Date of Entry into Force plus three years and a little bit

Kermit

MDR DoA moved: industry be like

 Last week  we went past DoE (Date of Entry into force) of the MDR plus three years, and the date on which the MDR was supposed to have become applicable.

As you, my dear readers, will all know by now, the date of application (DoA) has been moved with a year now as the outcome of a thrilling rollercoaster that I described on this blog in much detail. It was kind of silent on the blog afterwards because from a legal perspective nothing much interesting has happenend since: the MDR was amended with the amending regulation and the DoA was moved up as projected. The consolidated version of the MDR with the changes incorporated is here. And I was very busy with all kinds of questions resulting from this move.

As I have blogged, the amending regulation does more than just move the DoA of the MDR, it also creates some unprecedented new powers for the Commission to take emergency approval measures under the existing directives and it even seemed to make it possible that Eudamed could be launched according to the agenda as planned.
So where does this leave us?

Industry response

Part of industry was quite happy with itself, because “it had won” – yay! Those with some formal education will be familiar with the concept of Pyrrhic victory, because that is what this is. It is merely delaying the inevitable. And those that have dealt with that know that the inevitable always happens.

Many other more responsible companies were very annoyed with the situation, as they had worked like crazy to be in time for the DoA, only to find that it had been moved up. For them this creates budget and resource problems, as staff needs to remain available to MDR projects for an additional year, which was not foreseen in the often hard fought MDR budgets and project timelines.

Rest assured that the DoA was not moved to give industry more time, it was moved to give notified bodies and competent authorities more time to complete the rollout and certificates conversion that they were much behind with. The enormous disruption of business as usual caused by COVID-19 created the political momentum for the change, because the Commission and member states realised that the epidemic would delay things so much it would be embarrassing and unworkable.

Quite some companies responded with the short term reaction that is characteristic for a three month horizon: many MDR projects were shelved and MDR transitions teams were disbanded or decimated because the ‘resources’ had been allocated to other projects and the company was not going to pivot on this. The DoA is a year away again, so why make the best of the extra time, right? In the end it’s only core business, so how could that be important. So many things you can do in one year, and so many loose ends to tie.

A lot of companies seem under the impression that the move of the DoA means that all the other subsequent deadlines at the end moved up with one year too. Wrong! The other deadlines of May 2024 and May 2025 did not move at all. So one year more until DoA is one year less of the four years of transition to convert the last MDD declarations of conformity and (AI) MDD certificates into MDR certificates and MDR Declarations of Conformity:

Schermafbeelding 2020-06-01 om 21.51.17

 

Does the delay help?

Yes and no, and in different ways than you might think. I invite you to watch Amanda Maxwell’s interview with Bassil Akra, Gert Bos and me for different perspectives on this matter, kindly made publicly available by MedTech Insight:

In the extra year authorities are working on completing the outstanding agenda of implementing and delegated acts, Commons Specifications (Q4 2020 for Annex XVI products now and Q3 2020 for reprocessing of SUDs), MDCG guidances and, of course, Eudamed. The medical devices website will be transferred from DG GROW to DG SANTE, not a minute to soon since devices have been back with DG SANTE for a while now.

The notified bodies that are notified under the MDR will likely have a very limited add-on effect to the existing capacity, because they will be severely limited in what they can do. Apart from the ramp-up time to come to full capacity, they cannot travel or go to sites due to the COVID-19 epidemic, which means that they cannot complete new conformity assessment applications under the MDR. Yes: the new guidance on remote audits does not apply to MDR and it does not apply to new assessment applications in any event. Things will have to get worse before this gets better.

Notified bodies that were at risk of not completing pending re-certification under the (AI)MDD prior to DoA as to enable the manufacturer to benefit from the soft transition (and their customers) are the ones that seem to benefit the most from the move of the DoA. That is, if they had not planned for the DoA to not move. As you know, all existing notified body designations under the (AI)MDD would have become void by 25 May. With this deadline in sight, you can bet that notified bodies and their staff have done some planning of their own, resulting in staff having given notice already before the DoA move was even announced on 25 March 2020 and notified bodies having planned not to be designated by that date. The fact that notified bodies whose designation would otherwise have ended in the additional year can be conveniently renewed up to 26 May 2021 under a quickly adopted change of law, for which you find the guidance here (MDCG 2020-11), does not mean that these notified bodies can just scale up again if they had actually planned to close down or continue with a skeleton staff sufficient to do only surveillance of the (AI)MDD certificates during the soft transition period. The amended designation regulation also does not allow for designation of new notified bodies. The question remains therefore how much notified body capacity was really saved with the DoA move.

The notified bodies that already had their MDR designation (14 in total now) will also have had planning issues that makes it more difficult for them to stay at capacity (or increase this) for (AI)MDD. Also for them it was a reality that the (AI)MDD assessment business would switch to surveillance only by 26 May 2020 and they planned for that as well. New staff was trained only at MDR, and therefore only qualified for MDR. All the same, you say? Not how the law sees it. Just look at how many different classes of driver’s licenses or pilot licenses exist, even though it’s all sitting in a vehicle and steering in two or three dimensions. Different vehicles require different qualifications. Therefore, given everyone’s planning and the limited options created by the surprise additional of the extra year, your best option as manufacturer is to follow your original planning with the notified body and in cases where you would not have had your (AI)MDD certificates renewed in time, enjoy the possibility that the notified body may still be able to pull it off.

It helps the Commission and the MDCG

The delay does help the MDCG and the Commission. Important planning was immediately amended: more room to complete guidance for expert panels under the MDR and more time to make them function, still in 2020 or who knows when by now. The first MDCG guidances are starting to appear in version 2 and the MDCG and Commission are cranking out guidances like there’s no tomorrow. Just in May and April this year nineteen (19!) guidance documents were issued on top of a bunch of other MDR related documents.

The delay of expert panels obviously does not help manufacturers that must follow the clinical evaluation consultation procedure. Article 120 (7) MDR literally says that as long as there are no expert panels, the procedure for new high risk devices subject to additional EU level scrutiny cannot be completed.

The delay also gives the Commission and the member states more time to clear the congested queue of MDR notified body designation. Remember: we have 44 applications, which so far resulted in only 14 designations. This means that there are still 30 (thirty!) notified bodies backed up in the application procedure. Obviously this is not completely the fault of the authorities, because many notified bodies did not apply at the first opportunity (26 November 2017) and quite a number took significant time to clear their CAPAs, but nonetheless: here we all are.

Standards

The extra year will not be enough to complete the standardisation mandate for the MDR / IVDR that has been put to CEN and Cenelec. Their decision whether they accept the standardisation mandate finally made officially on 15 May is foreseen now for 17 June, and even if CEN / Cenelec accept the mandate (which some parties have recommended that they actually don’t) it will most likely not be before the MDR DoA that the standards will be harmonised. Better plan to go into the MDR without harmonised standards.

The Article 59 powers

The amendment proposal allows for one interesting innovation and that is the applicability of article 59 MDR to the devices under the directives prior to the DoA. In other words, when a member state issues an emergency measure allowing a non-CE marked device on the market, the Commission may extend this measure to the whole EU on a mandatory basis by means of an implementing act, see below for my embedded presentation on this point:

Guidance for how the Commission will work with this exemption regime has also been published in the mean time, which confirms that this will really only be used in exceptional circumstances for indispensable devices, and is clearly not intended as a CE mark bypass or bottleneck management mechanism.

We will need to see now how the system works in practice.

Eudamed

As I have mentioned the amending regulation seems to make Eudamed phase-in as envisaged possible but only one year later. The Commission has taken the view that this is not what is going to happen: the fact that the deadline has been moved does not mean that its plans have changed. Also the most recent version of the Rolling Plan sets “2022” as Eudamed go live date.

So it will still be a phased ‘voluntary’ introduction of modules, with the actors module going first some months before the new MDR DoA (likely March 2021). We still don’t know whether the investment in the voluntary elements will not have to be re-done later at some point. However, it would be a very good opportunity to test company machine to machine interfaces and, more general, the company’s Eudamed procedures because you can start interaction with Eudamed likely as from March 2021.

The actor module gives the option for  manufacturers, authorized representatives, importers as well as systems and procedure pack producers to enter their data in Eudamed and to acquire a Single Registration Number (SRN). The SRN is a very crucial element in Eudamed and under the MDR in general as you will need it for declarations of conformity and certificates. Since it is important that the SRN can be obtained before the date of application of the MDR, the actor module will be first and before the new DoA. May 2021 is expected to bring two more modules: the UDI/Device Registration module and the Certificate/Notified Body module, which are also required for data entry and for data on certificates. The rest of the modules (clinical investigations, incident reporting and market surveillance) will follow later as these are intended as tools for communication about devices and actors. As envisaged under article 123 (3) MDR existing systems will be used for this until Eudamed is fully functional.

IVDs: a crisis in the making

I’ve said it before and will keep repeating it: the IVDR is a crisis in the making. Several developments conspire to make this a really big crisis that may put a serious dent in healthcare. Maybe some people noticed that in these epidemic times it is pretty sweet and kind of essential to have in vitro diagnostic tests that are actually validated. So why miss all these opportunities to plan ahead?

We had some guidance about COVID-19 test development under the current IVDD, which was a nice reiteration of what every serious IVD company that takes performance evaluation seriously should know already. If you’re an IVD company, it might be good to put your existing technical documentation along that ruler because this is the bare minimum that a notified body will expect under IVDD standards (as you know the IVDR will be a step up, with additional clinical performance data required).

At the moment there are de facto only two notified bodies designated for the IVDR (three in NANDO at the moment, but BSI has one in the Netherlands and one in the UK, the latter of which will lose its designation end of this year as a result of Brexit). It is not exactly clear how much of the required capacity these two notified bodies represent but given that there are still 12 notified bodies in the pipeline according to official figures, this is probably not as much as needed (the capacity that applied represents 62% out of the original number of NBs for the IVDD says the Commission, counting one extra new applicant, which is likely NSF that also abandoned its application again).

If you count back from the DoA of the IVDR, manufacturers must have an IVDR conformity assessment application in the door at a notified body by the end of 2020 in order to have a good chance of an IVDR CE certificate before IVDR DoA. As I have explained on previous occasions, the IVDR is different from the MDR in that most manufacturers on the market do not already have a CE certificate under the IVDD, while the large majority of them will need that under the IVDR and they have two notified bodies to choose from. This means that if you’re an IVD manufacturer you must plan for an IVDR conformity assessment application before the end this year. Let’s just hope more notified body capacity becomes available, but I am not optimistic. This means that when the two current IVDR NBs are full, the rest is largely out of luck. Yet, the sense of urgency seems to be missing, both on the side of industry in general and on the side of the authorities.

The IVDR has been structurally left out of any COVID-19 motivated emergency measures, such as the extension of article 59 MDR to the directives. It would have been a small matter legally to have included article 54 IVDR in this as well, thus allowing for emergency possibilities for IVDs. This would be extra important in the light of the bottleneck for IVDs going into the IVDR. Yet, apparently all eyes appear to be on the MDR at the moment.

So far no substantial guidance has appeared for the IVDR and half of the IVDR guidance on the planning is not even scheduled for 2020. This is why I am personally very happy with the new MedTech Europe guidance document “Clinical Evidence Requirements for CE certification under the in vitro Diagnostic Regulation in the European Union”, This document is a collection of questions and answers designed to help manufacturers navigate their performance evaluation obligations under the IVDR.

So what to do?

If I were a devices manufacturer I would not treat this extra year as an extra year of MDR DoA delay because it really isn’t. At best you have some months extra to fine tune and that may be welcome. Your MDR specialist might take some well-deserved holidays, but keep your eyes on the ball and don’t forget that everything moves slower in an ongoing pandemic so what would normally get done in the same amount of time will now take longer.

If I were an IVD manufacturer I would go full pull to have my technical documentation for my IVDs ready for the IVDR on the triple double and make sure to have my first conformity assessment applications in the door at a notified body this autumn to be ahead of the big congestion that is coming. Same is true here: expect things to move slower than normal because of the pandemic. We may even get a second wave that’s worse. Have you planned for that? Scenario anyone?

MDR date of application move: politically a done deal now

With the overwhelming vote in the Parliament in favor of the Commission proposal to amend the MDR it is politically basically a done deal now that the MDR will be amended.

After the vote there were people that immediately stated that the amendment was formally approved – not so. We are looking at law making in the ordinary legislative procedure, which is co-decision making between the Council and the Parliament – they each need to adapt a position in first reading and then compare notes to see if further conciliation is needed. To speed things up to the maximum extent the Council gave a mandate in which it outlined what would be acceptable to the Council.

The Parliament’s vote for its first reading seems to fit this mandate perfectly, which means that the Council can now also adopt its position in first reading (which it will likely do special proceedings via the COREPER, because normally it would need to convene in person). Then the agreed amendment needs to go past the ECOSOC (who is already prepared to be part of the solution and ready to go) and the Committee of the Regions. Normally there would also be eight weeks for national parliaments to have an opinion, which has been skipped this time. Only then can the proposal be published and enter into force on the day of publication.

The Council has confirmed in the mean time that the Parliament’s first reading corresponds to what the Council would agree to, so the Council’s first reading confirmation is impending, bringing the first reading phase to a close and paving the way for adoption of the proposal after ECOSOC and Committee of the Regions consultation. I expect the Council to formally close its first reading in the course of coming week. ECOSOC and the Regions will go as fast as they go, ECOSOC even had its position ready last Friday, the day of the Parliament vote, supporting the amendment but making the critical note that

“the EESC would like to reiterate the request made in its previous opinion on this topic, namely that the functioning of the Regulation should be formally reviewed, jointly by authorities and stakeholders from civil society, three years after its entry into force, to ensure that its objectives are being met.” 

Complexity? Rather underestimation and under-resourcing

The recital 4 to the amending Regulation state that:

“Given the unprecedented magnitude of the current challenges, and taking into account the complexity of Regulation (EU) 2017/745, it is very likely that Member States, health institutions, economic operators and other relevant parties will not be in a position to ensure the proper implementation and application of that Regulation from 26 May 2020 as laid down therein.”

OK, the MDR is complex, but it was not a surprise except to those that deliberately chose to stay uninformed. Implementation was not that complex because it was a regulation, of which the whole idea is that there is not that much to implement. Many responsible companies attacked the problem with a lot of energy and at considerable costs and were as ready as they could be in Q1 2020, prepared to give this their best shot. Many others chose to do differently, to which I can only say that staying uninformed was a choice in this case.

The elephant in the room here, obviously, is how the Commission and the Member States failed to ensure proper implementation, as has been discussed on this blog over the more than nine years that I am tracking the MDR and IVDR. Essential guidance, Common Specifications and implementing acts late or delayed. Almost none of the Member States has their implementing legislation ready. It shows that the authorities, both at EU and national level have structurally underestimated and under-resourced the MDR and IVDR implementation. This will not be fixed in the year and I am quite certain that still many actions outstanding in the Rolling Plan and the Ongoing Guidance development document will not be completed in time, because the root cause has not changed.

The only difference is the move of the medical devices policy from DG GROWTH to DG Health and Food Safety (DG SANTE), which may make something of a difference – hopefully.

Moving load between communicating vessels?

It is always nice to be able to celebrate a success, but what will this amendment actually achieve? Will it avoid a situation of ‘Dead on Arrival’? The move of the DoA creates time here and there, but it does not create extra capacity. A basic principle of load balancing is that if you move load to relieve a bottleneck, there must be capacity elsewhere in the infrastructure that the load can be moved to, otherwise you just create another bottleneck elsewhere. 

COVID-19 has

“a significant impact on various areas covered by Regulation (EU) 2017/745, such as the designation and work of notified bodies and the placing on the market and making available on the market of medical devices in the Union” (recital 2 of the proposal)

Granted, the additional year does give authorities, economic operators and notified bodies one more year to prepare for the MDR, but it does not create more capacity.

The year eats into the four year period to transfer the renewed (AI)MDD certificates that the market went all in on with one year. So now there will be more (AI)MDD certificates to renew to the MDR in less time. Also, notified bodies will still not function as normal. In fact, they will function less than normal because they cannot audit under normal circumstances. Yes, they can do part of their audit remotely now, but this is not exactly creating extra capacity. More notified bodies can be notified under the MDR before the DoA, but a notified body needs time (about 6 months) to get to full operating capacity and a conformity assessment procedure mostly takes 8 months at least, so any notified bodies  designated in this extra year will not make a difference for the MDR pre-DoA. The only net win is that these notified bodies have more time to issue (AI)MDD certificates that must be renewed very soon (within less than four years).

What will the move of the DoA allow manufactures to achieve? They will have less time to convert old (AI)MDD certificates to MDR certificates (three years instead of four years). – capacity problems may ensue at manufacturers and notified bodies. They have more time to finish preparing their QMS for article 120 (3) life (MDR QMS partially and no significant changes). The good part for innovation here is that the time frame in which no significant changes are allowed is shortened.  One more year to change notified body or start up new conformity assessment under the (AI)MDD pre DoA? Don’t bet on it, because notified bodies are generally still not taking new customers or staring new conformity assessments for (AI)MDD certificates because they did not suddenly get extra capacity.

Article 59 pre-DoA

The application of article 59 pre-DoA has the consequence that any essential medical devices that (still) do not make it for the new DoA can be pseudo-CE marked with a pan-Union emergency implementing act. However, this immediately begs the question as to capacity at the European Commission to crank out implementing acts. Given the track record of the Commisison in adopting implementing acts under the MDR and IVDR, this is not a happy picture. Nobody wants to rely on article 59 MDR as a magic bullet as it currently looks like and only as a last resort, but we’ll have to see how the Commission and the other institutional actors operationalise the article 59 MDR procedure. 

I still think it was a mistake not to use this opportunity to also bring article 54 IVDR (the analogue in the IVDR) forward to be able to have a pan European approval mechanism for COVID-19 tests, of which there are shortages everywhere at the moment.  

Eudamed consequences?

The proposal moves dates for Eudamed in a way that it will be possible for Eudamed to be phased in as was originally intended, but then one year later. This begs the question whether the Commission actually intends to depart from its plan to launch Eudamed at the date of application of the IVDR. While the dates change, the legal basis for the Commission to wait until it is ready (article 123 (3) MDR – the ‘what if Eudamed is not ready in time’ provision) has not changed, so the Commission can decide to already default against the change date of 25 March 2021 as latest date for the ‘Eudamed is ready’ notice and 26 May 2021 as date on which Eudamed should go live by the letter of the amended MDR.

It would be very helpful for the market to know what the Commission will do. Does the Commission  intended to stick to the December 2019 plan (default no matter what, and go live end May 2022) or is there a possibility that it will try to get back to the default launch trajectory as now amended? There is a year between the two possible go live dates so that would be helpful to know, as it is less evident for us on the outside which of these options the Commission is planning for.

By the way, we’re still waiting for clarification promised last December about how to work with Eudamed when it’s not live yet after the DoA. The Commission could helpfully clarify all these things in one go!

The Xits

I have blogged before about the effect of the move of the DoA on the three country eXits from the Union.

Swiss Medtech immediately issued a press release after the Parliament vote that this means one year more business as usual under the existing MRA between the EU and Switzerland. The same would be true for Turkey, but not for the UK, as the UK has left the Union beginning this year and looks like it will not rely on the option to extend the transitional regime for Union law beyond 31 December 2020.

Timing

The adopted proposal will need to be published in the Official Journal for it to enter onto force. The good news it will enter into force upon the date of publication, which should be before 26 May 2020 in order to avoid a legally very awkward situation of the MDR becoming applicable only for the date of application to be moved retroactively.

I expect the publication will be very soon after adoption of the first reading by the Council, which I expect second half of the week of 20 April.

This would mean that the amending regulation could be published, and enter into force, soon after.

 

New MDCG guidance on temporary extraordinary measures related to medical device Notified Body audits during COVID-19 quarantine orders and travel restrictions

Schermafbeelding 2020-04-08 om 20.32.53When it rains guidance, it pours. The MDCG just released Guidance on temporary extraordinary measures related to medical devices Notified Body audits during COVID-19 quarantine orders and travel restrictions. The guidance takes immediate effect and is valid for the whole period of duration of the pandemic COVID-19 as declared by the World Health Organisation.

It addresses alternative solutions to carrying out on-site audits by notified bodies under the medical devices directives and under circumstances the MDR and IVDR under specific circumstances, which includes the possibility to perform remote audits under certain conditions.

Covered audits

Although

“this guidance applies to the medical device Directives only, for Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR) in the event that the availability of devices is affected by COVID-19 restrictions the principles in this guidance may apply.”

The guidance covers the following audits:

  • surveillance audits under the medical devices Directives,
  • audits conducted for re-certification purposes under the medical devices
    Directives,
  • in cases where a manufacturer submits a change notification to a notified body that would typically require on-site audit or verification,
  • in cases where a manufacturer terminates (voluntarily or involuntarily) its contract with a notified body and enters into a contract with another notified body in respect of the conformity assessment of the same device(s).

IVDR is covered ‘in principle’! This is the first time I see something positive in guidance in relation to the IVDR. IVD companies, make this count and use this time to not give up on or start conformity assessment with the few notified bodies there are for the IVDR before these are completely crowded. This will also help fast track clearance for self-tests for COVID-19 under the IVDD and IVDR covered COIVD-19 tests. Hurrah!

Not covered audits

Generally initial certification audits or audits to extend the scope of certification under the Directives should not be performed using these temporary extraordinary measures. However, notified bodies may apply these extraordinary measures on a case-by-case basis for such audits in cases where devices are considered relevant to ensure medical care, especially if clinically necessary during the period of COVID-19 restrictions.

How?

Within the confines of audits covered and not covered the notified bodies have wide discretion on how to work, provided that the measures are covered by appropriate procedures. The guidance gives a number of examples of temporary alternative extraordinary measures and arrangements to on-site audits. The procedures should be carefully assessed and documented by notified bodies on a case-by-case basis and performed using a risk-based approach. This risk-based approach should be based on a review of the notified body’s

“files relating to the status and operations of the manufacturer related to the audit in question, for example the activities conducted at the site to be audited, its quality management system, and its level of compliance from previous audits. Following this review, a risk analysis should be made as to whether or not the audit could be performed with alternative measures. Where a postponement cannot be justified, the notified body should assess which alternative extraordinary measure should be performed (e.g. remote audit; off-site document review; conference calls with relevant personnel of the manufacturer).”

More detail coming

The guidances mentions that the MDCG NBO working group is tasked with the development of guidance to define the operational implementation details of this guidance document. More detail will no doubt follow.

MDR amendment proposal article 120 (3) oversight set to be fixed by Council

Kermit mysteryIt’s always a risk to put out a theory about legislative oversight after a Sherlock Homes investigation that eliminates all other options as I did in my last blog about the MDR amendment proposal.

Recent development seem to confirm that I was right in assuming that not touching the two dates of application of 26 May 2020 in article 120 (3) of the MDR were indeed an oversight after all.

The Council’s fix

The Council has now moved swiftly and put in a proposal to fix this. Informal discussions were concluded at the Presidency and the proposal was discussed with particular attention to the oversight with regard to article 120 (3) MDR. Based on these consultations, the Presidency believes now that a large majority of delegations can support the Council’s fix.

The fix contains an amendment to article 1 (6) of the proposal by adding a new Article 1 (6) (aa) that moves the date of application in article 120 (3) MDR to 26 May 2021 as well:

Article 1 6) (aa)Article 120 is amended as follows:

paragraph 3 is replaced by the following:

“By way of derogation from Article 5 of this Regulation, a device which is a class I device pursuant to Directive 93/42/EEC, for which the declaration of conformity was drawn up prior to 26 May 2021 and for which the conformity assessment procedure pursuant to this Regulation requires the involvement of a notified body, or which has a certificate that was issued in accordance with Directive 90/385/EEC or Directive 93/42/EEC and that is valid by virtue of paragraph 2 of this Article, may be placed on the market or put into service until 26 May 2024, provided that from 26 May 2021 it continues to comply with either of those Directives, and provided there are no significant changes in the design and intended purpose. However, the requirements of this Regulation relating to post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices shall apply in place of the corresponding requirements in those Directives.,”

Still only a proposed amendment to a proposal, but at least the proposal as a whole is consistent now.

What’s next

Stay tuned for further developments! The Council document referenced sets out the further steps to the legislative procedure:

  1. The Permanent Representatives Committee is invited to agree on a mandate based on the Presidency text set out in Annex I at its meeting on 8 April. The mandate will then be transmitted to the European Parliament in a letter in which the Chair of the Committee informs the Parliament about the Council intention to reach an agreement at first reading.
  2. The European Parliament is expected to vote its position at first reading already at its plenary on 16 April.
  3. After the vote in the European Parliament, the Permanent Representatives Committee will be invited to examine the Parliament’s position and agree if it corresponds to the Council mandate. Should that be the case, a written procedure will be used to invite the Council:
    – to approve the Parliament’s position, and
    – to agree to derogate from the eight-week period foreseen for scrutiny by the national parliaments.
  4. Consultation of the European Economic and Social Committee and the Committee of the Regions is compulsory, as this proposal concerns public health. Both consultations must be finished before the Regulation amending Regulation (EU) 2017/745 is adopted. The Council mentions that both Committees have been contacted with the aim of speeding up the consultation.

And then the proposal is hopefully published in time. Because it can enter into force on the day of publication, hopefully that will be in time before 26 May 2020.

The MDR amendment proposal: more than meets the eye

Open one jobOn Friday 3 April 2020 it finally happened: the Commission proposal for amendment of the MDR to defer the date of application with a year that everyone was waiting for and was in the works for some time was finally published.

As I have heard from many directions immediately after the announcement of the proposal being in the works people far and wide sighed “told you this would happen” or “inevitable”, and then dropped MDR preparatory work. The joke’s on the silly Europeans, of course they would never let it come to the DoA situation (jokingly called Dead On Arrival instead of Date of Application) that the MDR was heading for. Pfew, business as usual – now let’s concentrate on the COVID-19 pandemic.

Don’t forget however that it’s exactly this pandemic that led to this proposal. If you have been banking on the DoA being moved all along, you have been putting your company’s business on the roulette table. This proposal would not have happened if the COVID-19 epidemic had not taken place to compound access to devices related problems. Actually, this is how bad things needed to get before the EU would even consider this move.

Dropping all MDR work is still the worst choice you can make under the circumstances. This is a proposal. It’s not law yet. Although it is likely that the proposal will make it, it is also possible that it does not. While there is a lot of can-do mentality in politics these days, there is also a lot of zero sum mentality. So don’t count your blessings just yet – this may still not play out as expected.

If you are a smart company, read the ISO 31000 standard and learn a thing or two about risk management with respect to company plans regarding regulatory changes (I will blog about this at a later moment too). Scenario anyone? It would be the responsible thing to do under these circumstances.

More detailed table analysis

I have set up the analysis underlying this blog in a far more detailed table based analysis that ports every amendment to subject and MDR clause affected, consequences and my comments. My clients and good friends are very welcome to send me a request for this underlying detailed table analysis.

For everyone else, the following is a summary of this table based analysis, which does not cover every single aspect of the proposal. For example, this blog does not cover the proposed measures in the field of devices manufactured using non-viable tissues, cells or derivatives of animal or human origin.

When making this analysis I found that there is a lot that does not meet the eye immediately with this proposal, and I may have missed things as well. The proposal really affects a lot of different things, and does much more than just move the DoA with one year.

Objectives of the proposal

The proposal has three broad objectives:

  1. deferring application for provisions of Regulation (EU) 2017/745 that would otherwise start to apply from 26 May 2020 (see recital 6);
  2. it is also necessary to adapt certain transitional provisions of Regulation (EU) 2017/745 that would otherwise no longer apply as from the date of application of those provisions (see also recital 6); and
  3. giving the Commission the possibility to apply article 59 MDR before the DoA so it can start taking Union wide central measures as soon as possible to address all kinds of problems both COVID-19 and MDR bottleneck related.

See for details on all three objectives in the following, where you will also see that there are some Easter eggs in there, for example as regards EUDAMED.

The proposal ONLY covers the MDR, not the IVDR. Did I say already that the IVDs are on their own right now and that this is another crisis in the making? Yes I did. But I also provided a solution for the IVDR, which could be implemented by means of a similar amendment as to article 59 MDR and associated provisions in this proposal to the article 54 and associated provisions in the IVDR. Not addressing the IVDR bottleneck in this proposal is – in my opinion – a terrible mistake that will cost us lives. Shortage of COVID-19 tests everywhere, so let’s not fix the devices shortages for the IVDR. Makes perfect sense, right?

Annex XVI devices – more time for CS

For the Annex XVI devices all 26 May 2020 dates move to 26 May 2021. This means that Common Specifications for Annex XVI devices can still be adopted ‘in time’ before the new DoA of 21 May 2021, or six month after the date that they are adopted on after DoA.

Reprocessing of SUDs – more time for CS

Similarly, the date for adoption of CS for reprocessing of SUDs will be moved to 26 May 2021. More time to adopt those too.

If the CS have not been adopted by the new DoA, alternative standards apply (relevant harmonised standards and national provisions).

EUDAMED – Big Bang launch back on the table?

Everyone’s favorite super complex moving target! What happens with EUDAMED is one of the really interesting things in the proposal. Because of the way the dates concerning Eudamed are moved, a Big Bang launch of EUDAMED on the (new) date of application as originally intended in the MDR is suddenly back on the table. With the dates moved the whole original itinerary of EUDAMED phase-in is possible again, including a ‘EUDAMED is ready’-notice on 25 March 2021. Now that would be news, wouldn’t it?

This means that if the proposal is adopted and the MDR amended accordingly there is a perfectly legal alternative to the Commission’s December 2019 move of the date of EUDAMED going live to coincide with the IVDR DoA. The proposal and other public materials (like the Commission press release about the proposal) are completely silent on this point. So this is one to watch: EUDAMED for MDR goes live on 26 May 2021 (new DoA) or on 26 May 2022 (as deferred by the Commission)! And what will happen in the mean time with the phased making available of voluntary use of modules, starting with the actor module? What will it be? Scenario anyone?

EU wide conformity assessment derogations – NEW

This is another real change brought about by the proposal. As the explanatory text to the proposal mentions, when adopted the article 59 MDR procedure that allows national measures exempting groups of devices from the normal conformity assessment requirements will also apply ahead of DoA. As a result the Commission will have a shiny new pan-Union instrument that is badly needed in the COVID-19 times, which is one of the proposal’s core objective.

The Commission would be allowed to roll out a national measure for the whole Union (not just the EU, but the Union in which the MDR applies, which is relevant for the Brexit, Swixit and Turkxit – more about that below) by means of implementing act.

This new instrument will allow the Commission to implement the policy of which the outlines were set out in the Recommendation of 16 March 2020.

Sanctions – more time for Member States

The date at which the Member States should have informed the Commission about the sanctions they impose on MDR infringement will be moved to 25 February 2021, giving Member States more time to finish their implementing legislation for the MDR.

Since many Member States have not finished their implementing legislation, this is a welcome delay.

Notified bodies – More time for MDR certificates pre-DoA and (AI)MDD renewals, but less time for MDR certificates pre 2024

The move of DoA and related dates with one year to 26 May 2021 gives the Commission and the Member States one more year to designate notified bodies for the MDR, and it gives the notified bodies already designated for the MDR more time to issue more MDR certificates, as well as renew more AIMDD and MDD certificates that were still in the pipeline for renewal to profit from the article 120 (3) soft transition period. 

On the other hand, there is less time for notified bodies to convert AIMDD and MDD certificates to MDR certificates during the soft transition period, which can create other problems because the market went all in on extension of old certificates rather than the issue of MDR certificates pre-DoA, because there was not enough capacity for pre-DoA certificates. This will mess with everyone’s 2020-2024 planning, including yours. For a very detailed overview of how everyone’s planning will be affected from the perspective of a notified body, I refer you to Bassil Akra’s (TÜV SÜD) analysis. This analysis also contains a lot of good tips for interaction with your notified body and what notified bodies will be doing in case the proposal is adopted. Maybe read ISO 31000 and make a scenario or two.

Article 120 (3) MDR ???

The proposal does not move the date of 26 May 2020 mentioned twice in article 120 (3) MDR, which creates some urgent problems.

First, the consequence of not changing this date is that it partially undermines the second Corrigendum, which was intended to allow up-classified class I devices and the new category of reusable surgical instruments in class I the same benefit of article 120 (3) MDR as was granted to devices with a CE certificate under the AIMDD and the MDD. The consequence of the proposal being adopted as is would be that there is a year (between 26 May 2020 and 26 May 2021) during which the MDR does not apply, but up-classified class I devices and reusable surgical instruments are already subject to soft transition requirements (no significant chances and MDR QMS elements) before the (new) DoA, which was not how the Corrigendum 2 intended things to work and which is not how the article 120 (3) exemption system was set up. However, this is where we will  be if the proposal is adopted as is.

My theory is that someone did not have his or her consolidated version of the MDR at hand, because the pre-Corrigendum 2 MDR text for article 120 (3) does not contain that date, and therefore would not need amending based solely on that text. Sometimes legal issues are as simple as that, but they can create massive problems. If you do a full text search through the MDR, the only “26 May 2020” date that was in the pre-Corrigendum 2 MDR text that did not get addressed in the proposal is the Annex I 10.4.3 provided 26 May 2020 final date for the SCHEER mandate to prepare guidelines on phthalates. This date did not need to be moved because the guidelines have been prepared already – they were adopted on 18 June 2019 so there was no need to move this date. Really, the explanation may be that banale but I’m open to other theories because those would be a much better story than administrative oversight.

Secondly, the soft transition period for devices with a CE certificate before 26 May 2020 is impacted, which would have run from 26 May 2020 to 26 May 2024, so the logical thing to happen would have been to change the second date of 26 May 2020 in article 120 (3) MDR to 26 May 2021, which did not happen, thus shortening the soft transition period from four years max to three years max, like happened with the sell-off period in article 120 (4) MDR, discussed below. Like with the up-classified class I devices, this creates a year during which the MDR does not yet apply, but the article 120 (3) MDR regime does and similarly it does not make sense here either.

However, also this apparent oversight can be explained by the fact that the second date of 20 May 2020 just did not feature in the pre-Corrigendum 2 MDR text and someone apparently did not look at the consolidated text when drafting the proposal (see above explanation). It also does not make sense to not change the date in article 120 (3) for existing AIMDD and MDD certificates because article 120 (1) MDR is changed in the proposal (article 1 (6) (a) of the proposal) to keep the notified bodies that otherwise would be de-notified by 26 May 2020 notified for another year so they can continue as usual. Recital 6 of the proposal states that:

“The application should be deferred for provisions of Regulation (EU) 2017/745 that would otherwise start to apply from 26 May 2020.”

That would mean all provisions (since no reservation was made, e.g. by using ‘certain provisions’) starting to apply on 26 May 2020 are intended to be deferred, including those in article 120 (3) MDR. In my view this further supports the theory that this is an unfortunate oversight. The Commission intends to keep the notified bodies supporting existing MDD and AIMDD certificates notified for another year (which they would not be during the article 120 (3) period), which makes no sense logically if the article 120 (3) period would not be shortened accordingly.

If these two issues with article 120 (3) MDR are really not intended, this is obviously sloppy work on the part of the Commission. They had one job, and and it would be very sloppy if they had used an obsolete legal text for that.

If these issues are intended, the logic behind them escapes me completely because they serve no other purpose than to complicate things enormously and are a recipe for confusion everywhere. Again, any theory better than mine is welcome!

Sell-off period – shortened

While The DoA is moved to 26 May 2021 with a change of article 120 (4) MDR the end date of the sell-off period does not change (27 May 2025). This means that economic operators will have less time to sell off devices that have entered in the supply chain before the date of application.

Date of Application – moved

Obviously the date of application will be changed – this was the whole point of the proposal. But mind you, since so many things are connected (remember, CE means Connected Everything under the MDR), a lot of other things start to move as well. I have mapped all of these in the detailed table for clients and friends referred to above.

UDI carrier – much ado about nothing

A lot changes in the text relating to UDI carrier timing, but the net result is zero.

Because of the move of the DoA, the date on which class III and implantable devices have to start applying UDI carriers on label and packaging is now on DoA and not one year after anymore. The textual changes are necessary to make this work.

Entry into force of proposal and procedure – let’s hope it all works

Several measures have been taken to fast-track this proposal as much as possible. Article 2 of the proposal provides that it enters into force upon publication in the Official Journal, while this would normally be 20 days after publication. Together with the eight weeks saved by foregoing the national parliaments procedure (see recital 12 of the proposal) the proposal can be accelerated by almost 11 weeks. The amended voting procedures for Parliament and Council that do not require voting by personal presence can lead to further acceleration, as well as some other tweaks in procedural formalities that would be out of the question under normal circumstances.

For the rest, the Commission is betting on nobody being difficult basically, as the Commission says understatedly in the press release:

“The proposal would need the full support of the European Parliament and the Council through an accelerated co-decision procedure.” 

So let’s hope nobody is difficult. Because if they are, this proposal may well not make it in time to make a difference and then it will likely be off the table altogether. For example, if the issues discussed in relation to article 120 (3) MDR are indeed not intentional, we will need amendments. The reality of amendment is that they time, because there are procedures to be followed so everybody can say what they think about them. And the Commission must be in a position to still make amendments. Let’s hope that the Commission finds a way in this case, because otherwise we need to sit through the first reading first before amendments can be made. This might jeopardize timely adoption of the proposal.

Brexit, Swixit, Turkxit

For the influence of the proposal on all these contingencies (scenario anyone? ISO 31000 says it’s the responsible thing to do) see my previous blog about this proposal’s announcement. The proposal, if adopted, would mean another year before the Swixit and Turkxit take effect, and effectively therefore another year to sort things out politically. That may or may not happen.

In addition I can say that the UK’s play to synch timing and substance of their own new devices legislation with that of the Union turns out not that well if the MDR does get moved. If there is a hard Brexit a the end of 2020 – which is the likely scenario in my view given how things are going – the UK will find itself in the truly weird place of having stricter and more complex devices rules than the Union. This is of course totally not what they intended, even if this situation will last only for a limited period of time. Welcome to the reality of being on the outside, UK.

Overall impression – will it blend?

I really hope that the proposal will pass the co-decision procedure swiftly.

In my view the proposal marks a welcome (in my view anyway, as I’m a passionate European) transfer of competence to the EU level. Subsidiarity is a very nice principle, but it really needs to be rethought in view of healthcare policy, as it made painfully obvious by the current situation.

If there is one thing that we can learn it is that market access for medical technology needs more central handling, because healthcare is too precious. We have the best healthcare systems in the world in the EU, and it would be a terrible mistake to cripple them by not arranging for more effective centralized market access for devices to make them function as intended. We would fail our citizens knowingly and deliberately. It’s only logical if we really want

“a robust, transparent, predictable and sustainable regulatory framework for medical devices, which guarantees a high level of protection of public health and patient safety and the smooth functioning of the internal market for such devices”

as set out in the proposal.

Other than a step in the right direction with article 59 MDR, there are some very critical observations that should be remedied in opinion.

Of course not arranging for the bottleneck in the IVDR to at least allow COVID-19 tests related national measures to go through the article 54 IVDR procedure in order to be able roll out central measures relating to tests I think is a missed opportunity that is going to cost us dearly in lives. Apparently that’s what it takes these days before we do something completely rational. What crazy times we live in.

Then there are the things that do not seem to have turned out right in the proposal, notably the not moving of the DoA in article 120 (3) MDR. If this was not intended, an amendment must be made and amendments normally take time because there should be opportunity to discuss them. This could jeopardize timely adoption of the proposal. Let’s hope nobody is difficult about any amendments either.

Commission working on proposal to postpone MDR date of application for one year

After a statement on a press conference today by Stefan De keersmaecker that had many people very excited quickly, the official announcement came later in the afternoon:

Schermafbeelding 2020-03-25 om 19.09.52

Here is what I think about this development.

Work on a proposal ongoing

The Commission announced that ‘work on a proposal to postpone the date of application’. This tells us something but not a lot.

A decision was reached. That sounds like the work has just started, but it is not excluded that the political foundation for the process was some time in the making.

I know that I have often said on this blog and in public that the date of application would not be moved and companies should not expect it. Now it looks like it’s happening anyway. Why is it happening now when I thought it would not happen before? It’s the corona virus pandemic that provided enough pressure for things to be fluid.

As I’ve been saying all along: the only way to the change the MDR is by means of the legislative procedure, which takes a long time under normal (normal) circumstances and requires all institutional actors to agree to stick to the proposal only and not propose any amendments that prolong the procedure.

We may have the ducks sufficiently in a row for this to succeed now but this is by no means certain, which is exactly why the Commission also uses careful and cautious wording and is by no means saying that this is a done deal.

Postpone application date for one year

What will postponement of the date of application mean? Will it mean that every date in the MDR after 26 May 2020 will also move up one year? We don’t know. I think it is unlikely to happen that every date will move, which essentially means that the four years (May 2020 – May 2024) that were originally intended to ensure

IVDR? Nothing is said about the IVDR, which would certainly benefit from a year breathing space as well, as MedTech Europe remarked very rightly in my view.

What will the status of the AIMDD and the MDD be during the postponement year? We don’t know. I have heard the first suggestions that the notified bodies will not continue to accept conformity assessment requests under these directives (in so far they were still doing that). You can also not automatically count on ongoing conformity assessments or remediations to be allowed to stretch pas the date of application. It would be welcome and logical if this would happen, but we will not know before we see the text of the proposal.

What about Brexit, Swixit and Turkxit?

If the MDR would be ‘postponed’ by a year in a way that the directives continue to be in force, then the logical consequence would be that Swixit and Turkxit are postponed too, because under the directives Switzerland and Turkey are Union, and will thus remain Union until the MDR becomes applicable one year later.  But this does not mean that the root causes for Swixit and Turkxit will be remedied during this year, as these are very political problems.

Brexit is different because the UK has opted to cease being Union by the end of the year no matter what, so this will not change as a result of the MDR’s date of application being moved. This would only change of the UK and the EU decide to together to prolong the transitional period with one or two years. This is politically difficult in the UK because prolonging the transitional period means that EU law applies longer in the UK and the UK has to contribute to the costs of the EU. The UK government has already stated in no uncertain terms this is not what they are planning to do. In other words, Brexit is likely not impacted by this – it still looks like an unfolding hard Brexit happening.

What don’t we know now?

Well, most importantly: we do not know what the proposal looks like. We also do not know if this will even work. That’s why we need to wait until early April to know what the proposal will really entail.

In the mean time, we also don’t know if the proposal will make it, so we have to plan for that eventuality as  well.

What should you do?

This is a plan of the Commission, not an adopted amendment yet. We hope it’s a silver bullet but we do not know yet. It might even be a lead bullet.

As I have said and will keep repeating: scenarios, scenarios and more scenarios. It may be that this whole thing does not even pan out. Then what? Better have a scenario. No imagination? I’ll be glad to help you.

What should you not do?

Treat this plan of the Commission as a done deal and immediately sit on your hands. That would be a bad idea.

While the statement says that ‘this decision will relieve pressure […] to fully focus on urgent priorities related to the corona virus’, it is not saying ‘you should just drop all MDR prep work’. The MDR is still coming and you don’t know what this amendment – if it is amended – will look like in all details.

Did I say scenarios already? One of these is that the whole thing does not happen, and some others are that it happens differently than expected.

 

 

 

The MDR and the Covid-19 recommendation – a possible template for fixing the MDR and IVDR bottleneck

problem-solved-spongebobOn 16 March 2020 the Commission published the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat.

While this recommendation has been flagged here and there as ‘this may be important’ without real further comment I have been thinking about this recommendation myself and here is my take on what it means and may lead to.

What is this recommendation about?

Obviously this recommendation is an attempt of the Commission to manage administative barriers to placing PPE (personal protective equipment) and medical devices on the market that would be needed in the struggle to get the current Covid-19 pandemic under control. In my view you can also see this as a template for the next pandemic that has already started to affect the medical devices industry: the bottleneck caused by date of application of the MDR.

Let’s see what the recommendation does: it addresses two kinds of administrative barriers: conformity assessment procedures and market surveillance procedures.

With regard to conformity assessment procedures the recommendation recommends member states to

“the possibility for Member States to authorise derogations from conformity assessment procedures should also be considered, according to Article 11(13) of Directive 93/42/EEC and Article 59 of Regulation (EU) 2017/745 once the latter becomes applicable, also when the intervention of a notified body is not required.”

In other words: please Member States, think about your options to propose national CE marking exemptions for devices that can be transformed into a pan-European measure by means of the article 59 MDR procedure. The Commission cannot take its own initiaves on this point but can recommend the membe states to do this. Article 59 MDR procedure allows the Commission to make measures taken by one member state mandatory for the whole Union, which is a pretty useful feature. If one member state decides to allow a device on the market without CE mark and notifies the Commission, the Commission can validate the exceptionality and need of the measure at Union law and make an implementing act to make the measure mandatory for the whole Union, which becomes applicable after the members states and the EU parliament allow it through the implementing act procedure.

With regard to market surveillance the recommendation recommends member states to:

  1. The relevant market surveillance authorities in the Member States should as a matter of priority focus on non-compliant PPE or medical devices raising serious risks as to the health and safety of their intended users.
  2. Where market surveillance authorities find that PPE or medical devices ensure an adequate level of health and safety in accordance with the essential requirements laid down in Regulation (EU) 2016/425 or the requirements of Directive 93/42/EEC or Regulation (EU) 2017/745, even though the conformity assessment procedures, including the affixing of CE marking have not been fully finalised according to the harmonised rules, they may authorise the making available of these products on the Union market for a limited period of time and while the necessary procedures are being carried out.
  3. PPE or medical devices not bearing the CE marking could also be assessed and part of a purchase organised by the relevant Member State authorities provided that is ensured that such products are only available for the healthcare workers for the duration of the current health crisis and that they are not entering the regular distribution channels and made available to other users.

The first point addresses dangerous non-compliant devices. I already see a spike in placebo medical devices and non-compliant Covid-19 self tests of which nobody knows where they come from or whether they even work for this intended purpose. Needless to say, authorities should clamp down on those.

The second point seems to be a reference to the article 97 (3) MDR procedure, under which the Commission can specify appropriate measures by implementing act for devices that are non-compliant administratively but do not present an unacceptable risk to health and safety of patients. This is an interesting procedure because unlike the article 59 procedure it allows for block exemptions.

The third option is also a good option: member states allow devices purchased according to certain specifications for the duration of the health crisis. This works especially well when devices are purchased via tenders.

So this recommendation, if you realize the at the Commission does not have any direct power under the MDR to take emergency measures, is really something. But it can also be a stepping stone for the way the EU handles the consequences of the bottleneck in medical devices approval caused by the way the MDR was set up, and which is now compounded by the Covid-19 health crisis.

What does/could this mean for the MDR and its date of application?

Everybody and their mother wants the date of application of the MDR moved for obvious reasons – with the Covid-19 pandemic happening notified body capacity is collapsing, and manufacturers have facilities closed down so are unable to receive physical audits. Even though everybody does what they can remotely, the processes are even more delayed and are delayed severely. We may not even out of lockdown in many place by the DoA of 26 May 2020.

The DoA, abbreviation for Date of Application, is starting to be cynically used as ‘Dead on Arrival’ by now. The situation is really getting out of control, even if everybody, including notified bodies, are doing their best to keep working the problem.

Yet, there is no mechanism in the MDR for moving up the DoA quickly because the EU is not set up this way. Clamoring for that is therefore not going to work.

A change of the DoA requires a legislative change, which cannot happen quickly. Reopening the MDR would lead to a situation where everybody would propose amendments or disagree, and that would bog down the process even more. Even if everyone agrees and does not propose amendments, the process takes several months. So that won’t work anymore now.

Emergency measures then? Since the EU is not a federation we have not delegated that much in terms of actual decision making power to the EU institutions, especially not in healthcare. The Commission is allowed to propose and the EU may adopt internal market measures that have a health dimension, but it is totally not allowed for the EU to intervene in emergency health situations on its own initiative with binding measures. Member states closely guard their national competence in that field and are not going to hand that over to Brussels. This pandemic shows that doing exactly that may not be such a bad idea – as they say, never waste a good crisis.

All emergency procedures in the MDR therefore start with a member state or an MDCG initiative, which is subsequently made binding by the Commission with an implementing act. The implementing act can always be blocked by member states or the Parliament. So this is how the EU works: nothing happens unless everyone agrees. Usually this works fine. In pandemics, it’s not so efficient.

The only way to move the MDR date of application is to start a new legislative procedure and change the date of application. Nobody wants to start a new legislative procedure at the moment however. Why? Because first, it is a slow process. Secondly, everybody will put in amendments because they can, slowing down the process enormously because nobody is going to agree with the amendments of everybody else just like that.

My thinking is that a version 2.0 of this recommendation would solve a lot of problems, without needing to go through a legislative procedure to amend the MDR. It would be appropriate too, because the Covid-19 pandemic and the date of application overlap and compound issues. Many of the bottleneck problems that we were having already with respect to notified body capacity have been steeply exacerbated by the Covid-19 pandemic.

A new recommendation drafted with the date of application in mind could provide the necessary coordinative template for member states to solve the unavailability of safe devices as a result of administrative problems, because the Commission does not have the power to do this. The recommendation 2.0 would provide a template for concerted and efficient use of the article 59 and 97 (3) MDR procedures. Everybody wins and the patients the most. Would’t that be great?

Again, why not the IVDs?

As we have seen with the Joint Implementation Plan, this Covid-19 recommendation also does NOT apply to IVDs – it only mentions medical devices under the MDD and the MDR. I don’t understand how you can ignore IVDs when the whole healthcare system is complaining about a lack of tests? In any pandemic, access to sufficient relevant tests is vital. I can for the life of me not understand how it is possible to ignore IVDs in this scenario.

Any recommendation 2.0 aimed at fixing the medical devices bottleneck should address IVDs too. The writing is on the wall that the bottleneck will be far worse for IVDs

A little side note on standards

Everybody is frustrated about the delay in harmonised standards for the MDR and IVDR, but this is no reason for delay as such. The recommendation reiterates in recital 18 that

compliance with the harmonised standards is not mandatory. Manufacturers are free to choose other technical solutions provided that the specific solution which is retained ensures that the medical device complies with the applicable essential health and safety requirements.”

So, absent the harmonised standards manufacturers must think about what the state of art really is, and how a GSPR can really be met by their solution. Good time to think out of the box. The recommendation impresses in recital 22 on notified bodies to be flexible in this, and not be hung up on standards per se.

So – outlines of a way out

Use the recommendation 2.0 route could be the best compromise under the circumstances – a tried remedy that everyone should be able to live with and has a good chance of solving a lot of problems related to the conformity assessment bottleneck exacerbated by the Covid-19 pandemic. A true European solution! Now we just have to do it.

New MDCG Class I Article 120 (3) and (4) MDR guidance – nothing new but nice summary of requirements

Class I guidance gullI have blogged before about the effects and possibilities of the Corrigendum of December 2019 for class I medical devices. I refer you to that blog for the background to this discussion, which covers the mechanics of timing. The draft corrigendum discussed in that blog was adopted as described. 

The new guidance

The MDCG has now (finally) published its guidance MDCG 2020-2 on the subject, which confirms everything in that blog in terms of the mechanics of timing, but adds important procedural requirements for a class I manufacturer about how to actually document things, what the state of the technical file and QMS should be and what the declaration of conformity should look like, because these are things that manufacturers of class I devices often do not right.

Contents of the declaration of conformity: guidance on the content of the Declaration of Conformity can be found, inter alia, in the “The ‘Blue Guide’ on the implementation of EU products rules 2016 (2016/C272/01)” and the standard EN ISO/IEC17050-1. That guidance was always there already (and this is yet another reason to read the Blue Guide, which everybody should do – it contains many of the answers that people keep asking me).

If you do amend your technical documentation and/or DoC, mind you that 

“Necessary amendments/updates to the technical documentation should be done in a transparent manner. Both the changes and the dates of when the changes were made should be recorded. On the basis of the Declaration of Conformity and the corresponding technical documentation, the manufacturer should be able to demonstrate that the Declaration of Conformity was lawfully  issued before 26 May 2020 and that, subsequently, there are no significant changes in the design or intended purpose in the meaning of Article 120(3) MDR.”

Also this requirement should not be a surprise, but here you have it again.

For whom?

For which manufacturers is this important? This is important for all manufacturers whose medical device would be up-classified under the MDR, such as including but not limited to (standalone) software, substance based devices and inhalers.

Can’t figure it out? This is the moment to dare to be wise and really understand this stuff, or ask someone to help you understand. That could be me or any other good medical devices expert out there. It’s busy times though as you may have noticed, so ask sooner rather than later. 

The MDCG cybersecurity guidance – a helpful rush job

Risk free by designIt has been some time since the MDCG guidance on cybersecurity for medical devices was released (MDCG 2019-16 December 2019), so everybody has probably had the opportunity to get used to the document by now.

While the document is by no means ideal or even flawless (congratulations MDCG on a glaring spelling mistake in the very title of the document (corrected later, just like the heading numbering mistakes)), it does provide helpful context on what the EU regulator would like to see in terms of cybersecurity for medical devices under the MDR and the IVDR, which concerns both standalone software and devices running software. The real value of the document is that it shows how different parts and requirements under the MDR and IVDR are interconnected via PMS and risk management, two areas in which the EU expects everyone to up their game considerably.

The document is based on IMDRF work on cybersecurity for medical devices, to which it often refers, specifically the very useful IMDRF’s Principles and Practices for Medical Device Cybersecurity document, which is currently under consultation.
The guidance comprises of

  • An introduction;
  • Basic cybersecurity concepts;
  • Secure design and manufacture;
  • Documentation and instructions for use;
  • PMS and vigilance;
  • Links to other EU and International legislation and guidance; and
  • Annexes with examples and reference material

Some context

As you will know the MDR and IVDR contain new (cyber)security GSPRs in GSPR 17 and 16 respectively, but did you know that the MDR and IVDR require a much broader perspective on cybersecurity? As in many aspects, the MDR and IVDR do not provide a finite list of specific stuff you need to do, which, I know, is a problem for many manufacturers and especially their software developers.

A lot of software was never or is not developed from the ground up with cybersecurity in mind, and certainly not in the context of a good risk management plan that take into account all the risks related to its use in the environment that it is used in, the hardware it is run on, the dependencies it has with other systems and the relationship with other legislation that also govern software or IT processes, like the General Data Protection Regulation (GDPR).

Software developers scrum and sprint all over the place, often without having a good idea of the end that they should have in mind in terms of development goals. Often development teams will focus on delivering ‘something that works’ rather than ‘the software specified that meets the requirements specified’ and may even tack on some security at the end. Also, post market surveillance is typically not one of the things that is top of mind. Or, as  researchers and authorities put it euphemistically (“MDMs” are medical devices manufacturers and MD is medical device):

“even if there is a clear regulatory framework for the introduction to the market of medical devices, the culture of cybersecurity is still very inconsistent among MDMs. MDMs fail to include cybersecurity in the MD design and development process as there is few guidelines or recommendations dedicated specifically to IT cybersecurity of medical devices.”

This approach will not do under the MDR and IVDR anymore. If there is one message that this guidance document gives, it’s that everything is connected (Connected Everything), that the MDR and IVDR require Consistency Everywhere (CE puns intended) and that the MDR acronym More Data Required also applies to cybersecurity, both pre- and post market.

What devices does this apply to? Well, to all devices governed under the MDR and IVDR, which includes standalone software that is a medical device under these two regulations, see MDCG 2019-11.

If you’d like to have an entertaining evening with cyber exploits of medical devices within a hospital, consider watching CSI Cyber’s Hack ER episode, in which a hacker takes control of all networked medical devices at a US hospital and threatens to kill one patient every hour if his demands are not met. Of course this is a fictional and much dramatized story, but the device and network exploits shown in it are all possible and do happen in reality. The ones in this episode are actually among the easier ones. This episode dates back to 2015 – hospitals are regularly hit by ransomware attacks and devices still get hacked all the time.

This may also be a good way to explain to your company’s management that lives are actually at stake if cyber risk management of the devices does not check out. Management is often less concerned with these technicalities and more focused on sales, as we’ve recently seen in the passenger aircraft industry: regulatory Cassandra and engineering Cassandra sound the alarm (this design is unsafe and does not meet requirements), regulatory Cassandra and engineering Cassandra are subsequently completely ignored or told to shut up, after which the risk does materialise and management bails with their golden parachute. Is that a responsible way to do things? As my grandmother would say: asking the question is answering it.

So let’s be responsible. Even if security by design is the best way to have safe technology, yet it is also an important concept under pressure because of the way technology is designed, developed and deployed. I have seen at many companies that design and development processes are just not set up or funded to deliver the best possible outcome in this regard. Under the MDR and IVDR this will not fly anymore, and substandard processes or outcomes will lead to non-conformities and/or enforcement.

An introduction

So how does cybersecurity function under the MDR and IVDR and how is everything interrelated? The below visual from the introductory chapter gives a nice overview.

Cybersecurity Act

This concerns a lot of processes, all of which are interrelated. I teach MDR these days by using the acronyms Connected Everything and Consistency Everywhere. This is definitely true for cybersecurity as well, because its requirements affect many processes and a lot of documentation horizontally and even diagonally:

  • Conformity assessment procedures: Article 52 MDR / 48 IVDR
  • Privacy and data protection: Article 62 (4) (h) MDR / 58 ((4) (h) IVDR: General requirements regarding clinical investigations conducted to demonstrate conformity of devices (this is not really addressed in the guidance but I’ve written something about it in this blog)
  • Post-market surveillance system of the manufacturer: Article 83 MDR / 78 IVDR
  • Post-market surveillance plan: Article 84 MDR / 79 IVDR
  • Post-market surveillance report: Article 85 MDR / 80 IVDR
  • Periodic safety update report: Article 86 MDR / 81 IVDR
  • Reporting of serious incidents and field safety corrective actions: Article 87 MDR / 82 IVDR
  • Trend reporting: Article 88 MDR  / 83 IVDR
  • Analysis of serious incidents and field safety corrective actions: Article 89 MDR / 84 IVDR
  • Technical documentation: Annex II MDR and IVDR
  • Technical documentation on post-market surveillance: Annex III MDR and IVDR
  • Clinical evaluation and post-market follow-up: MDR and IVDR  Chapter VI and Annex XIV MDR / XIII IVDR

Let’s take a look at risk management, because that is at the core of cybersecurity. Risk management is dealt with much more prescriptively in the MDR and IVDR than in the directive. GSPRs 1 to 8 in Annex I in both regulations hardwire risk management into the law much more prescriptively as happened under the directives, and there is a lot of risk management language scattered in the text of the regulations. You have to meet these requirements meet by default now (like the risk management system pursuant to article 10 (2) in both regulations).

The guidance ties the different parts of the MDR or IVDR that have to do with cybersecurity together, both visually and by means of a neat table, because everything is connected indeed.

General safety and performance requirements

The guidance also contains a convenient table for reference to Annex I related cybersecurity obligations. This is not the whole picture for the whole MDR and IVDR though, mind you, but it does show that the cybersecurity related measures are not only contained in sections 17 and 16 of Annex I of the MDR and IVDR respectively – and this table just shows the links within Annex I of the MDR and IVDR.

Table 1 Correspondence table between sections, relevant for this guidance, in MDR Annex I and IVDR Annex

Basic cybersecurity concepts

Chapter 2 of the guidance discusses a number of important concepts in cybersecurity. The guidance revolves around the well-known CIA concept (Confidentiality, Integrity and Accessibility) throughout the lifetime of the device. These requirements are described quite well in the BSI White Paper on Cybersecurity for Medical Devices.

Compromised CIA might impact medical purposes as specified in the medical device definition in MDR Article 2.
The guidance defines 8 security practices, which largely overlap with the premarket considerations set out in the IMDRF’s Principles and Practices for Medical Device Cybersecurity document that is currently under consultation.

Operating environment and other stakeholders

The relationship with the operating environment is discussed in a number of places in this chapter of the guidance and elsewhere in it. The manufacturer must have a good understanding of the operating environment in which the device will be deployed to be able to implement appropriate layered defense measures independent of and not affected by the operating environment, to ensure that the medical device is designed and manufactured in a way that ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimized. This is why GSPR 17.4 MDR and GSPR 16.4 IVDR require that the manufacturer addresses what operating environment conditions the device has been designed for in order to work safely as intended. This also applies to modification of a device! The guidance refers explicitly to the IMDRF Practices and Principles document here, and section 3.6 of the guidance goes into quite a lot of detail on the operating environment.

One of the important and interesting parts is the interface between manufacturer and other stakeholders (systems integrator, operator, end user) emphasizing joint responsibilities. While I think it is very important that the MDCG stresses that cybersecurity is a collective effort, the MDCG shows in this section that it does not always completely understand how contracts between manufacturers and customers work.
The operator section (2.6.2) does not mention the concept of health institution defined in the MDR and IVDR, although it seems to refer to this concept because it describes the operator as the party procuring the device, which is strange. It would have made sense to link this, as this does happen in the IMDRF’s Principles and Practices for Medical Device Cybersecurity document.

Secure design and manufacture

Secure design and manufacturing begins with the end in mind, which means managing risks from the very start and keep managing risks throughout the life cycle. Did I say already that risk management under the MDR and IVDR has become much more detailed and prescriptive?

Risk management

I find that many companies do not do a very good job at this. Security as a requirement is added to the process too late, or the development process is chaotic and badly documented and does not take security into account at all. Or, that happens too, nobody tells the software engineers about these requirements and they find out when the development cycle does not allow for sufficient time to get this right anymore.

Standards

One of the big problems with secure design and manufacture is that there are (stilll) no harmonised standards under the MDR available. This means that there are no standards that give an automatic presumption of conformity under the MDR and that manufacturers of MDR covered devices will need to do their own state of art assessment per GSPR, will need to include rationale in their technical documentation why the standard selected is the appropriate standard for the GSPR concerned and why the standard is state of art. Notified bodies will audit this rationale and will find non-conformity where the rationale is lacking.

COCIR has developed a convenient overview of relevant standards in its 2019 document Advancing Cybersecurity of Health and Digital Technologies:

PRE-MARKET

The guidance contains a list of standards in Annex III of the guidance, which largely overlaps with the above COCIR overview but mentions a number of additional standards as well, such as IEC 82304-1 Health Software Part 1: General requirements for Product Safety and of course the good old EN ISO 62366 / ISO 60601-4 Usability Engineering.

Documentation and instructions for use

The guidance makes it very clear that the system for risk management required under article 10 of the MDR and IVDR, which is laid down in the documentation of Annexes I (GSPRs), II (technical documentation, contains the GSPRs) and III (technical documentation on PMS).

In addition there is the information supplied with the device, sections 23 (MDR) and 20 (IVDR) of Annex I. The guidance contains a detailed overview of the requirements. Mind you that EU MDR and IVDR risk management is very specific and strict on first applying risk management as far as possible via design and risk reduction and only then managing the acceptable residual risk by providing user information.

PMS and vigilance

One of the important, but in my view also stil underdeveloped items in the guidance, is PMS and vigilance with respect to cybersecurity. This is the area where I expect the market to have the steepest learning curve.

Under the MDR and IVDR PMS is much a more prescriptively active lifecycle process that must be laid down in the PMS plan based on article 84 MDR and 79 IVDR, which means that the manufacturer must continuously evaluate whether the cybersecurity measures applied for the device remain state of art. Just passively reacting to user complaints is clearly not the way to meet this standard – a manufacturer that can not demonstrate having a PMS plan in place with the elements in Annex III, 1.1 (b) MDR and IVDR will not be seen as compliant and his devices will not be seen as safe.
As the IMDRF puts it in the Principles and Practices document:

“As vulnerabilities change over time, pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a post-market approach is necessary in which multiple stakeholders play a role. This post-market approach includes various elements and include: the operation of the device in the intended environment, information sharing, coordinated vulnerability disclosure, vulnerability remediation, incident response, and legacy devices.”

For devices that run software and that are software the cybersecurity section will be a very important part of the PSUR or PMS reports (article 85 and 86 MDR, articles 80 and 81 IVDR).

Vigilance processes at the manufacturer will need to be set up in a way that they can recognize cybersecurity issues and can get to the bottom of the root cause, and can do this very quickly. This is why the IMDRF Practices and Principles document recommends setting up

“an incident response management policy and build an incident response team based on its product portfolio. The aim of incident response team is to provide appropriate capacity for assessing, responding to and learning from cybersecurity incident, and providing the necessary coordination, management, feedback and communication, for timely and pertinent action during the next incident.
Preparedness includes establishing an incident management policy, developing detailed incident response plans, building an incident response team, routinely testing and exercising incident response, and continuously improving this capability through lessons learned.”

Or in the words of the guidance: An effective and successful post-market cybersecurity surveillance program should include the following aspects (section 6):

  • operation of the device in the intended environment;
  • sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors;
  • vulnerability remediation; and
  • incident response

The guidance emphasizes the active elements of PMS that are underlined in Annex III too, stating that this must include handling and remediation of cybersecurity incidents and vulnerabilities reported through the post- market surveillance and vigilance systems shall be carried out conforming to the methodologies described in section 3.2 of the guidance, with regards to:

  • Assess the need for reporting serious and non-serious incidents and of carrying-out field safety corrective actions;
  • Enhancing security capabilities;
  • Update the original Security Risk Assessment;
  • Update the Verification and Validation;
  • Update the original Security Benefit Risk Analysis; and
  • Update the Technical Documentation.

Can you see how these requirements are life cycle commitments to make the device and its risk management better? Welcome to the MDR and IVDR because that is the expectation. You will never be done improving your device and its cybersecurity.
The guidance goes into some detail describing vigilance reporting formalities. As I will discuss in relation to the GDPR below these processes will need to be linked into the GDPR incident procedures, such as notably data breach procedures. Mind you that the GDPR can require super fast reporting and even reporting to data subjects (patients). The link between devices cybersecurity and GDPR data security is also very evident in the section about legacy devices of the IMDRF Principles and Practices document (section 6.6) which is an area discussed under GDPR guidance years ago.

Companies often tend to focus on a patch as a corrective measure, but just pushing out a patch may not be enough and other compensating controls may need to be deployed. Also, a patch may create other vulnerabilities, so even the patch itself and the patch delivery process is subject to risk management (e.g. can you trust your user to administer the patch in a timely fashion proportionate to the risk and what if they don’t?). The IMDRF Practices and Principles document has a helpful section on patches and patch processes in the overall discussion of vulnerability remediation in section 6.4.

Cybersecurity in clinical trials

While the focus in the guidance is very much on cybersecurity for devices as part of CE marking, the MDR and IVDR also have cybersecurity requirements for clinical and performance trials that you do not really hear anyone about. Interestingly this is also not discussed in the MDCG guidance in any level of detail, although this is an important subject. It also goes to the heart of your clinical trial agreements and CRO agreements.
Article 72 (4) MDR and 68 (4) IVDR contain requirements for security and confidentiality of personal data of trial subjects, or more precisely: appropriate technical and organisational measures shall be implemented to protect information and personal data processed against unauthorised or unlawful access, disclosure, dissemination, alteration, or destruction or accidental loss, in particular where the processing involves transmission over a network.

These measures are not subject to notified body conformity assessment but rather to member states competent authorities oversight and actually their inspection (article 72 (5) MDR and 68 (5) IVDR). They do not only apply to trials where an investigational device is tested, but also concern the set-up of any devices trial involving other non-investigational devices, e.g. home monitoring of trial subjects with wearables and apps.

Because cybersecurity in clinic trials is also much focused on confidentiality of patient data, this means that any process of the manufacturer must be closely intertwined with software and software device security processes. Since these processes are often facilitated through third parties (CROs), everyone has a role in this. Where the device itself is investigational, it should already be up to standards from a cybersecurity perspective, which should be checked as part of the approval process (article 71 (3) (c) and (e) MDR and article 67 (3) (c) and (e) IVDR: whether the measures planned for the safe installation, putting into service and maintenance of the investigational device are adequate and whether the device meets the requirements for a safe clinical investigation device (which includes solid risk management).

All of these measures must be made transparent: the application dossier under Annex XV MDR or Annex XIV IVDR contains (Annex XV, 4.5 MDR or Annex XIV,4.5 IVDR) a description of the arrangements to comply with the applicable rules on the protection and confidentiality of personal data, in particular (so not limited to or only):

  • organisational and technical arrangements that will be implemented to avoid unauthorised access, disclosure, dissemination, alteration or loss of information and personal data processed;
  • a description of measures that will be implemented to ensure confidentiality of records and personal data of subjects; and
  • a description of measures that will be implemented in case of a data security breach in order to mitigate the possible adverse effects.

This means that also member states’ approval bodies need to be able to understand this.

Links to other EU and International legislation and guidance

The MDR and IVDR are not an island in how they prescribe cybersecurity requirements. The below overview of the Commission shows the whole picture, of which I will discuss some of the regulations and directives referred to.

European

GDPR

As we have seen above, the MDR and IVDR weave the GDPR in already where it comes to data and IT security in clinical trails, as well as for the investigational device design. But there is more.

The GDPR contains requirements regarding privacy by design and default (default being an interesting one in the light of Annex I 17.4 MDR and 16.4 IVDR about operating environment), which includes the security to ensure this, as you can see in the ENISA Handbook on Security of Personal Data Processing. For the English speakers, some ICO guidances on security under the GDPR can be found here, here and here. Mind you, the UK has left the EU, so the ICO has nothing more to say about the GDPR for the future so only past guidance is of any use. There is also more security related guidance under the GDPR at the Commission’s website.

The GDPR furthermore requires reporting and investigating data breaches in a time frame much shorter than normal vigilance reporting deadlines under the MDR and IVDR and the sanctions for not meeting this deadline can be quite severe. In severe cases, companies are also obliged to communicate the data breach to all data subjects involved without undue delay and under 72 hours.

A data breach for GDPR purposes and a serious incident for devices regulation will often overlap, which means that a company should have interfacing procedures to ensure that it does not act inconsistently. As you can see in the Annex II to the guidance (Examples of cybersecurity incidents/serious incidents), many of the cybersecurity incidents mentioned also involve a data breach or other form of access/processing that was not as intended. Therefore there should also be a very good connection between the company Data Protection Officer and the PRRC under the MDR and IVDR, to ensure that data protection related risk management and devices related risk management is consistent and adequate. Reporting requirements under the GDPR and MDR/IVDR also vary, which has to be accounted for in the procedures.

Keep in mind that where there are a number of parties involved (e.g. devices company, third party cloud provider, third party installation and maintenance services provider, health institutions and patients) in different jurisdictions in different time zones, things can get very complicated very quickly if you have not planned in advance and 72 hours is very very short then. Also, your customers may have additional reporting obligations, for example under the NIS Directive if they are EU healthcare institutions.

NIS Directive

Healthcare institutions are likely to be subject to the security obligations foreseen by the NIS Directive. As explained here, the NIS Directive had to be implemented by the means of national legislation by member States before May 2018.

In fact though, several member States have envisaged delays in its transposition and some especially with regard to the identification requirement of Operators of Essential Services, which normally would include healthcare institutions. While the situation appears promising, a further coordinative effort at a European level might be needed, in order to ensure a more coherent implementative approach.

See here for a good overview of NIS Directive obligations. While the devices industry is not subject directly to these, its customers (healthcare institutions) often will be.

The guidance contains a convenient Annex I with Mapping of IT security requirements to NIS Directive Cooperation Group measures.

Cybersecurity act

The EU Cybersecurity Act envisages the creation of a pan-European cybersecurity certification framework for ICT products and services. The healthcare sector may be perceived as one of the key sectors to be covered by one or more ICT security certification schemes. Nonetheless, significant steps need still to be taken to this regard.
An overarching European Cybersecurity Certification Group will be established and each country will need to appoint a certification supervisory authority. Creating these structures may cause additional fragmentation of, and/or overlaps with, existing security policies.
Whereas the cybersecurity certification in principle is voluntary, this can be overruled by any Union or Member State law. As a consequence, a patchwork of regulatory requirements may appear, as Member States introduce their own requirements for cybersecurity certification.

Overall

The document is a helpful piece of guidance for a more wholistic picture of cybersecurity requirements under the MDR and IVDR put in context. It feels however put together hastily, which is evidenced by the first published version containing formatting errors and typos even in the title of the document on the cover page. The document does not fit together as systematically as it could, which shows to me that also for the MDCG this is a developing item.

Although the MDCG guidance has helpful visuals in it, the IMDRF Practices and Principles document is set up much better and more systematically, and contains many useful and precise examples. Used together these documents are very useful.

Manufacturers that already implement very solid state of art software design may find that they need to up their game somewhat (this will not be the majority),  but I am sure that there are many manufacturers that will need to make significant improvements, especially in the nexus with the GDPR and their PMS/vigilance procedures.

Health institutions would do well to understand the operator and end user dimensions of this, as knowledge and capacity is often lacking in my experience.

CROs and other service providers also need to understand these requirements.

This document should therefore be used in context with GDPR guidance, the other software guidance MDCG 2019-11 and the to be expected Guidance on clinical evaluation and performance evaluation of medical device software.

The MDCG MDR joint implementation plan

Archer Meme | DO YOU WANT SCENARIOS? THIS IS HOW YOU GET SCENARIOS | image tagged in memes,archer | made w/ Imgflip meme makerThe MDCG just published a joint implementation plan regarding the MDR. Here is my summary and analysis. It’s not a happy story.

Not the IVDR

This implementation plan is not about the IVDR, and the fact that it is not about the IVDR is information in itself. It means that the MDCG is not even thinking about the IVDR at the moment, because it needs all its resources to keep the MDR on track. At the end the document mentions: “It is also vital, following the 26 May 2020, to focus on the implementation of IVDR to ensure effective application as of 26 May 2022.” In other words: IVD industry, you are on your own for the moment. When the MDR applies it’s your turn with less than two years of transitional period left. That’s three good years of transitional period lost, like tears in the rain.

EUDAMED

The plan provides that

“the Commission services and Member States are working closely to identify harmonised administrative practices and technical solutions to facilitate the exchange of information until EUDAMED is functional, in particular for cases where such exchange would be difficult to achieve based on the corresponding provisions under the current Directives. Guidance documents are being prepared in this respect with the aim of being endorsed by MDCG before 26 May 2020. The Commission services are pursuing the development of EUDAMED with the highest priority to deliver the actor registration module by May 2020 and other modules in a gradual manner thereafter, working towards full functionality by May 2022. The actor module will be deployed from 26 May 2020 and an MDCG position paper is under preparation with the aim of explaining the issuing of Single Registration Numbers (SRNs) and to encourage a common approach across the EU to record actors’ data.” 

This is literally nothing new compared to the Commissioner’s statement in the December council meeting. I certainly hope that at least some progress was made in the background. 

From an operational perspective, the development of EUDAMED will continue based on the functional specifications made public in March 2019. Following the release of the actor module by 26 May 2020,  EUDAMED will be deployed in two phases:

  • First phase: UDI/devices registration, the notified bodies and certificates modules (when functional).
  • Second phase: vigilance, clinical investigation and performance studies and market surveillance. 

The document mentions that the Commission services are committed to keep MDCG regularly updated on the overall progress towards full functionality of EUDAMED. This would be a nice change. Remember the December 2019 Council meeting? The Member States were not at all happy about how they had been kept in the dark about where the Commission was with EUDAMED. Let’s hope that has improved now.

Turkxit and Swixit

The paper confirms what we already knew: Turkxit and Swixit are completely on the table still, and timely inclusion of the MDR and IVDR (Regulations is used in plural in the document) is unsure. 

The implementation plan also solves a question that I was asked by more than one company: do we need an AR for products of Swiss origin? Contrary to my own position and advice to clients so far I have seen some lawyers defend that you do not. The implementation plan now says univocally that you do need an AR:

“For products of Swiss origin or products from third countries having their authorised representative in Switzerland, EU authorised representatives and registration according to the MDR will be required.”

Did I ever say that this was the time to think about scenarios? Well, this is the time to think about scenario’s. And then I did not even mention Brexit scenarios. Because you’ll need a scenarios for that too. If you need help, let me know and amaze me with a scenario that I have not seen yet. You really have to understand the MDR economic operator regime at this time. If you don’t, there will be costly mistakes.

Exceptional emergencies

The MDCG reminds us about the procedure under article 59 (8) MDR and underlying national measures as a last resort. Yes, we know about that for a long time, if only because MedTech Europe told everybody about it last December. It would be rather nice if we would have known something about how the exception would be applied in practice. Now we just know that the Commission can extend a national exemption to a Union wide one under exceptional circumstances, which is literally what the law already says for years, since 5 May 2017 to be precise (date of publication of the MDR). This is not the kind of clarification we are looking for, MDCG!

Priority actions regarding placing on the market of devices

The implementation plan defined a number of priority actions and if the EU says “priority” and MDR in one sentence, then you know it’s urgent and it’s serious. Someone is on the ball and decisive action is taken!

Remember all the ‘priority’ guidance promised in December 2017? Still to arrive. What is disconcerting to me is that these actions are defined as priority actions to be taken, while I would think that most of them should be underway for years by now:

  • Endorse guidance on the application of the transitional period, notably in relation to the interpretation of conditions concerning “significant changes” in accordance to Article 120(3) of the MDR (MDCG) – this should have been there long ago.
  • Endorse guidance on the consultation of relevant authorities for legacy devices with ancillary substances or manufactured using TSE susceptible animal tissues (MDCG) – this should have been there in May 2017.
  • Endorse guidance on how affected manufacturers of some class I devices can make efficient use of the transitional provisions in Article 120 (3) and (4) of the MDR (MDCG) – fortunately I have written my version of guidance for you in a blog (the draft corrigendum described in that post turned out as expected).
  • Request regular reporting from industry and notified bodies and monitor market developments and activities performed by notified bodies aiming at detecting possible delays that could lead to shortage of devices on the market (Member States and Commission services) – at this point everybody is voluntarily shouting this at the Commission and especially MedTech Europe and COCIR have been more than vocal in this regard.
  • Examine different means to ensure availability of safe and critical medical devices and provide guidance, as appropriate (Member States and Commission services) – indeed, also the MDCG apparently does not seem to do a lot in terms of scenarios if they are only starting with this now.
  • Provide for mechanisms to communicate between Member States Authorities and the Commission on availability, potential risk of shortages and measures taken to ensure availability of safe and critical medical devices. (Member States and Commission services) – same comment as previous point.

So we have priority actions without deadlines and no further concrete implementation plan. If that does not inspire confidence I don’t know what will, pardon the cynicism.

Clinical

Several things are holding up clinical matters under the MDR.

First, we do not have operational expert committees for the application of the clinical evaluation consultation procedure (scrutiny procedure) – no expert panels yet, no internal procedures.

Secondly, we do not have guidance that has been forthcoming for a loooong time: on clinical evidence needed for medical devices previously certified under the MDD and AIMDD (the legacy medical devices) and on equivalence for well-established technologies.

The MDCG has been shockingly slow to deliver this. We now have timing for 26 May 2020.

Implementing acts and further guidance

There are implementing acts that are in place, and there are implementing acts underway, the plan helpfully informs us. Progress! We had no idea about this. The Implementing Decision for the standardisation request to CEN/CENELEC for MDR / IVDR harmonised standards, the Implementing Regulation on Common Specifications for the reprocessing of single-use medical devices and the Implementing act on devices without an intended medical purpose (Annex XVI MDR) are in the pipeline and may even be adopted by 26 May 2020, while this concerns essential foundational material that should have been adopted in 2017 because it was needed already then to make a difference for effective implantation by the market.

The MDCG refers to a number of the guidances on the roster that we knew about from the rolling guidance overview. No dates for delivery, so no new information.

After reading

I must say I felt rather disappointed and underwhelmed after reading this document, which did not contain anything new apart from a shocking lack of progress with implementing the MDR and confirmation of what I feared was happing: that the IVDR implementation was put on the back burner pending MDR resolution. I am not optimistic about the period up to 26 May, and I am not optimistic about IVDR implementation either, not in the least because the IVD industry also seems slow to catch on to the IVDR, which means trouble brewing.

 

%d bloggers like this: