FDA Software Precertification Program: Fast Track to Regulating “Software as a Medical Device?”

October 24, 2017 by Kimberly C. Metzger, Partner

In July, the Food and Drug Administration (FDA) announced its innovative Software Precertification Pilot Program (#FDAPreCert on social media) to evaluate a more efficient, risk-based approach to regulating digital health technology (DHT). The program is limited to software as a medical device (SaMD), software that performs its intended medical purpose independently of a hardware medical device. This is not to be confused with software in a medical device (SiMD, software embedded in a medical device) or medical device data systems (MDDS, technologies that receive, transmit, store, or display data from medical devices). The pilot will test precertification of a limited pool of SaMD developers with a demonstrated record of high-quality software design and testing.
 
The Software Precertification Pilot Program is a component of FDA’s Digital Health Innovation Action Plan, the agency’s efforts to “reimagine” an approach for ensuring all health care customers have timely access to high-quality, safe, and effective DHT products. FDA recognizes its traditional regulatory track for moderate- to higher-risk, hardware-based medical devices is not sufficiently agile to allow software iterations and changes to occur in a timely fashion. The agency seeks a “modern and tailored” approach to foster innovation and access without sacrificing quality, safety, or efficacy.
 
As currently envisioned, the Software Precertification Pilot Program will offer a voluntary pathway for a more streamlined and efficient regulatory review of SaMD products from manufacturers with a robust culture of quality and organizational excellence. At the outset, the pilot will look like this:
 
  • Composed of three key components: precertification, streamlined pre-market review, and FDA access to post-market data.
  • Framework for developing SaMD regulatory policies based on International Medical Device Regulators Forum (IMDRF) guidance documents.
  • Multiple precertification levels. For example, Level 1 = developers with a robust quality system but little or no demonstrated health care experience; Level 2 = developers with both a robust quality system and demonstrated health care experience.
  • Precertification based on the FDA evaluation of five key principles defining a Culture of Quality and Organizational Excellence (CQOE): patient safety, product quality, clinical responsibility, cybersecurity responsibility, and proactive culture.
  • Risk associated with the SaMD will be categorized as Level I-IV according to two criteria: severity of health care situation or condition (e.g., critical, serious, non-serious) and significance of information provided by SaMD (e.g., treat or diagnose, drive clinical management, inform clinical management).

How will the Software Precertification Pilot Program advance the ball? FDA will use the pilot to engineer a new approach to SaMD regulation that focuses on the developer rather than the product. Working with a small group of volunteer participants, FDA will develop a CQOE collection plan, collect CQOE data from participants, consolidate CQOE measures, update CQOE/Key Performance Indicators, determine the participants’ precertification status, develop a product review plan (e.g., risk-categorize the product and develop a post-market data collection plan), and review the product prototype. During participant debriefing, FDA will develop lessons learned and refine CQOE measures and the product review pathway. The pilot will also explore using external software development standards to reduce the premarket documentation burden. The goal is to allow precertification to either take the place of traditional premarket review or to significantly streamline the process for approved developers. FDA may also explore establishing a third-party precertification program that will further expand consumer access and conserve agency resources for higher-risk products and technologies.
 
FDA sought up to nine pilot participants meeting the following criteria:
 
  • Developing, or planning to develop, a SaMD product;
  • Demonstrating a track record for developing, testing, and maintaining software products within a “culture of quality and organizational excellence” measured and tracked by Key Performance Indicators or similar measures;
  • Committing, during the pilot, to providing access to KPIs or similar measures; collecting and providing real-world performance data; being available for site visits and real-time consultations with FDA; and providing information about the developer’s quality management system.

More than 100 SaMD developers applied, and FDA selected nine to participate in the pilot: Apple, Fitbit, Johnson & Johnson, Pear Therapeutics, Phosphorus, Roche, Samsung, Tidepool, and Verily. FDA sought a “range of perspectives on digital health technology development” and considered such criteria as size, demonstrated record of excellence, clinical focus area, and risk profile of product under consideration.
 
There have been significant criticisms of the Software Precertification Pilot Program, most notably that device compatibility and interoperability will suffer, vulnerabilities will remain unknown, and the "rush" will result in healthcare risks. One potential solution under discussion is an independent cyber-validation program. FDA plans a webinar in January 2018 to discuss preliminary results.

For more information, contact Kim Metzger or another member of our Data Security and Privacy Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


