Counting down to the MDR date of application, and the legal stuff to get right before May 2020

Do you know that feeling that things look far away, but when you think about it are a lot closer than you think?

This is the feeling that the first medical devices companies are having because they are facing the reality that they might not be in time any more to have a valid CE mark by the date of application, either because they did not renew their old CE mark in time, or because they are with a notified body that will likely not be accredited in time to process their conformity assessment application for an MDR CE mark before the date of application. This is the reality of this moment.

Like with Brexit I see companies that are prepared and have secured the first CE certificates under the MDR. As far as we know publicly now, TÜV SÜD and BSI issued the first CE certificates in early September, BSI for a class IIa inhaler and TÜV SÜD for class III software. But after this proof of concept by two of the five notified bodies notified for the MDR we do not know at what speed MDR conformity assessments are being conducted and at what capacity notified bodies are operating. At this time there are two MDR notified bodies in the waiting period to be published in Nando and another two are in the MDCG procedure to be endorsed (according to the Commission verbally at the RMD 2019 yesterday), which will probably bring us to nine notified bodies by the end of the year. This will probably not be enough conformity assessment capacity to reliably serve the MDR system, which may lead to some tough political questions to be answered.

I also see companies spinning the roulette and putting all their chips on ‘not prepared’, hoping that developments will somehow save them from themselves. For example, still 1/6 of all certificates issued by UK notified bodies has not been transferred to an EU27 notified body, although the Commission has been urging companies to do so since January 2018. Competent authorities are telling me they are not going to give these companies a break.

As you will see in my presentation below, given recently at the Advamed MedTech conference in Boston, a lot is happening at the moment:

At the RMD 2019 conference in Brussels yesterday the Commission made the deadpan remark that resources and expertise remain a point of concern at member state level. This does not bode well for the member states’ capacity to deal with regulatory contingencies. You can imagine that companies that put their chips on ‘not prepared’ will not be met with understanding by the national authorities and will not find themselves on top of the ‘we will work with you as fast as we can’ pile.

Change is the constant

Major parts of the MDR system are falling into place now at a quickening pace, with the fifth notified body designated for the MDR in the meantime and more and more new MDCG guidance dropping, such as for the PRRC, the Summary of Safety and Clinical Performance and for Software as Medical Device recently. In the background the notified body designation procedure has been streamlined so as not to make it dependent on the MDCG meetings anymore.

A new Corrigendum?

There are persistent rumors that there is a second Corrigendum in the works that will be much more exciting than the first one in April this year.

This Corrigendum may actually contain a moving of deadlines for some or all devices that are currently class I and will need a CE certificate under the MDR because of up-classification or the new reusable surgical instruments Ir certificate.

I’ve heard that the Corrigendum is in process at Council level now and will soon be passed to the Parliament for sign-off, but I will believe it when I see it.

Knowns and unknowns

Should you sit on your hands now? Better not. As you will see below there are still a lot of known unknowns and unknown unknowns.


Brexit has been ‘averted’ until 31 January 2020, and immediately the British Parliament took the measures that are the most unhelpful to solve the political impasse in the UK and make it as unlikely as possible that the UK will solve the problem by itself within three months. Member states that were still patient with the UK (some with considerable self-restraint, like the French) might regret this now and decide to force the UK out by 31 January after all, if only as a favour, so you should still plan for the possibility of a hard Brexit.

Smart companies will be learning from the experience gained in the first QMS audits conducted by the first notified bodies, so they know what to prepare for. Did you know for example that notified bodies will look at how your PRRC is set up and whether you have sufficient financial coverage for product liability for the devices you place on the market?

And there are other pertinent questions:

  • Do you understand Eudamed and how your company will likely work with it?
  • Which modules will likely be available by March 2020 and which ones not? Or is the more and more persistent rumor true that Eudamed will be delayed by two years altogether? In that case you need to understand the rather complex article 123 (3) (d) MDR, which says what your obligations are in that case.
  • Are you ready for the ever more likely hard Brexit by (in the meantime) the end of January 2020?
  • Are you ready for Switzerland and Turkey potentially not implementing the MDR and IVDR in time? It looks like this might actually happen and that would affect companies with supply chains running through Switzerland and Turkey because those would, just like the UK after a hard Brexit, not be part of the Union in which the MDR applies.

The legal stuff

And then there are the ‘legal’ and contractual consequences and things to get in place before DoA. The MDR requires putting in place new contracts and revisiting a lot of existing ones, which I’ve conveniently summarised for you in my presentation below at the RMD 2019 conference in Brussels yesterday:

If you look at it, there are quite a number of ‘legal’ things the legal department of your company should look at, maybe do something with and in any event understand, including the following (non-exhaustively listed) items:

  • How does the economic operator regime influence the contracts in your supply chain? Are you using your supply chain to collect PMCF data efficiently? Do you understand who has what role and what responsibility goes with that? Concepts such as importer used for transfer pricing purposes do not mean the same in the MDR, for example.
  • How has your authorised representative agreement changed?
  • How have you embedded the PRRC in your organisation and what does that person’s contract state?
  • Has the certification agreement with your notified body been updated for post-May 2020 services?
  • How will the agreement with your OEM change and have you moved from an OBL agreement to a virtual manufacturing agreement? If you do branded distribution, do you have an article 16 (1) (a) MDR agreement in place?
  • Do you have a perspective on all the legal things that will be subject of QMS audit by your notified body, like the newly mandatory product liability coverage under article 10 (16) MDR?
  • Is your M&A activity taking into account how to integrate or acquire targets with (AI)MDD certificates after May 2020 in a way that this transaction or integration does not give rise to a significant change that causes the certificate to be invalid and disrupt market access of the products concerned? This may completely skew the assumptions underlying the deal so kind of important. I see companies and investors already start to get this wrong and end up paying more than double for the target because it will take a lot of time to pivot from an invalid MDD certificate to a granted MDR CE certificate if you are not planning for that. I bet your deal financials turn out different if you find that you are suddenly faced with a market access disruption of about two years that you were not planning for. I am planning to discuss this in more depth in a follow up post discussing my presentation about medical devices M&A and MDR at the last RAPS Regulatory Convergence conference.

And the list of items goes on. Time to get your legal department on board if they are not already, and time for them to become MDR specialists!

It will end May 2020 before you know it.

New sort of applicable economic operators regulation: the Market Surveillance Regulation

Attentive attendees of my presentations about economic operators will have noticed that essential parts of the general Goods Package were being amended and that this may affect companies in the medical devices space.

I now present to you Regulation (EU) 1020/2019 of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011, the Market Surveillance Regulation. This regulation replaces part of Regulation 765/2008 (articles 15 to 29 to be precise), the regulation that set up the economic operator regime as we know it under the MDR and IVDR, and supplements lots of other EU CE marking directives and regulations too.

This new regulation’s objective is a uniform framework for market surveillance for products at Union level by

“strengthening market surveillance, providing economic operators with clear, transparent and comprehensive rules, intensifying compliance controls and promoting closer cross-border cooperation among enforcement authorities, including through cooperation with customs authorities.”

But hang on, didn’t we have a regime for economic operators, compliance controls and market surveillance in the MDR and IVDR? Didn’t we just spend loads of money understanding these regimes and now we get this? This cannot possibly apply to the medical devices industry, right?

Well… it depends – I’ll explain right after you’ve enjoyed my latest presentation about economic operator regime developments at the Q1 3rd annual EU MDR implementation conference in affluent Alexandria close to Washington DC in the US last month:

Only insofar as it depends

The regulation applies and does not apply to medical devices and IVDs. It does apply because Annex I to the regulation contains all medical devices and IVD regulations and directives (except, strangely, the MDD and AIMDD) that the regulation applies to in so far as there are no specific provisions with the same objective in the Union harmonisation legislation which regulate in a more specific manner particular aspects of market surveillance and enforcement (article 2).

It does not apply insofar as (see its recital 4):

“[…] in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation. The corresponding provisions of this Regulation should therefore not apply in the areas covered by such specific provisions, for instance those set out in Regulations (EC) No 1223/2009 (3), (EU) 2017/745 (4) and (EU) 2017/746 (5), including as regards the use of the European database on medical devices (EUDAMED), and (EU) 2018/858 (6) of the European Parliament and of the Council.”

You can understand that a sentence like “in accordance with the principle of lex specialis, this Regulation should apply only in so far as there are no specific provisions with the same objective, nature or effect in Union harmonisation legislation” makes my lawyer pulse go up considerably. However, it’s not a super clear demarcation criterion. It basically says: whatever is in this regulation but not in the MDR/IVDR by ‘objective, nature or effect’ is still governed by the Market Surveillance Regulation. Up to now I would look into the fantastic Blue Guide to understand whatever is not clear in the MDR and IVDR in terms of CE marking and economic operators. Now we also have this additional regulation to inform and bind us, because obviously this regulation will affect how the corresponding rules in the MDR and IVDR will be interpreted. Also, the regulation contains additional items that apply in addition to the MDR and IVDR, as we will see later on in this blog.

And, finally, don’t forget that the Market Surveillance Regulation applies to other EU regulations and directives than the MDR and IVDR that devices are also covered by, such as the REACH Regulation (chemicals) and the RoHS Directive (hazardous substances). Take a look in Annex I of the regulation for the whole list of directives and regulations covered by the Market Surveillance Regulation.

So, happy times – let’s take a tour of the new Market Surveillance Regulation and see how this may impact what we know about the EO regime and other device-related matters under the MDR and IVDR.

Fulfillment service providers (article 4)

The definition of economic operator in the MDR and IVDR does not include fulfillment service providers, but the Blue Guide mentions under the heading of distributors that fulfillment service providers doing more than mere box moving could qualify as economic operator. In that regard it is important to know who qualifies as a fulfillment service that can be a distributor. Article 3 (11) of the Market Surveillance Regulation defines fulfillment services provider as:

 “any natural or legal person offering, in the course of commercial activity, at least two of the following services:

  • warehousing, packaging, addressing and dispatching, without having ownership of the products involved, excluding postal services as defined in point 1 of Article 2 of Directive 97/67/EC of the European Parliament and of the Council,

  • parcel delivery services as defined in point 2 of Article 2 of Regulation (EU) 2018/644 of the European Parliament and of the Council, and

  • any other postal services or freight transport services;” (underlining added)

This is much more detailed than the Blue Guide’s description of “the activities of fulfillment service providers as described above go beyond those of parcel service providers that provide clearance services, sorting, transport and delivery of parcels.” So, now we have a better picture of what a fulfillment service provider looks like.

Distance sales (article 6)

Article 6 of the MDR and IVDR specifies that devices offered to natural and legal persons in the Union must comply with those regulations. The new market surveillance regulation adds that making available (the term missing in article 6 MDR and IVDR, which merely use ‘offer’) occurs if the offer is targeted at end users in the Union. An offer for sale is considered to be targeted at end users in the Union if the relevant economic operator directs, by any means, its activities to a Member State. This can be assumed, for example, when the website is available in a language spoken only in that member state.

This is quite relevant for companies that offer the sale of tests or other devices at a distance to end users in the EU, and shows that the concept of making available in the Blue Guide does not require an actual sale to be made (as you would already know from the Blue Guide, so this is not new); offering for sale is sufficient.

Another feature of the Market Surveillance Regulation is that the fulfillment service provider becomes responsible for the device when there is no representative in the EU (manufacturer, importer or authorized representative). This means that it becomes important for fulfillment service providers to establish if the devices that they are delivering comply in terms of economic operator organization. In cases where the non-Union established manufacturer thinks he’s safe, the fulfillment services provider in the EU now becomes an enforcement target.

Small bombshell in article 11 (9): Lyocentre revisited

In the Lyocentre case the EU Court stated that incomplete harmonization in the medical devices field in the EU allowed for member states to reach very different conclusions regarding regulatory compliance of the same device. Well, that’s mostly over now with the Market Surveillance Regulation, which provides in article 11 (9) that

“Without prejudice to any Union safeguard procedure pursuant to the applicable Union harmonisation legislation, products that have been deemed to be non-compliant on the basis of a decision of a market surveillance authority in one Member State shall be presumed to be non-compliant by market surveillance authorities in other Member States, unless a relevant market surveillance authority in another Member State concluded the contrary on the basis of its own investigation, taking into account the input, if any, provided by an economic operator.”

In other words, if one authority decides that the device is non-compliant (for example, as in Lyocentre) because the authority thinks it’s a medicinal product rather than a device, all other authorities must assume non-compliance too (the regulation does not say it should be on those same grounds, but this seems implied). This would only be different if they conclude otherwise in their own investigation, whether or not after input of the economic operator. As you can imagine, this will be interesting and potentially complex for manufacturers, because of the very different views national authorities can have about qualification and classification of devices alone already.

This provision in the Market Surveillance Regulation interacts with article 4 MDR and 3 IVDR (Regulatory Status of Products), which allow the Commission to take qualification decisions about products by means of implementing act on its own initiative or upon a member state’s request. Where the non-compliance concerns qualification this provision can be used to overrule a situation where member states still want to maintain a divergent qualification, but you or a member state will need to win the Commission over first.

Recovery of costs by market surveillance authorities (article 15)

In addition to the possibility to levy fees in relation to the application of the MDR and IVDR, the regulation allows member states to authorise their market surveillance authorities to reclaim from the relevant economic operator the totality of the costs of their activities with respect to instances of non-compliance. These costs may include the costs of carrying out testing, the costs of taking measures in accordance with customs holds, the costs of storage and the costs of activities relating to products that are found to be non-compliant and are subject to corrective action prior to their release for free circulation or their placing on the market.

For example, it would seem that this provision in the Market Surveillance Regulation allows competent authorities to charge costs for evaluation of devices suspected of presenting an unacceptable risk or other non-compliance under article 94 MDR / 89 IVDR and costs of measures implemented to deal with devices presenting an unacceptable risk to health and safety under article 95 MDR / 90 IVDR.

Procedural rights of economic operators (article 18)

The Market Surveillance Regulation also contains one provision of procedural rights relevant under the MDR and IVDR: before any measure, decision or order is taken or made by market surveillance authorities, the economic operator concerned must be given the opportunity to be heard within an appropriate period of not less than 10 working days (unless that is not possible because of the urgency of the measure, decision or order, based on health or safety requirements or other grounds relating to the public interests covered by the relevant Union harmonisation legislation). This would be additional to the market surveillance provisions in the MDR and IVDR, which do not contain this 10 working day minimum period. Where member states do not have this period built into their procedural law for the authorities concerned, they will have to take this period into account.

Market surveillance

The Market Surveillance Regulation makes changes in the market surveillance regime for products, of which some general items are already covered in the MDR/IVDR and others are not, as set out in this approximative table:

| Market Surveillance Regulation | MDR/IVDR |
| --- | --- |
| Market surveillance national authorities are granted strengthened powers | Covered, chapter VII section 3 (Market Surveillance) |
| The tasks of market surveillance are defined and powers like taking samples and imposing penalties are harmonized | Covered, chapter VII section 3 (Market Surveillance) |
| Market surveillance authorities may reclaim all cost of their activities in case of non-compliant products | Not covered in market surveillance section |
| Harmonized approach for surveillance at EU borders by customs and surveillance authorities | Not covered in regulations |
| A Union Product Compliance Network (UPCN) to be set up by January 1, 2021 | Covered, MDCG and electronic system on market surveillance (part of Eudamed) |

The items not covered in the MDR/IVDR will be governed by the Market Surveillance Regulation and implementing national law for that regulation.

Date of application

The Market Surveillance Regulation already entered into force last month and it applies from 16 July 2021, except for some provisions related to implementation by the authorities. So, more on your plate to figure out for the MDR and IVDR.

Questions?

Questions about this new regulation or the MDR or IVDR? I will be speaking about several subjects (including M&A and the MDR/IVDR, MDR implementation and IVDR implementation) at the upcoming RAPS Regulatory Convergence in Philadelphia from 21 to 24 September and about the MDR at the Medtech Conference in Boston from 23 to 25 September.

€ 500 per data subject – a quantification of why GDPR matters

Clients often ask me why they should invest in General Data Protection Regulation (GDPR) compliance so much. For medical devices and medicines regulatory compliance, they get it to an extent. Non-compliant devices carry risk of enforcement, which can lead to them being taken off the market. Devices off the market = collapse of cash flow and bad press. Both are bad for the company. And then there is the product liability risk for non-compliant devices or medicines that harm patients. More bad press and of course you don’t want to harm patients.

Data, seriously?

But data, seriously? For personal data related non-compliance companies often reason differently. They see personal data (and personal data concerning health) often as a surplus that can be harvested and put to their use: as their data rather than the data that is governed by rights of the data subjects concerned. Compliance with the EU GDPR is costly, complex and follows alien logic. It’s my surplus right? It’s generated by my devices, generated in my trials and stored on my servers that I have secured as well as I think is necessary. It’s not like we are harming people if there is a data breach or if we send the data to the US (or the UK after hard Brexit). Look at company statements when a data breach happens: the first statement that a company makes is that they have no indication that the data were used for any detrimental purpose by bad guys (if any).

So why all this costly and complex hassle? Companies generally understand there are rules enforced by data protection authorities, and that these authorities may enforce these rules in case of non-compliance. So then the question is: what is the risk of enforcement and disruption of operations? That seems to be the only risk that is really considered. There is no product liability in data protection – it seems. Data protection authorities are comfortably under-resourced so risk of enforcement and imposition of the ginormous penalties that we were warned about when the GDPR entered into force is relatively small. And a data breach (other risk) may be bad publicity but it always blows over – Facebook can tell you all about that. So, what’s the problem right?

A small legal case

A small legal case in the Netherlands may serve as a powerful example of where things are heading with the GDPR, and to show that the GDPR is serious about the intrinsic value of personal data to the data subject that they relate to. Personal data is not surplus. A data subject does not only have an interest in bad guys not going to town with their breached data and pillaging their bank account or selling their genetic data, or third parties using their data in non-compliant ways by aggregating it into profiles about you that follow you around with ads about stuff you already bought. A Dutch court recently held that non-compliance under the GDPR harms the data subject’s interests in control over his or her personal data, which is a fundamental, personal right. And this personal right is exactly what article 82 GDPR protects when it states that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

So what non-material damage could a person suffer as a result of an infringement of the GDPR? The Dutch case concerned local government officials sending emails to inform each other about the fact that a person filed a request for disclosure of certain data. This was done not in accordance with compliant procedure and therefore constituted a data protection law infringement. The infringement seemed innocent enough on its own merits, like

  • doctors whatsapping each other images of patients’ wounds or statuses (so useful and quick),
  • maintenance personnel making copies of all treatment session data on a medical device on to their laptop for further analysis without covering this in the services agreement (very efficient),
  • support staff doing root level remote log-ins from services centers outside the EU on medical capital equipment and having access to all data on the equipment without a processing agreement with the hospital (good service),
  • hospitals scrapping devices without deleting diagnostic data on them (how should we know there’s data on these things),
  • companies far and wide transferring personal data concerning health outside the EU for further processing without adducing compliant safeguards (crazy Europeans have rules for that?).

And the list goes on. And what’s the harm, right? We were only trying to help, only running our business, just getting things done – this GDPR business that starts with privacy by design just makes things way too complicated. We already have other rules to worry about.

Privacy by design

Yet, privacy by design is so important, because for example regarding devices security design the GDPR places regulatory emphasis on one half of the model below, and the MDR/IVDR on the other half:


This model comes from BSI’s very interesting white paper on cybersecurity, which you can download here from their page with a lot of other interesting and relevant white papers for MDR and IVDR. This serves to show how data protection requirements under the GDPR and GSPRs under the MDR and IVDR for software form different sides of the same coin and must therefore be equally considered in design and risk management. They must be parts of an overall integrated strategy to get this right. And we all know what can happen with badly designed products / services: if they don’t harm someone they’ll compromise their data or both.

Loss of control over personal data

Where’s the harm when personal data are lost or wrongly processed? Nobody re-sold the data (yet), nobody plundered bank accounts (yet) so what’s your problem data subject?

The problem of the data subject is – as the Dutch court phrased it – loss of control over personal data as a result of the non-compliance. Non-compliant processing leads to loss of control over personal data, which constitutes non-material damage in the meaning of article 82 GDPR. The Dutch court quantified this non-material damage at € 500 for the person concerned, taking into account that the decision to engage in non-compliant processing did not contain a justification (by the way this is why I always have been telling companies from the start of the GDPR to take the often mandatory Data Protection Impact Assessment (DPIA), which should contain such argumentation, very seriously). Especially when someone processes your special categories of data (concerning health, genetic data and biometric data among other things) you have very very much an expectation, even a fundamental right, to privacy as a data subject. This is also a circumstance that could give rise to another quantification of non-material damage under the GDPR, because the € 500 was determined in a case where the personal data were not of the exciting kind. Imagine that you are a company offering genetic testing services and have a database of whole genomes and related hereditary disease risk factors of your customers that a disgruntled employee makes off with and then sells on the dark web. I bet that the amount of non-material damage for the data subjects will be more than € 500. And there are other conceivable factors that could influence the amount.

It adds up

500 Euros may not sound like much, but this is a per data subject amount. When you have a large user base, the number quickly adds up. When you are a multinational company with millions of users, things get really serious. And when the users concerned combine into a class action, you are in a world of trouble.

Not only the controller is in trouble, but the processor (the service provider) may be too. A processor is liable for the damage caused by processing where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller, for example because the processor has not implemented the level of security required under the processing agreement with the controller. Processing agreements are just a stupid formality that your lawyer spends too much time on nerding about clever wording? Maybe time to take another look at yours.

Because let’s say you have a million users in the EU and your service suffers a catastrophic data breach because your processor’s systems are hacked and you were processing health data in the US without a proper transfer mechanism. Or you were processing data of extra-EU data subjects in your EU operations not realizing that this means that these people suddenly are covered by the GDPR and have the same rights as EU citizens under the GDPR as a result.

Or something less spectacular: you sell the user database in an asset transaction when divesting that service from your company (without prior data subject consent or with another GDPR compliance issue that clever people in the due diligence warned you about but you do it anyway).

Or even yet more unspectacular: you have misunderstood (as so many companies crossing my desk do) the difference between anonymous data and pseudonymised data and as a result you are processing personal data when thinking you are not. Especially US companies are very prone to this mistake due to local US concepts of what anonymisation is and I have many heated debates with insufficiently informed US company lawyers about the fact that the GDPR really uses different logic in this regard. The same is true for many institutions and persons in medical research: they think that a coded dataset is anonymised just because of the distributed key, while for legal purposes it really is not because the whole point of a key is that the coding is reversible.

Or even still less spectacular: you decide to do performance evaluation for your IVD on a biobank of samples that you still had somewhere for other purposes because the IVDR is coming and you need more data because you did not do PMS for your self-certified IVD like most companies in the market.

The above are all realistic scenarios that happen all the time.

So congratulations: someone makes a small and perhaps totally avoidable mistake and you have just racked up a potential liability of € 500.000.000 in our realistic examples (yes, half a billion Euro) for your company, of which the fuse can be lit by any data subject concerned clever enough to make this into a major problem for you by starting a class action. Dutch class action law and the GDPR provide that a data subject can be represented by a class action vehicle and the GDPR provides that a data subject can sue a controller or processor in every EU member state in which the company has an establishment. So if fundamental rights and enforcement risk by authorities are not enough reason to take GDPR compliance seriously, maybe the risk of a major class action is.

Stacking of the legal deck

The Dutch court decision is being appealed I understand, and appeal means it may be reversed or it may not. But this case shows how the deck is stacked legally, and why data protection is serious business.

So maybe give this GDPR business just a bit more consideration than you are currently doing – if only because it’s prudent risk management and, quite frankly, the right thing to do because we are talking about fundamental rights here.

 

PRRC guidance under MDR and IVDR published

The MDCG has just published its guidance on the PRRC, MDCG 2019-7 “Guidance on Article 15 of the Medical Device Regulation (MDR) and in vitro Diagnostic Device Regulation (IVDR) regarding a ‘person responsible for regulatory compliance’ (PRRC)”.

The guidance is largely unsurprising but I would like to highlight some points that are relevant to companies operating internationally and that have structured their PRRC functions by pooling or combining resources, such as combining the manufacturer and authorised representative in a single person or locating the PRRC outside the Union.

Points relevant for extra EU-manufacturers

The guidance clarifies some points relevant to international companies, which are not clearly defined in the MDR/IVDR and which may prompt companies to need to change their current PRRC implementation in an international (extra-Union) context:

  • The PRRC for the manufacturer and for the AR cannot be the same person (see p. 5) – although this is not explicit in the MDR and IVDR, it is evident that with the increased supervisory role of the AR combination of these separate roles in one person would create a conflict of interest. For micro and small enterprises (who do not need to employ a PRRC for the manufacturer pursuant to article 15 (2) MDR and IVDR) this translates to the situation that not only can the PRRC for the manufacturer and AR not be the same person, they can also not be provided by the same consultancy organisation (p. 5), which will add to costs and complexity for smaller companies;
  • The PRRC for the AR must be located in the EU because the AR is located in the EU – this is not an explicit requirement in the MDR/IVDR but has been clarified now (p. 3). The manufacturer PRRC can however be located outside the EU; and
  • The PRRC qualifications must be proven by demonstrated member state equivalency, meaning that the company will need to check the recognition of any non-EU diplomas by member states and document this for the PRRC (p. 1).

What else the guidance clarifies

The guidance provides a level of detail with regard to the cross-links between the manufacturer responsibilities under article 10 MDR/IVDR and the PRRC minimum responsibilities set out in article 15 (3) MDR/IVDR. This is helpful and convenient for drafting QMS procedures for implementing the PRRC function in the manufacturer organisation.

The guidance further clarifies that the manufacturer PRRC must be employed, except when the manufacturer is a micro or small enterprise.

If a company has multiple (“legal”) manufacturers under a single parent company then each of these must appoint its own PRRC. The guidance does not specify whether these multiple PRRC functions can be combined in the same person or distributed over the same group of people if the manufacturers share a QMS or if this is implemented with quality agreements. I would assume however that this is possible.

What the guidance does not clarify

One of the big questions remains unanswered: the potential liability of the PRRC, which is important with regard to the structuring of the PRRC’s mandate and possible indemnification by the company, as well as how to structure that the PRRC does not suffer disadvantage of proper fulfilment of his/her duties. Since this is not explicitly addressed in the MDR/IVDR, it becomes relevant in the implementation of the MDR and IVDR in national law.

For example, the Dutch legislative proposal for the MDR/IVDR implementation provides without any clarification (that I have been able to find in the legislative history for the implementation act) that infringement of article 15 (3) MDR/IVDR (which sets out the PRRC responsibilities) is subject to competent authority enforcement by means of administrative fines and penalty payments. It is unclear (to me anyway) whether this enforcement may be directed against the company (I would assume so) or also against the PRRC (when not exercising responsibility for the functions that the PRRC should at least assume responsibility for). Hopefully this will be cleared up at some point because under the current circumstances it makes it potentially rather unattractive and risky to be a company’s PRRC in the Netherlands.

 

Bottleneck of bottlenecks for notified body capacity

People that are downplaying the notified body bottleneck may need to start to revisit their position with notified body LRQA now also dropping out of the notified body pool for medical devices and IVDs. This is especially a problem with respect to IVDs, as LRQA is one of the notified bodies traditionally handling a large share of the currently CE certified IVDs in the EU. This expertise and capacity will now be lost and not be available for the IVDR transition and for soft transition under the IVDR. And the general medical devices capacity is also lost of course too.

The case of LRQA

The case of LRQA shows that notified bodies are not only suffering in the end of the long tail, but also at the beginning of the tail. Three things are happening now.

First, LRQA is ceasing its MDD and IVDD services – this means that its current customers need to transfer to another notified body. Customers that had relied on LRQA to support them for soft transition (2020-2024 under MDD or 2022-2024 under IVDD) have to find another currently notified notified body to support them. Since LRQA was servicing a large part of the IVD industry that need CE certificates currently, this will be difficult and a bottleneck in itself. A transfer to another notified body may take longer than you have until the date of application for the MDR (26 May 2020). Also, customers of LRQA will need to transfer as soon as they can, because when a notified body closes down, the certificates will be withdrawn – regardless of the expiry date on the certificate (this is something that many manufacturers still misunderstand). It means that customers of LRQA may need to massively apply for orphaning protection with competent authorities if they cannot complete their transfer before LRQA closes its doors for the directives (90 days as of 12 June 2019).

Secondly, LRQA is abandoning its pursuit of a notified body in the Netherlands – this means that their Brexit hedge is terminated and less of the current capacity of notified bodies in the UK ends up being transferred to the EU27, so less total capacity available.

Finally, they announce that they are not pursuing their MDR and IVDR notification. This means that this capacity will not be available for the IVDR transition, which is a pity given the enormous amount of currently non-CE certified IVDs that need to be CE certified under the IVDR.

LRQA will probably not be the last

So, we are faced with the scenario that notified body capacity is rapidly decreasing, and a lot faster than new capacity is being added. In fact, new capacity is not being added because no new notified bodies are entering the market for certification services under the MDR and IVDR – the only new ones are UK notified bodies transferring to EU27, of which LRQA was one. NSF, the only really new NB on the block that I knew about, has abandoned its IVDR application in the meantime. 9 of the 22 Team-NB IVDD notified bodies will not apply for IVDR, and the rest is in various stages of application or considering to apply for IVDR. MDR figures are also looking bleak.

You do not need to be a mathematical genius to see that with a projected increase of notified body workload of 780% (source: MedTech Europe) and a rapidly decreasing installed base of capacity of notified bodies, there will be a bottleneck of bottlenecks. I predict that LRQA will not be the last notified body to abandon medical devices altogether.

Some Member States are getting kind of worried too. The Germans and Irish recently drew attention to the bottleneck at the Employment, Social Policy, Health and Consumer Affairs Council session on 14 June 2019 in the general context of implementation of the MDR and IVDR (which, as I have blogged, is far from ideal to begin with):

“[…] based on the number of notified bodies which are expected to be available on time, there will still be significantly fewer notified bodies than currently exist. In addition, data is not available on the capacity these designated bodies will afford the system.

[…] The concerns expressed are that these products cannot continue to be placed on the market under their existing Directive certificate up until 2024, like most other existing medical devices and that this will lead to market shortages.”

In other words – I will translate these euphemisms for you – we are feeling our way along in the coal mine of the new unfinished regulatory system, a cage with a bunch of dead canaries in our hand, and we have no idea if what we are doing is going to produce the regulatory approval capacity we need.

MedTech Europe has recently used uncharacteristically strong language in this regard in an open letter to the European Commission:

“This situation is clearly untenable, and time has run out to build a functioning regulatory system. This set of circumstances will profoundly disrupt the medical technology internal market and create yet another significant ‘Cliff Edge’ putting patient safety, healthcare services and EU healthcare environment in a major disarray.”

I agree completely with them. In the end, this is about continuity of healthcare services – should be kind of important to member states as well.

What to do

For devices companies this means that more than ever you – apart from having your MDR/IVDR transition totally sorted out and on track – have to be vigilant to signals from your notified body that they may be closing down, and be in absolute shipshape with your compliance in order to have a chance of a quick transfer to another notified body. In addition, you need to understand how the orphaning process works in case you need it. So plan for different scenarios, and include the worst in them. As I have told several CEOs of devices companies downplaying things in the meantime: “It’s only core business – how can that ever be relevant to the company, right?”

National MDR and IVDR implementation news – Netherlands implementation decree consultation

While nothing much comes out at EU level and member states seem to wait until the last moment with implementing legislation (because the people needed for that are caught up in the gridlocked Brussels MDR and IVDR implementation process as a result of structural under-resourcing of medical devices oversight) some member states are really on the ball – I give you the case of the Netherlands:

Netherlands implementing decree

The Netherlands is putting in place the last bits of its MDR and IVDR implementing legislation with the amended Medical Devices Act in the senate for sign-off (slated for first examination on 14 May) and is currently consulting on the draft implementing decree until 24 May, which contains the juicy substantive bits of the MDR and IVDR policy options to be exercised by the Netherlands (in addition to the surveillance options that I discussed in a recent seminar – up to 10% of turnover in fines possible and additional criminal liability, people!).

The Dutch draft decree provides an interesting insight as to how an EU member state would implement the MDR and IVDR as regards:

  • implant card;
  • details on reprocessing of single use devices (which ones may not be reprocessed and mandatory procedures for reprocessing);
  • details on reprocessing of re-usable invasive devices (requirements and procedures for health institutions engaging in this); and
  • labelling of sterile devices.

If these items are important to your company in the Dutch market and you would like to know more or if you need help responding to the consultation, let me know. The consultation ends on 24 May, so any reaction has to be submitted by that date.

Not covered in the decree

There is also a lot not in the implementing decree, like for example what type of in-house developed medical devices and IVDs are not allowed. In fact, the implementing decree does not cover any of the national policy options under the IVDR (not that there are many though).

Also, the decree (as well as the implementing act on which the decree is based) is silent on what every manufacturer, importer and authorised representative wants to know at this point in time: how, where and when can I obtain my Single Registration Number (SRN), and how long will it take? The SRN is mandatory for communication with the Eudamed database and for making a conformity assessment application under the MDR and IVDR, so kind of crucial.

 

IVDR, in-house developed tests and the state of MDR/IVDR implementation

In several posts on this blog I have discussed the severe impact that the IVDR will have on the IVD industry selling in the EU (just click on IVDR in the tag cloud on the bottom right of the page).

My firm has organised multiple seminars and I have spoken about this on more conferences and occasions than I can remember.

Yet, at the Molecular Diagnostics Europe conference this last week it turned out that at this stage still really only the big IVD companies know something about the IVDR. Small and mid-size companies and the investors in these companies mostly have no idea whatsoever how to approach the IVDR (if they have heard about it at all). Health institutions are generally not aware that the IVDR will have enormous consequences for their in-house produced diagnostics installed base and going forward.

Here is my presentation at that conference, which raised a lot of eyebrows in surprise:

 

 

The IVDR stands to be an even bigger bottleneck I think than the MDR, for several reasons:

  • The regulatory paradigm shift is bigger than for the MDR – because of the reclassification of IVDs most IVDs will need a CE certificate issued by a notified body and they will need it by the date of application if they did not have a CE certificate under the IVDD (the vast majority of IVDs).
  • While the IVDR is projected to lead to an increase in notified body capacity needed of 780% (says MedTech Europe) there certainly is no increase of 780% in notified body capacity available to the market. In fact, not a single notified body has been accredited for the IVDR at this moment and the pipeline of notified bodies under review shows a decrease in notified bodies available to the market (less than under the IVDD).

Needless to say, this will cause a really really disruptive bottleneck that may lead to disruptions in healthcare because tests relied on on a continuous basis may suddenly not be available any more for shorter or longer periods. These tests cannot quickly be replaced by in-house developed tests as the requirements for these tests have also increased a lot (see below). Or the other way around: in-house developed tests are suddenly not available anymore because the health institution has been sitting on its hands and did not do its article 5 (5) IVDR homework and cannot quickly replace the tests by CE marked ones. This will likely be a major issue in my country (the Netherlands) where in-house developed tests form a large part of the health institutions’ portfolio of tests.

Stalling implementation increases IVDR bottleneck too

This bottleneck is only increased by the continued absence of the vast majority of implementing guidance and legislation that is still necessary to make the IVDR and (at a much earlier time) the MDR work. IVD companies should be hard at work on their implementation and should have their first conformity assessment applications in the works to gain experience with it. Except that they can’t because there is no notified body available yet.

MedTech Europe is quite right to keep raising this with the European Commission in the strongest wording possible. COCIR has also been very vocal about the delay in harmonized standards. As I have blogged on occasions: it certainly is not good legislative and administrative practice to deliver an incomplete new regulatory system and then spend the transitional period foreseen for the addressees to implement the rest of it while the addressees remain incapable of knowing what the rules actually are, frustrating their useful implementation of the rules for their products. It will not do to tell industry it has to do much better and then fail at providing the necessary rules for industry to do better by. Indeed, we are two years into the transitional periods under the MDR and IVDR with scandalously little to show for it on the part of the authorities.

This situation punishes companies that try to be compliant with the new rules quickly and it leads to calculated prisoner’s dilemma behaviour in other companies that hope to get away with not implementing unfinished and unclear rules. This is not the kind of orderly transition you would like to see in a regulated space where human lives depend on the products concerned, and the availability of the products concerned depends on regulation being available.

GDPR

Implementation of the IVDR, and the possibly enormous amounts of data required for performance evaluation to the new standards, necessitate a precise and thorough understanding of the General Data Protection Regulation (GDPR) in order to be compliant with that regulation as well, as is explained in the presentation above.

The GDPR is woven into the IVDR, and has to be taken into account in dealing with performance data for the purpose of the performance data requirements under the IVDR. The GDPR has its own strict regime for data concerning health (e.g. patient related data about a patient sample that tested positive for syphilis) and genetic data (another category of data very relevant in molecular diagnostics). Compliance by design is therefore not only an IVDR thing, but implementation of the IVDR necessitates co-implementation of the GDPR (which requires privacy by design) if your company is processing plain personal data, personal data concerning health or genetic data. And with the very broad GDPR concept of personal data this is sooner than you think. Not a week passes in which I am not explaining to a (mostly US) company that taking off some identifiers does not (I repeat NOT) render personal data anonymous for EU GDPR purposes when the coding is reversible (and even if the key is held by a third party) so it remains personal data regulated under the GDPR.

Labs, healthcare institutions and home brews

One of the subjects not addressed in the presentation but in my experience a major subject of misunderstanding by healthcare institutions is the non-grandfathering of the existing home brew/lab developed test base currently in use in healthcare institutions and labs. The fact that these tests are currently being used does not automatically mean that nothing needs to happen under the IVDR. Since the IVD Directive currently explicitly excludes them from its scope, they have never been placed on the market for the purposes of EU IVD legislation, and are therefore not subject to the transition regime provided by the IVDR. The IVDR contains a regulatory regime for these products in article 5 (5) that applies as of the date of application of the regulation. Since these devices are subject to national regulation and are excluded from the IVD Directive (IVDD), they are not yet placed on the market or put into service under the IVDD. They become devices regulated under the IVDR as of 26 May 2022 and that means that article 5 (5) IVDR (which applies to devices manufactured and used in health institutions) is fully applicable without transitional regime, and also to the current installed base.

In order to keep using the installed base health institutions need to meet the requirements in the IVDR (Annex I technical documentation and article 5 (5) requirements), which will be quite some work. This is a rather strict interpretation of the IVDR, but by the letter of the IVDR in my opinion the only right one, as under the Blue Guide logic a product that has been put into service under national law does not automatically count as already put into service for the purposes of the IVDR, as the IVDR did not apply yet and neither did the IVDD.

The only way out of this conundrum is for the member states to clarify that the installed base of in-house produced IVDs put into service before the date of application counts as already legally put into service and therefore does not need to meet the article 5 (5) requirements by the date of application. The Commission cannot do this because the LDTs were always excluded from the IVDD. This would be a strange step to have to take though because you would have expected these devices to have been included in the sell-off provision under article 110 (4) IVDR until 2025 or otherwise addressed in the transitional regime. That provision however only applies to devices placed on the market before the date of application and still in the supply chain, but not to those put into service before that date (because in-house developed tests were never placed on the market).

Recognising the in-house developed installed base as placed on the market already or put into service already would lead to the strange situation that we would be dealing with two groups of in-house developed tests for possibly years and years: the formerly unregulated ones that remain subject to national law and the ones regulated under the IVDR, which would be subject to wildly diverging rules. In addition, every new device put into service of the same type of in-house developed test after the date of application (26 May 2022) would need to meet the article 5 (5) IVDR requirements anyhow (which more or less amount to meeting the IVDR requirements for a self-certified IVD).

In addition and importantly, the health institution needs to prove as of that date that its in-house tests are better than equivalent CE marked tests on the market. This requirement applies throughout the life cycle of the in-house test (like the other article 5 (5) IVDR requirements for in-house developed tests), so the health institution must monitor equivalent CE marked tests in the market on a continuous basis and switch when a better commercial CE marked test becomes available.

At best the transitional regime is – in my view – currently very unclear for in-house developed tests. Better get it clarified with your local competent authority. This competent authority will (or should) be able to also let you know whether it plans to restrict the manufacture and use of any specific in-house developed test as article 5 (5) IVDR allows.

So

Companies in IVDs: do not postpone IVDR transition and do not ignore GDPR. Two years of the transitional period for the IVDR have already passed, and it is 26 May 2022 before you know it, especially if you are on the bottom of the pile at an IVDR accredited notified body or if you need to get your performance data in shape to meet the new requirements. The GDPR is already fully applicable since 25 May 2018, so authorities have no patience whatsoever with companies that start to understand this only now.

Labs in health institutions: the IVDR also applies to you. Clarify the regulatory status of your existing installed base of LDTs (and start working on your article 5 (5) IVDR dossiers and QMS) and prepare to have to continuously justify the use of an in-house developed test against what is available as equivalent CE marked tests on the market, which (I agree) may make investing in LDT development more problematic. Yet, the IVDR has been set in stone for more than two years and you won’t change it any more at this stage.

Conferences!

If you are a US company in IVDs or medical devices and w/should like to know more about the MDR and the IVDR, consider visiting the RMD2019 USA conference in New Brunswick NJ on 13 and 14 June. This conference deals both with the MDR and the IVDR and is directed specifically to US companies – and I will be speaking there so you can ask me and the other experts any questions that you have.

Alternatively, join me at the Q1 3rd Annual EU MDR Implementation Conference on 16-17 July 2019 in Alexandria, VA, which is about the MDR only. You can meet me and other experts there in person to have your questions answered.
