Part 1: Exploring EUDAMED Requirements for EU MDR
Highlights:
The goal of EUDAMED has been to create transparency and traceability. The enhanced transparency is helpful for the patients in choosing a medical product, it is helpful
Entering the data intro EUDAMED can be a challenging task. It is recommended that companies develop their MDR strategy and stay MDR compliant through the various delays.
Memorable Quotes:
“It is the tightest security in my 25 plus years in IT that I've ever seen, every other system I've ever worked on, even on systems in the Commission.” - Richard Houlihan
“I think it's very helpful for the accreditation body of the specific country. You can go in EUDAMED and have a look on certificates that were not issued from another notified body and so on. You can now have a look on that and perhaps then some notified bodies the accreditation will be questioned.” - Dr. Christiana Hofmann
“Which is also another reason why the notified bodies are being so picky, with the manufacturers, because if they get it wrong, they're in trouble. And they've, I mean, the notified body investment in getting this accreditation is huge. So they can't gamble on that.” - Richard Houlihan
Show Links:
Contact Richard Houlihan: https://eudamed.com/
Dr. Hofmann can be reached at: anteris-medical.com
Transcript:
Intro - 00:00:04: Welcome to The Factor, a global medical device podcast series powered by Agilis by Kymanox. Today's episode is hosted by Shannon Hoste, president of Agilis by Kymanox, and Assistant Professor in the Quality Education Program at Pathway for Patient Health. With Shannon today are Dr. Christiana Hofmann and Richard Houlihan. Christiana is an executive consultant and business development manager with anteris by Kymanox, and Richard Houlihan is the former IT consultant for the European Commission. And since then, he has started his own company called EirMed, which is the leading EUDAMED data submission software provider. On the show, they uncover the transparency challenges and opportunities brought about by the EUDAMED requirements, and they explore how the delay in MDR implementation impacted the industry. Here's Shannon.
Shannon Hoste - 00:00:56: I have been learning more about the changes with the delay with regards to MDR and hearing more about the EUDAMED requirements and the rollout of all of that. So Christiana, let me start with you. What are you seeing with regards to the MDR delays?
Christiana Hofmann - 00:01:14: I think the MDR delay was perhaps not the best decision to take, because it's only postponing the problems or the issues, or again, the curve we will have to take, or say the wave, because you need the resources, and actually you don't need the resources right now. You must build up your MDR strategy and already register at a notified body to get MDR compliant, and all the other topics, you must do it now. It's only a shift and a delay. And I think it does not help anyone. You can see it with the notified bodies, there is a kind of flattening the curve, also in the consultancy service. I don't know if it's the same as you Richard. I think it will get very tricky.
Shannon Hoste - 00:02:19: Yeah, so don't take your foot off the gas. Keep going. I'm seeing the same thing on my side with regards to companies when, when the, postponement gave a little bit of breathing room, but I don't think it should slow anyone down, definitely a keep going situation.
Richard Houlihan - 00:02:36: But that breathing room was supposed to be for the notified bodies.
Shannon Hoste - 00:02:40: Exactly.
Richard Houlihan - 00:02:40: It wasn't supposed to be for the manufacturers. And they have just gone and relaxed against some of them.
Shannon Hoste - 00:02:46: Very good point. Yeah, and then a lot of the concerns were even, there were even supply chain concerns, correct, with the current schedule.
Richard Houlihan - 00:02:52: The Commissioner, when she was talking, she even brought Ukraine into it. Ukraine had nothing to do with the medical device side of things. The medical device issues had been flagged five, six years ago and nobody did anything about it. But still, I think they blamed COVID for the last delay, which again, didn't really have that big an impact on the EUDAMED side at least.
Christiana Hofmann - 00:03:15: Perhaps it was to bring together the timing of EUDAMED and MDR a little bit closer.
Richard Houlihan - 00:03:23: This was all supposed to, EUDAMED was supposed to have been released in March 2020.
Christiana Hofmann - 00:03:27: Yeah.
Richard Houlihan - 00:03:28: And then in May 2020, then that's when MDR applied. Initially, notified bodies and the competent authorities, they were given three months, or the competent authorities were given three months where they were going to have to approve all the actor registrations. Three months. And I was at the working groups when some of these guys were arguing with the Commission going, look, it's impossible. And here we are. Three years later, some of the competent authorities take months, to approve. Others are quite quick, but, It's still a big ask on a lot of people.
Christiana Hofmann - 00:04:06: Absolutely. So may I ask a question to you or you are working for the Commission, the IT compartment for EUDAMED is this correct?
Richard Houlihan - 00:04:18: I was, I left the Commission in April 2019 and I was managing the IT teams that were creating EUDAMED.
Shannon Hoste - 00:04:29: So you mentioned minimally viable. So with regards to EUDAMED, can we step back and maybe let's start with, the overall goal, of EUDAMED, kind of the, in our vision. What's it's very, it's very exciting, kind of a audacious goal. I'm excited to see it when we fully get there. What's the the overall goal of it, and then let's step back and talk about, what that minimally viable, solution is kind of where we'll start probably in the next year.
[History of EUDAMED]
Richard Houlihan - 00:05:02: The overall goal from the Commission's point of view, well, publicly from the Commission's point of view was transparency, because a lot of the decisions that were made stemmed from the PIP case with the industrial silicone in 2012, 2011, 2012. And I was actually looking after an earlier version of EUDAMED, because EUDAMED has been there since the late 90s. It was a copy of a DIMDI system, and they asked him, could we use this? And this became EUDAMED. Then in 2011, EUDAMED 2 came along. Now, publicly, what you're seeing now is really EUDAMED 3, but it's just called EUDAMED, because the other two were hidden from view. So I was looking after EUDAMED 2 since 2011. I was sitting in a place in Ireland, in the Commission Building in Ireland, and that evening sitting in my apartment watching some political show or other, and they were complaining about the PIP case. I know you're kind of half asleep watching some of these, you might catch the odd word here and there, suddenly they started complaining about the European Commission and the database that they have for tracking medical devices, I thought, hang on a second, that's the thing I'm involved in, never comprehended how big the impact of this particular thing is because as far as I'm concerned, it's just data, a piece of software that needs to run, people log in, they do something. That's all I could see at that time. So then I see these guys complaining about this. And I thought, okay, so this is a little bit more important than I thought. Then I go to a working group meeting where all the little flags are on the table and it's nicely intimidating and I was supposed to do 20 minutes, and I ended up doing an hour and a half, bantering with the member states and the competent authorities. Now, the regulations are to control one side of things, to make sure that everybody does everything right.
But the goal of EUDAMED was always about transparency. It was always so you can see things. Because when the PIP case came. Nobody had anywhere to look. Nobody could find any details on it. Now, I don't know if we'd have met with the PIP case, probably not, but, It would certainly have helped with some of the devices over the years that were less than ethical, we shall say. But the other side of, EUDAMED, as the most the public won't understand it anyway, is quite. It's a bit of a downside. Sometimes you get transparency. You get so much information, makes no sense to you. And that's also what they've done with a lot of the documents regarding EUDAMED and the fields of where to find Information. They've given it in so many different ways. People are lost and confused. But with regards to the transparency side. When somebody goes to their doctor, they're going to get a hip replacement. They've got to get a hip replacement, they'll be able to look up EUDAMED and find out about this particular replacement. And then when all the data is in there, they'll also be able to find out about the vigilance issues. No, obviously confidential fields here and there, but they're able to get a good idea of what's going on. And if this thing looks like it's a disaster, at least the people will be able to say, Can you find me a different one? Because I'm not happy with that.
One of the downsides of the transparency and one of the downsides of EUDAMED is its versioning. Because in theory, when you change device. You're supposed to upload a new version. And this gives you version two, version three, version four, and that's publicly visible. But if you've made a mistake in the data. Somebody didn't double check one of the free text fields and there's a wrong size typed in. We have to create a new version because that's the only way to edit the field. So then you're in version two, version three and your product's only three months old, to the public, they will see this three month old product on version three. And the first thing they're going to think about is, oh my God, why did they need three versions? What was wrong with the other products? Because the Commission never allowed a field to explain the difference in versions. It's just the versions of the data, but they don't explain it. So the whole transparency side of things, I think is brilliant. I think. It will theoretically force companies to behave a little bit.
I saw one commentary from a lawyer in the US where he said, when he's involved in the medical device lawsuits, one of the biggest issues he always had was trying to find out who owned the product. Now, the product will be traced right back, because it doesn't matter if you're an OEM manufacturer, if you're whatever kind of manufacturer, you can no longer hide. So he reckons that he will be able to download virtually all the Information he needs from EUDAMED. Downside is from the manufacturer's point of view, that they will not be able to hide. On the legal side of things, it will possibly cut years off some of these cases. No, hopefully these cases are going to get less and less, but you're always going to have something that's just not right.
Transparency is also, a marketing possibility for companies. What we've actually seen already is some of the importers and distributors, searching EUDAMED like it's a product catalog, which was a bit of a surprise. Never, I never expected that one. The other thing, there's a free text field in there for a URL. Just direct Information about the product. A lot of companies aren't using it, foolishly not using it, because when the patients go in, even when they're with the doctor and the doctor's trying to explain the extra feels and stuff like that, when that link is there. They're going to click on it. So on the other side of that link, you need the nice pretty faces with the nice white teeth going, that product was just brilliant. And that would also help with the importers, the selling of the product, etc. So the ultimate goal, transparency.
What will happen in the long run with so many players? I don't know, because every time the Commission, of a new version, they take a little bit more control. That first EUDAMED from DIMDI. DIMDI were obviously delighted, it was a compliment to what they've done and the Commission adopted it, the next version, which was several years later, they take a little bit more control where you have to submit certain data to the competent authorities who used to upload it. And here we are with the third version, where now they're taking really strong control over the whole industry. So what's going to come in the fourth version, fifth version? I don't know, are you gonna have to update it for all your Production runs? Are you gonna have to have that level of detail in there? If you do, EUDAMED has got to become a north of beast. Very transparent.
Christiana Hofmann - 00:12:17: Absolutely agree. But would you also agree that another key word is traceability? Traceability of Device Data and Information. I think this is also a goal of EUDAMED.
Richard Houlihan - 00:12:31: As much as possible.
Christiana Hofmann - 00:12:33: I think this just always comes in my mind when I'm thinking of EUDAMED and yeah at least as you meant for the PIP scandal it's more or less to ensure the safe devices on the market and therefore they develop this kind of reports the PSUR, the SSCP and yeah this is also everything going in the direction to make the products and medical devices safe. And therefore we need a platform and the platform is EUDAMED and the platform has a lot of tasks and yeah, therefore it's huge.
Richard Houlihan - 00:13:11: I mean, I remember sitting with some of the developers when we were trying to estimate the amount of days to do the clinical investigations module. It was over double the other modules. It's an entire ecosystem. This thing is absolutely monstrous. I'm delighted. I was, I'm delighted. I was never coding on it. It was just. It's just huge. But one of the things with the previous incarnations, there was never going to be data transfer. They were never going to move data across everything that's going into EUDAMED now, clean data, the level of rules that they have put in place. And I mean, some of them are ridiculous, but it means the data going in will always have to be as perfect as you can get it. But if you put in perfect data, when the reporting comes along, and the statistics that come out. It's going to be very, very interesting to see some of these things. Some of the things I found when I was working in the Irish side, I got to sit with the medical device auditors, the guys that you score on, the notified bodies, etc. I asked the head guy, I said, look, what do you actually do? So he sat me down, very, very nice Northern Irish gentleman. He sat me down and he started going through everything. He said, see this certificate. I said, yeah. He said, that name there. I said, who is it? What's their background? What gives that person the right to sign that certificate? And he went from there, and it was nearly a forensic exercise. He went from there, went all the way backwards, right back to this person's experience, questioned their education. And he says at the moment, he says, we cannot de-designate notified bodies.
[Notified Bodies]
Christiana Hofmann - 00:14:56: You absolutely can.
Richard Houlihan - 00:14:57: And there was.
Christiana Hofmann - 00:15:00: I was working for Notified Bodies for six years, so I know what's going on.
Richard Houlihan - 00:15:07: But they did notice a lot of shopping around of things, certain devices are more likely to get signed off going to certain places. There was one in particular, it was a knee implant, I think it was, and the UK had refused it, they'd refuse it with a list of things. Everything was wrong. Their technical documentation was just terrible, but that company then went to another notified body, and they were given the certificate. Now, the UK jumped up and down. The MHRA, I have to give them 10 out of 10. When we worked with them inside the Commission, at least on the working groups, brilliant. But the MHRA jumped up and down, and that certificate was taken away, should never have been given a certificate. So again, things like that will appear in the statistics if you see a cohort of companies going to Country X.
Christiana Hofmann - 00:16:03: Yeah.
Richard Houlihan - 00:16:04: But yet you can get the same certificate countrywide, but nobody goes there, then that will trigger a very interesting investigation to see why. And again, on the certificate side, most of that or all of that is also going to be public. So you will be able to go see it. You will be able to go see the history. The refuse certificates, they will also be there.
Christiana Hofmann - 00:16:27: I think it's very helpful for the accreditation body of the specific country. You can go in EUDAMED and have a look on certificates that were not issued from another notified body and so on. You can now have a look on that and perhaps then some notified bodies, the accreditation will be questioned.
Richard Houlihan - 00:16:51: Yeah, I know he told me at the time that there was one or two notified bodies. If they could have pulled the plug straight away, they would have done it, but at the time the legislation wasn't there to allow them to do it. But now it's there, and now these guys have real teeth, which is also another reason why the notified bodies are being so picky, with the manufacturers, because if they get it wrong, they're in trouble. And they've, I mean, the notified body investment in getting this accreditation is huge. So they can't gamble on that.
Christiana Hofmann - 00:17:24: But it's a little bit contradictory now because we need more and more notified bodies on the one hand. And on the other hand, we have to be or the accreditation body must be very critical on the new notified bodies. So it's also as always like a political decision.
Richard Houlihan - 00:17:42: Yeah. Oh, yeah.
Christiana Hofmann - 00:17:43: Accreditation and also for the country, it's very challenging.
Richard Houlihan - 00:17:49: I remember talking with Erica, she was with BSI on the IVDR side. Stay heard, to employ PhD level people just to sit there and do nothing, just to show that they had the people to do the accreditation when the time came. But the investment in having people sit there and do nothing is huge. So someone has to pay. I know the manufacturers, and again, I don't know why I stick up for notified bodies, but sometimes the manufacturers are just really irritated at the level of cost. I could completely understand it, someone has to pay the notified bodies. And ultimate person to pay is going to be the taxpayer in the various countries. So it's. Bit of a tough one.
Shannon Hoste - 00:18:39: So as you talk about all of the data, but also the way to build the system so that data can be mined to answer different questions. You talked about, again, I'm always coming at it from a human factors perspective. You've got patients, delay users, end users, general public. You've got clinicians as users of the system and looking at this data in a different way. And you have regulatory bodies looking at this data in a different way, even to the level of checking and making sure that the process is working, overall. When I think about the architecture that you would have to build into that system or that level of data and the level of 3 things the amount of data that's in there, the ability to look at that data from all of those different perspectives, and the constant potential updates and changes and additional requirements and having an architecture that you can hang those in without, overhauling everything. That's huge.
[Legacy Devices]
Richard Houlihan - 00:19:40: It is huge. And I'm laughing because when we initially started designing this, were looking at the regulations. The legacy devices were never supposed to be in there. There was never going to be transfer from EUDAMED to EUDAMED. So, what that meant to us on the IT side, is that it's no directive devices. So we just ignored it. So the initial infrastructure, or the initial database keys, would have been your basic UDI and your UDI-DI. Simple. But. Then the member states started getting a little bit uppity, a little bit angry with some of these things. And there was, at some of the MDCG meetings, they had discussions around but we want to see the legacy devices in there. And the Commission kept pushing back. But eventually, the MDCG put their foot down, the member states put their foot down. These are the people who pay the bills. So the Commission had to say, okay, look, we'll figure something. And it was thrown back to IT. And we were like, oh my God, how do you do this?
First of all, the regulation devices can have multiple UDIs, under one basic. Whereas the legacy devices in Europe, not all of them even had UDIs. And some of them did have UDIs, which causes two different problems, but none of them had the concept of a basic UDI. That just didn't exist. We sat around this, absolutely pulling our hair out. See, this is what happened. This is what happened with this thing.
So. Eventually we came around the idea of a fake basic UDI. Take your existing UDI and just put a B- in front of it. And then if it's a real UDI, you just leave it with the correct issuing entity. If it's a fake, you put it with a D hyphen and use EUDAMED as the issuing entity, and it allowed us to mess with the system. No, it's very, very secure. It works beautifully now. And the other thing that you had to look at there as well is the relationships, the history.
This is another Marketing thing, by the way. A lot of companies have decided that they're just going putting the regulation devices in. That argument is kind of changing a little bit, which we'll get to in a second about the whole extensions and things, but a lot of our clients, were saying no legacy devices were just calling regulation all the way. That's fine, the market start date for your regulation device, when you got your certificate, not when you started selling the device 20 years ago. It's when you get your certificate. So then your history starts from say May 31st. But if someone is coming in, an importer coming in or a distributor, all on the public side, they're coming in to have a look for new products. Your history is two months old, but if you have put your legacy device in there. One of the things we did, when we were working out this basic UDI, et cetera, is connecting the two, because you're allowed to reuse the same UDI. Now, there's a lot of checks done on the data to make sure it is the same device. It's not infallible, but it's very, very close. But, by adding the legacy device with the regulation device, then the end user can tick the little box that goes all versions and you say, oh, so this has been on sale for 20 years, look it's got no vigilance or whatever the case may be. So it looks very attractive.
Database itself is huge. And you have to split it. So you want for the public, you want to use one public side, one private side. The private side is to allow you guys, the competent authorities, the notified bodies to constantly update, add, whatever, but then there's the public side and you have to separate the two out, because of hackers, because of site scrapers, and things like that.
[EUDEMED Security]
Just mentioning the side scrapers, I had a contact recently from someone who was absolutely furious and she was talking about the European Commission selling the email addresses of the people within EUDAMED. They don't. I can guarantee beyond a shadow of a doubt, the Commission don't do that, of what is happening, these site scrapers are going to the public site. They're searching all the actors, pull the email address out, all the PRRCs, pull the email address out, and then they get Marketing, Spammed, con, whatever. So the one word of warning to everybody, don't put in your own email address. Put in a functional email address that you can lock things out because some people are getting really, really heavily spammed with this, but getting back to the infrastructure. It is, the tightest security in my 25 plus years in IT that I've ever seen, every other system I've ever worked on, even on systems in the Commission. I could go look at the database. If there's something wrong, you go in, oh, that's the bit of data that's wrong. I'll fix that very quickly. Away you go. On EUDAMED, there was three people who had direct access to the database. Everybody had it to development, that's fine. But to production, there was three people with Dongles who had to Sign In for everything and sign everything off, that data in there. It's an IT system connected to the Internet, no matter which way you look at it. I would never say anything's unhackable because everything is hackable. But it's as secure as you can make it. Real black box stuff, nobody gets in. I'm fairly sure there's plenty of people who have tried but I'd say it's probably as secure, if not more secure, than banks at this stage.
Outro - 00:25:42: Shannon, Christiana, and Richard are going to hit the pause button there for now. Next time, they'll discuss the complexities of UDI compliance and the impact of AI on data reporting. So look out for that soon. In the meantime, check out Christiana and Richard's websites at anteris-medical.com and eudamed.com. This episode was edited and produced by Earfluence. We'll talk to you again soon on The Factor.
Stay tuned next week for the conclusion of this interview with Richard Houilhan and Dr. Christiana Hofmann.
Like this episode?
