in which the MDR applies.

The legal stuff

And then there are the ‘legal’ and contractual consequences and things to get in place before DoA. The MDR requires putting in place new contracts and revisiting a lot of existing ones, which I’ve conveniently summarised for you in my below presentation at the RMD 2019 conference in Brussels yesterday:

If you look at it, there are quite a number of ‘legal’ things the legal department of your company should look at, maybe do something with and in any event understand, including the following (non-exhaustively listed) items:

  • How does the economic operator regime influence the contracts in your supply chain? Are you using your supply chain to collect PMCF data efficiently? Do you understand who has what role and what responsibility goes with that? Concepts such as importer used for transfer pricing purposes do not mean the same in the MDR for example.
  • How has your authorised representative agreement changed?
  • How have you embedded the PRRC in your organisation and what does that person’s contract state?
  • Has the certification agreement with your notified body been updated for post-May 2020 services?
  • How will the agreement with your OEM change and have you moved from an OBL agreement to a virtual manufacturing agreement? If you do branded distribution, do you have an article 16 (1) (a) MDR agreement in place?
  • Do you have a perspective on all the legal things that will be subject of QMS audit by your notified body, like the newly mandatory product liability coverage under article 10 (16) MDR?
  • Is your M&A activity taking into account how to integrate or acquire targets with (AI)MDD certificates after May 2020 in a way that this transaction or integration does not give rise to a significant change that causes the certificate to be invalid and disrupt market access of the products concerned? This may completely skew the assumptions underlying the deal so kind of important. I see companies and investors already start to get this wrong and end up paying more than double for the target because it will take a lot of time to pivot from an invalid MDD certificate to a granted MDR CE certificate if you are not planning for that. I bet your deal financials turn out different if you find that you are suddenly faced with a market access disruption of about two years that you were not planning for. I am planning to discuss this in more depth in a follow up post discussing my presentation about medical devices M&A and MDR at the last RAPS Regulatory Convergence conference.

And the list of items goes on. Time to get your legal department on board if they are not already, and time for them to become MDR specialists!

It will be the end of May 2020 before you know it.

New sort of applicable economic operators regulation: the Market Surveillance Regulation

Attentive attendees of my presentations about economic operators will have noticed that essential parts of the general Goods Package were being amended and that this may affect companies in the medical devices space.

I now present to you Regulation (EU) 1020/2019 of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011, the Market Surveillance Regulation. This regulation replaces part of Regulation 765/2008 (articles 15 to 29 to be precise), the regulation that set up the economic operator regime as we know it under the MDR and IVDR, and supplements lots of other EU CE marking directives and regulations too.

This new regulation’s objective is a uniform framework for market surveillance for products at Union level by

“strengthening market surveillance, providing economic operators with clear, transparent and comprehensive rules, intensifying compliance controls and promoting closer cross-border cooperation among enforcement authorities, including through cooperation with customs authorities.”

But hang on, didn’t we have a regime for economic operators, compliance controls and market surveillance in the MDR and IVDR? Didn’t we just spend loads of money understanding these regimes and now we get this? This cannot possibly apply to the medical devices industry, right?

Well… it depends – I’ll explain right after you’ve enjoyed my latest presentation about economic operator regime developments at the Q1 3rd annual EU MDR implementation conference in affluent Alexandria close to Washington DC in the US last month:

Only insofar as it depends

The regulation applies and does not apply to medical devices and IVDs. It does apply because Annex I to the regulation contains all medical devices and IVD regulations and directives that the regulation applies to in so far as there are no specific provisions with the same objective in the Union harmonisation legislation (except strangely the MDD and AIMDD), which regulate in a more specific manner particular aspects of market surveillance and enforcement (article 2).

It does not apply insofar as (see its recital 4):

“[…] in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation. The corresponding provisions of this Regulation should therefore not apply in the areas covered by such specific provisions, for instance those set out in Regulations (EC) No 1223/2009 (3), (EU) 2017/745 (4) and (EU) 2017/746 (5), including as regards the use of the European database on medical devices (EUDAMED), and (EU) 2018/858 (6) of the European Parliament and of the Council.”

You can understand that a sentence like “in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation” makes my lawyer pulse go up considerably. However, it’s not a super clear demarcation criterion. It basically says: whatever is in this regulation but not in the MDR/IVDR by ‘objective, nature or effect’ is still governed by the Market Surveillance Regulation. Up to now I would look into the fantastic Blue Guide to understand whatever is not clear in the MDR and IVDR in terms of CE marking and economic operators. Now we also have this additional regulation to inform and bind us, because obviously this regulation will affect how the corresponding rules in the MDR and IVDR will be interpreted. Also, the regulation contains additional items that apply in addition to the MDR and IVDR, as we will see later on in this blog.

And, finally, don’t forget that the Market Surveillance Regulation applies to other EU regulations and directives than the MDR and IVDR that devices are also covered by, such as the REACH Regulation (chemicals) and the RoHS Directive (hazardous substances). Take a look in Annex 1 of the regulation for the whole list of directives and regulations covered by the Market Surveillance Regulation.

So, happy times – let’s take a tour of the new Market Surveillance Regulation and see how this may impact what we know about the EO regime and other devices-related matters under the MDR and IVDR.

Fulfillment service providers (article 4)

The definition of economic operator in the MDR and IVDR does not include fulfillment service providers, but the Blue Guide mentions under the heading of distributors that fulfillment service providers doing more than mere box moving could qualify as economic operator. In that regard it is important to know who qualifies as a fulfillment service that can be a distributor. Article 3 (11) of the Market Surveillance Regulation defines fulfillment services provider as:

 “any natural or legal person offering, in the course of commercial activity, at least two of the following services:

  • warehousing, packaging, addressing and dispatching, without having ownership of the products involved, excluding postal services as defined in point 1 of Article 2 of Directive 97/67/EC of the European Parliament and of the Council,

  • parcel delivery services as defined in point 2 of Article 2 of Regulation (EU) 2018/644 of the European Parliament and of the Council, and

  • any other postal services or freight transport services;” (underlining added)

This is much more detailed than the Blue Guide’s description of “the activities of fulfillment service providers as described above go beyond those of parcel service providers that provide clearance services, sorting, transport and delivery of parcels.”. So, now we have a better picture of what a fulfillment service provider looks like. 

Distance sales (article 6)

Article 6 of the MDR and IVDR specifies that devices offered to natural and legal persons in the Union must comply with those regulations. The new market surveillance regulation adds that making available (the term missing in article 6 MDR and IVDR, which merely use ‘offer’) occurs if the offer is targeted at end users in the Union. An offer for sale is considered to be targeted at end users in the Union if the relevant economic operator directs, by any means, its activities to a Member State. This can be assumed, for example, when the website is available in a language spoken only in that member state.

This is quite relevant for companies that offer the sale of tests or other devices at a distance to end users in the EU, and shows that the concept of making available in the Blue Guide does not require an actual sale to be made (as you would already know from the Blue Guide, so this is not new); offering for sale is sufficient.

Another feature of the Market Surveillance Regulation is that the fulfillment service provider becomes responsible for the device when there is no representative in the EU (manufacturer, importer or authorized representative). This means that it becomes important for fulfillment service providers to establish if the devices that they are delivering comply in terms of economic operator organization. In cases where the non-Union established manufacturer thinks he’s safe, the fulfillment services provider in the EU now becomes an enforcement target.

Small bombshell in article 11 (9): Lycocentre revisited

In the Lycocentre case the EU Court stated that incomplete harmonization in the medical devices field in the EU allowed for member states to reach very different conclusions regarding regulatory compliance of the same device. Well, that’s mostly over now with the Market Surveillance Regulation, which provides in article 11 (9) that

“Without prejudice to any Union safeguard procedure pursuant to the applicable Union harmonisation legislation, products that have been deemed to be non-compliant on the basis of a decision of a market surveillance authority in one Member State shall be presumed to be non-compliant by market surveillance authorities in other Member States, unless a relevant market surveillance authority in another Member State concluded the contrary on the basis of its own investigation, taking into account the input, if any, provided by an economic operator.”

In other words, if one authority decides that the device is non-compliant (for example, as in Lycocentre) because the authority thinks it’s a medicinal product rather than a device, all other authorities must assume non-compliance too (the regulation does not say it should be on those same grounds, but this seems implied). This would only be different if they conclude otherwise in their own investigation, whether or not after input of the economic operator. As you can imagine, this will be interesting and potentially complex for manufacturers, because of the very different views national authorities can have about qualification and classification of devices alone already.

This provision in the Market Surveillance Regulation interacts with article 4 MDR and 3 IVDR (Regulatory Status of Products), which allow the Commission to take qualification decisions about products by means of implementing act on its own initiative or upon a member state’s request. Where the non-compliance concerns qualification this provision can be used to overrule a situation where member states still want to maintain a divergent qualification, but you or a member state will need to win the Commission over first.

Recovery of costs by market surveillance authorities (article 15)

In addition to the possibility to levy fees in relation to the application of the MDR and IVDR, the regulation allows member states to authorise their market surveillance authorities to reclaim from the relevant economic operator the totality of the costs of their activities with respect to instances of non-compliance. These costs may include the costs of carrying out testing, the costs of taking measures in accordance with customs holds, the costs of storage and the costs of activities relating to products that are found to be non-compliant and are subject to corrective action prior to their release for free circulation or their placing on the market.

For example, it would seem that this provision in the Market Surveillance Directive allows competent authorities to charge costs for evaluation of devices suspected of presenting an unacceptable risk or other non-compliance under article 94 MDR / 89 IVDR and costs of measures implemented to deal with devices presenting an unacceptable risk to health and safety under article 95 MDR / 90 IVDR. 

Procedural rights of economic operators (article 18)

The Market Surveillance Regulation also contains one provision of procedural rights relevant under the MDR and IVDR: before any measure, decision or order taken or made by market surveillance authorities the economic operator concerned must be given the opportunity to be heard within an appropriate period of not less than 10 working days (unless that is not possible because of the urgency of the measure, decision or order, based on health or safety requirements or other grounds relating to the public interests covered by the relevant Union harmonisation legislation). This would be additional to the market surveillance provisions in the MDR and IVDR, which do not contain this 10 working day minimum period. Where member states do not have this period built into their procedural law for the authorities concerned, they will have to take this period into account.

Market surveillance

The Market Surveillance Regulation makes changes in the market surveillance regime for products, of which some general items are already covered in the MDR/IVDR and others are not, as set out in this approximative table:

| Market Surveillance Regulation | MDR/IVDR |
| --- | --- |
| Market surveillance national authorities are granted strengthened powers | Covered, chapter VII section 3 (Market Surveillance) |
| The tasks of market surveillance are defined and powers like taking samples and imposing penalties are harmonized | Covered, chapter VII section 3 (Market Surveillance) |
| Market surveillance authorities may reclaim all cost of their activities in case of non-compliant products | Not covered in market surveillance section |
| Harmonized approach for surveillance at EU borders by customs and surveillance authorities | Not covered in regulations |
| A Union Product Compliance Network (UPCN) to be set up by January 1, 2021 | Covered, MDCG and electronic system on market surveillance (part of Eudamed) |

The items not covered in the MDR/IVDR will be governed by the Market Surveillance Regulation and implementing national law for that regulation.

Date of application

The Market Surveillance Regulation entered into force last month and applies from 16 July 2021, except for some provisions related to implementation by the authorities. So, more on your plate to figure out for the MDR and IVDR.

Questions?

Questions about this new regulation or the MDR or IVDR? I will be speaking about several subjects (including M&A and the MDR/IVDR, MDR implementation and IVDR implementation) at the upcoming RAPS Regulatory Convergence in Philadelphia from 21 to 24 September and about the MDR at the Medtech Conference in Boston from 23 to 25 September.

€ 500 per data subject – a quantification of why GDPR matters

Clients often ask me why they should invest in General Data Protection Regulation (GDPR) compliance so much. For medical devices and medicines regulatory compliance, they get it to an extent. Non-compliant devices carry risk of enforcement, which can lead to them being taken off the market. Devices off the market = collapse of cash flow and bad press. Both are bad for the company. And then there is the product liability risk for non-compliant devices or medicines that harm patients. More bad press and of course you don’t want to harm patients.

Data, seriously?

But data, seriously? For personal data related non-compliance companies often reason differently. They see personal data (and personal data concerning health) often as a surplus that can be harvested and put to their use: as their data rather than the data that is governed by rights of the data subjects concerned. Compliance to EU GDPR is costly, complex and follows alien logic. It’s my surplus right? It’s generated by my devices, generated in my trials and stored on my servers that I have secured as well as I think is necessary. It’s not like we are harming people if there is a data breach or if we send the data to the US (or the UK after hard Brexit). Look at company statements when a data breach happens: the first statement that a company makes is that they have no indication that the data were used for any detrimental purpose by bad guys (if any).

So why all this costly and complex hassle? Companies generally understand there are rules enforced by data protection authorities, and that these authorities may enforce these rules in case of non-compliance. So then the question is: what is the risk of enforcement and disruption of operations? That seems to be the only risk that is really considered. There is no product liability in data protection – it seems. Data protection authorities are comfortably under-resourced so risk of enforcement and imposition of the ginormous penalties that we were warned about when the GDPR entered into force is relatively small. And a data breach (other risk) may be bad publicity but it always blows over – Facebook can tell you all about that. So, what’s the problem right?

A small legal case

A small legal case in the Netherlands may serve as a powerful example of where things are heading with the GDPR, and to show that the GDPR is serious about the intrinsic value of personal data to the data subject that they relate to. Personal data is not surplus. A data subject does not only have an interest in bad guys not going to town with their breached data and pillaging their bank account or selling their genetic data, or third parties using their data in non-compliant ways by aggregating it into profiles about you that follow you around with ads about stuff you already bought. A Dutch court recently held that non-compliance under the GDPR harms the data subject’s interests in control over his or her personal data, which is a fundamental, personal right. And this personal right is exactly what article 82 GDPR protects when it states that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

So what non-material damage could a person suffer as a result of an infringement of the GDPR? The Dutch case concerned local government officials sending emails to inform each other about the fact that a person filed a request for disclosure of certain data. This was done not in accordance with compliant procedure and therefore constituted a data protection law infringement. The infringement seemed innocent enough on its own merits, like

  • doctors whatsapping each other images of patients’ wounds or statuses (so useful and quick),
  • maintenance personnel making copies of all treatment session data on a medical device on to their laptop for further analysis without covering this in the services agreement (very efficient),
  • support staff doing root level remote log-ins from services centers outside the EU on medical capital equipment and having access to all data on the equipment without a processing agreement with the hospital (good service),
  • hospitals scrapping devices without deleting diagnostic data on them (how should we know there’s data on these things),
  • companies far and wide transferring personal data concerning health outside the EU for further processing without adducing compliant safeguards (crazy Europeans have rules for that?).

And the list goes on. And what’s the harm, right? We were only trying to help, only running our business, just getting things done – this GDPR business that starts with privacy by design just makes things way too complicated. We already have other rules to worry about.

Privacy by design

Yet, privacy by design is so important, because for example regarding devices security design the GDPR places regulatory emphasis on one half of the below model, and the MDR/IVDR on the other half:

[Image: model from BSI’s white paper on cybersecurity]

This model comes from BSI’s very interesting white paper on cybersecurity, which you can download here from their page with a lot of other interesting and relevant white papers for MDR and IVDR. This serves to show how data protection requirements under the GDPR and GSPRs under the MDR and IVDR for software form different sides of the same coin and must therefore be equally considered in design and risk management. They must be parts of an overall integrated strategy to get this right. And we all know what can happen with badly designed products / services: if they don’t harm someone they’ll compromise their data or both.

Loss of control over personal data

Where’s the harm when personal data are lost or wrongly processed? Nobody re-sold the data (yet), nobody plundered bank accounts (yet) so what’s your problem data subject?

The problem of the data subject is – as the Dutch court phrased it – loss of control over personal data as a result of the non-compliance. Non-compliant processing leads to loss of control over personal data, which constitutes non-material damage in the meaning of article 82 GDPR. The Dutch court quantified this non-material damage at € 500 for the person concerned, taking into account that the decision to engage in non-compliant processing did not contain a justification (by the way this is why I always have been telling companies from the start of the GDPR to take the often mandatory Data Protection Impact Assessment (DPIA), which should contain such argumentation, very seriously). Especially when someone processes your special categories of data (concerning health, genetic data and biometric data among other things) you have very very much an expectation, even a fundamental right, to privacy as data subject. This is also a circumstance that could give rise to another quantification of non-material damage under the GDPR, because the € 500 was determined in a case where the personal data were not of the exciting kind. Imagine that you are a company offering genetic testing services and have a database of whole genomes and related hereditary disease risk factors of your customers that a disgruntled employee makes off with and then sells on the dark web. I bet that the amount of non-material damage for the data subjects will be more than € 500. And there are other conceivable factors that could influence the amount.

It adds up

500 Euros may not sound like much, but this is a per data subject amount. When you have a large user base, the number quickly adds up. When you are a multinational company with millions of users, things get really serious. And when the users concerned combine into a class action, you are in a world of trouble.

Not only the controller is in trouble; the processor (the service provider) may be too. A processor is liable for the damage caused by processing where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller, for example because the processor has not implemented the level of security required under the processing agreement with the controller. Processing agreements are just a stupid formality that your lawyer spends too much time on nerding about clever wording? Maybe time to take another look at yours.

Because let’s say you have a million users in the EU and your service suffers a catastrophic data breach because your processor’s systems are hacked and you were processing health data in the US without a proper transfer mechanism. Or you were processing data of extra-EU data subjects in your EU operations not realizing that this means that these people suddenly are covered by the GDPR and have the same rights as EU citizens under the GDPR as a result.

Or something less spectacular: you sell the user database in an asset transaction when divesting that service from your company (without prior data subject consent or with another GDPR compliance issue that clever people in the due diligence warned you for but you do it anyway).

Or even yet more unspectacular: you have misunderstood (as so many companies crossing my desk do) the difference between anonymous data and pseudonymised data and as a result you are processing personal data when you think you are not. Especially US companies are very prone to this mistake due to local US concepts of what anonymisation is and I have many heated debates with insufficiently informed US company lawyers about the fact that the GDPR really uses different logic in this regard. The same is true for many institutions and persons in medical research: they think that a coded dataset is anonymised just because of the distributed key, while for legal purposes it really is not because the whole point of a key is that the coding is reversible.

Or even still less spectacular: you decide to do performance evaluation for your IVD on a biobank of samples that you still had somewhere for other purposes because the IVDR is coming and you need more data because you did not do PMS for your self certified IVD like most companies in the market.

The above are all realistic scenarios that happen all the time.

So congratulations: someone makes a small and perhaps totally avoidable mistake and you have just racked up a potential liability of € 500.000.000 in our realistic examples (yes, half a billion Euro) for your company, of which the fuse can be lit by any data subject concerned clever enough to make this into a major problem for you by starting a class action. Dutch class action law and the GDPR provide that a data subject can be represented by a class action vehicle and the GDPR provides that a data subject can sue a controller or processor in every EU member state in which the company has an establishment. So if fundamental rights and enforcement risk by authorities are not enough reason to take GDPR compliance seriously, maybe the risk of a major class action is.

Stacking of the legal deck

The Dutch court decision is being appealed I understand, and appeal means it may be reversed or it may not. But this case shows how the deck is stacked legally, and why data protection is serious business.

So maybe give this GDPR business just a bit more consideration than you are currently doing – if only because it’s prudent risk management and, quite frankly, the right thing to do because we are talking about fundamental rights here.

 

PRRC guidance under MDR and IVDR published

The MDCG has just published its guidance on the PRRC, MDCG 2019-7 “Guidance on Article 15 of the Medical Device Regulation (MDR) and in vitro Diagnostic Device Regulation (IVDR) regarding a ‘person responsible for regulatory compliance’ (PRRC)”.

The guidance is largely unsurprising but I would like to highlight some points that are relevant to companies operating internationally and that have structured their PRRC functions by pooling or combining resources, such as combining the manufacturer and authorised representative in a single person or locating the PRRC outside the Union.

Points relevant for extra-EU manufacturers

The guidance clarifies some points relevant to international companies, which are not clearly defined in the MDR/IVDR and which may prompt companies to need to change their current PRRC implementation in an international (extra-Union) context:

  • The PRRC for the manufacturer and for the AR cannot be the same person (see p. 5) – although this is not explicit in the MDR and IVDR, it is evident that with the increased supervisory role of the AR combination of these separate roles in one person would create a conflict of interest. For micro and small enterprises (who do not need to employ a PRRC for the manufacturer pursuant to article 15 (2) MDR and IVDR) this translates to the situation that not only can the PRRC for the manufacturer and AR not be the same person, they can also not be provided by the same consultancy organisation (p. 5), which will add to costs and complexity for smaller companies;
  • The PRRC for the AR must be located in the EU because the AR is located in the EU – this is not an explicit requirement in the MDR/IVDR but has been clarified now (p. 3). The manufacturer PRRC can however be located outside the EU; and
  • The PRRC qualifications must be proven by demonstrated member state equivalency, meaning that the company will need to check the recognition of any non-EU diplomas by member states and document this for the PRRC (p. 1).

What else the guidance clarifies

The guidance provides a level of detail with regard to the cross-links between the manufacturer responsibilities under article 10 MDR/IVDR and the PRRC minimum responsibilities set out in article 15 (3) MDR/IVDR. This is helpful and convenient for drafting QMS procedures for implementing the PRRC function in the manufacturer organisation.

The guidance further clarifies that the manufacturer PRRC must be employed, except when the manufacturer is a micro or small enterprise.

If a company has multiple (“legal”) manufacturers under a single parent company then each of these must appoint its own PRRC. The guidance does not specify if these multiple PRRC functions cannot be combined in the same person or distributed over the same group of people if the manufacturers share a QMS or if this is implemented with quality agreements. I would assume however that this is possible.

What the guidance does not clarify

One of the big questions remains unanswered: the potential liability of the PRRC, which is important with regard to the structuring of the PRRC’s mandate and possible indemnification by the company, as well as how to structure that the PRRC does not suffer disadvantage of proper fulfilment of his/her duties. Since this is not explicitly addressed in the MDR/IVDR, it becomes relevant in the implementation of the MDR and IVDR in national law.

For example, the Dutch legislative proposal for the MDR/IVDR implementation provides without any clarification (that I have been able to find in the legislative history for the implementation act) that infringement of article 15 (3) MDR/IVDR (which sets out the PRRC responsibilities) is subject to competent authority enforcement by means of administrative fines and penalty payments. It is unclear (to me anyway) whether this enforcement may be directed against the company (I would assume so) or also against the PRRC (when not exercising responsibility for the functions that the PRRC should at least assume responsibility for). Hopefully this will be cleared up at some point because under the current circumstances it makes it potentially rather unattractive and risky to be a company’s PRRC in the Netherlands.

 

Bottleneck of bottlenecks for notified body capacity

People that are downplaying the notified body bottleneck may need to start to revisit their position with notified body LRQA now also dropping out of the notified body pool for medical devices and IVDs. This is especially a problem with respect to IVDs, as LRQA is one of the notified bodies traditionally handling a large share of the currently CE certified IVDs in the EU. This expertise and capacity will now be lost and not be available for the IVDR transition and for soft transition under the IVDR. And the general medical devices capacity is of course lost too.

The case of LRQA

The case of LRQA shows that notified bodies are not only suffering in the end of the long tail, but also at the beginning of the tail. Three things are happening now.

First, LRQA is ceasing its MDD and IVDD services – this means that its current customers need to transfer to another notified body. Customers that had relied on LRQA to support them for soft transition (2020-2024 under MDD or 2022-2024 under IVDD) have to find another currently notified notified body to support them. Since LRQA was servicing a large part of the IVD industry that need CE certificates currently, this will be difficult and a bottleneck in itself. A transfer to another notified body may take longer than you have until the date of application for the MDR (26 May 2020). Also, customers of LRQA will need to transfer as soon as they can, because when a notified body closes down, the certificates will be withdrawn – regardless of the expiry date on the certificate (this is something that many manufacturers still misunderstand). It means that customers of LRQA may need to massively apply for orphaning protection with competent authorities if they cannot complete their transfer before LRQA closes its doors for the directives (90 days as of 12 June 2019).

Secondly, LRQA is abandoning its pursuit of a notified body in the Netherlands – this means that their Brexit hedge is terminated and less of the current capacity of notified bodies in the UK ends up being transferred to the EU27, so less total capacity available.

Finally, they announce that they are not pursuing their MDR and IVDR notification. This means that this capacity will not be available for the IVDR transition, which is a pity given the enormous amount of currently non-CE certified IVDs that need to be CE certified under the IVDR.

LRQA will probably not be the last

So, we are faced with the scenario that notified body capacity is rapidly decreasing, and a lot faster than new capacity is being added. In fact, new capacity is not being added because no new notified bodies are entering the market for certification services under the MDR and IVDR – the only new ones are UK notified bodies transferring to EU27, of which LRQA was one. NSF, the only really new NB on the block that I knew about, has abandoned its IVDR application in the meantime. 9 of the 22 Team-NB IVDD notified bodies will not apply for IVDR, and the rest is in various stages of application or considering to apply for IVDR. MDR figures are also looking bleak.

You do not need to be a mathematical genius to see that with a projected increase of notified body workload of 780% (source: MedTech Europe) and a rapidly decreasing installed base of capacity of notified bodies, there will be a bottleneck of bottlenecks. I predict that LRQA will not be the last notified body to abandon medical devices altogether.

Some Member States are getting kind of worried too. The Germans and Irish recently asked for attention to the bottleneck at the Employment, Social Policy, Health and Consumer Affairs Council session on 14 June 2019 in the general context of implementation of the MDR and IVDR (which, as I have blogged, is far from ideal to begin with):

“[…] based on the number of notified bodies which are expected to be available on time, there will still be significantly fewer notified bodies than currently exist. In addition, data is not available on the capacity these designated bodies will afford the system.

[…] The concerns expressed are that these products cannot continue to be placed on the market under their existing Directive certificate up until 2024, like most other existing medical devices and that this will lead to market shortages.”

In other words – I will translate these euphemisms for you – we are feeling our way along in the coal mine of the new unfinished regulatory system, a cage with a bunch of dead canaries in our hand, and we have no idea if what we are doing is going to produce the regulatory approval capacity we need.

MedTech Europe has recently used uncharacteristically strong language in this regard in an open letter to the European Commission:

“This situation is clearly untenable, and time has run out to build a functioning regulatory system. This set of circumstances will profoundly disrupt the medical technology internal market and create yet another significant ‘Cliff Edge’ putting patient safety, healthcare services and EU healthcare environment in a major disarray.”

I agree completely with them. In the end, this is about continuity of healthcare services – should be kind of important to member states as well.

What to do

For devices companies this means that more than ever you – apart from having your MDR/IVDR transition totally sorted out and on track – have to be vigilant to signals from your notified body that they may be closing down, and be in absolute shipshape with your compliance in order to have a chance of a quick transfer to another notified body. In addition, you need to understand how the orphaning process works in case you need it. So plan for different scenarios, and include the worst in them. As I have told several CEOs of devices companies downplaying things in the meantime “It’s only core business – how can that ever be relevant to the company, right?”

 

 

 

National MDR and IVDR implementation news – Netherlands implementation decree consultation

While nothing much comes out at EU level and member states seem to wait until the last moment with implementing legislation (because the people needed for that are caught up in the gridlocked Brussels MDR and IVDR implementation process as a result of structural under-resourcing of medical devices oversight) some member states are really on the ball – I give you the case of the Netherlands:

Netherlands implementing decree

The Netherlands is putting in place the last bits of its MDR and IVDR implementing legislation with the amended Medical Devices Act in the senate for sign-off (slated for first examination on 14 May) and is currently consulting on the draft implementing decree until 24 May, which contains the juicy substantive bits of the MDR and IVDR policy options to be exercised by the Netherlands (in addition to the surveillance options that I discussed in a recent seminar – up to 10% of turnover in fines possible and additional criminal liability, people!).

The Dutch draft decree provides an interesting insight as to how an EU member state would implement the MDR and IVDR as regards:

  • implant card;
  • details on reprocessing of single use devices (which ones may not be reprocessed and mandatory procedures for reprocessing);
  • details on reprocessing of re-usable invasive devices (requirements and procedures for health institutions engaging in this); and
  • labelling of sterile devices.

If these items are important to your company in the Dutch market and you would like to know more or if you need help responding to the consultation, let me know. The consultation ends on 24 May, so any reaction has to be submitted by that date.

Not covered in the decree

There is also a lot not in the implementing decree, like for example what type of in-house developed medical devices and IVDs are not allowed. In fact, the implementing decree does not cover any of the national policy options under the IVDR (not that there are many though).

Also, the decree (as well as the implementing act on which the decree is based) is silent on what every manufacturer, importer and authorised representative wants to know at this point in time: how, where and when can I obtain my Single Registration Number (SRN), and how long will it take? The SRN is mandatory for communication with the Eudamed database and for making a conformity assessment application under the MDR and IVDR, so kind of crucial.

 
