An MDR and IVDR transition plan

The year is off to a good start, and so should your company be with its MDR and/or IVDR transition plan.

Come again? You haven’t started looking at this yet because the MDR and IVDR are not yet final and the transitional period will run to approximately half 2020? Your management is not interested in making resources available?

Not so smart

That’s not so smart. It’s like doing a #Brexit without considering the consequences first and then hoping everybody else is nice enough to give you a good and quick trade agreement deal, because … well why not?

You may think everything can’t possibly be that complex – until you find out later that there is more to this whole thing that looked so simple at the moment when you were not really looking at it yet.

Your company may be one of the many companies expected to find out too late that some things took more time than expected, or were more contingent than they looked:

  • notified bodies that will not come online for certification of products before well after half of the transition period of three years has expired. And then they still have to start with pushing all existing medical devices on the EU market through an MDR / IVDR certification process (which is stricter than under MDD/IVDD).
  • additional clinical evidence may well be needed for your devices under the MDR. If you need to generate it in clinical trials, registries or other time consuming processes, you should know about it sooner or later. And your notified body will need to be on board with what you are going to do. Is yours already? I bet not.

These are just two contingencies that have a crucial impact on your MDR implementation strategy.

There are a lot of other dependencies too – like your suppliers that you need to control more, and other jurisdictions that rely on the CE mark for your devices.

No grandfathering

Many companies think that there will be some process to slide in the devices that are already on the market and are not causing any problem, so that’s easy. There is not, so there is no easy solution there. There will be no grandfathering or similar process – any device that is not certified into the MDR or IVDR by the end of the transitional period and the various limited overrun periods can not be placed on the market any longer. It will be illegal to place such devices on the market. The only thing close to grandfathering is the five/three years period that you will have to still sell off devices that were compliant under the MDD/IVDD and were placed on the market before the date of application of the MDR/IVDR. Those can still be sold off to end users for another five/three years post date of application (so after the transition period of three/five years ends).


No placing on the market means no cash flow. No cash flow means bankruptcy sooner or later, or bought at a discount by a competitor or strategic investor. Strategic investors and acquisition driven companies are already on the prowl for companies that are candidates for not making the cut of the MDR/IVDR and will swoop in when opportune.

If you get this wrong or get it right too late your company goes off the cliff like Wile E. Coyote, still wondering what went wrong all the way down. That’s why you need to start thinking now.

You’re into software and think you’re not placing software on the market because it’s made available as a service from outside the EU? They’ve got that covered too – if your software is a device by the new standards, it will have to meet MDR/IVDR requirements regardless of whether it’s placed on the market or not.

Transition plan – journey towards compliance

This one is for MDR transition – working on one for IVDR transition too:


Start working on your transition plan – the journey towards compliance, like every journey, starts with the first step. Then you keep on going until you reach the end, and then stop. Like in the Lord of the Rings – it’s an easy journey conceptually (just take this ring to that mountain) but you’ll be slaying a lot of orcs and fighting monsters before you finally complete the quest.

By the way, even Wile E. Coyote made plans. There’s no reason why you should be less clever than a cartoon figure.

The above picture is a single roadmap that you can put on a slide to explain to your organisation or management what the necessary steps are, where the journey begins and what you need resources for. This picture is based on the excellent General Data Protection Regulation game plan (another project that you should be well on your way with by now – the transitional period for that regulation ends 25 May 2018 and the GDPR has significant overlaps with the MDR/IVDR, e.g. on design requirements for devices (including standalone software) that process personal data).

IVDs largely similar

The roadmap for IVDs transition to the IVDR is largely similar, except that the transitional period is two years longer but the sell-off period is shorter.


And the dependencies at the end are even more scary: the reference labs will not be appointed until four and a half years into the five years transition period. That means that there is almost no time for the highest risk IVDs to be certified into the IVDR during the transitional period.

For IVDs the chance that companies underestimate the necessary efforts is even bigger, because the large majority of IVDs are currently self certified, regardless of their associated risks. The IVDR will turn this upside down and notified body certification will be the rule for the large majority of IVDs. This is a huge quantum leap in regulatory burden. It means that for the majority of IVDs a third party will take a critical look at the underlying technical documentation and performance data for the very first time. You can imagine that not all technical documentation may be in the shape that the IVDR expects. The IVDR will require a lot more and different types of data to substantiate performance, and will require more clinical data too. Producing data costs time. It costs money. It requires planning. I cannot over-emphasize how important it is for the IVD industry to engage on this. Your company does not want to be the puff of smoke that remains if Wile E. Coyote goes off the cliff.

Start now!

Each of the items described in the roadmap has a lot of detail to it, which leads companies to typically underestimate the effort. The gap assessment, impact assessment and remediation take a lot of time. It means you will have to more or less completely revisit each and every device that your company has on the market and in the pipeline, as Gert Bos and I have explained in BSI’s white papers on the MDR and IVDR. BSI has a good white paper on MDR transition too.

Detail takes time, and detail takes resources – don’t forget. Use the resources on this blog, use others of the plentiful resources that are available publicly on this subject.

Talk to your trade association, participate in the discussions at MedTech Europe, COCIR, Advamed, your local trade association, etc. so you know how other companies are dealing with this.

Make sure that your management does not underestimate this process. Hey, it’s only about company core products and core processes so why would that not merit the resources it needs, right? My apologies to be somewhat cynical but I see a lot of companies (also big and sophisticated ones) underestimate this completely. And if I’m wrong – tell me in a few years time and I’ll gladly apologise for crying wolf then while congratulating your company on being compliant well in time.

And, finally, my firm and its network is there. We are helping many companies wrap their head around it and will gladly help you too.

But do something now and don’t wait – at the very least start by understanding what this is about and what it will mean for your organisation. Your competitors are working on this already.

Festive alert! Change is on its way.

Change is on its way – medical devices law will not be the same again as of next year.

Panic soccer

The authorities are not your friend anymore.

Notified bodies are engaging in massive ‘panic soccer’ (Dutch expression) dropping companies like they’re hot.

If you have not implemented the new clinical evaluation MEDDEV fully by now this should have your utter undivided attention. Otherwise, count on your CE certificate for the device(s) affected being suspended without warning after the next notified body audit. And make sure to watch that your notified body does not enthusiastically suspend the entire certificate for all your devices by mistake and then runs away to hide under a rock while you can go deal with the fall-out. I’ve seen this happen already. Panic soccer – be prepared and make sure you keep your eyes on the ball.

Super nova

You should already be well into your transition work for the MDR and IVDR, or at least have a plan about what to do when. The EU will not grandfather, so do not count on this to happen. For every device on the market you need to take a decision to

  • remediate (bring it into compliance with the MDR/IVDR),
  • replace (replace it with a device that is or will be compliant with the MDR/IVDR), or
  • retire the device (investment too high to phase it into the new requirements).

EU medical devices legislation will go supernova to more than six times its current size halfway 2017. Is your company prepared for that?

Data protection

Have you thought about the impact of the General Data Protection Regulation? It’s not devices law per se but its privacy by design obligations impact your new software design requirements under the MDR, just to mention one thing. You need to prepare for its data portability requirements. If your medical device or related service has any IoT functionality, it will be affected by the hateful eight that this new EU law brings. It will impact severely on your clinical data processes (as it deals with protection of personal data concerning health). It is already in effect, and its transitional period will end on 25 May 2018. Can you redesign your data processing hardware and software before that time, and do you need to? Just one of the questions you should be asking yourself now.

Busy times ahead

Yet, I wish you quiet, joyful and festive holidays for the moment (no implied warranties). Recharge, and keep your eyes on the ball in 2017.


Privacy by design and data portability

I’ve often warned medical devices companies that they need to start looking at privacy by design obligations under the General Data Protection Regulation, the GDPR. Engineers at a company where I gave an in-company presentation earlier this year were seriously unhappy that privacy by design obligations can affect both hard and software and that the deadline for transition expires on 25 May 2018. They were surprised, annoyed and then in panic (in that order) because of the time it takes to redesign capital equipment and clouds that these devices feed into. That’s right, by end of May 2018 all the hardware and software that processes personal data and personal data concerning health of EU data subjects must comply with these rules. If it doesn’t, it cannot be used to process that data because it’s non-compliant.

Did you know already that the maximum fine under the GDPR is 4% of the total worldwide annual turnover of the preceding financial year of a company? Happy times if you have to break the news to your boss that your department singlehandedly evaporated last year’s profit for the entire company everywhere.

Pacemaker and other device data

One example of data portability in practice is the ongoing discussion between patients and companies about if the patient can receive the data in their medical device, e.g. pacemaker or continuous blood glucose monitoring system. Manufacturers would routinely say no, but cannot maintain that position anymore when the GDPR is fully applicable in 2018. That means that by then their devices and systems must have been redesigned to accommodate requests for data portability.

Hateful eight

This is why I have dubbed data portability as one of the ‘hateful eight’ of the GDPR innovations with regards to connected health (see slide 10) because it is a nasty one to implement, and will require quite some adaptation to devices and software to make this happen in practice:

I was recently speaking again about implementation of the GDPR in relation to data subjects’ access rights in relation to clinical data for medical devices. Companies present were seeing quite a lot of problems in implementing data portability rights for data subject with respect to clinical data that related to them.

Article 29 WP guidance

The Article 29 Working Party has now issued guidance on how this should work in practice:

“As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.”

Yes, you are reading that correctly:

  • download tools and APIs;
  • personal data that are transmitted in a structured, commonly used and machine-readable format; and
  • interoperable data formats.


“Article 20 of the General Data Protection Regulation (GDPR) introduces the new right of data portability. This right allows for data subjects to receive the personal data, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. This right, which applies subject to certain conditions, supports user choice, user control and consumer empowerment. […] The new right to data portability aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.”

This is not – ahem – where industry in medical devices and connected health is originally coming from although a lot has been improved over the last years.

Main elements of data portability

What rights will data subjects have and must your systems be able to facilitate? Even if you are not the controller, the GDPR obliges processors (which you will be then) to be able to assist the controller in implementing these rights. There are, according to the 29 WP guidance:

  • Right to receive (as complement to the right of access);
  • Right to transmit personal data from one data controller to another data controller;
  • Data portability tools that allow not only for direct downloads, but also for direct transmission to another controller.

The data concerned (the data that must be provided) is all data that the data subject provided, e.g. by virtue of the use of the device. Data that results from operations on that data (inferred and derived data) do not have to be provided, like for example an algorithmic model of the patient concerned created based on the data provided. Privacy by design would require implementing technical means to separate these data from personal data, because if this is not possible, everything must be provided.

IP rights do not as such constitute a ground for refusal, although a potential business risk might. In the words of the Article 29 WP:

“The right to data portability is not a right for an individual to misuse the information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights. A potential business risk cannot, however, in and of itself serve as the basis for a refusal to answer the portability request and data controllers can transfer the personal data provided by data subjects in a form that does not release information covered by trade secrets or intellectual property rights.”


Data controllers must inform the data subjects regarding the availability of the new right to portability.

It’s the controller’s problem if the data set is large. It has to be provided within one month and in any event without undue delay.

The request can only be made subject to a fee in case of requests that are manifestly unfounded or excessive. That means that the controller is not allowed to use fees as a means to pay for the technical means it must develop to meet its obligations.

Personal data are expected to be provided in formats, which have a high level of abstraction. As such, data portability implies an additional layer of data processing by data controllers, in order to extract data from the platform and filter out personal data outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional data processing will be considered as an accessory to the main data processing, since it is not performed to achieve a new purpose defined by the data controller.
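As an added illustration (not code from this blog or from the Article 29 WP guidance), the extra processing layer described above can be sketched in Python: an export that only the data subject can request, that returns provided data as JSON, withholds derived data and out-of-scope items such as passwords and payment data, and includes anything that was never classified because it cannot be separated. All field names, the category labels and the name-based secret check are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from typing import Any, Optional

# Category labels are assumptions of this example, not terms from the guidance.
PROVIDED = "provided"          # supplied by the data subject, incl. through use of the device
DERIVED = "derived"            # inferred by the controller, e.g. an algorithmic patient model
OUT_OF_SCOPE = "out_of_scope"  # passwords, payment data, biometric patterns

# Backstop for fields nobody classified: name fragments that suggest a secret.
SECRET_HINTS = ("password", "payment", "biometric", "token")


@dataclass(frozen=True)
class Field:
    name: str
    category: Optional[str]  # None means the field was never classified
    value: Any


class PortabilityError(Exception):
    """Raised when an export request must be refused."""


def classify(field):
    """Return (include, reason) for one field of a record."""
    if field.category == PROVIDED:
        return True, "provided"
    if field.category == DERIVED:
        return False, "derived"
    if field.category == OUT_OF_SCOPE:
        return False, "out_of_scope"
    # Unclassified data cannot be separated from provided data, so it is
    # exported, unless its name suggests a credential or payment item.
    if any(hint in field.name.lower() for hint in SECRET_HINTS):
        return False, "unclassified_secret"
    return True, "unclassified"


def build_export(record, authenticated_subject_id):
    """Build the export for the data subject plus an internal audit trail.

    authenticated_subject_id must come from the authenticated session,
    never from a parameter the caller can set freely.
    """
    if authenticated_subject_id != record["subject_id"]:
        raise PortabilityError("requester is not the data subject")
    data, audit = {}, []
    for field in record["fields"]:
        include, reason = classify(field)
        audit.append({"field": field.name, "included": include, "reason": reason})
        if include:
            data[field.name] = field.value
    export = {
        "format": "example-portability-export/1",  # hypothetical format id
        "subject_id": record["subject_id"],
        "data": data,
    }
    return export, audit  # the audit stays with the controller


def to_json(export):
    """Serialise deterministically in a structured, machine-readable format."""
    return json.dumps(export, sort_keys=True, indent=2)


# Constructed sample record for a hypothetical glucose monitoring service.
SAMPLE_RECORD = {
    "subject_id": "patient-0001",
    "fields": [
        Field("glucose_readings_mmol_l", PROVIDED, [5.4, 6.1, 7.8]),
        Field("meal_log", PROVIDED, ["breakfast", "lunch"]),
        Field("hypo_risk_model", DERIVED, {"score": 0.12}),
        Field("account_password_hash", OUT_OF_SCOPE, "<sample>"),
        Field("payment_token", OUT_OF_SCOPE, "<sample>"),
        Field("legacy_import", None, "free text from an old system"),
        Field("legacy_backup_password", None, "<sample>"),
    ],
}

if __name__ == "__main__":
    export, audit = build_export(SAMPLE_RECORD, "patient-0001")
    print(to_json(export))
    for entry in audit:
        print(entry)
```

The audit entries with reason "unclassified" are the ones to work through first: each is a field that is being handed over only because nobody has yet decided what it is.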

Happy redesigning!

Did I already say that all of this must be ready by 25 May 2018 at the latest? Better start if you have not started yet. And remember, whatever you implement by means of privacy by design may impact your new design obligations under the MDR (the new chapter 14 on software that applies to any software (both standalone and embedded), which addresses e.g. security requirements that may be impacted by a convenient API that allows a user to export their own data). Security requirements for data protection compliance purposes and for the new MDR software security design requirements are another happy overlap in this respect (see the Hateful Eight presentation framed above).

The authorities are not your friend anymore; and neither are notified bodies


Have you seen Mr Robot? If not, watch that series.

With the MDR and IVDR adoption in sight (currently scheduled for Q1 2017) I see a number of developments in the market, all converging on the higher standards that will be imposed under these new regulations.

By way of update, there is movement in the dossiers of the MDR and IVDR. The first drafts of the translations have been circulated for consultation in the mean time (I have the Dutch versions for example) with final numbering (123 articles) – there may be some small additions / changes too – we’ll have to see. I will write more about this in a later post soon.

Back however to the converging developments. First, I see notified bodies do more and more ‘unexpected’ things that affect manufacturers profoundly and take them by surprise. Secondly, I see authorities get tougher on the market especially in the Netherlands, by imposing high fines without warning for easily remediable non-conformities in the documentation for class I medical devices and self certifiable IVDs.

The following is my own personal perspective, but I have heard and hear it echoed by many companies, consultants and other stakeholders in the market.

Regulators! Let’s dance

In the Netherlands we see a development towards truly punitive enforcement of medical devices regulation, specifically in the areas of software as medical device and IVDs.

The authorities in the Netherlands have decided that they are going to raise the bar and come down punitively on manufacturers. We see more and more cases in which companies are fined quite substantial amounts that can easily bankrupt an SME (we see amounts from about € 50,000 to around 150,000) for non-conformities in relation to class I medical devices and self certifiable IVDs that a notified body looking at much higher risk products would issue a non-conformity with remediation period for. That’s right: in the Netherlands it’s currently way riskier from enforcement perspective to be in class I devices and self certifiable IVDs than in the highest risk devices conceivable. A large factor here are the Healthcare Inspectorate’s guidelines for the imposition of fines, which it applies in a way that many non-conformities are subject to fine without possibility of remediation and warning.

This would not be so bad if there would not be so many formality errors committed on the part of the authorities, for example being very unclear about when inspection proceeds into enforcement. At that precise moment a company needs to be told that it is no longer obliged to cooperate. Fundamental rights and good enforcement procedure, just a small detail. It leads to situations where companies enthusiastically cooperate in incriminating themselves because they want to remedy the non-conformity observed and cooperate with the Inspectorate to that end, but are not aware that the Inspectorate is already collecting facts to fine them. And they will. A few months later, suddenly, a letter arrives in the mail stating that the Inspectorate will fine the company for tens of thousands of Euros while the company was under the impression that the Inspectorate was just being helpful. So, if you are subject to an Inspectorate visit, no matter how friendly it unfolds: make sure that you put the inspector on notice that he/she should be more than abundantly clear about when the discussion moves to fact finding for the purpose of enforcement. This is just one of the issues we currently see in enforcement in the Netherlands.

Of course companies should adhere to the law, there’s no discussion about that. I just want to raise awareness for the fact that enforcement in the Netherlands has gotten some disproportionately punitive characteristics which worry me and – quite frankly – do not serve anyone except lawyers. Like mentioned, it’s kind of strange that you can get a big penalty for non-conformities that your notified body would just allow you some time to remedy in case of higher risk products.

We are now routinely appealing these decisions, and there are more and more of them coming in. The Dutch Inspectorate has clearly decided that it is coming down on the market and enforce it into compliance with a vengeance. We are also collecting enforcement/inspection experiences of medical devices companies in the Netherlands in order to start a dialogue with the government to seek to arrive at a more proportionate policy of oversight.

Do you have experiences with the Dutch IGZ in medical devices or IVD oversight under the new penalty guidelines? Let us know.

Notified bodies – drop it like it’s hot

The notified bodies have gone through a rigorous process of joint assessments that culled already many of the notified bodies in the market for AIMDD, MDD and IVDD certification (53 left at the moment, with the number still declining). As a result the notified bodies have also been given clearer marching orders as to how to deal with customer files that their notifying authorities see as problematic, for example because the clinical evidence is not up to standards.

This situation has led to what I have started to call the ‘drop it like it’s hot’ strategy on the part of notified bodies. I see that especially smaller notified bodies often adopt the extremely nasty and onerous tactic of letting a certificate expire, and subsequently confront the manufacturer with a de novo certification against a much higher (clinical) standard, with the notified body refusing to explain where this comes from nor being interested at all in the situation that this will disrupt the manufacturer’s business severely (especially in the case of SMEs that have only one or just a few products on the market).

This typically unfolds as follows: date of recertification approaches, manufacturer sends increasingly urgent sounding messages to notified body about planning of recertification audit (which are ignored by notified body), manufacturer trusts that notified body will however not allow certificate to expire just like that, notified body does exactly that, notified body informs manufacturer he must now obtain a de novo certification against suddenly much higher standards that the notified body refuses to explain.

I think it’s a shame that authorities are not supervising this better but instead seem to just push out marching orders to notified bodies regarding clinical data requirements. It is truly frustrating to see notified bodies using their delegated state authority of certification this way, especially since there are much more proportional ways to handle this. One such more proportional way would be to re-certify with a new PMCF plan.

In this regard it is especially onerous for manufacturers that current medical devices legislation does not provide for clear legal recourse against notified bodies, nor for clear rules about transferring from one notified body to another. In practice there is little you can do against a notified body decision. Some member states allow administrative appeal, but the authorities are – in my experience – very deferential to notified bodies and give them virtually unlimited discretionary power. Notified bodies, for their part, have little to no experience in exercising government authority in accordance with basic principles of rule of law. This leads to routine infringement of core principles of good administration like e.g.

  • non-arbitrary decision making (giving reasons to support a decision)
  • proportionality (imposing a measure that is least burdensome for the company, like PMCF instead of certificate expiry)

Yet, manufacturers have no effective recourse against this. The MDR and IVDR will contain a very rudimentary regime for the scenarios that a notified body ceases activities or its designation is restricted, suspended or withdrawn.

You can imagine that this will become more pressing during the MDR and IVDR transitional periods, during which the notified bodies will be under extreme pressure resource wise because not only must they themselves be re-notified, they must also hire more in-house staff and in the mean time certify all of their customers’ devices on the market into the new system, while dealing with the normal workload of surveillance and re-certification audits. This will become an ugly mess, and that is a big understatement.

Notified bodies – clinical evaluation circus

Another issue we see happening now is the urgency that is being put on notified bodies to push through clinical data standards that go towards the new MDR level as quickly as possible. This early summer (June 2016) we have seen the new clinical evaluation MEDDEV being adopted, without transitional period. Presently we start to see notified bodies beginning to suspend / refuse to renew certificates if they find in a surveillance or recertification audit that the clinical evaluation for the device concerned is not fully up to the standards of the new MEDDEV. Yes, immediate suspension – not a minor, not a major, but cease placing on the market with immediate effect. We have even seen notified bodies take this to the level of suspending a certificate with multiple devices on it for all devices, just because the clinical evaluation for one of them (which was not even being placed on the market anymore at the time) was not at the level of the new MEDDEV.

Once the certificate has been suspended or needs to be renewed, there is no way to make a notified body hurry up and even act quickly to correct manifest mistakes (like suspending a certificate for all products if only one product is affected by the non-conformity) or otherwise even adhere to basic principles of good administration discussed above. The lack of legal recourse here is truly disconcerting, given the enormous damage manufacturers suffer as a result.

Notified body liability is already an issue subject to appeal to the European Court in the TUV Rheinland case, but that case is about no-fault liability for damage resulting from defective products that get on the market and the notified body audits did not prevent this. Here we are dealing with other liability, in my view for negligent or unconstitutional use of delegated government power (official ability to issue certificates with legal effect). The Advocate General makes a compelling argument in the TUV Rheinland (PIP implants) case about liability in cases of notified body failing to fulfill obligations. She argues in para 39 of her opinion:

“Given the crucial role played by notified bodies in the procedure leading to the placing on the market of medical devices governed by Directive 93/42 and bearing in mind, in particular, the high level of protection to patients and users that that directive aims to provide (30) and the risks associated with the devices in relation to which they are required to carry out their examination, it seems to me entirely appropriate that those bodies should in principle be capable of bearing liability under national law to those patients and users for a culpable failure to fulfil their obligations thereunder, provided always that the principles of equivalence and effectiveness are respected.”

The AG concludes that it is therefore possible under the directive that a notified body can be liable vis-a-vis patients and users for failing to fulfill obligations. I think that the same applies with respect to manufacturers when these suffer damage as a result of a notified body failing to fulfill basic duties of good administrative law practice that a government agency would need to fulfill. Remember, notified bodies are almost like an emanation of state in how they operate and are controlled by their notifying member states. This liability will apply regardless of what the contract of the notified body says, because it would be quite something if a notified body could contract out liability for gross negligence in the way it fulfills tasks delegated to it by law.

However, given the state of harmonization of EU medical devices law, this will be a matter for national courts to determine because the medical devices directives are silent on this point. The forum to go to is the competent court in the jurisdiction that notified the notified body concerned. It will be interesting to see what the European Court will decide. Given the complete lack of effective recourse against notified bodies under the new MDR and IVDR, this problem will persist into the future and become far worse in the messy and choppy transitional period that we have on the horizon with less notified body capacity but more need for it.

Let us know

Do you have bad experiences like discussed with your notified body? Let us and/or MedTech Europe know. We are working on collecting information to raise awareness for this at the Commission and at the national notifying authorities, but we need actual experiences to demonstrate what is happening. The more we have, the more impact we can make.

It will be interesting

to see where all of this goes. It is quite clear however that manufacturers have to pay closer attention to compliance formalities and remediate quicker, also in the lower risk product ranges. With the new MDR / IVDR associated remediation / transition and possibilities for non-conformities manufacturers need to prepare for a rough period ahead in the next years.




The MDR – where are we now?

There seem to be a lot of misunderstandings in the market about the current status of the MDR. Some think it’s finished (it’s not, at least not formally) and there is a lot of insecurity about when it will enter into force.

Currently the MDR and IVDR are in the process of translation. The trilogue produced negotiated texts but these are still not perfect. Upon close reading one discovers typos and numbering issues as a result of the many amendments. When a group of people translates two very complex and partly overlapping texts in 23 languages from a negotiated text that still contains small mistakes and unclarities, there will be questions that arise about the interpretation of the texts. The texts may also require another look at them if that’s unclear. That is currently happening.

Also, the Council and the Parliament will have to give their formal blessing to the texts as follows:

  • Adoption of the Council’s first reading position end 2016
  • EP second-reading vote end 2016 / early 2017

When these approvals have been ensured, the MDR and IVDR official texts will be published in the Official Journal. These texts are final and will enter into force 20 days after publication. That will be the ‘date of entry into force’ in the regulations. And everything will unfold from there.

What were the big surprises coming out of the trilogue?

I have written a lot on this blog about how the MDR will work in general and have posted content that will provide you with a good high and even detail level of how the MDR works and what manufacturers should do to become compliant with it.

Some of the surprises in the MDR are also in the IVDR and I will not discuss them in this post (they were discussed in a previous post about the IVDR). These are:

  • advertising rules
  • competent authorities enlisted in liability cases

What then are the MDR specific items? These are the amended scrutiny procedure, a new classification rule for software and the last minute amendments to the transitional regime.

Scrutiny reloaded

The scrutiny procedure in the MDR has been revamped and is now called ‘mandatory clinical evaluation consultation procedure’. This ‘new’ procedure is essentially a repackaging of the scrutiny procedure and it now covers implantable class III devices and class IIb active devices intended to administer and/or remove a medicinal product for which no common specifications have been established. Article 44, which used to be the scrutiny procedure, has been rewritten into a sort of safeguard procedure that the competent authorities can use if they feel that the CE marked device should not have been on the market as CE marked after all.

The final scope of devices subject to the scrutiny procedure (implantable devices classified as class III, and class IIb active devices intended to administer and/or remove a medicinal product) was also something of a surprise. Earliest versions of the text of the MDR showed a much larger scope of devices subject to scrutiny and the proposed scope diverged immensely between Commission, Parliament and Council. In that light it is actually not so surprising that the end result of the scope was unexpected.

Software classification

If your company sells clinical decision support or monitoring software, brace for impact because a new classification rule especially for that kind of software was inserted during the trilogue so we did not see it coming. Rule 10a reads as follows:

“Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes, is in class IIa, except if such decisions have an impact that may directly or indirectly cause:

– the death or an irreversible deterioration of the state of health, in which case it is in class III;

– a serious deterioration of the state of health or a surgical intervention, in which case it is in class IIb.

Software intended to monitor physiological processes is in class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations is such that it could result in immediate danger to the patient, in which case it is in class IIb.

All other software is in class I. “

Rule 10a consists of three parts that apply to three categories of software:

  1. Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes – will now always be class IIa or higher
  2. Software intended to monitor physiological processes – will be class I, IIa or IIb
  3. All other software – class I

This rule will increase the burden for software and app vendors considerably if their software is currently a class I medical device under rule 12 of Annex IX MDD and has either clinical decision support or monitoring functionality. This is the case for most clinical decision support software, which is now specifically targeted by the first part of rule 10a. This software will be classified in any of the other available risk classes, which means that clinical decision support software will always be subject to notified body oversight under the MDR. Under the MDR manufacturers and notified bodies classifying such software will need to look at the risks associated with false positives and false negatives that the software can produce. The MDR does not define serious or irreversible deterioration in the state of health, but MEDDEV 2/12 rev. 8 on vigilance does define it. An example of a serious deterioration in the state of health is indirect harm (see paragraphs 5.1.1 and 4.11 of that MEDDEV), which may consist of misdiagnosis or inappropriate treatment as a result of false positives or false negatives.

The second part of rule 10a is current rule 10 but then applied specifically to software. The reason for this is probably the current unclarity regarding the current rule 10’s application to standalone software.

The third part concerns ‘everything else’, so essentially current rule 12 that most of the standalone software on the market is benefiting from, minus monitoring and clinical decision support software.

I made a nice little flowchart for the application of the rule:


A surprise within the surprise is that this classification clause is not mirrored in the IVDR, because also in the IVD field decision support software (the expert system functionality mentioned in MEDDEV 2.1/6, of which a new version has just been published by the way) becomes more and more important. I would have thought that software for the support of decisions based on interpretation of various IVD results could also have different risk profiles. Software for interpreting genetic test results for life threatening hereditary diseases would have a different risk profile than software for interpreting test results for the presence of pregnancy associated hormones. With the absence of a rule 10a analogue in the IVDR, standalone software will need to be qualified not by its functionality but by what test results it tests for.

If you are interested in more detail about this classification rule, check out my article in eHealth Law and Policy in which I describe the rule and its consequences in detail.

Transitional regime

As expected, a ‘solution’ was found to address the constraints preventing all medical devices from being transferred into the new system before the end of the transitional period, such as lack of notified body capacity, limited remainder of transitional period after re-notification of notified bodies, etc.

To that end the MDR contains the following transitional regime:

  • There is a three years transitional period running from the date of entry into force to the date of application (article 97 (2));
  • Certificates issued by notified bodies in accordance with Directives 90/385/EEC and 93/42/EEC prior to the entry into force of the Regulation shall remain valid until the end of the period indicated on the certificate, except for certificates issued in accordance with Annex 4 of Directive 90/385/EEC or Annex IV of Directive 93/42/EEC which shall become void at the latest two years after the date of application of the Regulation (article 94 (2)).
  • Certificates issued by notified bodies in accordance with Directives 90/385/EEC and 93/42/EEC after the entry into force of the Regulation shall remain valid until the end of the period indicated on the certificate, which shall not exceed five years from its delivery. They shall however become void at the latest four years after the date of application of the Regulation (article 94 (2) 2nd paragraph).
  • Devices which were lawfully placed on the market pursuant to Directives 90/385/EEC and 93/42/EEC prior to the date referred to in Article 97(2) may continue to be made available on the market or put into service until five years after that date (article 94 (3a)).

Devices that benefit from transitional provisions that allow MDD or AIMDD covered devices on the market after the date of application remain covered by these directives as regards vigilance, registration of manufacturer and authorised representative, Eudamed contents for the devices concerned and clinical investigations with these devices (article 96). Not sure how this works in practice, especially because the MDR is not clear about whether they are covered by the MDR for the other aspects – if that would be the case, the manufacturers of these devices would nonetheless be faced with a lot of new obligations, for example the new PMS obligations. If the MDR does not apply for the other items, then these devices would exist in a relative regulatory empty space, which would be unlikely to be intended. This is one of the big known unknowns under the MDR.

When you lay it out on a timeline I think the options in the transitional regime look a bit like this:


In the mean time, there are also other grave concerns

Governance and surveillance

There are serious concerns (by member states themselves no less) about the ability of member states to be able to staff all the functions required under the MDR, like staffing the MDCG, looking in the EUDAMED database, doing things with information from the EUDAMED database, etc. We will need to see how this plays out. Member states have traditionally been reluctant to allocate sufficient resources to medical devices surveillance and policy, so now is the time for them to step up and put their resources where their mouth is.

Notified bodies

The notifications under the MDD will remain in place during the transitional period so notified bodies will still be able to issue certificates under the transitional rules under the MDD and AIMDD, but there is no telling what notified bodies will be notified under the MDR when. More and more are going bankrupt or just ceasing business. An application for notification will remain voluntary and while the assessment of the application is not the member state’s sole prerogative, there is also no deadline for completing the process.

Nobody has any idea how long it will take for notified bodies to be notified under the MDR – I hear estimates ranging from 12 to 18 months. This means that for one third to half of the transitional period no certificates under the MDR will be issued and that the first certificates will be issued towards the end of the transitional period. This means that the capacity of notified bodies for certificates that are planned during the transitional period will be very limited. If your company’s transition strategy revolves around this, make sure that you keep your notified body very very close in your planning and execution of your company’s transition strategy.

Transition plan

Your company should by now be planning for the transition of its products and doing a gap assessment on what is needed to go from the MDD/AIMDD to the MDR. This is not something to be underestimated, because if you do it may cause severe disruptions: certificates expiring with no new certificate on the horizon. New clinical data to be generated that is not there, new procedures to be implemented that no one knows were necessary, devices being classified in higher classes (especially software (rule 10a) and substance based devices (rule 21)).

If you don’t know where to start, start with the BSI white papers on the MDR – I’m mentioning these because I know they are good quality and have contributed to several of them. BSI recently published a white paper on how to do a transition plan, which is a good overview of what is needed. You can also visit the panel I am moderating at the Advamed Conference in Minneapolis tomorrow (2.15 to 3.30 pm), which will concentrate on this.


Missed the session? I’m working on MDR transition plans for several big and small(er) manufacturers and would be happy to help leverage that knowledge for the benefit of your company – just let me know.


Software MEDDEV ‘updated’

The Commission issued an updated version of the MEDDEV 2.1/6 regarding standalone software on 15 July. After all the rumors around the difficult discussions surrounding the revision process I was very curious about the changes finally implemented.

Unfortunately these changes turned out to be very limited and in my view do not change the scope of the document or even bring anything new. Essentially what happened is that the Commission added some definitions and slightly amended the flow chart for qualification under the Medical Devices Directive by amending the first decision node of the flow chart.

Definitions and flow chart

The definition of software has been changed to a “set of instructions that processes input data and creates output data“. The new definition of software is used in the new question in decision node 1 in the Medical Devices Directive flow chart (“Is the product a software?”).

The MEDDEV defines the concepts of input data (“any data provided to software in order to obtain output data after computation of this data“) and output data (“any data produced by a software“) embedded in the new definition of software. The MEDDEV provides for a non-exhaustive list of examples of input data (data given through human interface input devices, documents and data received from / transmitted by devices) and output data (e.g. screen, print or audio data; digital documents). Nothing really surprising.

The MEDDEV now includes the definition of “Software as a Medical Device” (SaMD) from the IMDRF work item on software, but the definition is not operationalized anywhere in the MEDDEV, because the document only refers to the separately defined term “software”. The definition has no apparent function in the MEDDEV other than seemingly paying tribute to the IMDRF work on software.

Mobile apps

The new MEDDEV version contains a new statement to the effect that “The criteria specified in this document apply also to mobile applications.”. Again, not surprising because we knew that already since mobile apps were always software in scope of the MEDDEV. It’s a pity though that the revised MEDDEV does not contain any actual guidance specifically for mobile apps. That means we’re left with the guidance on mobile apps in the Manual on Borderline and Classification, which looks to be further expanded on an ad hoc basis as the Manual evolves.


Is this progress? Well, somewhat. However, to me it’s disappointing that the EU does not have more additional guidance to account for after four and a half years of experience with the software MEDDEV. It shows that the expert group working on the MEDDEV had a very difficult job in coming to agreement on what to put into the revised version because there are more than enough questions that could have been addressed. A missed opportunity, given the importance of the subject.

The final text of the IVDR: first impressions

The IVDR text that the Council, Commission and Parliament reached agreement on is finally public (since 15 June). I’ve had the time to read it now.

I am not going to draft a long summarizing article that describes the IVDR in detail. For that I refer you to the new BSI white paper on the IVDR that was just published and that I co-authored with Gert Bos. This white paper provides an overview and to-do list for manufacturers on a chapter by chapter basis, like the one on the MDR published earlier this year (which we will need to update now for the final text of the MDR).

What I will do in this post is describe some last minute surprises that were introduced in the IVDR during the trilogue negotiations compared to the Council general approach. These are the following.

Genetic testing

There were changes to the genetic testing clause, as I had hoped and argued should take place. The Parliament had an ardent wish to regulate informed consent procedures with respect to genetic testing in a lot of detail, which it does not have competence to do under the TFEU, as Julian Hitchcock and I have argued on behalf of companies providing genetic testing services.

The compromise now is that there is an information requirement and access to counseling requirement, except “where a diagnosis of a medical condition and/or a disease which the individual being tested is already known to have is confirmed by a genetic test or in cases where a companion diagnostic is used”.

Scrutiny revamped

The new IVDR mandatory clinical evaluation consultation procedure is a nice bit of repackaging of the scrutiny procedure. It applies to class D IVDs for which no Common Specifications are available and if it is the first certification for that type of device. What used to be the scrutiny procedure has been changed to a sort of emergency backstop that the authorities use to prevent the product from entering the market if they’re not happy with the CE marked end result.

Transitional regime

The transitional regime is as follows: a 2 years grace period for existing IVDD certs, and devices which were lawfully placed on the market pursuant to Directive 98/79/EC prior to the date referred to in Article 90(2) may continue to be made available on the market or put into service until three years after that date.

How does it work with the devices that may continue to be made available for three years? Apparently there is no requirement for a valid certificate anymore, otherwise it would fall in the two years bucket. This would mean that there theoretically is no notified body overseeing the device anymore during that period, so no unannounced audits and no surveillance audits. And it is unclear what regime applies to the IVD: the old IVDD or the new IVDR. Very unclear this.

Self-testing devices

There is a sudden down-classification of certain self-testing devices (for the detection of pregnancy, for fertility testing and for determining cholesterol level, and devices for the detection of glucose, erythrocytes, leucocytes and bacteria in urine) from class C to class B. This means that the IVDs concerned will still be subject to notified body oversight, just subject to another conformity assessment procedure.

The principle behind the IVDR and MDR classification logic seems to be that the only way is up, but this is the only example I have come across so far of down-classification.


I don’t understand the absence of a classification rule for software analogous to rule 10a under the MDR (that’s a surprise in the MDR). Especially the clinical decision support functionality that rule 10a MDR up classifies is also an important item in the IVD space, because more and more expert systems become available.

The new classification rule 10a in the MDR will result in all clinical decision support software and monitoring software that is currently mostly in class I to be bumped up to class IIa or higher. This will affect a lot of software devices currently on the market.

All of these devices will need to be certified by notified bodies under the MDR, while notified bodies have almost no experts on software. It’s also strange that clinical decision support software has no similar rule under the IVDR.

Claims/advertising regime

There suddenly is a new claims/advertising regime in the new article 5a. This means we will now finally have EU harmonized rules for claims and advertising of medical devices:

“Article 5a Claims

In the labelling, instructions for use, making available, putting into service and advertising of devices, it is prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user or the patient with regard to the device’s intended purpose, safety and performance by:

(a) ascribing functions and properties to the product which the product does not have;

(b) creating a false impression regarding treatment or diagnosis, functions or properties which the product does not have;

(c) failing to inform of a likely risk associated with the use of the product in line with its intended purpose;

(d) suggesting uses of the product other than those declared in the intended purpose when the conformity assessment was carried out. “

However, I think the new rules are rather superfluous because they mirror exactly what is already in the Business to Consumer Unfair Commercial Practices Directive (2005/29/EC) or could be prohibited based on the Misleading and Comparative Advertising Directive (2006/114, its B2B cousin).

Sub c), however, is additional and a tricky one because it makes unimaginative risk management a violation of the law. Essentially you would need to list any likely risk, which reminds me of the patient leaflets for medicinal products that list even the most rare of possible side effects for the product.

Since there is no qualification of how likely the risk has to be in order for it to be listed (something which they actually do consider for medicinal products SPCs side effects listing), any risk with a likelihood of occurring seems to be a candidate for the IFU, but also for inclusion in advertising (it says “and advertising” so I interpret that grammatically as a duty to include all likely risks in advertising). There will be a lot of small print that none will be the wiser for. TV advertisements will need to rattle off all the likely risks that viewers will do their best to ignore. More information is not always better protection if you ask me.

Maybe this is too strict an interpretation, but how then to interpret “likely risk associated with” (not caused by, which is also more narrow)?

CAs enlisted in product liability and other claims

The new article 8 (9) allows member state CAs to request information from manufacturers on behalf of others in product liability and other damage claims:

“If a competent authority considers or has reason to believe that a device has caused damage, it shall, upon request, facilitate the provision, of the information and documentation referred to in the first sub-paragraph to the potentially injured patient or user and, as appropriate, the patient’s or user’s successor in title, the patient’s or user’s health insurance company or other third parties affected by the damage caused to the patient or user, without prejudice to the data protection rules and, unless there is an overriding public interest in disclosure, without prejudice to the protection of intellectual property rights. The competent authority need not comply with this obligation where disclosure of the information referred to in the first sub-paragraph is ordinarily dealt with in the context of legal proceedings.”

This is a matter of concern for industry because of the obvious risks of widely divergent application of this by member states and fishing expeditions by competitors and the wide scope of persons that can request this information. The “other third parties affected by the damage caused to the patient or user” would for example in my view include me as an employer if one of my employees was injured and my employee would be on prolonged sick leave. Mind you, this is not limited to product liability cases only, because in that case the scope would have been limited to ‘defective’ devices. This concerns any kind of damage caused by a device, regardless of whether it’s defective or not.

There are corrections on data protection and protection of intellectual property rights but it really remains to be seen how national competent authorities will implement this since the application is under full discretion of the national authorities.

Person responsible for regulatory compliance

It’s interesting that the person responsible for regulatory compliance can now be split into multiple persons, provided that their areas of responsibility are properly documented.

This documentation will be important to keep a good eye on for manufacturers and will tie into their QMS obligations as well. They will be written up by their notified body if the roles are not properly defined and accurately laid down at any moment in time.

Transparency of clinical data

There are now provisions for sharing raw clinical / performance data on a voluntary basis, where the Parliament was planning to force this off by means of the proposed recital 39a without corresponding provision in the texts of the Regulations that stipulated that the whole set of under clinical data would be non-confidential.

We now instead have an obligation to publish the clinical investigation report and a summary into Eudamed within a year after the trial, which will become public upon CE marking and immediately in case of halt or termination of the study. If the device is not CE marked within a year after entry into Eudamed of the report and summary, then the report and summary become automatically publicly available in Eudamed.

Now what?

Over the summer the text will be looked at by the EU’s lawyer-linguists who will translate the IVDR into each of the official languages of the EU. That process may still reveal textual issues in the agreed English language text that will be ironed out, so be prepared for some very minor changes that may still happen. There won’t be surprises though, unless some things were written down in a very ambiguous way.

The text will then be published in the Official Journal of the EU in all official language versions and enter into force shortly after. This will likely happen this autumn.

Stay tuned, also for a next post on surprises in the final MDR text.

