In my recent post about potential mass extinction in the EU IVD market as a result of the IVDR and the limited number of notified bodies that look to be applying for IVDR status (and the incredulous reactions that I received) I though it would be a good idea to update on notified bodies in general, and how they are doing with 26 November on the horizon.
You will have marked 26 November in your calendar, because this is the date that your notified body can apply for accreditation under the MDR and IVDR. It’s kind of essential that they do, because if they don’t, do it later or fail to make the cut you will find yourself in the proverbial chickenwire canoe in crocodile infested waters.
I have warned against notified bodies doing weird stuff in the advent of the MDR and IVDR, and now there is the Brexit too. I now see notified bodies now do exactly the kind of crazy stuff that predicted and then some. Customers are ignored or outright thrown under the bus while the notified body closes down, has its scope restricted allows certificates to lapse, is just unavailable to even explain decisions or schedule audits.
What do we see happen in the notified body market? I am not mentioning names on the record because I’m not looking forward to legal issues with any of them and I often don’t have multiple sources backing up the fact patterns. I am just describing what I see and what I’ve heard myself and what others have told me.
The EU is consulting about the new notified body NBOG codes. Notified bodies apply for a designation under these codes, which together define the scope of the notified body. Your notified body is also already designated on the basis of the current NBOG codes, which describe its current scope. Two things are happening right now:
- notified bodies are ditching current codes because they can no longer support them. I’ve seen at least one notified body has sent its customers a letter that it no longer will support a specific code and terminating the mandate unilaterally for the certificates in that scope on a few months notice.
- informing manufacturers that they will apply for a more limited scope under the MDR or IVDR than currently, which may mean that the notified body cannot support the client under the new regulations. Some notified bodies that currently do IVDs will not for example apply under the IVDR, or not immediately, and the same likely to happen under the MDR.
These things are happening for a number of possible reasons. The notified bodies are strapped for resources required under the MDR and IVDR and a lot of people are on the move. This may even result in notified bodies having to restrict their scope as a result of crucial staff leaves – most notified bodies are this thinly staffed for some of the more exotic areas.
Scenario 1 is not nice because you have to find a new notified body rapido for your continued compliance under the MDD. The limitation in scope may have all kinds of causes, but it does mean that if you don’t have a new notified body by the time that the notified body mandate terminates you are officially orphaned – which is a problem because there is no EU law or national provision that can help you.
Fortunately it appears as though the heads of agencies for medical devices have agreed to a procedure that allows you to enter the orphanage of temporary competent authority supervision to allow you to continue to place product on the market for up to 12 months while you find a new notified body. The first two agencies to apply this were the French and the Swiss. Not every competent authority for medical devices is equally clear about it but the Dutch one has published the procedure that was apparently agreed on its website in great detail (in Dutch unfortunately). This procedure seems to replace / amended the NBOG procedure for ‘enforced change’ of notified body that applied since 2006.
You will need to apply to the competent authority of the EU member state in which you are established as manufacturer or (if the manufacturer is not established in the EU) in which the authorised representative is established. You will have to prove to the authorities among other things that:
- you will maintain the QMS until recertification by another notified body; and
- that you are actively seeking the services of another notified body, including a summary of the status and the prospects of finding one that will re-certify the devices concerned and when.
You will also need to provide:
- details of your PMS system, recent PMS reports and management review relating to PMS and vigilance; and
- an overview of incidents everywhere in the world over the last 36 months (per country and number of products sold); and
- an overview of open, started and finished CAPAs caused by incidents over the last 36 months (including cause, root cause analysis, conclusions and solutions).
Essentially you have to satisfy the competent authority that the safety of the medical devices concerned has been safeguarded pending the transition to another notified body. If you cannot convince them, you are an orphan without orphanage and will not be able to place the devices concerned on the market once the outgoing notified body mandate terminates.
Of course, during the transition under the supervision of the competent authority you cannot make any changes to the devices that would require notified body scrutiny or market a new device that was not covered by the certificate(s) at the outgoing notified body.
This is of course a really raw deal, especially since notified bodies have become very hesitant to accept ‘like for like’ or ‘transfer in good stead’ transfers in even the most amicable of scenarios, as they cannot be sure that the underlying file can be easily certified and in practice often don’t have the resources to do a new entry certification. Also, the NBOG guidance on enforced changes states specifically in cases of ‘foreseeable breakdown’ of a notified body that “[i]n this case a new certificate should not be issued solely on the basis of the previous NB’s documentation but a separate review of the manufacturer’s documentation and/or a site visit by the new NB may be necessary.” Also the new procedure published by the Dutch authorities seems to assume a full new entrance audit by the new notified body. This means that any notified body that is willing to accept you also needs to have the time available to do this, and in the short term.
Informing that the notified body will (probably) not apply under MDR / IVDR
Some notified bodies inform their clients that they (probably) will not apply for accreditation under the MDR and/or IVDR. That is a problem because this is not a notified body breakdown scenario of an ‘enforced change’ legally speaking because there is no ‘withdrawal of designation by the Designating Authority (partly or completely) or voluntarily abandons its designation (partly or completely)’ or liquidation of the notified body that causes the client to be orphaned.
The effect is however exactly the same as that in an orphaning scenario, except that you cannot ask for temporary under the umbrella of the competent authority temporarily.
This affects a large number of notified bodies. As discussed in an article in MedTech Insight on 18 September, notified body association Team NB expects that “at most 16-18 of its members will be ready to submit by late November. And given the potential for non-conformities to be identified in some of the applications, the association would be pleased to see 10 of its members get designated against the MDR/IVDR in the first wave.” I’m not sure if these numbers have changed since September.
This means that the association that previously said that all its members will apply at the same time so as to be designated all together at the same time has back-pedaled considerably on its members’ chances of making the MDR / IVDR cut. Five to seven members may not apply on 26 November, with the number of those that will not apply at all being unknown. I know of at least one that is already telling its clients it will not apply at all.
This is of course even more problematic in relation to IVDs because of the low number of notified bodies allegedly applying for accreditation under the IVDR (only five). Given the quantum leap of self-certified IVDs currently on he market that will need notified body certification under the IVDR (80-90% of the total IVDs will need notified body certification), it is already doubtful if the combined capacity of those notified bodies will suffice. The bottleneck that will occur under the MDR towards the end of the transitional period will likely be much worse IVDs.
[UPDATE: Team NB just published an overview of the intentions of each of its members regarding to application for MDR and/or IVDR accreditation, which now shows that all members intend to apply for MDR accreditation and 11 members for IVDR accreditation. As is clear from information on Team NB’s website this does not mean that all members will submit immediately. Some intend to submit in December and some intend to submit whenever.
Also, the intention of application as such does not say anything about the codes for which the notified bodies wil apply. It would have been helpful if we would have known if they intend to apply for the same scope or not. I’m very curious how these intentions relate to the earlier statement of Team NB itself and of course how they will translate to actual applications.
Finally, given the statements of some of the notified bodies themselves discussed in this article, I’m inclined to say: “seeing is believing” and would encourage all readers to check with their notified body (since all Team NB members intend to apply for the MDR at least) why they were making contrary or unclear statements before, whether they will really apply on 26 November, later or whenever and for what scope they will apply. Oh, and of course how they see their chances of actually getting accredited and when. Please share your findings in the comments to this blog post so the other readers can benefit too!]
Allowing certificates to lapse
Another particularly nasty scenario that I have observed happen to at least one client is just not respond to requests to please schedule the recertification audit and just letting the certificate lapse. This can happen either because the notified body has no personnel to actually do the audit or because it applies a proces of Verelendung (immiseration) on its clients to drive them away in the most negligent of ways.
Not applying at first opportunity
There are also notified bodies that will not apply for MDR and/or IVDR accreditation at the first opportunity on 26 November, but who will take their time to get ready. As is clear from the Team NB statement mentioned above, five to seven of its 23 members will not be ready to apply on 26 November or may not apply at all.
This may mean that they may suffer delays in being accredited (e.g. because they will not be in the first wave of joint audits) leaving less time to process manufacturers’ requests for MDR / IVDR certification before the end of the transition period. Guess whose problem that will be when the notified body does not manage to get you certified in time.
Move to another jurisdiction
General unavailability may be influenced by a notified body having to literally reinvent itself because it is moving to another jurisdiction. The candidates for this are the UK notified bodies (because of the Brexit) and possibly the Swiss notified body (hedging with respect to renegotiation of the new Mutual Recognition Agreement between the EU and Switzerland). Having to move jurisdiction will mean a new notified body under new jurisdiction, and not keeping the old number. If your notified body moves before it is MDR / IVDR accredited you may need to change your labels twice. This is a realistic scenario for the UK notified bodies, because the Brexit transition period ends March 2019. At least one of them will go to the Netherlands (BSI) and I’ve heard rumors about Belgium, Ireland and Germany for others.
A move to another jurisdiction may also coincide with a limitation of the notified body’s original codes, because the new jurisdiction may not support the same scope. Also, a scope reduction may be necessary because the notified body looses crucially competent staff in the move to the other jurisdiction.
If you have a Turkish notified body there is yet another issue: Turkey is allowed to have notified bodies for the three medical devices directives because these three directives appear on an annex to a 2006 decision of the EU-Turkey Association Council, which lists the EU instruments for which Turkey will fully harmonise its laws with the EU directives.
Guess what: the MDR and IVDR are not on that annex (meaning that for the moment Turkey is officially not implementing the MDR / IVDR) and we don’t know if or when they ever will be on that annex.
Given the current tensions between the EU and Turkey, it may be that Turkey doesn’t even want to have notified bodies and/or the EU does not want Turkey to still have notified bodies for medical devices for the MDR and IVDR.
Bottom line: if you are relying on a Turkish notified body for an MDR or IVDR certificate, this may not be your best option.
I hear from many clients and others in the market that their notified body is struggling to respond to questions and simple requests, like ‘please explain why you took this decision’, ‘what does this mean’ and ‘what do you want’. This may be caused by a variety of reasons having to do with notified body operations, and it is very annoying because it costs time and creates insecurity for the manufacturer waiting to get clarity on sometimes even simple things. Time is especially scarce these days, with the transitional periods for the MDR and IVDR running.
So now what?
What if your notified body orphans you, immiserates you, just doesn’t apply for MDR / IVDR accrediting or does not certify you into the MDR / IVDR in time?
Will you sue them? It happens often that companies that do not get what they want ask me if they should sue the notified body. It’s a good way to help me buy a new Porsche – I’ve had my eyes on the new Panamera for some time. However, it’s a bad way to get where you want to be. Even if you manage to prove that the notified body acted grossly negligently in the way it handled your certification process (already not very likely that you manage), the chance that you will get the court to rule that the certificate should have been granted on the basis of the dossier supplied is virtually nil. The court will – in that case – hand the case back to the notified body for another look. In the mean time you will have wasted at least a year without a certificate that allows you to place devices on the market while I have my Panamera and your competitors have your market share. The reason that I don’t have my Panamera yet now however is that I don’t advise companies to embark on legal procedures that do not serve the company’s goals. Diplomacy and having really good documentation and clinical data supporting the device(s) concerned is more likely to get you results and certificates. Better spend your money on excellent and convincing clinical data and technical documentation than on subsidizing my Porsche. Really.
The best you can do is to find a new notified body quickly and be pro-active about it. If you initiate a transfer that is voluntary the new notified body may accept the existing file without doing a full entrance audit. The better your files and data, the higher the chances that you succeed in the short term. If you need to change notified body or are thinking about it because your notified body seems to be on a road to nowhere lately, change sooner rather than later. Later in the transitional periods the notified bodies that do make the cut will be completely swamped by existing clients to have their existing devices certified into the MDR and IVDR. They will not be looking for new clients. The other notified bodies will have more time, but no MDR or IVDR certificates to grant. The only thing they can do is to renew the existing certificate once for a limited period of time (and with the disadvantages of the so-called soft transition – no design changes, no certificate changes, no supplier changes, but full MDR / IVDR compliance required otherwise).
Once you are safely transferred to another notified body you might still try to sue your former notified body for damages though, but at least you can take your time for it. And we know from the EU Court in the mean time that notified bodies may be liable for negligent oversight. Betting on getting a court to replace the notified body decision with its own judgement is however unlikely to happen (provided that the court is even allowed to do so under local procedural law).
Interesting times, in which you should definitely not sit on your hands complaining that it’s all too complicated to know what to do. Better leave that to your competitors.