The MDR and the Covid-19 recommendation – a possible template for fixing the MDR and IVDR bottleneck

On 16 March 2020 the Commission published the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat.

While this recommendation has been flagged here and there as ‘this may be important’ without real further comment, I have been thinking about this recommendation myself and here is my take on what it means and may lead to.

What is this recommendation about?

Obviously this recommendation is an attempt by the Commission to manage administrative barriers to placing PPE (personal protective equipment) and medical devices on the market that would be needed in the struggle to get the current Covid-19 pandemic under control. In my view you can also see this as a template for the next pandemic that has already started to affect the medical devices industry: the bottleneck caused by the date of application of the MDR.

Let’s see what the recommendation does: it addresses two kinds of administrative barriers: conformity assessment procedures and market surveillance procedures.

With regard to conformity assessment procedures, the recommendation states that

“the possibility for Member States to authorise derogations from conformity assessment procedures should also be considered, according to Article 11(13) of Directive 93/42/EEC and Article 59 of Regulation (EU) 2017/745 once the latter becomes applicable, also when the intervention of a notified body is not required.”

In other words: please, Member States, think about your options to propose national CE marking exemptions for devices that can be transformed into a pan-European measure by means of the article 59 MDR procedure. The Commission cannot take its own initiatives on this point but can recommend that the member states do this. The article 59 MDR procedure allows the Commission to make measures taken by one member state mandatory for the whole Union, which is a pretty useful feature. If one member state decides to allow a device on the market without CE mark and notifies the Commission, the Commission can validate the exceptionality and need of the measure under Union law and make an implementing act to make the measure mandatory for the whole Union, which becomes applicable after the member states and the EU parliament allow it through the implementing act procedure.

With regard to market surveillance the recommendation recommends member states to:

  1. The relevant market surveillance authorities in the Member States should as a matter of priority focus on non-compliant PPE or medical devices raising serious risks as to the health and safety of their intended users.
  2. Where market surveillance authorities find that PPE or medical devices ensure an adequate level of health and safety in accordance with the essential requirements laid down in Regulation (EU) 2016/425 or the requirements of Directive 93/42/EEC or Regulation (EU) 2017/745, even though the conformity assessment procedures, including the affixing of CE marking have not been fully finalised according to the harmonised rules, they may authorise the making available of these products on the Union market for a limited period of time and while the necessary procedures are being carried out.
  3. PPE or medical devices not bearing the CE marking could also be assessed and part of a purchase organised by the relevant Member State authorities provided that is ensured that such products are only available for the healthcare workers for the duration of the current health crisis and that they are not entering the regular distribution channels and made available to other users.

The first point addresses dangerous non-compliant devices. I already see a spike in placebo medical devices and non-compliant Covid-19 self tests of which nobody knows where they come from or whether they even work for this intended purpose. Needless to say, authorities should clamp down on those.

The second point seems to be a reference to the article 97 (3) MDR procedure, under which the Commission can specify appropriate measures by implementing act for devices that are non-compliant administratively but do not present an unacceptable risk to health and safety of patients. This is an interesting procedure because unlike the article 59 procedure it allows for block exemptions.

The third option is also a good option: member states allow devices purchased according to certain specifications for the duration of the health crisis. This works especially well when devices are purchased via tenders.

So this recommendation, if you realize that the Commission does not have any direct power under the MDR to take emergency measures, is really something. But it can also be a stepping stone for the way the EU handles the consequences of the bottleneck in medical devices approval caused by the way the MDR was set up, and which is now compounded by the Covid-19 health crisis.

What does/could this mean for the MDR and its date of application?

Everybody and their mother wants the date of application of the MDR moved for obvious reasons – with the Covid-19 pandemic happening, notified body capacity is collapsing, and manufacturers have facilities closed down so are unable to receive physical audits. Even though everybody does what they can remotely, the processes are even more delayed and are delayed severely. We may not even be out of lockdown in many places by the DoA of 26 May 2020.

The DoA, the abbreviation for Date of Application, is starting to be cynically used as ‘Dead on Arrival’ by now. The situation is really getting out of control, even if everybody, including notified bodies, is doing their best to keep working the problem.

Yet, there is no mechanism in the MDR for moving up the DoA quickly because the EU is not set up this way. Clamoring for that is therefore not going to work.

A change of the DoA requires a legislative change, which cannot happen quickly. Reopening the MDR would lead to a situation where everybody would propose amendments or disagree, and that would bog down the process even more. Even if everyone agrees and does not propose amendments, the process takes several months. So that won’t work anymore now.

Emergency measures then? Since the EU is not a federation we have not delegated that much in terms of actual decision making power to the EU institutions, especially not in healthcare. The Commission is allowed to propose and the EU may adopt internal market measures that have a health dimension, but it is totally not allowed for the EU to intervene in emergency health situations on its own initiative with binding measures. Member states closely guard their national competence in that field and are not going to hand that over to Brussels. This pandemic shows that doing exactly that may not be such a bad idea – as they say, never waste a good crisis.

All emergency procedures in the MDR therefore start with a member state or an MDCG initiative, which is subsequently made binding by the Commission with an implementing act. The implementing act can always be blocked by member states or the Parliament. So this is how the EU works: nothing happens unless everyone agrees. Usually this works fine. In pandemics, it’s not so efficient.

The only way to move the MDR date of application is to start a new legislative procedure and change the date of application. Nobody wants to start a new legislative procedure at the moment however. Why? Because first, it is a slow process. Secondly, everybody will put in amendments because they can, slowing down the process enormously because nobody is going to agree with the amendments of everybody else just like that.

My thinking is that a version 2.0 of this recommendation would solve a lot of problems, without needing to go through a legislative procedure to amend the MDR. It would be appropriate too, because the Covid-19 pandemic and the date of application overlap and compound issues. Many of the bottleneck problems that we were having already with respect to notified body capacity have been steeply exacerbated by the Covid-19 pandemic.

A new recommendation drafted with the date of application in mind could provide the necessary coordinative template for member states to solve the unavailability of safe devices as a result of administrative problems, because the Commission does not have the power to do this. The recommendation 2.0 would provide a template for concerted and efficient use of the article 59 and 97 (3) MDR procedures. Everybody wins, and the patients the most. Wouldn’t that be great?

Again, why not the IVDs?

As we have seen with the Joint Implementation Plan, this Covid-19 recommendation also does NOT apply to IVDs – it only mentions medical devices under the MDD and the MDR. I don’t understand how you can ignore IVDs when the whole healthcare system is complaining about a lack of tests? In any pandemic, access to sufficient relevant tests is vital. I can for the life of me not understand how it is possible to ignore IVDs in this scenario.

Any recommendation 2.0 aimed at fixing the medical devices bottleneck should address IVDs too. The writing is on the wall that the bottleneck will be far worse for IVDs.

A little side note on standards

Everybody is frustrated about the delay in harmonised standards for the MDR and IVDR, but this is no reason for delay as such. The recommendation reiterates in recital 18 that

“compliance with the harmonised standards is not mandatory. Manufacturers are free to choose other technical solutions provided that the specific solution which is retained ensures that the medical device complies with the applicable essential health and safety requirements.”

So, absent the harmonised standards manufacturers must think about what the state of art really is, and how a GSPR can really be met by their solution. Good time to think out of the box. The recommendation impresses in recital 22 on notified bodies to be flexible in this, and not be hung up on standards per se.

So – outlines of a way out

Using the recommendation 2.0 route could be the best compromise under the circumstances – a tried remedy that everyone should be able to live with and that has a good chance of solving a lot of problems related to the conformity assessment bottleneck exacerbated by the Covid-19 pandemic. A true European solution! Now we just have to do it.

New MDCG Class I Article 120 (3) and (4) MDR guidance – nothing new but nice summary of requirements

I have blogged before about the effects and possibilities of the Corrigendum of December 2019 for class I medical devices. I refer you to that blog for the background to this discussion, which covers the mechanics of timing. The draft corrigendum discussed in that blog was adopted as described.

The new guidance

The MDCG has now (finally) published its guidance MDCG 2020-2 on the subject, which confirms everything in that blog in terms of the mechanics of timing, but adds important procedural requirements for a class I manufacturer about how to actually document things, what the state of the technical file and QMS should be and what the declaration of conformity should look like, because these are things that manufacturers of class I devices often do not get right.

Contents of the declaration of conformity: guidance on the content of the Declaration of Conformity can be found, inter alia, in “The ‘Blue Guide’ on the implementation of EU products rules 2016 (2016/C272/01)” and the standard EN ISO/IEC 17050-1. That guidance was always there already (and this is yet another reason to read the Blue Guide, which everybody should do – it contains many of the answers to the questions that people keep asking me).

If you do amend your technical documentation and/or DoC, mind you that 

“Necessary amendments/updates to the technical documentation should be done in a transparent manner. Both the changes and the dates of when the changes were made should be recorded. On the basis of the Declaration of Conformity and the corresponding technical documentation, the manufacturer should be able to demonstrate that the Declaration of Conformity was lawfully  issued before 26 May 2020 and that, subsequently, there are no significant changes in the design or intended purpose in the meaning of Article 120(3) MDR.”

Also this requirement should not be a surprise, but here you have it again.

For whom?

For which manufacturers is this important? This is important for all manufacturers whose medical device would be up-classified under the MDR, including but not limited to (standalone) software, substance based devices and inhalers.

Can’t figure it out? This is the moment to dare to be wise and really understand this stuff, or ask someone to help you understand. That could be me or any other good medical devices expert out there. It’s busy times though as you may have noticed, so ask sooner rather than later. 

The MDCG cybersecurity guidance – a helpful rush job

It has been some time since the MDCG guidance on cybersecurity for medical devices was released (MDCG 2019-16 December 2019), so everybody has probably had the opportunity to get used to the document by now.

While the document is by no means ideal or even flawless (congratulations MDCG on a glaring spelling mistake in the very title of the document (corrected later, just like the heading numbering mistakes)), it does provide helpful context on what the EU regulator would like to see in terms of cybersecurity for medical devices under the MDR and the IVDR, which concerns both standalone software and devices running software. The real value of the document is that it shows how different parts and requirements under the MDR and IVDR are interconnected via PMS and risk management, two areas in which the EU expects everyone to up their game considerably.

The document is based on IMDRF work on cybersecurity for medical devices, to which it often refers, specifically the very useful IMDRF’s Principles and Practices for Medical Device Cybersecurity document, which is currently under consultation.

The guidance comprises:

  • An introduction;
  • Basic cybersecurity concepts;
  • Secure design and manufacture;
  • Documentation and instructions for use;
  • PMS and vigilance;
  • Links to other EU and International legislation and guidance; and
  • Annexes with examples and reference material

Some context

As you will know the MDR and IVDR contain new (cyber)security GSPRs in GSPR 17 and 16 respectively, but did you know that the MDR and IVDR require a much broader perspective on cybersecurity? As in many aspects, the MDR and IVDR do not provide a finite list of specific stuff you need to do, which, I know, is a problem for many manufacturers and especially their software developers.

A lot of software was never or is not developed from the ground up with cybersecurity in mind, and certainly not in the context of a good risk management plan that takes into account all the risks related to its use in the environment that it is used in, the hardware it is run on, the dependencies it has with other systems and the relationship with other legislation that also governs software or IT processes, like the General Data Protection Regulation (GDPR).

Software developers scrum and sprint all over the place, often without having a good idea of the end that they should have in mind in terms of development goals. Often development teams will focus on delivering ‘something that works’ rather than ‘the software specified that meets the requirements specified’ and may even tack on some security at the end. Also, post market surveillance is typically not one of the things that is top of mind. Or, as researchers and authorities put it euphemistically (“MDMs” are medical devices manufacturers and MD is medical device):

“even if there is a clear regulatory framework for the introduction to the market of medical devices, the culture of cybersecurity is still very inconsistent among MDMs. MDMs fail to include cybersecurity in the MD design and development process as there is few guidelines or recommendations dedicated specifically to IT cybersecurity of medical devices.”

This approach will not do under the MDR and IVDR anymore. If there is one message that this guidance document gives, it’s that everything is connected (Connected Everything), that the MDR and IVDR require Consistency Everywhere (CE puns intended) and that the MDR acronym More Data Required also applies to cybersecurity, both pre- and post market.

What devices does this apply to? Well, to all devices governed under the MDR and IVDR, which includes standalone software that is a medical device under these two regulations, see MDCG 2019-11.

If you’d like to have an entertaining evening with cyber exploits of medical devices within a hospital, consider watching CSI Cyber’s Hack ER episode, in which a hacker takes control of all networked medical devices at a US hospital and threatens to kill one patient every hour if his demands are not met. Of course this is a fictional and much dramatized story, but the device and network exploits shown in it are all possible and do happen in reality. The ones in this episode are actually among the easier ones. This episode dates back to 2015 – hospitals are regularly hit by ransomware attacks and devices still get hacked all the time.

This may also be a good way to explain to your company’s management that lives are actually at stake if cyber risk management of the devices does not check out. Management is often less concerned with these technicalities and more focused on sales, as we’ve recently seen in the passenger aircraft industry: regulatory Cassandra and engineering Cassandra sound the alarm (this design is unsafe and does not meet requirements), regulatory Cassandra and engineering Cassandra are subsequently completely ignored or told to shut up, after which the risk does materialise and management bails with their golden parachute. Is that a responsible way to do things? As my grandmother would say: asking the question is answering it.

So let’s be responsible. Even though security by design is the best way to have safe technology, it is also an important concept under pressure because of the way technology is designed, developed and deployed. I have seen at many companies that design and development processes are just not set up or funded to deliver the best possible outcome in this regard. Under the MDR and IVDR this will not fly anymore, and substandard processes or outcomes will lead to non-conformities and/or enforcement.

An introduction

So how does cybersecurity function under the MDR and IVDR and how is everything interrelated? The below visual from the introductory chapter gives a nice overview.

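[Figure: overview of how cybersecurity functions under the MDR and IVDR, from the introductory chapter of the guidance]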

This concerns a lot of processes, all of which are interrelated. I teach MDR these days by using the acronyms Connected Everything and Consistency Everywhere. This is definitely true for cybersecurity as well, because its requirements affect many processes and a lot of documentation horizontally and even diagonally:

  • Conformity assessment procedures: Article 52 MDR / 48 IVDR
  • Privacy and data protection: Article 62 (4) (h) MDR / 58 (4) (h) IVDR: General requirements regarding clinical investigations conducted to demonstrate conformity of devices (this is not really addressed in the guidance but I’ve written something about it in this blog)
  • Post-market surveillance system of the manufacturer: Article 83 MDR / 78 IVDR
  • Post-market surveillance plan: Article 84 MDR / 79 IVDR
  • Post-market surveillance report: Article 85 MDR / 80 IVDR
  • Periodic safety update report: Article 86 MDR / 81 IVDR
  • Reporting of serious incidents and field safety corrective actions: Article 87 MDR / 82 IVDR
  • Trend reporting: Article 88 MDR / 83 IVDR
  • Analysis of serious incidents and field safety corrective actions: Article 89 MDR / 84 IVDR
  • Technical documentation: Annex II MDR and IVDR
  • Technical documentation on post-market surveillance: Annex III MDR and IVDR
  • Clinical evaluation and post-market follow-up: MDR and IVDR Chapter VI and Annex XIV MDR / XIII IVDR

Let’s take a look at risk management, because that is at the core of cybersecurity. Risk management is dealt with much more prescriptively in the MDR and IVDR than in the directive. GSPRs 1 to 8 in Annex I in both regulations hardwire risk management into the law much more prescriptively than happened under the directives, and there is a lot of risk management language scattered in the text of the regulations. You have to meet these requirements by default now (like the risk management system pursuant to article 10 (2) in both regulations).

The guidance ties the different parts of the MDR or IVDR that have to do with cybersecurity together, both visually and by means of a neat table, because everything is connected indeed.

General safety and performance requirements

The guidance also contains a convenient table for reference to Annex I related cybersecurity obligations. This is not the whole picture for the whole MDR and IVDR though, mind you, but it does show that the cybersecurity related measures are not only contained in sections 17 and 16 of Annex I of the MDR and IVDR respectively – and this table just shows the links within Annex I of the MDR and IVDR.

Table 1 Correspondence table between sections, relevant for this guidance, in MDR Annex I and IVDR Annex

Basic cybersecurity concepts

Chapter 2 of the guidance discusses a number of important concepts in cybersecurity. The guidance revolves around the well-known CIA concept (Confidentiality, Integrity and Accessibility) throughout the lifetime of the device. These requirements are described quite well in the BSI White Paper on Cybersecurity for Medical Devices.

Compromised CIA might impact medical purposes as specified in the medical device definition in MDR Article 2.
The guidance defines 8 security practices, which largely overlap with the premarket considerations set out in the IMDRF’s Principles and Practices for Medical Device Cybersecurity document that is currently under consultation.

Operating environment and other stakeholders

The relationship with the operating environment is discussed in a number of places in this chapter of the guidance and elsewhere in it. The manufacturer must have a good understanding of the operating environment in which the device will be deployed to be able to implement appropriate layered defense measures independent of and not affected by the operating environment, to ensure that the medical device is designed and manufactured in a way that ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimized. This is why GSPR 17.4 MDR and GSPR 16.4 IVDR require that the manufacturer addresses what operating environment conditions the device has been designed for in order to work safely as intended. This also applies to modification of a device! The guidance refers explicitly to the IMDRF Practices and Principles document here, and section 3.6 of the guidance goes into quite a lot of detail on the operating environment.

One of the important and interesting parts is the interface between manufacturer and other stakeholders (systems integrator, operator, end user) emphasizing joint responsibilities. While I think it is very important that the MDCG stresses that cybersecurity is a collective effort, the MDCG shows in this section that it does not always completely understand how contracts between manufacturers and customers work.
The operator section (2.6.2) does not mention the concept of health institution defined in the MDR and IVDR, although it seems to refer to this concept because it describes the operator as the party procuring the device, which is strange. It would have made sense to link this, as this does happen in the IMDRF’s Principles and Practices for Medical Device Cybersecurity document.

Secure design and manufacture

Secure design and manufacturing begins with the end in mind, which means managing risks from the very start and continuing to manage risks throughout the life cycle. Did I say already that risk management under the MDR and IVDR has become much more detailed and prescriptive?

Risk management

I find that many companies do not do a very good job at this. Security as a requirement is added to the process too late, or the development process is chaotic and badly documented and does not take security into account at all. Or, that happens too, nobody tells the software engineers about these requirements and they find out when the development cycle does not allow for sufficient time to get this right anymore.


One of the big problems with secure design and manufacture is that there are (still) no harmonised standards under the MDR available. This means that there are no standards that give an automatic presumption of conformity under the MDR and that manufacturers of MDR covered devices will need to do their own state of art assessment per GSPR, and will need to include rationale in their technical documentation why the standard selected is the appropriate standard for the GSPR concerned and why the standard is state of art. Notified bodies will audit this rationale and will find non-conformity where the rationale is lacking.

COCIR has developed a convenient overview of relevant standards in its 2019 document Advancing Cybersecurity of Health and Digital Technologies:


The guidance contains a list of standards in Annex III of the guidance, which largely overlaps with the above COCIR overview but mentions a number of additional standards as well, such as IEC 82304-1 Health Software Part 1: General requirements for Product Safety and of course the good old EN ISO 62366 / ISO 60601-4 Usability Engineering.

Documentation and instructions for use

The guidance makes it very clear that the system for risk management required under article 10 of the MDR and IVDR is laid down in the documentation of Annexes I (GSPRs), II (technical documentation, contains the GSPRs) and III (technical documentation on PMS).

In addition there is the information supplied with the device, sections 23 (MDR) and 20 (IVDR) of Annex I. The guidance contains a detailed overview of the requirements. Mind you that EU MDR and IVDR risk management is very specific and strict on first applying risk management as far as possible via design and risk reduction and only then managing the acceptable residual risk by providing user information.

PMS and vigilance

One of the important, but in my view also still underdeveloped, items in the guidance is PMS and vigilance with respect to cybersecurity. This is the area where I expect the market to have the steepest learning curve.

Under the MDR and IVDR, PMS is a much more prescriptive, active lifecycle process that must be laid down in the PMS plan based on article 84 MDR and 79 IVDR, which means that the manufacturer must continuously evaluate whether the cybersecurity measures applied for the device remain state of art. Just passively reacting to user complaints is clearly not the way to meet this standard – a manufacturer that cannot demonstrate having a PMS plan in place with the elements in Annex III, 1.1 (b) MDR and IVDR will not be seen as compliant and its devices will not be seen as safe.

As the IMDRF puts it in the Principles and Practices document:

“As vulnerabilities change over time, pre-market controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a post-market approach is necessary in which multiple stakeholders play a role. This post-market approach includes various elements and include: the operation of the device in the intended environment, information sharing, coordinated vulnerability disclosure, vulnerability remediation, incident response, and legacy devices.”

For devices that run software and that are software, the cybersecurity section will be a very important part of the PSUR or PMS reports (article 85 and 86 MDR, articles 80 and 81 IVDR).

Vigilance processes at the manufacturer will need to be set up in a way that they can recognize cybersecurity issues and can get to the bottom of the root cause, and can do this very quickly. This is why the IMDRF Practices and Principles document recommends setting up

“an incident response management policy and build an incident response team based on its product portfolio. The aim of incident response team is to provide appropriate capacity for assessing, responding to and learning from cybersecurity incident, and providing the necessary coordination, management, feedback and communication, for timely and pertinent action during the next incident.
Preparedness includes establishing an incident management policy, developing detailed incident response plans, building an incident response team, routinely testing and exercising incident response, and continuously improving this capability through lessons learned.”

Or in the words of the guidance: An effective and successful post-market cybersecurity surveillance program should include the following aspects (section 6):

  • operation of the device in the intended environment;
  • sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors;
  • vulnerability remediation; and
  • incident response

The guidance emphasizes the active elements of PMS that are underlined in Annex III too, stating that handling and remediation of cybersecurity incidents and vulnerabilities reported through the post-market surveillance and vigilance systems shall be carried out in conformity with the methodologies described in section 3.2 of the guidance, with regard to:

  • Assess the need for reporting serious and non-serious incidents and of carrying-out field safety corrective actions;
  • Enhancing security capabilities;
  • Update the original Security Risk Assessment;
  • Update the Verification and Validation;
  • Update the original Security Benefit Risk Analysis; and
  • Update the Technical Documentation.

Can you see how these requirements are life cycle commitments to make the device and its risk management better? Welcome to the MDR and IVDR because that is the expectation. You will never be done improving your device and its cybersecurity.

The guidance goes into some detail describing vigilance reporting formalities. As I will discuss in relation to the GDPR below, these processes will need to be linked into the GDPR incident procedures, notably data breach procedures. Mind you that the GDPR can require super fast reporting and even reporting to data subjects (patients). The link between device cybersecurity and GDPR data security is also very evident in the section about legacy devices of the IMDRF Principles and Practices document (section 6.6), which is an area discussed under GDPR guidance years ago.

Companies often tend to focus on a patch as a corrective measure, but just pushing out a patch may not be enough and other compensating controls may need to be deployed. Also, a patch may create other vulnerabilities, so even the patch itself and the patch delivery process are subject to risk management (e.g. can you trust your user to administer the patch in a timely fashion proportionate to the risk and what if they don’t?). The IMDRF Practices and Principles document has a helpful section on patches and patch processes in the overall discussion of vulnerability remediation in section 6.4.

Cybersecurity in clinical trials

While the focus in the guidance is very much on cybersecurity for devices as part of CE marking, the MDR and IVDR also have cybersecurity requirements for clinical and performance trials that you do not really hear anyone talk about. Interestingly this is also not discussed in the MDCG guidance in any level of detail, although this is an important subject. It also goes to the heart of your clinical trial agreements and CRO agreements.
Article 72 (4) MDR and 68 (4) IVDR contain requirements for security and confidentiality of personal data of trial subjects, or more precisely: appropriate technical and organisational measures shall be implemented to protect information and personal data processed against unauthorised or unlawful access, disclosure, dissemination, alteration, or destruction or accidental loss, in particular where the processing involves transmission over a network.

These measures are not subject to notified body conformity assessment but rather to member states’ competent authorities’ oversight and actually their inspection (article 72 (5) MDR and 68 (5) IVDR). They do not only apply to trials where an investigational device is tested, but also concern the set-up of any devices trial involving other non-investigational devices, e.g. home monitoring of trial subjects with wearables and apps.

Because cybersecurity in clinical trials is also much focused on confidentiality of patient data, this means that any process of the manufacturer must be closely intertwined with software and software device security processes. Since these processes are often facilitated through third parties (CROs), everyone has a role in this. Where the device itself is investigational, it should already be up to standards from a cybersecurity perspective, which should be checked as part of the approval process (article 71 (3) (c) and (e) MDR and article 67 (3) (c) and (e) IVDR): whether the measures planned for the safe installation, putting into service and maintenance of the investigational device are adequate and whether the device meets the requirements for a safe clinical investigation device (which includes solid risk management).

All of these measures must be made transparent: the application dossier under Annex XV MDR or Annex XIV IVDR contains (Annex XV, 4.5 MDR or Annex XIV, 4.5 IVDR) a description of the arrangements to comply with the applicable rules on the protection and confidentiality of personal data, in particular (so not limited to or only):

  • organisational and technical arrangements that will be implemented to avoid unauthorised access, disclosure, dissemination, alteration or loss of information and personal data processed;
  • a description of measures that will be implemented to ensure confidentiality of records and personal data of subjects; and
  • a description of measures that will be implemented in case of a data security breach in order to mitigate the possible adverse effects.

This means that also member states’ approval bodies need to be able to understand this.

Links to other EU and International legislation and guidance

The MDR and IVDR are not an island in how they prescribe cybersecurity requirements. The below overview of the Commission shows the whole picture, of which I will discuss some of the regulations and directives referred to.



As we have seen above, the MDR and IVDR weave the GDPR in already where it comes to data and IT security in clinical trials, as well as for the investigational device design. But there is more.

The GDPR contains requirements regarding privacy by design and default (default being an interesting one in the light of Annex I 17.4 MDR and 16.4 IVDR about operating environment), which includes the security to ensure this, as you can see in the ENISA Handbook on Security of Personal Data Processing. For the English speakers, some ICO guidances on security under the GDPR can be found here, here and here. Mind you, the UK has left the EU, so the ICO has nothing more to say about the GDPR for the future so only past guidance is of any use. There is also more security related guidance under the GDPR at the Commission’s website.

The GDPR furthermore requires reporting and investigating data breaches in a time frame much shorter than normal vigilance reporting deadlines under the MDR and IVDR and the sanctions for not meeting this deadline can be quite severe. In severe cases, companies are also obliged to communicate the data breach to all data subjects involved without undue delay and under 72 hours.

A data breach for GDPR purposes and a serious incident for devices regulation will often overlap, which means that a company should have interfacing procedures to ensure that it does not act inconsistently. As you can see in the Annex II to the guidance (Examples of cybersecurity incidents/serious incidents), many of the cybersecurity incidents mentioned also involve a data breach or other form of access/processing that was not as intended. Therefore there should also be a very good connection between the company Data Protection Officer and the PRRC under the MDR and IVDR, to ensure that data protection related risk management and devices related risk management are consistent and adequate. Reporting requirements under the GDPR and MDR/IVDR also vary, which has to be accounted for in the procedures.

Keep in mind that where there are a number of parties involved (e.g. devices company, third party cloud provider, third party installation and maintenance services provider, health institutions and patients) in different jurisdictions in different time zones, things can get very complicated very quickly if you have not planned in advance and 72 hours is very very short then. Also, your customers may have additional reporting obligations, for example under the NIS Directive if they are EU healthcare institutions.

NIS Directive

Healthcare institutions are likely to be subject to the security obligations foreseen by the NIS Directive. As explained here, the NIS Directive had to be implemented by the means of national legislation by member States before May 2018.

In fact though, several member States have envisaged delays in its transposition and some especially with regard to the identification requirement of Operators of Essential Services, which normally would include healthcare institutions. While the situation appears promising, a further coordinative effort at a European level might be needed, in order to ensure a more coherent implementative approach.

See here for a good overview of NIS Directive obligations. While the devices industry is not subject directly to these, its customers (healthcare institutions) often will be.

The guidance contains a convenient Annex I with Mapping of IT security requirements to NIS Directive Cooperation Group measures.

Cybersecurity act

The EU Cybersecurity Act envisages the creation of a pan-European cybersecurity certification framework for ICT products and services. The healthcare sector may be perceived as one of the key sectors to be covered by one or more ICT security certification schemes. Nonetheless, significant steps still need to be taken in this regard.
An overarching European Cybersecurity Certification Group will be established and each country will need to appoint a certification supervisory authority. Creating these structures may cause additional fragmentation of, and/or overlaps with, existing security policies.
Whereas the cybersecurity certification in principle is voluntary, this can be overruled by any Union or Member State law. As a consequence, a patchwork of regulatory requirements may appear, as Member States introduce their own requirements for cybersecurity certification.


The document is a helpful piece of guidance for a more holistic picture of cybersecurity requirements under the MDR and IVDR put in context. It feels however put together hastily, which is evidenced by the first published version containing formatting errors and typos even in the title of the document on the cover page. The document does not fit together as systematically as it could, which shows to me that also for the MDCG this is a developing item.

Although the MDCG guidance has helpful visuals in it, the IMDRF Practices and Principles document is set up much better and more systematically, and contains many useful and precise examples. Used together these documents are very useful.

Manufacturers that already implement very solid state of the art software design may find that they need to up their game somewhat (this will not be the majority), but I am sure that there are many manufacturers that will need to make significant improvements, especially in the nexus with the GDPR and their PMS/vigilance procedures.

Health institutions would do well to understand the operator and end user dimensions of this, as knowledge and capacity is often lacking in my experience.

CROs and other service providers also need to understand these requirements.

This document should therefore be used in context with GDPR guidance, the other software guidance MDCG 2019-11 and the to be expected Guidance on clinical evaluation and performance evaluation of medical device software.

The MDCG MDR joint implementation plan

The MDCG just published a joint implementation plan regarding the MDR. Here is my summary and analysis. It’s not a happy story.

Not the IVDR

This implementation plan is not about the IVDR, and the fact that it is not about the IVDR is information in itself. It means that the MDCG is not even thinking about the IVDR at the moment, because it needs all its resources to keep the MDR on track. At the end the document mentions: “It is also vital, following the 26 May 2020, to focus on the implementation of IVDR to ensure effective application as of 26 May 2022.” In other words: IVD industry, you are on your own for the moment. When the MDR applies it’s your turn with less than two years of transitional period left. That’s three good years of transitional period lost, like tears in the rain.


The plan provides that

“the Commission services and Member States are working closely to identify harmonised administrative practices and technical solutions to facilitate the exchange of information until EUDAMED is functional, in particular for cases where such exchange would be difficult to achieve based on the corresponding provisions under the current Directives. Guidance documents are being prepared in this respect with the aim of being endorsed by MDCG before 26 May 2020. The Commission services are pursuing the development of EUDAMED with the highest priority to deliver the actor registration module by May 2020 and other modules in a gradual manner thereafter, working towards full functionality by May 2022. The actor module will be deployed from 26 May 2020 and an MDCG position paper is under preparation with the aim of explaining the issuing of Single Registration Numbers (SRNs) and to encourage a common approach across the EU to record actors’ data.” 

This is literally nothing new compared to the Commissioner’s statement in the December council meeting. I certainly hope that at least some progress was made in the background. 

From an operational perspective, the development of EUDAMED will continue based on the functional specifications made public in March 2019. Following the release of the actor module by 26 May 2020,  EUDAMED will be deployed in two phases:

  • First phase: UDI/devices registration, the notified bodies and certificates modules (when functional).
  • Second phase: vigilance, clinical investigation and performance studies and market surveillance. 

The document mentions that the Commission services are committed to keep MDCG regularly updated on the overall progress towards full functionality of EUDAMED. This would be a nice change. Remember the December 2019 Council meeting? The Member States were not at all happy about how they had been kept in the dark about where the Commission was with EUDAMED. Let’s hope that has improved now.

Turkxit and Swixit

The paper confirms what we already knew: Turkxit and Swixit are completely on the table still, and timely inclusion of the MDR and IVDR (Regulations is used in plural in the document) is unsure. 

The implementation plan also solves a question that I was asked by more than one company: do we need an AR for products of Swiss origin? Contrary to my own position and advice to clients so far I have seen some lawyers defend that you do not. The implementation plan now says univocally that you do need an AR:

“For products of Swiss origin or products from third countries having their authorised representative in Switzerland, EU authorised representatives and registration according to the MDR will be required.”

Did I ever say that this was the time to think about scenarios? Well, this is the time to think about scenarios. And then I did not even mention Brexit scenarios. Because you’ll need scenarios for that too. If you need help, let me know and amaze me with a scenario that I have not seen yet. You really have to understand the MDR economic operator regime at this time. If you don’t, there will be costly mistakes.

Exceptional emergencies

The MDCG reminds us about the procedure under article 59 (8) MDR and underlying national measures as a last resort. Yes, we have known about that for a long time, if only because MedTech Europe told everybody about it last December. It would be rather nice if we knew something about how the exception would be applied in practice. Now we just know that the Commission can extend a national exemption to a Union wide one under exceptional circumstances, which is literally what the law has already said for years, since 5 May 2017 to be precise (date of publication of the MDR). This is not the kind of clarification we are looking for, MDCG!

Priority actions regarding placing on the market of devices

The implementation plan defined a number of priority actions and if the EU says “priority” and MDR in one sentence, then you know it’s urgent and it’s serious. Someone is on the ball and decisive action is taken!

Remember all the ‘priority’ guidance promised in December 2017? Still to arrive. What is disconcerting to me is that these actions are defined as priority actions to be taken, while I would think that most of them should be underway for years by now:

  • Endorse guidance on the application of the transitional period, notably in relation to the interpretation of conditions concerning “significant changes” in accordance to Article 120(3) of the MDR (MDCG) – this should have been there long ago.
  • Endorse guidance on the consultation of relevant authorities for legacy devices with ancillary substances or manufactured using TSE susceptible animal tissues (MDCG) – this should have been there in May 2017.
  • Endorse guidance on how affected manufacturers of some class I devices can make efficient use of the transitional provisions in Article 120 (3) and (4) of the MDR (MDCG) – fortunately I have written my version of guidance for you in a blog (the draft corrigendum described in that post turned out as expected).
  • Request regular reporting from industry and notified bodies and monitor market developments and activities performed by notified bodies aiming at detecting possible delays that could lead to shortage of devices on the market (Member States and Commission services) – at this point everybody is voluntarily shouting this at the Commission and especially MedTech Europe and COCIR have been more than vocal in this regard.
  • Examine different means to ensure availability of safe and critical medical devices and provide guidance, as appropriate (Member States and Commission services) – indeed, also the MDCG apparently does not seem to do a lot in terms of scenarios if they are only starting with this now.
  • Provide for mechanisms to communicate between Member States Authorities and the Commission on availability, potential risk of shortages and measures taken to ensure availability of safe and critical medical devices. (Member States and Commission services) – same comment as previous point.

So we have priority actions without deadlines and no further concrete implementation plan. If that does not inspire confidence I don’t know what will, pardon the cynicism.


Several things are holding up clinical matters under the MDR.

First, we do not have operational expert committees for the application of the clinical evaluation consultation procedure (scrutiny procedure) – no expert panels yet, no internal procedures.

Secondly, we do not have guidance that has been forthcoming for a loooong time: on clinical evidence needed for medical devices previously certified under the MDD and AIMDD (the legacy medical devices) and on equivalence for well-established technologies.

The MDCG has been shockingly slow to deliver this. We now have timing for 26 May 2020.

Implementing acts and further guidance

There are implementing acts that are in place, and there are implementing acts underway, the plan helpfully informs us. Progress! We had no idea about this. The Implementing Decision for the standardisation request to CEN/CENELEC for MDR / IVDR harmonised standards, the Implementing Regulation on Common Specifications for the reprocessing of single-use medical devices and the Implementing act on devices without an intended medical purpose (Annex XVI MDR) are in the pipeline and may even be adopted by 26 May 2020, while this concerns essential foundational material that should have been adopted in 2017 because it was needed already then to make a difference for effective implementation by the market.

The MDCG refers to a number of the guidances on the roster that we knew about from the rolling guidance overview. No dates for delivery, so no new information.

After reading

I must say I felt rather disappointed and underwhelmed after reading this document, which did not contain anything new apart from a shocking lack of progress with implementing the MDR and confirmation of what I feared was happening: that the IVDR implementation was put on the back burner pending MDR resolution. I am not optimistic about the period up to 26 May, and I am not optimistic about IVDR implementation either, not in the least because the IVD industry also seems slow to catch on to the IVDR, which means trouble brewing.


Brexit is a fact – now deal with it

Following the European Parliament’s vote, the Council has now also agreed to the Brexit with its decision on the conclusion of the withdrawal agreement on behalf of the EU. The EU Parliamentarians sang off the UK members and celebrated that they never have to speak to Nigel Farage again. UK EU civil servants are clearing out their desks at the EU institutions.

This means that the UK will now, after a long and winding process, finally leave the EU by 31 January – which is tomorrow.

But will it really? In fact, the UK will become a third country in which EU law applies for possibly years to come, but that sounds a lot less glamorous of course.

I am getting questions from all directions again so let me reiterate for you how this thing works, on top of my earlier blogs on the subject or mentioning the subject. I will also put in some political analysis.

To understand the Brexit you have to realise that it’s a multistage thing:

Stage one: UK = 3rd country with EU law per 31 January

The withdrawal agreement will enter into force upon the UK’s exit from the EU, on 31 January 2020 at midnight CET. From that time on, the UK will no longer be an EU member state and will be considered a “third country”. But that does not mean they are “out” yet. Or in terms of the MDR: that they have ceased to form part of the Union for the purposes of the MDR and existing directives. This is not the case yet because EU law continues to apply.

By 31 January midnight the Brits can say that they escaped the tyranny of the EU because they are independent again and the British tabloids will run patriotic hyperboles about the UK having regained control over its own destiny again. Except the UK is not independent yet, likely not for years to come.

Stage two: transitional period from 1 February to 31 December

From 1 February to 31 December 2020 there will be a transitional period, to provide more time for citizens and businesses to adapt.

During the transition period, the UK will continue to apply Union law but it will no longer be represented in the EU institutions. In other words, nothing changes except that the UK continues to apply EU law and has even less to say about the creation and interpretation of EU law than Liechtenstein or Iceland. Many companies will sit on their hands as usual and not prepare for the Brexit at the end of the year.

In the meantime, the EU and the UK will try to put their ‘future relationship’ in international agreements and law, along the lines of the political declaration of October 2019. The negotiations on the future partnership between the EU and the UK will start once the UK has left the EU. These negotiations concern many difficult subjects, like fishing rights and free movement of persons, that may well not be resolved before the end of the year, most likely leading to stage two and a half (see below).

Anticipating phase 3 (see below) the UK will want to conclude all the fabulous trade deals with other third countries that it has promised its population. However, in practice it will find itself bullied by the US and the Chinese now that the UK is much smaller than it was as EU member while trying to stay connected to the EU market at the same time.

Being fiercely independent while securing maximum access to the EU internal market will be a complex game of chess on multiple boards that so far has not gone well for, for example, the Swiss, who are now ground up between their voters and the EU because these two cannot seem to align and find themselves in the by now completely realistic Swixit scenario in which Switzerland will (temporarily . They have been negotiating for six years almost about what the UK would try to do before the end of the year. Given the record of the UK internal chaos when even coming to a Brexit this will never happen in time. Also, these new deals cannot enter into force during the transitional period.

The transition period can be extended once for a period of up to one or two years, if both sides agree to this before 1 July 2020. This is the likely scenario, because the UK is way not ready to leave without a lot of open ends by end of the year and the EU has shown to be sensitive to a chaotic exit, so I expect this scenario to happen unless the EU is done with the UK at some point and refuses to extend.

Stage Two and a half: extended transitional period

The most likely option therefore is extension of the transitional period. The UK will continue to apply EU law. It will be worse off than Norway, Iceland or Liechtenstein because it just applies EU law without even sitting at the table and without having anything to say.

This will be a two year extension. Companies that were sitting on their hands will start to believe that it will never happen and sit on their hands even more.

After the two years, the UK will truly be out because EU law will no longer apply and the MDR/IVDR will not apply for the UK any more.

Maybe there will be a transitional regime at the end of the extended transitional period, but nothing’s certain. The UK may have implemented the MDR and the IVDR but the EU may not recognize UK MDR and IVDR absent a mutual recognition arrangement, of which we do not know what it will look like.

EU law may continue to apply because of an extension of the extension, as described in the following scenario two and three quarters. If that scenario does not happen, go to stage three.

Stage two and three quarters, four fifths, nine tenths etc

Theoretically, there is nothing to prevent the UK from not getting its act together in the additional two years. In fact, this is likely to happen given the track record of UK negotiating with the EU without internal mandate or a mandate that turns out not to be a mandate.

It may therefore be that the transitional period is extended, possibly repeatedly, as the UK and the EU prolong the transitional period to avoid a chaotic no-deal Brexit that nobody wants. However, EU law will still apply during this period.

Then, at some point, the UK and the EU will decide that enough is enough and that the exit is deemed manageable. The UK leaves and EU law ceases to apply in the UK. Companies that are still not prepared by then will suffer the consequences.

Stage three: the UK finds out its place in the world and who’s next?

This is the UK endgame that the whole thing was about in the first place, in which statues of famous Brexiteers show up on squares in the UK and Britain is made great again. The UK is alone in the world and will likely quickly find out that the smaller you are, the more likely it is that you are pushed around by richer and/or more powerful countries that are only your friend when it serves their own purposes.

The Chinese and oil money from the Middle East will buy most of the UK, while the Americans will bully the UK into great deals that are far less advantageous for the UK than thought originally. The UK will find out that China is a lot bigger than they thought.

The Chinese and US will increase their efforts to pry the next member state(s) loose from the EU, because the best EU for the rest of the world is a weakened non-unified EU. This process is already well underway but will be played out more in the open. The EU, for its part, will do its best to keep the remaining member states in a row and counteract external and internal forces of division that would weaken the EU. Being a citizen of one of the founding member states and having an international outlook, I of course hope that they prevail.

In stage three anything can happen, for example:

  • The UK is Union and applies the MDR and IVDR, UK manufactured or imported devices may circulate freely in the EU market; or
  • The UK is fully third country, and uses its own certification scheme. The UK and EU may mutually recognize certifications; or
  • The UK and the EU don’t get along very well, and there is no mutual recognition. UK manufacturers and importers will need to obtain additional CE marking for the Union market.

Scenario anyone?

As you can see, it’s not a binary process of leaving but rather a gradual one and as I have been saying you should prepare for this by having plans for various scenarios – including the ones I came up with in this blog and possibly others. Everything I have written on this blog in relation to Brexit (also here and here) is still relevant, unfortunately we just don’t know when. Read up on old and new guidance. Questions? Confused? Angry rants? Let me know.




Welcome to 2020 – year of the proof of the MDR pudding

Welcome to 2020 – happy new year everyone. I don’t care if your conventions do not allow me to wish you best wishes after a certain date anymore. I wish you a happy 2020 because I genuinely hope you will have it. If you are a reader of this blog and you have a happy 2020, it will mean that a lot more went right in the MDR roll-out than I would expect based on the outlook at this moment.

Over the Christmas holidays I wrote my contribution to the Dutch Health Law Association’s 2020 periodical book discussing developments in healthcare regulation  (in case you read Dutch: Preadvies van de Vereniging Gezondheidsrecht), which is about medical devices law this year. It will be published spring 2020 and my conclusion is not different from my not so happy Christmas carol post just during the Christmas holidays 2019 (which I wrote as I was writing the contribution to the book).

The reality of things

The reality of things is that things are heading to an urgent critical mass (or mess, pun intended), because there is less and less time to make a meaningful difference.

We have about five months to go to the date of application of the MDR. Five is not much. It’s the number of fingers on your hand – I’ll lend you mine to make the point. See: only five fingers. Not that many. A fast typical conformity assessment under normal circumstances takes at least six months. Six is more than five. This means that even theoretically no additional notified body added in Q1 2020 will make a difference before May 2020.

When I wrote the Not so happy Christmas carol post last December some people thought I was being overly negative and I even started believing that myself at some point.

But then I resumed work after the holidays and the reality of the devices world washed over me again with clients asking my advice in an avalanche of problems and with signals that I see in the market:

  • clients facing massive delays in any interaction with notified bodies;
  • clients approaching notified bodies for the first time are not able to find any notified body that will onboard them;
  • clients facing notified bodies ‘offering solutions’ that will cost them double or more just for the notified body to renew a certificate in time for it not to expire;
  • notified bodies ‘notifiedbodysplaining’ how their capacity is tied up to the extent that they are unable to make any predictions about certification decisions, not for (AI)MDD recertification and not at all about MDR certification;
  • health institutions being mostly oblivious about what the MDR and the IVDR will mean for them (or in vicious state of denial about the in-house production regime);
  • class I manufacturers mostly having absolutely no idea what the MDR will mean for them and not understanding at all that there is a large gap to cross;
  • independent distributors far and wide not wanting to touch the MDR with a 10 meter pole (yes, that’s more than 10 feet as the expression is originally phrased) and distributors calling themselves ‘wholesalers’ flat out denying that they are in scope of the MDR and IVDR, even though they evidently are;

And the list goes on. My pessimism is back.

The system is not antifragile and has an agency problem

We ended 2019 with the new Commissioner for Health jedi mindwaving the member states about the status of Eudamed and notified bodies and what that means for availability of medical devices on the EU market. Nobody seemed willing to admit publicly that the EU regulatory system for medical devices has not been designed to deal with the enormous spike in notified body and authority capacity needed for the transition to the MDR and to the IVDR. The system can just about operate at nominal capacity in its fragile equilibrium of structural under-resourcing, but the MDR and IVDR did nothing to make the system antifragile (i.e. capable of becoming sufficiently robust under stress) enough to deal with the efforts required for the enormous bulge in the pipeline resulting from the fact that all notified bodies needed a new accreditation and all certificates need to be re-issued under new criteria. In essence the MDR and IVDR have been set up as a massive agency problem waiting to happen, and that’s exactly how it unfolded, or in the words of Nassim Nicholas Taleb describing the agency problem:

“Situation in which the manager of a business is not the true owner, so he follows a strategy that cosmetically seems to be sound, but in a hidden way benefits him and makes him antifragile at the expense (fragility) of the true owners or society. When he is right, he collects large benefits; when he is wrong, others pay the price. Typically this problem leads to fragility, as it is easy to hide risks. It also affects politicians and academics. A major source of fragility.”

It also affects politicians – and indeed it does for the MDR and IVDR.

The lack of capacity is being felt keenly and acutely by stakeholders, and is mostly managed badly for a lack of options and resources. I have come up with a thought experiment that I would encourage everybody (and especially authorities) to apply to any situation MDR or IVDR related to expose the agency problem. Ask yourself in every situation: “Would we be OK with medicines agencies operating this way?”. Think about it. In many situations ‘the world would be too small’ (paraphrased Dutch expression) because it would be inconceivable in relation to medicines that the system or the government agency responsible operates this way. Notified bodies, however, are almost never government agencies, but they do exercise government authority. Some examples I have come across, for your consideration:

  • After accepting your application the registration authority says it will double registration fees and otherwise not finish your application process in time for your existing authorization to expire.
  • The registration authority says it is not going to finish your application in the time frame promised, because it can actually not promise anything because it’s so busy and literally tells you that if you don’t like it, you are welcome to go to another agency.

Would we like the EMA or the national medicines agencies to operate this way? Hands up if we do, and please send in a comment if you think this is a good idea so we can propose amendments to basic principles of good administrative practice.

The bottlenecks summed up (again)

The reality of things is that even if the Commission is emphasizing the small successes (yay, another notified body accredited or look here, another guidance document published) and the Member States are doing their absolute utmost to trust the Commission when it is totally Jedi mind waving them, they’re not fooling anyone else.

MedTech Europe published a very clear and accurate paper that sums up all the bottlenecks, and shows that each of the possible ways to have devices on the market post May 2020 (an MDR certificate, a renewed (AI)MDD certificate or a national/Union-wide exemption) is affected one way or the other by the critical lack of capacity. They also point to potential solutions for each bottleneck, which I am not repeating here – please read the paper, it’s important. Spoiler alert: most of the solutions are to deliver as soon as possible on what should have been delivered years ago. This is also not new, but more urgent than ever.

I will summarise the bottlenecks (again) and invite you to read the MedTech Europe paper for the solutions.

MDR certificates

There are insufficient MDR notified bodies accredited to make the difference, essential guidance is lacking and the system is not ready in many respects and for certain devices. It takes notified bodies considerable time to get up to full accreditation speed after they have been accredited and even under the best of circumstances it takes at least half a year to process a conformity assessment application. The fact that a notified body has been accredited does not mean that it will be able to make the difference before 26 May 2020. The notified bodies accredited in Q1 2020 (including the remaining eight promised for 2019) will likely not issue a single certificate before the date of application of the MDR.

Renewed (AI)MDD certificates

There is not even enough capacity to renew all the existing certificates for the 2020-2024 grace period, and there is complete unclarity about what the duties of notified bodies overseeing these certificates past May 2020 are. As things stand, they can give any manufacturer three months notice, leaving the manufacturer in a situation where it will never ever be able to have an MDR certificate at another notified body (too busy, and takes (much) more than three months) and it is uncertain whether the orphaning procedure in article 46 MDR applies only to MDR certificates or also to (AI)MDD certificates valid past May 2020 based on article 120 (3) MDR. And there is still the uncertainty around the interpretation of the concept of significant change, which can invalidate certificates just like that. The fact that the guidance promised by the CAMD in December 2017 is still not here is quite frankly astounding.

Also, there is (still) no solution for notified bodies not renewing a certificate in time, or refusing to accept the renewal application.

National and EU exemptions

As under the old directives the primacy of exemptions to CE marking remains with the Member States under the MDR. There is a possibility for extending a national exemption to the whole Union territory pursuant to article 59 (3) MDR – which means that there must first be a national exemption that applies to one Member State. Each member state may use their own criteria for that, which often involve that the exemption is the exception, i.e. not intended as a general alternative market access mechanism for everyone that could benefit from it. You will also often need to show that you are on board with a notified body already, which is kind of problematic because most are not accepting new customers at the moment.

Subsequent extension of the exemption to the whole Union (so the manufacturer does not have to make an application in each Member State) based on article 59 MDR is limited to ‘exceptional cases relating to public health or patient safety or health’, so not intended as a general exemption for everyone in trouble it would seem. And each exemption needs its own implementing act under the MDR to be adopted under the examination procedure, which looks like this:

[Figure: adoption of an implementing act under the examination procedure]

As you can see, not complicated and slow at all – not. Quickly change the MDR for a more streamlined and quicker process perhaps? Not enough time to do this before May 2020.

Furthermore, it is not clear whether it is allowed for devices exempted this way to affix (or keep affixed) CE marking. If this is not allowed, this will severely impact exports to third countries that allow devices on their markets based on CE marking.

You finally really seem to be doing it

One of the most powerful images that I can come up with to underline the sense of urgency of this all is the final scene of the first Planet of the Apes movie.

Charles Heston’s character realizes at the end of the movie that the barren and primitive place in which he found himself the whole movie was in fact the post-apocalyptic earth. Would we like a health system just as barren as that of the planet of the apes? Maybe watch the movie for yourself to get an impression but (spoiler alert): the planet of the apes is missing a lot of nice to have and innovative medical technology that used to be available because it is kind of primitive. Of course this is a dramatic example, but I am running out of ways to express the urgency of the problem.

MedTech Europe politely captions its paper with “A Call to Action” because they have to be polite. I have fewer constraints and will be less polite because I am a (potential) patient myself, I have family members that depend on medical technology for their life, and others for their quality of life. And I am truly upset and disappointed about what we have to show for the MDR implementation at this moment (and don’t even get me started about the IVDR). I would like the best regulatory system so everyone can have access to the best and most innovative medical technology, not to the bare necessities only because we could not be bothered to make the regulatory system work.

Of course in the end the politicians will say it is nobody’s fault (agency problem anyone?), except that this would be wrong. The writing of things coming to this critical mass has been on the wall for a very long time, just read back this blog three years.

Let’s realize that we are all (potential) patients and want the best for our loved ones, ourselves and why not society at large, and make this thing work by adding clearly needed antifragility now that there still is some time. All the solutions are there, we know them, MedTech Europe helpfully repeated them. And the rest is politics.

A not so happy MDR and IVDR Christmas Carol

MDR and Article 123 (3) (d) cookies courtesy of Medtech Europe’s Katalin Maté who baked them for a meeting – they were delicious!

Just before the Christmas holidays the Commission updated its rolling plan and the MDCG ongoing guidance overview.

As the year draws to an end, the date of application of the MDR is very close now and I see more and more things happen that everybody could see coming for a long time, I would like to take a few moments to give you my version of Dickens’ Christmas Carol story applied to the MDR and the IVDR. This is – as always – a very personal perspective and although I am a very optimistic person by nature I have found that there is not a lot to be optimistic about with respect to the MDR and IVDR at the moment.

Unless we have some positive surprises in the months to come of course, of which we have not had that many so far. I have a hard time coming up with examples.

I’d love to write a positive and uplifting story telling everyone that if they just do their best and apply themselves they can tackle this thing, but that would just not be true given the circumstances. We are now at a stage that things are necessarily going to fall by the wayside and collateral damage will occur.

Christmas past – confusion everywhere

Confusion everywhere – the expression we used jokingly to refer to the imperfect but working system. This is the baseline that we came from. The MDR and IVDR were supposed to lead to a more coherent EU devices policy and lead to safer devices with better supported clinical benefits.

We had a regulatory system that was not ideal but that performed really very well for the very limited investments that the Commission and the Member States had to make. Compared to the medicinal products system the medical devices system costs very little to maintain. The market mostly paid for market approval directly via the notified bodies, and Member States invested little in enforcement and market surveillance. Coordination in Brussels was opportunistic: we coordinate interpretation in guidance documents, but will never commit to binding coordination other than under literal text of the directives. This is why we for example had a Borderline and Classification group that could not even agree on what a pharmacological mode of action was, and harmonisation so loose that the ECJ could come to judgments like Lycocentre. Confusion everywhere – not ideal, but manageable.

Because of fraud with implants (which could just as well have been handled under the old system) and because of a perception that clinical evidence could be better for implants (equivalency issues that could also have been handled under the old system) we decided to shake up things with new but foremost ‘better’ and ‘stricter’ regulation: enter the MDR and the IVDR. Because we partially blamed the notified bodies (‘they work for manufacturers so cannot be impartial’) we wanted all of them re-reviewed to higher standards, even though we could just as well have come to the same result under the old directives (and we largely did already as a result of the joint audits of notified bodies).

We embarked on an implementation trajectory in May 2017 for which the competent authorities and the Commission unfortunately have little to show today, with six months to go to the end of the transitional period, which takes us from the Christmas past to today: Christmas present.

Christmas present – chaos everywhere

Normally you would enter a transitional period for a radical game changer of regulation with most of the regulations and supporting systems complete: everybody can get used to using the new systems, kinks can be ironed out before everybody must comply and all addressees of the new rules can implement the new rules in their organisations. Makes a lot of sense. This is not the choice that was made for the MDR and the IVDR, probably because of the political momentum that required a fix of a system perceived as broken. The Commission and the Member States embarked on an ambitious implementation calendar for implementing acts, common specifications, guidance and accreditation of notified bodies and then failed to deliver sufficiently for the system to work for all actors involved.

At this moment the Commission seems overwhelmed and has started kicking the can down the road with delaying Eudamed for two years (but not at the same time being clear about the consequences) and delaying the need for CE certificates for class I devices that would be in a higher risk class under the MDR via the Corrigendum 2. The Commission now states in the December 2019 update of the Rolling Plan:

“It should be noted that, as a result of the Commission’s obligation to verify under a unique procedure the full functionality of the new database (including all relevant modules), the deployment of a fully functional Eudamed is expected by  mid-2022. The Commission is currently working together with Member States to provide guidance related to how certain new MDR provisions will apply in the absence of Eudamed. In order to support harmonisation during the interim period the Commission intends to deliver the actor registration module by May 2020 on a voluntary basis.”

It also states that the ‘Eudamed is ready’- notice (the article 34 MDR notice) is planned to be published in Q2 2022.

In other words: there will be something of Eudamed in 2020, we don’t know how to work with that and what this will mean. Voluntary use – does that mean that this use can be used later? Actor registration means SRNs, but how will voluntary SRNs work? Can they be converted into mandatory SRNs later? Many Eudamed questions remain, with a lot at stake. But guidance is underway – … OK, never mind. I would really like to believe that the guidance will arrive on time and will be useful except that we are still waiting for so much guidance.

The Commission and the Member States started the MDR and IVDR accreditation process for notified bodies later rather than earlier (it was not possible to apply before 26 November 2017, well into the transitional period). I have never understood why this process did not get more priority. It took a long time for the first notified bodies to become available (the first one in the second half of January 2019). During 2019 the Commission kept promising that there would be 20 notified bodies accredited (which includes double counting between the MDR and IVDR, so a notified body accredited under both counts as two for the Commission).

By Christmas 2019 we have 12 (Dekra Netherlands appeared as IVDR notified body in NANDO on 24 December 2019 and MedCert on 25 December 2019). The Commission notes in its Rolling Plan of December 2019:

“Ten notifications completed (8 for MDR and 2 for IVDR). Two more expected before the end of 2019  (1 MDR and 1 IVDR). About 20 designations expected to be completed in the course of Q1 2020. About half of existing certificates are covered by the notified bodies that will have a valid MDR designation in NANDO by the end of the year”

This means we have one more notified body to go this year, if the Commission’s statement is true. All of this would be nice except that it takes notified bodies about 300 days from designation to get to full certification speed. This means that the statement about certificates covered looks nice, but it also means that

  • the other half of the certificates are not covered in time (except insofar they have managed to renew existing (AI)MDD certificates);
  • of those certificates that are covered it is not certain what percentage will receive their certificate in time (300 days ramp up, remember –  almost a year) because an MDR accreditation requires a new review of QMS and technical documentation, so not something that is completed in a few months;
  • the manufacturers that are with a notified body that cannot certify in time have no way to move to another notified body that is either MDR accredited or can still renew an existing (AI)MDD certificate (and takes on new customers because basically none is doing that at the moment)

Even if we have 50% of the certificates covered by notified bodies that applied for MDR in Q1 2020, this is not going to avoid the situation that we will have many manufacturers without certificates by the end of May 2020 for various reasons. In some cases they will have themselves to blame, in some cases they will have been dealt bad cards by the system (e.g. they bet on MDR because their notified body says it will be accredited, then find out that their notified body is either not going to be accredited in time or at all, with no possibility any more to transfer in time). These are the cases that are landing on my desk right now. And there are the cases of the companies with certificates in soft transition – they will be facing the situation of their notified body closing business (three months notice, no other requirements) and having to still apply for an MDR assessment that must be completed before end May 2024. And this is a big wave of manufacturers needing this, because either their notified body or the company itself was not ready for an MDR certification.

Since notified bodies are commercial entities and governed by the market, several things happen now that are typical for sellers’ markets where supply is restricted and demand is greater than supply capacity: prices go up, notified bodies choose their clients carefully and it’s very hard to get commitment to delivery dates. Smaller companies have less bargaining power and I see with some notified bodies that these have even more difficulties in dealing with their notified body.  This system is not designed for surges in load and doing the re-accreditation of notified bodies at the same time as re-evaluation of devices for MDR/IVDR compliance was, certainly with hindsight, not a good idea. The temporary spike in regulatory load requires investments in capacity that cannot be recouped and will likely not be needed after the spike, so will likely not be made. Also, it requires capacity that was never needed, and can therefore not be scaled up just like that. Training enough notified body personnel takes years. In the mean time my reality is that I see more and more companies struggle to have a meaningful connection with a notified body in time to meaningfully meet the deadlines. If you want to change notified body now, prepare to wait until autumn next year. And it’s the small ones that suffer the most because they have the least weight to throw around to secure a scarce slot at a notified body.

Regardless of the notified bodies, if you have an Annex XVI device: good luck getting that certified under the MDR by May 2020 because the Common Specifications have still not been established which means that no-one can even start to evaluate these products, nor is it possible to produce compliant technical documentation. If you need a notified body for your Annex XVI device, there is literally no way that I see that you can be certified in time. Bad news for the contact lenses for example, or for dermal fillers or for laser hair removal devices.

The fact that there are still no definite harmonised standards for the MDR is perhaps the least of our problems. At least you can declare compliance based on state of art.

Then there is all the remaining guidance promised of which the innovation in the December updated ongoing guidance overview is that the MDCG is now planning to issue it – hold on to your seat – mostly in 2020. When in 2020? Good question. So far the guidance development process was characterised by moving goalposts and known unknowns.

To me this looks like a difficult 2020 with potentially many devices that can not possibly be compliant in time. How will the competent authorities of the Member States deal with this? We don’t know that either. Some have been recruiting, like everybody else. It will have been a tall order for them to meet their recruitment goals as they are fishing in the pond that everybody else is fishing in too.

Rumour has it that some authorities are talking about harmonisation of possible exemption policy with respect to companies and products that fail to be compliant in time. Still, imagine having to request national exemptions in each member state based on different, or only partially harmonised policy, based on different forms. This would be integration reversed. And I did warn on this blog: this is a realistic scenario. And then the question remains whether the national authorities have sufficient staff to handle all these applications in a reasonable time frame? And what criteria will they use? How will they avoid that freeriding is discouraged and what would they like to see in terms of good faith efforts to be compliant in time? If they provide exemptions only for devices that are essential to patient care, that will lead to an impoverishment of the scope of medical devices on the market, and not for the right reasons. Impoverishment and shortages, this is I think what Christmas future may look like, and that’s earlier than you think.

Christmas future – catastrophe everywhere?

Will Christmas future (with Christmas 2020 already as a first Christmas future) be a situation of catastrophe everywhere? I hope not but it might be.

I have seen regulatory changes in the life sciences field turn out very bad, especially for the more innovative SMEs. A case in point that unfolded under my eyes is the ATMP Regulation, which was supposed to provide better and harmonised regulation for tissue, gene and cell therapy products but ended up in impoverishment of the EU biotech medicines industry. The approval process (which for this regulation was ready in time by the way) turned out to be so complex and expensive that almost no company was able to see a new product through to authorisation in an industry that – at the time – was characterised by mainly innovative SMEs. This became so bad that the EMA offered to give additional assistance to companies only to encourage applications on top of its normal SME benefits program, just to have something to show for this regulatory pathway. SMEs in the mean time rather chose to sell themselves to bigger companies as soon as they could, or set up outside the EU. The medical devices industry is even more characterised by many SMEs, and I think we risk the same happening in the medical devices industry.

This SME effect may be strongest in IVDs, where the percentage of companies that will need a notified body is much larger and many of these companies are SMEs with a relatively large number of products compared to the ‘general’ medical devices industry. So we have three IVDR notified bodies now out of a total of 11 applications. There do not seem to have been any additional IVDR notified body applications or we probably would have heard about it. The impoverishment effect could therefore be even stronger in the IVD sector because relatively more work needs to happen with less resources, in an industry that I see not yet generally act like they’ve heard the starting gun.

The same is true for the healthcare institutions, which have obligations too and in my experience are also slow to catch on to those kicking in by end of May 2020.

And there are the class I product manufacturers, that also generally do not seem to have much of a clue what it means to be fully MDR compliant by May 2020. The recently published class I devices guidance does not do a lot to instil a sense of urgency as it does nothing to describe the large gaps between MDD class I and MDR class I requirements.

Independent distributors – same thing: general unawareness.

What will this mean for the patients? I will make a safe prediction: there will not be more innovation, not more availability and not better healthcare because of the stress on the system and the insecurity that goes with it. Hopefully all actors, working together, will be able to avoid that the shortages of devices and difficulties of getting new technology on the market because the system is overloaded and clogged with re-approvals of old devices affect the standard of care too much.

MDR and IVDR goals at risk

In the end, it seems to me that the goals of the MDR and IVDR (“to establish a robust, transparent, predictable and sustainable regulatory framework for medical devices which ensures a high level of safety and health whilst supporting innovation” (recital 1 of the MDR)) are starting to become at risk with the way things are developing, at least for the coming few years. It is starting to become more and more clear that the structures in place and under development are not able to support the change process undertaken at the level we would have wanted.

The policy option chosen at the time (I have reread the original impact assessment for the MDR and the IVDR again) was ‘evolution’ of the then current system.

Evolution by the hand of the blind watchmaker is by necessity a brutal process with a lot of collateral damage, because nature is not a moral theatre. But this is not how we would like to work with a regulatory system for an innovative industry that we should be proud of that is supposed to deliver devices for patients that deserve the best possible care available.

Food for thought. I wish you happy holidays, a good start of the new year and as my late grandmother would wish me: “good luck and wisdom”.

And I really hope I will be proven wrong over the next year(s) about this gloomy picture.

More on the PRRC

I have written about the PRRC before, when the MDCG PRRC guidelines came out earlier this year.

With more experience with the subject in the mean time and everybody working to understand the subject, I thought it was a good idea to revisit the subject. And another good reason was that I had to look into it again because of the presentation I did at the Q1 EU Medical Devices & Diagnostic Quality Management Conference in Frankfurt last week. If you were not there, you’ve missed a good conference with among other things interesting exchange of experiences on how the first notified body QMS audits have been and how to work with the economic operator requirements in your QMS.

Surveillance interest in PRRC implementation

Below is my contribution to the MDR and IVDR QMS discussion, regarding the PRRC. Interestingly experience with QMS audits for the MDR shows that notified bodies take a lot of interest in the PRRC and the way that function is embedded in the manufacturer’s QMS. I have heard that competent authorities see the PRRC as an important compliance promoting factor and that they have instructed notified bodies to pay specific attention to it. Thus, it is clear that everyone on the surveillance side expects a lot from the PRRC and wants to see manufacturers take this position seriously, which should be reflected in the way the position is implemented in the QMS.

PRRC = sort of DPO

I have personally found that one of the better models to use for implementation of the PRRC may actually not be the pharma QP/QPPV but rather the General Data Protection Regulation’s Data Protection Officer. The way that the GDPR provides that the DPO must be implemented in a company shows a lot of parallels with what the authorities seem to have in mind for the PRRC under the MDR and IVDR. Especially the connection between management and the DPO has created a lot of positive and much needed awareness in data processing companies. This is – in my view – what the authorities are looking for with the PRRC as well: an increase in compliance awareness culture.

Curious about the more detailed version? Take a look right here:

PRRC guidance to be ‘updated’

Interesting news is that the not super well drafted PRRC Guidance of the MDCG is now slated to be updated sometime next year, according to the Commission’s rolling guidance forecast. We know by now how much timing is worth when it comes to development of guidance, so it may also be later. It shows in any event that the MDCG has realised that the guidance needs revision.

Work in progress

The PRRC is a work in progress, but nothing prevents companies from implementing it as best as they can already. Be prepared to implement the PRRC as something more than a token function, because this is not what the notified bodies and authorities seem to be looking for.


The Commission and the Council on the MDR state of affairs

The public part of the Employment, Social Policy, Health and Consumer Affairs Council meeting last Monday, 9 December 2019 gave an interesting peek into how the Commission and the Council see the state of affairs with the MDR and IVDR implementation at the moment, and notably as well the delay of Eudamed implementation. The Commission was asked to provide an update of affairs to the Council, which was visibly ruffled and concerned about how the implementation of the MDR and IVDR were progressing. If you’re interested, you can watch it via this link.

So what’s the news? In case you are not curious enough to sit through the whole meeting, here is my summary.

Commission: ‘it will be bumpy’

The Commission, represented by the commissioner for health Stella Kyriakides herself, started off by mentioning the 20 notified bodies that it had been promising for this year actually turn out to be 12, which will include the double counted ones for the IVDR (that’s not what the Commission said, but that is how the Commission has been counting them so far). This means three additional notified bodies this year, but no mentioning of the way this works with the double count. I suspect that Dekra Netherlands is in the pipeline and one of these three. Rumor has it that NSAI may be another one. The other one could well be an IVDR notified body. But, the Commission said, we will have 20 notified bodies by Q1 2020. By now I am quite tempted to say that seeing is believing.

The Commission further announced that Eudamed’s delay did not mean that the MDR will be delayed, like I mentioned already. If you did not believe me so far, maybe you will believe the Commission. If you believed the Commission when they said it would be 20 notified bodies this year – wait a second…. anyway. The Commission mentioned that it has started on the operational details of non-Eudamed information exchange as required under the MDR when Eudamed is not ready for some reason or other, just as the ‘what if Eudamed is not ready’ regime in the MDR prescribes. So, the ‘Eudamed without Eudamed structure’, if you will, is under construction as we speak and there seems to be a central plan behind it. This is tentative good news in an otherwise not so good situation.

But, the Commission is looking into making the actor registration module available to the market on a voluntary basis by May 2020, seemingly in an attempt to help the market prepare for Eudamed going fully live at some point. This would seem to allow the economic actors to register themselves on a voluntary basis, but not yet their devices (because that is another Eudamed module).

After all the Member States had spoken as Council members (see below) the Commission finished by stating that the MDR was happening by end of May – Eudamed not being available was foreseen, so the MDR could go ahead without alternative plan. So, for the people that still do not believe it: no delay of the MDR. The Commissioner repeated this commitment in the press conference afterwards, and made the epic understatement that it would be a bumpy road to end of May 2020. I’m sure we all agree with this.

Council: ‘speed this thing up’

The Member States in the Council seemed somewhat exasperated and mostly echoed Sweden and Ireland in that the Commission should really intensify its efforts, provide a readiness check early 2020 and set up a dedicated MDCG group to deal with this and keep the Member States informed better. Clearly the Member States are not very happy with the way things are going although this was not what they admitted during the press conference afterwards. In the press conference afterwards the Finnish Presidency did not answer the question of a journalist who asked what the readiness check would look like. The Commissioner did not commit to this either and just said the Commission would keep the Member States informed.

Almost every Member State expressed concerns about the Eudamed delay, and here it was also interesting what was mostly not said and what the German delegate did say: Member States are worried about the level at which the Commission is doing Eudamed by itself and does not involve them to the level they would like. This confirms what I have heard earlier: that the Eudamed delay was also a surprise for the Member States because they were not that well informed. Some Member States (Hungary and Estonia) stated how this interfered with their national implementation process.

Other Member States stated other concerns that you would expect: why are there not enough notified bodies, why are the implementing acts still not there, where are the Common Specifications for reprocessing and Annex XVI devices?

The Netherlands, pragmatic as always, was advocating that parts of Eudamed should be adopted immediately when they were ready. Pragmatic, sure – but not how the MDR works. So those modules could, at best, be made available on a voluntary basis because still nobody wants to re-open the legislative procedure for actual changes to the MDR. It would be a possible help for the companies that otherwise would need to find a way to store two years’ worth of MDR related data and reports and make them available later in Eudamed.

Bumpy road

As the Commissioner said in the press conference: it will be a bumpy road. Let’s just hope it gets us there.

Corrigendum 2 and the (potential) consequences for class I devices

Everybody has been in enormous suspense about how the second corrigendum to the MDR and IVDR would turn out. The version that came out of the European Parliament’s ENVI committee vote contains a number of very technical points that I will not elaborate on. But it also contains the big break for certain class I devices: the ones that are up-classified under the MDR (and need a CE certificate under the MDR as a result) and the re-usable surgical instruments (which need a CE certificate for the reusability aspects under the MDR).

At this moment, the corrigendum has not been finally approved. This is supposed to happen somewhere before Christmas, so the class I devices industry may get a nice Christmas present under the tree – or not. If the corrigendum is still shot down on the finish line, this will be too bad as most of the class I devices that are up-classified under the MDR will likely not be able to find a notified body in time and will need to temporarily or permanently leave the market.

Class I MDR only, not IVDR

It concerns MDR devices only? Yes, this corrigendum does not contain any provisions with regard to up-classified IVDs, which comprises basically 85% of all IVDs currently on the market. This is why IVD manufacturers should still go full speed ahead with their IVDR implementation. I think it is unlikely that there will be a change in transitional regime for this large a group under the IVDR, because that would essentially change the nature of the transitional regime. But what do I know? It might still happen if the bottleneck for the IVDR is as severe as I predicted.

In the below presentation I have set out the consequences for class I devices of the corrigendum as I see them currently. I explain them in person in a lot more detail on the Medical Device Made Easy podcast about this exact subject (this is the first part of two parts about class I devices and the MDR, next one to follow later). I recommend that you follow this podcast for everything MDR and IVDR related, because like this blog that series of podcasts is starting to form a very nice body of knowledge and training material on EU devices regulation under the MDR and IVDR and provides a lot of expert knowledge on it. And it is very very practical.

The corrigendum creates two classes of class I devices:

  • the ones subject to the corrigendum and thus included in the article 120 (3) and (4) MDR regime; and
  • the ones for which it is business as usual and that must meet the full MDR requirements by the date of application (26 May 2020).

Subject to corrigendum devices (“upclassifieds”)

The class I devices subject to the corrigendum are all devices that are up-classified under the MDR under Annex VIII, notably software (rule 11), devices with nanomaterial (rule 19), inhalers (rule 20) and substance based devices (rule 21) and the re-usable surgical instruments. These devices are subject to the transitional regimes in article 120 (3) and (4) MDR provided that they have a valid declaration of conformity before 26 May 2020. They can then

  • Be placed on the market under that declaration of conformity until 26 May 2024 – provided that there is no significant change to intended purpose or design (more about significant changes below); and
  • Be sold to end users until 27 May 2025 (so the devices placed on the market before 26 May 2024 have another year to make their way to the end user).

And they must be covered by an MDR CE certificate that a notified body must issue by 26 May 2024, in order to continue to be placed on the market after that date.

See in the embedded presentation above what these devices must do under article 120 (3) MDR, and all of that is minus Eudamed for the moment.

Word of advice: some clients of mine in this boat are already saying “Yay! We can postpone our CE certification for the MDR until 2024!” and I am telling them “No, unless you change the name of your MDR project into Project Kamikaze and put a note in your calendar for 1 April 2024 saying ‘Erik told us in 2019 that this would be a bad idea and now we owe him a bottle of good champagne.’.”.

Why is it a bad idea? By the end of the article 120 (3) MDR soft transition period everybody and their mother, the extended family and all cousins too need a CE certificate as well. Not only will there be the normal MDR certificates demand at the level of normal market conditions, but also all AIMDD and MDD certified devices that need MDR certificates by then. And the difference is: these manufacturers will already be existing customers of the notified bodies, so they will go first and even for them it is not sure that there will be enough notified body capacity by then. So if you wait until the end of the transition period you will be lucky if a notified body will even pick up the phone by then to tell you that they are not accepting new customers. Better plan your inevitable transition to an MDR certificate way before 2024, preferably 2021 or 2022 as this will likely be a less busy period. Planning it at the last moment possible is a recipe for trouble – you’ll have no one to blame except yourself when you wait until the last moment to find out that all the notified body capacity is spoken for. I will quote you Kant, one of my favorite philosophers: “Sapere Aude” (‘dare to be wise’).

Significant change

The significant change under article 120 (3) MDR is kind of a landmine of a concept that can really mess things up for you as a class I manufacturer. That’s why it is really important to know what a significant change is. Fortunately there is guidance on the way! Oh, wait…:

Yes, you are seeing this right. In the last version of the ongoing guidance development document the task force for this (the concept has somewhat of a sense of urgency to it) still had to be set up and planned release is TBD. How is that for a sense of urgency?

The consequence of a significant change is that your declaration of conformity will not be valid for the article 120 (3) regime anymore, which means your CE mark is instantly invalid, causing non-compliance for every next device that you place on the market.

But things can be even worse if the significant change affects the installed base of devices already at customers. A totally non-hypothetical scenario that I am sure will happen is that a software update to a manufacturer’s software installed in hospitals turns out to be a significant change, e.g. because it is a line extension of the installed software, adding additional convenient functionality, or is a fundamental redesign for the software to be able to run on 64 bit operating systems too. Especially in the last case the IT department may roll out the update without thinking because nothing changes. In both cases releasing the update will constitute a significant change. In order to help you decide if a change to software is a significant change LNE/G-MED’s guidance on significant change has a helpful flowchart (no 5) in it for software. The guidance has other helpful flowcharts too. But, this is what LNE/G-MED thinks, and as class I device manufacturer you are dealing with competent authorities and not with notified bodies.

Full MDR by 26 May 2020 devices

The devices that are not subject to the corrigendum are going to have to be fully compliant by 26 May 2020. These devices are subject to the full MDR (minus Eudamed for the moment).

This is a big step up for class I device manufacturers that have been operating under an MDD Annex VII QMS, because they are going to an ISO 13485:2016 plus QMS. Also, these manufacturers will run into the alternative meanings of CE and MDR: Clinical Evidence and More Data Really. You will not only need to redo all of your clinical evaluations, but you will need more data as input (which you will likely not have if you have not been doing active post market surveillance as many class I manufacturers have not been doing).

The above presentation provides an overview of what you can expect as a class I device manufacturer under the MDR. If you start to figure all of this out only now, you will have a very steep learning curve and a lot to do in very little time.

Suspense suspense

We’ll have to see if the corrigendum 2 is a done deal or not. If it is, it temporarily solves the predicament of the class I devices that are up-classified or need a reusability certificate under the MDR. But, it’s just kicking the can down the road – don’t forget that these devices need an MDR certificate by 26 May 2024, so better start with that sooner rather than later. And all the other class I devices: be prepared – you’re on for 26 May 2020.