Happy New Medical Devices Year!

19-009 Kerstkaart2017_DEFHappy New Year everybody – may your transition to the MDR and IVDR be unproblematic and timely.

May your management be convinced that making and selling medical devices is actually core business of the company and dedicate sufficient resources to your transition project.

Halfway point of MDR transition

2018 is the year in which we will see the halfway point of the MDR transitional period pass – if your company is not seriously working on transition, it risks serious disruptions in it EU business as of May 2020.

“But Erik, you start to sound like a broken record – we still have until 2024 under the soft transition.”

Well, yes: if you don’t mind that your device design is completely frozen after 2020 and you cannot change notified body or crucial supplier / subcontractors anymore. Only do this for non-essential devices or if you have no other options.

You will be captive to your crucial suppliers and notified body during that period. You won’t be able to significantly change the design of your device (e.g. when necessary as a CAPA). ‘Don’t postpone until tomorrow what you can do today’, my late grandmother would always say. She would tell you to be ready for the MDR sooner than later.

Are you with the notified body that you trust to have your back for certification of your devices under the MDR? Remember – no grandfathering – all devices on the EU market have to be recertified. Will the notified body be able to issue CE certificates under the MDR in time? It will be your problem if they are not and this may lead to significant business disruptions in the EU market. These are questions you should have answered last year already.

General Data Protection Regulation

2018 is the year in which the transition period of the GDPR ends (end of May) and all manufacturers must have implemented the new rules in the design of their devices, systems and software. This means among other things that risk management under the MDR and IVDR must be tied into cybersecurity measures under the GDPR. Medical devices IT design will have to cooperate with privacy compliance from the start of development of medical devices and related infrastructure. In a time of Meltdown and Spectre vulnerabilities going to the very core of your off the shelf components, how do you control your suppliers on these points? With cybersecurity more and more relevant, suppliers of off the shelf IT components may become crucial suppliers. You do not want to be the first medical devices company with a major data breach when the GDPR is applicable. And you should preferably not manage it like Uber did. The GDPR will really change a lot for medical devices companies.

Are you selling a medical devices company in 2018?

If you are selling a medical devices company in 2018 you should realize that the MDR and GDPR are your problem, even if you sell the company now.

The first thing that a buyer will look at in due diligence as gating items for EU compliance are a realistic MDR transition plan and readiness for the GDPR by May this year.

Prepare to have the sale price be discounted significantly or large parts of it deferred on the condition of MDR certification or GDPR readiness if your company has neither because in that case the regulatory risks are more than considerable.

It will be interesting

My prediction for 2018 is that we will start to see the first signs of companies realizing that they haven’t started in time and/or are not going to be ready in time, either because of their own planning or dependencies related e.g. to their notified body that will not be ready in time itself to process all the applications for conformity assessment under the MDR. It will be the year of early plan Bs and all the moving and shaking concerned with that.

The IVDR is still two years out, but IVD companies should be working on their (clinical) performance data like it’s 1999 because they risk running into the same issues, and they have the additional complexity that the notified body bottle neck will be even worse for the IVDR.

Also, 2018 will have the first big medical devices company data protection issue under the GDPR. Better make sure it’s not you.

A wave of MDR and IVDR rollout coming our way

Schermafbeelding 2017-11-24 om 21.31.26With the clock for the countdown to the end of transitional periods for the MDR and IVDR ticking away, everyone is of course very interested what the competent authorities are doing regarding implementation of the MDR and IVDR, since a lot needs to happen to implement the MDR and IVDR. The Dutch competent authority gave some insight in planning earlier this year at a seminar organised by my firm.

The work to be done concerns three main areas:

  • delegated and implementing acts defined in the MDR and IVDR to make the system work (such as regarding the functioning of Eudamed and UDI);
  • EU level guidance on the many new concepts and procedures; and
  • National implementation in the fields where there is national discretion in implementation (e.g. in the field of whether and how to permit reprocessing).

The competent authorities have been busy in the background and have now produced a roadmap for implementation, defining priorities for seven technical areas and some horizontal / cross cutting issues.

Wait what? With 1/6th of the MDR transitional period already passed they are only starting to define priorities for implementation now? With not everything high priority or with even a fixed date attached? Yes, indeed and unfortunately – so better keep a close watch on the development and be ready to act quickly when the documents become available.

The document gives a good overview of responsible parties for each of the items in the lists, allowing you to see the new governance structure under the MDCG at work. 26 N November is also a memorable date (not only because it’s the date on which notified bodies can apply for MDR accreditation) because it’s the date as of which the MDCG is formally operational (see article 103 jo 123 (1) (b) MDR) and can start to get stuff formally organised for the big rollout program for the MDR and IVDR. Yay! We will then soon know more about its members and it will allow the newly set up MDCG to take a number of actions that are currently brewing in the background, which can be any of the things the MDCG is allowed to do, see articles 103 and 105 MDR / 99 IVDR.

The seven priority areas are:

  1. Clinical Evaluation & Clinical Investigation (MD); Performance Evaluation & Performance Studies (IVD)
  2. Scope & Classification
  3. Notified Bodies & Conformity Assessment
  4. Post-Market Surveillance & Vigilance for both MD and IVD
  5. Eudamed & UDI
  6. Market Surveillance
  7. IVD-specific Issues 

Let’s take a look each of these, and then discuss the horizontal priorities at the end.

Clinical Evaluation & Clinical Investigation (MD); Performance Evaluation & Performance Studies (IVD)

The MDR is about More Data Really (and the IVDR too) – that data being specifically clinical (MDR) and clinical performance (IVDR) data. It’s not surprising therefore that an important part of the roadmap is concerned with clinical and performance data and how to deal with it for the purpose of evaluation, conformity assessment and post-market follow-up.

This section of the document is part is the product of the Clinical Investigation and Evaluation Working Group. The plan is to develop templates for several clinical related deliverables prescribed in the MDR and IVDR, and its high priority:

  • Summary of Safety and Clinical Performance (MD)
  • Summary of Safety and Performance (IVD)
  • Clinical Evaluation Assessment Report (MD)
  • Performance evaluation plan and performance evaluation report (IVD)
  • Clinical Investigation application form (MD)
  • CI Assessment Report (MD)
  • Performance study Application Form (IVD)
  • Performance Study Report (IVD)
  • SAE/device deficiency reports and timelines (MD and IVD)
  • PMCF plan and PMCF report (MD)
  • PMPF plan and PMPF report (IVD)

I have understood that the recent 6 November meeting of the working group confirmed that MEDDEV 2.1/1 rev 4 really is guidance and not to be religiously applied written in stone rules (basically endorsing the view TUV SUD took earlier this year).

Schermafbeelding 2017-11-24 om 22.17.06


Schermafbeelding 2017-11-24 om 22.17.14.png

The working group is working on a procedure for developing ‘device specific guidance’, which we should see as the precursor of new common specifications that can be issued under the MDR / IVDR. A draft of device specific guidance for drug eluting stents and bioresorbable stents is in the works. It’s not surprising that they started with stents, because some EU consensus on clinical evaluation of coronary stents already exists. Developing common specifications is also one of the actions under the roadmap’s clinical chapters.

Another item in the works is the development of template for the application dossiers and guidance incorporating medicinal products (MP) consultation, but this has low priority.

I hope this is the start of more harmonisation of clinical evaluation in the EU. We will see this come from the clinical evaluation consultation procedure (the procedure formerly known as scrutiny) and the development of common specifications, but any other harmonisation is welcome too, as it makes the CE marking process more predictable.

For more details, see the entire table in the roadmap document.

Scope & Classification

The items for scope and classification are as follows:

Schermafbeelding 2017-11-24 om 20.44.57.png

An interesting point about the combination products and guidance is the issue that the no grandfathering principle raised for MDR certification of existing combination products. Does that mean that the full procedure (210 days) for medicine consultation has to be followed as referred to in Annex IX, 5.2 sub (d) for conformity assessment of devices incorporating a medicinal substance, or is this a ‘change’ that takes 60 days under Annex IX, 5.2 sub (f)? Nobody is sure yet for lack of an official position.

Another interesting one is that there seems to be a developing consensus that the combination products procedure under Annex IX, 5.2 also applies to rule 21 substance based devices.

Notified Bodies & Conformity Assessment

By now it becomes more and more clear that a lot of the initial assumptions about what notified bodies were going to apply when for what regulation and what scope are very fluid with the 26 November application opening date around the corner. Traditional notified bodies are applying later or not, or in a limited scope and new notified bodies enter the scene, with even some consultancies and companies applying for targeted scopes.

What is standard is that the notified bodies currently in the market are routinely vague to the point of being misleading to their (potential) clients about what they are actually going to do, and no notified body is very happy to tell you the exact scope for which they are applying. This makes is basically impossible to compare notified bodies, which is one of the big points in the legislative history of the MDR and IVDR with respect to the notified bodies: they do not actually compete because prices are not transparent, but now there is this too. So I decided to file a freedom of information request with the Commission after 26 November to ask the Commission to disclose information on this point so we can all benefit from some transparency. Keep a watch on this blog for the results.

Schermafbeelding 2017-11-24 om 21.11.56

Not surprisingly many of the notified body related actions are high priority, like guidance to be issued on designation process for joint assessments under the new regulations. Yes, that would be nice – to have some guidance on this critical process. Better already too late than never right? The process of designation will be complex enough. Rather than create synergies the assessment under the MDR, the IVDR and the joint assessment for the current directives will happen each separately, putting an enormous strain on the limited competent authority resources.

An interesting one is the guidance on “What is a significant change?”. This will be crucial if you are going to rely on the ‘soft transition’ period, under which you can rely on a certificate under the old directives running past the date of application, provided that there is no ‘significant change’ to the device design or intended purpose. This is also an item below under the horizontal subjects. We know that there is some controversy between the member states on the exact interpretation of the concept of significant change, which may delay the formation of the guidance on this concept.

Guidance on procedure for notified bodies is also welcome, as it may provide much needed streamlining of conformity assessment for MDR and IVDR certificates towards the end of the transitional periods.

Post-Market Surveillance & Vigilance for both MD and IVD

In relation to post-market surveillance an important one is updated vigilance guidance (this will change compared to the current directives) and related terminology (you’ll need guidance indeed if you change so many well-established concepts – duh).

New template forms to replace the ones currently attached to MEDDEV 2.12-1 Rev 8 on vigilance will be developed too.

Schermafbeelding 2017-11-24 om 21.19.17

Eudamed & UDI

In relation to Eudamed the million Euro question is of course if Eudamed will be ready in time and actually work. The focus in the roadmap is on interaction with Eudamed and UDI operational matters. Don’t forget though that even if Eudamed is not ready, the only obligation that the manufacturers will not have is actually inputting information in Eudamed. All the other obligations, like obtaining SRNs (you need one for application for conformity assessment for example, see article 31 (3) MDR) and also assigning UDI to devices, because that obligation is independent of registering the device in the database under its UDI.

Schermafbeelding 2017-11-24 om 21.19.31

Schermafbeelding 2017-11-24 om 21.19.38

Market Surveillance

Nothing is urgent in market surveillance – what a relief. That doesn’t mean that not a lot is going to happen as the member states build up and tie together the whole EU enforcement backoffice. This is not a direct implementation issue for companies, but it is something to keep track of, for example to understand how the authorities will use clinical information as part of market surveillance, and how they will review clinical evaluation, performance evaluation and the post market data collection processes (last line under 6.5 below).

Schermafbeelding 2017-11-24 om 21.19.48

Schermafbeelding 2017-11-24 om 21.19.55

IVD-specific Issues 

Most of the IVD specific issues also feature in the other streams above as you can see in the table. The only urgent priority are the reference laboratories – their designation and their function (see also below under 8.7 at the horizontal issues). Indeed – they are a gating issue for all class D IVDs for which there are no common specifications yet (IVD ‘scrutiny’ procedure) and there will need to be a common standard for assessing those, which there currently is not. The reference labs also play an important role under the IVDR to verify by by laboratory testing for conformity testing purposes the performance claimed by the manufacturer and the compliance of devices presenting the highest risk with the applicable CS (when available), or with other solutions chosen by the manufacturer to ensure a level of safety and performance that is at least equivalent.

Schermafbeelding 2017-11-24 om 21.20.03

Schermafbeelding 2017-11-24 om 21.20.11

It’s good to see an action item for a template for performance studies documentation and how to prepare and perform them. Given that most of the IVDs currently self-certified will need to go through notified body assessment based on significantly more and better presented data than currently likely available, this guidance will be very useful. Also the classification guidance will be useful because the IVD sector will need to learn to work with the new classification rules under the IVDR.

Notified body expertise and capacity for IVDs under the IVDR will be a very big item as I have observed before, so to me it comes at no surprise that this is an item for the CAMD roadmap too.

Over-arching & Cross-cutting Priorities

While sections 1 to 7 of the roadmap were sort of known already since April the section 8 on the over-arching and cross-cutting priorities is new. They are indeed priorities because everything in this section is high priority or even – exceptionally – has a date assigned to it (that’s Eudamed being ready).

Schermafbeelding 2017-11-24 om 21.20.26

Schermafbeelding 2017-11-24 om 21.20.35

Schermafbeelding 2017-11-24 om 21.20.43

Interesting elements are the pre-date of application (DoA) and post-DoA questions, most of which have been raised on this blog already one way or another (I hope you’ve been paying attention). It will be good that there is guidance that companies can follow though in order to manage contingencies.

Contingency scenario development and planning is another interesting one, especially the supply problems that can take place in cases of low volume products. I would add to these the case of crucial healthcare software that is catapulted from class I to class III and does not manage to get certified in time and cannot benefit from the soft transition period. As things are in the software market single software suites can become a standard by themselves. If that software suddenly needs to be taken off the market as corrective measure (e.g. because of a critical patch that needs to be implement but cannot be because it changes the software installed base) or cannot be made available after the DoA this can have serious implications for health institutions.

How for do?

Please do not make the mistake to think that the fact that all of the above rollout and implementation roadmap is in development means that you can sit on your hands and wait until the documents have been released. You are smarter than an ostrich, right? A smart medical devices company is already doing what it can to be ready in time and sees all the guidance that will come out at some point as a welcome benchmarking exercise. If you start implementing by the time the guidance may be out (and we don’t know when that is), you will likely be too late to meaningfully act on it.

In way companies can see this roadmap as an overview of questions that they should be asking themselves in the frame of their transition program towards MDR and/or IVDR compliance. The specifics where guidance is developed are specifics that the company must pay extra attention to itself.

Companies that are underway with their transition process can take this in stride and supplement what they are doing already with the new guidance as and when it becomes available. Better pivot a little halfway than start too late to be in time, my late grandmother would say.


The new EU Medical Devices and IVD Regulations Workshop
In any event, if you’re based in the US, you could consider visiting the EU MDR and IVDR transition workshop that I’m giving at Advamed in Washington DC on 4 December to get the full picture and be prepared.

I will go into this stuff in a lot more detail in person too and you can ask any questions you have! Regardless of where you are in your transitioning process this workshop will be worth your while.

MDR and IVDR workshop at Advamed on 4 December

Schermafbeelding 2017-11-14 om 21.16.19At Advamed’s San Jose MedTech Conference this year it was quite a surprise for me to see how many US companies are still not doing what is necessary to become compliant with the MDR and the IVDR in time. In the EU MDR session at that conference about 5% of the audience raised their hand to the question what companies had a transition plan for these new regulations that they expected to finish in time before the end of the transition period.

This means that the rest of the companies represented do not expect to be ready in time, which is a problem since the MDR (and IVDR too) does not grandfather any products currently on the market. Companies just do not seem to understand this – every device currently on the market has to be CE marked again under the new rules. That’s a very big project, with very much at stake: essentially your European market as of June 2020 for medical devices and as of June 2022 for IVDs. We in the EU MDR session panel were stunned by this level of unpreparedness on the part of US medtech companies so I decided I wanted to do my best to remedy this.

How to make the transition and stay in the market?

I’m very proud and happy to announce that Advamed has decided to organize  an MDR and IVDR workshop at the Advamed offices in Washington DC on 4 December – quite soon already – which is called “The new EU Medical Devices and IVD Regulations: How to make the transition and stay in the EU market?”.

It’s a day-long workshop in which I will help your company make sense of the MDR and IVDR, define its transition goals and strategy, perform a gap assessment and come out compliant in time before the end of the transitional periods. It will be practical and there will be a lot of opportunity to ask questions. Also, I wil discuss how to develop your template documentation for a gap assessment and transition plan, provide starting material for that and discuss what moving parts to pay attention to as the EU is rolling out the MDR and IVDR.


Sounds good? You can register here. I promise you it won’t be boring – hope to see many of you then and there!


The notified body conundrum

ce_markIn my recent post about potential mass extinction in the EU IVD market as a result of the IVDR and the limited number of notified bodies that look to be applying for IVDR status (and the incredulous reactions that I received) I though it would be a good idea to update on notified bodies in general, and how they are doing with 26 November on the horizon.

You will have marked 26 November in your calendar, because this is the date that your notified body can apply for accreditation under the MDR and IVDR. It’s kind of essential that they do, because if they don’t, do it later or fail to make the cut you will find yourself in the proverbial chickenwire canoe in crocodile infested waters.

I have warned against notified bodies doing weird stuff in the advent of the MDR and IVDR, and now there is the Brexit too. I now see notified bodies now do exactly the kind of crazy stuff that predicted and then some. Customers are ignored or outright thrown under the bus while the notified body closes down, has its scope restricted allows certificates to lapse, is just unavailable to even explain decisions or schedule audits.

What do we see happen in the notified body market? I am not mentioning names on the record because I’m not looking forward to legal issues with any of them and I often don’t have multiple sources backing up the fact patterns. I am just describing what I see and what I’ve heard myself and what others have told me.

Abandoning codes

The EU is consulting about the new notified body NBOG codes. Notified bodies apply for a designation under these codes, which together define the scope of the notified body. Your notified body is also already designated on the basis of the current NBOG codes, which describe its current scope. Two things are happening right now:

  1. notified bodies are ditching current codes because they can no longer support them. I’ve seen at least one notified body has sent its customers a letter that it no longer will support a specific code and terminating the mandate unilaterally for the certificates in that scope on a few months notice.
  2. informing manufacturers that they will apply for a more limited scope under the MDR or IVDR than currently, which may mean that the notified body cannot support the client under the new regulations. Some notified bodies that currently do IVDs will not for example apply under the IVDR, or not immediately, and the same likely to happen under the MDR.

These things are happening for a number of possible reasons. The notified bodies are strapped for resources required under the MDR and IVDR and a lot of people are on the move. This may even result in notified bodies having to restrict their scope as a result of crucial staff leaves – most notified bodies are this thinly staffed for some of the more exotic areas.

Scenario 1 is not nice because you have to find a new notified body rapido for your continued compliance under the MDD. The limitation in scope may have all kinds of causes, but it does mean that if you don’t have a new notified body by the time that the notified body mandate terminates you are officially orphaned – which is a problem because there is no EU law or national provision that can help you.

Fortunately it appears as though the heads of agencies for medical devices have agreed to a procedure that allows you to enter the orphanage of temporary competent authority supervision to allow you to continue to place product on the market for up to 12 months while you find a new notified body. The first two agencies to apply this were the French and the Swiss. Not every competent authority for medical devices is equally clear about it but the Dutch one has published the procedure that was apparently agreed on its website in great detail (in Dutch unfortunately). This procedure seems to replace / amended the NBOG procedure for ‘enforced change’ of notified body that applied since 2006.

You will need to apply to the competent authority of the EU member state in which you are established as manufacturer or (if the manufacturer is not established in the EU) in which the authorised representative is established. You will have to prove to the authorities among other things that:

  • you will maintain the QMS until recertification by another notified body; and
  • that you are actively seeking the services of another notified body, including a summary of the status and the prospects of finding one that will re-certify the devices concerned and when.

You will also need to provide:

  • details of your PMS system, recent PMS reports and management review relating to PMS and vigilance; and
  • an overview of incidents everywhere in the world over the last 36 months (per country and number of products sold); and
  • an overview of open, started and finished CAPAs caused by incidents over the last 36 months (including cause, root cause analysis, conclusions and solutions).

Essentially you have to satisfy the competent authority that the safety of the medical devices concerned has been safeguarded pending the transition to another notified body. If you cannot convince them, you are an orphan without orphanage and will not be able to place the devices concerned on the market once the outgoing notified body mandate terminates.

Of course, during the transition under the supervision of the competent authority you cannot make any changes to the devices that would require notified body scrutiny or market a new device that was not covered by the certificate(s) at the outgoing notified body.

This is of course a really raw deal, especially since notified bodies have become very hesitant to accept ‘like for like’ or ‘transfer in good stead’ transfers in even the most amicable of scenarios, as they cannot be sure that the underlying file can be easily certified and in practice often don’t have the resources to do a new entry certification. Also, the NBOG guidance on enforced changes states specifically in cases of ‘foreseeable breakdown’ of a notified body that “[i]n this case a new certificate should not be issued solely on the basis of the previous NB’s documentation but a separate review of the manufacturer’s documentation and/or a site visit by the new NB may be necessary.” Also the new procedure published by the Dutch authorities seems to assume a full new entrance audit by the new notified body. This means that any notified body that is willing to accept you also needs to have the time available to do this, and in the short term.

Informing that the notified body will (probably) not apply under MDR / IVDR

Some notified bodies inform their clients that they (probably) will not apply for accreditation under the MDR and/or IVDR. That is a problem because this is not a notified body breakdown scenario of an ‘enforced change’ legally speaking because there is no ‘withdrawal of designation by the Designating Authority (partly or completely) or voluntarily abandons its designation (partly or completely)’ or liquidation of the notified body that causes the client to be orphaned.

The effect is however exactly the same as that in an orphaning scenario, except that you cannot ask for temporary under the umbrella of the competent authority temporarily.

This affects a large number of notified bodies. As discussed in an article in MedTech Insight on 18 September, notified body association Team NB expects that “at most 16-18 of its members will be ready to submit by late November. And given the potential for non-conformities to be identified in some of the applications, the association would be pleased to see 10 of its members get designated against the MDR/IVDR in the first wave.” I’m not sure if these numbers have changed since September.

This means that the association that previously said that all its members will apply at the same time so as to be designated all together at the same time has back-pedaled considerably on its members’ chances of making the MDR / IVDR cut. Five to seven members may not apply on 26 November, with the number of those that will not apply at all being unknown. I know of at least one that is already telling its clients it will not apply at all.

This is of course even more problematic in relation to IVDs because of the low number of notified bodies allegedly applying for accreditation under the IVDR (only five). Given the quantum leap of self-certified IVDs currently on he market that will need notified body certification under the IVDR (80-90% of the total IVDs will need notified body certification), it is already doubtful if the combined capacity of those notified bodies will suffice. The bottleneck that will occur under the MDR towards the end of the transitional period will likely be much worse IVDs.

[UPDATE: Team NB just published an overview of the intentions of each of its members regarding to application for MDR and/or IVDR accreditation, which now shows that all members intend to apply for MDR accreditation and 11 members for IVDR accreditation. As is clear from information on Team NB’s website this does not mean that all members will submit immediately. Some intend to submit in December and some intend to submit whenever.

Also, the intention of application as such does not say anything about the codes for which the notified bodies wil apply. It would have been helpful if we would have known if they intend to apply for the same scope or not. I’m very curious how these intentions relate to the earlier statement of Team NB itself and of course how they will translate to actual applications.

Finally, given the statements of some of the notified bodies themselves discussed in this article, I’m inclined to say: “seeing is believing” and would encourage all readers to check with their notified body (since all Team NB members intend to apply for the MDR at least) why they were making contrary or unclear statements before, whether they will really apply on 26 November, later or whenever and for what scope they will apply. Oh, and of course how they see their chances of actually getting accredited and when. Please share your findings in the comments to this blog post so the other readers can benefit too!]

Allowing certificates to lapse

Another particularly nasty scenario that I have observed happen to at least one client is just not respond to requests to please schedule the recertification audit and just letting the certificate lapse. This can happen either because the notified body has no personnel to actually do the audit or because it applies a proces of Verelendung (immiseration) on its clients to drive them away in the most negligent of ways.

Not applying at first opportunity

There are also notified bodies that will not apply for MDR and/or IVDR accreditation at the first opportunity on 26 November, but who will take their time to get ready. As is clear from the Team NB statement mentioned above, five to seven of its 23 members will not be ready to apply on 26 November or may not apply at all.

This may mean that they may suffer delays in being accredited (e.g. because they will not be in the first wave of joint audits) leaving less time to process manufacturers’ requests for  MDR / IVDR certification before the end of the transition period. Guess whose problem that will be when the notified body does not manage to get you certified in time.

Move to another jurisdiction

General unavailability may be influenced by a notified body having to literally reinvent itself because it is moving to another jurisdiction. The candidates for this are the UK notified bodies (because of the Brexit) and possibly the Swiss notified body (hedging with respect to renegotiation of the new Mutual Recognition Agreement between the EU and Switzerland). Having to move jurisdiction will mean a new notified body under new jurisdiction, and not keeping the old number. If your notified body moves before it is MDR / IVDR accredited you may need to change your labels twice. This is a realistic scenario for the UK notified bodies, because the Brexit transition period ends March 2019. At least one of them will go to the Netherlands (BSI) and I’ve heard rumors about Belgium, Ireland and Germany for others.

A move to another jurisdiction may also coincide with a limitation of the notified body’s original codes, because the new jurisdiction may not support the same scope. Also, a scope reduction may be necessary because the notified body looses crucially competent staff in the move to the other jurisdiction.


If you have a Turkish notified body there is yet another issue: Turkey is allowed to have notified bodies for the three medical devices directives because these three directives appear on an annex to a 2006 decision of the EU-Turkey Association Council, which lists the EU instruments for which Turkey will fully harmonise its laws with the EU directives.

Guess what: the MDR and IVDR are not on that annex (meaning that for the moment Turkey is officially not implementing the MDR / IVDR) and we don’t know if or when they ever will be on that annex.

Given the current tensions between the EU and Turkey, it may be that Turkey doesn’t even want to have notified bodies and/or the EU does not want Turkey to still have notified bodies for medical devices for the MDR and IVDR.

Bottom line: if you are relying on a Turkish notified body for an MDR or IVDR certificate, this may not be your best option.

General unavailability

I hear from many clients and others in the market that their notified body is struggling to respond to questions and simple requests, like ‘please explain why you took this decision’, ‘what does this mean’ and ‘what do you want’. This may be caused by a variety of reasons having to do with notified body operations, and it is very annoying because it costs time and creates insecurity for  the manufacturer waiting  to get clarity on sometimes even simple things. Time is especially scarce these days, with the transitional periods for the MDR and IVDR running.

So now what?

What if your notified body orphans you, immiserates you, just doesn’t apply for MDR / IVDR accrediting or does not certify you into the MDR / IVDR in time?

Will you sue them? It happens often that companies that do not get what they want ask me if they should sue the notified body. It’s a good way to help me buy a new Porsche – I’ve had my eyes on the new Panamera for some time. However, it’s a bad way to get where you want to be. Even if you manage to prove that the notified body acted grossly negligently in the way it handled your certification process (already not very likely that you manage), the chance that you will get the court to rule that the certificate should have been granted on the basis of the dossier supplied is virtually nil. The court will – in that case – hand the case back to the notified body for another look. In the mean time you will have wasted at least a year without a certificate that allows you to place devices on the market while I have my Panamera and your competitors have your market share.  The reason that I don’t have my Panamera yet now however is that I don’t advise companies to embark on legal procedures that do not serve the company’s goals. Diplomacy and having really good documentation and clinical data supporting the device(s) concerned is more likely to get you results and certificates. Better spend your money on excellent and convincing clinical data and technical documentation than on subsidizing my Porsche. Really.

The best you can do is to find a new notified body quickly and be pro-active about it. If you initiate a transfer that is voluntary the new notified body may accept the existing file without doing a full entrance audit. The better your files and data, the higher the chances that you succeed in the short term. If you need to change notified body or are thinking about it because your notified body seems to be on a road to nowhere lately, change sooner rather than later. Later in the transitional periods the notified bodies that do make the cut will be completely swamped by existing clients to have their existing devices certified into the MDR and IVDR. They will not be looking for new clients. The other notified bodies will have more time, but no MDR or IVDR certificates to grant.  The only thing they can do is to renew the existing certificate once for a limited period of time (and with the disadvantages of the so-called soft transition – no design changes, no certificate changes, no supplier changes, but full MDR / IVDR compliance required otherwise).

Once you are safely transferred to another notified body you might still try to sue your former notified body for damages though, but at least you can take your time for it. And we know from the EU Court in the mean time that notified bodies may be liable for negligent oversight. Betting on getting a court to replace the notified body decision with its own judgement is however unlikely to happen (provided that the court is even allowed to do so under local procedural law).

Interesting times, in which you should definitely not sit on your hands complaining that it’s all too complicated to know what to do. Better leave that to your competitors.

EU MDR / IVDR Regulatory Cassandra


Sometimes you have days that you feel like Cassandra. I had a Cassandra moment after moderating the MDR panel at the Advamed MedTech Conference on 25 September.

Cassandra was a lady from mythological heritage. She made the Greek god Apollo angry by changing her mind to be his girlfriend after he had granted her the power of clairvoyance to woo her. Because Apollo could not make the gift undone, he gave her another one: nobody would henceforth believe her. So she predicted several times that Troy would fall and nobody believed her. She even had a psychological syndrome named after her, described as “individuals who experience physical and emotional suffering as a result of distressing personal perceptions, and who are disbelieved when they attempt to share the cause of their suffering with others.”

Regulatory Cassandra syndrome

Schermafbeelding 2017-09-12 om 15.16.28After my panel at the Advamed MedTech Conference it dawned on me that the regulatory departments at medical devices companies in the US suffer from collective Cassandra syndrome: they mostly know that something big is coming their way, but are unable to get management attention for the big changes that are happening in the EU. If they communicate that something quite big and disruptive is up, they are disbelieved.

Management seems to be focused only on the next quarterly earnings but seems to completely forget that there will be no further quarterly earnings after the transitional periods for the MDR (end of May 2020) and IVDR (end of May 2022) expire without companies being ready with their recertification of devices under the new regulations. Because there is no grandfathering. There has not been, there is none and there will not be.

Show of hands

We as panel were very surprised about the show of hands that we had from US companies represented in the room:

  • not many people had read the new regulations;
  • even less understood the regulations or had undertaken a gap assessment to determine what this means for their company;
  • even less than that actually had a budget to do a gap assessment and implement the results of the gap assessment; and
  • almost none of the companies present in the room expected to be ready with their implementation and remediation for the new regulations.

This does not present an optimistic picture. MDR and IVDR denial and/or ignorance seems most prevalent with small and medium sized companies.

The future is closer than it appears

Chuck Norris kamikazeOne of the big factors that causes management to ignore transition is that there is a lot going on in the world as it is and that the deadlines are still years away, especially for IVDs. As we explained in the panel, that thinking is completely misguided. Companies have to literally reinvent their technical documentation, clinical evidence, quality system and much more. And they have one shot at getting it right, because we are not all Chuck Norris. Chuck Norris can be a kamikaze pilot 12 times. Most companies can only try be Chuck Norris once, and will most likely fail. Try to be like Chuck Norris but end up like While E Coyote.

Especially for legacy products, and even more in the case of currently self certified IVDs, the current state of technical documentation and clinical data will not be up to MDR and IVDR standards and will take a lot of work to remedy. Yes, and the concept “work” assumes resources deployed over time. Not putting in that effort is sort of kamikaze for the EU market and not everybody can expect to be of Chuck Norris equivalent resilience.

Companies need to take a close and critical look at their supply chain in the EU to get to grips with the new supply chain regulations.

So how do you get management attention for this? In the panel we suggested the following. Ask for the last year’s turnover of medical devices related turnover in the EU. Then ask for the turnover of all countries where regulatory approval depends on a valid CE mark for the devices concerned. Add this figure to the EU turnover. Then ask for the growth projections for the year 2020 (in the case of medical devices) or for 2022 (in the case of IVDs). Multiply total amount with growth projection. This gives you the first year loss following the end of the transitional period. Show this to management if they do not want to invest in MDR or IVDR transition. Are they willing to write this off and fire a lot of people that they cannot afford anymore as costs for sitting on hands? Then also add investments needed to recuperate market share after the company finally gets it right, because we all know what happens to market share if you cannot be on the market: it collapses and will need to be rebuilt from scratch. The company’s reputation with distributors and customers will be severely damaged.

If management is still not willing to move, propose that they should discuss this strategy on the next earnings call:

“We are going to be knowingly late with implementation of new EU law because we don’t believe our regulatory department and deliberately risk our CE mark dependent market for all our products because we fail to understand what ‘no’ means in ‘no grandfathering’.”

See if there will be resounding investor applause then. See if investors will be breaking down the door to throw money at the company. Probably not, but hey, that’s just me. In every merger or investment that involves a medical devices company with CE marks the first question these days is: show me your MDR/IVDR transition plan. Oh you don’t have one? Then we will have to heavily discount the (share) purchase price for all the remediation costs that have not been accounted for in your budget and we will have to vector in the risk that you are already too late to even make the transition in time. Maybe you’re not such a good investment after all.

What should companies be doing?

They should not be sitting on their hands waiting for reality to catch up with them, and definitely not sit and wait ‘for things to become clearer’. That’s like being a hedgehog on the road wondering what the light is that’s coming its way.

Make a plan and follow through: not only register that there is an issue but make sure that the resources are there to remedy it:

My takeaway from the panel was that US medical devices companies are generally woefully un(der)prepared for compliance with the new regulations, even though we are well into the transitional periods for both regulations, and that this is worse in the case of small and medium sized ones. The big multinationals seem to be doing a much better job.

So what can you do to understand the MDR and the IVDR? Lack of knowledge is not an excuse because there is lot of good material out there.

For example: MedTech Europe has just made two sets of flowcharts of the requirements under each regulation that I myself find very very useful, see here for the MDR one and here for the IVDR one. You can trust MedTech Europe to produce good materials.

You can try and understand the transitional regime and understand how to prepare and execute a transition project with the materials from the seminar that my firm recently organised about the subject.

You could have attended a conference that devotes a lot of time to this, like the recent RAPS Regulatory Convergence or go to a specialised consultancy’s seminar like this one from Qserve in California next month or you could have visited the seminar Factory and I organised in San Jose CA last week.

IVDR, IVDs and mass extinction


More interesting things from the RAPS Convergence conference.

If you do anything in the IVD sector in Europe and did not attend that conference, that’s a pity. The program on EU IVD regulation was truly outstanding. I do not often see such a good program on EU IVD regulation in one place – if you weren’t there you really missed out on an excellent program.  I really hope they repeat it again next year. Overall the EU medical devices regulation program was very very good, with a very high quality of extremely relevant speakers.

So let me summarise some things for you that the IVDR brings, taken from this program.

Regulatory quantum leap even more quantum than originally expected for IVDs


I have discussed the quantum leap in regulation for IVDs before on this blog and described it in the White Paper on the IVDR  that Gert Bos and I wrote for BSI. As you can see the current estimation of IVD manufacturers needing a notified body in the EU have gone up from the conservative 80% to now 90-95% as it becomes more transparent what legacy products manufacturers have in their portfolios. Will all these products make the cut of the IVDR? The expectation of the notified bodies and industry going on the record is that this will not be the case.

This is a good start to bridge the gap created by the leap:


Gap assessment

Are all the IVD companies working on gap assessments already like the sensible medical devices companies are? Nope. Some are, but most are not because they think that five years transition period is plenty long to get things in order and 2022 is not even on the horizon. Read on, and you will see that five years is very short for what you need to do, especially if you are a company with limited experience with notified body review of technical documentation for your products. Lucky you: we have developed gap assessment tools for IVDR as well in the mean time and will be happy to help you or leverage our network of technical experts to help you.

Portfolio rationalisation

“Anybody that is not seriously thinking about getting rid of products is overlooking things”, was one of the industry statements in the IVDR session by one of the companies that is well on its way with its IVDR work.

Portfolio rationalisation is the thing because you will quickly find that not every little self certified IVD with almost no data and half a technical file (if you’re lucky) is worth the investment of remediation to IVDR standards. You will need to set up end of life programs for the IVDs you retire.

People and notified bodies

One does not simply walk into the IVDRMore even than for general medical devices expertise of regulatory staff and retaining them is crucial because there are relatively few IVD professionals in the market.

The current expectation is that there will be five (5) notified bodies that will be accredited for the IVDR. That is not a lot for the tidal wave of applications that will come their way. Also with regard to the IVDR there is no grandfathering (see below for more in this regard). This means that a constant dialogue with your notified body will be crucial to make sure that you keep your place in the queue and have the best chance of understanding what is required.

If you have never dealt with a notified body before, start doing that immediately to make sure you’re in the priority line for boarding. You may well miss your flight if you start talking to them only when all the seats are sold, which they will be towards the end of the transition period. Notified bodies will focus on helping existing loyal customers and will be less focused on companies that say they might cost them some time. So you might already have your ISO audits done by the notified body of choice to make sure you have a foot in the door. Sounds logical right? Maybe it sounds even so logical that even your management can understand it.

Invest in structures now – PMS and clinical data

The IVDR will require much more in terms of structures than the IVD Directive, mostly in the field of post market follow up but also in the way the data is presented in your technical documentation.

The IVDR requires more in terms of keeping the technical documentation consistent with any other statement that you make about the product.

IMG_2578Your 510 (k) for an IVD will not be sufficient. It will contain some data but not enough and not in the right structure. The IVDR requires a lot of new things in terms of performance evaluation and how to structure that data. So better start collecting data now using you PMS procedures. The better they are the better this works.

The technical file also needs to be up to date as per the current date, and that date changes every day.  When did you last look at the data for your product? IMG_2579

Your current technical file structure will not be compliant under the IVDR, so there’s significant work to be done there. Organising all your current probably not super high quality self certification technical files in an IVDR compliant set of technical documentation takes more work than you think. Probably you do not have many people in your regulatory department for this because you never needed them before.

Timeline management and transition

Schermafbeelding 2017-09-12 om 15.16.28.pngIn the MDR universe a minority of self declared products cannot benefit from the so-called ‘soft transition’ that allows MDD/AIMDD or IVDD certificates to overrun the date of 25 May 2022. In MDR land this typically affects software (often class I) and low risk devices. But in the IVD universe most IVDs are currently self certified so do not have a certificate, which means no soft transition for currently self-declared IVDs. That is the vast majority. This a a potentially enormous bottleneck. If you are not on the bus of one of the five notified bodies for IVDR timely you will not have an IVDR certificate for your product before the end of the transitional period. This means no more placing of product on the market. You will be like While E Coyote going off the cliff, with your more survival oriented competitors picking up your market share quickly. That is not a nice place to bounce back from.

The new Class D IVDs are even more affected because the reference laboratories that need to look at those applications will not be designated until right at the end of the transition period.

The link with data protection legislation and the magic freezer

The IVDR has a link with EU legislation in the field of personal data, the General Data Protection Regulation (GDPR), which is applicable as of 25 May 2018. As was explained in the RAPS Convergence program, many companies have all kinds of samples lying around in their magic freezer because they never throw away good samples, which comes in handy when you need to de performance evaluation for the purposes of certifying your existing IVDs under the IVDR. But wait what – is that even allowed? See my presentation in the IVD program for answers:

It follows that implementation of the IVDR must go hand in hand with a serious implementation of the GDPR as well. The GDPR is just as relevant for samples that are not left over. Every time you use an IVDR regulated sample this raises a question of GDPR as well. As we saw in the session that I presented in there are big differences in this between the US and the EU.

Mass extinction

IMG_2580I bet you thought the title for this blog was kind of hyperbolic when you started reading. I hope you have a more nuanced perspective because there may very well be mass extinction. There are so many possible critical missteps. When missteps exist, missteps will happen – pardon the cynicism. Many companies will suffer because they will not make the cut. It is inevitable. So, as I told the audience during my presentations at the conference: choose whether the chaos that will inevitably happen is your chaos or someone else’s chaos. Because chaos will happen, whether you like it or not.

Transitioning to the IVDR is rocket science, there are not many IVD rocket scientists around (so hold on to the ones you have), the rocket certification bodies are few and will be very very busy. Get your application wrong and you’re back at the end of the launch queue. And if you’re not ready in time you miss your launch window, meaning that you lose market share that may be very difficult to recoup.

So, if you’re an IVD company with IVDs on the market in the EU: don’t be a dinosaur. We all know what happened to them.

Supply chain and economic operator regulation under the MDR and IVDR

CE Call Erik

Credits: Bassil Akra of TÜV SÜD

One of the interesting features of the new MDR and IVDR is the new chapter on economic operators (chapter II), which implements a completely new (to the medical devices industry at least) regime of supply chain regulation and related aspects.

The new supply chain regime was on the horizon for a long time because it was conceived in 2008 and has in the mean time been implemented for a number of product groups covered by EU legislation. It has now, totally expectedly, found its way to the devices sector via de MDR and IVDR.

A presentation about supply chain under MDR/IVDR

I presented about this at the RAPS Regulatory Convergence:

I find that many companies have difficulties in understanding this framework and do not realize that becoming compliant under the MDR and IVDR requires a close look at the supply chain leading into the EU, and identification of each entity up to the end user as one of the economic operators regulated under the regulations: the MAID (Manufacturer, Authorised Representative, Importer and Distributor).

We are used to the manufacturer having regulatory responsibility under the directives, but it’s new that the importer and distributor suddenly have important obligations in the supply chain and that the role of the authorised representative has changed a lot.

Economic operators 2017 RAPS Convergence


As you can see in the embedded presentation above and the slide below at the RAPS Convergence above importers and distributors now have their own responsibilities with respect to PMS and vigilance and in verification of compliance of the devices that they import/distribute.

Economic operators 2017 RAPS Convergence

Given these overlapping responsibilities it becomes more important than ever to organise your supply chain contractually in a way as to avoid surprises, e.g. because a distributor decides to issue a local recall for a not so profitable product that will be visible for every authority in the EU via Eudamed and may spin off into something of epic proportions.

Information sharing with(in) your supply chain becomes key, as well as division of responsibilities. I am pretty sure that your contracts can be improved because so far I have not seen any that are up to standards.

Regulatory is from Venus, tax is from Alpha Centauri and third party importer anyone?

These responsibilities and who has them should be part of your gap assessment for the MDR and IVDR. Companies organise their supply chain currently mainly based on tax considerations, but now they will need to add MDR/IVDR supply chain regulation considerations. It means making your regulatory department talk to your tax lawyers/accountants.

From my own experience these groups often find the other group’s work a form of esoteric voodoo because they use completely different definitions of the respective economic actors. The MDR/IVDR contain definitions for the MAID (which are described in a lot of detail in the bible of CE marking the Blue Guide) so it may take some time before your regulatory department has your MDR/IVDR supply chain regulatory ideas aligned with your tax planning, and you find out in the process that an importer for tax law purposes is not necessarily the same entity as the importer for MDR/IVDR purposes.

For example, many companies outsource warehousing in the EU to external parties, which often provide additional services like final labeling. That may make that external party an importer in the meaning of the MDR/IVDR, with all the regulatory obligations. That will likely lead to the third party asking you for more money for what they do, and you suddenly have a regulated external party in your supply chain that must refuse to import your devices if it comes to the conclusion that they may not be compliant.

Subsidiaries that must rat you out and run away

There are major problems with authorised representatives because the MDR/IVDR messes with corporate governance if you have your own AR in the EU, most often a company subsidiary. The MDR/IVDR make the AR into a sort of competent authority mole in your organization. It must monitor the manufacturer, admonish in case of non-compliance, report the manufacturer to the authorities in case of persistent non-compliance and then run away after terminating the AR agreement. That must be problematic for a subsidiary. Yet, the wise people that wrote the MDR and IVDR did not give this much thought.

Also the MDR and IVDR prescribe a mandatory format for the AR agreement and for a contractual handover regime in case of switch in AR.

Oh, and did you know the AR is product liable now for all of your devices in the EU jointly and severally with the manufacturer? Better not nominate a subsidiary with a lot of assets.


Because of the new distributor obligations you will want to revisit distribution agreements. And if you don’t your distributors will want to because they need to do a lot more to be able to distribute your products, like check compliance etc.

And there is more

With the new economic operator regime come a lot of other additional things that I presented about recently too at the MedTech Summit in Amsterdam, such as new advertising and marketing claims regulation and a new weird Frankenstein product liability regime:


“Immediately is already rather late”

As I sit here at the RAPS Convergence I see the companies that are trying to get their arms around this but most of them are already quite late in starting their work on transition. One of the lines that all the many notified bodies and competent authorities present are repeating over and over is: start now if you haven’t already. The gap is large. The impact enormous. Your EU market is at risk, as I have been saying myself too. One of the best statements I heard from the authorities and notified bodies was: “if you start immediately you are already rather late”.



%d bloggers like this: