<< alesolano.xyz/healthcare

Notified Bodies: friends or enemies? [draft]

December 2022

Hi, my name is Ale and I'm on a personal mission to help accelerate innovation in healthcare. I dream of a world where shipping health products is as seamless as shipping software, while always maintaining safety and effectiveness. This post is an attempt to understand better the current obstacles to innovation and what we can do about it.
Today: compliance.

If you are building a medical device and you want to operate in the European market, hold on tight because you need a CE mark. This CE mark is a certificate that guarantees that your medical device has been assessed and found to meet the requirements set out in the EU 2017/745 law, aka the Medical Devices Regulation, aka MDR.

This is great for everybody! We all deserve a guarantee that products intended to increase our health are indeed safe and effective. [1]

The bad news is that, well, it can take 18 months to get that CE mark. This kills projects and therefore kills innovation.

When it takes a product 18 months to make its first euro of revenue, that product becomes a capital intensive product. Just visualize 18 months of only expenses and zero revenue. Even if your product is a software medical device developed by a tiny team, that lengthy time-to-market makes it capital intensive.

This is backwards. The real revolution of software is that everybody can cheaply create value. Anybody can spot a problem, build a solution in a matter of days——or even hours!——and check whether their proposal makes sense or not. Can you imagine this speed in healthcare? Software medical devices allow any research group to cheaply turn a paper into a product; a therapy into a DiGA. Every scientist, every doctor or every patient could cheaply contribute. This is the world I dream of.

Sadly, today only people with access to capital will be able to participate. Not because of technology. The real obstacle is compliance. [2]

But why does it take so long? Is there something we can do about it? And most importantly: if a solution arrives, will the world embrace it or oppose it? Is the incentive system built to encourage speed of approval, or are some stakeholders making more money because of this 18 month delay?

To answer these questions, let's meet the rulers of the MDR land: notified bodies.

Notified Bodies

Notified bodies are the only entities that can issue CE marks. They are 35 organizations spread throughout Europe with the power of evaluating medical devices and sealing them with the coveted CE mark. They are in charge of reviewing your documentation and auditing your company, thus deciding if your medical device is safe enough to be used by Europeans.

They are also the main bottleneck in compliance. Here you can see that it takes long months for notified bodies to review documentation and auditing companies. Also, you can see how lots of them are not even accepting new customers! They are collapsed by the high demand of CE marks and their inability to keep up with it.

This collapse is being called the MDR fiasco. After the approval of the MDR in 2017, all devices previously certified under the previous regulation, MDD, need to reapply for the CE mark. So there you have a big wave of work for notified bodies. Additionally, lots of previously class I devices——which did not require a review of technical documentation——, now correspond to class IIa devices——which do require the review. The big wave became a tsunami.

And while the demand for a CE mark is very high, the supply of notified bodies is still small.

The MDR fiasco is not notified bodies' fault. But that does not mean that the process is full of inefficiencies. Solving these inefficiencies can allow notified bodies to handle more applications.

The CE process

The work that notified bodies do can be divided into two main tasks: (1) review your technical documentation and (2) audit your quality management system.

Step (1) is the longest step of the process. And the most uncertain. According to BerlinCert, reviewing the clinical and technical documentation can last from 3 to 12 months, depending on the quality and quantity of the documents.

Step (2) does not fall short either. It takes notified bodies 5 months to audit your quality management system.

And I just skipped a tiny detail: there's a step (0). It's called "accept your application" and it consists of two actions:

  1. Read your email. This can take months or never happen.
  2. Check if they are authorized to assess your medical device. Not all notified bodies can review, let's say, a medical device completely built with software. Notified bodies offer a "short questionnaire" to determine if they can do the job. It can take them between 1 and 2 months to read the questionnaire.

Yep, the whole process looks extremely inefficient. Though the collapse is understandable because of the MDR fiasco, it's unacceptable that it takes 2 months to read a questionnaire or 5 months to do a QMS audit. And I'm also sure that the techdoc review, though seemingly more complex, can be highly optimized.

Overall, there's room for a lot of improvement here. I'm sure that technology can help a lot here and maybe reduce these times to a matter of weeks. The question now is if notified bodies would adopt these techonologies—maybe even invest in them—or they would oppose them. Their incentives will tell us if they are friends or enemies of innovation.

Incentives

Let's make that extremely clear: first and foremost, their incentives should be aligned with the safety of patients above anything else. Notified bodies should be incentivized to only approve those medical devices that rightfully comply with the MDR law. That's their purpose and their biggest source of value. Safety first.

But again, safety should work harmoniously with speed of innovation. So to boost innovation in healthcare, notified bodies should also be incentivized by speed of approval. Is this the case?

Notified bodies are——mostly——private organizations. This implies that they seek to maximize profits. Given two options they will be inclined to choose the one that gets them more money.

Now, do they get more revenue when the job is done quick or when it is delayed months and months? Are their incentives aligned with speed of approval?

Here's BerlinCert's pricing list:

  1. TechDoc: they charge by the hour. They charge 300€/hour to review your documentation. They are dangerously incentivized to delay this review for months and months. To better align incentives, they should charge a fixed price for the complete review.
  2. Audit: again, they charge by the day. Precisely, 2000€/day for auditing your QMS. If it takes them more days, they charge you more, soooo they are incentivized again to delay the process. To better align incentives, they should charge a fixed price for the complete audit.

Other notified bodies, like Kiwa Cermet Italy, have similar pricing lists. Charging by the hour or by the day.

Not looking good, but not everything is lost. There's hope that, at some point, a notified body wants to compete offering a different pricing system. A notified body that has speed as their value proposition.

Competition

The idea behind notified bodies is that evaluation is decentralized. In contrast with medicines, where evaluation can only be done by a single governmental entity——the EMA——, here we have 35 organizations with the same authority to grant CE marks. And more notified bodies can appear in the future, sparking further competition.

This is interesting. And not because the potential emergence of more notified bodies can reduce the collapse——that's a very slow solution and would only solve step (0). But because maybe one of the 35 current notified bodies decides to compete with the rest in terms of efficiency.

We just need one notified body to unlock this. One whose incentives are aligned with speed of approval. Once this first mover starts embracing technology to speed up the process, all manufacturers may ignore the rest of notified bodies and stick with the efficient one.

Ideas

I'm sure that technology can help us speed up the process of obtaining the CE mark. Here are some ideas that may work.

Automatic tests

Let's agree on a series of automatic tests that the technical documentation should pass in order to comply with MDR.

Imagine uploading your technical documentation to a notified body and instantly have feedback about the documents you are missing, sections that have been filled incorrectly or maybe an early indication that the clinical literature is weak. The amount of time that could be saved! Of course, not everything will be able to be automatically tested, but I'm sure there is a lot of simple stuff that manufacturers get wrong over and over.

A great example is what Vanta has built for security compliance. A platform built alongside auditors where companies can run tests on their software, fill documentation and gather all feedback that a particular standard requirement is met. I'm sure that this can also be done for medical devices.

Standard QMS software

Why does every company create their QMS from scratch? Every company is building their QMS on Google Drive in a rather unique way, and notified bodies are forced to spend time auditing every single one to check if they've done it correctly.

Time to build one that notified bodies widely accept so they can finish their online audit in a matter of seconds. A QMS software where it's impossible to not comply with ISO 13485.

Formwork is getting close to this, but QMS audits still take months to complete.

An open-source software medical device

This idea came from Oliver Eidel.

With an open-source software medical device that has achieved the CE mark, builders can just fork the code, adapt it for their intended use and apply for the CE mark. Given that most of the product and documentation is exactly the same, notified bodies should have an easier time reviewing everything.

Open call for notified bodies

None of these ideas will thrive without the collaboration of notified bodies. We need them——or at least one of them——to build the best solutions for this collapse and to finally accelerate innovation in healthcare.

If you work on a notified body and have some thoughts/feedback or simply want to say hi, please send me an email to asolanopf@gmail.com or find me on LinkedIn.

Let's make compliance easy and efficient. I want to help.




Notes

[1] It's also great for companies. A.H. Robins Company, founded in 1866 declared bankruptcy in 1985 after its intrauterine device Dalkon Shield killed more than 20 women and severely damaged 90,000. This disaster accelerated the enactment of the Medical Device Regulation Act in the U.S.
Interestingly, A.H. Robins did not develop the device: they acquired the rights from a smaller, younger company. 119 years of legacy destroyed by an extremely unsafe product, that they didn't even create.

[2] Yes, you can raise capital from a VC fund, but that means you are forced to create a high growth company. What if you just want to create a sustainable business?