Have you seen Mr Robot? If not, watch that series.
With the MDR and IVDR adoption in sight (currently scheduled for Q1 2017) I see a number of developments in the market, all converging on the higher standards that will be imposed under these new regulations.
By way of update, there is movement in the dossiers of the MDR and IVDR. The first drafts of the translations have been circulated for consultation in the mean time (I have the Dutch versions for example) with final numbering (123 articles) – there may be some small additions / changes too – we’ll have to see. I will write more about this in a later post soon.
Back however to the converging developments. First, I see notified bodies do more and more ‘unexpected’ things that affect manufacturers profoundly and take them by surprise. Secondly, I see authorities get tougher on the market especially in the Netherlands, by imposing high fines without warning for easily remediable non-conformities in the documentation for class I medical devices and self certifiable IVDs.
The following is my own personal perspective, but I have heard and hear it echoed by many companies, consultants and other stakeholders in the market.
Regulators! Let’s dance
In the Netherlands we see a development towards truly punitive enforcement of medical devices regulation, specifically in the areas of software as medical device and IVDs.
The authorities in the Netherlands have decided that they are going to raise the bar and come down punitively on manufacturers. We see more an more cases in which companies are fined quite substantial amounts that can easily bankrupt an SME (we see amounts from about € 50,000 to around 150,000) for non-conformities in relation to class I medical devices and self certifiable IVDs that a notified body looking at much higher risk products would issue a non-conformity with remediation period for. That’s right: in the Netherlands it’s currently way riskier from enforcement perspective to be in class I devices and self certifiable IVDs than in the highest risk devices conceivable. A large factor here are the Healthcare Inspectorate’s guidelines for the imposition of fines, which it applies in a way that many non-conformities are subject to fine without possibility of remediation and warning.
This would not be so bad if there would not be so many formality errors committed on the part of the authorities, for example being very unclear about when inspection proceeds into enforcement. At that precise moment a company needs to be told that it is no longer obliged to cooperate. Fundamental rights and good enforcement procedure, just a small detail. It leads to situations where companies enthusiastically cooperate in incriminating themselves because they want to remedy the non-conformity observed and cooperate with the Inspectorate to that end, but are not aware that the Inspectorate is already collecting facts to fine them. And they will. A few months later, suddenly, a letter arrives in the mail stating that the Inspectorate will fine the company for tens of thousands of Euros while the company was under the impression that the Inspectorate was just being helpful. So, if you are subject to an Inspectorate visit, no matter how friendly it unfolds: make sure that you put the inspector on notice that he/she should be more than abundantly clear about when the discussion moves to fact finding for the purpose of enforcement. This is just one of the issues we currently see in enforcement in the Netherlands.
Of course companies should adhere to the law, there’s no discussion about that. I just want to raise awareness for the fact that enforcement in the Netherlands has gotten some disproportionately punitive characteristics which worry me and – quite frankly – do not serve anyone except lawyers. Like mentioned, it’s kind of strange that you can get a big penalty for non-conformities that your notified body would just allow you some time to remedy in case of higher risk products.
We are now routinely appealing these decisions, and there are more and more of them coming in. The Dutch Inspectorate has clearly decided that it is coming down on the market and enforce it into compliance with a vengeance. We are also collecting enforcement/inspection experiences of medical devices companies in the Netherlands in order to start a dialogue with the government to seek to arrive at a more proportionate policy of oversight.
Do you have experiences with the Dutch IGZ in medical devices or IVD oversight under the new penalty guidelines? Let us know.
Notified bodies – drop it like it’s hot
The notified bodies have gone through a rigorous process of joint assessments that culled already many of the notified bodies in the market for AIMDD, MDD and IVDD certification (53 left at the moment, with the number still declining). As a result the notified bodies have also been given clearer marching orders as to how to deal with customer files that their notifying authorities see as problematic, for example because the clinical evidence is not up to standards.
This situation has led to what I have started to call the ‘drop it like it’s hot’ strategy on the part of notified bodies. I see that especially smaller notified bodies often adopt the extremely nasty and onerous tactic of letting a certificate expire, and subsequently confront the manufacturer with a de novo certification against a much higher (clinical) standard, with the notified body refusing to explain where this comes from nor being interested at all in the situation that this will disrupt the manufacturer’s business severely (especially in the case of SMEs that have only one or just a few products on the market).
This typically unfolds as follows: date of recertification approaches, manufacturer sends increasingly urgent sounding messages to notified body about planning of recertification audit (which are ignored by notified body), manufacturer trusts that notified body will however not allow certificate to expire just like that, notified body does exactly that, notified body informs manufacturer he must now obtain a de novo certification against suddenly much higher standards that the notified body refuses to explain.
I think it’s a shame that authorities are not supervising this better but instead seem to just push out marching orders to notified bodies regarding clinical data requirements. It is truly frustrating to see notified bodies using their delegated state authority of certification this way, especially since there are much more proportional ways to handle this. One such more proportional way would be to re-certify with a new PMCF plan.
In this regard it is especially onerous for manufacturers that current medical devices legislation does not provide for clear legal recourse against notified bodies, nor for clear rules about transferring from one notified body to another. In practice there is little you can do against a notified body decision. Some member states allow administrative appeal, but the authorities are – in my experience – very deferent to notified bodies and give them virtually unlimited discretional power. Notified bodies, for their part, have no to little experience in exercising government authority in accordance with basic principles of rule of law. This leads to routine infringement of core principles of good administration like e.g.
- non-arbitrary decision making (giving reasons to support a decision)
- proportionality (imposing a measure at is least burdensome for the company, like PMCF instead of certificate expiry)
Yet, manufacturers have no effective recourse against this. The MDR and IVDR will contain a very rudimentary regime for the scenarios that a notified body ceases activities or its designation is restricted, suspended or withdrawn.
You can imagine this this will become more pressing during the MDR and IVDR transitional periods, during which the notified bodies will be under extreme pressure resource wise because not only must they themselves be re-notified, they must also hire more in-house staff and in the mean time certify all of their customers devices on the market into the new system, while dealing with the normal workload of surveillance and re-certification audits. This will become an ugly mess, and that is a big understatement.
Notified bodies – clinical evaluation circus
Another issue we see happening now is the urgency that is being put on notified bodies to push through clinical data standards that go towards the new MDR level as quickly as possible. This early summer (June 2016) we have seen the new clinical evaluation MEDDEV being adopted, without transitional period. Presently we start to see notified bodies beginning to suspend / refuse to renew certificates if they find in a surveillance or recertification audit that the clinical evaluation for the device concerned is not fully up to the standards of the new MEDDEV. Yes, immediate suspension – not a minor, not a major, but cease placing on the market with immediate effect. We have even seen notified bodies take this to the level of suspending a certificate with multiple devices on it for all devices, just because the clinical evaluation for one of them (which was not even being placed on the market anymore at the time) was not at the level of the new MEDDEV.
Once the certificate has been suspended or needs to be renewed, there is no way to make a notified body hurry up and even act quickly to correct manifest mistakes (like suspending a certificate for all products if only one product is affected by the non-conformity) or otherwise even adhere to basic principles of good administration discussed above. The lack of legal recourse here is truly disconcerting, given the enormous damage manufacturers suffer as a result.
Notified body liability is already an issue subject to appeal to the European Court in the TUV Rheinland case, but that case is about no-fault liability for damage resulting from defective products that get on the market and the notified body audits did not prevent this. Here we are dealing with other liability, in my view for negligent or unconstitutional use of delegated government power (official ability to issue certificates with legal effect). The Advocate General makes a compelling argument in the TUV Rheinland (PIP implants) case about liability in cases of notified body failing to fulfill obligations. She argues in para 39 of her opinion:
“Given the crucial role played by notified bodies in the procedure leading to the placing on the market of medical devices governed by Directive 93/42 and bearing in mind, in particular, the high level of protection to patients and users that that directive aims to provide (30) and the risks associated with the devices in relation to which they are required to carry out their examination, it seems to me entirely appropriate that those bodies should in principle be capable of bearing liability under national law to those patients and users for a culpable failure to fulfil their obligations thereunder, provided always that the principles of equivalence and effectiveness are respected.”
The AG concludes that it is therefore possible under the directive that a notified body can be liable vis-a-vis patients and users for failing to fulfill obligations. I think that the same applies with respect to manufacturers when these suffer damage as a result of a notified body failing to fulfill basic duties of good administrative law practice that a government agency would need to fulfill. Remember, notified bodies are almost like an emanation of state in how they operate and are controlled by their notifying member states. This liability will apply regardless of what the contact of the notified body says, because it would be quite something if a notified body could contract out liability for gross negligence in the way it fulfills tasks delegated to it by law.
However, given the state of harmonization of EU medical devices law, this will be a matter for national courts to determine because the medical devices directives are silent on this point. The forum to go to is the competent court in the jurisdiction that notified the notified body concerned. It will be interesting to see what the European Court will decide. Given the complete lack of effective recourse against notified bodies under the new MDR and IVDR, this problem will persist into the future and become far worse in the messy and choppy transitional period that we have on the horizon with less notified body capacity but more need for it.
Let us know
Do you have bad experiences like discussed with your notified body? Let us and/or MedTech Europe know. We are working on collecting information to raise awareness for this at the Commission and at the national notifying authorities, but we need actual experiences to demonstrate what is happening. The more we have, the more impact we can make.
It will be interesting
to see where all of this goes. It is quite clear however that manufacturers have to pay closer attention to compliance formalities and remediate quicker, also in the lower risk product ranges. With the new MDR / IVDR associated remediation / transition and possibilities for non-conformities manufacturers need to prepare for a rough period ahead in the next years.
medicaldeviceslegal 
Dear Erik,
Your description and analysis is completely right. We have had cases with clients that go exactly in this direction. How many thousand jobs in one of the last industry sectors Europe is a leading player in the world market from an innovation perspective will be lost before this will be corrected. (I am not sure whether delegated and implementing acts can serve to correct those major errors in the system once it is in place.)
Europe created a Monster with NBs that can do whatever they want. (Not all, but many of them) It is great time for a mandatory price list and a mandatory service level agreement applicable to all NBs, part of the designation process with a quick deciding recours gremium.
Thanks a lot for bringing this subject to the community with your blog!
Best
Michael Maier / Medidee Services SA
Thanks Michael – if you could report any of these cases to MedTech Europe that would be great. They will compile them and raise awareness at the Commission and member states.
Thanks Erik – really useful. You said you “see a development towards truly punitive enforcement of medical devices regulation, specifically in the areas of software as medical device and IVDs”. Are regulators already going beyond the safety management expectations of a Class I device for software?
Hi Marc, not that we see. But they enforce punitively on paper dossier non-conformities, like for example combining clinical evaluation for several modules of a software suite together so it is not immediately evident that each module has its own clinical evaluation document.
Dear Erik,
thank you for this interesting and frightening post. You asked for other experiences with NBs. Here is one:
A German NB (DEKRA) was well known in the past for not requiring any clinical evaluation report (CER) in the Technical Documentation (TD), or accepted TDs and issued certificates for TDs for Class III devices with a CER of 1 – 3 pages, written by a company employee or a physician being an important customer of the company. The same NB required immediately after publication of MEDDEV 2.7.1 rev4 to see a CER according to this brand new revision. Very comprehensive CERs according rev3 have been available. One can really question, whether a complying CER according rev3 does not already demonstrates adequately “safety and performance of the product in clinical practice”? Not to mention how at least unfair it is, to require compliance with a new revision a few days after publishing.
I hope, this “NB experience” will find a good place in your collection of NB behaviors.
Best regards
Konstantin
Dr. Konstantin von Martius MTC Medical Technology Consultants GmbH Zuccalistr. 19 80639 München Tel: +49 89 176782 Mobile: +49 (0)172 852 3552 Email: kvmartius@t-online.de http://www.mtc-consultants.com
*************************************************************************** MTC GmbH, Zuccalistr. 19, D-80639 München, Deutschland Geschäftsführer: Dr. Konstantin von Martius Registergericht: Amtsgericht München, GmbH, HRB 180737
***************************************************************************
Thanks for sharing this experience Konstantin!
Incredibly helpful information. Can’t thank you enough.
I would like to share a pet-peeve. Certification is a 3rd party activity. NB’s and laboratories issue certificates. Manufacturers (1st parties) issue declarations. As certification is a 3rd part activity it is not possible for a manufacturer to self-certify. A manufacturer self-declares. I know, I have spent too many years working in a laboratory that issues certificates. I’ll go away now.
Wishing you happy holidays. Again, thank you for all your work and for keeping us all informed of progress on the MDR/IVDR and the evolving situations in the EU.
Kind regards,
Christine
Hello
I’m having a similar experience with a Technical File submited during June 2016 to the NB (ITC) with a CER acc.to MEDDEV 2.7.1 Rev.3.The NB started the review of the file end of November 2016.The file is stuck now stuck since the CER is not written acc.to MEDDEV 2.7.1 Rev.4 .