New MEDDEV on authorised representatives: everything you know is wrong

Last week the Commission released a new MEDDEV guidance document on authorised representative as part of the package announced at the beginning of this year and this one is disruptive, especially if you did not see it coming.

Step back: what is an authorised representative and why would you need one? The authorised representative is “any natural or legal person established in the Community who, explicitly designated by the manufacturer, acts and may be addressed by authorities and bodies in the Community instead of the manufacturer with regard to the latter’s obligations under [the Medical Devices Directive]”. You need one if “a manufacturer who places a device on the market under his own name does not have a registered place of business in a Member State”. So an authorised representative can be an internal or external function, depending how your company is organised. Some companies hire a consultant(cy) in the EU to be their authorised representative, others nominate a legal entity in their corporate group that happens to be established in the EU. EU law enables a manufacturer to delegate the performance of certain medical devices requirements to his designated authorized representative. EU law requires an authorised representative so the authorities can address the authorised representative for the purpose of post marketing surveillance with respect to the devices concerned. There is more, but that’s described in a lot of detail in the MEDDEV and it’s not new.

Now, what is new about this new MEDDEV? First, there are the requirements that are expected for authorised representative agreements of which I am very sure that almost no authorised representative agreement in place in the EU meets at this moment. Secondly, there is the ‘supervision’ of these agreements, which is delegated to notified bodies.

As to the first point: the MEDDEV makes it clear that the relationship between the manufacturer and authorised representative is one of delegated powers, which means that the authorised representative is expected to step up and exercise these powers with a certain degree of independence. Below are the items that the member states authorities expect in an authorised representative agreement. This has consequences for agreements currently in place, because from my own experience with authorised rep agreements I know that almost none of the agreements out there complies with the requirements that follow below that I have put in a bit stripped down language for easy reading:

Information

authorised representative is obliged to inform the manufacturer of

  • decisions of a Member State in respect of refusal or restriction of the placing on the market or any making available or putting into service of a device;
  • incidents brought to his knowledge.

manufacturer is obliged to inform the authorised representative of

  • all matters that may be connected to the devices placed on the EU market.

Division of responsibilities

Relation between manufacturer and AR / flow of information

– “The authorised representative should be able to assess whether the manufacturer has the ability to fulfil his regulatory obligations. In order to carry out the assessment the authorised representative should have access to the technical documentation.”

– “The authorised representatives should be in a position to verify that the required information / documentation exists with their manufacturer and that the necessary processes (e.g. for post market surveillance) are established.”

– “The authorised representative must possess appropriate knowledge, expertise and resources to assess and verify the above.”

Competence AR

– “A Member State must be able to assume, when it addresses an authorised representative, that it will receive all the information that it requests.”

Information to be provided to authorities on request

– “A Member State can expect an authorised representative to provide on request the following information:

i) Declaration of conformity,

ii) Copy of the label, packaging and instructions for use (in all languages requested by the countries where the device is marketed),

iii) Notified Body certificates (where relevant),

iv) Post market surveillance process and data, vigilance reports and complaints, processes and data,

v) Technical documentation relevant to market surveillance investigation being undertaken by the Member State,

vi) Relevant clinical data / notification,

vii) Details of any distributors / suppliers putting the CE marked devices on the market,

viii) Incident reports and reports on corrective actions taken.”

Disagreement and non-compliance

– “In the event of a disagreement, where the authorised representative considers that the manufacturer is not complying with the requirements of the Directives, it has a duty to communicate this to the manufacturer. If the disagreement continues, the matter should be submitted to the authorised representative’s Competent Authority for decision. The authorised representative may opt to rescind the contract.”

– “In the event of a clear non-compliance by the manufacturer that could engage the responsibility of the authorised representative and which the manufacturer refuses to correct, the authorised representative has the right to rescind his contract with the manufacturer. The authorised representative has even the obligation to rescind the contract if the non-fulfilment of the manufacturer’s obligations causes him to infringe national law. It should then notify his Competent Authority and the manufacturer’s Notified Body of this.”

This last quote is what member states expect from the parties involved. I really wonder how they see this applied in practice: they want an authorised representative to act contrary to national contract law based on – yes indeed – the non-binding guidance that a MEDDEV is. Apparently they rely on the fact that an authorised representative would be able to defend itself in court by arguing: “I had to break my contract based on an obligation in non-binding EU guidance”. That could lead to the following conversation. “Is there a basis for this obligation in the law? Does the Medical Devices Directive require member states to implement this in their contract law?”, the court would ask. “No, but the Commission says in a MEDDEV that the member states expect it”. “OK, so it’s expected says someone else, even an obligation, and there is no legal basis?”, the court would reply with a question and subsequently order damages and/or specific performance on the part of the authorised representative. Everyone would be the richer for an interesting experience, but you can’t create an enforceable obligation with a MEDDEV as the law now stands.

Would a court act contrary to the principle of Community loyalty enshrined in the EU treaty if it just applied its contract law in this case as described above? I am not so sure as there is no legal basis in the medical devices directives to resolve this conflict. Another question is whether the authorities and notified bodies would help an authorised representative in a scenario like this, e.g. would the authorities intervene in a contractual dispute between a manufacturer and an authorised representative? I think that is very unlikely. So, although this looks nice on paper, it is set up in a way that is asking for trouble from a legal perspective.

Supervision

Another interesting item in the MEDDEV is the supervisory task that is now specifically put on the notified bodies: “The Notified Bodies should verify that a manufacturer who does not have a place of business in the EU, has designated an authorised representative and that the appropriate contract demonstrating delegation of appropriate responsibilities is available.”, says the MEDDEV. Those are a lot of ‘appropriates’ in one sentence. Again, there is a problem that jumps out to me as a lawyer: how will a notified body (who are not lawyers) determine if a contract is ‘appropriate’ and divides responsibilities ‘appropriately’? If the expected criteria above are the criterion, a notified body would need to do legal due diligence on the contract. I have a very well-founded suspicion that notified body auditors are not well equipped at the moment to assess control over subcontractors in subcontractor agreements and do not engage in-house or external lawyers for this, so it is fair to say they are not well equipped to assess the appropriateness of the authorised rep contracts either. This might be a point of improvement for notified bodies – they can also always challenge the manufacturer to explain its contract to the auditor but then the auditor must still be able to understand it.

Conclusion

If you are manufacturer, you should review you authorised representative agreement(s). Otherwise your notified body should challenge you for non-conformity if they find the agreements that are the market standard currently. Authorised representatives should think about how they will exercise the extra responsibility they have now and how to carve out the freedom to do so in their agreements. And notified bodies should think about how they will assess the appropriateness of these agreements. That means lots of homework for everyone. Need help? Let me know.

New EU guidance on Post Market Clinical Follow-Up Studies published and other MEDDEV guidance announced

The EU just released its first MEDDEV of a number that were agreed upon in the recent MDEG meeting. More are expected to trickle onto the Commission’s devices web pages in the coming days/weeks. It is a veritable guidance bonanza that will be discussed on this weblog in the weeks to follow. Some of the documents were truly much anticipated (or much overdue, if you’re more cynically inclined).

Agreed documents are:

  1. Revised guidelines on a Medical Device Vigilance system (MEDDEV 2.12-1 rev.7 ) have been reviewed and updated to include the new Manufacturers  Incident Report Form and the FSCA Form (listed as Annex 3 & 4).
  2. In addition, templates for Manufacturers Trend Reporting and Manufacturers Periodic Summary Reporting (Annex 7 & 8) are being introduced.
  3. Amended guidance on Post Market Clinical Follow-Up (“PMCF”) studies (MEDDEV 2.12-2 rev.2), discussed in more detail below.
  4. A new guideline has been established for Authorized Representatives (MEDDEV 2.5/10)
  5. A new guideline on IVF ART (MEDDEV 2.2/4)
  6. The guidance on Medical Device – Borderline and Classification issues on IVD (MEDDEV 2.14/1 rev.2) has been updated once again and revised to include more detail on some essential qualification criteria and classification issues.
  7. The new guideline on the qualification and classification of stand-alone software used in healthcare (no number assigned yet) within the regulatory framework for medical devices was agreed upon after two years of discussion.

In the following I would like to take a closer look of the first one published on the Commission website, the  guidance on Post Market Clinical Follow-Up (PMCF) studies. It is an update from the 2004 version and provides guidance to manufacturers and Notified Bodies and gives guidance on how to implement section 1.1.c of Annex X of the Medical Device Directive (MDD), which provides that

The clinical evaluation and its documentation must be actively updated with data obtained from the post-market surveillance. Where post-market clinical follow-up as part of the post-market surveillance plan for the device is not deemed necessary, this must be duly justified and documented.

The new MEDDDEV gives pointers as how to do this, see under points 1-7 below.

The new document follows the GHTF guidance, US FDA guidance and adds details on EU legislation. It emphasizes the increased need for PMCF studies to be considered in drafting the risk-based PMS plans in the light of the increased focus on clinical data introduced by 2007/47/EC revision of the MDD and AIMD directives.This increased focus largely boils down to manufacturers having to take post marketing surveillance seriously as a duty to actively collect post marketing information as part of the clinical evaluation cycle implemented in the medical devices directives, as I and my colleague Alex Denoon have argued many times. We cannot emphasize enough the importance of conducting a good legal risk review of the manufacturer’s subcontracting and supply agreements, and perhaps even social media chatter about a manufacturer’s devices. In general it is a good idea for a manufacturer to beef up its clinical post marketing data, if only to be able to substantiate comparative claims in litigation and have a meaningful discussion with healthcare insurance funds. Registry studies however are not addressed in any detail in this document, but may be addressed in subsequent guidance.

The guidance clearly but somewhat superfluously states that ISO 14155:2011 should be basis for clinical studies.

The important part in my view is that it provides details on the evaluation of PMCF by Notified Bodies (“NB”) because that provides the actual homework for the manufacturers as this is what the notified bodies will need to check with respect to PMCF. The NB shall as part of its assessment of a specific medical device (and therefore the manufacturer must itself – prior to that assessment):

  1. verify that the manufacturer has appropriately considered the need for PMCF as part of post market surveillance based on the residual risks including those identified from the results of the clinical evaluation and from the characteristics of the medical device in accordance with section 5 of the guidance;
  2. verify that PMCF is conducted when clinical evaluation was based exclusively on clinical data from equivalent devices for initial conformity in accordance with Annex II.4, Annex II.7, Annex III, Annex V.6 and Annex VI.6 of Directive 93/42/EEC and Annex II.4, Annex II.7, Annex III and Annex V.6 of Directive 90/385/EEC assessment and  that PMCF addresses the residual risks identified for the equivalent devices;
  3. assess the appropriateness of any justification presented by a manufacturer for not conducting a specific PMCF plan as part of post market surveillance and seek appropriate remedy where the justification is not valid;
  4. assess the appropriateness of the proposed PMCF plan in demonstrating the manufacturer’s stated objectives and addressing the residual risks and issues of long term clinical performance and safety identified for the specific device;
  5. verify that data gathered by the manufacturer from PMCF, whether favourable or unfavourable, is being used to actively update the clinical  evaluation (as well as the risk management system);
  6. consider whether, based on the specific device assessment, data obtained from PMCF should be transmitted to the NB between scheduled assessment activities (e.g. surveillance audit, recertification assessment); and
  7. consider an appropriate period for certification of the product in order to set a particular time point at which PMCF data will be assessed by the NB or specific conditions relating to certification for subsequent follow up. (This decision may be based on the residual risks, the characteristics presented in section 5 and the clinical evaluation presented at the time of initial assessment. Conditions the NB may consider could include the need for the manufacturer to submit interim reports between certification reviews, of the clinical data generated from the PMCF and post-market surveillance system).

As you see, this is homework for manufacturers as notified bodies will be expected to phase in compliance with these requirements and challenge manufactures when they have not yet complied by the time the next audit is up.

More general guidance on PMCF and its relation to legislation and interaction and cooperation with registries will be provided in subsequent guidance that will be drafted, according to a press release from BSi, which also mentions that attempts are ongoing to better embed PMCF and PMS planning into the future legislative framework in EU – as I have reported too from the mouth of the responsible persons at the Commission.

The new Blue Guide is here

Schermafbeelding 2014-04-04 om 22.38.34

After a royal time of suspense, the new Blue Guide has finally arrived. Was it worth the wait and what is new and noteworthy in medical devices? Let’s see. I will take you through this substantial document in a number of blogs, of which this is the first.

Some history

But first, for those who are not familiar with the Blue Guide, a little bit of history:

“The Guide to the implementation of directives based on the New Approach and the Global Approach (the “Blue Guide”) was published in 2000. Since then, it has become one of the main reference documents explaining how to implement the legislation based on the New Approach, now covered by the New Legislative Framework.

Much of the 2000 edition of the “Blue Guide” is still valid but it requires updating to cover new developments and to ensure the broadest possible common understanding on implementation of the New Legislative Framework (NLF) for the marketing of products. It is also necessary to take account of the changes introduced by the Lisbon Treaty (in force since 1st December 2009) with regard to the legal references and terminology applicable to EU-related documents, procedures, etc.”

To me the Blue Guide from 2000 has been immensely helpful for interpretation of crucial concepts in medical devices legislation, like ‘manufacturer’, ‘authorized representative’ and ‘placing on the market’, just to name some. And its fabulous flow charts outlining conformity assessment procedures made things a lot more transparent.

What is new?

The Blue Guide itself says:

“This new version of the Guide will therefore build on the past edition, but include new chapters, for example on the obligations of economic operators or accreditation, or completely revised chapters such as those on standardisation or market surveillance. The Guide has also been given a new title reflecting the fact that the New Legislative Framework is likely to be used, at least in part, by all types of Union harmonisation legislation and not only by the so-called “New Approach” directives.”

But there is more. I was very happy to find a relatively comprehensive guidance on international aspects in the form of pretty detailed discussions of international (with that I mean: outside of the EU) aspects of CE marking, including mutual recognition and geographic scope in chapters 2.8 and 9. This was already addressed in the old Blue Guide, but this update is current now and more detailed.

The chapter 7 on market surveillance contains a discussion of the new (not so new anymore) provisions on customs competences with regard to CE marked goods. Always convenient to know if you consider enlisting customs to help achieve your purposes which we love to do as litigious people that lawyers are.

There is a new 1 page chapter (chapter 8) on Free Movement of Products Within the EU, which discusses the free movement clause and restrictions / limits that the member states still impose. It is unfortunate (to say the very very least) that the Commission has not been able to include a discussion on the consequences of the Lycocentre-case. This EU court  judgment, as I have blogged, puts a major stick in the wheel of free movement of medical devices in the EU internal market. A discussion of its consequences for free movement would have been more than welcome in this chapter. Also, this big flaw in the internal market for medical devices something that could still be fixed in the proposals for the IVD and medical device regulation, which include limited powers for the Commission to make central qualification decisions. However, this limited step forward will not protect companies against the often very poorly supported reasoning that member states use to qualify products differently. The scientific quality of qualification decisions by member states can be disappointingly low and sometimes is just downright and objectively wrong. The Lycocentre case makes it much easier for member states to get away with their version of science. Going to court over what the correct scientific conclusion must be is, as you can imagine, not a nice prospect because judges are not scientists either and are inclined to give authorities the benefit of the doubt if their are not manifestly besides the point.

What is interesting –  authorised reps

As I have blogged before, the legal status of authorised representatives under the medical devices regime has my special attention at the moment. Consequently, I was puzzled to see the following statement casually scuffled away in footnote 57 on page 19:

“Please note that in the area of medical devices, the role of the authorised representative is reinforced and he is the primary interlocutor of market surveillance authorities for products for third countries.”

What is meant by “reinforced” here? I am pretty sure I have not missed an amendment of the medical devices directive and subsequent amendment of national law since the last amendment in 2007 in directive 2007/47. I am also pretty sure this is not a reference to the definition of the concept in Regulation 765/2008, which, admittedly, does define the concept differently but does so in a general way, and not specifically for medical devices. Also, regulation 765/2008 actually seems to do the reverse of reinforcing by using the words “act on his behalf in relation to specified tasks” rather than the wording of  “acts and may be addressed […] instead of the manufacturer” used in directive 93/42 (which the Dutch authorities have taken to mean now that you can enforce against and fine the authorized representative for whatever regulatory mistake the manufacturer makes).

765/2008 Directive 93/42
‘authorised representative’ shall mean any natural or legal person established within the Community who has received a written mandate from a manufacturer to act on his behalf in relation to specified tasks with regard to the latter’s obligations under the relevant Community legislation; ‘authorised representative’ means any natural or legal person  established in the Community who, explicitly designated by the manufacturer, acts and may be addressed by authorities and bodies in the Community instead of the manufacturer with regard to the latter’s obligations under this Directive;

 

Perhaps the reference is to the MEDDEV on authorised representative? But that MEDDEV starts with a disclaimer that it is not legally binding and that it reflects “positions taken by representatives of interested parties in the MEDICAL DEVICEs sector”. It does provide for some additional guidance in the section B. Member States’ Expectations in which member states’ expectations in some scenarios of noncompliance by the manufacturer are discussed:

“- In the event of a disagreement, where the authorised representative considers that the manufacturer is not complying with the requirements of the Directives, it has a duty to communicate this to the manufacturer. If the disagreement continues, the matter should be submitted to the authorised representative’s Competent Authority for decision. The authorised representative may opt to rescind the contract.

– In the event of a clear non-compliance by the manufacturer that could engage the responsibility of the authorised representative and which the manufacturer refuses to correct, the authorised representative has the right to rescind his contract with the manufacturer. The authorised representative has even the obligation to rescind the contract if the non-fulfilment of the manufacturer’s obligations causes him to infringe national law. It should then notify his Competent Authority and the manufacturer’s Notified Body of this.”

It is unclear to me however how this ‘reinforces’  the authorised representative role, because it just says that member states expect authorised representatives to structure their contracts to include specific agreements. It also suggests that authorised representatives have certain rights to terminate their contract, which, as I have blogged, utterly lacks legal basis because a MEDDEV cannot intervene in national contract law and therefore cannot ‘reinforce’ their rights.

To conclude, I am very interested to understand what the Commission means with what looks to me like a slip of the keyboard. Anyone of you readers that can help me understand this?

More to come

This was the first of my series of blogs on the new Blue Guide. Watch this space for more.

Netherlands medical devices compliance update

Rijksoverheid_logo_02Last week I attended the Eucomed Compliance Committee meeting in Brussels, and presented on some of the compliance developments going on in the Netherlands with respect to medical devices. Just like all other member states, the Netherlands had to play their part in executing the Joint Immediate Action Plan. Also, they have some ideas of their own, some of which they want to lobby into the medical devices and IVD regulations that are currently underway in the EU legislative process.

My presentation is here and the summary of what I presented follows right after:


What are they up to?

So what are the Dutch up to these days? The Dutch have clearly decided that they are going to make a difference in the medical devices space, which I much applaud as there was certainly room for improvement. The Dutch have taken a very sensible stance in the revision project, and are clearly serious about applying more intensive scrutiny to the Dutch market. The competent authority is increasing its staff for medical devices, which is a good thing because so far it was really strapped for recourses in devices enforcement. However, as we will see below, I think that they sometimes put the focus on the wrong things or color outside the lines of the law in their enthusiasm.

European lobby to incorporate HCP interaction regulation in the EU regulations

The Dutch have started a lobby in Brussels to incorporate HCP interaction regulation in the regulation proposals, as was confirmed by a communication of the Dutch Healthcare Minister to Parliament on 19 December 2013. At present this subject is harmonised up to an extent at EU level by branch associations codes (Eucomed, COCIR, EDMA), but these are not law and the Dutch would like to have these standards hardwired in EU law. Yes, notwithstanding that this is royally late in the day of the legislative process (they haven’t gotten much traction so far, the Minister writes herself) and notwithstanding that the Dutch government has just leaned on industry to set up its own self-regulatory system for the Netherlands in a very short time frame, which it is now seems to be proposing to make obsolete again.

Given that the Dutch are not gaining much traction in Brussels and that they are probably betting on the regulation proposals not being finished in time before the elections, they have a plan B and are planning to incorporate HCP interaction rules in the Dutch act on medical devices in any event. The Minister of Health indicated that she will make a proposal in 2014, with a view to entry into force early 2016.

Double jeopardy in clinical investigations

There seems to be a development of the Dutch competent authority not being very satisfied with the work of the Ethics Committees (yes, the very committees that the Parliament wants in the loop for clinical investigation approval according to its amendments to the medical devices regulation) with respect to clinical investigation approvals.

Currently the medical devices directive contains a notification requirement for approved studies in article 15 (1) of the Medical Devices Directive. The Dutch competent authorities seem to have started the policy that they will use this notification requirement as a basis for a second approval of clinical studies. They have started to send companies letters that they can’t start their already Ethics Committee approved investigation until they have satisfied additional competent authority requirements set out in the letter, which may overlap with what the Ethics Committee already did and/or address completely new subjects.

This is not only in contravention of the Medical Devices Directive mechanism for clinical trial approval, but also against the Dutch Clinical Trials Act itself, which provides for the division of competence between the Ethics Committees and the competent authority and is pretty explicit about the competence of approval of clinical trials with medical devices being reserved to the Ethics Committees. Granted, the competent authorities can enforce after a clinical trial has started on grounds of violation of GCP, but that’s something very different from an additional test as a condition to start a clinical trial.

This new way of doing things is administrative practice, which does not have a basis in law (since there is no attribution of competence to do this), so it may just be the competent authority asserting its authority to the market and doing its best to bend the rules to find a solution for their problem. However, this is an extremely onerous practice to be confronted with as a company and I have also heard that the body responsible for the Ethics Committees, CCMO, is very annoyed about this second-guessing of Ethics Committees.

Should you be confronted with this practice as manufacturer: keep in mind that the competent authority has no legal basis to require this. Maybe the Commission’s SANCO department (I hope they are listening) could tell them that this is an incorrect way of implementing EU medical devices law.

Authorised representatives in the crosshairs

A disturbing  development in the same vein is the competent authority’s (what seems to start to look like) policy to enforce against authorized representatives rather than against the manufacturers that they represent. I have seen ARs getting warning letters with huge fines threatened for things they have not done themselves and cannot even influence.

This practice seems to be based on a misunderstanding by the competent authority of the definition of authorized representative as it was ambiguously translated into the Dutch language version of the Medical Devices Directive and subsequently wrongly transposed in Dutch medical devices law in a way that it looks like the AR may be enforced against for manufacturer actions. It’s like the whispering game where you have to convey a sentence via a number of people that in the end comes out garbled. Big fun at children’s parties but not so much if legal certainty is at stake for a company in AR services or a manufacturer dealing with a freaked out AR that is being enforced against.

If you carefully read EU law and guidance on the subject of ARs, like the Authorised Representative MEDDEV, Regulation 765/2008 that (re)defines the concept as part of the Goods Package, the Blue Guide (the bible on CE marking), just to mention a few sources, there is absolutely no basis whatsoever to interpret the concept of AR in the sense that the AR can be fined under medical devices law for non-compliance of the manufacturer. Granted, they’re an easy target for enforcement – a proverbial sitting duck because they have to notify themselves to the authorities – but that does not mean that they can become a regulatory bullseye just because they’re a convenient target for the authorities.

This is another prima facie contravention of the Medical Devices Directive by the Dutch competent authority (the Commission should talk to the Dutch about that too). The concept of AR is defined at European level in several different instruments, so the Dutch competent authority does not have the final word on this and most definitely not on a manifestly wrong implementation of the medical devices directive. Maybe the ARs should start a class action for all the damages resulting from wrongful enforcement, as this practice is  obviously contrary to European law and therefore unlawful. In any event the ARs should seriously consider a complaint to the Commission (which I would be happy to help with, by the way). If you are an AR or manufacturer with this problem: I have already given the issue a lot of legal and regulatory thought. I would recommend that the Minister, if she is changing the law anyway to put in extra stuff, fixes this problem as well and just copies the Dutch language version of the definition of AR in Regulation 765/2008.

Sunshine in devices

Like in France and Denmark, the Netherlands is also going to require publication of HCP interactions in a public register, timing: by 2015. What interactions will be in there? Not with respect to certain groups of devices or anything above a particular value (that would be way too precise) but rather initially only “interactions relevant to the patient”. What does that mean? Good question! The Dutch minister explains it to Parliament like this:

“Ties that the HCP could have with a manufacturer of rubber gloves are not relevant to a patient. Ties of a manufacturer of pacemakers or hip implants are relevant to the patient. […] We will start with ties for devices which the patient has a very close relationship with in treatment, but for which the HCP decides on the choice of the device. An example are implants.”

Do I smell some bias here against the implants side of industry? There has indeed been a lot of buzz in Parliament about the naughty implants industry and their consultancy contacts in 2013. But what is relevant to me as a patient? If you have an internal exam or ultrasound, you bet that the HCP interaction with the gloves / transducer cover manufacturer is just as relevant for a patient as with implants. An HCP selecting the new extra thin glove that ruptures more easily because he receives a kickback is of course also a big health risk too. Or what about endoscope cleaning fluid? Hepatitis C is really not that fun to contract.

This argument of the Minister of ‘relevance to patients’  is not very well though out and has a strong ‘some animals are inherently more ethical than others’-feel about it,which in my view makes the argument not convincing at all. If you want a phase-in of reporting for different classes of devices, one can do much better than this in defining categories, like for example by the value of the contract or by risk class of the devices concerned. Anyway, as this is still under development, the government will have the opportunity to set this up in a more objective way.

“Interesting”

Interesting developments in the Netherlands, however some of which are probably not the most promising when it comes to the Dutch interpretation of how to implement the Joint Immediate Action Plan and EU medical devices law. I think a reality check on EU law compliance is in order – hopefully the Commission is watching too and will invite the Dutch competent authority for a meeting on the correct application of EU medical devices law.

For the rest, start to prepare for sunshine compliance in the Netherlands – it’s coming your way one way or the other.

“E” is for economic operator – you know: the MAID

In the series of articles on this blog discussing parts of the proposed EU medical devices and IVD regulations I am taking a look now at economic operators, or as Maurizio Suppo calls them in an interesting analysis of the IVD regulation proposal: the MAID (manufacturer, authorized representative, importer, and distributor). Both the IVD and medical devices regulation lumps all of these together in a single section of the proposal, along the methodology of Decision 786/2008 on a common framework for the marketing of products, which forms the template for regulating the supply chain in EU regulation for CE marked products. Since the economic operators are regulated identically under both the MDR and the IVDR proposals, everything below applies to both. The party line in this respect is the Commission’s attempt to make the supply chain a closed system, much like the Commission has also tried with the Falsified Medicines Directive, by requiring that each link in the chain checks compliance of the previous one and by imposing autonomous regulatory obligations on the respective actors in the supply chain. Both of these elements are new compared to current medical devices and IVD rules and are a departure of the principle that the manufacturer is the focal point of all regulatory responsibility.

For an overview you can download the presentation I gave on this, among other subjects, at a recent medical devices regulation seminar organised by my law firm. This post is also not the exhaustive word on the MAID under the proposals – there is more to follow, for example on authorised representatives, which I already discussed in detail recently, and will discuss in detail again in another post.

Manufacturer

I’m not going to go through the entire manufacturer concept, but will rather focus on some things that jumped out at me. As a point on which there is a significant departure of the current system I’d like to take you to article 14 in the MDR and IVDR, called “Cases in which obligations of manufacturers apply to importers, distributors or other persons”. A distributor, importer or other natural or legal person shall assume the obligations incumbent on manufacturers if he does any of the following:

(a) makes available on the market a device under his name, registered trade name or registered trade mark;

(b) changes the intended purpose of a device already placed on the market or put into service;

(c) modifies a device already placed on the market or put into service in such a way that compliance with the applicable requirements may be affected.

So far no really big departures to the current rules. But then there is the translation and pack changes provision in section 2, which imposes some very new things:

  1. Translations and pack changes by others than the original manufacturer  must be subject to quality system that is notified body certified; and
  2. Prior to making the relabelled or repackaged device available, the manufacturer and authorities must be informed and (upon request) be provided with a sample or a mock-up of the relabelled or repackaged device, including any translated label and instructions for use.

To me these changes make a lot of sense, but they do not do a good job of accounting for European Court of Justice case law regarding repackaging of medicinal  products. Point 2 was the subject of bitter  and protracted litigation in that field, and the EU Court delivered a number of judgements setting out how the manufacturer and repacker should behave towards each other, of which you can find a helpful overview right here and the latest judgment in the series over here. Since recital 25 IVDR and 30 MDR explicitly refer to the last judgment mentioned for guidance, we will have to assume that the Commission intends this case law to apply to the medical devices and IVD field. That automatically means that there is a lot more nuance to repacking and translating than is presently set out in the proposals themselves. Important case law on the effect on the manufacturer intellectual property rights relating to the packaging, such as the distinctive character of the manufacturer trademarks, is not addressed in the operative part of the proposals (and, according to EU Court case law, cannot serve as rules directly prescribed by the regulation). Since these trademarks will appear on the changed pack, this would normally be trademark infringement – or in other words: something that the manufacturer should have a say about. The pharmaceutical industry has fought for years and years about this and it might just be that the Commission is trying to quietly fly this one in under the radar for the medical devices industry, because in the MDR and IVDR proposal the only right that the manufacturer has is to be “informed”, whereas the trademark owner with respect to a medicinal products is much better protected. Of course we don’t know if “informed” is a term that denotes that this is the only remedy the manufacturer has, but on the other hand it does not give any detail to the contrary either. Although the proposals have tried to incorporate the original five so-called BMS conditions developed in the case law discussed, the further refinement and regard for the trademark owner’s reputation set out in that case law (e.g. the division of the burden of proof about damage to the reputation of the trademark of the manufacturer) has not been put in the proposals. As an IP litigator I am intrigued by the opportunities for me but not happy for industry.

Importers

Importers must ensure that:

  1. the appropriate conformity assessment procedure has been carried out by the manufacturer;
  2. an authorized representative in accordance with Article 9 has been designated by the manufacturer;
  3. the EU declaration of conformity and the technical documentation have been drawn up by the manufacturer;
  4. the device bears the required CE marking of conformity;
  5. the device is correctly labeled and accompanied by the required instructions for use and EU declaration of conformity; and
  6. a Unique Device Identification has been assigned.

They must  furthermore:

  1.  Be able to identify any economic operator to whom they have supplied a device, any economic operator who has supplied them with a device and any health institution or healthcare professional to whom they have supplied a device for a period of five years;
  2. Label the device with their contact details;
  3. Take corrective action (a.o. recalls and report to authorities) autonomously;
  4. Engage in post-market surveillance (among other things report complaints); and
  5. Refuse to import devices of which he has reason to believe are not in conformity with the requirements.

Just some remarks here. How is an importer going to “ensure” that the ” appropriate” conformity assessment procedure has been carried out by the manufacturer and that the device bears the “required” CE marking of conformity and is “correctly” labeled? It seems that the Commission is intending the importer to be a notified body of sorts. Of course the importer can check if certain paperwork is in place, but making the importer autonomously responsible for second guessing the notified body’s work, that’s serious stuff I think. You might say this is justified for class I devices (where a notified body has not been involved) but for class III devices? Perhaps I’m reading too much in these qualifiers and we only need to look at what they trigger (article 11 (2) MDR and IVDR):

“Where an importer considers or has reason to believe that a device is not in conformity with the requirements of this Regulation, he shall not place the device on the market until it has been brought into conformity. Where the device presents a risk, the importer shall inform the manufacturer and his authorised representative to that effect, as well as the competent authority of the Member State in which he is established.”

So if there is only a need to inform in case of suspected non-compliance, why does the statute stipulate a duty to “ensure” compliance? This can only mean that the authorities can enforce against an importer of which they believe he has not done enough to “ensure” compliance and this will have a lot of consequences for the agreements in the supply chain, because importers are faced with a new and substantial risk that must be accounted for in the agreement. But if “not enough” was intended, why not phrase it as such? Now it’s phrased as a binary obligation rather than a duty of care, so essentially a no-fault liability – and one without legal recourse on the manufacturer, at least not on the basis of the MDR and IVDR. If there is anything I’d be lobbying on as industry to get out of the proposal, it would be something like this. However, it looks like the industry will be stuck with it, as the proposals implement the exact template of economic operator supervision set up in Decision 768/2008. That doesn’t mean that these things are not picked up by the market. Orgalime for example mentioned problems with applying the “ensure” criterion in the supply chain in 2010 already. Eucomed is flagging the issue again now in its brand new position paper on the MDR.

Distributor

Distributors must verify that:

  1.  the product bears the required CE marking of conformity;
  2. the product is accompanied by the information to be supplied by the manufacturer; and
  3. the manufacturer and, where applicable, the importer have complied with the rules.

They must furthermore:

  1. Label the device with their contact details;
  2. Take corrective action (among other things undertake recalls and report to authorities) autonomously; and
  3. Engage in post-market surveillance (i.e., report complaints)

The same applies as for importers with regard to the terms”required” and “complied with the rules”.

Confidential information

You will see some common themes here: each link has to check compliance of the previous links. Sounds very nice in theory. As discussed the no-fault liability for another party’s behaviour is nothing to look forward to. But there is more to meeting these obligations.

In practice this will involve exchange of a lot of confidential information that nobody likes to just give to someone else. As Mr Suppo puts it: “Rules are rather unclear on how access should be granted to technical documentation for economic operators other than the manufacturer.” I would take a further step back, because this statement assumes that economic operators would be granting each other access to tech files for the purpose of allowing the other to check compliance. Being quite familiar with supply chain contracts (imports and distribution) in the medical devices industry I have not come across agreements that allow the distributor or importer full access to the technical file of the manufacturer. Both under the current directives and the proposals a tech file as such would be confidential information. Moreover, why grant only access to the technical file then? The quality system documentation is also an important pillar for compliance. I have double-checked the proposals but could not find a proposed requirement for companies to give each other access to tech files. Also, this would not solve the no-fault liability that I discussed – the importer and distributor may disagree with the manufacturer, and even with the manufacturer’s notified body. Should the system be set up in a way that economic operators have to second-guess notified bodies to manage their own potential liability? I think that undermines the core of the CE marking system: you have to be able to always rely on certificates of conformity. My contention is that distributors and importers duty’s on the no-fault liability part should not extend beyond verification of the certificate of conformity and corresponding declaration of conformity (except in the case of class I devices, in which case only verification of a declaration of conformity should suffice).

Well…

Here it is: a tip of the iceberg with regard to economic operators. As discussed, companies in the medtech sector should really watch where this is going. Importers and distributors have to start thinking about upping their game in regulatory compliance. Companies should account for this in long term contracts that may run beyond the transitional period set out in the proposals. Etc. More to follow!

New EU medical devices regulations proposals out – first impression: nothing unexpected but devil is in the details

Today was a big day with a half hour press conference by Commissioner Dalli (for Twitter summaries see here and here) to festively launch the two much anticipated EU medical devices regulation proposals (one for general medical devices, including active implantables, and one for IVDs).

The generalities of the proposals, as you can read in the press release and the Commission’s communication on the subject, are not a surprise given what we already know. However, the devil is in the details and there are some significant changes in specific matters. For those not interested in details: see the ultra short summary by Reuters. For those that are interested in some gems already unearthed, check Robert van Boxtel’s timeline on twitter.

I hope you will forgive me that the below analysis is not comprehensive: the entire proposal for the general medical devices regulation alone is 194 pages and I am sure I have missed a few points. I won’t discuss the new IVD regulation proposal in this post, but I could establish that my earlier blog on what I expected it to be was pretty accurate and will discuss that at a later occasion.

I am planning to do a series of blogs to discuss distinct parts of the regulation, so this is just a first and very personal impression of what jumped out at me in the proposal for the general medical devices regulation (MDR).

In a nutshell the aim of the MDR is that supervision of notified bodies, conformity assessment procedures, clinical investigations and clinical evaluation, vigilance and market surveillance are significantly reinforced, whilst provisions ensuring transparency and traceability regarding devices are introduced. Eucomed is happy with it because much stays the same (no PMA) except for the scrutiny procedure (see below), but their worst fears may still come true in the legislative process that the proposal has now entered.

Political dimensions

The political dimension is quite apparent. The Commission makes a big point of referring to its eHealth strategy in the explanatory memorandum to the MDR proposal, as well as referring to international harmonization via the GTHF and contributing indirectly to public health under its new Lisbon Treaty competences acquired by integrating clinical trials rules into the regulation (now that they did not make it to the proposal for the revised clinical trial directive). And of course there is the fact that the Commission is quite done with the member states’ sometimes really different way of looking at things and make a mess of the internal market that way, and therefore forces everyone in line now with a directly applicable regulation.

Scope

The non-viable human tissue gap is closed by stipulating that substantially manipulated tissues and cells that are not covered by the ATMP regulation are in scope of the MDR, just like finished products from cells and tissues covered by the EU Tissues and Cells Directive. Human tissues and cells that are not substantially manipulated and products derived from such tissues and cells, should not be covered by the MDR. Anyone (including me) that has worked with the ATMP regulation knows what a bone of contention and disagreement the “substantially manipulated” criterion is and how different member states apply it to the detriment of innovative therapies, so brace for stubborn persistence of the current borderline problems here.

Also added to the scope are implantable or other invasive products without a medical purpose that are similar to medical devices in terms of characteristics and risk profile (e.g. non corrective contact lenses, implants for aesthetic purposes).

Demarcation provisions for products that contain or consist of viable biological substances (e.g. living microorganisms) and food have been included.

A special regime has been added for products that cause real borderline headaches, i.e. products composed of substances or combinations of substances that are intended to be ingested, inhaled or administered rectally or vaginally and that are absorbed by or dispersed in the human body, such as the lactic acid tampons. In short, they are classified in the highest risk class and should comply with the relevant requirements of Annex I of Medicinal Products Directive 2001/83/EC.

The producers of software, handhelds and other devices that, whilst not being medical devices, can be used in combination with them should beware that the accessory definition has been significantly expanded by adding the word “assist” in the definition (“an article which, whilst not being a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable or assist the device(s) to be used in accordance with its/their intended purpose(s)”). Obviously, “assist” is something different than “enable”, signifying that the accessory does not need to be a conditio sine qua non (as “enable” would suggest) for intended purpose but merely being helpful in some way might be enough for the product to be regulated as medical device.

Entry into force

It applies from three years after entry into force (entry into force being moment T for what follows, which I postulate two years from now based on normal duration of the legislative procedure). However, the requirements for manufacturers and importers to submit devices to Eudamed for registration and for notified bodies to enter certificate details in Eudamed  apply from 18 months after date of application (i.e. as of T plus three years plus 18 months). Furthermore the section on designation of notified bodies and the establishment of the Medical Device Coordination Group (MDCG) shall apply from six months after entry into force (so as of T plus 6 months). However, prior to T plus three years , the obligations on notified bodies emanating from the accreditation provisions shall apply only to those notified bodies which submit an application for notification, so the newly notified notified bodies.

Geographic scope

Apart from to the EU countries the MDR also applies to the countries that have entered into international agreements with the EU which confer on that country the same status as a Member State for the purpose of application of this Regulation, as it is currently the case with the EEA (Norway, Liechstenstein, Iceland), the Agreement between the European Community and Switzerland on mutual recognition in relation to conformity assessment and the Agreement of 12 September 1963 establishing an association between the European Economic Community and Turkey from 1963.

Governance

The proposal provides for a legal basis for the MDGC to remedy the lack of democratic foundation for currently operating committees such as CMC and MDEG in which member states cooperate with respect to certain aspect of the current MDD. The MDGC consist of member state representatives chaired by the Commission and will have as tasks:

(a) to contribute to the assessment of applicant conformity assessment bodies and notified bodies;

(b) to contribute to the scrutiny of certain conformity assessments under the scrutiny procedure;

(c) to contribute to the development of guidance aimed at ensuring effective and harmonised implementation of this Regulation, in particular regarding the designation and monitoring of notified bodies, application of the general safety and performance requirements and conduct of the clinical evaluation by manufacturers and the assessment by notified bodies;

(d) to assist the competent authorities of the Member States in their coordination activities in the fields of clinical investigations, vigilance and market surveillance;

(e) to provide advice and assist the Commission, at its request, in its assessment of any issue related to the implementation of this Regulation;

(f) to contribute to harmonised administrative practice with regard to medical devices in the Member States.

Supervision of notified bodies

Unsurprisingly in the light of the PIP scandal and the subsequent Commissioner Dalli Plan to improve market surveillance, the MDR includes much beefed up requirements for the accreditation and supervision of notified bodies. One important one is quality control for outsourced auditing work.

Classification and conformity assessment

This includes procedures for resolving classification disputes between manufacturer and notified body by member states, overseen by the Commission, the dreaded scrutiny procedure for applications for conformity assessments for devices classified as class III, with the exception of applications to supplement or renew existing certificates. The procedure will delay the grant of certificates but there does not seem to be an outright veto by the MDCG, as the notified body shall give due consideration to any comments received and It shall convey to the Commission an explanation of how they have been taken into consideration, including any due justification for not following the comments received, and its final decision regarding the conformity assessment in question. The Commission may define other categories of devices than class III to which the scrutiny procedure will apply during a predefined period of time.

Quality system

A requirement has been introduced that within the manufacturer’s organization a ‘qualified person’ should be responsible for regulatory compliance. Similar requirements exist in EU legislation on medicinal products and in the national laws transposing the AIMDD/MDD in some Member States. A similar requirement applies for authorized representatives.

Clinical trials

The Commission seems to be planning to set up a parallel system for devices clinical trials including database (why not use the existing EudraCT medicinal products database?). Because the new clinical trail directive proposal does not include medical devices, the Commission has mirrored that directive in the MDR, including provisions for international multi-centre trials. The MDR includes a procedure for post marketing clinical follow up trials within the scope of the CE mark. However, there remains a lot to be addressed, which the Commission reserves the right for to do in implementing acts. That it nothing to look forward to because this has not spelled good news for the ATMP regulation and never worked under the current MDD. If the implementing acts are not finalized well before the date of application, clinical trial planning and execution will be at risk as these require long term planning.

Vigilance and marketing surveillance

As was to be expected, there will be a regulation 765/2008 type supply chain control mechanism as we have already seen in the new Toy Directive that obliges each link in the chain to verify that the previous one was compliant. Each link will have their own regulatory responsibility for compliance related to their role in the supply chain.

Much of the vigilance MEDDEV is taken on board into the MDR.

A lot of procedural rules are added in which the member states authorities play a crucial role. Given that the lack of resources for medical devices market surveillance on national level is one of the big points that the MDR will not solve, you can see where this is going: market surveillance may well not improve as long. The good (ahem) news is that member states get the express competence to levy fees for their work to implement the MDR, so they might use this to levy some additional resources for much needed additional FTEs.

Combination products

Device/drug combinations are addressed with an amended procedure with as big novelty that the EMA/competent authority can now veto a certificate being provided by the notified body, which is not currently the case.

The MDR also amends the medicinal products regulation with a procedure for drug/device combinations, to the effect that “the marketing authorisation dossier shall include, where available, the results of the assessment of the conformity of the device part with the relevant general safety and performance requirements of Annex I of that Regulation contained in the manufacturer’s EU declaration of conformity or the relevant certificate issued by a notified body allowing the manufacturer to affix a CE marking to the medical device. If the dossier does not include the results of the conformity assessment referred to in the first subparagraph and where for the conformity assessment of the device, if used separately, the involvement of a notified body is required in accordance with [the MDR], the authority shall require the applicant to provide an opinion on the conformity of the device part with the relevant general safety and performance requirements of Annex I of that Regulation issued by a notified body designated in accordance with that Regulation for the type of device in question, unless the authority is advised by its experts for medical devices that involvement of a notified body is not required.”

Software

There is a new essential requirement section for software, both incorporated and standalone. There is even a requirement for software intended to be used in combination with mobile computing platforms: that shall be designed and manufactured taking into account

the specific features of the mobile platform and the external factors related to their use. There is no definition of “mobile computing platform”, contrary to the draft FDA guidelines for mobile medical apps that – although heavily criticised in the US – did a much better job in this respect. Also, software is explicitly taken into account in design and risk management rules.

And there is of course the new accessory definition to take into account, because accessories have to meet all device requirements. Any software that “assists” a medical device might become regulated as a medical device itself.

Single use and reprocessing

Reprocessing of single-use devices is considered as manufacture of new devices so that the reprocessors must satisfy the obligations incumbent on manufacturers. The reprocessing of single-use devices for critical use (e.g. devices for surgically invasive procedures) will be prohibited.

Transparency

There are a number of measures to improve the rightly criticized lack of transparency of the EU system:

• a requirement that economic operators must be able to identify who supplied them and to whom they have supplied medical devices;

• a requirement that manufacturers fit their devices with a Unique Device Identification (UDI) which allows traceability. The UDI system will be implemented gradually and proportionate to the risk class of the devices;

• a requirement that manufacturers/authorised representatives and importers must register themselves and the devices they place on the EU market in a central European database (likely Eudamed);

• an obligation for manufacturers of high-risk devices to make publicly available a summary of safety and performance with key elements of the supporting clinical data;

• and the further development of Eudamed, which will contain integrated electronic systems on a European UDI, on registration of devices, relevant economic operators and certificates issued by notified bodies, on clinical investigations, on vigilance and on market surveillance. A large part of the information in Eudamed will become publicly available in accordance with the provisions regarding each electronic system.

So… why not ask if me if you’re not sure

This is my first impression. I’m sure you’ll find lots of other first impressions that focus on different things. As announced, I am planning to write about the respective elements of the proposal in a lot more detail in future posts so you can expect those in the near future.

For the moment, if you have questions or just want to test a hypothesis, my firm has now implemented Question Time on the website, a feature that allows you to plan a 15 minute telephone, Skype or FaceTime meeting in our calendars to talk to us about whatever subject in EU medical device law (or pharmaceuticals, or biotech, or food law), at completely no cost. We figured we would try this as experiment to allow companies to have a sense of whether something might really be an actual problem that needs lawyer attention before they start paying fees. Mind you, some necessary terms apply, e.g. to manage possible conflicts of interest. If you are interested in this experiment, why not book yourself a slot to try it out. My colleagues and I are looking forward to speak with you.

EU Regulation on e-Labeling of Medical Devices expected to enter into force end this year

On 8 June the European Commission published a draft regulation on e-labeling as part of their WTO Technical Barriers Trade activities.

Up to now, e-labelling was problematic and regulated in a fragmented way. It was allowed up to an extent for IVDs within the guidance provided by a MEDDEV. This proposed regulation does not seem to change the rules for IVD e-labeling because the regulation explicitly applies only to the labelling of devices under directives 93/42 and 90/385. New IVD e-labelling rules may be taken on board in the currently pending revision of the IVD directive.

According to the Commission summary the scope of the draft regulation as follows:

to set out conditions according to which instructions for use in paper form may be replaced by electronic instructions for use. The regulation will limit the possibility of providing instructions for use in electronic form to defined medical devices and accessories intended to be used in specific conditions. Furthermore, it contains a range of procedural safeguards. Thus instructions for use have to be provided in paper form on request, and a specific risk assessment by the manufacturer and information on how to access to the instructions for use is needed.

This summary of course oversimplifies what the proposed regulation will actually do, so let’s take a look at it in a bit more detail. As you will see, e-labelling is not for the meek and entails a lot of organisation. In addition, there is an important e-privacy angle to it that I predict many companies will overlook.

Paper push on request obligation

First of all, manufacturers will always remain subject to paper push upon request by user, for the duration of the data retention periods discussed below, and within maximum 7 calendar days or at delivery of the device.

Scope

The regulation will impact on four things:

  1. full e-labelling, whether via a carrier provided with the device or via a website
  2. e-labelling additional to paper IFU
  3. instructions for use provided via the device itself (e.g. via the GUI)
  4. labeling of the device itself

It will only regulate this for devices intended exclusively for professional users for use by other users is not reasonably foreseeable and that fall in either of the four below categories:

  • (active) implantable medical devices and their accessories intended to be used exclusively for the implantation or programming of a defined (active) implantable medical device;
  • fixed installed medical devices covered by Directive 93/42/EEC (fixed installed medical devices being defined as “devices and their accessories which are intended to be installed, fastened or otherwise secured at a specific location in a healthcare facility so that they cannot be moved from this location or detached without using tools or apparatus, and which are not specifically intended to be used within a mobile healthcare facility”); and
  • (active implantable) medical devices and their accessories with a built-in system visually displaying the instructions for use; and
  • stand alone software covered by Directive 93/42/EEC.

Obligations for full e-labelling

As a precondition manufacturers must perform a risk assessment on their e-labelling, the outcome of which must be that “providing instructions for use in electronic form maintains or improves the level of safety obtained by providing the instructions for use in paper form” and it must “at least” include as elements:

  1. knowledge and experience of the intended users in particular regarding the use of the device and user needs;
  2. characteristics of the environment in which the device will be used;
  3. knowledge and experience of the intended user of the hardware and software needed to display the instructions for use in electronic form;
  4. access of the user to the reasonably foreseeable electronic resources needed at the time of use;
  5. performance of safeguards to ensure that the electronic data and content are protected from tampering;
  6. safety and back-up mechanisms in the event of a hardware or software fault, particularly if the instructions for use in electronic form are integrated within the device;
  7. foreseeable medical emergency situations requiring the provision of information in paper form;
  8. impact caused by the temporary unavailability of the specific website or of the internet in general, or of their access in the healthcare facility as well as the safety measures available to cope with such a situation;
  9. evaluation of the time period within which the instructions for use shall be provided in paper form at the users request.

The risk assessment must be updated with PMS information as and when that comes available, so manufacturers will need to include this in their PMS information feedback loop. As with the paper IFU the manufacturer must have a system in place to clearly indicate when the instructions for use have been revised. The regulation imposes an interesting mandatory vigilance obligation on this point: manufacturers must inform each user of the device of revisions of the IFU if the revision was necessary for safety reasons. It does not state how the users should be informed.

The regulation does not allow optional e-labelling per member state, unless justified by the outcome of the risk assessment. That means that e-labelling must be handled the same for each EU member state, unless it would be justified to make exceptions based on the risk assessment.

The regulation imposes data retention obligations and obligation to keep the e-IFU available for users :

  • for devices with a defined expiry date, except implantable devices, for at least two years after the end of the expiry date of the last produced device;
  • for devices without a defined expiry date and for implantable devices, for a period of fifteen years after the last device has been manufactured.

Since e-labelling must be fool-proof, the regulation sets out requirements for the instructions for use for the e-label.

Except for class I medical devices the notified body of the manufacturer must review the manufacturer’s fulfillment of the e-labeling requirements during the p conformity assessment. The review must be based on a specific sampling method adapted to the class and the complexity of the product.

Website

A full e-labelling website must comply with the following requirements:

  1. the instructions for use shall be provided in a commonly used format that can be read with freely available software (e.g. pdf);
  2. it shall be protected against hardware and software intrusion;
  3. it shall be provided in such a way that the server downtime and display errors are reduced as far as possible;
  4. it shall mention in which Union languages the manufacturer provides the instructions for use in electronic form;
  5. it shall fulfil the requirements of Directive 95/46/EC (privacy and data protection, see for more detail about that below);
  6. the internet address shall be stable and directly accessible during the data retention periods (see above);
  7. all previous versions of the instructions for use issued in electronic form and their date of publication shall be available on the website.

Additional e-labelling

Instructions for use in electronic form may also be provided in addition to complete instructions for use in paper form. In that case they must be “consistent” with the content of the instructions for use in paper form. If they are provided through a website, this website must fulfill part of the requirements for a full e-labelling webiste. Strangely enough the verification of consistency is not subject to ex ante notified body scrutiny as with the full e-labelling option. It will of course be subject to ex post notified body supervision in the framework of audits, so manufacturers might plan for this.

Impact on labeling of the devices themselves

Manufacturers must clearly indicate that the instructions for use of the device are supplied in electronic form instead of in paper form and that the user may request and shall obtain at no additional cost the instructions for use in paper form at any time during the retention periods set out above. That information shall be provided on the packaging for each unit or, where appropriate, on the sales packaging. In the case of fixed installed medical devices, that information shall also be provided on the device itself.

The manufacturer must provide

  • information on how to access the instructions for use in electronic form on the packaging for each unit or, where appropriate, onthe sales packaging or, in the case of fixed installed medical devices, also on the device itself. If all of that is not practicable, the information must be supplied in a paper document supplied with each device;
  • in the device or on a leaflet, information on foreseeable medical emergency situations and, for devices fitted with a built-in system visually displaying the instructions for use, information on how to start the device; and
  • in the catalogue or in other appropriate device information support, information on software and hardware requirements needed to display the instructions for use (my guess is that this could also well be done somewhere in the documents comprising the label).

e-Labelling via the built-in GUI of a device

The draft regulation also deals with provision of instructions for use in electronic form by the device itself. Apart from that this is subject to all of the above, manufacturers of medical devices fitted with a built-in system visually displaying the instructions for use must ensure that displaying the instructions for use does not impede the safe use of the device, in particular life-monitoring or life-supporting functions. I think an example of this would be pop-ups with ‘useful’ troubleshooting tips that obscure vital information on the screen and cannot be easily closed. Fulfillment of this requirement will certainly impose additional emphasis on usability engineering requirements of the GUI of these devices and application of risk management to the software design process. Also,  the instructions for use in electronic form must also be made accessible to the users through a website, to which all of the above criteria apply.

Don’t forget the personal data rules impact

The draft regulation contains multiple references to the EU directive on the protection of personal data. This is to be expected because there will inevitably be an exchange of personal data between the manufacturer and a doctor or other HCP for the purpose of the provision of e-labelling and the PMS process related to that. That means that the processing of the personal data acquired has to meet all these general requirements, like no export from the EU except if allowed, use of data only within the scope of consent, procedures for correcting data, etc.

But let’s not forget about other important data protection issues apart from the legacy EU data protection directive. The  revised e-Privacy Directive that entered into force last May establishes, apart from all the upheaval about its cookie acceptance rules, for the first time in the EU, a mandatory personal data breach notification framework. This framework applies by the letter only to providers of publicly available electronic communications services (e.g., communications and Internet access providers). However, the EU Commission has already indicated that it will soon propose e-privacy legislation that will cover the entire scope of the providers regulated under the broader EU Data Protection Directive (yes, 95/46/EC, the one referred to in the draft regulation). Furthermore, recital 59 of the e-Privacy Directive encourages EU member states, while new EU Commission rules are in the pipeline, to apply the new data breach rules very liberally, “regardless of the sector, or the type, of data concerned.” – ergo, e-labelling by medical devices manufacturers will soon fall under the e-Privacy directive and may already do so, depending on what EU member state you ask. I would say that compliance with the data breach rules will also need to be looked at by the notified body in the framework of its assessment of a manufacturer’s e-labelling as this is very clearly a safety and PMS issue.

Under the new rules, providers must notify — without undue delay — individuals and authorities when they suffer a data breach. Individuals must be notified if the breach is likely to adversely affect the personal data or privacy of such individual. Regardless of the potential harm, all data breaches must be reported to the authorities. The notification should describe the nature of the breach, list the provider’s contact information and recommend measures to mitigate possible adverse effects. The notification to the competent national authority must also describe steps taken by the provider to address the breach.

Notification of a personal data breach to an individual is not required, however, if:

  • the provider has demonstrated to the satisfaction of the competent authority (in this case the one for data protection, but a manufacturer will need to inform the notified body too and that may too have an opinion on this) that it has implemented appropriate technological protection measures;
  • the provider applied those measures to the data impacted by the security breach; and
  • the technological protection measures render the data unintelligible to any person not authorized to access it.

Both the scope of providers covered by the reporting requirements and the appropriateness of the technological protection measures are expected to diverge in implementation by the various Member States, making the jurisdictional issues very important because forum shopping may become an attractive option until these concepts are further harmonized.

Time path for entry into force

The regulation is proposed be adopted on 14 december this year and to apply as of 1 year after that date. This transitional period should be used by e.g. the manufacturers that are impacted by the user interface requirements to update the functioning of the GUIs and to get their e-labelling procedures in order.

%d bloggers like this: