IVD manufacturers have had to make significant improvements to their risk files since the days of IVDD. What was once the reality—static and often incomplete files that hardly changed after being placed on the market—is no longer acceptable. However, despite making major headway in recent years, risk management is among the top issues IVD manufacturers are facing when it comes to IVDR compliance.

The Status Quo Under IVDD

The IVDD did not explicitly require manufacturers to have a risk management system. In reality, however, both notified bodies and competent authorities expected manufacturers to implement a risk management system based on EN ISO 14971, the harmonized standard for risk management for medical devices.  

However, with the vast majority (more than 90 percent) of IVD manufacturers able to self-certify under IVDD, there were a lot of gaps when it came to compliance. Self-certification meant that while manufacturers were still expected to comply with EN ISO 14971, little to no notified body scrutiny resulted in the quality of risk management files being highly varied. 

Devices intended for self-testing, including some pregnancy and cholesterol tests, were subject to initial design examination by notified bodies, but they were hardly ever scrutinized over the certificate cycle, leaving risk management often unchecked. Only the limited number of Annex II list A and B devices, such as HIV tests, devices intended for blood grouping, and blood glucose tests, for example, had full scrutiny of risk management on a technical level.

The result is that many manufacturers are starting the transition to IVDR with many gaps in their risk management files. Whereas poor risk management files often went unnoticed under the IVDD, the IVDR does not allow for grandfathering, and it explicitly requires manufacturers to document, implement, and maintain a risk management system as outlined in Annex I Chapter I (3).

→ Many manufacturers are struggling with all of the new requirements under IVDR. Learn how to overcome the biggest challenges facing manufacturers by watching our on-demand webinar: “Strategies for Overcoming the Biggest Challenges in Achieving IVDR Compliance.”

The New Reality of IVDR Compliance

Under IVDR, most of the devices that were previously self-certified now require notified body certification, which means that the vast majority of these devices will undergo notified body conformity assessment for the very first time. Technical reviewers at notified bodies look at the product-specific design, production, and end user risks in detail, which is a new experience for many manufacturers. 

Global manufacturers may be better positioned for the IVDR transition. They often have products on the market in regions that previously had higher standards, and they were also more likely to have some level of notified body scrutiny due to their diverse product portfolios. Additionally, large IVD companies are typically better resourced and have access to a stronger regulatory team trained on risk and ISO 14971 compliance. Their risk documentation could be more robust as a result; however, this is not always the norm. 

Small and medium-sized IVD companies may face a steeper learning curve because they may not have the necessary resources with the skills and experience required to prepare compliant risk management files that stand up to IVDR scrutiny. In either case, compliance is mandatory.

The Biggest Risk Management Challenges

Regardless of the size of the company or its IVD portfolio, many manufacturers are facing challenges with respect to risk management.

Mandatory Risk Management Systems

IVDR is based primarily on risk, and the requirements are now explicitly described under Annex I Chapter I (3), “Manufacturers shall establish, document, implement, and maintain a system for risk management.” Under IVDD, compliance with the harmonized ISO 14971 standard was assumed, but under IVDR, there is now the legal text, which is clearly aligned with the risk management standard. 

While having this clarity is beneficial to manufacturers, some companies—particularly those that were previously able to self-certify—may have more work to do in order to achieve compliance. 

Please note that at the time of writing this blog post, the Z Annexes (required for standard harmonization in the EU) had been published and were on the verge of being harmonized to the MDR and IVDR. Therefore, BS EN ISO 14971:2019+A11:2021 will become the version of the standard that will need to be referenced in all official documentation for EU compliance, including your technical documentation. 

Compliance for Large Portfolios

Large IVD manufacturers with hundreds or thousands of products across a range of risk classifications, technologies, and intended purposes must be strategic about their risk management systems. IVDR requires a risk management plan for each device, but this does not preclude opportunities to group similar devices or those belonging to the same family, where appropriate. 

The challenge is how to adapt your risk management plan to suit the entire portfolio without putting an unnecessary burden on resources. The plan must be proportionate to the device risk so that it aligns with the classification of the device(s) without creating more burden than necessary. Grouping devices into product families is appropriate for IVDs and is often the only way manufacturers with large portfolios can ensure compliance beyond product conception throughout the lifecycle of the devices. Strategic planning is key for successfully managing risk.

Adapting Risk Management Teams

Even companies that have risk management teams in place will need to adapt to the new reality under IVDR. In the past, companies could get away with ignoring risk management files past product conception because there was very limited notified body oversight for the vast majority of products, but this is no longer the case. Now, there is a clear mandate for notified bodies to conduct annual technical documentation assessments over the certificate cycle—together with reviews of PSURs and SSPs, for example—which are intrinsically linked to risk management. 

Risk management teams will need to adopt a new cadence through the product lifecycle to ensure IVDR compliance across the entire portfolio. Additionally, risk files must be updated in the post-market phase with real-world data arising from complaints, post-market use, and other data as it comes in.

Lack of Alignment Between Risk Management and Other Teams

Even the most engaged and qualified risk management teams face challenges when it comes to technical documentation compliance. One of the most significant is a lack of integration with other departments, which results in outputs that do not align with other sections of the technical documentation such as the PEP, PER, IFU, SSP, and so on. This leads to notified body nonconformities and a longer approval process. An integrated approach to compliance will streamline the submission process and result in fewer questions and delays.

Discrepancies Between the Device Classification and Risk Analysis

Much as the risk management plan must be proportionate to the risk of the device, the risk analysis must also align. With IVDR using a rule-based system for device classification, notified bodies are challenging discrepancies between how a manufacturer classified its device and the outputs of the risk documentation. For example, an IVD that is classified as Class B (a device that does not typically have a life-threatening element) but shows a potential outcome of death in the risk analysis could see its classification rationale challenged by the notified body. This could ultimately result in a higher classification under Class C Rule 3, for example.

Failure to Include Specific Risk Analyses

With former notified body leaders at RQM+ and many successful submissions already under our belts, we have learned a lot about what might trigger notified body questions. In the case of risk management, the impact of a delayed result is often missed in the risk analysis, and its omission is a common finding. This is information notified bodies expect to see, especially for the highest-risk devices. A delay in diagnosis in a critical care setting, for example, can have severe consequences for patients.

Manufacturers also fail to address the specific risks that arise from the intended user and use environment. For self-tests and near-patient tests, for example, it is crucial that risk management recognizes the user profile (i.e., a non-laboratory professional) and the settings in which the device is likely to be used (e.g., at home, at the patient’s bedside, in an emergency room, or in an ambulance).

How RQM+ Helps

RQM+ offers a full suite of IVDR transition services that deliver business-balanced solutions. We provide a dedicated team of former notified body leaders, risk management professionals, and expert implementers. We start with an IVDR impact assessment, including risk management files, to help you determine how ready you are. We also provide support for identifying the product family groupings that make the most sense, perform gap analyses and mock technical assessments for remediation planning, and create systems for integrating risk management with other teams.

When it comes time to implement, we provide client-specific training programs at all levels. Our team is also here to provide ongoing support for creating compliant risk management files at every stage of the product lifecycle. 

Risk management is just one of the many challenges IVD manufacturers are facing as deadlines loom. To learn more about how your team can prepare, watch our on-demand webinar, “Strategies for Overcoming the Biggest Challenges in Achieving IVDR Compliance.”
