Moses & Singer LLP

INSIGHT: Modernizing the Approach to Regulating Software as a Medical Device

June 10, 2019

By: Linda A. Malek, Jill E. Anderson, and Nora Lawrence Schmitt

Bloomberg Law

The use of software in medicine is growing and presenting unique regulatory challenges for the FDA, which has recently focused increased attention to the special class of Software as a Medical Device. Moses & Singer attorneys examine the agency’s recent actions and give advice for SaMD developers going forward.

The FDA has recently focused increased attention to its regulation of Software as a Medical Device (SaMD), citing a need to adapt its traditional medical device regulatory framework to accommodate the rapidly evolving and highly iterative nature of today’s SaMD market.

In particular, the FDA has emphasized the use of a more holistic, “total product lifecycle” approach to SaMD regulation. To comply with this regulatory approach, 
SaMD developers will need to devote more time and resources to larger operational issues than ever before.

It appears that the FDA is poised to take a step back from its traditional reliance on individual, product-based review and oversight, in favor of a more holistic, streamlined approach in which the quality of the company developing the SaMD is just as important as the quality of the SaMD itself. 

A Modernized Regulatory Framework

In early April, the FDA released a discussion paper focusing on the regulation of software that utilizes adaptive or continuous learning artificial intelligence/machine learning (AI/ML) algorithms. Unlike standard “locked” algorithms, adaptive AI/ML algorithms are programmed to continuously learn from real-world user data and experiences. These ongoing algorithmic changes can significantly impact the intended use, safety, and effectiveness of the SaMD, sometimes beyond the scope of its initial FDA approval.

The FDA has proposed a regulatory framework under which algorithmic changes would be implemented according to pre-specified performance objectives, defined protocols, and validation processes. SaMD developers would be assessed on a “culture of quality and organizational excellence” and an ability to provide “reasonable assurances” of the ongoing safety and effectiveness of the SaMD throughout its lifecycle.

Developers of AI/ML SaMD would have the option to submit a “pre-determined change control plan” during the initial pre-market review process, which would include information regarding the type of modifications the SaMD is likely to undergo during its lifecycle as well as the methods the developer will use to appropriately control the risks of these modifications. Once an AI/ML SaMD is on the market, developers would be expected to perform periodic product updates in accordance with their pre-determined change control plans, as well as transparent, real-world performance monitoring. The FDA is currently soliciting feedback on the proposed regulatory framework. 

Software Precertification Program

The FDA AI/ML discussion paper follows closely on the heels of the January release of the FDA’s new Working Model v1.0 (Working Model 1.0) for its Software Precertification Program. Under the Software Precertification Program, first launched in 2017, companies can apply for “pre-certification,” which, if granted, allows them to bypass the pre-market submission process for lower-risk SaMD products or qualify for a streamlined pre-market review process for higher risk devices.

Working Model 1.0 builds off prior versions of the model and aims to streamline the pre- and post-market review process and generally expedite the SaMD path to market by reducing regulatory burdens. In order to qualify for pre-certification under Working Model 1.0, an applicant company would undergo an Excellence Appraisal in which it must demonstrate a “culture of quality and organizational excellence” assessed in five categories: product quality, patient safety, clinical responsibility, cybersecurity responsibility, and proactive culture (e.g., a proactive approach to surveillance, assessment of user needs, and continuous learning).

Companies that successfully demonstrate these qualities would be eligible for the streamlined pre-market review process, which the FDA envisions as an interactive process that involves evaluating the SaMD’s analytical performance, clinical performance, and appropriate safety measures. SaMDs reviewed under Working Model 1.0 would be required to meet the same statutory standards as SaMDs that have followed the traditional path to market, but the depth of review would vary based on the risk of the product.

Implications for SaMD Developers

In response to FDA developments, SaMD developers should avoid focusing exclusively on product development and consider big picture organizational issues, such as operational transparency, risk management, and responsiveness to user feedback and real-world performance indicators.

For example, developers should ensure their company has written cybersecurity policies and procedures in place, and employees should receive training on how to prevent and respond to cybersecurity incidents. A standard protocol should exist for quickly responding to inquiries by both consumers and regulators and for efficiently distributing information in the wake of developments that potentially affect the use, safety, or efficacy of a product.

SaMD developers should also put functions in place to consistently monitor the safety and effectiveness of their products; plans for responding to technological and algorithmic modifications over time should be built into these functions.

In this modernized regulatory landscape, SaMD developers need to increase focus on creating and maintaining a proactive and fluid “culture of quality and organizational excellence” which adapts throughout the product’s lifecycle.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Linda A. Malek is chair of the Healthcare and Privacy & Cybersecurity practices at Moses & Singer in New York. Jill E. Anderson is a partner in the Healthcare and Privacy & Cybersecurity practices. Nora Lawrence Schmitt is an associate in the Healthcare and Privacy & Cybersecurity practices.

Elizabeth O. Nwabueze, a law clerk with the firm, contributed to this article.


Reproduced with permission. Published June 10, 2019. Copyright 2019 The Bureau of National Affairs, Inc. 800-372- 1033. For further use, please visit http://www.bna.com/copyright-permission-request/

 

© 2019 Moses & Singer LLP. All Rights Reserved.