The Regulation (EU) 2017/746 on in-vitro diagnostic medical devices (IVDR) sets the framework and requirements for – obviously – diagnostic medical devices. In this article I am trying to give a broad overview on the essential requirements you need to fulfill in order to be compliant. We will take a look into the classification system, the general obligations of manufacturers and the conformity assessment routes.
Disclaimer: The world of IVDs is very diverse and I focus on software as an in-vitro diagnostic medical device.
What is an in-vitro diagnostic medical device?
Let’s take a direct look into the definitions section of the IVDR (sorry for the long quote):
“‘in vitro diagnostic medical device’ means any medical device which is a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, piece of equipment, software or system, whether used alone or in combination, intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body, solely or principally for the purpose of providing information on one or more of the following:
(a) concerning a physiological or pathological process or state;
(b) concerning congenital physical or mental impairments;
(c) concerning the predisposition to a medical condition or a disease;
(d) to determine the safety and compatibility with potential recipients;
(e) to predict treatment response or reactions;
(f) to define or monitoring therapeutic measures.
Specimen receptacles shall also be deemed to be in vitro diagnostic medical devices.”
If your device matches one of the above mentioned definitions: Congratulations, you have an IVD!
If your device does not match one of the above mentioned definitions: You can stop reading this article 😛
What is software?
Software is defined as…well, the IVDR does not define the term “software”. Wow. But we can take a look into the MDCG 2019-11 on Qualification and Classification of Software in Regulation (EU) 2017/746:
For the purpose of this guidance, “software” is defined as a set of instructions that processes input data and creates output data.
Alright.
The regulation distinguishes between stand-alone software also called “Medical Device Software” and “Software driving or influencing the use of a device”. These softwares drive the use of a (hardware) medical device and does not have or perform a medical purpose on its own, nor does it create information on its own.
Examples:
The software that drives the PCR machine.
Software with built-in electronic controls for IVD quality control procedures.
This kind of software is not relevant for this article so we will focus on stand alone software that is intended to be used, alone or in combination, for a purpose defined in the IVDR.
Examples:
MDSW that uses maternal parameters such as age, concentration of serum markers and information
obtained through fetal ultrasound examination for evaluating the risk of trisomy 21.
Mass Spectrometry MDSW intended to analyse LC-MS/MS data to be used for microorganism
identification and detection of antibiotic resistance.
Note: MDCG 2019-11 includes a very good decision tree that helps you determine if your software is a medical device according to the IVDR.
1. Risk Classification: from A to D
The IVDR is a class society. Based on the intended purpose of the IVD you identify the risk class based on the classification rules described in Annex VIII. I will keep this paragraph very brief because you can read more details and find examples in my article on the IVDR classification system. Class A IVDs do not require the involvement of a notified body (we will come to this later) and you can self-declare conformity with the IVDR.
This table summarizes the four risk classes with some examples:
Risk class | Description | Example | Notified Body involved? |
A | Low personal riskLow public health risk | The analyser and the software driving and influencing an ELISA assay. | No. |
B | Moderate/Low personal riskLow public health risk | Devices for the detection of pregnancy. | Yes. |
C | High personal riskModerate/Low public health risk | Medical device software for high-resolution analysis of HLA sequencing data, for transplantation purposes. | |
D | High personal riskHigh public health risk | Devices intended for the detection of Hepatitis B virus. |
The higher the risk class the higher the regulatory requirements that we will explore in the next section.
2. Core requirements for regulatory conformity
Although the risk classes are different and also the conformity assessment routes are different there are core requirements for all IVDs. Let’s look at them individually:
Article 10 – Your obligations as a manufacturer
Article 10 lists and references the most important obligations of manufacturers. You can use it as a starting point to further explore and understand the IVDR. In a nutshell you will need to:
- implement a risk management system (ISO 14971)
- conduct a performance evaluation (Article 56 and Annex XIII)
- set up the technical documentation according to Annex II and Annex III (see below)
- sign the declaration of conformity (Article 17)
- assign a UDI to your device (Article 24)
- use harmonized standards (EU Commission)
- set up a Quality Management System (the IVDR also lists the specific procedures that you need. I recommend using ISO 13485 to fulfill these requirements)
- incident documentation and reporting (Article 82 & Article 83).
Article 15 – The person responsible for everything
The IVDR wants you to assign a person responsible for regulatory compliance (PRRC) in your organization. Micro and small companies can also outsource this responsibility (e.g. to us). The PRRC ensures that:
- the conformity of the devices is appropriately checked,
- the technical documentation and the EU declaration of conformity are drawn up and kept up-to-date,
- the post-market surveillance obligations are complied,
- the reporting obligations referred to in Articles 82 to 86 are fulfilled.
Annex I – GSPRs
The General Safety and Performance Requirements (GSPRs) is a set of obligations that need to be fulfilled by every medical device. The Annex I is further divided into three subchapters:
Chapter 1 – General requirements
This is the shortest chapter, focusing primarily on risks and their mitigation. It includes the following key points:
- Devices must function according to their intended design.
- They should not endanger the health or safety of patients, users, or anyone else associated with the device.
- Risks should be minimized as much as possible without adversely affecting the risk-benefit ratio.
- Manufacturers must implement and maintain a comprehensive, well-documented, and evaluative risk management system that is continuously updated throughout the device’s lifecycle.
- Designers and manufacturers must incorporate necessary measures to protect users when risks cannot be entirely eliminated.
- Manufacturers must inform users of any remaining risks. This information should be clear, easy to understand, and tailored to the users’ technical knowledge, use environment, and any relevant medical conditions.
- Devices must endure normal use throughout their lifecycle and be designed, manufactured, and packaged to prevent damage during transport and storage.
- For known and foreseeable risks and side effects, designers and manufacturers must make every effort to minimize negative outcomes and ensure that the potential risks are acceptable when compared to the potential benefits to users.
Chapter 2 – Requirements regarding design and manufacture
The GSPRs also provide key details regarding specific information about the performance, design and manufacture of medical devices. The IVDR provides highly detailed requirements relating to a device’s technical information.
Chapter 3 – Requirements regarding the information supplied with the device
This chapter addresses the specific information that manufacturers must provide with their devices, a crucial aspect of governance within the GSPRs. According to the general requirements, “Each device shall be accompanied by the information needed to identify the device and its manufacturer, as well as any safety and performance information relevant to the user or any other person, as appropriate.” The requirements specify the necessary information and its location, including:
- The device label, which must include its UDI.
- The user instructions.
- The packaging of a device intended to maintain its sterile condition.
The chapter is very detailed and the requirements are quite straightforward.
Annex II – The Technical Documentation
Annex II of the IVDR outlines the requirements for the technical documentation that manufacturers must compile and maintain for each medical device they produce. This technical documentation is crucial for demonstrating that a device complies with the IVDR and is safe and effective for its intended use.
The Annex includes six subchapters including, labeling, verification & validation as well as necessary information on device description.
Annex III – Post-market surveillance
After bringing your device to market you will need to surveille its performance and safety. The system of this post-market surveillance is described in Annex III. You can read more about PMS in the context of IVDs in my article “How do we ensure PMS under the IVDR?” and in my “Ultimate PMS Guidance”.
Now that we know what we need we take a look into the ways by which we push our IVD through the conformity assessment.
3. Conformity assessment routes
Based on the risk classification you can choose different conformity assessment routes. The conformity assessment is actually only applicable to class B, C and D IVDs because only these involve a notified body assessment.
There are two conformity assessment routes as laid down in Annex IX and Annex X of the IVDR. You can choose (partially) the way to go. I recommend the conformity assessment route via Annex IX. It is the classical one 😛
Option 1: Conformity assessment based on QMS and TD (ANNEX IX)
The Notified Body will assess and evaluate your QMS according to Article 10 and the ISO 13485. In addition, they will evaluate the technical documentation of your medical device. This way is possible for all risk classes.
Option 2: Conformity assessment based on type examination (ANNEX X) & Conformity assessment based product quality assurance (ANNEX XI)
Annex X contains one half of the conformity assessment route typically chosen by manufacturers who choose not to fulfill the quality management system requirements of Annex IX. The manufacturer provides the notified body with the technical documentation, the clinical evidence and, as appropriate, samples of the device for testing. If the application is successful, the Notified Body issues an “EU type-examination certificate”.
Let’s summarize this in our table:
Risk class | Minimum regulatory requirements | Conformity assessment route A | Conformity assessment route B | Notified Body involved? |
A | Annex I – General safety and performance requirementsAnnex II – Technical documentationAnnex III – Post-market surveillance | Prepare the TD outlined in Annex II and III; self-declare conformity with the IVDR | No alternative option. | No. |
B | Full QMS compliant with Annex IX & Random sampling of TD | No alternative option. | Yes. | |
C | Full QMS compliant with Annex IX & Random sampling of TD | Undergo EC-type examination in accordance with Annex X&Assessment of production quality assurance in accordance with Annex XI | ||
D | Full QMS compliant with Annex IX & Random sampling of TD &Product testing at EU reference laboratory | Undergo EC-type examination in accordance with Annex X&Product testing at EU reference laboratory |