MDR date of application next month – and the book

Finally! Another post on this blog. You would think that I would write a lot on a blog like this just before the date of application of the MDR next month, right? Well, I did – just not on the blog but I was working hard to finish my book on the MDR and IVDR before the date of application of the MDR – see below for more detail. Also, I was and remain overwhelmed with last minute advice requests about the MDR which is about to become applicable next month.

And in the end not even that many new or surprising things happened over the last months. Unsurprisingly, the date of application of the MDR was not moved again, so the date of application is really next month, and we will need to work with what we’ve got.

MDR applicable next month

What weird times right? We’ve not been at the point of being able to say that the MDR would be applicable next month so far – less than 50 days from now. Last year the date of application was moved just a little before we were able to say ‘next month’, but no such luck this year (as I’ve been predicting) so it is happening for real.

MDR roll-out has been happening slowly and still not so surely, see the latest version of the Rolling Plan. Still no harmonised standards, still no Common Specifications other than SUD reprocessing, etc. but rather a lot of cans being kicked down the road to the next quarter. Nothing out of the ordinary there.

Eudamed’s actor module is up on a voluntary basis for some time now, since December 2020. I have been able to play around with it and have been able to see that the promises around personal data protection are definitely not met. If you want the (mobile) phone number of a PRRC for a given manufacturer or importer, scraping it out of Eudamed is just way too easy. If I were a recruiter in the devices industry or looking to hire my competitor’s PRRC, this is where I’d look. If I were a manufacturer, I’d think a bit harder about creating a prrc@manufacturer.medtech email address and not having them put in their mobile phone number, for example.

The transitional regime of the MDR still keeps causing problems for many companies, and this will increase over the next months. On the one hand because it is truly kind of complex, on the other hand because companies have often not been planning ahead very well and are now finding that they have truly and irreversibly painted themselves into a corner.

And then there is of course the unproductive situation that some member states now allow their notified bodies to do remote audits for the MDR (e.g. Netherlands) and some do not (e.g. Germany). This shows how far we still are from an EU Health Union. Come on, if member states can’t even agree on this, how should they face the even bigger challenges that we will no doubt face down the road? My true European heart breaks in face of this pointless divergence.

Another problem is that (I am finding) the economic operator regime and the transitional regime in the MDR are still very badly understood by many economic operators, which leads to some specific problems in M&A.

Economic operators

A large part of the issues with economic operators comes from companies not understanding the concepts of ‘placing on the market’ and ‘making available’. This is the result of simply not reading the Blue Guide. “Does an importer need to physically touch the products?” – no, it says so clearly in the Blue Guide. “Does an importer need to own the products?” – it says so clearly in the Blue Guide. I’ll happily trade advice for money because that’s sort of my business model as a lawyer, but you can really help yourself as well and I love more complex questions than this. So dare to be wise and read the Blue Guide.

Another concept that companies do not seem to understand is that economic operators under the MDR and IVDR cannot be appointed (except for the authorised representative, who is mandated). The MDR and IVDR define roles, and a company fits this role or it does not, regardless of how much appointing you do. Unless the appointment itself changes the fact pattern in a way that the company fits the economic operator definition concerned (e.g. importer, by changing the supply chain in a way that the entity that a manufacturer would like to be importer also becomes importer).

How does it work if the manufacturer ships directly to customers in the Union? This is more tricky, and a business model of many companies. Companies sell direct to the Union customer and deliver the device via a fulfillment service provider in the Union. This is not a clear-cut scenario under the MDR or IVDR, but it is clear-cut under the Market Surveillance Regulation (Regulation 1020/2019), which is applicable as of 16 July 2021 and supplements the MDR and IVDR in terms of market surveillance on the points that the MDR and the IVDR do not address (like the above example). It requires that for supply scenarios in which there is no importer in the Union another economic operator must take responsibility (in our example the fulfillment service provider) for the product in order for the product to be placed on the market lawfully. In other words, happy times negotiating with your fulfillment service provider or other economic operators, because otherwise they cannot place the products on the market lawfully. And there is more, as I have explained before.

Transitional regime

One of the biggest favors you can do yourself is to understand the transitional regime in article 120 (3) MDR. Why? Well, it’s complex and many others in the devices field don’t understand it either. Like they say: in the land of the blind the one-eyed man/woman is absolute monarch. The transitional regime still holds many interesting questions, mostly as regards obligations relating to legacy devices (do articles 6, 7 and 11 to 18, 22 and 23 MDR (distance sales, claims, importers, distributors, PRRC, repacking, reprocessing, implant card, systems/procedure packs and parts/components) apply to them or not? – I think so, but there are others that disagree), and many interesting surprises that can really ruin your day as a company (see below for example under Mergers and acquisitions). More detail on this subject in a podcast with Gert Bos and me via Qserve.

Also interesting to keep in mind that the only really detailed guidance we have for the transitional regime comes from the CAMD, which incidentally has no formal role under the MDR and IVDR and no formal competence to issue MDR or IVDR guidance. Only the MDCG has this role under the MDR (see article 105), but the MDCG never issued such guidance.

Many countries that award a special status to the CE mark in their national market access procedures have difficulties understanding the transitional regime as well. Quite a few of these countries start to treat MDR certificates differently and to refuse legacy devices certificates as a basis for registration locally. You may claim that your legacy certificate is just as valid as an MDR certificate, to which you will get the reply that it’s not just as good for outside of Union purposes. And outside the Union it is not as valid, because that is not a matter of EU law but of local law. The Commission is said to have done a roadshow at some point to explain this, but it has not convinced everybody, that’s for sure.

Mergers and acquisitions

This is one area where all the problems with the transitional regime and economic operators come together to create a complex and tricky stew that can invalidate the underlying assumptions for any M&A deal if poorly understood.

One of the most widespread misunderstandings is that you can transfer CE marks, because you cannot. Either you transfer shares in the entity that has a CE certificate (share transaction), or you apply for a new CE certificate with the same or another notified body (asset transaction). Now this is where it gets interesting when you structure a transaction in a way that a new CE certificate must be issued to a new legal entity in an asset deal or a deal that is part asset deal. We know from Team NB that most of the manufacturers have gone all out in MDD and AIMDD certificates that will expire somewhere in the grace period between 26 May 2021 and 26 May 2024 in reliance on article 120 (3) MDR, with most expiring right at the back of this period.

But what has two thumbs and cannot be reissued after a significant change during the grace period? Indeed, your (AI)MDD certificate that has undergone a significant change because of the way you implemented the transaction or because you thought that you could transfer the CE mark as an asset (which you cannot) and then needed to have a new one, which cannot be issued during the grace period. You are stuck with needing to obtain an MDR certificate instead, which will cost you at least a year even if you are able to get on board at a notified body during this incredibly busy time. If you were relying on the company staying on the market during that period, the joke’s on you and your acquisition’s financial model has completely changed for the worse. And it was completely avoidable!

But there are other ways in which an M&A transaction as described in the management presentation can result in a significant change, even if you do not try to transfer a CE mark (because you cannot). The management presentation will often state things these days that are not possible because they would result in a significant change if they were to take place. In other words, management presentations occasionally claim things that cannot be true for the EU market, and should be written more carefully for companies relying on (AI)MDD certificates for (part of) the grace period.

For example, say I want to sell a medical software company that has several software medical devices, some on a CE certificate as class IIa or IIb, and some self certified class I. The company has kicked the MDR can all the way down the road with CE certificates expiring on 25 May 2024, has a plan to have MDR CE certificates in Q1 2024 and has a valid declaration of conformity for the self declared software, allowing this to also benefit maximally from the grace period. The management presentation states that the company will expand its software functionalities significantly for the class IIa and IIb software in the next two years to capture a specific service market before the competitors do. The company will also port its self declared software to other operating systems. Would you believe this if you read it? You should at the very least have some very big question marks as to whether this is even possible. All of these plans will most likely constitute significant changes in the meaning of MDCG 2020-3 on significant changes. Implementing these changes will invalidate the company’s CE certificate(s) and the declaration of conformity for the self declared software, necessitating the company to have CE marks under the MDR well before it planned to during the busiest period for notified bodies. In other words: if the company implements this commercial strategy, it will not have access to the Union market for considerable time, while it scrambles to make its notified body issue the MDR CE certificates earlier than planned (which it is under no obligation to do and will likely not have time for). Thus, the commercial strategy in the Union depends on regulatory understanding of the constraints posed by an MDR strategy that relies heavily on the grace period. So would you now still pay the same amount for this company? Probably not, because now you understand why this company is actually overpriced and the management presentation presents a strategy that the company will not be able to execute.

So, this is how you should read management presentations of devices companies with CE marks these days. Also, where possible: don’t rely on ‘transfers’ or need to re-issue (AI)MDD certificates in the name of a new manufacturer during the grace period – because you cannot. This should impact the content of management presentations and structuring of M&A transactions in the medical device sector. If it does not, now you know how to read them.

For wider context on M&A and MDR/IVDR transitional regime, check out the Medical Devices Made Easy podcast, which will soon feature a podcast in which Monir and I discuss M&A and transitional regime.

Brexit, Swixit and Turkxit

We are in a Union for medical devices that shrinks faster than it grows these days. It makes my European heart sad. For context, see my recent presentation at the Select Sciences webinar about commercial readiness for the IVDR.

Swixit is happening next month. It can now safely be said that Switzerland and the EU will not be aligned on the Institutional Framework Agreement before the date of application, which means that Switzerland is out of the Union for the purpose of the MDR next month. Swiss Medtech has made a convenient overview of what this means and recommends that everyone plan for a Swixit.

Out of the MDR Union, but not yet out of the IVDR Union – the transitional regime in the MRA keeps covering the last remaining year of the IVDD until 26 May 2022. If the IFA has not been signed by May 2022, we will have another Swixit but this time for IVDs as well.

Things are not going well between the EU and Turkey, with as most recent sad events sofagate and Turkey canceling the Istanbul Convention about domestic violence and equality for women. The relationship with Turkey is getting less and less stable, more defined by political opportunism and Turkey is clearly on a path of less and less endorsing European values, which makes it harder and harder to have it as part of the Union market. Turkxit looks exactly like Swixit from a legal perspective: by 26 May 2021 general medical devices exit, by 26 May 2022 IVDs exit. Plan for Turkxit to happen too, as it is a realistic scenario.

Brexit happened in the mean time. Yet, I still see many companies that have not understood that it actually means something when a country leaves the EU – it’s back to WTO level relationships. It means a lot of extra work to access this much smaller market, having to complete a lot more formalities to also be on the market in the UK, essentially a duplication of compliance infrastructure with associated costs. It means new trouble in Northern Ireland. That’s what Brexiteers would call progress.

IVDR applicable sooner than you think – you may already be too late for a timely CE mark

Companies with IVDs are waking up to the fact that the IVDR is on the horizon. This is sad, because many are too late already to get on board with a notified body in order to obtain a timely certification under the IVDR. Although this has been more than made clear you would think, companies still don’t seem to understand the quantum leap that people have been warned about for a couple of years now. The IVDR does not grandfather and does not contain the additional options for a grace period that the MDR was amended to include at the end of 2019. So if you have a currently self-certified IVDD IVD that is not class A under the IVDR, you must have a CE certificate under the IVDR by 26 May 2022. If you are going to start this process only now, you are most likely already going to miss that deadline. Well, it’s only core business as I routinely say to companies. Why make timely plans for effective market access in one of the biggest markets in the world, right?

For IVDRs we did receive some guidance on transitional provisions for class D devices (MDCG 2021-4), which answers the usual questions that you get if the roll-out of a new regulatory system is severely delayed but the system will still be applicable. In this case it’s about the delayed IVDR expert panels and reference laboratories needed for the approval of class D devices.

An important point made in the guidance is the confirmation that

“During the transition period, as long as no EURL has yet been designated for that specific device, category or group of device, the notified bodies may accept applications for a class D IVD and issue the corresponding certificate(s).”

When the class D device is re-certified after expiry of the initial certificate the reference lab procedure needs to be followed. While this looks helpful to get class D devices on the market, it creates a big what if when the reference laboratory does not agree with the work of the notified body for the initial certification cycle.

The book

So what have I been writing if I haven’t been writing on this blog? I have been writing my ‘Enriched MDR and IVDR’ book, which I started in 2017. It is now good enough for publication and has gone to layout. I am self-publishing it electronically as of mid-May 2021 (also next month, conveniently just before the date of application of the MDR), so watch this space. It will be available in watermarked PDF and ePub format. I’m still exploring options for distribution platforms and would welcome tips from other self published authors. Further details will be announced on this blog and I’m not taking any pre-orders for the moment.

The book is an enriched version of the MDR and IVDR as per the state of art end of March 2021, meaning that it consists of an introductory chapter discussing the MDR and IVDR generally, a mostly annotated MDR (clause by clause annotation of most articles and recitals, which was a lot of work) and a mainly annotated IVDR (clause by clause and recitals too, but with a lot of references back to the MDR because there is so much overlap).

Here is a sneak peek of two of the proofing pages for the lay-out concept (don’t mind the typos please – they’re proofing pages).

The book also contains a number of convenient tables to show overlaps between the MDR and the IVDR, the MDR/IVDR clinical investigation regime and the medicines clinical trial regulation etc. It contains many flowcharts (I love flowcharts) and graphics. And it can be yours for the price of just a couple of ISO or IEC standards (the exact number depending on where you buy them, as the price can differ considerably – I say give it up for the Estonian Centre for Standardisation and Accreditation that will never overcharge you for a European harmonised standard).

The second edition, which I’m planning for Q1 2022 now, will feature more IVDR content and of course additional MDR content as we are about to learn a lot about the MDR over the rest of 2021 when it will be applied in practice.

Finally remote initial audits, or not (yet)?

When the Commission recently published the Notice on the application of Sections 2.3 and 3.3 of Annex IX to Regulation (EU) 2017/745 and Regulation (EU) 2017/746 with regard to notified bodies’ audits performed in the context of quality management system assessment on 11 January, there was much rejoicing in the medical devices community. Yay!

It looked like one of the big stumbling blocks of hold up of issuance of MDR certificates was finally cleared. But, this is actually not the case. Or, it depends how you look at it. More precisely, it depends how the member states authorities look at it.

What was the problem again?

What was the problem again? There is this COVID pandemic going on, which tends to cause a lot of restrictions in the movement of persons as a result of national measures to prevent it from spreading. At the same time the MDR and the IVDR require site visits as a condition for the notified body to grant an MDR or IVDR certificate (see sections 2.3 and 3.3 of Annex IX in either regulation). No travel is no site visit, and no site visit is no MDR or IVDR certificate. As the epidemic persists and the date of application of the MDR and IVDR creep closer, you don’t need to be a rocket scientist to see that this will create a big problem.

In 2020 the MDCG had already issued guidance on remote audits (discussed on this blog here about MDCG 2020-4 that was further clarified in MDCG 2020-17), but this did not (fully) cover the MDR and the IVDR and moreover it did not cover initial audits, which are the audits everybody needs for their first MDR and IVDR certificates. So, too bad so sad – no remote audit for you in case of an initial application until the auditors can physically travel again.

In the mean time in the medicines field

In the mean time the authorities for medicinal products were surprisingly more lenient and practical in allowing first GMP audits. The HMA notice of 20 April 2020 on the subject (see paragraph 2.2) is quite clear about that

“For new sites/facilities in the EEA that have never been inspected and authorised, a distant assessment may be conducted in order to evaluate if the site could be authorised without a pre-approval inspection. In such cases, it should be indicated that the certificate has been granted on the basis of a distant assessment. Moreover, an on-site inspection should be conducted when circumstances permit.”

and

“For new sites/facilities in third countries where an inspection is required, and where there is no operational mutual recognition agreement (MRA) or the scope is not covered by the MRA, a distant assessment by an EEA supervisory authority may be conducted. A GMP certificate may be granted depending on the outcome of the assessment. In such cases, it should be indicated that the certificate has been granted on the basis of a distant assessment. Moreover, an on-site inspection should be conducted when circumstances permit.”

And if circumstances do not permit to do a distant assessment, there is a clock stop until they do. The notice furthermore contains some good guidance on how to make the risk assessment to determine if the circumstances so permit, for example whether the manufacturer concerned has been naughty or nice in the past, and how to actually implement a remote audit in a practical way.

The EMA Guidance on remote GCP inspections during the COVID-19 pandemic (dated 20 May 2020) even contains a complete template and roadmap for how to set up a functioning remote audit and also contains more detail on the risk assessment of the manufacturer audited.

So the Heads of Medicines Agencies in the EU and the EMA are very aligned on this, and had no issues in drafting a pretty clear notice that applies across the board. Enter the world of devices, in which things are completely different for no apparent reason.

The MDR and IVDR notice

The notice of the Commission is really kind of a non-notice. It turned out this way because it is very clear that the member states could not agree on this like they were able to do for medicines. Because, you know, medicines are really important. Ventilators, IC beds, COVID tests, who needs those in these times – right? Like in the Brexit agreement that fails to address devices but does address medicines, also with respect to remote audits, the lack of ambition on the part of member states is striking. It’s like member states still haven’t discovered devices as the crucial pillar underneath the healthcare system that they are. If the member states had been aligned, we would have had MDCG guidance, which would apply across the board. But they are not, and here we are.

So what does the notice really say? You can see that the Commission had a difficult situation to work with, and tried to do the best it could under the circumstances. The notice reiterates legal requirements and the needs for remote audits under the circumstances, but then goes on to state that this is really a member state game, because

“the national authorities responsible for notified bodies shall monitor the notified bodies established on their territory and their subsidiaries and subcontractors, to ensure on-going compliance with the requirements and the fulfilment of obligations set out in the medical devices Regulations.”

which is legally completely correct. In other words, because the member states can’t align between themselves in the MDCG, it’s every member state for itself for as long as they cannot agree. This means that, as we are seeing, some member states are willing to allow remote audits, and others do not.

While the Commission does give outlines of a framework for determining if a remote audit can take place in the notice, this is a lot less practical than the HMA and EMA guidances discussed above for medicines. Personally, for the life of me I cannot see why this could not be harmonised better. In many member states the authority for medical devices and IVDs is even the same as the one for medicines. Not everywhere, I know that, but even then they can talk to each other you would think. So what the [beep] is the major malfunction here?

The Commission ends the notice with a call on the member states to at least keep the Commission informed of what they are doing and how they implement this. That’s the best that could be achieved under the circumstances, apparently.

What to do now?

This weird situation means that the possibilities will differ from one notified body to the next, depending on how the notified body fills in the broad criteria, which in turn is based on what the notified body’s notifying member state is willing to allow. EU harmonisation at its finest! Team NB is working on at least seeing if it can align its own members in this respect, and aims to have this done by end January. Let’s see what this brings, but in the mean time the clock is relentlessly and mercilessly ticking towards the date of application.

So what can you do as a manufacturer? You do what Brian Boitano’d do: you make a plan and you follow through. Be proactive, and engage with your notified body about whether and how it will apply this because you cannot assume that there will be aligned standard practices across notified bodies (except maybe if they are notified by the same member state). If they are waiting for alignment via Team NB, indicate your willingness to receive a remote audit. Look at the criteria in the Commission notice and in the HMA GMP and EMA GCP inspections notices, think about how you can demonstrate why a remote audit would be justified and that your case passes the required risk assessment, and think about what you can offer the notified body to make the remote audit practical (what would they want to see in normal circumstances, and how can you show this remotely in a way that they can consider it audited sufficiently?).

In terms of legal recourse you could, in extreme cases, consider taking legal action against a member state that does not allow its notified body/ies to do remote audits or imposes disproportionate measures compared to other member states or compared to the medicines notices.

You might find yourself in a situation that the certificate really does not arrive in time and new products can no longer be placed on the market, under which you could be forced to consider a local exemption or article 59 MDR based exemption, although the criteria for the latter option are very strict.

Try to stay positive

Personally, I am not rejoicing very much in view of this development and have a hard time staying optimistic about it. I had a spike of enthusiasm when I saw that a notice about this had been published. And then the disappointment came. Now I’m just trying to stay positive and hope this sorts itself out for the best. Maybe there will be alignment after all in the last months before the date of application – oh, wait. That’s where we are already.

To me it seems we need a change of culture in the EU because this non-notice shows how the member states are failing the patients, failing them badly. This is low hanging fruit. There is a precedent in medicines. What more do you need?

If there is one thing that the COVID epidemic has shown, it is that on the one hand member states are ill-equipped to deal with bigger healthcare challenges by themselves, but on the other hand are too stubborn to equip the Commission with the tools to at least create aligned policies. This goes back to article 168 TFEU, which provides that medicines and devices are basically to be regulated as widgets in the internal market, with secondary healthcare aspects. But otherwise the EU should stay off of any real healthcare policy (this is a bit simplified, but essentially what it comes down to). Yes, there is some movement with joint vaccine procurement and a very general healthcare policy, but this is not very much and certainly not a revision of article 168 TFEU.

At the same time we see member states under-resource national competent authorities for medical devices because we have European laws and a system that sort of took care of itself historically, right? This leads to the terrible situation where the lame (the Commission with insufficient competences to make a difference) has to herd the blind running all over the place doing their own thing (the member states that don’t see the need for a coordinated healthcare policy and underresource national devices authorities) – which is not productive at all. And how can this be explained to patients? That’s quite a challenge if you ask me. The reality now is that for example German restrictions on their notified bodies may lead to Swedish patients not having access to certain essential devices. That is the reality of the internal market and the reason why this problem is bigger than any single member state. By necessity, this means that the solution must also be bigger than any single member state, and that, unfortunately, requires a culture change that I have been advocating for a long time.

The notice contains an almost cynical closing statement by the Commission in relation to a request for member states to at least inform the Commission:

“In particular, given the difficulties to fully quantify the extent of the problem in advance, namely the need to recourse to extraordinary temporary measures in order to ensure continuous availability of devices and prevent the potential risk of shortages, it is vital to carefully follow how these measures are applied in practice.”

So, member states, please show some ambition here and know your limitations. If the problem is bigger than you can handle yourself, enable action at EU level. Europe is supposed to have the best healthcare system in the world, but looking at this mess you would really not think that. Nothing to be proud of, especially since a proven solution is right in front of you.

But before I get too cynical (this epidemic takes its toll on everyone including me these days) let’s see how things develop. The best thing to hope for is quick alignment between member states after all, and a very clear and detailed MDCG guidance. If the member states can agree about this stuff for medicines, why not for devices?

Let’s see if we can make this work for the better, rather than have it be dysfunctional for no apparent reason.

Outlook for 2021 – and happy new year!

Something new for the end of the year: a new year’s vlog with my rough 2021 outlook.

This outlook is far from complete and not comprehensive at all, and it leaves out many other important things. Make sure to stay informed (or as Kant the philosopher said: dare to be wise)!

If you like this vlog and would like more vlogs instead of text, be sure to let me know.

Happy 2021, put it to good use, stay safe and stay sane!

Links to content discussed in the vlog:

Team NB paper on expiring certificates

MHRA medical devices regulation page

My post on the brexit deal

My post on Schrems II and GDPR

My post on the Market Surveillance Regulation

My post on the urgency with the IVDR

My post on to-dos for class I devices manufacturers

The Brexit ‘deal’ – what’s (not) in it for the medical devices industry?

Spoiler: at the moment basically nothing except more paperwork and trade barriers. It’s still a hard Brexit with a little sugar on top, essentially.

Or, if you are a more glass half full kind of person: at least not all the way back to WTO rules but just one step above that.

After a long, slow process with many twists and turns the Brexit deal finally dropped the day before Christmas. This ‘deal’ is nothing less than a somewhat controlled full reset of the entire EU-UK relationship because this was the best parties could achieve under the circumstances.

In my view this ‘deal’ and the negotiation process represent every problem that the EU was set up to solve, so in that regard it will be an interesting experiment to see what life is like on the outside for a former member state. Unfortunately history is too kind these days for people that stake their country’s economy on the roulette table of populism for short term electoral purposes (my strong personal opinion about root cause here), so I don’t expect this experiment to yield any reliable conclusion in the end because nobody is going to admit this was a terrible idea, even if everyone agrees that it was.

Mainly goods, mostly not services

The deal is mainly about goods, and almost not about services (a little bit about financial services though). If you provide services additional to devices, there’s basically nothing in it.

General principles about trade in goods have been agreed, but need to be firmed up over time. More specific arrangements have been made for medicines for example, but not for medical devices. These facilitations for other specific products of mutual interest, such as automotive, wine, organics, pharmaceuticals and chemicals do not include medical devices. Medical devices are part of the ‘general’ arrangements for all CE marked goods, which means that as of 1 January (when the extended transition period after the UK’s leaving the EU on 31 January 2020 ends) medical devices trade between the EU and the UK is fully subject to the general goods regime in the new agreement.

What this means has been painfully clear from the very beginning: the UK may choose to accept CE marked devices on its market (and has announced it will do so because it has no choice), but the EU will not do the reverse. Consequently, all UK established devices businesses will be working with double regulatory standards as of 1 January, and with the formalities that go with that situation (see here for a rundown of the UK MHRA for regulatory formalities and transition on the UK side). In that sense the situation set out in the Commission’s January 2018 notice on trade in industrial products, restated in 2020, has now materialised.

In more detail – what could the future look like?

An important part of the Brexit negotiations were about who has the final word on (regulatory) standards. Positions taken in this regard will set the boundaries for future cooperation. 

For the EU, mutual recognition arrangements are only possible if the European Court of Justice has the final word about the interpretation of EU law exported via the mutual recognition agreement. Since export of regulatory standards is a major source of power for the EU, this will not be negotiable. However, this is precisely not what the current UK government wants (‘take back control’), which means that the UK is far removed from a Switzerland-like mutual recognition agreement and even further from more seamless cooperation (like the EEA agreement). The UK seems to have landed on ‘Canada plus’ as a result of the specifics of the agreement on customs formalities (although no customs union) and tariffs.

Unless that changes, the future will be one of separate regulatory silos, with some basic rules on tariffs and customs formalities. For the moment, UK businesses (and international companies doing business in Europe via UK businesses) are stuck with having to accept standards in the EU that the UK has no more influence over and hoping that the UK does not diverge in its own standards to the point that it will become costly to comply with the additional regulatory system created by the UK for itself. Politicians will try to sell this as progress. Sure, diverging standards might give UK businesses an edge, but only for the UK market. In the end the devices developed will still need to meet standards outside the UK too: the UK will still follow international standards like ISO and IEC in order to be able to sell its products abroad. Also, diverging to the point that it would lead to unfair competition would lead to unilateral EU countermeasures.

For those that like to look for themselves: devices go in the ‘trade in goods’ bucket under Part Two, Heading One: Trade, Title One: Trade in Goods (there will be basic goods trade just above WTO standards), Title X Good Regulatory Practice (there will be regulatory cooperation on a voluntary basis) and Title XI Level Playing Field (subject to EU precautionary principle). As you can see, there is not much there compared to the acquis of internal market regulation. 

Notified bodies

For the remaining UK notified bodies for devices the Brexit now means that they lose their notification for the EU directives and new regulations and that their remaining certificates are invalid as of 1 January, unless timely re-issued by an EU-27 notified body. It also means that these bodies will not be able to do surveillance for directive certificates after the date of application of the MDR (and later IVDR) because the certificates have become invalid. This writing has been on the wall since early 2018.

Placing on the market

For companies in regulatory problems understanding the concept of placing on the market again becomes paramount.

Devices placed on the market in the EU by 31 December 2020 (which still includes the UK until that date) will be able to circulate in the internal market freely. Devices placed on the market as of 1 January will be faced with the new situation: no free movement between the UK and the Union. Also this writing was on the wall for a very long time already and will be or have been relevant if your company has a supply chain running through the UK.

Data protection for data processing devices and services

For devices companies that process personal data in the meaning of the GDPR in the UK, note that the adequacy finding for the UK has explicitly been excluded from the agreement. That means that by 1 January the UK is fully in the Schrems II boat as a non-EU jurisdiction: you will need a transfer basis like standard contractual clauses but with additional due diligence / upgraded standard contractual clauses or explicit consent for non-structural transfers.

Update 14 January 2021: I had initially missed the 6 months transfer provision in the Brexit agreement, meaning that until 30 June 2021 transfers between the EU and the UK do not count as third country transfers. If there is no adequacy decision about the UK data protection regime by that date (which is not unlikely at all) then as of 1 July 2021 these transfers are third country transfers, as clarified in the European Data Protection Board’s updated note of 13 January.

Conclusion for the moment

The analysis in this blog is far from complete as I haven’t been able to read the complete package yet that forms ‘the deal’, so stay tuned for more (for example on the complex situation of Northern Ireland).

Also, the ‘deal’ is a deal between negotiators. This is a stage where we’ve been before just over a year ago and then the UK parliament decided that it had sent a negotiator without sufficient mandate, which set back the process enormously. This could happen again.

From the EU side, the whole formal ratification mechanism still has to take its course. So far I am very impressed by the degree of organisation and unity on the part of the EU and its Member States, which is usually very different in other dossiers. 

The EU Court’s Schrems II judgement – urgent revisiting of international personal data transfer mechanisms required

Wasn’t the MDR about More Data Required, and the same for the IVDR? Aren’t more and more devices running software that processes patient and user data? Isn’t the medical devices industry a very international business? Indeed – so the ability for companies working with the MDR and IVDR to transfer personal data internationally for all kinds of purposes MDR and IVDR related such as clinical investigations, PMCF/PMPF, usability testing, trouble shooting / support, registries, communication of dimensions of custom implants, training of AI, cloud storage of patient data, linking patients to samples, eHealth and mHealth solutions, moving of IVD test results from one place to the other – basically anything involving clinical data that is personal data – is an important thing.

Since data is the blood pumped around in the MDR and IVDR architecture, I address data protection issues on this blog to raise awareness (for example here (about data subject damages), here (about cybersecurity) and here (more general about MDR/IVDR and GDPR)). I find in practice that companies and service providers in the medical devices industry often can do a much better job at data protection compliance and do not design their products and services with data protection principles of privacy and security by design in mind. The MDR and IVDR require you to manage risks with safety principles in mind, and the EU’s General Data Protection Regulation (“GDPR”) is no different: like the MDR and IVDR it requires risk management as a design factor. For EU purposes both physical integrity and privacy are fundamental rights of patients and users of devices, which is reflected in the requirements in the MDR and in the GDPR. This is why I advise companies to integrate design processes under the MDR and IVDR with those under the GDPR and not treat devices RA/QA and privacy as different silos in the company. The MDR and IVDR on the one hand and the GDPR on the other hand share many important links, so non-compliance with one of them will often imply non-compliance with the other, for example with regard to cybersecurity.

This blog is a co-production with my firm’s data protection expert Cécile van der Heijden, who wrote the biggest part of it, and it addresses the recent GDPR bombshell judgement of the European Court of Justice (“CJEU”) in the Schrems II case, of which the impact on international transfers from the European Economic Area (“EEA”) to third countries can hardly be overstated. The CJEU press release about the Schrems II case can be found here.

International transfers and the Schrems case

The GDPR allows transfers of personal data to a third country outside of the EEA only if the transferring party has provided appropriate safeguards and ensured that enforceable data subject rights and effective legal remedies are available for data subjects. Every medical devices company or service provider to that industry that works internationally and has some kind of connection to substance outside the EEA, uses cloud services or engages service providers that transfer data outside of the EEA (for example because they use cloud service providers or entities outside the EEA) will be directly or indirectly transferring data internationally.

This is why the CJEU’s judgement of 16 July 2020 in the Schrems II case (or the second Facebook case as it is known too) was so much anticipated. The case concerns conditions for transfer of personal data out of the EEA to the United States under an adequacy decision (in this case the EU-US Privacy Shield Framework, (“Privacy Shield”)) and standard data protection clauses (“SCC”). More particularly, the Schrems II case concerns transfer of personal data from Facebook Ireland Ltd to Facebook Inc in the US for processing. The judgement was rendered in a preliminary reference procedure in which the CJEU has answered questions of the referring Irish court concerning:

  • the applicability of the GDPR to transfers of personal data to third countries outside of the EEA, focussing on the SCC laid down in Commission Decision 2010/87 (EU controller to non-EEA processor);
  • the level of protection the GDPR requires in relation to such transfer;
  • the obligations that are imposed on supervisory authorities in relation to such transfer; and
  • whether both Commission Decision 2010/87 and Commission Decision 2016/1250 (the adequacy decision concerning the EU-US Privacy Shield Framework) are valid.

GDPR applies to transfers of personal data to third countries outside of the EEA

The CJEU has confirmed in Schrems II that – unsurprisingly and contrary to what was argued in defense – the GDPR does apply to a commercial transfer of personal data between two economic operators (terminology that also can be found in the MDR), even if the personal data is also processed by the authorities of the third country in which the recipient is established for the purpose of public security, defence and national security, for example by intelligence services.

Privacy Shield invalid as legal basis for transfer

The CJEU declares the EU-US Privacy Shield framework invalid due to the absence of adequate level of data protection in the US due to the existence of extensive governmental surveillance programs that lack effective judicial review and do not protect the rights of data subjects established in the EEA. Most notably, these surveillance programs in the US concern the US Foreign Intelligence Surveillance Act (“FISA”) and US Executive Order 12333. Privacy Shield does not offer sufficient safeguards in relation thereto.

SCC valid as a legal basis for transfer, provided that country of import offers equivalent protection as GDPR

At the same time, the CJEU declares that the SCC (as laid down in Commission Decision 2010/87) are valid as a mechanism but cannot be regarded as a ‘tick the box’ exercise because  the rights offered to EEA data subjects abroad should be, at least, at an equivalent level to those guaranteed under the GDPR. This means that all transferring parties, regardless of whether the personal data is transferred by a controller or processor, have a responsibility. This requires a risk assessment by the parties involved in the transfer. They must verify on a case-by-case basis (where appropriate in collaboration with the extra-EEA recipient of the personal data) whether the laws of the third country to which the personal data are transferred offer adequate protection in line with the requirements of EU data protection law.

The way that the legal framework in the country where the recipient is established works may lead to a need to provide additional safeguards in addition to those documented in the SCC. It goes without saying that this holds relevance for all SCC adopted by the European Commission beyond those documented in Commission Decision 2010/87. As most companies transfer personal data under SCC in absence of an applicable adequacy decision, this decision of the CJEU directly impacts nearly all parties that transfer personal data to outside of the EEA.

The CJEU requires a case-by-case review whether the laws of the third country in which the recipient is established respect data subject rights at a similar level as the GDPR, including by allowing for judicial review where the authorities have access to the personal data, e.g. for intelligence purposes. Where such level of protection cannot be met, the transfer must be suspended or the agreement between the parties must be terminated.

Immediate consequences Schrems II

The primary consequence of Schrems II is that personal data can no longer be transferred to the US under the Privacy Shield, meaning that companies must suspend all such transfers until another permitted transfer measure under the GDPR has been applied. Although Schrems II only concerns the SCC documented in Commission Decision 2010/87, the criteria set for the use of SCC have broader applicability. As a result, all transfers under SCC, regardless of the exact country to which the personal data are transferred, require a thorough and adequately documented review of the legislation of the recipient country for the transferring party to be able to demonstrate a lawful transfer.

Schrems II shows that general legislation that allows processing of personal data in as far as is necessary in a democratic society to safeguard, inter alia, national security, defence and public security which is subject to effective judicial review is acceptable. However, far-reaching processing of personal data by public authorities (i.e. through intelligence surveillance programs) in a third country that is not subject to effective judicial review does not offer the required level of protection to EEA data subjects. For example, the US Ombudsman linked to the Privacy Shield has no effective control over EEA data subjects’ data being processed by the US intelligence services. Based on these criteria the CJEU ruled that the US does not offer appropriate levels of protection of data subjects similar to those offered in the EEA.

Schrems II has far reaching consequences for all EEA-based companies who collaborate with US businesses (e.g. for research activities or for intra-group activities, such as internal transfer of pharmacovigilance data, clinical trial data or post market surveillance data), use US-based processors (service providers) certified under the EU-US Privacy Shield (including CROs, cloud providers and providers of cookies for company websites) and for all other EEA-based companies that use SCC to transfer personal data to recipients.

While it may be difficult to perform the required review of national law of the receiving country, Schrems II has created an immediate problem in relation to transfers of personal data to the US, even where such transfers take place under SCC if no additional measures are taken. As the CJEU has determined that the US currently does not offer an adequate level of protection in line with the level of protection offered in the EU under the GDPR in relation to Privacy Shield, it is difficult to imagine how a transfer to the US under SCC will be considered adequate as these transfers will be subject to the same controls in the US. Therefore, where FISA or Executive Order 12333 are applicable to personal data transferred to the US, Schrems II effectively endangers transfers of those personal data to the US due to the lack of adequate protection of data subjects subject to the GDPR without the transferring parties adopting additional measures. While the CJEU has performed an analysis of the level of data protection offered by the US, the same would apply to a transfer to any other country outside the EEA that is not subject to an adequacy finding and where processing of personal data by the government (including for surveillance purposes) takes place beyond what is reasonably necessary in a democratic society.

There is another issue with the use of SCC: even where the assessment required by Schrems II can be conducted in practice, the SCC available do not cover all possible transfers. For example, a transfer between an EEA-based processor and a controller based in a third country is not covered by any SCC model, albeit that a solution is allowed if an EEA-based controller signs the clauses with the receiving controller.

Currently, SCC have only been adopted for transfers between two controllers and for a transfer between an EEA-based controller and a processor established outside of the EEA. While certain supervisory authorities may be convinced to allow broader use of the existing standard data protection clauses outside of their original context, this is not a universally accepted solution. Consequently, this approach requires clearing with the relevant supervisory authorities to avoid non-compliance with the GDPR.

Are other transfer measures than Privacy Shield or SCCs possible?

SCCs are not the only appropriate safeguards that can be used in absence of an adequacy decision but are (in general) the only safeguards readily available. Many appropriate safeguards require prior approval of a national supervisory authority or even the involvement of the European Data Protection Board or the European Commission. For example, the waiting time for approval of binding corporate rules by the Dutch Data Protection Authority is currently three to five years. Additionally, barely any codes of conduct have been approved thus far and can therefore not offer any solace. Such appropriate safeguards are therefore not workable for any company that is currently already undertaking transfers and wishes to continue these transfers. However, it is to be expected that application of other safeguard measures under the GDPR is held to the same standard as the use of SCC.

Where it cannot be established that national law in the country where the recipient is based offers sufficient protection to data subjects, the transferring party may be able to base the transfer on one of the derogations of article 49 of the GDPR. The EDPB considers these derogations to be exemptions from the

“general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards”.

However, as the EDPB has clarified, such transfers are limited to occasional, non-repetitive transfers and therefore offer no solution for large scale transfers.

Next steps for EU authorities and next steps for companies

It is expected that the collective supervisory authorities and the European Commission will provide additional guidance in relation to the consequences of Schrems II. We also expect the supervisory authorities to provide clarification on the exact parameters of required review of national law in the country where the recipient is established as such extensive review will be difficult to realize for any company. The Dutch Supervisory Authority has indicated that the European Data Protection Board, in which all national supervisory authorities and the European Data Protection Supervisor are united, will soon provide guidance concerning the additional measures companies can include in the SCC. Authorities on both sides of the Atlantic need to quickly figure out what this judgment will mean for them, and how they will work with international data transfers in the future. The EU authorities will need to be more practical about what the required standard is, and other authorities will have the opportunity to improve the quality of data protection regulation to take fundamental rights into account better.

We currently do not expect supervisory authorities to immediately begin enforcing Schrems II as the supervisory authorities are still reviewing the best manner to deal with Schrems II and how to apply the judgment in a practical manner. Nevertheless, we advise all companies transferring personal data to the US directly or via a (sub-) processor under Privacy Shield as well as companies using SCCs for data transfers to carefully map out any transfers that they are currently undertaking and make a best effort assessment whether the country of import offers protection of the rights of data subjects that can be considered adequate in the light of the GDPR (Schrems II does not require identical protection, but adequate protection).

Documentation is key for compliance after Schrems II. Companies should be transparent and document their analysis of national law in the country of import in detail. As a minimum, such analysis should include a review of:

  • the applicable data protection legislation in the country of import;
  • applicable legislation on surveillance by public authorities in the country of import, including in transit situations;
  • the availability of data subject rights, including judicial review of such processing activities by the public authorities in the country of import;
  • the scope, volume and application of the aforementioned measures.

Supervisory authorities or the European Commission may provide additional or different requirements for such analysis of national law in the country of import.

Regarding US transfers, there does not seem to be a way for data transfers to proceed legally in full compliance with the GDPR at the moment. To limit all risks companies may consider (temporarily) suspending personal data transfers from the EEA to the US until official guidance on the consequences of the Schrems II judgment becomes available. They should consider carefully which additional contractual safeguards can be incorporated under SCCs and have SCCs in place where they or their services providers relied on Privacy Shield. Where suspension of transfers is impossible in an individual case (for example in relation to ongoing treatment that cannot be postponed, ongoing participation in a clinical trial with an extra-EEA sponsor or manufacturing of a custom made implant outside the EEA), we advise to review whether such transfer can nevertheless take place under a specific derogation of article 49 of the GDPR. The information obligations of the transferring party in relation to the use of a derogation may increase due to Schrems II.

Where companies continue to transfer personal data under SCC or a derogation, rigorous application of the principle of data minimisation and the use of encryption may serve as a non-regulatory solution to provide a degree of technical protection against import country scrutiny of data. This would help in meeting the requirement to apply extra measures in addition to the SCC as referred to in Schrems II. Nonetheless, such measures by themselves do not constitute a legal basis for an adequate transfer in compliance with the GDPR.

Schrems II makes implementation of the basic principles of data protection in the GDPR very relevant, as this ruling emphasizes that ‘with big data comes great responsibility’. The more personal data that a company collects and exports, the more responsibility it takes on. Questions? Cécile and I are at your service.

Standardisation request for MDR and IVDR refused; now what?

A new blog post, a new step in the soap that is the non-transitional period of the MDR and the IVDR.

I have jokingly paraphrased the absurdist painter Magritte by saying “ceci n’est pas une période de transition”. I’m contemplating starting a T-shirts business with memes for the MDR and IVDR, with that meme and others, like “Regulatory Cassandra” and “I worked myself into the ground to meet the MDR DoA and all I got was this one year delay which is not a delay actually”. And of course for the IVDR I’m still negotiating with the History Channel Ancient Aliens guy to use his portrait on the “Alien invasion scenario, anyone?” T-shirt for my IVD industry readers.

Not a soap, a telenovela

So what is the new episode in the soap you ask? I bet you have some idea from the spoiler in the title of this blog.

At this point I would not even call the MDR and IVDR transitional period a soap anymore, but rather a full blown telenovela. For those that think they know me: did you know I have South American roots (but contrary to popular belief am not a 65 year old Olympic sailor and Sjoerd’s twin brother)? Watching telenovelas with my thirteen year old daughter is one of my guiltiest pleasures. My predicament at the moment is that Netflix still has not released the last season of Jane the Virgin in the Netherlands. Not cool, Netflix – it’s been available elsewhere for a long time already.

Telenovelas are characterised by convoluted subplots involving three or four different settings and involve set archetypical scenarios with surprising plot twist using classic style figures, but overall narrate a set story arc. Contrary to soap operas, which normally have an open end and can last theoretically forever, a telenovela is planned for a specific period unless extended by unforeseen circumstances (such as pandemics, alien invasions or unexpected success).

Sounds a lot like the MDR and IVDR transition, right? Let’s zoom in on the subplot of standardisation, since I already gave that much away in the title.

The standardisation sub-plot in the MDR / IVDR telenovela

As I mentioned in my last blog, the standardization bodies CEN / Cenelec would decide on the standardisation request for the MDR and IVDR by 17 June. I also mentioned that not everyone was happy with the request as it went in. It contained references to standards that would be outdated by completion (or even already were at the date of the request), the request was not complete, the request was (way too) late, etc. Those that did not openly criticise the request were probably thinking an imperfect and late request was better than no request.

So 17 June came and went last week and we heard nothing. At least, not publicly. However, I was able to confirm from various sources by the end of last week that the request had in fact been rejected by CEN / Cenelec on 16 June (this was confirmed by the Commission in the MDCG subgroup on standards on 19 June and posted by a Commission official on LinkedIn) – they are not going to embark on this project and, procedurally, a new (amended) request will be necessary. This leaves the standardization project under the MDR and the IVDR without legal basis for the moment.

The background of these things is always kind of political but it seems that the main reason for rejection of the request can be found in the persisting tension between the Commission and the standardization bodies about the outcome of the standardization process: the Commission wants standards that are as close to what it sees as European requirements, and the standardization process delivers standards that are state of art according to the experts involved in the standardization process. As a result of EU court case law the Commission has been on a mission of greater influence over the interaction between standards and regulations. So, my dear readers, as you will understand: this tension is only to be expected because relationship drama is a necessary ingredient of any telenovela.

We did learn that another iteration of harmonised standards under the directives is under preparation, likely to arrive end of this year. You can already put that on your planning. What? You disbanded your whole MDR transition team already and have no resources for this? Not so smart after all. 

What now?

Like in a telenovela, this is obviously a plot twist. As a company with some sense you had already planned (or finalized) your technical documentation without relying on a presumption of conformity against MDR harmonised standards, because this was a likely outcome of the scenarios that you had been planning for (if you haven’t read the ISO 31000 standard, it’s still not too late). This is not your first telenovela, right?

If you’re in IVDs, maybe not count on harmonised standards being available in time – that’s a likely scenario. Why not you say? May 2022 is still far away? As you will have read in my last blog on this subject for the IVDR, it totally is not. And I guarantee you that we will not have harmonized standards under the IVDR before you need them this summer and autumn.

This means that under all circumstances anyone having to file a conformity assessment application under the IVDR or MDR soonish will not have harmonized standards to rely on, and can therefore not rely on a presumption of conformity under the MDR and IVDR.

Back to state of art – for the moment

Dios mio! No presumption of conformity! Why do we even have standards then? 

This development does not mean that you cannot rely on international standards at all. Actually, not relying on them at all will make things much more complicated because you lose a common frame of reference with your notified body.

What you will need to do is go back to basics for your GSPRs, as GSPR 1 both for the MDR and IVDR sets out: you will be ‘taking into account the generally acknowledged state of the art’. This means that for each of the standards you reference you will have to draft rationale that the requirement referred to in that standard is state of art for the GSPR that you reference it for. While you may think that the latest standard adopted necessarily reflects state of art, I recommend not to presume this. Check this approach with your notified body before you deploy it across the board. Notified bodies may have had other marching orders from their competent authorities, because those latter ones look at what they think are requirements, and may not necessarily agree that the latest adopted standard reflects those correctly. 

Notified bodies position?

It would be fantastic if notified bodies could be explicit publicly about whether they endorse the approach of ‘latest standard adopted = always state of art’ across the board, because that would make life a lot easier. It would be a kind of de facto presumption of conformity that companies can operate on until the harmonization request does yield harmonised standards.

Good news: it seems that there are ongoing efforts in that direction. Bad news: if that happens you may need to revisit your technical documentation for the Z annex gaps defined in the harmonized standards if and when these are finally adopted. I would recommend to keep thinking about what a Z annex might look like for a given standard, and how its adoption would affect the technical documentation.

Common specifications anyone?

We are in the telenovela space, so plot twists are always a possibility (as I tend to say: scenario anyone?). In the presentation to the MDCG standards subgroup the Commission seems to be hinting (or maybe making a veiled threat, depending on how you see it) at development of Common Specifications (CS) under the MDR.

I must say that this is one of the options that came to mind for me as well when I heard the first rumors that the request had been rejected. However, if we look at the Commission’s less than stellar track record on adopting the only two CS that we actually must have under the MDR (one for reprocessing of single use devices and one for the non-medical Annex XVI devices) then the Commission and its chaotic family member the MDCG do not really seem capable of drafting and adopting the scope of the standards in the request plus the work that the HAS consultants would still need to do to draft the Z annexes to define the gaps between the standards and the requirements in the short term. I would chalk this option up to theoretically possible, but not likely.

More likely would be adoption of several targeted CS for some of the requirements under the MDR and IVDR where the EU is not happy with the available standards as being ‘insufficient’, which is exactly what the CS were intended for in the first place. So I would not dismiss the CS option altogether.

As is the rule with telenovelas however, you don’t find out the truth until the last five minutes of the series’ finale. COCIR predicted a decline in harmonised standards for medical devices, so it would not be surprising if this gap would be bridged with CS. 

¿Qué es lo siguiente?

What will be next in this riveting rollercoaster? So many sub plot options! The relationship drama between the standardization bodies and the Commission might take an unexpected turn with CS replacing standards, although this is not so likely I think. There may be lots of drama though as they sort things out. After all, this is a telenovela.

The Commission will go back to the drawing board and will work on a new request now, and will have to discuss with CEN / Cenelec how to arrive at a new request that can work for all involved. Since the drama between the standardization bodies and the Commission is in Annex III of the request, which describes the general and specific requirements for the harmonised standards, this is where the magic will need to happen:

[Screenshot]

I expect that this magic will include, specifically, some developments in the “information on the relevant applicable requirements or parts of the relevant applicable requirements that are not covered by it” (Annex III, part A sub 2) – the Z annex gaps – and in the way that the Commission thinks standardization for devices is supposed to function under the MDR and IVDR. Since telenovelas normally revolve around a family secret, we will also have to live with the thought that we will likely not get to the bottom of this completely as the family secrets are unfortunately never transparent.

The Commission may have to be a bit more like Rogelio in Jane the Virgin when he learned that Xo was pregnant with his arch nemesis’ baby: supportive of whatever choice she would make about it because it was her choice to make and not his. If you’re in it together because you are a public-private partnership, be part of the solution to make it work – a presumption of conformity, after all, does not define the legal standard as such. But, as Rogelio said himself: “If you knew anything about telenovelas, you’d know that everything is supposed to be dramatic!”

The urgency with IVDs and the IVDR

Many people ask me these days: why the urgency with IVDs? The IVDR’s date of application (26 May 2022) is still almost two years away. Why the hurry?

The hurry has everything to do with simply counting back from the date of application and understanding the requirements of the IVDR.

Notified bodies are very scarce

By now, everybody will know that 85% of the IVDs under the IVDR need conformity assessment by a notified body as a result of a radically new classification mechanism – also the devices already on the market. Just like the MDR the IVDR does not do grandfathering. For those who have missed entirely what the IVDR is about, here is a summary:

Because the IVDR does not do grandfathering this means that unless your IVD is a class A IVD (instruments, specimen receptacles and general lab use products etc.) under the IVDR, you will need a notified body to perform a conformity assessment that hopefully results in a CE certificate.

Do notified bodies for the IVDR grow on trees? They certainly do not. In fact, there are very few of them – you would like them to grow on trees. At the moment there are de facto only two (BSI and Dekra Germany), with two more in the pipeline for notification in the short term. If all notified bodies that applied for designation are finally designated we will have about eight or nine. That is far fewer than we had for the IVDD (22), which were responsible for a much smaller share of the IVDs under the IVD Directive. In other words: far fewer notified bodies that have to do much more work. Sounds like a bit of planning to make sure that you are top of the list is a sensible thing to do.

Since a notified body needs time to perform a conformity assessment, you have to count back from the date of application to know when you should file your application for conformity assessment. Notified bodies will generally need a year from application to CE certificate, if there are no hiccups and the dossier is completely impeccable.

This puts you in May 2021 for having handed in your IVD conformity assessment application, if you are going to cut it as close as possible and are not going to plan for any unforeseen delays in the assessment procedure (second wave of COVID-19 anyone?) and are willing to apply to a very limited number of notified bodies when everybody else is doing the same. Sounds like solid risk management, right? So maybe you want to apply earlier than that, say end 2020.

End 2020 you say? That’s end of this year! Indeed, and that is assuming that you have all the data required for the application. Chances are that you do not, so read on.

Clinical performance study data or justification of absence is needed

As a rule the IVDR requires clinical performance studies as a source of clinical performance data (article 56). The IVDD generally did not put that much emphasis on clinical performance data, but was more concerned with scientific validity and analytical performance data.

Overview of clinical evidence from MedTech Europe, “Clinical Evidence Requirements for CE certification under the In-Vitro Diagnostic Regulation in the European Union”, p. 16

This means that many IVD manufacturers have not done clinical performance studies, ever. At best they have some post market performance data that may or may not include clinical performance data. The rule is that they must do clinical performance studies unless it is duly justified to rely on other sources of clinical performance data. 

This means that a manufacturer

  1. needs to have an idea about the gap of clinical performance data,
  2. needs a plan to close the gap before submitting the conformity assessment application to the notified body and
  3. preferably has an idea about whether this plan is sufficient for the notified body, so will need to have engaged with the notified body about this.

If there is a gap (start with that as a safe assumption) then the manufacturer must either generate new clinical performance data for the IVDR conformity assessment application, even if the test has been on the market for many years under the IVD Directive, or justify relying on other sources, like some data Rembrandts in the attic in the form of a hoard of post market (clinical) performance follow-up data that he has accumulated methodically over the years.

Where the manufacturer relies on literature searches or other data in the technical documentation of a legacy IVD (especially the self declared ones), it may be good to realize that the bar has gone up regarding presentation of that data as well. The MDCG guidance on clinical evidence for legacy devices refers to sections of MEDDEV 2.7/1 rev. 4 that are considered relevant to the MDR as they contain helpful information regarding how to perform activities associated with clinical evaluation, including literature searches. While this guidance applies to the MDR only, it does give an insight into expectations of activities associated with clinical evaluation. A number of other MDCG guidance documents relating to clinical / performance evaluation explicitly apply to both the MDR and IVDR (such as MDCG 2020-1 on clinical/performance evaluation of software), and there are guidance documents not about clinical/performance evaluation that also apply to both (such as MDCG 2019-7 on the PRRC). Other guidance that does not necessarily concern clinical evaluation and that only applies to the MDR may be relevant to take into account under the IVDR too.

This gives you the period between now and end of 2020 to compile, and if necessary, generate any performance data required and integrate it in your technical documentation for the conformity assessment application.

And if you need to do an additional clinical performance study to close the gap, can you do this in half a year? You might already be too late when you read this.

For a lot of detail and very practical guidance on clinical evidence requirements under the IVDR I suggest (again) that you absorb the excellent MedTech Europe document Clinical Evidence Requirements for CE certification under the In-Vitro Diagnostic Regulation in the European Union and make good use of it. 

EU GDPR compliance for performance studies required

Ah, but not to worry! We have performance data from samples, and worst case we still have access to old samples that we can run a study on.

However, there is a catch: samples relate to persons and personal data is protected in the EU – and the IVDR takes this very seriously. The performance study (including those using left over samples or relying on other secondary use of samples) must have been performed in accordance with the EU General Data Protection Regulation or its predecessor directive (article 57 (3) IVDR).

But, phew – the samples were anonymised because they cannot be directly linked to patients anymore. This is actually not what anonymised means in Europe: as long as it is still possible to link a sample to a person (e.g. by using the key that the hospital has) then the data is not anonymised but pseudonymised and still subject to full data protection controls because the EU takes protection of personal data concerning health very seriously.

See about all of this a presentation of mine from a long time ago at the RAPS Convergence in Washington DC (September 2017), long ago at a time that we could still travel:

This was by the way also the conference at which people expressed absolute disbelief about the theory that there might be only five notified bodies for the IVDR. And with a window to reliably file before the end of this year, we now have two of them – so here we all are. Maybe I was not so wrong here after all.

Long story short: the notified body may inquire about how this data protection compliance has been arranged, and then you need to be able to demonstrate that you acquired the data lawfully.

Data protection authorities in the EU may also ask you to explain, and can prohibit the use of data not processed lawfully – and they know a lot more about lawful data processing than notified bodies.

In both cases, falling short of meeting the standards would be a setback, because the data will be useless.

This means deadlines in the future are closer than you think

So there you have it: the May 2022 deadline is actually around the corner.

“But Erik, they must move this deadline like they did with the MDR, right? There is no other option.”

Well, we needed the COVID-19 pandemic to happen just before the date of application for the MDR to move. By now however the COVID-19 restrictions are a given. And don’t forget, the IVDR already had a deliberately longer transitional period of five years (compared to three years under the MDR), starting more than three years ago by now. COVID-19 may be an excuse if the notified bodies cannot start a conformity assessment because of the restrictions (since remote audits are not possible for new applications – even if this guidance would be applied to the IVDR), but are you even at that point already?

Remember also with the MDR DoA move: only the DoA moved, but the end of the transitional regime did not move. This would mean for the IVDR that the May 2022 to May 2024 period of two years would shrink to one (1) year. One year for the few IVDR notified bodies to process all remaining applications, because everyone would file just before May 2023, right? Cramming all these assessments in just one year would create an enormous bottleneck and would not solve your problem.

Of course you can bet on the deadline being moved. If it’s all you have then it may be your only option. But if it’s not, I really recommend lighting a fire under your IVDR remediation. Who knows, it may turn out that we need a full zombie apocalypse, AI singularity running amok or alien invasion for the IVDR DoA to move.

Date of Entry into Force plus three years and a little bit

[Image: Kermit – “MDR DoA moved: industry be like”]

Last week we went past DoE (Date of Entry into force) of the MDR plus three years, and the date on which the MDR was supposed to have become applicable.

As you, my dear readers, will all know by now, the date of application (DoA) has been moved by a year now as the outcome of a thrilling rollercoaster that I described on this blog in much detail. It was kind of silent on the blog afterwards because from a legal perspective nothing much interesting has happened since: the MDR was amended with the amending regulation and the DoA was moved as projected. The consolidated version of the MDR with the changes incorporated is here. And I was very busy with all kinds of questions resulting from this move.

As I have blogged, the amending regulation does more than just move the DoA of the MDR: it also creates some unprecedented new powers for the Commission to take emergency approval measures under the existing directives and it even seemed to make it possible that Eudamed could be launched according to the agenda as planned.

So where does this leave us?

Industry response

Part of industry was quite happy with itself, because “it had won” – yay! Those with some formal education will be familiar with the concept of Pyrrhic victory, because that is what this is. It is merely delaying the inevitable. And those that have dealt with that know that the inevitable always happens.

Many other more responsible companies were very annoyed with the situation, as they had worked like crazy to be in time for the DoA, only to find that it had been moved. For them this creates budget and resource problems, as staff need to remain available to MDR projects for an additional year, which was not foreseen in the often hard fought MDR budgets and project timelines.

Rest assured that the DoA was not moved to give industry more time, it was moved to give notified bodies and competent authorities more time to complete the rollout and certificates conversion that they were much behind with. The enormous disruption of business as usual caused by COVID-19 created the political momentum for the change, because the Commission and member states realised that the epidemic would delay things so much it would be embarrassing and unworkable.

Quite some companies responded with the short term reaction that is characteristic of a three month horizon: many MDR projects were shelved and MDR transition teams were disbanded or decimated because the ‘resources’ had been allocated to other projects and the company was not going to pivot on this. The DoA is a year away again, so why make the best of the extra time, right? In the end it’s only core business, so how could that be important. So many things you can do in one year, and so many loose ends to tie.

A lot of companies seem under the impression that the move of the DoA means that all the other subsequent deadlines at the end moved by one year too. Wrong! The other deadlines of May 2024 and May 2025 did not move at all. So one year more until DoA is one year less of the four years of transition to convert the last MDD declarations of conformity and (AI) MDD certificates into MDR certificates and MDR Declarations of Conformity:

[Screenshot]

Does the delay help?

Yes and no, and in different ways than you might think. I invite you to watch Amanda Maxwell’s interview with Bassil Akra, Gert Bos and me for different perspectives on this matter, kindly made publicly available by MedTech Insight:

In the extra year authorities are working on completing the outstanding agenda of implementing and delegated acts, Common Specifications (Q4 2020 for Annex XVI products now and Q3 2020 for reprocessing of SUDs), MDCG guidances and, of course, Eudamed. The medical devices website will be transferred from DG GROW to DG SANTE, not a minute too soon since devices have been back with DG SANTE for a while now.

The notified bodies that are notified under the MDR will likely have a very limited add-on effect to the existing capacity, because they will be severely limited in what they can do. Apart from the ramp-up time to come to full capacity, they cannot travel or go to sites due to the COVID-19 epidemic, which means that they cannot complete new conformity assessment applications under the MDR. Yes: the new guidance on remote audits does not apply to MDR and it does not apply to new assessment applications in any event. Things will have to get worse before this gets better.

Notified bodies that were at risk of not completing pending re-certification under the (AI)MDD prior to DoA so as to enable the manufacturer to benefit from the soft transition (and their customers) are the ones that seem to benefit the most from the move of the DoA. That is, if they had not planned for the DoA to not move. As you know, all existing notified body designations under the (AI)MDD would have become void by 25 May. With this deadline in sight, you can bet that notified bodies and their staff have done some planning of their own, resulting in staff having given notice already before the DoA move was even announced on 25 March 2020 and notified bodies having planned not to be designated by that date. The fact that notified bodies whose designation would otherwise have ended in the additional year can be conveniently renewed up to 26 May 2021 under a quickly adopted change of law, for which you find the guidance here (MDCG 2020-11), does not mean that these notified bodies can just scale up again if they had actually planned to close down or continue with a skeleton staff sufficient to do only surveillance of the (AI)MDD certificates during the soft transition period. The amended designation regulation also does not allow for designation of new notified bodies. The question remains therefore how much notified body capacity was really saved with the DoA move.

The notified bodies that already had their MDR designation (14 in total now) will also have had planning issues that make it more difficult for them to stay at capacity (or increase this) for (AI)MDD. Also for them it was a reality that the (AI)MDD assessment business would switch to surveillance only by 26 May 2020 and they planned for that as well. New staff was trained only for the MDR, and therefore only qualified for the MDR. All the same, you say? Not how the law sees it. Just look at how many different classes of driver’s licenses or pilot licenses exist, even though it’s all sitting in a vehicle and steering in two or three dimensions. Different vehicles require different qualifications. Therefore, given everyone’s planning and the limited options created by the surprise addition of the extra year, your best option as manufacturer is to follow your original planning with the notified body and in cases where you would not have had your (AI)MDD certificates renewed in time, enjoy the possibility that the notified body may still be able to pull it off.

It helps the Commission and the MDCG

The delay does help the MDCG and the Commission. Important planning was immediately amended: more room to complete guidance for expert panels under the MDR and more time to make them function, still in 2020 or who knows when by now. The first MDCG guidances are starting to appear in version 2 and the MDCG and Commission are cranking out guidances like there’s no tomorrow. Just in May and April this year nineteen (19!) guidance documents were issued on top of a bunch of other MDR related documents.

The delay of expert panels obviously does not help manufacturers that must follow the clinical evaluation consultation procedure. Article 120 (7) MDR literally says that as long as there are no expert panels, the procedure for new high risk devices subject to additional EU level scrutiny cannot be completed.

The delay also gives the Commission and the member states more time to clear the congested queue of MDR notified body designation. Remember: we have 44 applications, which so far resulted in only 14 designations. This means that there are still 30 (thirty!) notified bodies backed up in the application procedure. Obviously this is not completely the fault of the authorities, because many notified bodies did not apply at the first opportunity (26 November 2017) and quite a number took significant time to clear their CAPAs, but nonetheless: here we all are.

Standards

The extra year will not be enough to complete the standardisation mandate for the MDR / IVDR that has been put to CEN and Cenelec. Their decision on whether they accept the standardisation mandate, which was finally made officially on 15 May, is now foreseen for 17 June, and even if CEN / Cenelec accept the mandate (which some parties have recommended that they actually don’t) it will most likely not be before the MDR DoA that the standards will be harmonised. Better plan to go into the MDR without harmonised standards.

The Article 59 powers

The amendment proposal allows for one interesting innovation and that is the applicability of article 59 MDR to the devices under the directives prior to the DoA. In other words, when a member state issues an emergency measure allowing a non-CE marked device on the market, the Commission may extend this measure to the whole EU on a mandatory basis by means of an implementing act, see below for my embedded presentation on this point:

Guidance for how the Commission will work with this exemption regime has also been published in the meantime, which confirms that this will really only be used in exceptional circumstances for indispensable devices, and is clearly not intended as a CE mark bypass or bottleneck management mechanism.

We will need to see now how the system works in practice.

Eudamed

As I have mentioned the amending regulation seems to make Eudamed phase-in as envisaged possible but only one year later. The Commission has taken the view that this is not what is going to happen: the fact that the deadline has been moved does not mean that its plans have changed. Also the most recent version of the Rolling Plan sets “2022” as Eudamed go live date.

So it will still be a phased ‘voluntary’ introduction of modules, with the actors module going first some months before the new MDR DoA (likely March 2021). We still don’t know whether the investment in the voluntary elements will not have to be re-done later at some point. However, it would be a very good opportunity to test company machine to machine interfaces and, more generally, the company’s Eudamed procedures because you can start interaction with Eudamed likely as from March 2021.

The actor module gives the option for manufacturers, authorized representatives, importers as well as systems and procedure pack producers to enter their data in Eudamed and to acquire a Single Registration Number (SRN). The SRN is a very crucial element in Eudamed and under the MDR in general as you will need it for declarations of conformity and certificates. Since it is important that the SRN can be obtained before the date of application of the MDR, the actor module will be first and before the new DoA. May 2021 is expected to bring two more modules: the UDI/Device Registration module and the Certificate/Notified Body module, which are also required for data entry and for data on certificates. The rest of the modules (clinical investigations, incident reporting and market surveillance) will follow later as these are intended as tools for communication about devices and actors. As envisaged under article 123 (3) MDR existing systems will be used for this until Eudamed is fully functional.

IVDs: a crisis in the making

I’ve said it before and will keep repeating it: the IVDR is a crisis in the making. Several developments conspire to make this a really big crisis that may put a serious dent in healthcare. Maybe some people noticed that in these epidemic times it is pretty sweet and kind of essential to have in vitro diagnostic tests that are actually validated. So why miss all these opportunities to plan ahead?

We had some guidance about COVID-19 test development under the current IVDD, which was a nice reiteration of what every serious IVD company that takes performance evaluation seriously should know already. If you’re an IVD company, it might be good to put your existing technical documentation along that ruler because this is the bare minimum that a notified body will expect under IVDD standards (as you know the IVDR will be a step up, with additional clinical performance data required).

At the moment there are de facto only two notified bodies designated for the IVDR (three in NANDO at the moment, but BSI has one in the Netherlands and one in the UK, the latter of which will lose its designation end of this year as a result of Brexit). It is not exactly clear how much of the required capacity these two notified bodies represent but given that there are still 12 notified bodies in the pipeline according to official figures, this is probably not as much as needed (the capacity that applied represents 62% out of the original number of NBs for the IVDD says the Commission, counting one extra new applicant, which is likely NSF that also abandoned its application again).

If you count back from the DoA of the IVDR, manufacturers must have an IVDR conformity assessment application in the door at a notified body by the end of 2020 in order to have a good chance of an IVDR CE certificate before IVDR DoA. As I have explained on previous occasions, the IVDR is different from the MDR in that most manufacturers on the market do not already have a CE certificate under the IVDD, while the large majority of them will need that under the IVDR and they have two notified bodies to choose from. This means that if you’re an IVD manufacturer you must plan for an IVDR conformity assessment application before the end of this year. Let’s just hope more notified body capacity becomes available, but I am not optimistic. This means that when the two current IVDR NBs are full, the rest is largely out of luck. Yet, the sense of urgency seems to be missing, both on the side of industry in general and on the side of the authorities.

The IVDR has been structurally left out of any COVID-19 motivated emergency measures, such as the extension of article 59 MDR to the directives. It would have been a small matter legally to have included article 54 IVDR in this as well, thus allowing for emergency possibilities for IVDs. This would be extra important in the light of the bottleneck for IVDs going into the IVDR. Yet, apparently all eyes appear to be on the MDR at the moment.

So far no substantial guidance has appeared for the IVDR and half of the IVDR guidance on the planning is not even scheduled for 2020. This is why I am personally very happy with the new MedTech Europe guidance document “Clinical Evidence Requirements for CE certification under the in vitro Diagnostic Regulation in the European Union”. This document is a collection of questions and answers designed to help manufacturers navigate their performance evaluation obligations under the IVDR.

So what to do?

If I were a devices manufacturer I would not treat this extra year as an extra year of MDR DoA delay because it really isn’t. At best you have some months extra to fine tune and that may be welcome. Your MDR specialist might take some well-deserved holidays, but keep your eyes on the ball and don’t forget that everything moves slower in an ongoing pandemic so what would normally get done in the same amount of time will now take longer.

If I were an IVD manufacturer I would go full pull to have my technical documentation for my IVDs ready for the IVDR on the triple double and make sure to have my first conformity assessment applications in the door at a notified body this autumn to be ahead of the big congestion that is coming. Same is true here: expect things to move slower than normal because of the pandemic. We may even get a second wave that’s worse. Have you planned for that? Scenario anyone?

MDR date of application move: politically a done deal now

With the overwhelming vote in the Parliament in favor of the Commission proposal to amend the MDR it is politically basically a done deal now that the MDR will be amended.

After the vote there were people that immediately stated that the amendment was formally approved – not so. We are looking at law making in the ordinary legislative procedure, which is co-decision making between the Council and the Parliament – they each need to adopt a position in first reading and then compare notes to see if further conciliation is needed. To speed things up to the maximum extent the Council gave a mandate in which it outlined what would be acceptable to the Council.

The Parliament’s vote for its first reading seems to fit this mandate perfectly, which means that the Council can now also adopt its position in first reading (which it will likely do by special proceedings via the COREPER, because normally it would need to convene in person). Then the agreed amendment needs to go past the ECOSOC (who is already prepared to be part of the solution and ready to go) and the Committee of the Regions. Normally there would also be eight weeks for national parliaments to have an opinion, which has been skipped this time. Only then can the proposal be published and enter into force on the day of publication.

The Council has confirmed in the meantime that the Parliament’s first reading corresponds to what the Council would agree to, so the Council’s first reading confirmation is impending, bringing the first reading phase to a close and paving the way for adoption of the proposal after ECOSOC and Committee of the Regions consultation. I expect the Council to formally close its first reading in the course of the coming week. ECOSOC and the Regions will go as fast as they go; ECOSOC even had its position ready last Friday, the day of the Parliament vote, supporting the amendment but making the critical note that

“the EESC would like to reiterate the request made in its previous opinion on this topic, namely that the functioning of the Regulation should be formally reviewed, jointly by authorities and stakeholders from civil society, three years after its entry into force, to ensure that its objectives are being met.” 

Complexity? Rather underestimation and under-resourcing

Recital 4 to the amending Regulation states that:

“Given the unprecedented magnitude of the current challenges, and taking into account the complexity of Regulation (EU) 2017/745, it is very likely that Member States, health institutions, economic operators and other relevant parties will not be in a position to ensure the proper implementation and application of that Regulation from 26 May 2020 as laid down therein.”

OK, the MDR is complex, but it was not a surprise except to those that deliberately chose to stay uninformed. Implementation was not that complex because it was a regulation, of which the whole idea is that there is not that much to implement. Many responsible companies attacked the problem with a lot of energy and at considerable costs and were as ready as they could be in Q1 2020, prepared to give this their best shot. Many others chose to do differently, to which I can only say that staying uninformed was a choice in this case.

The elephant in the room here, obviously, is how the Commission and the Member States failed to ensure proper implementation, as has been discussed on this blog over the more than nine years that I have been tracking the MDR and IVDR. Essential guidance, Common Specifications and implementing acts late or delayed. Almost none of the Member States has their implementing legislation ready. It shows that the authorities, both at EU and national level have structurally underestimated and under-resourced the MDR and IVDR implementation. This will not be fixed in the year and I am quite certain that still many actions outstanding in the Rolling Plan and the Ongoing Guidance development document will not be completed in time, because the root cause has not changed.

The only difference is the move of the medical devices policy from DG GROWTH to DG Health and Food Safety (DG SANTE), which may make something of a difference – hopefully.

Moving load between communicating vessels?

It is always nice to be able to celebrate a success, but what will this amendment actually achieve? Will it avoid a situation of ‘Dead on Arrival’? The move of the DoA creates time here and there, but it does not create extra capacity. A basic principle of load balancing is that if you move load to relieve a bottleneck, there must be capacity elsewhere in the infrastructure that the load can be moved to, otherwise you just create another bottleneck elsewhere. 

COVID-19 has

“a significant impact on various areas covered by Regulation (EU) 2017/745, such as the designation and work of notified bodies and the placing on the market and making available on the market of medical devices in the Union” (recital 2 of the proposal)

Granted, the additional year does give authorities, economic operators and notified bodies one more year to prepare for the MDR, but it does not create more capacity.

The year eats into the four year period to transfer the renewed (AI)MDD certificates that the market went all in on with one year. So now there will be more (AI)MDD certificates to renew to the MDR in less time. Also, notified bodies will still not function as normal. In fact, they will function less than normal because they cannot audit under normal circumstances. Yes, they can do part of their audit remotely now, but this is not exactly creating extra capacity. More notified bodies can be notified under the MDR before the DoA, but a notified body needs time (about 6 months) to get to full operating capacity and a conformity assessment procedure mostly takes 8 months at least, so any notified bodies designated in this extra year will not make a difference for the MDR pre-DoA. The only net win is that these notified bodies have more time to issue (AI)MDD certificates that must be renewed very soon (within less than four years).

What will the move of the DoA allow manufacturers to achieve? They will have less time to convert old (AI)MDD certificates to MDR certificates (three years instead of four years) – capacity problems may ensue at manufacturers and notified bodies. They have more time to finish preparing their QMS for article 120 (3) life (MDR QMS partially and no significant changes). The good part for innovation here is that the time frame in which no significant changes are allowed is shortened. One more year to change notified body or start up new conformity assessment under the (AI)MDD pre DoA? Don’t bet on it, because notified bodies are generally still not taking new customers or starting new conformity assessments for (AI)MDD certificates because they did not suddenly get extra capacity.

Article 59 pre-DoA

The application of article 59 pre-DoA has the consequence that any essential medical devices that (still) do not make it for the new DoA can be pseudo-CE marked with a pan-Union emergency implementing act. However, this immediately begs the question as to capacity at the European Commission to crank out implementing acts. Given the track record of the Commission in adopting implementing acts under the MDR and IVDR, this is not a happy picture. Nobody wants to rely on article 59 MDR as a magic bullet as it currently looks like and only as a last resort, but we’ll have to see how the Commission and the other institutional actors operationalise the article 59 MDR procedure.

I still think it was a mistake not to use this opportunity to also bring article 54 IVDR (the analogue in the IVDR) forward to be able to have a pan European approval mechanism for COVID-19 tests, of which there are shortages everywhere at the moment.  

Eudamed consequences?

The proposal moves dates for Eudamed in a way that it will be possible for Eudamed to be phased in as was originally intended, but then one year later. This begs the question whether the Commission actually intends to depart from its plan to launch Eudamed at the date of application of the IVDR. While the dates change, the legal basis for the Commission to wait until it is ready (article 123 (3) MDR – the ‘what if Eudamed is not ready in time’ provision) has not changed, so the Commission can decide to already default against the change date of 25 March 2021 as latest date for the ‘Eudamed is ready’ notice and 26 May 2021 as date on which Eudamed should go live by the letter of the amended MDR.

It would be very helpful for the market to know what the Commission will do. Does the Commission intend to stick to the December 2019 plan (default no matter what, and go live end May 2022) or is there a possibility that it will try to get back to the default launch trajectory as now amended? There is a year between the two possible go live dates so that would be helpful to know, as it is less evident for us on the outside which of these options the Commission is planning for.

By the way, we’re still waiting for clarification promised last December about how to work with Eudamed when it’s not live yet after the DoA. The Commission could helpfully clarify all these things in one go!

The Xits

I have blogged before about the effect of the move of the DoA on the three country eXits from the Union.

Swiss Medtech immediately issued a press release after the Parliament vote that this means one year more business as usual under the existing MRA between the EU and Switzerland. The same would be true for Turkey, but not for the UK, as the UK has left the Union beginning this year and looks like it will not rely on the option to extend the transitional regime for Union law beyond 31 December 2020.

Timing

The adopted proposal will need to be published in the Official Journal for it to enter into force. The good news is that it will enter into force upon the date of publication, which should be before 26 May 2020 in order to avoid a legally very awkward situation of the MDR becoming applicable only for the date of application to be moved retroactively.

I expect the publication will be very soon after adoption of the first reading by the Council, which I expect second half of the week of 20 April.

This would mean that the amending regulation could be published, and enter into force, soon after.

 

New MDCG guidance on temporary extraordinary measures related to medical device Notified Body audits during COVID-19 quarantine orders and travel restrictions

When it rains guidance, it pours. The MDCG just released Guidance on temporary extraordinary measures related to medical devices Notified Body audits during COVID-19 quarantine orders and travel restrictions. The guidance takes immediate effect and is valid for the whole period of duration of the pandemic COVID-19 as declared by the World Health Organisation.

It addresses alternative solutions to carrying out on-site audits by notified bodies under the medical devices directives and, under specific circumstances, the MDR and IVDR, which includes the possibility to perform remote audits under certain conditions.

Covered audits

Although

“this guidance applies to the medical device Directives only, for Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR) in the event that the availability of devices is affected by COVID-19 restrictions the principles in this guidance may apply.”

The guidance covers the following audits:

  • surveillance audits under the medical devices Directives,
  • audits conducted for re-certification purposes under the medical devices Directives,
  • in cases where a manufacturer submits a change notification to a notified body that would typically require on-site audit or verification,
  • in cases where a manufacturer terminates (voluntarily or involuntarily) its contract with a notified body and enters into a contract with another notified body in respect of the conformity assessment of the same device(s).

IVDR is covered ‘in principle’! This is the first time I see something positive in guidance in relation to the IVDR. IVD companies, make this count and use this time to not give up on or start conformity assessment with the few notified bodies there are for the IVDR before these are completely crowded. This will also help fast track clearance for self-tests for COVID-19 under the IVDD and IVDR covered COVID-19 tests. Hurrah!

Not covered audits

Generally initial certification audits or audits to extend the scope of certification under the Directives should not be performed using these temporary extraordinary measures. However, notified bodies may apply these extraordinary measures on a case-by-case basis for such audits in cases where devices are considered relevant to ensure medical care, especially if clinically necessary during the period of COVID-19 restrictions.

How?

Within the confines of audits covered and not covered the notified bodies have wide discretion on how to work, provided that the measures are covered by appropriate procedures. The guidance gives a number of examples of temporary alternative extraordinary measures and arrangements to on-site audits. The procedures should be carefully assessed and documented by notified bodies on a case-by-case basis and performed using a risk-based approach. This risk-based approach should be based on a review of the notified body’s

“files relating to the status and operations of the manufacturer related to the audit in question, for example the activities conducted at the site to be audited, its quality management system, and its level of compliance from previous audits. Following this review, a risk analysis should be made as to whether or not the audit could be performed with alternative measures. Where a postponement cannot be justified, the notified body should assess which alternative extraordinary measure should be performed (e.g. remote audit; off-site document review; conference calls with relevant personnel of the manufacturer).”

More detail coming

The guidance mentions that the MDCG NBO working group is tasked with the development of guidance to define the operational implementation details of this guidance document. More detail will no doubt follow.
