IVDR: How to Meet the Quality Management System Requirements of a Device

In this article, we will explain how to meet QMS requirements of a device under Regulation (EU) 2017/746 (IVDR).

Quality System Always Up-to-Date

For all manufacturers of in vitro diagnostic devices (IVD), including those who have self-certified IVDs, having a QMS compliant with IVDR has become a general obligation, as reported in point 8 of Article 10 of the IVDR. 

According to Article 10, manufacturers are required to "establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner that is proportionate to the risk class and the type of device”.

It is important to note how the IVDR emphasizes through the terms "maintain", "update", and "continually improve" the fact that the QMS needs to be continuously updated to take into account any kind of change, from modifications concerning standards or specifications, internal to the organization and/or to products/services, to the results of a process of review and continuous improvement of the QMS itself.

Elements Necessary for Compliance

According to Article 10 of the IVDR, to ensure that the QMS provides all the necessary elements for compliance, it shall include at least the following aspects:

1. A strategy for compliance with the regulations

2. Identification of the applicable general safety and performance requirements

3. Responsibility of the management

4. Resource management, including selection and control of suppliers and sub-contractors

5. Risk management

6. Performance evaluation, including PMPF

7. Product realization, including planning, design, development, production, and service provision

8. Verification of the UDI assignments

9. Setting-up, implementation, and maintenance of a post-market surveillance system;

10. Handling communication with competent authorities, notified bodies, other economic operators, customers, and/or other stakeholders

11. Processes for reporting of serious incidents and field safety corrective actions

12. Management of corrective and preventive actions and verification of their effectiveness

13. Processes for monitoring and measurement of output, data analysis, and product improvement.

How to Assess Compliance

The process of evaluating conformity varies according to the risk classification and excludes Class A devices in self-certification, for which manufacturers draw up a declaration of conformity. 

During this process, the manufacturer is required to submit the documentation on QMS itself to the Notified Body (NB), in addition to the technical documentation and the description of the procedures, underlining how these comply with the regulation.

As indicated in section 2 of Annex IX, the manufacturer shall lodge an application for assessment of its QMS to a Notified Body (NB). The manufacturer is tasked with providing a clear and detailed overview of its QMS in the documentation presented to the NB, demonstrating how it meets the requirements of the Regulation.

To certify compliance with IVDR requirements, the chosen NB conducts an on-site audit and, if the outcome is compliant, issues an EU Quality Management System certificate to the manufacturer. 

It is important to remember that if significant changes concerning the QMS or the device are necessary, the manufacturer, in accordance with section 2.4 of Annex IX, is required to communicate this to the NB, who will evaluate the proposed changes and the need to carry out further audits. If the changes are approved, the NB communicates this decision to the manufacturer and issues a supplement to the existing EU certificate.

Once certification is obtained, the manufacturer is subjected to surveillance, to ensure compliance with and adherence to the obligations deriving from the certified QMS. Maintenance audits are carried out at least once every 12 months, while every five years, the NB performs surprise audits on the manufacturer or its suppliers. 

The purpose of these audits is to test an adequate number of manufactured devices, present at the manufacturer's premises or collected from the market, or those in production, to verify their conformity with the technical documentation. 

In the event that the surveillance audit has a negative outcome, the NB can suspend or revoke the corresponding certificate or impose limitations regarding it.

ISO 13485:2016+A11:2021 Standard

The Regulation (EU) 2017/746 requires manufacturers to have a valid QMS, but does not provide explicit guidance on how to achieve it. However, for a manufacturer, structuring according to the requirements of ISO 13485 or obtaining certification in accordance with this standard ensures a presumption of conformity with the requirements of the regulation. 

ISO 13485 is a standard for quality systems specifically designed for companies involved in the design, production, storage, and distribution of medical/ in vitro diagnostic devices.

The EN ISO 13485:2016+A11:2021 (UNI EN ISO 13485:2021) is the corresponding harmonized technical standard at the European level, developed within the framework of the Commission’s standardization request M/575 of 14.4.2021 to provide a voluntary means to comply with the requirements of Regulation (EU) 2017/746. 

ISO 13485:2016+A11:2021 specifies the requirements for a QMS that can be used by an organization involved in one or more stages of the life cycle of a device and includes, among various annexes, Annex Zb, which precisely specifies the relationship between the European standard and the IVDR requirements to be met (Article 10, Annex IX, and Annex XI). 

Manufacturers and NBs must therefore integrate the QMS requirements envisaged by IVDR into the processes provided by the EN ISO 13485 standard. In fact, IVDR requires the integration of certain processes in the QMS, such as risk management, performance evaluation, post-market surveillance, and the assignment of UDI (Unique Device Identification).

Risk Management System

The risk management system, based on the type of device and its intrinsic risks, must be considered in the structuring of the QMS. In accordance with Article 10, point 2 of IVDR, it is the manufacturer's obligation to establish, document, implement, and maintain a risk management system as described in Annex I, point 3. 

This process involves identifying risks, their mitigation, with the aim of eliminating or reducing the risk as much as possible, and communicating any residual risk to the user. Overall, the risk must be reduced to demonstrate that the product's benefits outweigh any residual risk. 

From a QMS perspective, it must be ensured that the risk management process is applied throughout the entire lifecycle of the device and is not limited to the development and design phase of the product.

Performance Evaluation and Post-Market Surveillance

In accordance with Article 56 and Annex XIII, the performance evaluation, including the new post-market performance follow-up plan (PMPFP), must be defined within the QMS and varies according to the classification of the device. 

The PMPFP can be a stand-alone document or be part of the QMS as a procedure or template to be filled in for each product. The introduction of the plan is a strong indication that IVDR is moving towards a proactive type of post-market surveillance activity. 

Post-market surveillance activities, defined as,

[A]ll activities carried out by manufacturers in cooperation with other economic operators to institute and keep up to date a systematic procedure to proactively collect and review experience gained from devices they place on the market, make available on the market, or put into service, for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions.

These activities must be established, implemented, and maintained in accordance with Article 78 and, as indicated in IVDR, must be an integral part of the QMS. 

The regulation provides for a series of links between this process and other areas of the QMS, including feedback from market, risk management, performance evaluation, updates to technical documentation, corrective and preventive actions (CAPA), reporting of adverse events, and monitoring of the process/product/service.

Unique Device Identification (UDI) System

Another requirement introduced by IVDR concerns the implementation of the unique device identification system pursuant to Article 24. From the QMS perspective, it is important to implement procedures and actions concerning the management of the UDI code. 

It is the manufacturer's responsibility to ensure that the numbers are assigned appropriately, that they are not reused or reissued, and that they are adequately maintained throughout the life cycle of the device.

Roles and Responsibilities

The IVDR has introduced, pursuant to Article 15, the role of the Person Responsible for Regulatory Compliance (PRRC), assigning him the task of ensuring that the conformity of devices is adequately controlled in accordance with the QMS under which the devices are manufactured.

In addition to the PRRC, IVDR has defined a series of responsibilities for the various economic operators (importers, distributors, and authorized representatives). The manufacturer must ensure that these different responsibilities, and their oversight, are documented as part of the QMS.

The Regulation also clearly requires that the management of the resources necessary for the implementation and execution of procedures and policies is defined within the QMS. Resource management also includes the selection and control of suppliers and subcontractors, with particular attention to critical suppliers based on risk.

Conclusion

Having and maintaining a robust QMS is not only a practical foundation for manufacturers in meeting regulatory obligations and requirements, but it also ensures a specific focus from each organization on the quality and safety of devices, aimed at protecting public health and individual patients' well-being.

This article was originally written by 1MED and is being republished here with permission.

1MED, is a leading European MedTech Contract Research Organization (CRO) offering global end-to-end development services. Founded in 2014, with headquarter in Agno, Switzerland, 1MED's mission is to provide the European MedTech market complete clinical research solutions to accelerate scientific outcomes to their clients. Their team of researchers utilize their vast expertise across all areas of clinical research and cutting-edge data solutions to support their customers across the clinical research continuum.