This is it: MDR and IVDR texts now ready for final voting


The MDR and the IVDR in paper now that they finally final, printed on both sides mind you

The fat lady has her lines and is about to sing. After the lengthy legal linguist revision process (remember, these texts have to be consistent in 24 languages) the Council published the text for its first reading for the MDR and IVDR.


First reading only, after such a lengthy process in which we arrived at a ‘general approach’ sufficient for starting the trilogue.

After the trilogue we had many interesting last ditch lobby mini battles about some of the things that came out of the translation process and legal linguist review.

So now everybody (Council and Parliament) still needs to formally vote on this text but that should be – well – a formality now. Aim for entry into force this summer.

Texts and compares, and no changes?

If you haven’t got them already, the first reading texts are here for your download and perusal:

And here are the compares that I myself made versus the trilogue texts (warning: these are pdfs coming from a public Dropbox directory, so your security settings may not like this at all) – I hope they are useful:

Although the institutional actors in the legislative process keep saying nothing changed that was not in the trilogue agreed texts, I believe there was a bit more detail to this and so did others. Here we go:

No design dossier review after all for the class IIb active devices that transport medicines to and from the body

One of the things that came out of the legal linguist review and looked like more than minor goalpost moving was the unhappy surprise that class IIb active devices that transport medicines to and from the body would also be subjected to design dossier review under article 52(4) MDR. This was a very bad surprise for manufacturers of these devices, many of which are very well understood and proven technology. An important group of devices affected would only fall in the scope of this clause because of the (in my view weird) practice of qualification of gases used in medical setting as medicinal products.

However, this has been taken out again of the first reading text, likely after a last minute targeted lobby. Water under the regulatory bridge now.

But some changes in the transitional regime with potentially big consequences

Another interesting development that lead to a true change was the adaptation to the transitional regimes in articles 120(3) MDR and 110(3) IVDR and the associated recital 99 in both regulations. While these articles are new they clarify the transitional system that remained the same in the basis, except that reliance on the grace periods for certificates overrunning the date of application became a lot less attractive as a result.

The new provisions clarify requirements that apply to devices that are relying on the grace period of 4 (MDR) respectively 2 (IVDR) years with respect to PMS, market surveillance etc (MDR/IVDR instead of the old directives, which was unclear).

They also provide that during the grace period (and that’s an important one) no significant design or intended purpose changes are allowed anymore. In other words, the device is locked in its status quo at the date of application of the MDR/IVDR (the end of the transitional period).

This is very important for the manufacturers that will miss the boat for an MDR/IVDR certificate during the transitional period and will be forced to rely on a grace period MDD/AIMDD/IVDD certificate or are betting on using the grace period because they know that they won’t be ready for an MDR/IVDR certificate by the date of application. The penalty (or trade-off) for relying on that regime is that these devices cannot be subject to any significant changes in design or intended purpose (unless of course when the changed device is placed on the market under an MDR/IVDR certificate) for that period.

Manufacturers stuck in a grace period will therefore not be able to make any significant innovations or extend the scope of the device’s intended purpose until their notified body will be able to issue an MDR or IVDR certificate for the device. This is crucial for manufacturers in relation to transition planning: if you’re late in the day and won’t obtain your MDR / IVDR certificate during the transitional period and you are lucky enough to be able to extend your existing certificate past the date of application, your device innovation is essentially frozen until your notified body is able to issue an MDR / IVDR certificate. This will affect your competitive position in the market – see this article in MedTech Insight for more details on potential consequences of the choice to rely on the grace period.

Also, manfufacturers relying on the grace period must realise that they will be in a situation of concurrent application of MDR/IVDR and MDD/AIMDD/IVDD certificates. That means that the market can choose between competing products with an MDR/IVDR certificate or a MDD/AIMDD/IVDD certificate. Different standards, same intended purpose.  But some certificates may be more equal than others – what will you prefer if you are a hospital issuing a tender, or country in the Middle East or Asia relying on CE certificates? Certificates under the regulations or certificates under the directives? It will be interesting to see if the EU Court’s Medipac judgment (every CE marked device on the market is equally good from regulatory perspective and tendering entities may not discriminate between them) also holds when a hospital prefers MDR / IVDR certificates over ‘old’ certificates in a tender, given that it can be argued that the conformity assessment for MDR /IVDR certificates was to a higher standard (the whole idea of the new regulations in the first place). Moreover, while the Medipac judgment applies in the EU, it does not apply to tendering and regulating entities outside it.

schermafbeelding-2017-01-29-om-20-44-43Finally, don’t forget that the grace period referred to above is available only for devices with a notified body issued CE certificate – so not for all self-certified devices (which constitutes the majority of CE marked IVDs currently on the market for example). All self certified devices have to be compliant by the date of application of the MDR/IVDR – no grandfathering.

Manufacturers of self certified devices (class I MDD/self certified IVDs) also have to pay additional attention to whether their device remains self certified or not (not for most of the IVDs) in which case they have to be ready to deal with the bottlenecks at the end of the transitional period. For these manufacturers it will be sink or swim, because no MDR/IVDR certificate by date of application is no more placing of products on the market and off of the regulatory cliff you go.

IVD conformity assessment changes

Some amendments were made to conformity assessment for IVDs with respect to the procedures for companion diagnostics and class D devices – nothing shocking.

For companion diagnostics it was clarified that the notified body must consult a competent authority for medicines (makes sense for a companion diagnostic), as is set out in the new paragraph in article 48 (3):

“In addition to the procedures referred to in the first and second subparagraphs, for companion diagnostics, the notified body shall consult a competent authority designated by the Member States in accordance with Directive 2001/83/EC of the European Parliament and of the Council1 or the EMA, as applicable, in accordance with the procedure set out in Section 5.2 of Annex IX.”

It was further clarified that companion diagnostics need to go through the Assessment of the technical documentation procedure in Annex IX, 4.1-4.8 (see addition to Annex IX, 5.2 (a)).

None of this was new, but now it has been written down more clearly.

For class D devices it was clarified that:

“Manufacturers of class D devices, other than devices for performance study, may, instead of the conformity assessment procedure applicable pursuant to paragraph 3, choose to apply a conformity assessment as specified in Annex X coupled with a conformity assessment as specified in Annex XI.”

This is also not stunning new logic, as type examination combined with production quality assurance is a normal combination as alternative to full quality system based conformity assessment procedure for high risk devices (see article 52 (3) MDR in relation to class III devices, but also article 11 (1) (b) MDD provided this already – obviously the IVDD did not have this logic yet as it relied on another conformity assessment logic).

Other (little) details

I haven’t been able to go through both of the texts in complete detail but I spotted the some things that may be worth mentioning for each regulation – more may be forthcoming in future blogs. You will see that the numbering of articles and sections and even whole annexes has changed compared to the trilogue text, so we all will have to learn new numbering.


  • New recital 18 added that “this Regulation should include requirements for devices’ safety and performance characteristics which are developed in such a way as to prevent occupational injuries, including protection from radiation.”
  • Free nomenclature for use of Eudamed (recital 45)
  • Scientific advice is possible for the IIb devices that are also subject to the clinical  (recital 57 and article 61 (2) MDR)
  • “directly or indirectly” was taken out of rule 11 (classification of software) in Annex VIII – not sure what that means yet.
  • Article 52 (9), (10) and (11) conformity assessment procedures for device-drug combinations, devices incorporating tissues and cells and substance-based devices have been clarified
  • Article 78 (14) is new, giving member states more room not to apply the coordinated assessment procedure for multi-jurisdiction clinical trials yet.
  • New recital 73 stating that “the principles of replacement, reduction and refinement in the area of animal experimentation laid down in the Directive 2010/63/EU of the European Parliament and of the Council should be observed. In particular, the unnecessary duplication of tests and studies should be avoided.”, which is well and good except that this recital is not operationalised in the MDR.
  • New recital 99 reflecting the changes to article 120 (3) transitional regime described above.


  • New recital 16 that “this Regulation should include requirements for devices’ safety and performance characteristics which are developed in such a way as to prevent occupational injuries, including protection from radiation.”
  • Additional recital language on home brew IVDs (recitals 28 and 29)
  • Free nomenclature for use of Eudamed (recital 42)New recital 73 stating that “the principles of replacement, reduction and refinement in the area of animal experimentation laid down in the Directive 2010/63/EU of the European Parliament and of the Council should be observed. In particular, the unnecessary duplication of tests and studies should be avoided.”, which is well and good except that this recital is not operationalised in the MDR.
  • New recital 74 stating that “the principles of replacement, reduction and refinement in the area of animal experimentation laid down in the Directive 2010/63/EU of the European Parliament and of the Council should be observed. In particular, the unnecessary duplication of tests and studies should be avoided.”, which is well and good except that this recital is not operationalised in the IVDR.
  • Article 78 (14) is new, giving member states more room not to apply the coordinated assessment procedure for multi-jurisdiction clinical trials yet.
  • Changes to recitals 98 and 99 reflecting the changes to article 110 (3) transitional regime described above.

Full steam ahead!

So, now it’s full steam ahead to publication, entry into force, the implementation circus and the mother of all bottlenecks towards the end of the transitional period when the newly notified MDR/IVDR notified bodies will need to push as many devices already on the market as they can through certification, with the additional burden of the new devices entering the market towards the end of the transitional period. This will not look nice, especially not for the manufacturers that are not well-prepared. More about that in a next blog!

Where would we be without good people?

Nowhere of course – that’s why it’s so important to keep them motivated and retained.

My firm is organising a seminar in Amsterdam on 1 March on Motivation and Retention Strategies in the Life Sciences Industry, with a focus on possibilities under employment, corporate and tax law.

You are most cordially invited to attend with as many people as you like.

As always attendance is free, parking easy, presentations in English and the drinks afterwards will be good networking – just make sure to RSVP please so we can plan for space and catering (see details below).19-006-seminaruitnodiging_loyens_1b

EU Court decides TÜV Rheinland / PIP breast implants case

eu-court-460_998658cIt has been sort of hanging over the medical devices market for quite a long time: the TÜV Rheinland case about the PIP breast implants. This case is the direct result of the PIP breast implants scandal, which had a profound influence on the new EU MDR in the making.

We had the Advocate General’s opinion in this matter from 15 September 2016, which was already a very good pointer on where things would land at the EU Court.

The EU court delivered its much awaited judgment on 16 February.

Since the outcome is unsurprising in the light of the AG opinion and EU law as it currently stands, I feel comfortable starting this blog with a blatant spoiler.


For all the effect it has had on the MDR process, its outcome is in my opinion unsurprising, and I have predicted it from the start:

  1. a notified body is not under a under a general obligation to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records. However, in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, the notified body must take all the steps necessary to ensure that it fulfils its obligations within the powers it has under the MDD; and
  2. national law determines the conditions under which culpable failure by that body to fulfill its obligations under the directive may give rise to liability vis-à-vis end users.

See the European Court’s convenient press release about the case for a succinct summary.

I have never found it a realistic possibility that the Court would rule that notified bodies are no-fault (or even fault based) product liable for the products that their manufacturers make. The Court has merely convinced that they have to exercise their duties diligently within the mandate that the law imposes on them.

But, I admit, crazy stuff has happened before with regard to product liability (product batch liability, authorised representatives jointly and severally liable with the manufacturer for product liability under the MDR), so you cannot be certain what to expect these days. Even if it’s unlikely.


What was this about again? French breast implant manufacturer PIP at some point decided that it was going to use industrial silicone rather than surgical grade silicone in its breast implants. The Court found that TÜV Rheinland, the notified body that granted the CE certificate for the breast implants concerned,

“in the course of its involvement during the period 1998 to 2008, […] made eight visits to the manufacturer’s premises, all of which were announced in advance. During that period, TÜV Rheinland never inspected business records or ordered that the devices be inspected.”

In 2010, the competent French authority established that the manufacturer in question had produced breast implants using industrial silicone which did not comply with quality standards.

The case that led to the referral to the EU Court was brought by a German citizen that had the implants concerned fitted in Germany end 2008, and had them removed in 2012. She claimed that TÜV Rheinland was liable for her damages (material and immaterial). She alleged that TÜV was liable because  it had not fulfilled its obligations satisfactorily, since (she claimed)

“an inspection of the delivery notes and invoices would have enabled TÜV Rheinland to ascertain that the manufacturer had not used an approved form of silicone.”

Her claims were rejected by the first and second instance courts in Germany because the purpose of a notified body’s activity is not to protect patients nor was TÜV culpable because TÜV Rheinland had made regular announced visits, which must be deemed sufficient in the absence of any suspicion of improper production practices. The second instance court did however refer questions of law to the European Court concerning the scope of a notified body’s duties

“in particular with regard to the level of supervision and scrutiny required of that body when it carries out inspection visits at the manufacturer’s premises”.

The questions referred by the German court were (essentially) as follows:

1)      Does a notified body, in the event of a culpable infringement of its obligations, have direct and unrestricted liability towards the patients concerned?

2)      Does a notified body have a general obligation to examine devices, or at least to examine them where there is due cause?

3)      Does it follow from the aforementioned sections of Annex II to Directive 93/42 that, in the case of Class III medical devices, the notified body responsible for auditing the quality system, examining the design of the product and surveillance is subject to a general obligation to examine the manufacturer’s business records and/or to carry out unannounced inspections, or at least to do so where there is due cause?’

All these questions were asked in the context of a class III medical device under Annex II, so also in the frame of the MDD obligations for these devices.

Duty to examine devices and/or to carry out unannounced inspections?

During the crazy wings on fire period of the MDR being amended by the European Parliament especially European Parliament members expressed surprise and indignation about the notified body not even inspecting the produced devices and not performing unannounced inspections. The ensuing political outrage resulted in the Commission recommendation for unannounced audits and the member states making notified bodies do this.

The Court found that while notified bodies must periodically undertake appropriate inspections and assessments under Annex II as it currently stands, but

“the provisions of Annex II to Directive 93/42 do not impose a general obligation on the notified body to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records.” (point 40)

Yet, what is the scope of what a notified body must do under Annex II? All parties concerned agreed that the scope of a notified body’s discretion is broad and that a notified body may conduct an unannounced audit based on Annex II 5.4, but differed on how this translated to actual duties.


“45 […], the obligations laid down in Article 16(6) of the directive and those set out in paragraph 41 above would be a dead letter if the degree of discretion knew no limits. The notified body would not be able to fulfil its function under the procedure relating to the EC declaration of conformity if it were free not to take any steps in the face of evidence indicating that a medical device might not comply with the requirements laid down in Directive 93/42.

46      Consequently, as they are required to establish whether EU certification may be maintained pursuant to Article 16(6) of Directive 93/42, notified bodies are under a general obligation to act with all due diligence when engaged in a procedure relating to the EC declaration of conformity.

47      It follows […] that a notified body is under a duty to be alert, with the result that, in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, that body must take all steps necessary to ensure that it fulfils its obligations under Article 16(6) of the directive, as well as those set out in paragraph 41 above [paragraph 41 mentions: pursuant to Sections 3.2, 3.3 and 4.1 to 4.3 of Annex II to Directive 93/42, first, to analyse the application for examination of the design dossier lodged by the manufacturer, which must describe the design, manufacture and performance of the product in question and, second, to ascertain whether the application of the quality system contemplated by the manufacturer ensures that the products fulfil the relevant requirements under that directive. Moreover, it is apparent from Section 5.1 of that annex that the notified body must satisfy itself that the manufacturer duly fulfills the obligations imposed by the approved quality system].”

Conclusion: broad discretion on how to fulfill obligations, which makes it difficult in practice to determine if the notified body did or did not meet its obligations. Especially by national first instance judges in general courts who are not experts in these matters and never deal with this kind of case.

Direct liability vis-a-vis patients?

The Court makes some important points here that I have made myself before: the Member States have responsibilities with regard to market surveillance, but certification by notified bodies under the MDD is to ensure protection for the health and safety of persons too. That means that notified bodies do not work for manufacturers alone, they have a larger task in the overall protection of public health.

But, that does not make them liable vis-a-vis patients on the basis of the MDD just like that. It was already EU case law that:

“it does not necessarily follow from the fact that a directive imposes surveillance obligations on certain bodies or the fact that one of the objectives of the directive is to protect injured parties that the directive seeks to confer rights on such parties in the event that those bodies fail to fulfil their obligations, and that is the case especially if the directive does not contain any express rule granting such rights” (point 55)

The Court reiterated that the MDD does not contain any express liability regime and the Product Liability Directive allows for the application of other systems of contractual or non-contractual liability based on other grounds, such as fault. This is nothing new and we knew this from the Court’s quite steady case law in the field (see for example here in relation to the Court’s specific view on additional national liability rules concerning medical devices). Ergo, it’s a national matter said the EU Court, subject to the principles of equivalence and effectiveness. This case is now going to be decided on a national level with the Court’s guidance in mind.

Why did the claimant go after the notified body in the first place and not after the manufacturer for product liability? Product liability quickly became an irrelevant pathway to pursue as PIP, the manufacturer, quickly went bankrupt.

This means that for TÜV this case is way not finished – we have a lot of member states in the EU in which PIP implants were used. We also have a lot of national laws that have their own theories of culpability / fault based liability. This case can therefore play out differently in different member states. The various claimants in national cases will change tack insofar necessary (and if they have not already done this) and will pursue fault and/or lack of diligence based claims against TÜV in national courts, as was happening in the current case.

The current EU Court judgement may be helpful to those national cases to a point because it gives some guidance on the scope of MDD mandated tasks of notified bodies and the level of diligence they are to exercise in the fulfillment of these tasks, and in that notified bodies also have work for the public good, which includes the patients and end users. The national court will now need to look into whether TÜV was sufficiently diligent given that on the one hand

“the notified body is not under a general obligation to carry out unannounced inspections, to examine devices and/or to examine the manufacturer’s business records”

but that on the other hand

“in the face of evidence indicating that a medical device may not comply with the requirements laid down in Directive 93/42, the notified body must take all the steps necessary to ensure that it fulfils its obligations under Article 16(6) of the directive and Sections 3.2, 3.3, 4.1 to 4.3 and 5.1 of Annex II to the directive” (point 48).

Did TÜV take all necessary steps to ensure that it fulfilled its obligation? This may play out differently in different member states in which TÜV is being sued (which include France and Germany in any event). Hopefully the harmonisation of notified body requirements as a result of the joint assessment project and the more detailed requirements under the MDR will contribute somewhat to harmonisation of fault based liability of notified bodies. Is this liability new? Not in my view. It was never harmonised on EU level and therefore always existed in member states that provided for this. If notified bodies did not insure for this liability yet, they may have to and costs will increase. Notified bodies will seek to pass on these costs.

When the outcome of notified body fault based liability in member states will differ considerably from one member state to another this will have consequences.

Effects on the MDR

This case had profound effects on the MDR, but will not change the text anymore now the judgment been rendered. However, as far as I can see it did have a profound impact on the MDR in a number of ways. One of them fundamentally, others more specific.

How much did it change the MDR fundamentally?

An unknown effect is how much the PIP scandal in the end changed the MDR, which the Commission initially intended to be a modest mid-life update, because the MDD was performing very well and outcompeting other jurisdictions left and centre in time to market. This we will probably never know, because the Commission had to change tack on the double when the political outrage about the PIP scandal started. The result was the initial proposal for the MDR back in 2012. But we do know that the impact on the MDR must have been profound, for example because of ideas to get rid of CE marking altogether and just make medical devices pre-market access EMA competence.

I would go as far as saying the EU (and its member states) have finally started to see medical devices as an industry that deserves an upgrade in policy and associated resources. This however seems not to have resulted in allocation of significantly more resources on EU level. The medical devices unit at DG Growth is still woefully understaffed while the Commission’s duties under the MDR and IVDR are enormous.  It has to crank out a lot of delegated and implementing acts to even make the two regulations effective and make a plan to make sure that the process of redesignation of notified bodies under the MDR and IVDR and recertification of ALL devices on the market in the EU will not crash and burn in what looks like the mother of all transitional bottlenecks. Even competent authorities are publicly saying that this is a serious problem and that the Commission has to come up with a plan to make sure that these things unfold predictably and reliably.

Unannounced audits under MDR

One of the most direct effects on the MDR is the now hardwired obligation for notified bodies to conduct unannounced audits (article 52 and Annex VII, points 4.5.1 and 4.10 and Annex IX, point 3.4). Up to the MDR there is no real harmonised legal standard for unannounced audits except that there is a recommendation of the Commission to the Member States about what they might require from notified bodies in terms of unannounced audits.

Still, I remain unconvinced of how much the unannounced audits will do to prevent PIP type cases. Fraudsters be fraudsters, and as the Court reiterated in the TÜV case, notified bodies can ask for things if they have a suspicion, but they are not equipped nor authorised for market surveillance. If a company sets out to really go dark and hide things from a notified body, they will succeed. The first thing it will do is doctor precisely the documentation and locations that the claimant in the TÜV case argued that the notified body should have audited.

In my view, PIP remains a case that demonstrates very painfully how member states’ market surveillance failed the patients. It is disconcerting if you look at the facts of that case how little international cooperation there was between the competent authorities when the first signals of things being seriously wrong became available. That, I think, is the real scandal in this case. If you compare the resources allocated to medical devices market surveillance to those that went to medicines and other products surveillance at that time it’s not a pretty picture. And resources for surveillance are purely political choices. Blaming the notified body for doing exactly what it was supposed to do under applicable law feels a lot like wagging the dog to me.

That’s why unannounced audits still feels a bit like member states passing on the surveillance buck to notified bodies and I am not convinced at all we will prevent more PIP types cases of deliberate fraud that way. Yet, there may be some benefit. What we may achieve is that manufacturers will be more diligent in having their technical documentation and QMS in order all the time and closing out CAPAs quickly and according to plan, rather than allowing them to stay open for years because they know exactly when the next audit will be. The MDR also requires this (having all documentation in order and up to date all the time), and I think this certainly is progress.

Market surveillance under MDR

Member states have learned in the mean time and market surveillance is taken much more seriously under the MDR with more EU level capabilities and an (in theory so far) robust underlying IT infrastructure that allows competent authorities to quickly share information about infringements.

However, with all the new tools and possibilities there now are doubts about whether the Member States will be able to pony up the resources to actually staff the system and afford it. The MDR however contains a provision allowing member states to pass costs for market surveillance on to the market, as happens already in certain other industries (like financial services). I see some member states invest considerably in resources and pilot projects in view of the upcoming MDR and IVDR. A lot is happening in behind the scenes cooperation in order to get all the competent authorities at the same level.

Product liability under MDR

The PIP case influenced thinking about product liability for medical devices in the EU considerably. The only problem is that these thoughts had nowhere to go except into wishful statements.

With the political impossibility to amend the Product Liability Directive for medical devices alone (that directive is up for evaluation for a long time because is was not evaluated since its entry into force in 1985 but the project is  moving very very slowly) something else was needed for political gain. The EU legislator, motivated by ardent political wishes to ‘do something with this’ decided to include some provisions in the MDR regarding manufacturer and authorised representative product liability of which I have blogged that they are not well-thought out, see also this more recent presentation that includes a discussion of the clauses in the MDR.  Good for lawyers, bad for everybody else.

MDR status

By the way, the texts of the MDR and IVDR are still not completely final, but the agenda for adoption does not seem to have changed: still looking at entry into force this summer. However, there are still commas being moved. The fat lady still has not sung, but she’s close. When she finally has I will follow up with a blog on the last changes made before adoption. Prepare for some surprises: there are  some changes that still will affect some products considerably, like design dossier review requirements for class IIb active devices intended to administer or remove a medicinal product. This was already in the MDR for class IIb implantable devices but this has been extended to class IIb active devices intended to administer or remove a medicinal product.


An MDR and IVDR transition plan

fasten-seatbeltsThe year is off to a good start, and so should your company be with its MDR and/or IVDR transition plan.

Come again? You haven’t started looking at this yet because the MDR and IVDR are not yet final and the transitional period will run to approximately half 2020? Your management is not interested in making resources available?

Not so smart

That’s not so smart. It’s like doing a #Brexit without considering the consequences first and then hoping everybody else is nice enough to give you a good and quick trade agreement deal, because … well why not?

You may think everything can’t possibly be that complex – until you find out later that there is more to this whole thing that looked so simple at the moment when you were not really looking at it yet.

Your company may be one of the many companies expected to find out too late that some things took more time than expected, or were more contingent than they looked:

  • notified bodies that will not come online for certification of products before well after half of the transition period of three years has expired. And then they still have to start with pushing all existing medical devices on the EU market through an MDR / IVDR certification process (which is stricter than under MDD/IVDD).
  • additional clinical evidence may well be needed for your devices under the MDR. If you need to generate it in clinical trials, registries or other time consuming processes, you should know about it sooner or later. And your notified body will need to be on board with what you are going to do. Is yours already? I bet not.

These are just two contingencies that have a crucial impact on your MDR implementation strategy.

There are a lot of other dependencies too – like your suppliers that you need to control more, other jurisdictions that rely on the CE mark for your devices.

No grandfathering

Many companies think that there will be some process to slide in the devices that are already on the market and are not causing any problem, so that’s easy. There is not, so there is no easy solution there. There will be no grandfathering or similar process – any device that is not certified into the MDR or IVDR by the end of the transitional period and the various limited overrun periods can not be placed on the market any longer. It will be illegal to place such devices on the market. The only thing close to grandfathering is the five/three years period that you will have to still sell off devices that were compliant under the MDD/IVDD and were placed on the market before the date of application of the MDR/IVDR. Those can still be sold off to end users for another five/three years post date of application (so after the transition period of three/five years ends).


No placing on the market means no cash flow. No cash flow means bankruptcy sooner or later, or bought at a discount by a competitor or strategic investor. Strategic investors and acquisition driven companies are already on the prowl for companies that are candidates for not making the cut of the MDR/IVDR and will swoop in when opportune.

If you get this wrong or get it right too late your company goes off the cliff like While E Coyote, still wondering what went wrong all the way down. That’s why you need to start thinking now.

You’re into software and think you’re not placing software on the market because it’s made available as a service from outside the EU? They’ve got that covered too – if your software is a device by the new standards, it will have to meet MDR/IVDR requirements regardless of whether it’s placed on the market or not.

Transition plan – journey towards compliance

This one is for MDR transition – working on one for IVDR transition too:


Sfan-theories-coldwartart working on your transition plan – the journey towards compliance, like every journey, starts with the first step. Then you keep on going until you reach the end, and then stop. Like in the Lord of the Rings – it’s an easy journey conceptually (just take this ring to that mountain) but you’ll be slaying a lot of orcs and fighting monsters before you finally complete the quest.

By the way, even While E Coyote made plans. There’s no reason why you should be less clever than a cartoon figure.

The above picture is a single roadmap that you can put on a slide to explain to your organisation or management what the necessary steps are, where the journey begins and what you need resources for. This picture is based on the excellent General Data Protection Regulation game plan  (another project that you should be well on your way with by now  – the transitional period for that regulation ends 25 May 2018 and the GDPR has significant overlaps with the MDR/IVDR, e.g. on design requirements for devices (including standalone software) that process personal data).

IVDs largely similar

The roadmap for IVDs transition to the IVDR is largely similar, except that the transitional period is two years longer but the sell-off period is shorter.

Schermafdruk 2017-01-30 13.28.30.png

And the dependencies at the end are even more scary: the reference labs will not be appointed until four and a half years into the five years transition period. That means that there is almost no time for the highest risk IVDs to be certified into the IVDR during the transitional period.

For IVDs the chance that companies underestimate the necessary efforts are even bigger, because the large majority of IVDs are currently self certified, regardless of their associated risks. The IVDR will turn this upside down and notified body certification will be the rule for the large majority of IVDs. This is a huge quantum leap in regulatory burden. It means that for the majority of IVDs a third party will take a critical look at the underlying technical documentation and performance data for the very first time. You can imagine that not all technical documentation may be in the shape that the IVDR expects. The IVDR will require a lot more and different types of data to substantiate performance, and will require more clinical data too. Producing data costs time. It costs money. It requires planning. I cannot under-emphasize how important it is for the IVD industry to engage on this. Your company does not want to be the puff of smoke that remains if While E Coyote goes off the cliff.

Start now!

Each of the items described in the roadmap has a lot of detail to it, which leads companies to typically underestimate the effort. The gap assessment, impact assessment and remediation take a lot of time. It means you will have to more or less completely revisit each and every device that your company has on the market and in the pipeline, as Gert Bos and I have explained in BSI’s white papers on the MDR and IVDR. BSI has a good white paper on MDR transition too.

Detail takes time, and detail takes resources – don’t forget. Use the resources on this blog, use others of the plentiful resources that are available publicly on this subject.

Talk to your trade association, participate in the discussions at MedTech Europe, COCIR, Advamed, your local trade association, etc. so you know how other companies are dealing with this.

Make sure that your management does not underestimate this process. Hey, it’s only about company core products and core processes so why would that not merit the resources it needs, right? My apologies to be somewhat cynical but I see a lot of companies (also big and sophisticated ones) underestimate this completely. And if I’m wrong – tell me in a few years time and I’ll gladly apologise for crying wolf then while congratulating your company on being compliant well in time.

And, finally, my firm and its network is there. We are helping many companies wrap their head around it and will gladly help you too.

But do something now and don’t wait – at the very least start by understanding what this is about and what it will mean for your organisation. Your competitors are working on this already.

Festive alert! Change is on its way.

Change is on its way – medical devices law will not be the same again as of next year.

Panic soccer

The authorities are not your friend anymore.

Notified bodies are engaging in massive ‘panic soccer’ (Dutch expression) dropping companies like they’re hot.

If you have not implemented the new clinical evaluation MEDDEV fully by now this should have your utter undivided attention. Otherwise, count on your CE certificate for the device(s) affected being suspended without warning after the next notified body audit. And make sure to watch that your notified body does not enthusiastically suspend the entire certificate for all your devices by mistake and then runs away to hide under a rock while you can go deal with the fall-out. I’ve seen this happen already. Panic soccer – be prepared and make sure you keep your eyes on the ball.

Super nova

You should already be well into your transition work for the MDR and IVDR, or at least have a plan about what to do when. The EU will not grandfather, so do not count on this to happen. For every device on the market you need to take a decision to

  • remediate (bring it into compliance with the MDR/IVDR),
  • replace (replace it with a device that is or will be compliant the MDR/IVDR), or
  • retire the device (investment too high to phase it into the new requirements).

EU medical devices legislation will go supernova to more than six times its current size halfway 2017. Is your company prepared for that?

Data protection

Have you thought about the impact of the General Data Protection Regulation? It’s not devices law per se but its privacy by design obligations impact your new software design requirements under the MDR, just to mention one thing. You need to prepare for its data portability requirements. If your medical device or related service has any IoT functionality, it will be affected by the hateful eight that this new EU law brings. It will impact severely on your clinical data processes (as it deals with protection of personal data concerning health). It is already in effect, and its transitional period will end on 25 May 2018. Can you redesign your data processing hardware and software before that time, and do you need to? Just one of the questions you should be asking yourself now.

Busy times ahead

Yet, I wish you quiet, joyful and festive holidays for the moment (no implied warranties). Recharge, and keep your eyes on the ball in 2017.


Privacy by design and data portability

all_you_base_are_belong_to_usI’ve often warned medical devices companies that they need to start looking at privacy by design obligations under the General Data Protection Regulation, the GDPR. Engineers at a company where I gave an in-company presentation earlier this year were seriously unhappy that privacy by design obligations can affect both hard and software and that the deadline for transition expires on 25 May 2018. They were surprised, annoyed and then in panic (in that order) because of the time it takes to redesign capital equipment and clouds that these devices feed into. That’s right, by end of May 2018 all the hardware and software that processes personal data and personal data concerning health of EU data subjects must comply with these rules. If it doesn’t, it cannot be used to process that data because it’s non-compliant.

Did you know already that the maximum fine under the GDPR is 4% of the total worldwide annual turnover of the preceding financial year of a company? Happy times if you have to break the news to your boss that your department singlehandedly evaporated last year’s profit for the entire company everywhere.

Pacemaker and other device data

One example of data portability in practice is the ongoing discussion between patients and companies about if the patient can receive the data in their medical device, e.g. pacemaker or continuous blood glucose monitoring system. Manufacturers would routinely say no, but cannot maintain that position anymore when the GDPR is fully applicable in 2018. That means that by then their devices and systems must have been redesigned to accommodate requests for data portability.

Hateful eight

This is why I have dubbed data portability as one of the ‘hateful eight’ of the GDPR innovations with regards to connected health (see slide 10) because it is a nasty one to implement, and will require quite some adaptation to devices and software to make this happen in practice:

I was recently speaking again about implementation of the GDPR in relation to data subjects’ access rights in relation to clinical data for medical devices. Companies present were seeing quite a lot of problems in implementing data portability rights for data subject with respect to clinical data that related to them.

Article 29 WP guidance

The Article 29 Working Party has now issued guidance on how this should work in practice:

“As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.”

Yes, you are reading that correctly:

  • download tools and APIs;
  • personal data that are transmitted in a structured, commonly used and machine-readable format; and
  • interoperable data formats.


“Article 20 of the General Data Protection Regulation (GDPR) introduces the new right of data portability. This right allows for data subjects to receive the personal data, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. This right, which applies subject to certain conditions, supports user choice, user control and consumer empowerment. […] The new right to data portability aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.

This is not – ahem – where industry in medical devices and connected health is orginally coming from although a lot has been improved over the last years.

Main elements of data portability

What rights will data subjects have and must your systems be able to facilitate? Even if you are not the controller, the GDPR obliges processors (which you will be then) to be able to assist the controller in implementing these rights. There are, according to the 29 WP guidance:

  • Right to receive (as complement to the right of access);
  • Right to transmit personal data from one data controller to another data controller;
  • Data portability tools that allow not only for direct downloads, but also for direct transmission to another controller.

The data concerned (the data that must be provided) is all data that the data subject provided, e.g. by virtue of the use of the device. Data that results from operations on that data (inferred and derived data) do not have to be provided, like for example a algorithmic model of the patient concerned created based on the data provided. Privacy by design would require implementing technical means to separate these data from personal data, because if this is not possible, everything must be provided.

IP rights do not as such constitute a ground for refusal, although a potential business risk might. In the words of the Article 29 WP:

“The right to data portability is not a right for an individual to misuse the information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights. A potential business risk cannot, however, in and of itself serve as the basis for a refusal to answer the portability request and data controllers can transfer the personal data provided by data subjects in a form that does not release information covered by trade secrets or intellectual property rights.”


Data controllers must inform the data subjects regarding the availability of the new right to portability.

It’s the controller’s problem if the data set is large. It has to be provided within one month and in any event with undue delay.

The request can only be made subject to a fee in case of requests that are manifestly unfounded or excessive. That means that the controller is not allowed to use fees as a means to pay for the technical means it must develop to meet its obligations.

Personal data are expected to be provided in formats, which have a high level of abstraction. As such, data portability implies an additional layer of data processing by data controllers, in order to extract data from the platform and filter out personal data outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional data processing will be considered as an accessory to the main data processing, since it is not performed to achieve a new purpose defined by the data controller.

Happy redesigning!

Did I already say that all of this must be ready by 25 May 2018 at the latest? Better start if you have not started yet. And remember, whatever you implement by means of privacy by design may impact your new design obligations under the MDR (the new chapter 14 on software that applies to any software (both standalone and embedded), which addresses e.g. security requirements that may be impacted by a convenient API that allows a user to export their own data). Security requirements for data protection compliance purposes and for the new MDR software securities design requirements are another happy overlap in this respect (see the Hateful Eight presentation framed above).

The authorities are not your friend anymore; and neither are notified bodies


Have you seen Mr Robot? If not, watch that series.

With the MDR and IVDR adoption in sight (currently scheduled for Q1 2017) I see a number of developments in the market, all converging on the higher standards that will be imposed under these new regulations.

By way of update, there is movement in the dossiers of the MDR and IVDR. The first drafts of the translations have been circulated for consultation in the mean time (I have the Dutch versions for example) with final numbering (123 articles) – there may be some small additions / changes too – we’ll have to see. I will write more about this in a later post soon.

Back however to the converging developments. First, I see notified bodies do more and more ‘unexpected’ things that affect manufacturers profoundly and take them by surprise. Secondly, I see authorities get tougher on the market especially in the Netherlands, by imposing high fines without warning for easily remediable non-conformities in the documentation for class I medical devices and self certifiable IVDs.

The following is my own personal perspective, but I have heard and hear it echoed by many companies, consultants and other stakeholders in the market.

Regulators! Let’s dance

In the Netherlands we see a development towards truly punitive enforcement of medical devices regulation, specifically in the areas of software as medical device and IVDs.

The authorities in the Netherlands have decided that they are going to raise the bar and come down punitively on manufacturers. We see more an more cases in which companies are fined quite substantial amounts that can easily bankrupt an SME (we see amounts from about € 50,000 to around 150,000) for non-conformities in relation to class I medical devices and self certifiable IVDs that a notified body looking at much higher risk products would issue a non-conformity with remediation period for. That’s right: in the Netherlands it’s currently way riskier from enforcement perspective to be in class I devices and self certifiable IVDs than in the highest risk devices conceivable. A large factor here are the Healthcare Inspectorate’s guidelines for the imposition of fines, which it applies in a way that many non-conformities are subject to fine without possibility of remediation and warning.

This would not be so bad if there would not be so many formality errors committed on the part of the authorities, for example being very unclear about when inspection proceeds into enforcement. At that precise moment a company needs to be told that it is no longer obliged to cooperate. Fundamental rights and good enforcement procedure, just a small detail. It leads to situations where companies enthusiastically cooperate in incriminating themselves because they want to remedy the non-conformity observed and cooperate with the Inspectorate to that end, but are not aware that the Inspectorate is already collecting facts to fine them. And they will. A few months later, suddenly, a letter arrives in the mail stating that the Inspectorate will fine the company for tens of thousands of Euros while the company was under the impression that the Inspectorate was just being helpful. So, if you are subject to an Inspectorate visit, no matter how friendly it unfolds: make sure that you put the inspector on notice that he/she should be more than abundantly clear about when the discussion moves to fact finding for the purpose of enforcement. This is just one of the issues we currently see in enforcement in the Netherlands.

Of course companies should adhere to the law, there’s no discussion about that. I just want to raise awareness for the fact that enforcement in the Netherlands has gotten some disproportionately punitive characteristics which worry me and – quite frankly – do not serve anyone except lawyers. Like mentioned, it’s kind of strange that you can get a big penalty for non-conformities that your notified body would just allow you some time to remedy in case of higher risk products.

We are now routinely appealing these decisions, and there are more and more of them coming in. The Dutch Inspectorate has clearly decided that it is coming down on the market and enforce it into compliance with a vengeance. We are also collecting enforcement/inspection experiences of medical devices companies in the Netherlands in order to start a dialogue with the government to seek to arrive at a more proportionate policy of oversight.

Do you have experiences with the Dutch IGZ in medical devices or IVD oversight under the new penalty guidelines? Let us know.

Notified bodies – drop it like it’s hot

The notified bodies have gone through a rigorous process of joint assessments that culled already many of the notified bodies in the market for AIMDD, MDD and IVDD certification (53 left at the moment, with the number still declining). As a result the notified bodies have also been given clearer marching orders as to how to deal with customer files that their notifying authorities see as problematic, for example because the clinical evidence is not up to standards.

This situation has led to what I have started to call the ‘drop it like it’s hot’ strategy on the part of notified bodies. I see that especially smaller notified bodies often adopt the extremely nasty and onerous tactic of letting a certificate expire, and subsequently confront the manufacturer with a de novo certification against a much higher (clinical) standard, with the notified body refusing to explain where this comes from nor being interested at all in the situation that this will disrupt the manufacturer’s business severely (especially in the case of SMEs that have only one or just a few products on the market).

This typically unfolds as follows: date of recertification approaches, manufacturer sends increasingly urgent sounding messages to notified body about planning of recertification audit (which are ignored by notified body), manufacturer trusts that notified body will however not allow certificate to expire just like that, notified body does exactly that, notified body informs manufacturer he must now obtain a de novo certification against suddenly much higher standards that the notified body refuses to explain.

I think it’s a shame that authorities are not supervising this better but instead seem to just push out marching orders to notified bodies regarding clinical data requirements. It is truly frustrating to see notified bodies using their delegated state authority of certification this way, especially since there are much more proportional ways to handle this. One such more proportional way would be to re-certify with a new PMCF plan.

In this regard it is especially onerous for manufacturers that current medical devices legislation does not provide for clear legal recourse against notified bodies, nor for clear rules about transferring from one notified body to another. In practice there is little you can do against a notified body decision. Some member states allow administrative appeal, but the authorities are – in my experience – very deferent to notified bodies and give them virtually unlimited discretional power. Notified bodies, for their part, have no to little experience in exercising government authority in accordance with basic principles of rule of law. This leads to routine infringement of core principles of good administration like e.g.

  • non-arbitrary decision making (giving reasons to support a decision)
  • proportionality (imposing a measure at is least burdensome for the company, like PMCF instead of certificate expiry)

Yet, manufacturers have no effective recourse against this. The MDR and IVDR will contain a very rudimentary regime for the scenarios that a notified body ceases activities or its designation is restricted, suspended or withdrawn.

You can imagine this this will become more pressing during the MDR and IVDR transitional periods, during which the notified bodies will be under extreme pressure resource wise because not only must they themselves be re-notified, they must also hire more in-house staff and in the mean time certify all of their customers devices on the market into the new system, while dealing with the normal workload of surveillance and re-certification audits. This will become an ugly mess, and that is a big understatement.

Notified bodies – clinical evaluation circus

Another issue we see happening now is the urgency that is being put on notified bodies to push through clinical data standards that go towards the new MDR level as quickly as possible. This early summer (June 2016) we have seen the new clinical evaluation MEDDEV being adopted, without transitional period. Presently we start to see notified bodies beginning to suspend / refuse to renew certificates if they find in a surveillance or recertification audit that the clinical evaluation for the device concerned is not fully up to the standards of the new MEDDEV. Yes, immediate suspension – not a minor, not a major, but cease placing on the market with immediate effect. We have even seen notified bodies take this to the level of suspending a certificate with multiple devices on it for all devices, just because the clinical evaluation for one of them (which was not even being placed on the market anymore at the time) was not at the level of the new MEDDEV.

Once the certificate has been suspended or needs to be renewed, there is no way to make a notified body hurry up and even act quickly to correct manifest mistakes (like suspending a certificate for all products if only one product is affected by the non-conformity) or otherwise even adhere to basic principles of good administration discussed above. The lack of legal recourse here is truly disconcerting, given the enormous damage manufacturers suffer as a result.

Notified body liability is already an issue subject to appeal to the European Court in the TUV Rheinland case, but that case is about no-fault liability for damage resulting from defective products that get on the market and the notified body audits did not prevent this. Here we are dealing with other liability, in my view for negligent or unconstitutional use of delegated government power (official ability to issue certificates with legal effect). The Advocate General makes a compelling argument in the TUV Rheinland (PIP implants) case about liability in cases of notified body failing to fulfill obligations. She argues in para 39 of her opinion:

“Given the crucial role played by notified bodies in the procedure leading to the placing on the market of medical devices governed by Directive 93/42 and bearing in mind, in particular, the high level of protection to patients and users that that directive aims to provide (30) and the risks associated with the devices in relation to which they are required to carry out their examination, it seems to me entirely appropriate that those bodies should in principle be capable of bearing liability under national law to those patients and users for a culpable failure to fulfil their obligations thereunder, provided always that the principles of equivalence and effectiveness are respected.”

The AG concludes that it is therefore possible under the directive that a notified body can be liable vis-a-vis patients and users for failing to fulfill obligations. I think that the same applies with respect to manufacturers when these suffer damage as a result of a notified body failing to fulfill basic duties of good administrative law practice that a government agency would need to fulfill. Remember, notified bodies are almost like an emanation of state in how they operate and are controlled by their notifying member states. This liability will apply regardless of what the contact of the notified body says, because it would be quite something if a notified body could contract out liability for gross negligence  in the way it fulfills tasks delegated to it by law.

However, given the state of harmonization of EU medical devices law, this will be a matter for national courts to determine because the medical devices directives are silent on this point. The forum to go to is the competent court in the jurisdiction that notified the notified body concerned. It will be interesting to see what the European Court will decide. Given the complete lack of effective recourse against notified bodies under the new MDR and IVDR, this problem will persist into the future and become far worse in the messy and choppy transitional period that we have on the horizon with less notified body capacity but more need for it.

Let us know

Do you have bad experiences like discussed with your notified body? Let us and/or MedTech Europe know. We are working on collecting information to raise awareness for this at the Commission and at the national notifying authorities, but we need actual experiences to demonstrate what is happening. The more we have, the more impact we can make.

It will be interesting

to see where all of this goes. It is quite clear however that manufacturers have to pay closer attention to compliance formalities and remediate quicker, also in the lower risk product ranges. With the new MDR / IVDR associated remediation / transition and possibilities for non-conformities manufacturers need to prepare for a rough period ahead in the next years.




%d bloggers like this: