Up to now, e-labelling was problematic and regulated in a fragmented way. It was allowed to an extent for IVDs within the guidance provided by a MEDDEV. This proposed regulation does not seem to change the rules for IVD e-labelling because the regulation explicitly applies only to the labelling of devices under directives 93/42 and 90/385. New IVD e-labelling rules may be taken on board in the currently pending revision of the IVD directive.
According to the Commission summary, the scope of the draft regulation is as follows:
to set out conditions according to which instructions for use in paper form may be replaced by electronic instructions for use. The regulation will limit the possibility of providing instructions for use in electronic form to defined medical devices and accessories intended to be used in specific conditions. Furthermore, it contains a range of procedural safeguards. Thus instructions for use have to be provided in paper form on request, and a specific risk assessment by the manufacturer and information on how to access to the instructions for use is needed.
This summary of course oversimplifies what the proposed regulation will actually do, so let’s take a look at it in a bit more detail. As you will see, e-labelling is not for the meek and entails a lot of organisation. In addition, there is an important e-privacy angle to it that I predict many companies will overlook.
Paper push on request obligation
First of all, manufacturers will always remain subject to paper push upon request by the user, for the duration of the data retention periods discussed below, and within a maximum of 7 calendar days or at delivery of the device.
The regulation will impact on four things:
- full e-labelling, whether via a carrier provided with the device or via a website
- e-labelling additional to paper IFU
- instructions for use provided via the device itself (e.g. via the GUI)
- labeling of the device itself
It will only regulate this for devices that are intended exclusively for professional users, for which use by other users is not reasonably foreseeable, and that fall in one of the four categories below:
- (active) implantable medical devices and their accessories intended to be used exclusively for the implantation or programming of a defined (active) implantable medical device;
- fixed installed medical devices covered by Directive 93/42/EEC (fixed installed medical devices being defined as “devices and their accessories which are intended to be installed, fastened or otherwise secured at a specific location in a healthcare facility so that they cannot be moved from this location or detached without using tools or apparatus, and which are not specifically intended to be used within a mobile healthcare facility”);
- (active implantable) medical devices and their accessories with a built-in system visually displaying the instructions for use; and
- stand alone software covered by Directive 93/42/EEC.
Obligations for full e-labelling
As a precondition manufacturers must perform a risk assessment on their e-labelling, the outcome of which must be that “providing instructions for use in electronic form maintains or improves the level of safety obtained by providing the instructions for use in paper form” and it must “at least” include as elements:
- knowledge and experience of the intended users in particular regarding the use of the device and user needs;
- characteristics of the environment in which the device will be used;
- knowledge and experience of the intended user of the hardware and software needed to display the instructions for use in electronic form;
- access of the user to the reasonably foreseeable electronic resources needed at the time of use;
- performance of safeguards to ensure that the electronic data and content are protected from tampering;
- safety and back-up mechanisms in the event of a hardware or software fault, particularly if the instructions for use in electronic form are integrated within the device;
- foreseeable medical emergency situations requiring the provision of information in paper form;
- impact caused by the temporary unavailability of the specific website or of the internet in general, or of their access in the healthcare facility as well as the safety measures available to cope with such a situation;
- evaluation of the time period within which the instructions for use shall be provided in paper form at the user's request.
The risk assessment must be updated with PMS information as and when that becomes available, so manufacturers will need to include this in their PMS information feedback loop. As with the paper IFU, the manufacturer must have a system in place to clearly indicate when the instructions for use have been revised. The regulation imposes an interesting mandatory vigilance obligation on this point: manufacturers must inform each user of the device of revisions of the IFU if the revision was necessary for safety reasons. It does not state how the users should be informed.
The regulation does not allow optional e-labelling per member state, unless justified by the outcome of the risk assessment. That means that e-labelling must be handled the same for each EU member state, unless it would be justified to make exceptions based on the risk assessment.
The regulation imposes data retention obligations and an obligation to keep the e-IFU available for users:
- for devices with a defined expiry date, except implantable devices, for at least two years after the end of the expiry date of the last produced device;
- for devices without a defined expiry date and for implantable devices, for a period of fifteen years after the last device has been manufactured.
Since e-labelling must be fool-proof, the regulation sets out requirements for the instructions for use for the e-label.
Except for class I medical devices, the notified body of the manufacturer must review the manufacturer’s fulfilment of the e-labelling requirements during the conformity assessment. The review must be based on a specific sampling method adapted to the class and the complexity of the product.
A full e-labelling website must comply with the following requirements:
- the instructions for use shall be provided in a commonly used format that can be read with freely available software (e.g. pdf);
- it shall be protected against hardware and software intrusion;
- it shall be provided in such a way that the server downtime and display errors are reduced as far as possible;
- it shall mention in which Union languages the manufacturer provides the instructions for use in electronic form;
- it shall fulfil the requirements of Directive 95/46/EC (privacy and data protection, see for more detail about that below);
- the internet address shall be stable and directly accessible during the data retention periods (see above);
- all previous versions of the instructions for use issued in electronic form and their date of publication shall be available on the website.
Instructions for use in electronic form may also be provided in addition to complete instructions for use in paper form. In that case they must be “consistent” with the content of the instructions for use in paper form. If they are provided through a website, this website must fulfil part of the requirements for a full e-labelling website. Strangely enough, the verification of consistency is not subject to ex ante notified body scrutiny as with the full e-labelling option. It will of course be subject to ex post notified body supervision in the framework of audits, so manufacturers might plan for this.
Impact on labeling of the devices themselves
Manufacturers must clearly indicate that the instructions for use of the device are supplied in electronic form instead of in paper form and that the user may request and shall obtain at no additional cost the instructions for use in paper form at any time during the retention periods set out above. That information shall be provided on the packaging for each unit or, where appropriate, on the sales packaging. In the case of fixed installed medical devices, that information shall also be provided on the device itself.
The manufacturer must provide
- information on how to access the instructions for use in electronic form on the packaging for each unit or, where appropriate, on the sales packaging or, in the case of fixed installed medical devices, also on the device itself. If all of that is not practicable, the information must be supplied in a paper document supplied with each device;
- in the device or on a leaflet, information on foreseeable medical emergency situations and, for devices fitted with a built-in system visually displaying the instructions for use, information on how to start the device; and
- in the catalogue or in other appropriate device information support, information on software and hardware requirements needed to display the instructions for use (my guess is that this could also well be done somewhere in the documents comprising the label).
e-Labelling via the built-in GUI of a device
The draft regulation also deals with provision of instructions for use in electronic form by the device itself. Apart from being subject to all of the above, manufacturers of medical devices fitted with a built-in system visually displaying the instructions for use must ensure that displaying the instructions for use does not impede the safe use of the device, in particular life-monitoring or life-supporting functions. I think an example of this would be pop-ups with ‘useful’ troubleshooting tips that obscure vital information on the screen and cannot be easily closed. Fulfilment of this requirement will certainly impose additional emphasis on usability engineering requirements of the GUI of these devices and application of risk management to the software design process. The instructions for use in electronic form must also be made accessible to the users through a website, to which all of the above criteria apply.
Don’t forget the personal data rules impact
The draft regulation contains multiple references to the EU directive on the protection of personal data. This is to be expected because there will inevitably be an exchange of personal data between the manufacturer and a doctor or other HCP for the purpose of the provision of e-labelling and the PMS process related to that. That means that the processing of the personal data acquired has to meet all these general requirements, like no export from the EU except if allowed, use of data only within the scope of consent, procedures for correcting data, etc.
But let’s not forget about other important data protection issues apart from the legacy EU data protection directive. The revised e-Privacy Directive that entered into force last May establishes, apart from all the upheaval about its cookie acceptance rules, for the first time in the EU, a mandatory personal data breach notification framework. This framework applies by the letter only to providers of publicly available electronic communications services (e.g., communications and Internet access providers). However, the EU Commission has already indicated that it will soon propose e-privacy legislation that will cover the entire scope of the providers regulated under the broader EU Data Protection Directive (yes, 95/46/EC, the one referred to in the draft regulation). Furthermore, recital 59 of the e-Privacy Directive encourages EU member states, while new EU Commission rules are in the pipeline, to apply the new data breach rules very liberally, “regardless of the sector, or the type, of data concerned.” – ergo, e-labelling by medical devices manufacturers will soon fall under the e-Privacy directive and may already do so, depending on what EU member state you ask. I would say that compliance with the data breach rules will also need to be looked at by the notified body in the framework of its assessment of a manufacturer’s e-labelling as this is very clearly a safety and PMS issue.
Under the new rules, providers must notify — without undue delay — individuals and authorities when they suffer a data breach. Individuals must be notified if the breach is likely to adversely affect the personal data or privacy of such individual. Regardless of the potential harm, all data breaches must be reported to the authorities. The notification should describe the nature of the breach, list the provider’s contact information and recommend measures to mitigate possible adverse effects. The notification to the competent national authority must also describe steps taken by the provider to address the breach.
Notification of a personal data breach to an individual is not required, however, if:
- the provider has demonstrated to the satisfaction of the competent authority (in this case the one for data protection, but a manufacturer will need to inform the notified body too, and that body may also have an opinion on this) that it has implemented appropriate technological protection measures;
- the provider applied those measures to the data impacted by the security breach; and
- the technological protection measures render the data unintelligible to any person not authorized to access it.
Both the scope of providers covered by the reporting requirements and the appropriateness of the technological protection measures are expected to diverge in implementation by the various Member States, making the jurisdictional issues very important because forum shopping may become an attractive option until these concepts are further harmonized.
Time path for entry into force
The regulation is proposed to be adopted on 14 December this year and to apply as of 1 year after that date. This transitional period should be used by e.g. the manufacturers that are impacted by the user interface requirements to update the functioning of the GUIs and to get their e-labelling procedures in order.