Mind the Gap! The 3 Biggest Gaps Faced When Implementing IVDR

If you have traveled on the London Underground you may have noticed the “Mind the Gap” warnings on many platforms. These could also be wise words for the in vitro diagnostic (IVD) industry and should also be pasted on the message board of the European Union’s In Vitro Device Regulation (IVDR) transition teams.

This article discusses three of the largest gaps you should avoid falling into.

1. Intended Purpose
2. Risk Management
3. The Devil is in Detail!

Intended Purpose

Although the definition of intended purpose did not fundamentally change between the IVDD and IVDR, the IVDR has added clarity as to the required elements of intended purpose statements in the Annexes. IVDR Annex I General Safety and Performance Requirements (GSPR), 20.4.1(c) outlines the required elements to include in the intended purpose statement provided in the instructions for use (IFU) as follows:

(c) the device's intended purpose:

(i) what is detected and/or measured; (ii) its function (e.g. screening, monitoring, diagnosis or aid to diagnosis, prognosis, prediction, companion diagnostic; (iii) the specific information that is intended to be provided in the context of:

— a physiological or pathological state;

— congenital physical or mental impairments;

— the predisposition to a medical condition or a disease;

— the determination of the safety and compatibility with potential recipients;

— the prediction of treatment response or reactions;

— the definition or monitoring of therapeutic measures;

(iv) whether it is automated or not;

(v) whether it is qualitative, semi-quantitative or quantitative;

(vi) the type of specimen(s) required;

(vii) where applicable, the testing population; and

(viii) for companion diagnostics, the International Non-proprietary Name (INN) of the associated medicinal product for which it is a companion test.

Annex II, 1.1(c)(viii) further implies the intended purpose should include the intended user.

The most basic mistake being made is that the intended purpose does not meet each of these requirements. The Notified Body will check that each requirement has been met. If the information is not collated in a defined intended purpose section of the instructions for use, then the manufacturer has to map each requirement and it should be clear and not ambiguous.

The intended purpose is then a pivotal input into the Performance Evaluation including the Scientific Validity, Analytical and Clinical Performance as well as the state of the art for the device and risk management. If the intended purpose does not meet the requirements, then it is very likely that there will be findings in each of these sections. It is rather like pulling a thread in a jumper, if you pull the thread as the Notified Body, it unravels in multiple places to create a hole.

Only once the intended purpose is clear can the device classification be established.

This is a topic Qserve Group has been talking about for some time. See their post Go with the Flow. However, as the IVDR gathers momentum and Notified Bodies have started work, this is materialising as review findings.

Risk Management

Risk Management has been a core expectation of the IVDD since it started and is a cornerstone of most IVD regulations worldwide so it may be a surprise that this is a major issue under the IVDR.

In 2012 EN ISO 14971 was reissued with a revised Annex ZC that maps the standard to the IVDD. This annex also describes the expectations for the IVDD for risk management and where there is a deviation from the standard. The medical device industry went through a similar transition, so Notified Bodies are very familiar with the expectations. These expectations have been hard wired into the text of the GSPRs in the IVDR. Unfortunately, since approximately 80% of IVDs in the EU are self-certified and not reviewed by a Notified Body, many manufacturers have not made this transition and the following key issues have not been addressed:

1. There must be a benefit-risk decision for each hazard identified, not just an overall benefit-risk evaluation.
2. All risks should be reduced as far as possible so the as low as reasonably practical (ALARP) cannot be used where no further action is needed for low risks.
3. Manufacturers shall inform the user of any residual risk.
4. The probability of a risk cannot be reduced based on labeling alone.

In addition, many risk assessments do not consider the severity of harm. Harm is the actual impact on the patient. A wrong result, false positive or false negative result in itself is not a harm. It is what impact this incorrect result has on the patient that is the harm. For example, a falsely elevated glucose result from a test (hazard) not detected by the lab operator and reported to a clinician that accepts the value as true and administers an antiglycemic drug (hazardous situation) could lead to a coma (harm). To ensure that all possible scenarios are considered as part of risk management, clinical input is required to make this decision based on the care pathway when used according to its intended purpose.

Also, risk assessments are often not thorough enough; for example, they do not list hazards that are clearly indicated in the instructions for use. Notified Bodies will be interested to review how you scored these items, if you reduced risk based on probability alone and what control measures were put in place. 

Finally, many risk assessments were performed during the design of a device and have not been kept up to date. For example, the risk assessment cross references evidence that risk controls are effective. If the shelf life of a kit was extended a new stability report supporting the new expiration date will be generated and should be referenced.

The Devil is in Detail!

This neatly brings me to my final gap and that is detail. The IVDR states in Annex II:

The technical documentation and, if applicable, the summary thereof to be drawn up by the manufacturer shall be presented in a clear, organised, readily searchable and unambiguous manner and shall include in particular the elements listed in this Annex.

Keeping documents up to date will be a huge challenge and will require additional resources. Notified Bodies have to be pointed to the precise location of supporting evidence. If we take the example above, many companies simply reference stability studies and cite “see the design history file (DHF)” without referencing a specific report. This will not be acceptable; Notified Bodies do not have the time to search through multiple reports. Clear and unambiguous means to be specific and not doing so will result in a question or a finding.

Notified Bodies need to audit your conclusions and then review the supporting information. So how much data do you need to put in the Technical File?

A Technical File that only points to the DHF will not be sufficient; however, you do not need to send the entire DHF. This is where sensible use of the Analytical Performance Reports (APR) and Clinical Performance Reports (CPR) can be your friend. For example, in the stability section of the APR summarise the stability data and make a clear conclusion about compliance. The IVDR requires data on 3 batches so you will need to provide data for three batches. You will also need to consider on-board stability, open vial, transport, etc. as appropriate and make conclusions why the data shows compliance. The Notified Body could ask to see the full data; however, if the summary data tells the story it may be sufficient. Consider if you were participating in a design review how much data you would present at a phase review to demonstrate objectives have been met and use this as a guide for what is the right amount.

During early drafts of the IVDR some manufacturers thought it would not be necessary for low risk devices to provide specific detail and a high-level summary would be sufficient; however, this is not correct. Notified Bodies will review class B devices in a similar way to class C but they will sample fewer class B devices.

In a similar way, the General Safety and Performance Requirements (GSPR) checklist needs to reference specific documents and pages or sections and should refer to specific versions of standards and guidance documents. If a product was developed to a previous edition of a Clinical and Laboratory Standards Institute (CLSI) document and you are using this as part of your compliance strategy, then the difference between the editions should be described. If there is an impact to your device, consider and discuss how has this been bridged either with new studies or real-world data. Remember if a GSPR is not applicable, you have to also justify why it is not applicable. For example, electrical safety requirements are not applicable if the device is not an active device; however, you have to document this, the Notified Body cannot make the assumption for you.

Finally

These are three gaps to master from the outset. If you do not have a compliant intended purpose it is likely you will have to rework all your performance evaluation and risk management documents. Most manufacturers have understood that the transition between the IVDD and the IVDR will take time and resources; however, they are starting to find out that there is actually more work than they anticipated and very little time.

From my past Notified Body experience, many manufacturers often underestimate the maintenance of files to keep them up to date with changes in the state of the art and with the generation of new internal documentation. This will be identified when files are sampled. If the sampling occurs close to the renewal of a certificate it can lead to products being removed from the certificate or prevent certificate renewal. At best the certificate would be extended for six months until compliance is regained, which will threaten market access in Europe and the other countries where the certificate is used for compliance. It is therefore essential to really understand these issues now and configure your quality system to update files as changes occur so the file remains compliant. And finally, ensure that there are sufficient resources for ongoing maintenance. Note: This blog was based off a recent webinar presented by QServe Group and MasterControl for the Regulatory Affairs Professionals Society (RAPS). You can view the full webinar here.