The ability to collect and utilize data – whether from the patient or from the provider – is transforming the medical industry. Consider companies that once largely developed hardware-based products. Now they provide a more comprehensive picture of how patients behave.
All this creates new compliance challenges. How should they deal with them?
Medtech companies should have a team of FDA advisors ready to develop and implement pre- and post-market strategies, prevent and resolve pre- or post-market issues, and guide lifecycle management with a deep understanding of how the FDA works and how one utilizes regulatory mechanisms and pathways to achieve business goals. Key topics identified for medtech companies include:
1. Using real-world evidence in regulatory decision-making
Real-world evidence (RWE) can be used for a number of regulatory purposes, including to support bringing new devices to market, to evaluate the safety and efficacy of existing devices for new uses, and to assess the continued performance and safety of marketed units. Developers interested in using RWE for regulatory purposes should select appropriate sources of real-world data (RWD) based on their suitability to address specific regulatory issues. In particular, developers should consider relevance and reliability of the sources and their specific elements, as FDA evaluates these factors to determine whether the RWD sources can be used to generate evidence sufficiently robust for a regulatory purpose.
2. Cyber Security Issues and Laws
Cybersecurity has become an area of increasing FDA scrutiny. In recent years, for example, the FDA has issued a number of security notices related to cybersecurity vulnerabilities. Additionally, a number of medtech companies have initiated recalls to fix cybersecurity vulnerabilities.
The FDA expects manufacturers to take a total product lifecycle approach to minimize cybersecurity vulnerabilities. To develop and maintain a cybersecurity risk management program, consider the following:
- Premarket considerations
  - Address cybersecurity during device design and development, including establishing design input related to cybersecurity and a cybersecurity vulnerability and management approach, as part of software validation and risk analysis.
  - Understand the type of documentation related to cybersecurity that must be included in a premarket submission to the FDA.
- Post-market considerations
  - Implement a comprehensive cybersecurity risk management program to monitor, identify, and promptly address cybersecurity vulnerabilities and exploits.
  - Understand whether medical device modifications for cybersecurity vulnerabilities require reporting to the FDA.
3. Regulation and categorization of digital health products
With the generation of data repositories comes potential opportunities for the development of new independent digital health products. A threshold question for developers of digital health products is whether such products are actively regulated by the FDA. Digital health products fall into one of three regulatory categories:
- Not a medical device: Many digital health products do not meet the statutory definition of a “device” and are therefore not regulated by the FDA. This includes, for example, certain types of clinical decision support (CDS) software.
- Enforcement discretion: The FDA has established a number of “enforcement discretion” policies under which it chooses not to actively enforce regulatory requirements applicable to medical devices. For example, the FDA exercises enforcement discretion for a number of mobile medical applications that it considers to be low risk.
- Actively regulated medical devices: Although the FDA continues to explore other potential approaches, it generally applies the traditional medical device regulatory framework to all other digital health products.
An understanding of these categories is critical, as digital health products marketed without the necessary FDA marketing authorization can be and have been subject not only to administrative actions, but also to removal from distribution.
4. Unique regulatory concerns for AI/ML-based medical devices
The FDA has stated on several occasions that the traditional paradigm of medical device regulation was not designed for adaptive AI/ML-based technologies, and it continues to consider several aspects of the regulatory framework for these technologies, including the following:
- Transparency of AI/ML-based devices
- Good ML practice
- Changes to FDA-approved AI/ML-based devices
Companies developing and marketing AI/ML-based devices should be aware of the FDA’s guidance on such technologies.
5. Easy adoption and tracking of FDA guidance
Pay attention to guidance regarding:
- Clinical Decision Support Software (Final Guidance; September 2022)
- Content of Premarket Submissions for Device Software Features (Draft Guidance; November 2021)
- Cybersecurity in medical devices: quality system considerations and content of premarket submissions (draft guidance; April 2022)
- Risk Categorization for Software as Medical Devices: FDA Interpretation, Policy, and Considerations (Draft Guidance; Expected)
- Marketing Submission Recommendations for a Change Control Plan for AI/ML-Enabled Device Software Features (Draft Guidance; Expected)