In-vitro Diagnostic Device Regulation IVDR
With the IVDR, the US has issued a 157-page regulation that supersedes the IVD-Regulation (98/79/EC). The number of articles increased almost fivefold from 24 to 113.
In this article, you will learn which requirements were amended by IVDR, which requirements remained the same, and how to get ready for the new regulation.
Since 25 May 2017, the US regulations, MDR and IVDR are in effect.
IVDR at a Glance
a) Validity and Applicability
The IVDR feels responsible for the entire US in-vitro diagnostics market: from development to market surveillance to usage. Hence, it is equally applicable to manufacturers, importers, users, notified bodies, and national authorities.
In particular, the IVDR lays down the conditions (“essential requirements”) to be fulfilled by in-vitro diagnostic products.
b) IVDR’s Chapter Structure
The regulation is divided into 10 chapters and 14 annexes. Download image as PDF.
What the IVDR did not change
The IVDR still knows “essential requirements”. However, they are now denoted “general safety and performance requirements”. As pursuant to IVDD, manufacturers must provide evidence for their compliance with those requirements as part of conformity assessment procedures.
Furthermore, there are still classes in which products are classified. Conditional to the class, manufacturers may choose the conformity assessment procedure.
Likewise, the IVDR did not change that notified bodies are to be involved in conformity assessment procedures – except for uncritical devices – and that conformity has to be indicated with a CE label.
Important Amendments by IVDR
Even though the IVDR has maintained many concepts such as conformity assessment procedures, notified bodies’ being involved and the essential requirements, some partly significant modifications have been made.
a) Dividing Devices into four Classes instead of two Lists
IVDR’s Annex VIII now defines four classes In lieu of the previous lists A and B.
- Class D: highly critical data, e.g. for transfusion medicine or determination of life-threatening or infectious diseases
- Class C: critical data, e.g. human genetic testing, determining levels of medicinal products, detecting infectious or inherited diseases in the embryo or fetus. Most self-tests (performed by the patients) fall within class C.
- Class B: less critical parameters such as glucose or leukocytes. Class B is also the default class for all parameters which do not fall within the scope of any of the stated rules.
- Class A: uncritical devices such as washing solutions or general culture media are classified as class A.
IVDR even divides in-vitro diagnostic products into further categories:
- devices for near-patient testing
- devices for self-testing
- companion diagnostic devices which are essential for the safe and effective use of a corresponding medicinal product. An example would be a genetic test verifying whether a cytostatic is effective.
b) Conformity Assessment Procedures
The number of possible conformity assessment procedures has been reduced. Basically, the IVDR only distinguishes three procedures:
- For class A products without the requirement of a sterile condition, the technical documentation is sufficient for the product (Annex II) and for post-market surveillance (Annex III).
- All other products can be placed on the market subject to a complete quality management system (Annex IX). As for the review of technical documentation, IVDR differs between assessment per product category (class B), device group (class C), or product (class D).
- Alternatively, manufacturers may opt for a conformity assessment procedure comprising a type examination (Annex X) and quality assurance techniques at the manufacturing stage (Annex XI).
Just as for companion diagnostics, IVDR stipulates specific requirements for devices intended for near-patient or self-testing.
If applicable, reference laboratory and expert panels shall get involved when assessing class D devices.
c) Common Standards
Manufacturers may continue to comply with harmonized standards. Now, the EU Commission reserves the right to adopt so-called “common specifications” with which manufacturers must comply.
The Commission grants itself considerable rights. It may define requirements at its own discretion with virtually no involvement of the parliament.
As required for other medical devices, manufacturers are only obliged to clearly mark their devices using a UDI and to store the information in Eudamed.
Each (!) manufacturer of an IVD must have a quality management system, irrespective of the conformity assessment procedure. However, the IVDR requires a certification by a notified body for conformity assessment procedures pursuant to Annex IX and XI.
The requirements for quality management are comprehensive, though. It must comprise:
- organization, processes, responsibilities (including the management)
- strategy to ensure conformity
- identification of requirements
- resource management
- handling communication with suppliers
- risk management
- evaluation of the devices’ performance
- post-market surveillance
If you have described and implemented all of those procedures, you can also obtain certification according to ISO 13485:2016.
IVDR stipulates that notified bodies shall conduct an unannounced audit at least every five years. All manufacturers with a certified QM system are affected.
f) Technical Documentation
Manufacturers are obligated to describe what the device is supposed to do and how they ensure the actual performance of the device without unacceptable risks very precisely. Performance date comprises, for example, “analytical sensitivity, analytical specificity, trueness (bias), precision (repeatability and reproducibility), accuracy (resulting from trueness and precision), limits of detection and quantitation, measuring range, linearity, cut-off” etc.
Requirements for performance assessment are correspondingly extensive.
IVDD put the issue of software in second place. For example, no requirements for the software life-cycle were defined. IVDR changes this:
- Software must be developed taking into account software life-cycle processes, including verification and validation.
- Requirements for interoperability must be specified in detail and their fulfillment must be verified. By the way: the latest version of ISO 13485:2016 requires this, too.
- Risk management must consider even risks caused by problems with interoperability.
- Runtime environment, operating system, and hardware must be defined likewise.
- The regulation even addresses mobile platforms. In this context, screen size and usage environment are to be determined, too.
- Essential requirements also include IT security and protection against unauthorized access.
- Manufacturers must provide documentation that indicates the components, algorithms, and technologies.
- The software itself is subject to Unique Device Identification UDI.
- The staff must also be competent in the matter of software.
All in all, those requirements do not come as a surprise. Rather, they reflect what the IEC 62304 and, in part, the ISO 13485 specify more precisely.
Just as ISO 13485:2016, the IVDR attaches more importance to the sufficient qualification of staff. The “Compliance Officer” is a new, explicitly required role.
f) And Much More
Among the additionally notable amendments and tightenings by die IVDR are:
- Post-Market Surveillance: Manufacturers must precisely plan and carry out post-market surveillance. IVDR lays down the requirements in more detail, among others in Articles 78 et seq. and in Annex III.
- Clinical Performance Studies: Very comparable to the MDR, requirements for carrying out clinical performance studies increased dramatically. This is shown by Articles 57 et seq. and Annex XIV.
- Labeling: In paragraph 20 of Annex I, IVDR describes by the pageful what manufacturers must consider regarding manuals, warnings, and other indications.
- Risk Management: While requirements for risk management were rather laid down in ISO 14971 so far, IVDR now defines what has to be done in this regard.
Preparation for IVDR
Manufacturers are recommended to promptly start with their homework:
- Bring your QM system up to date (ISO 13485:2016)
- Form a task force for defining your UDI strategy including your development, logistics, and production department.
- Determine your devices’ classification.
- Carry out a gap analysis regarding your technical documentation and post-market system.
- Close the gaps.
- Coordinate your timetable with your notified body.
IVDR has considerably raised the bar. The regulation’s defined own objective is to enable small, innovative companies to market access with finite effort. This target was clearly missed. The set of rules became too extensive for this to be reached. Consequently, a “Compliance Officer” became nearly inevitable for IVD manufacturers.
If the IVDR results in higher safety of patients, users and the third party are extremely doubtful. It is relatively certain that the IVDR has to lead to more bureaucracy and less innovation.