The ability to collect and leverage data — whether it be from the patient or from the provider — is transforming the medtech industry. Consider companies that once largely developed hardware-based products. Now they provide a more comprehensive view of how patients behave.
All of this creates new compliance challenges. How should medtech companies address them?
Medtech companies should have a team of FDA advisors at the ready to develop and implement pre- and post-market strategies, prevent and resolve pre- or post-market issues and guide lifecycle management, with a keen understanding of how FDA works and how to leverage regulatory mechanisms and pathways to achieve business objectives. Key topics identified for medtech companies include:
1. Use of real-world evidence in regulatory decision making
Real-world evidence (RWE) can be used for a variety of regulatory purposes, including to support bringing new devices to market, to evaluate the safety and effectiveness of existing devices for new uses, and to assess the continued performance and safety of marketed devices. Developers interested in utilizing RWE for regulatory purposes should select appropriate real-world data (RWD) sources based on their suitability to address specific regulatory questions. In particular, developers should consider the relevance and reliability of the sources and their specific elements, as FDA assesses these factors in determining whether the RWD sources can be used to generate evidence that is sufficiently robust for a regulatory purpose.
2. Cybersecurity concerns and laws
Cybersecurity has become an area of increasing FDA scrutiny. In recent years, for example, FDA has issued a number of safety communications related to cybersecurity vulnerabilities. Further, a number of medtech companies have initiated recalls to correct cybersecurity vulnerabilities.
The FDA expects manufacturers to take a total product lifecycle approach to minimize cybersecurity vulnerabilities. Consider the following for developing and maintaining a cybersecurity risk management program:
- Premarket considerations
  - Address cybersecurity during device design and development, including the establishment of design inputs related to cybersecurity and a cybersecurity vulnerability and management approach, as part of software validation and risk analysis.
  - Understand the type of documentation related to cybersecurity to include in a premarket submission to FDA.
- Post-market considerations
  - Implement a comprehensive cybersecurity risk management program to monitor, identify, and promptly address cybersecurity vulnerabilities and exploits.
  - Understand whether changes to medical devices for cybersecurity vulnerabilities require reporting to FDA.
3. Regulation and Categorization of Digital Health Products
With the generation of repositories of data comes potential opportunities for the development of new stand-alone digital health products. A threshold question for digital health product developers is whether such products are actively regulated by FDA. Digital health products fall into one of three regulatory categories:
- Not a medical device: Many digital health products do not meet the statutory definition of a “device” and, therefore, are not regulated by FDA. This includes, for example, certain types of clinical decision support (CDS) software.
- Enforcement discretion: FDA has established a number of “enforcement discretion” policies, whereby FDA chooses not to actively enforce regulatory requirements applicable to medical devices. For example, FDA exercises enforcement discretion for a number of mobile medical applications that it views to be low-risk.
- Actively regulated medical devices: Though FDA continues to explore other potential approaches, it generally applies the traditional framework for regulation of medical devices to all other digital health products.
An understanding of these categories is essential, as digital health products marketed without the requisite FDA marketing authorization may be, and have been, the subject of not only administrative action but also removal from distribution.
4. Unique Regulatory Concerns of AI/ML-Based Medical Devices
The FDA has stated on multiple occasions that the traditional paradigm of medical device regulation was not designed for adaptive AI/ML-based technologies, and it continues to consider multiple aspects of the regulatory framework for these technologies, including the following:
- Transparency of AI/ML-based devices
- Good ML practices
- Modifications to FDA-cleared AI/ML-based devices
Companies developing and marketing AI/ML-based devices should stay aware of FDA’s guidance on such technologies.
5. Nimble Adoption and Tracking of FDA Guidance
Stay aware of guidance relating to:
- Clinical Decision Support Software (Final Guidance; September 2022)
- Content of Premarket Submissions for Device Software Functions (Draft Guidance; November 2021)
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Draft Guidance; April 2022)
- Risk Categorization for Software as a Medical Device: FDA Interpretation, Policy, and Considerations (Draft Guidance; anticipated)
- Marketing Submission Recommendations for a Change Control Plan for AI/ML-Enabled Device Software Functions (Draft Guidance; anticipated)