COVID-19: Considerations for organisations manufacturing ventilators
This article was co-authored with Jenny Yu, Chemical & Life Sciences Practice Leader for the UK and Ireland at Marsh. As this is a fast-moving topic, please note that this article is current as at 23/04/20. For further information, please contact Paula Margolis, Samantha Silver, or Jenny Yu.
The UK Government is calling on organisations from a variety of industries to help solve the country’s COVID-19 ventilator shortage. Here are some key points an organisation, especially a non-medical organisation, should consider before manufacturing ventilators.
Regulation of medical devices in Europe
Medical devices in countries within the EU, including the UK during the Brexit transition period, are subject to EU legislation. Generally, EU regulations require devices to bear a CE mark, which indicates they conform to health, safety, and environmental standards. In the context of medical devices, the CE mark shows that the device conforms to the requirements of the Medical Devices Directive (MDD).
The MDD has since been superseded by the EU Medical Device Regulation 2017/745 (MDR), which came into force in May 2017 but includes a three-year transitional period. The MDR was due to apply fully in EU Member States from 26 May 2020; however, the European Commission recently confirmed that it is working on a proposal to postpone the application of the MDR for one year in light of the COVID-19 outbreak.
As Class IIb medical devices - those classed as medium to high risk - ventilators require clinical evaluation before they can bear a CE mark and be placed on the commercial market. To gain a CE marking, developers must also carry out extensive quality assurance tests and examinations to ensure that the devices conform to EU guidelines. The extensive regulations are one of the main reasons why, in normal times, ventilators and other Class IIb medical devices can take months, and sometimes years, to go from design to the commercial market.
Exemptions from medical devices regulation during the COVID-19 outbreak
On 25 March, the UK Government published Guidance on Exemptions from Devices regulations during the coronavirus (COVID-19) outbreak, permitting the Medicines and Healthcare Products Regulatory Agency (MHRA) to authorise the supply of a non-CE marked device in the interest of the protection of health. While ventilators manufactured and supplied will still require approval from the MHRA under the “exceptional use” route, they do not need to be CE marked.
The MHRA has, however, confirmed in its published Guidance on Specification for ventilators to be used in UK hospitals during the coronavirus (COVID-19) outbreak that “compliance with the essential safety standards must be demonstrated for patient safety”.
It is also important to note that the MHRA advises that once the current emergency has passed, devices approved via the “exceptional use” route will not be usable for routine care unless they have been CE marked through the Medical Device Regulations.
Patient safety concerns
There may be potential risks to patient safety, according to Helen Hughes, chief executive of Patient Safety Learning, relating to:
- Speed of manufacture
- Existing safety issues relating to multiple designs and ways of using these products
- The proposed relaxation of standards.
There may also be risks for the clinicians using the equipment - especially those who may be inexperienced or untrained in the use of ventilators, particularly while wearing personal protective equipment (PPE).
The liability of producers for personal injury and damage to consumer property caused by defective products is governed by the EU Product Liability Directive 85/374/EC. The Consumer Protection Act 1987 (CPA) implements the Directive into UK law.
Under the Directive and the CPA, a producer is subject to no-fault liability for injury or damage caused by a defective product. In determining whether a product is defective or not, the court will assess the appropriate level of safety, taking into account the facts and circumstances before it. The COVID-19 emergency may well be one of those circumstances.
Subject to the national laws of the relevant EU Member State, a consumer can also bring a parallel claim in negligence.
Claims brought in respect of an allegedly defective product must be brought within three years from the date on which the claimant became aware or reasonably could have become aware of the damage and its cause; the defect; and the identity of the producer. In addition, a claim cannot be brought more than 10 years after the product was put into circulation.
It has recently been announced that the UK Government will provide an indemnity to designers and contract manufacturers of new non-CE marked ventilators in respect of product liability and breach of third-party intellectual property (IP) rights, although it is unclear if there is a cap on the liabilities covered by the indemnities. This move will certainly offer comfort to non-medical manufacturers of new ventilators. It will also ease the burden on insurers who would have been at risk of receiving an increased number of claims made in respect of these products.
Medical devices are one of the biggest targets for cyber attacks and are considered an easy entry point. There have been many cybersecurity incidents affecting a broad range of medical devices, including pacemakers, infusion pumps, ventilators, and many others. Cybercriminals have also begun to actively exploit the COVID-19 crisis, which could lead to even more heightened cybersecurity risks for medical devices.
The MDR requires manufacturers to design, develop, manufacture, and upgrade their products across their lifecycle taking into account the principles of risk management, which includes information security. Consideration should be given to minimum requirements concerning IT security measures, including protection against unauthorised access.
The EU Network and Information Security directive (the NIS Directive), which was the first piece of EU-wide cybersecurity legislation, was adopted in 2016 to enhance cybersecurity across the EU. In addition to the requirements of the MDR, manufacturers should also adopt good practices as regards cybersecurity for NIS Directive compliance.
The General Data Protection Regulation regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. Although medical devices do not contain any patient data themselves, it is important to note that they could be used to access other networks.
Organisations need to think about a range of issues in relation to the manufacture of medical devices if this is a new area of business.