Evolving Guidance for FDA Medical Device Approval Process
Medtech has been evolving fast over the past several years, fueled largely by better connectivity, smaller batteries, and healthcare organizations’ desire to lower costs. The pandemic also accelerated demand, as the need for remote monitoring of patients increased. This rapid pace of change has prompted evolving guidance for the FDA Medical Device approval process.
Today, software, not just hardware, plays a key role in the medtech landscape, such as the software that performs image post-processing to help detect breast cancer or the app that allows a doctor to view MRIs for diagnostic purposes. These are examples of Software as a Medical Device (SaMD), defined as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”
SaMD is different than software in a medical device (SiMD) or software used to manufacture a medical device.
Digital therapeutics (DTx) fall under the SaMD FDA umbrella and are a growing market, estimated to hit $7.1 billion globally by 2025. Digital therapeutics are evidence-based, portable products that deliver medical interventions and therapies to patients at home and often require a doctor’s prescription. They treat a host of chronic diseases — from diabetes and hypertension to mental health disorders — by collecting and analyzing health data via artificial intelligence (AI) and machine learning (ML). The information they collect helps provide guidance to change patient behaviors.
The impact of SaMD on patient care and engagement is huge. But the interconnectivity of these software-driven devices also poses risks in cybersecurity. In addition, software updates as well as the ability of ML to learn and adapt can potentially affect product safety and effectiveness.
To foster continued innovation in digital health technologies while also ensuring product safety, the FDA has created pre- and post-market guidance to help companies meet regulations, also known as Quality System Requirements (QSRs).
As the FDA medical device guidance continues to be updated in key areas, are your regulatory and engineering teams prepared to navigate the FDA medical device approval process?
FDA Regulatory Pathway for DTx Products
Based on the digital therapeutic product’s intended use and level of risk, each device is currently subject to varying degrees of oversight. This could range from full 510(k) clearance by the FDA’s Center for Devices and Radiological Health (CDRH) division to enforcement discretion.
Medtech companies who plan to market a DTx device first need to determine what class it falls into. There are three FDA regulatory classes of medical devices:
Class I: Low risk, such as software that displays readings from a continuous glucose monitor
Class II: Moderate risk, such as software tools that analyze medical images
Class III: High risk, products that support or sustain life, like pacemakers
Next, companies must determine the level to which they are subject. Most class I and some class II devices are exempt from review if they are similar to other products already cleared by the FDA.
However, companies of DTx products that fall under class II will likely have to submit a 510(k) if they are:
- Introducing a device into commercial distribution for the first time that is “substantially equivalent” to an existing device on the market.
- Changing or modifying a device the FDA states could significantly affect its safety or effectiveness. For example, a manufacturer who changes the design of the device or modifies the software to an existing device might need to submit a new 510(k), depending on the impact of those changes.
You can find out more from the FDA on when to submit a 510(k) and when a new 510(k) is required for modifications to a device.
In cases where a low- to moderate-risk product is new (novel) and therefore not similar to other FDA-cleared products on the market, manufacturers may be able to submit a De Novo classification request. For example, in 2020, the FDA cleared the first game-based DTx for children with attention deficit hyperactivity disorder (ADHD) through the De Novo preview market pathway.
For Class III devices, companies will have to submit a Premarket Approval application.
The FDA has relaxed regulatory requirements during the pandemic for some DTx products, such as computerized behavior therapy (CBT) devices, where a 510(k) submission is not required. The new policy governs digital health devices for treating psychiatric orders only and is still in effect.
Guidance from the Digital Health Center of Excellence
The FDA founded the Digital Health Center of Excellence (DHCoE) in September 2020 to foster the rapid development and review of responsible, high-quality digital health technologies. Based in the CDRH, it provides a comprehensive approach to regulatory oversight of digital health technology across the FDA by setting priorities, launching initiatives, and empowering stakeholders through partnerships and knowledge sharing.
The DHCoE provides services in a number of areas, including digital health policy, AI/ML, medical device cybersecurity, regulatory review support and coordination, advanced manufacturing, and real-world evidence and clinical studies.
For SaMD developers, the DHCoE is involved in three items of particular interest:
- Overhaul of Premarket Submissions for SaMD and SiMD
The FDA is replacing its 2005 guidance that regulates device software functions — both SaMD and SiMD — so that it aligns with current standards and best practices. The FDA released a draft of this guidance in November 2021 and is taking comments through Feb. 2. 2022. The FDA expects to deliver final guidance no later than 12 months after the close of the public comment period.
2. AI/ML-Based SaMD Action Plan
Published in January 2021, the AI/ML-Based SaMD Action Plan is based on stakeholder feedback the FDA received on a 2019 discussion paper that described the agency’s potential approach to premarket review for AI and ML-driven software modifications.
The plan presents five primary actions the FDA will take:
- Update the proposed framework for AI/ML-based SaMD outlined in the 2019 discussion paper
- Encourage AI/ML best practices
- Hold a public workshop on how FDA medical device labeling supports transparency for users and enhances trust in AI/ML devices
- Support regulatory science efforts to develop methodology for the evaluation and improvement of ML algorithms
- Work with stakeholders to pilot real-world performance monitoring of AI/ML-based SaMD
The FDA expects the action plan will continue to evolve but does not provide any dates on when these actions would take place.
3. Software Precertification (Pre-Cert) Program
The DHCoE is developing a working model for the Pre-Cert Program, which the FDA created in 2019 to fast-track software-based medical devices to market by removing regulatory hurdles. The program has a unique approach: it would pre-certify the manufacturer or developer of a device rather than the device itself.
To be eligible, companies would not only have to demonstrate a culture of quality and organizational excellence, but also continuously monitor real-world performance of their products once those hit the market.
The FDA launched a Pre-Cert pilot with Fitbit, Apple, Johnson & Johnson, Roche and five other companies. The goal of the pilot is to help the FDA evaluate the model on which to establish the program. The pilot is ongoing.
Most recently, the FDA published an update on the program in September 2020. The program is still in the testing phase and will need congressional approval to move forward.
Software Bill of Materials (SBOM)
The FDA has discussed the concept of a software bill of materials (SBOM) for some time, but an executive order (EO) signed by President Biden in May 2021 to improve the nation’s cybersecurity posture moved the concept closer to reality.
The FDA SBOM is a machine-readable inventory of a device’s third-party software components, including (but not limited to) commercial, open source or off-the-shelf software. The federal government views SBOMs as key to enhancing software supply chain security. The EO specifically cites as concerning the lack of transparency in the development of commercial software and its lack of adequate controls to prevent cyberattacks.
In the case of medical devices or SaMD, an FDA SBOM in premarket submissions would demonstrate the device can be updated and patched. Post-market, an SBOM would allow a healthcare provider to know which of their medical devices are vulnerable, assess risk, and take measures to mitigate that risk in a timely fashion.
The National Telecommunications and Information Administration (NTIA) under the Department of Commerce is heading up the SBOM effort. In July 2021, it released a report on the minimum elements needed for an SBOM: data fields, automation support, and practices and processes.
The FDA does not currently mandate an SBOM as part of premarket submissions. However, in its Premarket Cybersecurity Guidance draft from 2018, the agency does recommend that manufacturers include it (albeit referred to as Cyber Bill of Materials), depending on a device’s cybersecurity risk.
Cybersecurity FDA Advice
Biden’s EO may have generated a great deal of discussion about an SBOM, but it’s for good reason. Medical devices have an average of 6.2 vulnerabilities each, according to Open Source Cybersecurity Intelligence Network and Resource (OSCINR).
Cybersecurity risks can potentially impact the lives of patients. For example, the FDA alerted healthcare providers to discontinue use of an infusion pump that could allegedly be exploited via a healthcare provider’s Ethernet or wireless network and deliver the wrong dose to a patient.
The agency also issued recalls of almost half a million pacemakers when the medical device manufacturer did not address cybersecurity flaws that could potentially harm patients.
However, it is a myth that the FDA tests medical devices for cybersecurity or validates updates. Rather, it is the responsibility of medical device manufacturers to comply with federal regulations to manage cybersecurity in their devices and therefore protect public health.
The 2018 premarket guidance mentioned previously regarding SBOMs would update cybersecurity FDA guidance, but it is still in draft form. Both the 2014 premarket guidance and the 2016 post-market guidance for cybersecurity management still stand.
In summary, the complexities of medtech evolve and with them, FDA medical device guidance and recommendations. To make sure you are keeping up, reach out to the Advantu Risk Mitigation team of FDA experts to discuss your upcoming medtech projects. We keep up with all the latest requirements so you have the peace of mind that your medical devices will be delivered to the market with the quality that your customers know and trust.