The final text of the IVDR: first impressions
The IVDR text that the Council, Commission and Parliament reached agreement on is finally public (since 15 June). I’ve had the time to read it now.
I am not going to draft a long summarizing article that describes the IVDR in detail. For that I refer you to the new BSI white paper on the IVDR that was just published and that I co-authored with Gert Bos. This white paper provides an overview and to-do list for manufacturers on a chapter by chapter basis, like the one on the MDR published earlier this year (which we will need to update now for the final text of the MDR).
What I will do in this post is describe some last minute surprises that were introduced in the IVDR during the trilogue negotiations compared to the Council general approach. These are the following.
There were changes to the genetic testing clause, as I had hoped and argued should take place. The Parliament had an ardent wish to regulate informed consent procedures with respect to genetic testing in a lot of detail, which it does not have competence to do under the TFEU, as Julian Hitchcock and I have argued on behalf of companies providing genetic testing services.
The compromise now is that there is an information requirement and access to counseling requirement, except “where a diagnosis of a medical condition and/or a disease which the individual being tested is already known to have is confirmed by a genetic test or in cases where a companion diagnostic is used”.
The new IVDR mandatory clinical evaluation consultation procedure is a nice bit of repackaging of the scrutiny procedure. It applies to class D IVDs for which no Common Specifications are available and if it is the first certification for that type of device. What used to be the scrutiny procedure has been changed to a sort of emergency backstop that the authorities use to prevent the product from entering the market if they’re not happy with the CE marked end result.
The transitional regime (2 years grace period of existing IVDD certs and devices which were lawfully placed on the market pursuant to Directive 98/79/EC prior to the date referred to in Article 90(2) may continue to be made available on the market or put into service until three years after that date).
How does it work with the devices that may continue to be made available for three years? Apparently there is no requirement for a valid certificate anymore, otherwise it would fall in the two years bucket. This would mean that there theoretically is no notified body overseeing the device anymore during that period, so no unannounced audits and no surveillance audits. And it is unclear what regime applies to the IVD: the old IVDD or the new IVDR. Very unclear this.
There is a sudden down-classification of certain self-testing devices (for the detection of pregnancy, for fertility testing and for determining cholesterol level, and devices for the detection of glucose, erythrocytes, leucocytes and bacteria in urine) from class C to class B. This means that the IVDs concerned will still be subject to notified body oversight, just subject to other conformity assessment procedure.
The principle behind the IVDR and MDR classification logic seems to be that the only way is up, but this is the only example I have come across so far of down-classification.
I don’t understand the absence of a classification rule for software analogous to rule 10a under the MDR (that’s a surprise in the MDR). Especially the clinical decision support functionality that rule 10a MDR up classifies is also an important item in the IVD space, because more and more expert systems become available.
The new classification rule 10a in the MDR will result in all clinical decision support software and monitoring software that is currently mostly in class I to be bumped up to class IIa or higher. This will affect a lot of software devices currently on the market.
All of these devices will need to be certified by notified bodies under the MDR, while notified bodies have almost no experts on software. It’s also strange that clinical decision decision support software has no similar rule under the IVDR.
There suddenly is a new claims/advertising regime in the new article 5a. This we will now finally have EU harmonized rules for claims and advertising of medical devices:
“Article 5a Claims
In the labelling, instructions for use, making available, putting into service and advertising of devices, it is prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user or the patient with regard to the device’s intended purpose, safety and performance by:
(a) ascribing functions and properties to the product which the product does not have;
(b) creating a false impression regarding treatment or diagnosis, functions or properties which the product does not have;
(c) failing to inform of a likely risk associated with the use of the product in line with its intended purpose;
(d) suggesting uses of the product other than those declared in the intended purpose when the conformity assessment was carried out. “
However, I think the new rules are rather superfluous because they mirror exactly what is already in the Unfair Business to Consumer Unfair Commercial Practices Directive (2005/29/EC) or could be prohibited based on the Misleading and Comparative Advertising Directive (2006/114, its B2B cousin).
Sub c), however, is additional and a tricky one because it makes unimaginative risk management a violation of the law. Essentially you would need to list any likely risk, which reminds me of the patient leaflets for medicinal products that list even the most rare of possible side effects for the product.
Since there is no qualification of how likely the risk has to be in order for it to be listed (something which they actually do consider for medicinal products SPCs side effects listing), any risk with a likelihood of occurring seems to be a candidate for the IFU, but also for inclusion in advertising (it says “and advertising” so I interpret that grammatically as a duty to include all likely risks in advertising) there will be a lot of small print that none will be the wiser for. TV advertisements will need rattle off all the likely risks that viewers will do their best to ignore. More information is not always better protection if you ask me.
Maybe this is a too strict interpretation, but how then how to interpret “likely risk associated with” (not caused by, which is also more narrow)?
CAs enlisted in product liability and other claims
The new article 8 (9) allows member state CAs to request information from manufacturers on behalf of others in product liability and other damage claims:
“If a competent authority considers or has reason to believe that a device has caused damage, it shall, upon request, facilitate the provision, of the information and documentation referred to in the first sub-paragraph to the potentially injured patient or user and, as appropriate, the patient’s or user’s successor in title, the patient’s or user’s health insurance company or other third parties affected by the damage caused to the patient or user, without prejudice to the data protection rules and, unless there is an overriding public interest in disclosure, without prejudice to the protection of intellectual property rights. The competent authority need not comply with this obligation where disclosure of the information referred to in the first sub-paragraph is ordinarily dealt with in the context of legal proceedings.”
This is a matter of concern for industry because of the obvious risks of widely divergent application of this by member states and fishing expeditions by competitors and the wide scope of persons that can request this information. The “other third parties affected by the damage caused to the patient or user” would for example in my view include me as an employer if one of my employees was injured and my employee would be on prolonged sick leave. Mind you, this is not limited to product liability cases only, because in that case the scope would have been limited to ‘defective’ devices. This concerns any kind of damage caused by a device, regardless of whether it’s defective or not.
There are corrections on data protection and protection of intellectual property rights but it really remains to be seen how national competent authorities will implement this since the application is under full discretion of the national authorities.
Person responsible for regulatory compliance
It’s interesting that the person responsible for regulatory compliance can now be split into multiple persons, provided that their areas of responsibility are properly documented.
This documentation will be important to keep a good eye on for manufacturers and will tie into their QMS obligations as well. They will be written up by their notified body if the roles are not properly defined and accurately laid down at any moment in time.
Transparency of clinical data
There are now provisions for sharing raw clinical / performance data on a voluntary basis, where the Parliament was planning to force this off by means of the proposed recital 39a without corresponding provision in the texts of the Regulations that stipulated that the whole set of under clinical data would be non-confidential.
We now instead have an obligation to publish the clinical investigation report and a summary into Eudamed within a year after the trial, which will become public upon CE marking and immediately in case of halt or termination of the study. If the device is not CE marked within a year after entry into Eudamed of the report and summary, then the report and summary become automatically publicly available in Eudamed.
Over the summer the text will be looked at by the EU’s lawyer-linguists who will translate the IVDR in each of the official languages of the EU. Since that process may still reveal textual issues in the agreed English language text that will be ironed out, so be prepared for some very minor changes that may happen still. There won’t be surprises though, unless some things were written down in a very ambiguous way.
The text will then be published in the Official Journal of the EU in all official language versions and enter into force shortly after. This will likely happen this autumn.
Stay tuned, also for a next post on surprises in the final MDR text.