Embed Size (px)
Citation preview
NEW LEGAL OBLIGATIONS UNDER MDR AND IVDR
Medtech Summit, Amsterdam19 June 2017
Erik Vollebregtwww.axonadvocaten.nl
Agenda
• Some of the “legal” stuff / obligations in the MDR/IVDR:
• New claims article
• Authorised representative
• Supply chain: obligations of the others
• Responsible person
• Liability and NCA facilitating liability claims
• Third parties: repacking/relabelling, parts & components
• National implementation of MDR/IVDR
• General Data Protection Regulation and its interface with Annex I
chapter 17 MDR / 16 IVDR
• Where does this fit into your overall transition plan?
Are you on your way with your transition plan, or are you still in denial?
Claims
Article 7 MDR / IVDR
In the labelling, instructions for use, making available, putting into service
and advertising of devices, it is prohibited to use text, names, trademarks,
pictures and figurative or other signs that may mislead the user or the
patient with regard to the device’s intended purpose, safety and
performance by:
(a) ascribing functions and properties to the product which the product
does not have;
(b) creating a false impression regarding treatment or diagnosis, functions
or properties which the product does not have;
(c) failing to inform of a likely risk associated with the use of the product in
line with its intended purpose;
(d) suggesting uses of the product other than those declared in the
intended purpose when the conformity assessment was carried out.
Claims
Provisions apply not only to advertising but also to other materials and
actions involving intended use:
• labelling,
• instructions for use,
• making available,
• putting into service, and
• advertising
Similar system as under Unfair B2C Commercial Practices Directive – look
at concept of ‘commercial practice’ (“any act, omission, course of conduct
or representation, commercial communication including advertising and
marketing, by a trader, directly connected with the promotion, sale or
supply of a product”)
Claims
• What does “prohibited” mean?
• NCAs can enforce (fines and retraction / rectification)
• Notified Body can write you up for a major non-conformity (e.g. if
the claim is made in the IFU or label)
• Under EU advertising law it means that competitors have a direct
action in court in the member states
• Will need to see how this affects current wide differences
between member states with regard to private enforcement of
claims regarding medical devices
Claims
What does it mean for the manufacturer?
• A lot easier for competitors to challenge claims in more places
• Need for careful vetting of supporting evidence in accuracy over time
•
• “failing to inform of a likely risk associated with the use of the product in
line with its intended purpose” is relevant for product liability as well (Art.
6 (1) Directive 85/374 defines a defect product as: ”when it does not
provide the safety which a person is entitled to expect, taking all
circumstances into account, including: (a) the presentation of the
product; (b) the use to which it could reasonably be expected that the
product would be put;”
• Tricky off-label use provision (“suggesting uses of the product other than
those declared in the intended purpose”) – normally active suggestions /
soliciting of off-label use is not allowed; how should we read
“suggesting” in this context?
Authorised representative
• Big changes for authorised representatives, both ‘in-house’ and external
• Implementation of AR MEDDEV
• Prescriptive rules for AR mandate and contract – like notified bodies ARs
are recruited into market surveillance
• AR must provide information, cooperate in investigation and verify that
appropriate conformity assessment procedure has been carried out by
the manufacturer
• AR must have person responsible for regulatory compliance
• Problematic:
• terminate the mandate if the manufacturer acts contrary to his
obligations
• In case of termination, notify CA and Notified Body of termination
and reasons for termination
Authorised representative
The modalities of a change of authorised representative shall be clearly
defined in an agreement between the manufacturer, where practicable the
outgoing authorised representative and the incoming authorised
representative (art. 12 MDR / IVDR)
This agreement shall address at least the following aspects:
(a) the date of termination and date of beginning of the mandates;
(b) the date until which the outgoing authorised representative may be
indicated in the information supplied by the manufacturer, including
any promotional material;
(c) the transfer of documents, including confidentiality aspects and
property rights;
(d) the obligation of the outgoing authorised representative after the
end of the mandate to forward to the manufacturer or incoming
authorised representative any complaints or reports that may be
incident related
Supply chain obligations
• Each link in the supply chain gets the responsibility to check compliance
of the previous one
• Review autonomous general obligations of importers and distributors
(articles 13-14 MDR / IVDR), e.g.
• verify compliance of the device,
• inform competent authority of non-compliance of the device
• implement corrective action
• amend contracts accordingly
Supply chain controls
Manufacturer Importer Distributor
End
UserPost market surveillance and vigilance
Regulatory compliance of device
Verify compliance Verify compliance
Supplier
Unannounced NB
inspections
Responsible person
• Looks like a pharma QP but isn’t
• Manufacturers shall have available within their organisation at least one
person responsible for regulatory compliance who possesses the
requisite expertise in the field of medical devices
• May be more; role(s) may be split over persons
• Qualifications necessary in MDR / IVDR
• Can you outsource the role?
• Unsure what “available within their organisation” means but
SMEs and ARs are not required to have the person
responsible for regulatory compliance within their organisation
but shall have such person permanently and continuously at
their disposal.
• Suggests that SMEs and ARs can outsource but bigger
companies / non-ARs cannot
Liability and NCA facilitating liability claims - manufacturerArticle 10 (16) MDR / IVDR : “Natural or legal persons may claim
compensation for damage caused by a defective device in accordance with
applicable Union and national law.
Manufacturers shall, in a manner that is proportionate to the risk class, type
of device and the size of the enterprise, have measures in place to provide
sufficient financial coverage in respect of their potential liability under
Directive 85/374/EEC, without prejudice to more protective measures
under national law.”
• “Sufficient financial coverage proportionate to risk class, type and size of
enterprise”
• How to interpret this reliably and predictably? How is size of the
enterprise relevant for example (PIP was a small company)?
• “Without prejudice to more protective measures under national law”
• What can those be? They cannot provide for anything that
detracts from the useful effect of Directive 85/374
Liability and NCA facilitating liability claims - ARArticle 11 (5) MDR / IVDR: “[…] where the manufacturer is not established
in any Member State, and has not complied with the obligations laid down
in Article 10 MDR/IVDR, the authorised representative shall be legally liable
for defective devices on the same basis as, jointly and severally with, the
manufacturer.
• Also in case the manufacturer misled the AR (think PIP)?
• “has not complied” – where and by whom is this determined?
• This will lead to a situation in which ARs will be even more trigger happy
to terminate agreements and manufacturers will have difficulties
engaging a new one
• AR agreements will be more and more sources of dispute
• AR costs base will change completely
NCA facilitating liability claims
Article 10 (14) last para MDR / IVDR: “If a competent authority considers or
has reason to believe that a device has caused damage, it shall, upon
request, facilitate the provision, of the information and documentation
referred to in the first sub-paragraph to the potentially injured patient or
user and, as appropriate, the patient's or user's successor in title, the
patient's or user's health insurance company or other third parties affected
by the damage caused to the patient or user, without prejudice to the data
protection rules and, unless there is an overriding public interest in
disclosure, without prejudice to the protection of intellectual property rights.
The competent authority need not comply with this obligation where
disclosure of the information referred to in the first subparagraph is
ordinarily dealt with in the context of legal proceedings.”
NCA facilitating liability claims
Some practical comments:
• “potentially injured” – what does that mean?
• ”caused damage” – not defect? broader than by a defective device?
• What information? “all the information and documentation necessary to
demonstrate the conformity of the device”, information regarding vigilance
and corrective action – non-conforming is not necessarily defective in the
meaning of Directive 85/374
• To whom? Basically everyone ‘affected by the damage caused to the patient
or user’ – that’s a broad class of persons and entities (this could have been
used in the Guidant pacemaker and ICD case (C-503/13) for example)
• Except if
• Data protection, except if public interest in disclosure (balance of
interests) – unpredictable and easily influenced, and what is the public
interest in a private liability claim?
• Intellectual property – what does an NCA know about this?
• Disclosure of the information is ordinarily dealt with in the context of
legal proceedings – it basically always is in liability suits
Liability and NCA facilitating liability claimsWhat does all of this mean for the market?
• Costs – insurance companies will be the laughing third party here
• More protection of patients? No, they could always sue for damage
resulting from defective devices and the NCAs’ facilitation will invoke
evasive manoeuvres all over the place, because the NCA would likely
see the information that the claimant receives
• Does it solve PIP type issues with manufacturer going bankrupt? No,
because insurance policies expire typically when a company goes
bankrupt.
Third parties: parts & components
Article 23 MDR / 20 IVDR: “1. Any natural or legal person who makes
available on the market an article intended specifically to replace an
identical or similar integral part or component of a device that is defective
or worn in order to maintain or re-establish the function of the device
without changing its performance or safety characteristics or its intended
purpose, shall ensure that the article does not adversely affect the safety
and performance of the device. Supporting evidence shall be kept available
to the competent authorities of the Member States.
2. An article that is intended specifically to replace a part or component of a
device and that significantly changes the performance or safety
characteristics or the intended purpose of the device shall be considered
as a device and shall meet the requirements laid down in this Regulation.
Third parties: parts & components
• Non-OEM replacement parts and components must have supporting
evidence that they do not adversely affect the safety and performance of
the device
• Standard of supporting evidence? Criterion presumes a validation
• Is OEM obliged to cooperate in validation?
• Non-OEM enhancement parts are devices
• How will that work in practice? – accessory type evaluation?
• Is manufacturer obliged to development of supporting evidence for
competing non-OEM parts/components?
• Printer cartridge competition law cases
Third parties: repacking & relabelling• Basically pharma repacking case law written down for devices
• Strangely enough stricter regime than outcome of the EU Court
Servoprax case (C-277/15)
• Article 17 (2) MDR / 16 (2) IVDR:
• Translation of IFU and other information and repacking do not
make someone a manufacturer
• Indicated person responsible for activity on the pack or
accompanying document
• Have notified body blessed QMS and vigilance for activity
• Reporting and mock-up to manufacturer and NCA for each time
repacked / relabelled device is made available
National implementation of MDR/IVDR• Many legal obligations will follow from national implementation of MDR
• E.g. national choices on fines and costs of surveillance
• Reprocessing allowed or not?
• Outsourced reprocessing allowed or not?
• Types of devices for hospital production?
• Require custom made devices manufacturers to submit lists of
devices made available
• Require HCPs and institutions to store UDI of implants
• Implementation of clinical trial provisions (e.g. require EU
representative appointment or not)
• Etc.
General Data Protection Regulation and its interface with Annex I chapter 17 MDR / 16 IVDR• Annex I chapter 17 MDR / 16 IVDR contains security rules in relation to
software (both embedded and stand alone)
• “17.2 / 16.2 For devices that incorporate software or for
software that are devices in themselves, the software shall be
developed and manufactured according to the state of the art
taking into account the principles of development life cycle, risk
management, including information security, verification and
validation.”
• GDPR requires compliance by design and default for any device
processing personal data
• If a device processes personal data (concerning health), it will have to
conform to design principles under two different regulations
Concurrent privacy by design requirements under GDPR• General Data Protection Regulation has already entered into force,
transitional period ending 25 May 2018
• Will apply to any device that processes personal data, both on hardware
and software level – possible overlaps with MDR
• Requires privacy by
• Design
• Default
• Requires cybersecurity measures, but so does the MDR
• GSPRs 17.1, 17.2 and 17.4
GDRP security thinking
Recital 81: “the controller should use only processors providing sufficient
guarantees, in particular in terms of expert knowledge, reliability and
resources, to implement technical and organisational measures which will
meet the requirements of this Regulation, including for the security of
processing. ”
GDPR security thinking
• Under the MDR / IVDR costs of implementation are irrelevant for risk
reduction (AFAP principle in GSPR 2)
Security requirements
Security design requirements (art. 32)Controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the
risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data
(b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a
timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures for ensuring the
security of the processing.
Take account of risks that are presented by processing, e.g. accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access
to personal data transmitted, stored or otherwise processed.
Overlap of risks and different approachesMDR / IVDR
• Security by design aimed to safeguard safety and performance (Safety,
Reliability and Availability (SRA) for cyber physical systems)
GDPR
• Security by design and default aimed at data integrity (Confidentiality–
Integrity–Availability (CIA) for corporate processes)
Map security risks under GDPR that are also (partially) safety and
performance risks under MDR / IVDR
• Those risks are subject to AFAP reduction by means of design insofar as
they concern the device (GSPR 2 and EN ISO 14971:2012 ZABC
annexes)
Overlap of risks and different approaches - nice model
GDPR orientation
MDR / IVDR orientation
www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
M +31 6 47 180 683
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com
