Managing the 2024 MDR danger zone – and outlines of a potential solution in MDCG 2022-11

Archer, season 1 episode 3

We live in interesting times for medical devices in the Union – some have said we are headed for a cliff edge at the end of the grace period. I would personally prefer to say that we are in the danger zone, which would be a zone of danger (Archer pun on Top Gun), but still with some options. If you still need to see the new Top Gun movie: there are spoilers ahead, but only in the conclusion.

But I digress already – back to the story of this blog. 

Not so long ago, in a galaxy not so far away before the date of application, everybody and their mother enthusiastically went all in on what we later understood to be legacy devices and (AI)MDD certificates were extended well into (or often all the way for) the ‘grace period’ provided under Article 120 (3) MDR. My analysis with hindsight knowledge is that many went into this in good faith, hoping that the issues plaguing the MDR as unfinished symphony with insufficient notified bdoy capacity would have been fixed by the time the legacy device certificates would expire. Others will have been happy to kick the can down the road and see where things are at by that time. Authorities and notified bodies will probably have been happy with the additional time to finalise the system.

And now here we are with a system that has still not been finalised and is not at capacity to pass the bulge of legacy certificates that need to be re-issued under the MDR, many of which will expire at the last possible date under the grace period. Already in 2020 the MDCG had attention for this problem in the Joint Implementation Plan for the MDR, but was then still in the groove that there was not enough data.

This became increasingly supported by evidence in several Team NB publications, with the latest one painting a dire picture that, regardless of notified body efforts to scale as much as they could, not even (roughly speaking) half of the total capacity required for 2024 would be available:

Medical Device Survey 2021 Data from all members (end 2021), slide 33

The authorities reacted first through a relatively mellow CAMD statement on the occasion of the CAMD’s 50th meeting (let’s all work together to fix this but the MDCG should take the lead), but then followed this up via the MDCG (which includes the voice of the Commission that presides the MDCG) with position paper MDCG 2022-11 that has a very different tone.

‘Sweeping your own little street clean’

The MDCG 2022-11 position paper document that was recently issued is certainly something else. There is some serious fingerpointing going on the document (it was not called ‘Notice to manufacturers to ensure timely compliance with MDR requirements’ for nothing) with the MDCG suggesting that many manufacturers are applying to notified bodies too late and/or with substandard quality submissions:

“The transition period intends to give further time to the system to prepare and to get ready, for example time for manufacturers to prepare their quality management system (QMS) and technical documentation before applying to a notified body. This step should not be perceived as a “grace period” to postpone the entering into application of the new rules. At this stage, data collected by notified bodies, and presented to competent authorities in December 2021, shows that nearly 37% of manufacturers’ applications have been refused on the basis of incomplete applications, underlining an overall lack of manufacturers’ preparedness. In April 2022, 75% of notified bodies indicated that more than 50% of the submitted applications were deemed incomplete.”

MDCG 2022-11, p. 2

In other words: you industry, stop sitting on yours hands and cease misunderstanding requirements! Grace periods are not for idling but for sorting out your problems so you don’t make them ours too. You can do better than this and have yourself to blame as much as you’re blaming others.

The paper is a nice exercise in political plausible deniability, or as we would say in Dutch in literal translation: ‘sweeping your own little street clean’.

Of course this does not mean that the MDCG is not right in saying that everyone is in this together, and that hurrying up and taking the transition to the MDR seriously is a very good idea under all circumstances. I personally still see too many companies where the sense of urgency has not really caught on yet, especially not with management. But then again, I also see a regulatory system that is excellent in its underlying concepts but implemented rather sub-optimally, which also causes all kinds of issues that the MDCG could have done a much better job at solving.

Some seeming light at the end of some tunnel

However, it’s not all bad news : MDCG 2022-11 gives us an insight in how the MDCG (which includes the Commission) thinks to solve the issues, which was not clear in the latest CAMD document or any other document before that.

The MDCG position paper implies that anyone that was hoping for a blanket extension of the grace period can stop hoping now: it’s not going to happen. I’ve been informing clients in this vein for some time now but now you can take some else’s word for it too. 

Also, national and European exemptions under Article 59 MDR and national equivalents always have been an option, but only to support basic healthcare in Member States, not as an exemption for a regulatory pathway. It exceptional character was already clear in the guidance on Article 59, for example MDCG 2020-9, and this is now spelled out very clearly by the MDCG:

“Derogation from the conformity assessment procedure in accordance with Article 59 of the MDR has been mentioned as a possible remedy in case transition from  AIMDD/MDD to MDR is not completed in time. It is important to stress that derogations may be granted by competent authorities only if the use of the device concerned is in the interest of public health, patient safety or patient health. This mechanism should not be considered as a solution for cases of late application to a notified body for conformity assessment or delays in the conformity assessment procedure. Economic grounds alone cannot justify a derogation under Article 59 MDR either.”

MDCG 2022-11, p. 3

But there seems to be something else in the works: the MDCG 2022-11 documents pretty explicitly hints at an implementing act under Article 97 (3) MDR in the works, putting the new market surveillance provisions and their harmonisation options in the MDR to good use:

“Also other mechanisms provided by the MDR in chapter VII (e.g. to deal with formal non-compliant products) will only be applicable for devices for which the manufacturer can demonstrate that he has undertaken all reasonable efforts to successfully conclude the transition to the MDR, including update of its QMS, in time. In this context, it is expected that the manufacturer has submitted an application to a notified body for certification in compliance with the MDR at least one year before the expiry date of the MDD/AIMDD certificate.”

MDCG 2022-11, p. 3

The reference to formal non-compliant products is a clear reference to the heading of Article 97 MDR, which provides in section 1:

“that a device does not comply with the requirements laid down in this Regulation but does not present an unacceptable risk to the health or safety of patients, users or other persons, or to other aspects of the protection of public health, they shall require the relevant economic operator to bring the non-compliance concerned to an end within a reasonable period that is clearly defined and communicated to the economic operator and that is proportionate to the non-compliance.”

Article 97 (1) MDR

Section 3 of Article 97 MDR provides the legal basis for the implementing act that seems to be under consideration:

“In order to ensure the uniform application of this Article, the Commission may, by means of implementing acts, specify appropriate measures to be taken by competent authorities to address given types of non-compliance. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 114(3).”

Article 97 (3) MDR

An implementing act is a streamlined way to implement non-essential elements of EU regulation, while still giving the Parliament and the Council a degree of control over the Commission proposal. This is especially the case of implementing acts under Article 97 (3), which are subject to the heaviest comitology procedure, the examination procedure. Implementing act procedures are described in my book in a fair amount of detail – I recommend looking at the commentary to Article 114 MDR if you want to know more.

Unclear aspects remaining

However, some aspects in the outline given in MDCG 2022-11 still remain unclear.

For one, it is unclear when an application ‘has been submitted to a notified body’, especially given the large number of applications deemed incomplete as referenced by the MDCG. An implementing act should solve the issue with respect to the quality of the application and perhaps the manufacturer’s track record. If the implementing act merely requires an application ‘in the door’ at least one year before 26 May 2024 I can predict that a lot of not very high quality applications will be received at notified bodies on 25 May 2023. Applications eligible for exemption should probably have been validated somehow by the notified body or the competent authority, like you would normally see with marketing authorisation applications for medicinal products. Also, since the competent authorities would effectively be orphaning devices after expiry of the (AI)MDD certificate, I would expect that they would only do this for devices with an exemplary vigilance and safety record. How else would you meet the Article 97 (1) MDR requirement that the device does not present an unacceptable risk? Someone needs to make that call. That means that we can also expect an implementing act to contain requirements similar to those for orphaning of devices when the notified body lays down service or collapses uncontrolledly. Maybe the implementing act exemption would be combined with an orphaning-like application at national level, who knows.

Also, I hear more and more that notified bodies delay the either signing of the certification agreement or of validation of the application, in order to surprise manufacturers that think that they are on board with a message that the notified body is not going to process their application after all. If you look at the MDR closely (Annex VII 4.3 1st and 2nd para) on this subject, it is not clear how the certification agreement and the ‘formal’ application relate to each other. It’s clear that you cannot have one without the other, but the chicken and egg problem (which comes first) is not resolved clearly in the MDR. Any implementing act planned should resolve this. This is also especially relevant because Annex IX 2.1 requires the manufacturer to commit to the notified body exclusively when the application is made, leaving the manufacturer without alternatives. 

Another problem is that the implementing act should not leave manufacturers out to dry when they submit a timely good faith application, in which the notified body still finds a minor flaw and tosses out the application for its own load management purposes at a moment where timely application to another notified body is not possible anymore because all will be occupied. This is connected to another problem: where will the notified bodies get the capacity to quickly validate all these new applications that will inevitably find their way to them early 2023 and how to avoid that this leads to crowding out of new applications for new devices even more than is already the case? Already now I see an increase in notified bodies telling manufacturers that they will just not have the capacity to process their MDR application.

Yet another unclear aspect is for how long notified bodies and manufacturers could expect any exemption under an implementing under Article 97 (3) to last, because Article 97 (1) MDR requires that the exemption is limited in time. Theoretically this could be ‘for as long as the notified body takes to finish the process’, but perhaps the MDCG would like a qualified backstop date in there not to draw out the process indefinitely.

Finally, hair-splitting lawyers with a passion for constitutionally correct legislative procedure like myself could wonder if Article 97 (3) MDR indeed has a constitutionally sufficiently strong basis to put in place an emergency valve in the transitional regime for the MDR. I personally am not sure if the delegation set out in Article 97 (3) MDR indeed was intended to include this type of measures but was aimed at a more modest harmonization of national market surveillance policies. On the other hand we’ve seen crazier actions from a constitutional perspective than this to fix MDR transition problems, like the bail-out of the class I up-classified classifieds by means of a corrigendum in December 2019. If there’s one thing that the history of the MDR has shown is that when push comes to shove, everybody will play along and is willing to get very creative.

Consultation during the summer?

By the standards of the Better Regulation Toolbox initiative that the Commission has imposed on itself, also implementing acts are subject to consultation (see Chapter 7, p. 439). So please Commission, make sure to engage in consultation and don’t do it in the summer holidays but preferably before.

I’m pretty sure some things have been overlooked that could benefit from consultation. Skipping consultation altogether would be not very nice by the Commission’s own standards.

But what about new, innovative devices?

Will the expected draft implementing act or other solution do anything for new devices with new applications, in other words: the non-legacy devices? What we are currently seeing in real life is that a growing number of companies, especially SMEs, is not getting on board with notified bodies because they are refused for lack of capacity. In other words, is MDCG 2022-11 announcing that a solution will only be available to manufacturers with legacy devices?

The Dutch competent authority IGJ seemed to suggest in a recent LinkedIn post alerting the market about MDCG 2022-11 that manufacturers with other than legacy devices will not be part of the solution hinted at in MDCG 2022-11, while MDGC 2022-11 clearly addresses all manufacturers:

“it is essential that all manufacturers adjust their system, finalise transition to the MDR and apply to a notified body, submitting complete and compliant applications, as soon as possible and well in advance of the end of the transition period to ensure timely compliance with the MDR”

MDCG 2022-11, p. 3

This does not necessarily mean that there might not be a solution for them in the works as well, but it would be nice to have clarity on that, right?

If there would not be a solution in the works for these devices, this would be extremely unfair in my opinon. Not only manufacturers with legacy devices currently have problems with notified bodies handling their applications timely. In fact many companies, often small and medium-sized enterprises, do not get on board at all with notified bodies at the moment and would be disadvantaged compared to manufacturers with legacy devices, for which the applications under the implementing act would contribute to the crowding out of applications for new devices. More often than with legacy devices, these are innovative devices that can add a lot of value for patients – it’s called innovation.

I have immediately asked the Dutch authorities how they see this but silence on that end so far.

Time is of the essence

I understand from reliable sources that something is already in the works at the Commission, which is very good news. However, this also means that manufacturers that do not have a validated MDR application for a legacy device in the works at a notified body at this moment must understand that time is now truly of the essence. Count back with me:

  • Application must be made (or have been validated, we don’t know yet) one year before 26 May 2024 so by 25 May 2023 OR before the expiry date of the legacy device certificate (which may be sooner – 25 May 2023 is the very last date possible but your certificate expiry date may be sooner);
  • This means that in the best possible scenario you have until 25 May 2023 to have an application going (about 11 months from now) and in the worse case much shorter, depending on actual certificate expiry date. Can you have ship shape application ready in no time if you’ve been sitting on your hands playing chicken with the system until now? It’s going to be an exciting and challenging ride, I can tell you that much.

This means that if you still need to file for your MDR application, you are in the danger zone. Which is a zone of danger – and you might consider calling Kenny Loggins (more Archer puns totally intended). And what is your plan B and plan C if this fails? Scenario anyone?

Time is of the essence for the Commission too, because any implementing act will still take time to trickle through the comitology procedure and we’ll need something proposed more than ASAP if the industry and notified bodies are to be informed about their options in any way that is still somewhat timely and meaningful to do something with the options offered (see left limb in the below diagram for examination procedure):

Comitology regulation flowchart from Council website

The need for speed

We have an interesting summer ahead in which all manufacturers, whether with legacy devices or not, are in the danger zone. 

And as the saying goes in the new Top Gun movie (which prominently figures Kenny Loggins’ Danger Zone song): it’s not the plane, it’s the pilot.

So now it’s up to the brave pilots of industry regulatory departments to scramble whatever your company provides as operational jets (I know that not everyone can even hope for a latest version F-18 or better equivalent) and perform two miracles in a row like in that new Top Gun movie: first finalise your MDR applications in an impossibly tight time frame and then launch the applications into the notified body’s narrow application window in a veritable Death Star approach. 

The same is true for the brave pilots at the Commission, who will need to scramble even faster to put the implementing act and/or whatever else is in the works according to MDCG 2022-11 together and shepherd it through the examination procedure because we will need to know where to go in order to be able to end up there. 

And finally, there are the brave pilots at the notified bodies, who will be once again be pulling 9 G turns solving everybody else’s problems, having to see through the load of applications made in a transitional regime in which the goalposts keep being moved.

I hope everyone feels the need – the need for speed, because we’re is going to need it.

MDCG guidance as pseudo-legislation

The MDR has been applicable for some time and the IVDR just became applicable.

The MDCG has, since both regulations entered into force, issued more guidance documents for the MDR and the IVDR in a few years than were ever issued for the old directives in several decades. Sounds like progress! High fives all around in the MDCG. Look at us crank out guidance by the truckload for all mankind!

Also, the effect of using regulations instead of directives and a more centralised governance structure like the MDCG would lead to a more unitary interpretation than before. And MDCG guidance helps for unitary interpretation! More progress!

But as always, it doesn’t matter so much what you have but it’s what you do with it that counts. I am seeing a disturbing and rather unlawful development in the way the member states in the MDCG impose guidance on stakeholders as binding rules, regardless of the huge disclaimer on every MDCG guidance that ‘any views expressed in this document are not legally binding and only the Court of Justice of the European Union can give binding interpretations of Union law’ (this is actually a legally incorrect disclaimer by the way, because all Union courts and competent authorities can give binding interpretations of Union law; the Court of Justice is the highest appeal instance in the Union for binding interpretations of Union law).

‘Binding’ MDCG guidance

The development that I see in relation to guidance is the MDCG’s tendency to legislate by means of guidance, and the MDCG member member states’ tendency to interpret guidance as ‘mandatory’, which means that they impose it on notified bodies and industry as ‘mandatory’. This, in turn, leads notified bodies to raise non-conformities against guidance itself, rather than against binding regulatory requirements or to flatout ever want to discuss an interpretation set out in MDCG guidance as an option and not a mandatory solution.

As a lawyer that hurts my constitutional feelings because it’s a constitutional no-no. It’s not allowed. If you want to make binding rules, you have to follow the procedures that we have for this in a democratic legal operating system like the EU. That’s rule of law 101. If you don’t, you add to the – in this case justified – criticism that Brussels imposes rules undemocratically. If the mandatory rules are unclear, make better rules and not guidance that is imposed as if it is binding.

European Court of Justice says guidance itself is NEVER binding

Do you know who else’s constitutional feelings are hurt by this? The European Court of Justice in Luxemburg, the end boss for interpretation of binding law in the Union.

The CJEU has ruled on several occasions in no uncertain terms that guidance on the interpretation of EU law as such cannot be a source of binding law, but can only assist in its interpretation. In each of these cases it concerned a EU institution or a Member State authority seeking to rely directly on EU issued guidance for interpretation of a legal standard, which prompted the CJEU to rule in the famous Chemische Fabrik Kreussler case:

“23. In that regard, it must be stated that, in itself, that guidance document drawn up by the Commission’s services, which is not one of the legal acts of the European Union referred to in Article 288 TFEU, cannot be of a legally binding nature or enforceable against individuals.

24. That is moreover apparent from that document, which states that it is not legally binding since only the Court of Justice has the jurisdiction to give a binding interpretation of European Union law.

25. As stated by the guidance document on the demarcation between the Cosmetic Products Directive and the Medicinal Products Directive in its introduction, the fact remains that, inasmuch as that document was drawn up by group of experts from the national authorities, the Commission’s services and professional associations from industry, it may provide useful information for the interpretation of the relevant provisions of European Union law and therefore contribute to ensuring that they are applied uniformly.

26. Consequently, the national court may, in order to apply the term ‘pharmacological action’ within the meaning of Article 1(2)(b) of Directive 2001/83, take account of that document. In doing so, it must nevertheless ensure that the interpretation thus derived was derived in a manner consistent with the criteria laid down by the case-law relating to the interpretation of European Union legal acts, including those concerning the division of jurisdiction between the national courts and the Court in the context of preliminary ruling proceedings.”

Chemische Fabrik Kreussler, points 23-26

This means that:

– The MDCG should/shall (pun intended, see below) not write guidance in the expectation of it being followed to the letter;

⁃ Member States should/shall (same pun) not impose mandatory literal use of guidance on notified bodies;

⁃ Member States themselves should/shall (still the same pun) refer to guidance as a literal source of binding rules and impose them on stakeholders as law; and

⁃ Notified bodies cannot raise non-conformities directly against guidance only because guidance is not a binding rule.

A proper and legally correct finding of non-conformity cites the legal basis in the law (an article and subclause (if any) – not a recital), case law (because mandatory) and perhaps harmonized standards after a discussion why the solution offered by the manufacturer is not as good as the one in the harmonized standard. But the finding never refers only to non-binding guidance just because it’s practical for the competent authority or notified body. Non-binding guidance is, by its very nature, not a ‘requirement’ that a non-conformity can be raised against. ISO 17021 is pretty clear about that for notified bodies. It could only be seen as a requirement if there is a legal basis for it to be a requirement, which there is not according to the CJEU. Because if guidance it’s not as such a requirement, because it’s not binding.

One of the areas in which I think we are going to see more of this in the short term is the area of borderline products, for which the MDCG has just produced a shiny new MDCG guidance (MDCG 2022-5) that took years for member states to align on, so they will very likely try to impose this to the letter, regardless of the CJEU’s case law that says they don’t need to (e.g. the Lycocentre case). But that would be illegal, as was confirmed by the CJEU in – ironically – a case about guidance about borderline products and specifically about the interpretation of the concept of pharmacological action (Chemische Fabrik Kreussler, points 29-30). Rather, for each product the borderline needs to be substantiated, because

“products containing a substance having a physiological effect cannot automatically be classified as medicinal products by function unless the competent administration has made an assessment, with due diligence, of each product individually, taking account, in particular, of that product’s specific pharmacological, immunological or metabolic properties, to the extent to which they can be established in the present state of scientific knowledge.”

Hecht Pharma, point 40

Using guidance as law definitely will also not pass the Commission’s own Better Regulation criteria. I certainly appreciate the need and wish of the MDCG (and the Commission, which actually chairs the MDCG) to operationalise the MDR and IVDR efficiently. I really do. But what I do not appreciate as a lawyer is to promote guidance to mandatory rules to compensate for unclear legislation.

Examples

But Erik, you are such a hair-splitting lawyer you may say. The MDCG guidances never contain anything but a fair reflection and practical operationalisation of vague concepts in the law. Well, that’s actually precisely the problem. Our legislation in the MDR and IVDR is often not specific enough because it was designed as a not necessarily complete framework that was good enough to start with and would subsequently be filled in by means of delegated and implementing acts. But making it more specific by means of guidance risks that requirements are provided in guidance that are not actually required by the law, which is exactly what the CJEU rules is unconstitutional because we have democratic legislative procedures to create binding legislation. This is exacerbated by absence of proper legal review / appeal options against notified body decisions, which is a more general legal problem perpetuated in the MDR and IVDR.

Example: I give you the double importer check in MDCG 2021-27 (question 7), which is literally nowhere to be found in the law, but is put in the guidance as something that importers should do. I raised this as imposing an additonal requirement without legal basis in a previous blog and subsequently the Commission confirms to me alone that it is in fact optional, not mandatory. Yet, this is not how the guidance puts it and how notified bodies may enforce this guidance against manufacturers. Based on how the guidance is worded, a competent authority may well use this as a basis for enforcement. This puts the finger exactly on the problem that MDCG guidance is not necessarily what the law prescribes.

Another example is the overly legalistic and frankly illogical interpretation interpretation of rule 8 regarding accessories to active implants in MDGC 2021-24 on classification. Because the AIMDD did not contain a separate concept of accessory, rule 8 of Annex VIII now states

“All implantable devices and long-term surgically invasive devices are classified as class IIb unless they: 

[…]

— are active implantable devices or their accessories, in which cases they are classified as class III;” 

Rule 8, Annex VIII MDR

Admittedly, this is not the best legal drafting ever seen in a regulation. However, this is a rule about implantable devices, in the implantable devices chapter of the classification annex of the MDR, and it would be entirely logical that it applies only to implantable accessories. Why? Because the implementing rules in Annex VIII that explain the logic behind classification state that

“Accessories for a medical device and for a product listed in Annex XVI shall be classified in their own right separately from the device with which they are used.”

Implementing rule 3.2, Annex VIII MDR

In other words, non-implantable accessories should be classified in their own right, and not automatically in the same risk class as the active implantable device itself. Yet, MDCG 2021-24 states that in scope of this rule are:

“Accessories to active implantable devices (with or without contact to the heart), be it implantable or non-implantable active or not: 
– torque wrench for implantable pulse generator / implantable cardioverter defibrillator
– cables for programmer / pacing system analyser
– magnet for Implantable Pulse Generator / Implantable Cardioverter Generator
– programmer or an external transmitter intended for activating or controlling the implantable part of the device
– implantable pacemaker leads”

MDCG 2021-24, p. 38

Implantable pacemaker leads covered by a classification rule about implantable devices? Totally agree. You know why? Because they are implantable so it’s logical that they are covered by a rule on implantable devices.

Magnet or torque wrench? Baloney! These would be class I devices if classified in their own right, as they should be according to MDR classification logic under implementing rule 3.2.

The interpretation is not practical, it was not even initially chosen by notified bodies and is now imposed on notified bodies, some of which had to change their interpretation affecting certificates already issued. Does that serve patient safety better? Does it improve the performance of the devices concerned?

To put it euphemistically: I am not convinced at all that this is an improvement. So now we have class III magnets and torque wrenches. We get to do a PSUR for a torque wrench or a magnet. At least we can consult an expert panel with a proposal for clinical investigation (placebo magnets anyone? that will be fun in the cath lab). And we get to justify why there is no need clinical investigation for a magnet or torque wrench. It is kind of weird that you don’t need clinical investigation for an implantable wedge, screw, plate, etc., but you have to justify it for a new magnet or torque wrench. Again, is this logical? No. Is it conducive to device performance or patent safety? I don’t think so. Is it overly legalistic and does it create more red tape? Absolutely. And only because the notified bodies are ordered to apply this guidance to the letter, which – according to the case law of the CJEU – is blatantly unlawful.

And it’s not that the law cannot be amended to be more specific or precise: the MDR and IVDR are riddled with delegated responsibility for the Commission to propose amendments to make the law more practical or adapt it to current state of affairs by means of delegated and implementing acts. Also, when needed the EU has shown that it is willing to amend medical devices regulation even by corrigendum (also doubtful from a constitutional perspective, but no one was going to complain about it this time).

Should / shall

The frequent use of the word ‘should’ in MDCG guidance denotes that at least the good people at the Commission legal service know better than to say ‘shall’ in the guidance – they’re lawyers too, and very good ones at that. But they cannot help the MDCG enforcing should like it says shall. Maybe they should have a chat with the MDCG to explain this at some point… and then also rewrite the disclaimer for the MDCG guidances.

It is kind of cynical to demand literal application of guidance (“shall”) with a disclaimer on the front that says it’s not binding and contains optional rather than mandatory regulatory requirements and write in the guidance that you should (which is really different from ‘shall’), wouldn’t you say? It is really falling in the Platonic trap described in Plato’s Phaedrus dialogue in which Socrates warns against believing that something is true just because it was written down by someone thinking he knows what he’s talking about (Plato, Phaedrus, 275a-c). And this is the CJEU’s point: you may only assume this in case of actual law applied to the actual situation in view of an actual analysis of this specific product and all the other positions, for example those stated in abstracto in guidance, are always up for debate:

“the competent administration has made an assessment, with due diligence, of each product individually, taking account, in particular, of that product’s specific pharmacological, immunological or metabolic properties, to the extent to which they can be established in the present state of scientific knowledge”

(Chemische Fabrik Kreussler, point 33)

Formalities

But if you are going to treat guidance as binding rules / pseudo legislation, then some things should at least be provided which are baseline requirements for real legislation (so sort of best practice for binding rule making you could say):

  • a transitional period for the new rule or interpretation of a rule to apply; and
  • a process for quick amendment of guidance, where mistakes or other issues are identified (such as the importer double check non-requirement)

At present all MDCG guidance is always immediately applicable without any transition, which is totally frowned upon in case of new rules imposed in legislation. There are examples of MEDDEV guidance for which notified bodies were allowed to use a transitional period, so why not for MDCG guidance?

Well, I can think of one reason: because every MDCG guidance ever issued was already (way) too late for the transitional regime to have practical use and time is of the essence for the MDCG once they have finally managed to agree on a new guidance document, which may take years in some cases. Still, that is not an excuse for rule making that does not comply with basic principles of rule making in a democratic society.

The Platonic trap

So … let’s not fall in the Platonic trap of the MDCG guidances together, and assume that they are wisdom just because they were written down by other people and to believe that they are law even if enacted outside of the correct process for enacting binding rules. This wisdom is thousands of years old.

And moreover the CJEU says you don’t have to! Competent authorities and notified bodies owe stakeholders better reasoned decisions and non-conformities than basing them on a mere reference to guidance, even if they are in a hurry or if it’s not that convenient.

The MDCG owes us better quality guidance that is actually guiding rather than mandatory because it’s unlawful. And guidance that is actually guiding to solutions, not imposing them to the letter in a legalistic one size fits all. Not even harmonised standards and common specifications do this and they actually do have a legal basis for providing presumption of conformity.

Rather, let’s be logical and practical with patient safety in mind. Let’s use our thinking brains and not be overly legalistic, or – if we want to be – let’s have a proper legal basis for it. It’s not like we don’t have enough issues with the MDR and the IVDR.

UPDATE 6 June 2022

Silly me – I overlooked that even the MDCG itself has stated in MDCG 2019-6 that in relation to the use of guidance in accordance with Annex VII, 4.5.1 (see also Annex VII, 1.6.2 with a similar requirement to ‘take guidance into consideration’) that:

“For instance, in order to assess if the solutions adopted by the manufacturer are state of the art and in line with expectations, the CAB need to use the available guidance documents and standards. It should be noted that non-conformities will not be raised against standards or guidance but need to be phrased against legal requirements.”

MDCG 2019-6 Rev. 3 Questions and answers: Requirements relating to notified bodies, IV.11

Anyway, this underlines and confirms everything said above in this post. Except that it makes it even more problematic that notified bodies would be instructed to treat guidance as law and competent authorities refuse to discuss guidance as guidance.

Happy IVDR day!

Happy IVDR day my readers! My apologies for the low level of activity on this blog the last time. I’ve been very busy with MDR and IVDR work.

And of course I have been working hard on the second edition of the big book, the Enriched MDR and IVDR, which is nearing completion and will additionally cover regulation amendments, new guidance, amended guidance and other developments during the period of early April 2021 to the date of application of the IVDR. Hundreds of pages of additional content, outdated content revised, updated graphics, updated flowcharts, added flowcharts, added graphics, added tables – it was (and at the moment still is) a lot of work. When the content is ready we’ll do another InDesign pass for numbering and layout issues in the first edition, have it reviewed by the fabulous group of people that reviewed the first edition, and then we’ll have something interesting and worthwhile I hope. When, you ask? Well, soon. People that have bought the first edition have received a code for a reduction on the second edition. Competent authorities (not notified bodies) will get a free copy if they ask for it, just like with the first edition.

Something old, something new, something legacy

Happy IVDR day – the IVDR is now applicable and that means that the world will not be the same as before. As a result of the legislative change in January 2022 the IVDR has gone all out in legacy devices without an IVDD certificate during the staggered risk class determined grace periods, more so than the MDR. Given the relatively low number of IVDs that already had a CE certificate under the IVDD (and of course the low number of IVDR certified IVDs), becoming a legacy device has become sort of the rule under the IVDR.

As of now, the IVD world in the Union is devided in three IVD categories (see MDCG 2022-8 on legacy devices):

  • Old devices (devices placed on the market under the IVDD before the date of application);
  • New devices (devices placed on the market under the IVDR, regardless of the date of application); and
  • Legacy devices (devices with an IVDD CE certifcate valid past the date of application and IVDD devices with a valid declaration of conformity issued before the date of application).

Note that the IVDR applies differently to each of these three categories! So it’s pretty important that you know in which category your device falls. MDCG 2022-8 describes in quite a lot of detail what parts of the IVDR apply for what group of devices. Essentially it comes down to this:

CategoryIVDR parts applying
Old devices“IVDR provisions should generally apply if they do not directly impact the device, its documentation or the conditions for the placing or making available of devices on the market” (MDCG 2022—8) this means market surveillance (article 88-95 IVDR) as well as reporting and analysis of serious incidents and field safety corrective actions occurring after 26 May 2022 (article 82 and 84 IVDR)
Legacy devicesArticle 110 (3) IVDR requirements: the relevant requirements set out in Chapter VII of the IVDR on post-market surveillance, market surveillance and vigilance (see for much more detail on what these are exactly in MDCG 2022-8 and specifically its table annex – you will see that there is a lot of IVDR QMS elements and economic operator requirements that already need to be implemented or apply)
New devicesThe whole enchilada of the IVDR

To determine if your device is an old device or a legacy device it is pretty important to get the details on placing on the market of the device right. Not a week goes by that I am not advising MDR and IVDR clients on placing on the market. It’s a complex and often misunderstood concept, as you can see in my discussion of it here.

A legacy device is not a walk in the park, as I’ve seen first hand being underestimated by manufacturers. Often the grace period was mistaken for a ‘delay’ in which the manufacturer did not do much, but this is mistaken. You should compare a legacy device to a large passenger airplane that is almost out of fuel: you want it on the ground safely as soon as you can, but landing a machine like that is a process that takes time. You do not continue flying at cruising altitude until the fuel gauge reaches zero and then hope you’ll magically find yourself safely on the ground.

Significant changes

Just before the date of application the MDCG released guidance on significant changes for IVDs specifically (MDCG 2022-6). Although on the rather late side, it was nevertheless useful to have this guidance for two reasons:

  • Operationalisation of the concept of significant change specifically for IVDs;
  • Some little steps of evolution in thinking on the part of the MDCG about formalities around significant changes.

In terms of evolution of MDCG thinking about signifiant changes there were two little gems in the MDCG 2022-8 document that stood out for me: one footnote and one little piece of text conspicuously left out. 

First: in footnote 5 there is a significant statement stating in relation to the requirement that legacy device certificates must remain valid during the grace period:

“This does not exclude the possibility that during the transition period an EC certificate for the manufacturer’s approved quality system issued in accordance with Annex IV or Annex VII IVDD, which has become invalid, is replaced by a EU QMS certificate issued in accordance with Annex IX, chapter 1, IVDR, provided that the EC design examination certificate issued under Annex IV, section 4, IVDD or EC type-examination certificate issued under Annex V IVDD remains valid.”

This is an important statement because it shows that the MDCG thinks that is is possible to exchange an expired QMS certificate for a legacy device with a new QMS certificate under the IVDR. This is not only relevant for the IVDR but also under the MDR, since footnote 6 of that same guidance mentions that the MDCG 2020-3 guidance should be aligned with MDCG 2022-6, where needed. This makes me somewhat optimistic that this will also be allowed under the MDR now, as I have seen more than one client get in trouble because the legacy QMS certificate supporting a legacy design examination certificate expired or otherwise became invalid. This would be an important development because I have experienced notified bodies categorically stating that this is not possible. Well, now it is.

The second interesting point is an omission of which I hope that it is significant, concerning administrative changes that are allowed, specifically in relation to M&A or corporate reorganization. MDCG 2020-3 under the MDR stated that permitted administrative change is:

“administrative changes of organisations are considered in principle as non-significant. This includes changes of the manufacturer’s name, address or legal form (legal entity remains) or changes of the authorised representative.”

MDCG 2022-6 phrases this as:

“changes of the manufacturer’s name, address or legal form, including a merger or acquisition involving the manufacturer;”

Why is this relevant? I have seen companies structure M&A projects wrong in the way that the legal entity of the manufacturer did not ‘remain’ and suffer the consequences: notified body did not want to cooperate with certification of new legal entity become manufacturer for a complete business unit that otherwise remained intact. It seems that the leaving out of the requirement that the legal entity remains could (might) be reason for optimism that this requirements has been dropped, thus making asset transactions that involve a new legal manufacturer possible without triggering a significant change (dear devices unit of the Commission, if I’m wrong on this point, would you kindly correct me please?)

Then there is the substance on what is considered a change to the intended purpose or design of the device, specifically operationalized for IVDs in MDCG 2022-6. The below table is a combination of MDCG 2020-3 extrapolation and MDCG 2022-8 added wisdom setting out a non-exhaustive overview of changes that are prima facie candidates for significant changes, conveniently put together for you:

Change of what?What makes it significant?Example of significant change
Intended purposeExtension of intended purpose (limitation of the scope of the intended purpose is not a significant change)– See also Chart A in MDCG 2020-3 and MDCG 2022-6 concerning change of intended purpose
– Change or extension of patient population
– Addition regarding what is detected or measured
– Additional functions of the device (screening, monitoring, diagnosis)
– Addition of specimen type(s)
– For companion diagnostics: extension of associated medicinal product, of target population or of the tissue type
– Change in assay type (e.g. qualitative to quantitative assay)
– Change of the intended user (e.g. professional to lay user)
– Change of operation (e.g. automatic to manual)
– Change of specimen type(s)
DesignChanges in design that alter device’s operating principle– Change from immunofluorescence to enzyme-linked immunoasorbent assay (change from immunofluorescence to ELISA);
– Change from immunochromatography with subjective visual detection to immunochromatography with detection by automated reader;
– Change from high-performance liquid chromatography (HPLC) coupled with time-of-flight mass spectrometry to HPLC coupled with orbitrap mass spectrometry;
– Change from photometric measurement into liquid chromatographic based or proton nuclear magnetic resonance spectroscopy (NMR) measurement;
– Change from immunoturbidimetry measurement to colorimetric measurement.

Changes in design that affect the safety or performance and negatively affect the risk/benefit ratio of the device– See also Chart B in MDCG 2020-3 and MDCG 2022-6 regarding changes of design or performance specification
– Change of IFU to refer to reduced sensitivity of the device (based on PMS)

Change of ingredient or material that affects the safety or performance and negatively affects the risk/benefit ratio of the device– See also flowchart D in MDCG 2020-3 concerning change of a material
– Substitution of a chemical substance in order to comply with the REACH regulation resulting in an adverse impact on performance of the device

Change of ingredient or material that is essential for device’s operating principle– See also flowchart D in MDCG 2020-3 and MDCG 2022-6 concerning change of a material
– Changes of an ingredient or material that is essential for the operating principle of the device (primers for PCR; capture antibodies / antigens for immunoassay; detection marker (e.g. fluorescent, chromogenic, chemiluminescent marker) for chromatography)
– Changes of an ingredient or material that adversely affect the safety or performance and that negatively affect the risk/benefit ratio of the device (substitution of a chemical substance in order to comply with the REACH regulation with an adverse impact on performance of the device)

Software changes– See flowchart C in MDCG 2020-3 and MDCG 2022-6 concerning software
– New or major change of operating system or any component ·       new or major modification of architecture or database structure, change of algorithm
– Addition of a new database with new content that is used to compare genetic assay results with
– Required user input replaced by closed loop algorithm
– Presentation of medical data in a new format or by a new dimension or measuring unit

Sterilization changes– See flowchart E in MDCG 2020-3 and MDCG 2022-6 concerning sterilization
– change of sterilisation method
– changing a device from ‘nonsterile’ to changes in the design or packaging that adversely affect the sterility assurance or the effectiveness of the sterilisation (e.g. integrity of a seal).

In-house produced devices

There is another group of actors that is sucked into the IVDR, in kicking and screaming denial: the health institutions for the in-house produced devices. Kicking and screaming, you say, it can’t be that bad? Yes it is, I’ve seen from personal experience that this new group of addresses of the IVDR is mostly stuck somewhere on the low end of the Kübler Ross curve of acceptance of a dramatic situation that they did not choose for themselves, but on the other hand allowed to happen to them in all the worse ways because they never saw it coming and subsequently denied that it existed or downplayed the effort needed. 

Specifically I’ve seen very vocal arguments for example that ISO 15189 compliance basically covers most of the gaps (spoiler: it most certainly does not) and more specifically, that ISO 15189 is an appropriate production quality system for devices (as required in article 5 (5) (b) IVDR), which it is not. Any person advocating that position is very welcome to engage me in discussion and point out to me where in ISO 15189 manufacturing quality management system requirements are imposed. I have not come across them in this standard, because the standard is not concerned with manufacturing quality but with testing quality and competence, which is not manufacturing quality. Lab activities, not manufacturing activities. It specifies how to set up and run a test lab and procure outside materials used in the lab for testing, but not how to actually manufacture tests. Receipt and storage of tests, yes. Acceptance testing of tests, sure. But not actual manufacturing of the tests! Fortunately MDCG guidance on in-house produced tests is imminent now, and we’ll see who is right on this point.

Article 5 (5) IVDR applies to in-house produced devices, which were not in scope of the IVDD, and imposes a ‘CE marking light’ regime on them, basically regulating in-house produced devices roughly speaking somewhat like class A self certified devices under national competent authority supervision (with optional national exemptions). However, that does not mean that the requirements are a light regulatory touch. For example, each in-house produced device needs to have documentation showing compliance to Annex I General Safety and Performance Requirements of the IVDR, which is a substantial regulatory task to complete.

In the January 2022 amendment of the IVDR some, but not all, of the regulatory deadlines for in-house produced devices were moved. This means that some of the requirements (actually the ones causing the most work) apply already, and since the IVDR does not grandfather the installed base, must also be applied to in-house produced tests that were developed before the date of application but still produced and used after the date of application. See below for my handwritten overview of deadlines (you need to put 26 May before each year mentioned):

Article 5 (5) IVDR

So, regardless of whether health institutions are happy with these rules or not, the regime already applies partially and health institutions not meeting the requirements that already apply can be enforced against for non-compliance. They will also need to inform their liability insurance that they are applying non-compliant tests (if they are) and any incidents with patients suffering damage as a result of non-compliant in-house devices will normally be outside the health institution’s insurance policy cover. Maybe that is sufficient for hospital management to make this more urgent agenda item.

It’s funny with these things how stakeholders like to shoot the messenger rather than fix non-compliance in their own situation. I’ve actually been accused of raising these issues just to make money. How rude – it just shows powerless frustration about the situation.  

Bye bye Switzerland – yet another Swixit, this time for IVDR

Completely as expected and right on schedule we received the Commission’s Notice to Stakeholders that Switzerland is out of the Union for yet another MRA (the one concerning the IVDD) and will not be part of the Union for the IVDR as of the date of application, which is quite unfortunate. Would you like to know the back story? Check out my analysis of the Swixit for the MDR. It’s a pity that Swiss politicians have sold the advantages of being part of the internal market to badly at home. But then again, this is something you can say about a lot of EEA and Turkish politicians too unfortunately.

The Swiss will fix their legislation to mimic the IVDR as closely as possible just like they did for the MDR, and hope for the best.

But no Turkxit

Just like with the MDR, there is no Turkxit for the IVDR – meaning that Turkey is also part of the Union for the purpose of IVDR just like it is for the purpose of the MDR, as was confirmed in another Notice to Stakeholders. Mind you, Turkey is not a member state of the European Union, but it is part of the Union for the purpose of the MDR. 

It shows that people that refer to the MDR’s and IVDR’s geographic scope as EU have mistaken conception of the scope of the geographic scope of the Union: the EEA member states (which includes all EU member states plus non-EU member states Iceland, Norway and Liechtenstein) plus Turkey, which is four more countries than the EU. So next time someone refers to the EU as place where the MDR and the IVDR apply you can ask them why they ignore Icelanders, Norwegians, Liechtensteiners and Turks.

So don’t sell the Union short please, people, and please stop using the actually pretty offensive term ‘rest of world’ to denote that you can’t be bothered to understand what is going on internationally. It is really not that complicated.

The capacity elephant

Whenever there is something to celebrate on a party there is also an elephant in the room, like an uncle that always gets just a little too drunk and ruins the party for everyone. In this case it is the notified body capacity elephant, which stands to put a serious dent in the IVDR project, regardless of the measures taken with the recent amendment. If you want to read and weep, you can read the updated (post amendment) Joint Implementation Plan for the IVDR. If you want your hair to stand up, read the recently published 2021 member survey of Team NB. It basically contains all the data that the MDCG says in the Joint Implementation Plan that they do not have. What do we learn from the Team NB document?

Well, first of all IVD manufacturers have not at all started to apply under the IVDR en masse. The IVD sector seems very much bent on making the same mistakes as MDR manufacturers, although the low number of applications may also be caused by the low availability of slots at notified bodies.

Another worrying development is that at least half of the submissions to notified bodies are incomplete. Apparently either notified bodies explain badly what they need, or manufacturers are bad at making complete applications. Either way, there is a serious disconnect that is costing everybody time.

Capacity, capacity, capacity is the theme. The notified bodies indicate that it will not be possible to issue a number of certificates under the MDR that is even close the number of still to expire in 2024. Team NB states ominously:

“There is a risk to the continuous availability of some device with expiring certificates in 2024. To avoid this risk, solutions have to be found as it will not be feasible to issue 14 063 certificates in a year.” [estimated capacity for 2024 is 6 300 per year]

Press release Team-NB sector survey 2021, p. 8

Regardless of the recent change to the IVDR, the IVDR will be in the same boat by 26 May 2025, when the first grace period under the IVDR expires. With the number of notified bodies notified for the IVDR, and the speed at which this happens, I predict the exact same issues with the IVDR. At some point MedTech Europe had calculated that we needed a 780% increase in notified body capacity for the IVDR, while at this point we are still working to have the same notified bodies notified again under the IVDR, of which not all actually applied, and not even half of the applicants have been notified at this point. As we can see from the most recent overview of notified body notification process for IVDR, it will take quite a while before the next IVDR notified body will be notified. As you can see in the overview the next two notified bodies are stuck in the JAT CAPA review phase, which can easily take a year, and the others are not even at that stage. Not a good sign.

So

Happy IVDR day – there is a lot to do for industry, notified bodies, competent authorities and the Commission. Let’s not disappoint the health system and the patients!

More on placing on the market

After my blog about guidance document MDCG 2021-27 in which I argued why in my view it defines placing on the market wrongly by requiring transfer of a property right as a condition for placing on the market, a lot of discussion started.

I even received an email from the European Commission commenting on the blog post, explaining that the idea with MDCG 2021-27 was not to make any changes to any existing interpretation of the concept of placing on the market in existing guidance (and, by the way, that the importer double check with the manufacturer in case of re-importation under question 7 that I criticized as a new obligation was meant as a suggestion, not as a new obligation).

There were also people that helpfully informed me that the Blue Guide literally uses the words ‘property right’ in relation to placing on the market, so what was my problem? Some of them also defended the theory that it was only appropriate that (contrary to making available) placing on the market as a first logistic step into the Union would comprise a change of title/ownership but did not provide a good argument for why it would be appropriate – so my inner Shania Twain was not yet impressed.

Still, I could not parse why the concept of making available, which is nested in the concept of placing on the market, should be interpreted differently depending on the economic operator. I cannot find a good reason why ‘any (other) property right’ should be transferred to an importer, while ‘any (other) right’ would do for a transfer to a distributor. That just did not make sense to me.

I had not read the Blue Guide often enough – in other languages

Have I ever mentioned how much, in my experience, speaking several languages enriches my experience of the world? I am fluent in quite a few languages and can get by passively in a number of others. Suddenly it hit me: whenever someone says it’s in the text, better check if it’s in the text in all language versions of the text. In the EU we proceed from the principle that all languages in which official documents are available are equally important. So it may well be that the English text that most people seem to read as only source may actually not represent the guidance intended to be given by the Commission correctly. 

And there we had it: I always tease people that they should read the Blue Guide more and then realized that I myself had only ever read it in English – clearly I had not read it enough myself either – not in enough languages! So I started checking languages within my command and quickly found out that the French and German versions of the Blue Guide indeed are phrased differently as to NOT require transfer of a property right for placing on the market.

See for yourself:

The German version of the Blue Guide formulates the sentence in the English version that contains the requirement of ‘any other property right’ as follows:

“Das Inverkehrbringen eines Produkts setzt ein Angebot oder eine (schriftliche oder mündliche) Vereinbarung zwischen zwei oder mehr juristischen oder natürlichen Personen in Bezug auf die Übertragung des Eigentums, des Besitzes oder sonstiger Rechte hinsichtlich des betreffenden Produkts nach dessen Herstellung voraus.” (emphasis added)

Blue Guide 2016 – German, section 2.3, 3rd paragraph

The French version formulates the same sentence as follows:

“La mise sur le marché d’un produit exige une offre ou un accord (écrit ou verbal) entre deux ou plusieurs personnes physiques ou morales en vue du transfert de la propriété, de la possession ou de tout autre droit concernant le produit en cause après la phase de fabrication.” (emphasis added)

Blue Guide 2016 – French, section 2.3, 3rd paragraph

As is evident from the above quotes in German and in French, neither of these versions of the text requires transfer of a ‘property’ right because both unambiguously speak about ‘any other right’. That is literally what “sonstige Rechte” and “toute autre droit” mean.

And this is fully consistent with how the Blue Guide defines making available, making the Blue Guide texts in French and German fully logically coherent.

As I checked more languages I found that also the Swedish version does not require a property right transfer either (“någon annan rättighet”, which also literally means ‘any other right’). But the Dutch, Italian and Spanish ones do refer to property right in this context.

CE in action – Confusion Everywhere! So now what – Germans, Swedes and French crazy? Others crazy? Who to believe?

European Court to the rescue

The European Court of Justice (CJEU) has seen issues like this before, because the EU translates a lot of documentation in a lot of languages, so inconsistencies are bound to arise occasionally, even though we have fantastic translation processes with extremely highly qualified translators that translate texts in the weirdest language combinations. A hat tip to you, dear EU institution translators! Your work preserves the treasure of European linguistic diversity and the cultural heritage associated. Too often I hear people speaking only one language say that all these different languages make things too complicated – I vehemently disagree with that. But I digress.

So how do we solve this puzzle of interpretation? The CJEU comes to the rescue. It has helpfully ruled in its case law (see for example C-558/11 Kurcums Metal ECLI:EU:C:2012:721 (para. 48)) that if language versions of a given EU text differ, you cannot automatically assume that one of them is correct and the other is wrong – there is no trump language for any official document. Or in the wording of the CJEU:

“It is settled case‑law that the wording used in one language version of a provision of European Union law cannot serve as the sole basis for the interpretation of that provision, or be made to override the other language versions in that regard. Such an approach would be incompatible with the requirement for uniform application of European Union law.”

C-558/11 Kurcums Metal, para 48

This is very logical indeed because no language is more important than another. So in our puzzle we have English version (and some others) versus German and French versions (and some others). In that case, the CJEU says, you need to chose the interpretation that best reconciles the text and purpose of the rules concerned. Or, as the CJEU puts it

“Where there is a divergence between the various language versions, the provision in question must thus be interpreted by reference to the general scheme and the purpose of the rules of which it forms part.”

C-558/11 Kurcums Metal, para 48

Obviously, (as I have defended in my previous blog) the most logical interpretation and the one best fitting the logic and meaning of the New Legislative Framework legislation described in the Blue Guide is that the definition of the MDR and IVDR defined concept of making available is interpreted consistently between its use as a standalone concept and its use as element of the MDR and IVDR defined concept placing on the market. Unless someone has a convincing argument about why this should not be the case and a reason why we do need a property right for placing on the market for an unknown reason – so far I have not seen any convincing arguments to that effect. The Commission seemed to agree with me on this point, stating to me that the definitions in the Blue Guide as such are not fully congruent.

Blue Guide may still be amended for this

The good news is that the 2016 version of the Blue Guide is (still) under revision, so this point can (still) be taken on board by the Commission in the revision process. Call me a silly nitpicker but I think it’s always a good idea that one of the crucial concepts of a broad legislative framework like the NLF is explained consistently in a crucial guide document and moreover in the same way in all language versions. If the Commission indeed decides to amend the Blue Guide on this point, there is no reason not to also amend 2021-27 to account for this as well – this is by the way also what the Commission told me that they indeed intend to do if the Blue Guide is amended this way. In the mean time, in my view, industry can rely on the interpretation offered by me based on the incongruence between language versions, which means that the English version cannot be considered to reflect the guidance given correctly. The French and German version provide (in my view) the better interpretation.

So, we will need to see if the Commission agrees that taking out ‘property’ right should be uncontroversial and the logical choice because it is actually in the Blue Guide already, depending on the language version that you read. My modest suggestion for the next Blue Guide edition: go for the logical interpretation across languages, i.e. making available does not require any ‘property right’ transfer, neither separately nor when nested in the definition of placing on the market.

Why is this so important?

You could wonder why I am making such a fuss out of this. Well, I am doing this because a correct interpretation of the concept of placing on the market is absolutely and utterly crucial for being compliant with the MDR and the IVDR. CE marking legislation revolves around this concept.

For example, the concept determines if a device is covered by a temporal exemption like the grace period under the MDR or not. And now with the amended IVDR (here is my blog about it, adopted version here) the majority if IVDs for the European market are also subject to grace periods. It determines qualification and obligations of economic operators. And much more – just do a search of where placing on the market pops up in the MDR and IVDR – you will be amazed. That’s why its importance for the MDR and IVDR cannot easily be overstated and why it is so important that it is interpreted correctly.

MDCG 2021-27 Q&A on importers and distributors – sort of box of chocolates

Life, as they say, is like a box of chocolates: you never know what you’re going to get. MDCG guidance documents are very much like that too. Even if you’ve seen them coming in the consultation phase the end result may still surprise you. Some are really good, some are really good and complex, some are sub-optimal, and then there are the ones that raise more questions than they answer.

MDCG 2021-27 Questions and Answers on Articles 13 & 14 of Regulation (EU) 2017/745 and Regulation (EU) 2017/746 is in that last category.

Rather than summarize what the guidance does, there are two distinct points in the guidance that I would like to highlight and discuss: the interpretation of ‘placing on the market’ that it offers and the introduction of a new obligation for importers. All the other Q&A are basically not that new if you’ve read the Blue Guide. Did I mention already that people should read the Blue Guide more often? It answers so many questions about CE marking. If only people would read it more often. I will helpfully tag it a lot in this post, so you cannot miss it. Also look out for the new and improved version that is scheduled to come out hopefully soon and addresses unresolved questions on distance sales and dropshipping.

Precisely because the Blue Guide answers so many questions relating to economic operators already, it is very important that guidance on questions mostly already answered in the Blue Guide is consistent with the Blue Guide and other product or sector specific guidance (for example the Guide to Application of the Machinery Directive). This is even more important because the MDR and IVDR are explicitly intended to be consistent with the other New Legislative Framework (NLF) legislation (recital 26 MDR and 23 IVDR), for which the Blue Guide provides horizontal guidance, so horizontal consistency of principles used in NLF legislation is of the essence. What is NLF legislation, you ask? You can read all about it in section 1.2 of the Blue Guide – simplified: it is the regulatory template underlying all CE marking legislation (“all the elements required for a comprehensive regulatory framework to operate effectively for the safety and compliance of industrial products with the requirements adopted to protect the various public interests and for the proper functioning of the single market”).

Placing on the market – transfer of a ‘property right’ required?

There is definitely a need for guidance on the interpretation of the MDR and IVDR defined concept of ‘placing on the market’, which determines if a specific person or legal entity is an importer for the purposes of the MDR or IVDR. As the Blue Guide states, ‘placing on the market’ is the most crucial term in NLF legislation, so better understand it well. And in my experience the term is generally not understood very well because I receive a lot of questions about its interpretation.

However, the term is also explained in a great level of detail in the Blue Guide (which I encourage everyone to read). For this reason, you would expect that the MDCG would be very careful with providing interpretation on widely used horizontal NLF concepts like placing on the market, to avoid inconsistencies. Unfortunately, the MDCG did not seem to be so precise in this guidance.

Close reading of the guidance shows that either the MDCG is limiting the interpretation of placing on the market a lot compared to the Blue Guide and defined concept of placing on the market in the law, or the MDCG has left crucial typos in the guidance. For the moment I am betting on option two.

The MDCG defines placing on the market in the guidance in the answers to questions 2 and 3 as: 

“if a legal entity established in the Union obtains (via a transfer of ownership, possession or any other property right, which does not necessarily require the physical handover of the product) a device from an economic operator established in a third country and places an individual device on the Union market (i.e. the first making available), that entity is acting as an importer of the individual device.” (emphasis added)

The emphasized word “property” does not appear in the Blue Guide as a condition for placing on the market, does not appear in the definition of placing on the market in the MDR, IVDR, Market Surveillance Regulation nor does it appear in any other NLF legal act or guidance of which I am aware that defines and/or clarifies placing on the market. The Guide to Application of the Machinery Directive for example, which discusses placing on the market (and even contractual aspects of placing on the market) in quite some detail, does not mention the requirement of transfer of a property right either.

The Blue Guide explains making available (the crucial element in the concept of placing on the market) as

The making available of a product supposes an offer or an agreement (written or verbal) between two or more legal or natural persons for the transfer of ownership, possession or any other right (other than intellectual property right) concerning the product in question after the stage of manufacture has taken place. The transfer does not necessarily require the physical handover of the product.

This transfer can be for payment or free of charge, and it can be based on any type of legal instrument. Thus, a transfer of a product is considered to have taken place, for instance, in the circumstances of sale, loan, hire, leasing and gift. Transfer of ownership implies that the product is intended to be placed at the disposal of another legal or natural person.

(see Blue Guide 2016, section 2.2)

The Guide on Application of the Machinery Directive, which even has a helpful section § 74 discussing ‘The legal and contractual forms of placing on the market’ states:

“Placing on the market is defined as making machinery available with a view to distribution or use. Making machinery available implies that the machinery will be transferred from the manufacturer to another person such as a distributor or a user. However, it could be that the distribution operation is part of the manufacturer’s own business, in which case it is when the item moves from the production area/factory to the distribution warehouse ready to be supplied. There is no restriction as to the legal or contractual form of this transfer.
In many cases, but not exclusively, placing on the market involves a transfer of the ownership of the machinery from the manufacturer to the distributor or user in exchange for payment (for example, sale or hire-purchase). In other cases, placing on the market may take other contractual forms (such as, for example, lease or rental). In such cases, the right to use the machinery is granted in exchange for payment, without transfer of ownership. The Machinery Directive applies to such machinery when it is first subject to a lease or rental contract in the EU.” (emphasis added)

Guide on Application of the Machinery Directive, § 74

See: no ‘property right’ required, because otherwise transfer by ‘any other right’ would not have been possible. Requiring a ‘property right’ as a necessary condition would would limit the interpretation given in the Blue Guide considerably and it would restrict contractual forms of transfer of which the Guide to Application of the Machinery Directive says are unrestricted, but it does appear in the answers to questions 2, 3 and 9 in MDCG 2021-27. Yet, in the answers to questions 2 and 10 the MDCG correctly refers to “any other right” in relation to making available (the crucial element of placing on the market) as explained in the Blue Guide rather than any ‘property’ right, and thus refers to the Blue Guide and defined term in the MDR, IVDR, Market Surveillance Regulation and other CE directive and regulations correctly. But since ‘making available’ is defined separately in the MDR (article 2 (27)) / IVDR (article 2 (20)) and is an element of the definition of placing on the market in article 2 (28) MDR / article 2 (21) IVDR, it cannot mean different things in relation to an importer and a distributor because it is one and the same defined concept. This is however precisely what the guidance does in its use of property right in relation to (first) making available by importers and not using property right in relation to making available by distributors.

This means that we have inconsistent use of the definition of placing on the market in the guidance document, which creates a rather confusing situation. Not only is this interpretation inconsistent with basically every other CE instrument, horizontal guidance (the Blue Guide), old guidance specifically for medical devices (the Commission’s old notice on placing on the market of medical devices) and other NLF specific guidance (like the the Guide to Application of the Machinery Directive), but it also upsets existing tax planning of devices companies. Requiring a transfer of ‘property right’ as a condition for placing on the market will have severe consequences for the supply chain tax planning of a lot of international companies. These companies often rely on retention of title by legal entities outside the Union far beyond the point of placing on the market as a matter of tax planning. If these companies really need to transfer title or ‘any other property right’ to the devices placed on the market to the MDR/IVDR importer as a necessary condition for placing on the market, this is a big change to the existing situation that the MDCG might really have spelled out more clearly in the guidance. It will require costly revisions of tax structure for many manufacturers that will take time to implement.

No surprise therefore that I have had several clients and other interested parties asking why the MDCG seems to be limiting the scope of the concept of placing on the market for no apparent reason, which is what I’ve been wondering myself too. Basically there is no conclusive answer to this question at the moment. Given the inconsistent use of the terms ‘any other right’ (correct) and ‘any other property right’ (incorrect) in the guidance document itself this seems like an oversight on the MDCG’s part. Maybe they can fix it in an update of the guidance document. It’s not like the MDCG has not released new versions of guidance documents before. However, if the MDCG’s intention indeed is to limit the interpretation of the concept of placing on the market compared to the law and every other official EU guidance document out there, and moreover in a way that it will require many devices companies to revisit their current supply chain tax planning, it would be nice to have some more guidance about the special status of the concept of placing on the market under the MDR and IVDR compared to other NLF regulation.

Importer (re-)labeling?

Another interesting point is made in the answer to question 7 in the guidance (“What should an importer do in the case where an individual device already mentions another importer’s details on its packaging?”). In the answer the MDCG states:

“In the unusual case where details of another importer already appear on the packaging of an individual device (for example, the individual device has been exported and then re-introduced to the Union market), the importer should verify if the individual device has previously been placed on the Union market. This may be done by contacting the manufacturer. The importer should replace any previous importer details with their own, if having investigated the issue, they determine themselves to be the correct importer. The label with the previous details will be void.

If having investigated the issue, they determine the other importer already mentioned on the packaging as the entity that placed the devices on the market, they will assume the role of distributor for this device and thus should comply with Article 14 of the Regulations.”

Declaring a label ‘void’ is an interesting and very legal choice of words that pushes my lawyer buttons. Void means ‘not having validity anymore’, which I’m not sure is a qualification that you can use with respect to a label. A label as such does not have legal effect (like a contract, or a binding offer) so can not be (in)valid or void; it can only be compliant because it meets a legal requirement (or not). Rather the MDCG might have specified that the label with the previous details is non-compliant and should be removed or the device with the non-compliant label should be made available further. This would have tied in much better with the terms in which the importer obligations are formulated in article 13 MDR/IVDR.

So how does an importer determine if he is ‘the correct importer’? Simple: read the definitions of importer in the MDR/IVDR (and of course guidance in the Blue Guide) and the answer is obvious: you can only be an importer if you place a device on the market (i.e. make it available for the first time). Accordingly, if the device was already placed on the market before export, then it already has an importer and it is not placed on the market for the purpose of CE marking / NLF legislation again if it is re-imported in the Union (see specific guidance on this point in – you guessed it – the Blue Guide). In that scenario the previous importer is the ‘correct’ importer and the second ‘importer’ is not an importer for the purposes of the MDR/IVDR but a distributor for the purposes of the MDR/IVDR (which is correctly clarified in MDCG 2021-27 under question 7) – even though the second ‘importer’ may be an importer for customs law purposes, but customs law is a different legislative system with its own divergent definitions. The customs law importer is not necessarily the same entity as the MDR/IVDR defined importer – important point because I see many people not understand this in practice.

The requirement for the importer to verify status of the device with the manufacturer in case of an already applied importer label is an interesting and actually new requirement that does not have a specific basis in article 13 or elsewhere in the MDR or IVDR (nor is mentioned in the Blue Guide or other NLF regulation guidance that I am aware of). So where does this come from? It might be that the MDCG considers this a specific application of the importer duty to cooperate with the manufacturer to achieve an appropriate level of traceability (article 25 (1) MDR / 22 (1) IVDR). It might also be that the MDCG considers this part of the verification duty of the importer in article 13 last para MDR/IVDR, because the importer is deemed to have reason to believe that the device is not in conformity in this case and must then inform the manufacturer. Either way, good guidance would have specified a specific legal basis for a new requirement rather than magically pull it out of a hat like this. If we would have had a specific legal basis, it would have added weight to the binding nature of the requirement rather than just being a statement in a guidance document with a disclaimer on its cover page that it is not legally binding. In my view, this is not how good guidance should be written. One would rather start with an existing requirement that has a legal basis, and then clarify that requirement. One would not invent a requirement that seems practical for one’s own purposes and then make it look like it is official without mentioning a legal basis. Guidance is about clarifying rules, not making them up.

The question is also how helpful verification with the manufacturer is, because the manufacturer (in the scenarios where you need an importer) is not placing devices on the market – so how would the manufacturer know if the device was placed on the market previously? The manufacturer may be able to identify the economic operator to whom he supplied the device (as he must be able to do pursuant to article 25 (2) MDR / 22 (2) IVDR) but the manufacturer does not control whether the importer places the device on the market or not (for example because the importer decides to reserve the device for export without informing the manufacturer). Rather, the importer could just verify in Eudamed if the device has already been registered with an importer in accordance with article 13 (4) MDR/IVDR because that would answer the question conclusively – but wait … Eudamed is not so functional yet unfortunately and the necessary modules are only available on voluntary basis at the moment. Let’s hope it will be functional at some point so these things can be done more reliably. Current timeline for full functionality not known – the rolling plan does not commit to a timeline so it really depends on who you ask. Some say somewhere 2022, some say somewhere 2023.

So – room for improvement

Guidance is supposed to clarify, not to confuse or make new rules. In that light, MDCG 2021-27 can certainly be improved and be made consistent with definitions in binding law, as well as horizontal guidance (Blue Guide anyone?)

Unless I am completely mistaken about the need for a transfer of title or property right as a necessary condition for placing on the market the MDCG 2021-27 is up for a clarification of whether the MDCG changes the scope of the concept of placing on the market or not. Transfer of title or property is certainly not a necessary condition for placing on the market in my opinion. It would be too easy for the MDCG to rely on the self declared non-binding nature of the guidance (see the disclaimer on the cover page) and leave it to the market to sort out this confusing use of the term, especially given the consequences for companies’ supply chain tax planning.

The importer verification requirement is new, so it would have been nice to explicitly link it to a clause in the law. Otherwise it’s non binding guidance that just leads to discussion with competent authorities and notified bodies that actually in practice do apply MDCG guidance like it is law.

Several MDCG guidance documents are already in second or even third iteration by now. This one deserves a place in that group as soon as possible.

And, by the way, happy holidays everyone! I wish you a lot of correctly answered questions about the MDR and IVDR in 2022.

IVDR amendment proposal update: moving on up to adoption

I recently reported about the proposal to amend the IVDR immediately when it came out – please excuse the initial inaccuracies in the post on the subject of amendments to article 5 (5) IVDR (in-house produced devices) due to my enthusiasm to get the news out quickly. In the mean time I have fixed these in the text of the blog post. If you have been emailed the text of the initial post about the proposal in the normal blog mailing, please check again on this blog online for the latest (and now accurate) text.

Legislative procedure progress

In the mean time the IVDR amendment proposal has been flying under the radar in an accelerated legislative procedure that will take a major step in the  Employment, Social Policy, Health and Consumer Affairs Council (EPSCO Council) meeting on 6-7 December, where the proposal will be summarily dealt with under the heading of other business. The Council has decided not to amend the text proposed by the Commission and will therefore approve the EP’s first reading position in case it would also decide to adopt the regulation as put forward by the Commission. Obviously this is important information because this basically fixes the final text of the amendment unless the Parliament is going to propose amendments, which would slow down the proposal considerably.

At this time I know that the Parliament’s ENVI Committee has been looking at the proposal but has not taken a decision yet on first reading. This means that the eyes are on the ENVI Committee because at Council level the proposal is a done deal and the text could be adopted very quickly now.

Grace periods and sell-off periods

In the mean time I’ve had the opportunity to look a bit more closely at the stacked grace periods set up under the proposal under amended article 110 (3) IVDR, which graphically look as follows:

As you can see above the stacking involves stacked grace periods in all cases except class A non-sterile devices – they have to meet the IVDR requirements in full as of 26 May 2022, which remains the date of application for the IVDR.

The year-extra sell-off period for devices placed on the market lawfully during the grace period, which we know from the MDR has been implemented in the IVDR for the respective grace periods, except that this did not lead to an additional year in the case of devices with an IVDD CE certificate, these could already be sold off until 26 May 2025 under current article 110 (3) IVDR.

In-house produced devices

In the mean time the amendments to Article 5 (5) IVDR (in-house produced devices – often but inaccurately referred to as LDTs) are hotly debated, because contrary to what many health institutions / labs (still) believe not all requirements of Article 5 (5) IVDR are delayed (see my previous post about the proposal for more detail on the delays proposed for certain, but not all requirements).

The introductory paragraph of Article 5 (5) (GSPRs in Annex I apply), Article 5 (5) (a) (no transfer between legal entities) and the final two paragraphs of Article 5 (5) regarding competent authority oversight and the prohibition to manufacture at industrial scale will apply immediately as of the date of application of 26 May 2022, without grandfathering. 

National requirements on reporting and possible prohibitions on certain categories of in-house devices can kick in as of that date and health institutions should make sure that they are aware of those.

No delay!

For those that were still hoping that the IVDR would be delayed, now is the time that this will not happen. At best your device is subject to a grace period or for the in-house produced devices a partial exception to the requirements, which gives you more time to transition and to spread resources, but the date of application is firm. Given the persisting lack of notified bodies for the IVDR and the relatively large amount of IVDs needing a first CE certificate compared to available notified body capacity, there is no time to sit on your hands during the grace period, or even before the date of application, as I have often written on this blog.

Proposal to manage IVDR

It had been been in the works for some time, although it also seemed unlikely for quite some time that this would happen. The implementation of the IVDR had been the slow little, neglected sister of the MDR implementation with greatly insufficient notified body capacity becoming available, and crucial elements of regulatory infrastructure (like the reference labs) still missing.

The MDCG published the Joint Implementation Plan for the IVDR in which it stated that there were serious issues with the IVDR that needed resolution.

Then the Council requested the Commission to prepare a legislative solution to deal with the problems plaguing the IVDR at the EPSCO Council of 15 June 2021. And also the European Parliament asked for a solution.

After an assessment of data on market readiness collected by the European Commission during the first half of 2021 the Commission concluded that Member States, health institutions, notified bodies and economic operators will not be in a position to ensure the proper implementation and application of the Regulation from 26 May 2022.

Now the proposal has been made public.

Let’s take a closer look at the proposal and see what we can say at this stage:

Is the proposal the anticipated “delay”?

Many have been hoping for a ‘delay’, often without being very clear of what they hoped that the delay would look like. The proposal is not a delay (because the date of application of the IVDR does not change – remains 26 May 2022), but something much more sophisticated and certainly not a one size fits all solution. The proposal does not simply move the date of application with one year as happened with the MDR (although there were additional tweaks too with the MDR). Given:

“the limited notified body capacity, the number of devices that need to undergo a conformity assessment involving a notified body should be spread over a longer period, allowing for a gradual phase-in of the new Regulation’s requirements while prioritising high-risk in vitro diagnostics. This can be achieved by amending Article 110 of the Regulation on transitional provisions, providing a period for existing higher risk class devices that is shorter than the one for existing lower risk class devices. At the same time, the existing transitional period for devices covered by notified body certificates issued under Directive 98/79/EC should be extended by 1 year until 26 May 2025. This will avoid that the transitional periods under Regulation (EU) 2017/745 and Regulation (EU) 2017/746 end at the same time and lessen the strain on Member States’ competent authorities, notified bodies, manufacturers, health institutions and other actors who deal with both medical devices and in vitro diagnostics.”

Proposal, p.4

Accordingly, the proposal is a combination of measures:

  • IVDR risk class based phase-in (much like happened under the December 2019 MDR corrigendum for up-classified class I devices); and
  • moving the backstop date of the IVDR grace period (to “lessen the strain on Member States’ competent authorities, notified bodies, manufacturers, health institutions and other actors who deal with both medical devices and in vitro diagnostics “, Proposal, p. 4).

These changes are made in article 110 IVDR, the article that sets out the transitional regime. If you apply track changes to the text of article 110 (2) – (4) IVDR as the proposal changes them this looks as follows:

Tracked changes overview of amendments proposed to Article 110 (2) – (4) IVDR

No provisions seem to be made for ‘normal’ class A devices (only for sterile ones), which means that the date of application is set in stone at 26 May 2022 for normal class A devices, for example the lab instruments. Special categories of devices, such as companion diagnostics, seem to be addressed in the proposal by their risk class (which would be C for companion diagnostics).

As said and as you will have seen, the proposal is not a one size fits all solution. This means that every IVD company (manufacturers, but also importers and distributors (see below under legacy devices) )will need to check for each of its IVDs in which class it will end up in order to be able to see what the consequences of the proposal are (provided that the proposal is not altered in the legislative procedure of course). This means that you get to work with the MDCG IVDR classification guidance, which has been described in a lot of detail in the annotation of Annex VIII of the IVDR in my book The Enriched MDR and IVDR.

Legacy devices under IVDR

The result of the proposal is that unlike as originally intended under the IVDR there will now be a pretty large group of legacy devices on the market that will need to apply certain parts of the IVDR already as per date of application. The parts of the IVDR that have to applied for legacy devices will be bigger than is evident at sight, because an MDCG task force has issued an internal document in September stating that legacy devices under the MDR are subject to for example most parts of article 13 (importers) and 14 (distributors) MDR as well, which means that the same will apply for the IVDR. Unfortunately this document is not public (yet). It will however serve as input for other MDCG guidance, such as (I would expect) the impending MDCG guidance Q&A on importers and distributors.

While the document does not explicitly address the IVDR it would not be logical if it would not apply to the IVDR in the same way, since the economic operator provisions are identical and supposed to be interpreted the same. So, if you were betting on your legacy devices being out of scope of economic operator provisions of the MDR and IVDR, think again.

As I have seen with the MDR, manufacturers of legacy devices have found it very difficult to apply the article 120 (3) mandated parts of the MDR QMS that amended article 110 (3) IVDR would impose:

“the requirements of this Regulation relating to post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices shall apply to devices referred to in the first, second and third subparagraph instead of the corresponding requirements in Directive 98/79/EC”.

Article 110 (3) IVDR

In addition, the legacy devices cannot undergo any significant changes until thy are IVDR CE marked (see for the MDCG guidance for the MDR on significant changes (not yet ported to the IVDR – MDCG?). This means a lot more than most people think. For example, you will not be able to do important software upgrades to a software IVD device as this will almost always trigger a significant change. If you implement your merger or acquisition wrong, you may well trigger a significant change that may invalidate the commercial rationale for the merger or acquisition. If you think you are buying an IVD company with legacy devices and the seller advertises that the company will implement important upgrades to their legacy devices in the coming years, this will likely not be possible due to the significant change restrictions, so buyer beware!

In-house produced devices

The Commission proposes more time to transition for the in-house produced devices regime under article 5 (5) IVDR:

“As, since its outbreak, many health institutions, in particular hospitals, have had to focus all their efforts on dealing with COVID-19, the Commission proposes to also introduce a transitional period for the requirements for devices manufactured and used within the same health institution (‘in-house devices’). This will give health institutions extra time to comply with the new requirements and ensure that in-house tests, which are often essential –especially for rare diseases, can continue to be developed in clinical laboratories.”

Proposal, p. 3

This extra time is implemented by changing Article 113(3) IVDR, the article that manages what provisions are delayed applicable, by adding points (i) and (j): ‘

  • Article 5(5), points (b), (c) and (e) to (i), shall apply from 26 May 2024; 
  • Article 5(5), point (d), shall apply from 26 May 2028.’. 

In non-lawyers language this means that most of the points of article 5 (5) are delayed until 26 May 2024 and one until 2028, but not all of them! Article 5 (5) (a), the introductory paragraph of Article 5 (5) (GSPRs in Annex I apply) and the final two paragraphs of Article 5 (5) will apply immediately as of the date of application of 26 May 2022.

This means that health institutions, while they do not have to have a suitable QMS ready for in-house devices by the date of application, the first restrictions on in-house devices are a fact by 26 May 2022: no more transferring to another legal entity, Annex I GSPRs documented, no industrial scale production and Member State controls on notification and type of in-house devices manufactured and used.

Preliminary discussion

Personally I still think it is surprising how long it took the MDCG, the Council and the Commission to arrive at the conclusion that the IVDR was in dire straits, heading to a situation of creating significant collateral damage in the transition. I have also marveled at how badly prepared health institutions have consistently been for the IVDR and how hard it has been for them to come to grips with being directly regulated under the MDR and the IVDR.

The proposal will need to take its time now to go through the legislative procedure, which is normally a process of at least a year. However, as we have seen with he MDR delay proposal last year, this can go a lot faster with the right amount of political alignment having taken place beforehand (two and a half months give or take). The question is of course if the political alignment is there. While the European Parliament has asked for a ‘delay’ this may not be exactly what they had been looking for. Also, the European Parliament had felt kind of ambushed with the MDR delay situation, and expressed a wish to have more time the next time around (which is this time). This defines the window as anything between two and a half months from now and the date of application of the IVDR.

Will this proposal, if it makes it into law, save the IVDR’s transition?

It will, first of all, depend on critical infrastructure being delivered on time. Eudamed is still a total tricky headache, even if modest steps are made and more modules are available on a voluntary basis now (devices and certificates come online beginning of October). The current experience is with the MDR, but the IVDR is still somewhat different so lots of new issues to discover. It would help if sufficient reference lab capacity is available timely. There is still a lack of guidance on the IVDR, although a lot of the MDR guidance can be leveraged to understand similar mechanisms in the IVDR (I have made convenient comparison tables for this in my book).

Secondly, a necessary condition is that the IVDR does not fall in the same trap as the MDR with a huge pile-up of legacy devices at the end of the transitional period that has a good chance of not making it to a regulation certificate because of lack of capacity, see the Team-NB position paper on expiring certificates, which shows the huge bulge at the end of the grace period:

Position paper
Directives expiring certificates (Team-NB)

The staggered phase-in of IVDs by class will hopefully make somewhat of a difference for the IVDR, but in the end it depends on when the notified body capacity is available. As we have seen with the MDR, you cannot kick the can down the road and then bet on sufficient capacity being available later – which is precisely what happened for the MDR. And now the question is whether the system can pass this huge stone without too much collateral damage.

Thirdly, more notified bodies capacity is needed than there currently is. There is nothing that this proposal does to improve this. This capacity will not only need to be able to deal with the enormous amount of manufacturers that has never dealt with a notified body before (and will make every time consuming mistake in the book) but also with new manufacturer coming to the market with new products. I personally see in my practice for the MDR and IVDR at this moment that new manufacturers (especially the small and medium sized ones) needing a notified body basically have very little chance of getting on board at a notified body, impacting their time to market.

So, early days to say if this proposal will save the day. It will really depend if the MDCG, the Commission and the Member States will put the necessary resources on the table to make the transition a success and whether industry and health institution will also commit the resources to understand and apply the rules timely. Rules without resources are basically wishful thinking.

Can you drop preparation and sit on your hands now as manufacturer? Better not, this is a proposal – it may not make it. If not, you will be faced with the current implementation schedule. So continue on your timelines for the moment. If you are an importer or distributor of legacy IVD devices, start learning because you will have a role to play in the system as well.

Happy MDR DoA and Swixit / noTurkxit day!

As they say: this is the first day of the rest of your life, and in a way it is. The MDD is dead, long live the MDR!

The (AI)MDD is no more now, but is it?

Three important events happened today that are all relevant to this question: the MDR became applicable, the Swixit that seemed to be entirely avoidable happened anyway by the Swiss throwing their medical devices industry under the bus by walking out on the last minute negotiations to avoid a really hard swixit (my impression of the chain of events) and mysteriously Turkxit did not happen.

Net result: we have a newly applicable MDR, for a smaller Union (minus Switzerland), and the (AI)MDD is still around.

MDR applicable

With the MDR becoming applicable we have now entered the period that many people call the ‘grace period’, which may turn out to be a period of fierce grace to many, during which the MDD and the MDR will actually co-exist much like the Siamese twin monster from Sesame Street, for several years to come. Notified bodies that are not notified anymore for the directives still remain alive for surveillance of these certificates, and these devices may not be subjected to a significant change, as that will lead to termination of the certificate.

During this period, it is crucial for every economic operator dealing with the MDR to understand the legalese part in the back of the MDR: articles 120-123.

Article 120 (3) MDR, as the heading of article 120 suggest, provides for transitional provisions. These apply to devices that have a CE certificate under the AIMDD and the MDD with a validity beyond the date of application of the MDR or a declaration of conformity for a device that would need a notified body assessment under the MDR. All other devices must be fully compliant with the MDR as of today.

Article 120 (3) MDR provides that these devices may ride out the CE certificate or declaration of conformity, provided that the manufacturer already implements certain elements of the MDR: post-market surveillance, market surveillance, vigi­lance, registration of economic operators and of devices in place of the corresponding requirements of the Directives. Article 120 (3) is silent on what the manufacturer needs to do with the all the additional elements of the MDR, such as importer and distributor requirements in articles 13 and 14, the PRRC and the implant card in article 18.

One way to look at it is to say that article 120 (3) intends to create a self-contained bubble of an exemption regime for legacy devices within the universe of the MDR, valid between the date of application and 26 May 2024, but this is not unambiguously stated in the text of the MDR – a kind of space/time anomaly as we know from Star Trek, in which normal rules of MDR physics do not apply.

Another way to look at it is to say that what is not delayed, is not delayed. Article 123 MDR governs the entry into force and date of application of (parts) of the MDR. Notably, article 123 (3) contains a list of derogations from the principle that everything in the MDR is applicable as of 26 May 2021. Some articles referred to in article 123.3 apply before that date (e.g. the articles on national authorities for the MDR and the formation of the MDCG) while others are deferred to later dates, notably article 123 (3) (d) that delays application of everything to do with Eudamed until a later date now that Eudamed is not fully functional before 26 May 2021. Since article 123 (3)is the exemption to everything applying as of 26 May 2021, one must assume that everything not delayed under article 123 (3) is not delayed. The provisions not delayed include articles 13 – 18 MDR, as these are not mentioned in article 123 (3).

If you’d like more detail, check out this podcast in which I discuss these options with Gert Bos.

Given these two seemingly conflicting theories, how can a manufacturer reconcile his obligations for legacy devices?

There are two options.

The first option is to treat article 120 (3) as a self-contained regime within the MDR (the space/time anomaly theory), in which the old provisions of the Directives continue to apply, plus only the MDR elements explicitly mentioned in article 120 (3), imprecise though as these are described there. This option requires that the manufacturer is able to run parallel QMSes for legacy and MDR products for the duration that he still places legacy devices on the Union market. Also, it requires that his supply chain can tell legacy devices and MDR devices apart and treats them differently, because in the space/time anomaly articles 13 (importers) and 14 (distributors) and 25 (traceability of devices) do not apply, but the obligations for registration of devices and economic operators do (see article 120 (3)). You can imagine that this is not for everyone and that many manufacturers that I know choose to just not make this difference.

The second option is to adopt the not delayed MDR obligations ‘early’ and also adopt the MDR elements that are not explicitly mentioned in article 120 (3) but which are also not delayed under article 123 (3) and which are not relevant to MDR conformity assessment only – remember, you don’t have to redo conformity assessment for a legacy device. This allows the manufacturer to transition to a single QMS for all devices, which will not only be practical internally but also for the supply chain. This is also the position adopted by several competent authorities and is supported by recital 98 of the MDR. Recital 98 states that the Directives should  be  repealed  to  ensure  that  only  one  set  of  rules  applies  to  the placing  of  medical  devices  on  the  market  and  the  related  aspects  covered  by  this  Regulation. Of course you could still argue that this one set then makes an exemption for legacy devices, creating the space/time anomaly – but still I think this is not the most logical interpretation.

Which one to choose? I know that this has still not been decided upon in guidance (none of the legacy devices guidance documents addresses this, only registration in Eudamed, see here and here) and that there are different schools of thought on this subject.

The authorities that I spoke with seem to favor option 2 and this is also the option that I think is the more logical of the two.

Swixit

The last couple of days were a wild ride: the Commission and the Swiss were negotiating about an amendment to the Mutual Recognition Agreement (MRA) to avert the worst consequences of Swixit, and the Swiss walked out of these negotiations at the very last day (my impression of events). The more nuanced version of the Commission:

“However, and although we do not expect potential disruptions in the health sector during the COVID-19 pandemic, on 30 March 2021 the EU proposed to Switzerland as a precautionary measure a limited modification of the medical devices chapter of the MRA providing for a transitional validity period for existing devices with Swiss certificates until 26 May 2024 (at the latest) and the same transitional validity for certificates issued in the EU. Despite consistent efforts and EU readiness to conclude such a transitional arrangement, the proposed modification was not agreed ahead of 26 May 2021.

As a result, until a potential agreement on the proposed modification to the MRA is reached, the trade facilitating effects of the MRA for medical devices, including the mutual recognition of conformity assessment results, the absence of the need for an authorised representative and the alignment of technical regulations, cease to apply as from today Wednesday 26 May 2021.”

In other words, remember Brexit? Yep, this is the similar except limited to the devices regulatory framework. For the moment, because absent a comprehensive agreement for Switzerland’s relationship with the EU (the Institutional Framework Agreement, process started in 2014, agreement reached in 2019 and Switzerland refusing to implement it ever since – sounds like Brexit, no?) the EU will push Switzerland out of the internal market one MRA at a time by refusing to renew every MRA that expires because the legislation subject of the MRA changes.

Consequences please! Oh yeah, see this stakeholder notice for that:

  • For all new devices, Swiss manufacturers will be treated as any other third country manufacturer intending to place their devices on the EU market. In particular, new Swiss medium and high-risk devices must be certified by conformity assessment bodies established within the EU.
  • Existing certificates issued under the MRA by conformity assessment bodies established in Switzerland will no longer be recognised as valid in the EU.
  • For existing certificates issued under the MRA by conformity assessment bodies established in the EU, Swiss manufacturers and third country manufacturers whose authorised representative was previously established in Switzerland, must designate an authorised representative established in the EU.
  • On 19 May 2021, the Swiss Federal Council adopted an amendment to the Swiss Ordinance on Medical Devices establishing conditions for trade of medical devices covered by EU issued certificates on the Swiss market. This includes the recognition of existing certificates issued under the MRA by conformity assessment bodies established in the EU and transitional timelines for the designation of a representative in Switzerland for EU/EEA manufacturers of medical devices.

Market participants (e.g. affected manufacturers, EU importers and distributors, authorised representatives) as well as EU market surveillance and customs authorities in Member States must now:

  • (since existing certificates issued under the MRA by conformity assessment bodies established in Switzerland will no longer be recognised as valid in the EU as of 26 May 2021) ensure that medical devices are certified by an EU conformity assessment body where such certification is required on the basis of the applicable conformity assessment procedure;
  • ensure compliance with the requirements for economic operators, in particular the need for an EU authorised representative;
  • comply with the requirements on registration and labelling of products.

And this is not all, just what the Commission can tell us today. More consequences still potentially to follow.

No Turkxit

There is basically no public information about the Turkxit having been averted for devices, but I can tell you that the Commission informed the member states that the last steps that were needed to solve the ‘personal data protection issue’ have now formally been taken, and that Turkey is now continuing to be a Union member state for the purposes of the MDR and IVDR.

This will likely have everything to do with Turkey having access to all the personal data in Eudamed, but we will need to see this confirmed in public communication – developing story as they would say in the press.

Turkey had its MDR and IVDR legislation ready to go, and is now a continued valued member of the Union market in which devices can freely circulate once placed on the market lawfully.

Onwards and upwards

Are we discouraged by all this complexity? Of course not.

We have now gone through the looking glass of the MDR, and have found ourselves in the wondrous universe of the MDR that we will need to work with for the coming decades, saying “Curiouser and curiouser!” and sometimes believing as many as six impossible things before breakfast – we may even be agreeing that we’re all mad here.

Personally I’m with the Dodo, who said that “the best way to explain it is to do it.” Onwards and upwards!

The Enriched MDR and IVDR – finally available

Finally and just in time for the date of application of the MDR: here it is, the book that I’ve been working on for a long long time.

It turns out that writing books while having a more than full-time job running a law firm and being a busy lawyer is a bit of a challenge.

I chose not to do this via a publisher but rather self-publish because in my long career as a publishing legal writer I have been consistently underwhelmed and sometimes badly disappointed by what a publisher does for an author (the good people at RAPS being the positive exception by the way). 

But here we are now and there you have it: the first book that I am aware of about the MDR and IVDR that contains this degree of commentary on the entire MDR and IVDR at state of the art around the date of application of the MDR, available as a stamped PDF (like when you buy an ISO standard) or as an ePub format eBook that you will be able to read on your tablet of choice with basically every e-reader software. I recommend using a good quality tablet with a color screen to read the book, because it has nice colors and high resolution flow charts and diagrams in it.

An esthetically pleasing tool

The book is set up as claimed in the title (intended purpose, right): it’s an enriched of the MDR and IVDR texts in that it provides:

  • An introductory chapter describing the history of the medical devices directives and EU medical devices policy, explains why the MDR and IVDR turned out the way they did and discusses them on a high level (part 1);
  • The current text of the MDR including annexes with comments on an article by article and clause by clause  basis for both the regulation and the annexes (not all articles and clauses have been commented yet, but this will grow over time). All implementing acts, MDCG and CAMD guidance, European Court medical devices case law and a lot of notified body and branch association guidance are all discussed in context of the articles and clauses of the MDR (part 2);
  • Same for the IVDR (part 3);
  • A section with sources of reference materials, helpful for staying informed and finding furthter information (part 4); and
  • A section with a number of useful tables, such as a comparison table between the MDR and IVDR (so the IVD industry readers can easily see which wheels have already been invented in the general devices world) and a comparison table between the clinical investigation provisions in the MDR and the Clinical Trials Regulation (since the legislator’s intent was that they should align to a high degree) (part 5). 

I’ve tried to write this book as a tool that I like to use in daily practice myself, and not as a pretty paperweight.

This is why I decided to go digital only for the moment and make the book easy to navigate with crosslinks from the table of content to every article in the MDR and IVDR and make as much content as possible on the internet directly accessible from the book as URLs, so you can quickly get to the underlying sources. Of course this can be improved and it will be in future editions.

Since it is all digital text, it’s full text searchable! Very convenient compared to paper books.

Last argument against paper (I’ve looked into print-to-order possibilities) is that the book would become prohibitively expensive if you want a book of nearly 1200 pages (the PDF version) printed and bound in good quality that can take a beating in daily use. However, if there is a big ask for paper versions, I can explore a paper option.

Most legal and regulatory books are intensely boring, not very appealing to look at and underwhelming from a design perspective. I wanted something different and more appealing so I’ve invested in a specific design language for the book. My law firm’s designer Hamid Sallali (http://thisishamid.com) did a great job on the design and coached me through the development process with a lot of patience and humor – if you need great digital graphic design he’s your man. I believe that a book should be esthetically pleasing and easy on the eyes. For that reason we have payed extra attention to layout with a non-standard and beautiful font that is specifically easy to read on a screen, good quality images in colour and appealing design elements for separator pages. 

Of course there are still things that can be improved, and they will be in later editions. Please send any feedback to erik.vollebregt@axonlawyers.com.

Kudos!

No person is an island, and neither am I. This book was proofread at various stages of completion by a group of people that I hold in high regard in the medical devices field: Sabina Hoekstra-Van den Bosch, Amélie Chollet, Kees Macquelin, Bassil Akra and Ronald Boumans.

They each provided very valuable input and useful different perspectives on purely personal title. All remaining mistakes and inaccuracies are my own of course. 

And then there is the contribution of two other people that I have the privilege of working with on a daily basis: my awesome colleague Cécile van der Heijden who was instrumental for the data protection (GDPR) and clinical investigation entries and my fantastic paralegal Thijs Mooren who continuously helped tame the ever expanding manuscript, made sure that the right information ended up in the right place, made flowcharts and took care of all horizontal referencing between the MDR, IVDR and old directives and other features that make the book more usable and useful.

Developments and discounts

One of the advantages and disadvantages of a book is that it is fixed content: you can easily carry it around in your tablet or computer without need for connectivity, but it is fixed content. Please be mindful of this when using the book. The MDR and IVDR are in full flux still and there is a lot happening in the field of horizontal legislation, like Turkxit apparently having been averted in the last days before DOA, Swixit still under hectic negotiation, the Market Surveillance Regulation becoming applicable as of 16 July, the proposal for the AI Regulation, the proposal for product liability class actions in the medical devices and IVD space, notified bodies being held liable for insufficient surveillance of manufacturers, revision of the GDPR and so on.

Documents on the internet may move, links may be broken (one of the reasons for delay of the book was that I had to correct a lot of links in footnotes that turned out not to be valid anymore). Even some new MDCG guidance became available in May 2021 that I was not able to process for the book anymore.

Accordingly, the book (while up to date as per beginning of April 2021) will not capture developments after that date.

A next edition will close that gap of course, and readers that buy this first edition in the first two months after the date of application of the MDR (so before 26 July 2021) will receive a discount code for a 20% discount that can be applied to their purchase of the second edition.

Competent authorities

If you are working for a competent authority or another public institution involved in the devices field, I know that you will probably not have any budget to buy flashy eBooks but may still be interested in this book.

If you think it would be useful to have this book for your work, please send me an email (erik.vollebregt@axonlawyers.com) and I will provide you with a copy for free.

Universities

If you are a university or other teaching institution and would like to include the book in your curriculum, that would be awesome! Send me an email and I will make sure that your students will get a good deal. 

Come and get it!

Oh, and finally – you can get the book here in PDF (to use on whatever PDF reader on any device that you like) and in ePub format (to use specifically on eReaders):

I hope that the book will be useful for you and that you’ll enjoy using it. If you like it, tell others – if you don’t, tell me.

The new EU AI regulation proposal, medical devices and IVDs

Now this is fun: at a time just before the date of application of the MDR when we do not even have harmonised standards for the new software requirements in Annex I, section 17 MDR and Annex I, section 16 IVDR, the Commission proposes new mandatory regulation to supplement the the MDR and the IVDR that overlaps mostly with the MDR and IVDR.

Ladies and gentlemen, I give you the proposal for a a regulation laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act for short, or the AIA for even shorter).

This post is a first quick impression of the proposal, especially with respect to its effects in the medical devices and IVD space. It’s fairly long and winding, because I did not have time to write something more concise.

Background

Nobody wants to be left behind when it comes to AI and its regulation, and everybody still wants their jurisdiction to be attractive to innovation. The AIA is part of the EU’s artificial intelligence strategy that covers many aspects of AI, such as legal personality for artificial beings, liability, copyright and ethics for AI deployment and functioning.

The AIA is intended to underpin the risk and benefits aspects when deployed in the world, as to ensure that AI remains trustworthy and in service of humans (‘human-centric’, as the proposal calls it), as well as operate within the boundaries of the law. In healthcare this would look like the proverbial holodoc AI from Star Trek Discovery (which show has, apart from the worst character ever developed in the Star Trek universe (Neelix), also epic characters such as Captain Janeway).

We knew that this proposal was coming, because the Commission had announced in its White Paper on AI that EU product legislation would be impacted, and mentioned medical devices regulation specifically in that context:

“The proposal sets harmonised rules for the development, placement on the market and use of AI systems in the Union following a proportionate risk-based approach. It proposes a single future-proof definition of AI. Certain particularly harmful AI practices are prohibited as contravening Union values, while specific restrictions and safeguards are proposed in relation to certain uses of remote biometric identification systems for the purpose of law enforcement. The proposal lays down a solid risk methodology to define “high-risk” AI systems that pose significant risks to the health and safety or fundamental rights of persons. Those AI systems will have to comply with a set of horizontal mandatory requirements for trustworthy AI and follow conformity assessment procedures before those systems can be placed on the Union market. Predictable, proportionate and clear obligations are also placed on providers and users of those systems to ensure safety and respect of existing legislation protecting fundamental rights throughout the whole AI systems’ lifecycle. For some specific AI systems, only minimum transparency obligations are proposed, in particular when chatbots or ‘deep fakes’ are used.” (P. 3 proposal)

Keywords of the proposal are ‘trust’, ‘safety’ and ‘human-centric’: 

“If AI is to be a tool for genuine public good, then the public must understand it. As well as promoting transparency and explainability, national governments and international bodies like the EU should be investing in skills. Not so we know the minutiae of how every AI application works but so we can trust, based on evidence, that its impact is positive.”

From EURACTIV: https://www.euractiv.com/section/digital/opinion/ai-rules-must-help-increase-public-trust/

As we have seen with other tools for genuine public good like vaccines, this will be a very hard sell to the public. The public is showing time and again that it is not very good at understanding even well-understood technology for good, often assisted in utter misguidedness by the very companies that stand to be regulated by this proposal (yes, you, Facebook, for example).

Also, as long as we have large data breaches in the news every day and companies hoarding data are evidently not doing this for the public good, this will be an even harder sell. 

All the sci-fi movies about evil AI that decides that its first post singularity to-do item is to rid the world of humanity have probably not helped very much either.

Finally, member states are generally totally lacking in teaching the skills humans need to understand IT services that they consume (positive exception: the Finnish, that left the EU the Elements of AI course as a gift after the last Finnish presidency – that a was a cool course to do and I enjoyed it, thanks very much!). 

So, before I start picking this proposal apart to discuss how it could be improved, let me say that it is very difficult to put together a piece of horizonal legislation that is supposed to regulate very complex technology that few people really understand, and then regulate it in a way that its use produces net benefits for society. This regulation could be a project much like the GDPR (as you will read below it has a lot of overlaps with it) which was supposed to curb companies (like Facebook) that were not planning to do anything good for society at all, but rather use it as raw material for their own purposes. The difference with the GDPR is that the GDPR is very much principle based regulation (requiring a lot of clarification in guidance and notoriously imprecise and the AIA is technical essentially goods legislation, relying more on standards and conformity assessment (and probably still requiring a lot of guidance).

CE squared – two integrated overlapping conformity assessments

The AIA sets up a system of conformity asssessment for artificial intelligence systems, which, given the definition of AI system, will almost always double as medical device under the MDR if deployed for medical intended purpose. The conformity assessment will also involve notified bodies like under the MDR.

The ‘provider’ of an articial intelligence system will also have post-market monitoring obligations to proactively collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions, very much like PMS under the MDR.

The AIA prohibits certain AI practices that mainly have to do with transparency, but these does not seem to interfere with deployment in healthcare.

All software that qualifies as medical device under the MDR or medical devices running software with an AI component will be classified as a high risk AI system under the AIA because it is

“the product whose safety component is the AI system, or the AI system itself as a product”

covered by the MDR or the IVDR (article 6 (1) AIA). This definition seems to have been chosen with a concept of direct actuation in the human world (bad decision -> human interacting with product dead) but this definition ignores the indirect and more insidious effects of harm that we know from IVDs for example, that do not interact directly with a human. The definition of ‘safety component’ (“a component of a product or of a system which fulfils a safety function for that product or system or the failure or malfunctioning of which endangers the health and safety of persons or property”) does not seem to have been written with diagnostics firmly in mind, although you could say that a failure of an AI system interpreting IVD instrument data could endanger health of persons by means of generating false positives or false negatives which means that this would be covered. But what about AI systems deployed in drug discovery leading to ‘discovery’ of a medicinal compound with much more than necessary side effects? This is an entirely different degree of causality.

Anyway, medical devices / IVDs in scope of the MDR and IVDR will in basically all cases constitute high-risk AI systems in the meaning of the AIA. This means that they will be subject to the requirements of among other things

  • Risk management system (similar to MDR and IVDR) (article 9)
  • Data governance and data management practices (similar to MDR/IVDR and GDPR) (article 10)
  • Technical documentation (similar to MDR/IVDR article 11)
  • Logging capabilities (similar to GDPR) (article 12)
  • Transparancy and information to users (similar to GDPR) (article 13)
  • Human oversight requirements (similar to MDR/IVDR) (article 14)
  • Accuracy, robustness and cybersecurity (similar to MDR/IVDR and GDPR) (article 15)
  • Obligations very much like article 10 MDR/IVDR (device manufacturer obligations plus QMS) (articles 16 and 17)
  • Economic operator requirements (similar to MDR/IVDR) (articles 25 to 28)
  • MDR and IVDR PMS systems must integrate AIA PMS elements (Article 61 (4))

The proposal mentions in the discussion of stakeholder input that

“several stakeholders warn the Commission to avoid duplication, conflicting obligations and overregulation”.

I think these stakeholders are right. While the AIA says in recital 85 that it is supposed to amend the MDR and the IVDR, it is quite hard to see where the actual amendments are in the avalanche of overlap, as indicated in the list above. Some measures are taken to avoid the worst of overlap, such as the option to provide a single set of technical documentation for the AI systems that are also devices in the meaning of the MDR and IVDR (article 11 (2)). Otherwise this is remains quite the puzzle.

Article 24 AIA contains strange overlap provision:

“Where a high-risk AI system related to products to which the [MDR or IVDR ] apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.”

This seems to be a kind of system / kit provision intended to manage exactly the cases caught under … systems and kit provisions already provided for under the MDR and IVDR. So more overlap, not necessarily consistent.

Article 43 (3) AIA manages overlap and conformity assessment re overlap, providing that where AI systems that are devices or are part of a device can be assessed under the MDR or IVDR conformity assessment producedure, with some AIA extras. This begs the question how will that work with notified bodies? Do they need accreditation under the AIA as well to do a full MDR or IVDR AI system / device assessment? Under what MDR / IVDR code would that notified body competence be covered? Would it be possible to split the device / AI system by having the AI part evaluated by an AIA notified body and the device part by an MDR / IVDR notified body? Or what if (theoretically) an MDD class I software device also needs to obtain an AIA certification before May 2024 – would that be a significant change in the meaning of article 120 (3) MDR? Interesting puzzle to figure out.

The AIA is not very clear about the result of conformity assessment under overlapping assessment and how this will be reflected in a final declaration of conformity. The result under the AIA would be an EU technical documentation certificate (article 44 AIA) which seems to be complementary to an MDR / IVDR certificate and, according to the MDR / IVDR, might be accounted for in a single declaration of conformity for the AI system under both regulations (AIA and your choice of MDR or IVDR) – see article 48 (3) AIA.

Article 63 (3) AIA provides that the MDR and IVDR competent authorities shall be market surveillance authorities for AIA. This made me raise an eyebrow or too, as this solution is too ‘practical’ to be realistic. With the structural understaffing of Member States’ competent authorities for medical devices and IVDs as it is, it will be very interesting to see where they will get the expertise in AI needed for proper market surveillance and enforcement. This would require Member States to take medical devices as a policy area more serious and invest in competent oversight with sufficient capacity, which will of course not happen if the MDR and IVDR are any measure for this. It seems that the ‘competent’ in competent authority will be a tenuous claim for AI in the EU, thus at least not ticking that box for the EU’s AI strategy. Good legislation is one thing, but actually competent authorities is another if you want to achieve the goals of legislation like the AIA.

Seriously, lobby and trust

There is also the category of ‘seriously?’, which contains provisions like the user obligations under article 29, which entail among other things that users of high-risk AI systems shall use such systems in accordance with the instructions of use accompanying the systems (article 29 (1) AIA). This provision is rather alien in the universe of CE marking legislation, where the user does not have direct obligations because the scope of deployment of the AI system would be limited by the scope of the CE marked intended use anyhow (like is the case under the MDR and IVDR). A separate obligation on the user to only use the system in accordance with the IFU creates an entirely extra layer of regulation for AI systems that are also a medical device.

The first traces of lobby are also visible in the proposal, for example where it says that

“Users of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system, to the extent such logs are under their control.” (article 29 (5) AIA)

If there is anything that would inspire trust it would be that the logs generated are always under control of the user, especially since that provision does not mention who must keep the logs if they are not under control of the user, which is a major regulatory oversight in my opinion.

Some trust enhancing measures for medical AI systems can be found in article 7 MDR and IVDR, which pose limitations on the (marketing and advertising) claims that can be made for devices, and consequently for AI systems that are also devices.

And then there are the GDPR overlaps / dovetails as well. See below fro more discussion of the resulting three-dimensional problems that this produces.

Better legal recourse against notified body decisions re AI system certification, but not if they’re medical devices

Genuinely new in the AIA is a first step to better legal recourse against notified body decisions, which is news for me as a lawyer. This is different from the MDR / IVDR. Article 45 AIA provides that

“Member States shall ensure that an appeal procedure against decisions of the notified bodies is available to parties having a legitimate interest in that decision.”

This kind of provision is sorely missing in the MDR and IVDR, and was one of my criticisms on the MDR and IVDR, as these provide for legal recourse against notified body decisions only via the certification agreement and a requirement for the notified body to have an internal appeal process. Some member states provide for extra legal recourse pathways because they treat notified bodies as emanations of state or similar entitites. The provision in the AIA does not limit recourse to the parties of the certification agreement alone, which is also an interesting development. Just like under proper administrative law licensing procedures, interested third parties should be able to appeal a certifciation decision under the AIA.

Does this now mean that a decision concerning an MDR / IVDR certificate covering an AI system can be challenged under this provision? No, because it would be an MDR / IVDR certificate, which would seem to mean that an AI system provider is worse off for legal protection under the MDR / IVDR than under the AIA because the AI system is also a medical device. On the other hand, the AI system provider has nothing to worry about in terms of interested third parties appealing the certification decision, which could be a problem under the AIA.

Transparency

Article 52 provides for an ‘anti-holodoc’ transparency obligation:

“Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that natural persons are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use.“

AI systems posing as a doctor for example will need to clearly be in the uncanny valley in order to be compliant, or must be very clear about their status. Fortunately the holodoc was never short of drama about what it was like to be an AI-powered hologram confined to the sick bay, but this will almost need to be a feature.

An AIA-MDR/IVDR-GDPR Rubik’s cube

The proposal contains many implicit and explicit links with the GDPR, such as that users of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under the GDPR (article 29 (6) AIA). This provision seems to assume that a DPIA is always required in this context, which is not necessarily true. Another interesting link with the GDPR is the provision of a legal basis for bias monitoring (article 10 (5) AIA) for the functioning of the AIA. I would assume that this legal basis extends to the context of clinical data for devices that often does not take account of the lack of clinical data for women and children, and is often biased for adult men, which the AI system would be too if trained on such biased data.

Implicit links exist where we are talking privacy by design and and security by design under the GDPR, and risk management under the MDR / IVDR. The AIA adds a third dimension which will make designing and deploying AI systems even more complex, as you will be dealing with three regulatory dimensions. I have described in a lot of detail how the MDR / IVDR risk management requirements and the GDPR design requirements interact (see for example here, specifically slide 34).

The result would be now that you would have overlapping technical documentation for the AIA and MDR/IVDR requirements and a GDPR DPIA and system design documentation for the purpose of the GDPR, which all need to be consistent with each other over time. Speaking of three dimensions, it will be like continuously working a regulatory Rubrik’s cube between parts of the company that typically do not engage every much with each other.

This is just a very short summary specifically for medical devices and IVDs and there is a lot more to say about the AIA links with the GDPR than this.

Is this proposal one in the category of putting the NO in innovation?

As has happened with the MDR and IVDR, the software industry will be slow to catch on to this, wait too long with starting preparations and be engaged in a last minute scramble for compliance. Dear industry, now you know – time to start preparing. This regulation will happen, one way or the other because politicians have decided it is needed and it will look a lot like this proposal. You only have yourself to blame if you wait too long.

A big question is who will be the notified bodies that can certify AI systems that are also medical devices or IVDs. This will be done by MDR / IVDR notified bodies that have been assessed for an AI systems competence top up (article 43 (3) juncto article 33 (4), (9) and (10) AIA). Given that it took the average notified body about two years to go through notification for the MDR and IVDR and that the major bottleneck was approval of the NB CAPA plan after joint audit, this will be interesting. Of course the MDR and IVDR notified bodies will have their QMS up and running so hopefully this application could be handled swiftly. On the other hand, we do have enormous bottlenecks for MDR and IVDR NB capacity and that did nothing to move things along any faster. I cannot begin to emphasize in how bad of a situation we are with notified body capacity for the IVDR, and not these few notified have just gotten extra tasks for AI systems in these IVD space. Like I’ve said before: why would we need effective IVD market access policy in these pandemic times, right? It’s not like we need to do large scale testing for any purpose or something or would need AI systems to be able to help identify new mutations of corona viruses or something useful like that any time soon – pardon the sarcasm.

Another interesting question is how the AIA relates to the in-house exemption under articles 5 (5) MDR and IVDR, as this is not addressed in the AIA. This would mean that health institutions developing their own home-brew AI systems for deployment in the health institution will need to certify them as high-risk AI systems with a notified body that is not necessarily competent in AI in healthcare because there is no obligation to go to an MDR or IVDR notified body with an AIA top-up. This is very likely to limit innovation in health institutions, because the whole idea of the in-house exemption is to forego CE marking of the in-house device. It is also not clear if the existence of a commerically CE marked AI system would pre-empt health institutions for deploying their own AI system (article 5 (5) (d) MDR and IVDR).

Will this proposal make the EU a world leader in AI by setting clear guidelines? In its current form I think it will not.

Although the proposal can definitely be improved, my worry is the execution. We are right back at the glaring undercapacity of market access procedures and lack of expertise at competent authorities level, which in the end is caused by the Member States on the one hand refusing to cede competence to the Commission (and properly fund the Commission for this) and on the other hand the Member States’ inability to properly resource their part of the regulatory system. While the Commission is probably doing what it can with the instruments that it has, this kind of thing is not something you can make work with a pretty technical regulation that follows conventional CE logic but relies on a market access system that is proven to be under-resourced for years to come.

You actually need a functioning regulatory infrastructure with a market access mechanism with sufficient capacity and predictability which is simply not there at the moment. We are utterly lacking that for the MDR and IVDR, and as a consequence for the AIA in the medical space. If this problem is not solved, the AIA will not live up to expectations in the health space and will become a disappointment.

%d bloggers like this: