Many people ask about the liability of individuals, management, and the company. After all, it is not only the Medical Devices Regulations that impose fines and imprisonment. The question of liability also arises for development service providers.
Liability in Germany: Differentiating between criminal and civil law
Civil law: Parties involved
In civil law, the question of liability arises between the parties involved and is usually based on their contracts:
- The medical device manufacturer has a purchase contract with the customers, e.g., the hospitals
- The hospitals have treatment contracts with the patients
- The employees of the medical device manufacturers have employment contracts with their employer
- The medical device manufacturers have awarded development contracts to service providers and have regulated this in contracts
Question of liability in case 1: Error of the development service provider ultimately leads to patient harm
In this example, let’s assume that the software developed by the development service provider is faulty, resulting in a defective medical device, which ultimately causes patient harm.
From a civil law (and usually also from a criminal law) perspective, liability remains with the person/organization placing products on the market, i.e., the medical device manufacturer. This means that the medical device manufacturer would be responsible for any harm caused by a faulty medical device.
Manufacturers could claim damages from their service providers if the latter have not fulfilled all contractual obligations, for example, if an agreed validation of the software has not been carried out or has not been carried out to the agreed quality (e.g., defined via coverage grades).
However, criminal liability of development service providers or their employees could arise if the latter have negligently failed to meet their obligations and knowingly accepted harm. For example, development service providers may have used a software item (SOUP) that they learned (perhaps even after delivering the software including the SOUP) was defective and could, therefore, ultimately cause harm to patients. If development service providers, or more precisely, the responsible developer or risk manager, fail to react, this can have consequences under criminal law. Depending on the jurisdiction, criminal law is directed against individuals, not institutions.
Another liability issue arises in the context of the review of service providers. If a service provider does not have a certified QM system, the manufacturer is even obliged to conduct a supplier audit in order not to undermine the effectiveness of its own QM system.
How to conduct such a supplier audit is described in our audit guide, which, by the way, was requested by notified bodies.
Question of liability in case 2: Defect directly caused by the person placing on the market
If the manufacturer caused the error that ultimately led to the patient’s harm, the company is also initially liable under civil law. The company can, if necessary, consider claims against its managers and other employees. Employee liability depends on the degree of negligence. In the case of slight negligence, the employee is not liable. At the other end of the scale, liability remains with the employee who acts with malice aforethought.