US healthcare system is heavily controlled both on federal and national level. Medical devices and software are subject to certification against stringent requirements laid down by regulatory agencies. Certification process is time and resource consuming that is why the recent announcement of software Precertification Program by the U.S. Food and Drug Administration (FDA) got a lot of play. How great will be the changes and will they be really business-friendly?
What Is Precertification?
Digital technology is the key driver of transformation and innovation in healthcare – mobile medical apps, wearables and telehealth have already changed a lot the way care is delivered.
Digital health technologies can benefit both patients and care providers as they facilitate making more informed decisions for patients and provide new options for healthcare professionals enabling prevention, early diagnosis, and chronic conditions management both inside and outside hospitals. Medical software and technologies have already proven its advantages in building more efficient practice through managing workflows, facilitating diagnosis and treatment, analyzing medical data and storing and sharing health data.
Digital technologies brought into health care market new participants who create new products – medical devices and software – using new technologies and manufacturing processes. These new technologies allow frequent modifications and updates to make products safer and more effective. At that benefits are accompanied by real threats for consumers – the challenges of cyber security and interoperability with other medical systems and equipment.
The digital products market develops and introduces new technologies fast, that’s why the traditional approaches to medical devices certification with long-term trials and procedures do not suit for software-based medical technologies which demand faster validation and certification for FDA approved software.
According to Digital Health Innovation Action Plan published by FDA, the Digital Health Program established five years ago includes practical policies and approaches towards certain digital health products which is to balance the benefits and risks to patients and accelerate disruption of digital applications and software in healthcare. What has changed?
- FDA shifted its focus on only those mobile medical apps that present higher risk to patients.
- FDA “confirmed the intention to not focus oversight on technologies that receive, transmit, store or display data from medical devices” aka Medical Device Data Systems (MDDS).
- FDA moderated control on products that only promote general wellness.
- FDA outlined its expectations on cyber security.
- In collaboration with other federal agencies FDA published the Food and Drug Administration Safety and Innovation Act (FDASIA) Health IT report proposing a new framework for Health IT.
For the purpose to replace the need for a premarket submission for certain products and allow for decreased submission content and/or faster review of the marketing submission for other products FDA launched a new precertification program. This Software Precertification (Pre-Cert) Pilot Program is aimed at developing a regulatory model “to assess the safety and effectiveness of software technologies without inhibiting patient access to these technologies”. This software precertification pilot program is based on a new approach for a risk-based and accelerated review of digital health products by “looking first at the software developer or digital health technology developer, not the product”.
The goal of the program as stated by the FDA is to create less complicated regulatory oversight to assess organizations which manufacture software as medical device products to ensure they have a culture of quality and organizational excellence allowing manufacturing of high-quality products, establish transparency of organizational excellence and product performance across the entire product lifecycle, establish and use a tailored streamlined premarket review to verify the continued safety, effectiveness, and performance of such software.
Digital Health Software Precertification – How It Started and Who Is in Play
FDA launched the program to pre-certify medical software developers based on their software development, validation and maintenance practices last year. The first version of the program, Pre-Cert 1.0, is limited to manufacturers of software as a medical device (SaMD). Though the agency announced its plan to expand eligibility to developers of software in a medical device (SiMD) and other software that is considered an accessory to hardware-based devices in 2019 based on the insights gained from the 1.0 version of the program.
In September 2017, while developing a software precertification program, FDA selected nine companies to be the first participants of FDA precertification program. The pilot participants, including small startups and large companies, are the representatives of digital health sector which manufacture high- and low-risk medical device software products, medical products and develop medical software. Participants of the pilot program are:
- Johnson & Johnson
- Pear Therapeutics
- Google’s Verily
As a part of the pilot program participants provided access to measures they currently use to develop, test and maintain their software products, including the collection of post-market data. This data were collected to evaluate organizational excellence key performance indicators (KPIs) and measures. FDA staff was also granted access to participants’ sites and provided with information about participants’ quality measurement system.
In June 2018 FDA updated the working model of software precertification pilot program. The vision of the program is to develop “Precertification Program for the assessment of companies that perform high-quality software design and testing”. “Software developers would be assessed by FDA or an accredited third party for the quality of their software design, testing, clinical practices, real-world performance monitoring, and other appropriate capabilities to qualify for a more streamlined premarket review while better leveraging postmarket data collection on the device’s safety and effectiveness”.
According to the working model, the FDA evaluation process is based on five culture of quality and organizational excellence (CQOE) principles:
Product Quality – Demonstration of excellence in the development, testing, and maintenance necessary to deliver SaMD products at the highest level of quality.
Patient Safety – Demonstration of excellence in providing a safe patient experience and emphasizing patient safety as a critical factor in all decisionmaking processes.
Clinical Responsibility – Demonstration of excellence in responsibly conducting clinical evaluation and ensuring that patient-centric issues, including labeling and human factors, are appropriately addressed.
Cybersecurity Responsibility – Demonstration of excellence in protecting cybersecurity and proactively addressing cybersecurity issues through active engagement with stakeholders and peers.
Proactive Culture – Demonstration of excellence in a proactive approach to surveillance, assessment of user needs, and continuous learning.
The Program is divided into four key program components:
- Excellence Appraisal and Precertification (Component 1). This component is to develop the process of precertification and identify process elements necessary to evaluate organizational elements based on objective, observable evidence.
- Review Pathway Determination (Component 2). This component is to develop a risk-based framework so precertified organizations developing SaMD can determine the premarket review pathway for their products.
- Streamlined Premarket Review Process (Component 3). The companies that have successfully gone through excellence appraisal are allowed to apply streamlined premarket review. This refers to the “precertified organizations who have made available to the public, end users, and FDA, key elements of their SaMD, including a robust description of the SaMD, and who have also demonstrated excellence in and showing a capacity for real-world performance analytics”. This components includes determining elements necessary for assuring safety and effectiveness in premarket review, such as a 510(k) Submission Software-related Review Elements.
- Real-World Performance (Component 4). According to FDA’s paper, “this program component is to identify and address expectations for use of real-world performance analytics (RWPA) by both precertified organizations and FDA in the Pre-Cert Program”.
The anticipated benefits of the Program are:
- Enhanced confidence in organizations developing SaMD products
- Improved quality/safety/proactivity to address known and emerging risks
- Timely availability of solutions to patients
- Enhanced regulatory simplicity and experience
- Business simplicity - faster/timely market access
The Market Reaction
The industry reaction is more positive than negative, though there are a lot of questions to be answered. The positive reactions come both from large market players and small ones and startups as the new program is also meant for startups, newcomers, and small companies.
Zach Rothstein, the digital health lead at medical device trade group AdvaMed in his interview for Politico mentioned he was pleased with the implementation timeline and the possibility of “interactive” reviews, which as he suggests might include a company demoing a product in collaboration with reviewers. Mari Savickis, the vice president for federal affairs at CHIME, is content with the inclusion of cybersecurity element, which some level of cybersecurity competence to be shown by a company to be deemed worthy of pre-certification.
The feedback of Healthcare Information and Management Systems Society (HIMMS) specialists on the software pre-cert program was also rather positive, however, they mentioned that the program should also stay focused on patient-centeredness, cybersecurity, efficiency and quality management. The Healthcare IT News gave some details on the letter written by HIMSS North America Board Chair Denise Hines and HIMSS CEO Hal Wolf regarding the FDA precertification program. They mentioned that “precertification program can be valuable for companies with a culture of excellence but with limited experience in medical device manufacture." Hines and Wolf also touched the problem of patient-centeredness, as to their opinion "Demographic pressures of an aging population are driving a shift in healthcare from a paternalistic, diagnosis and treatment-based model to a collaborative, prevention and wellness-based model” They stress on necessity of more participation by individuals in the planning and delivery of their own healthcare.
HIMMS supposes that FDA should "continue to encourage new manufacturers and innovators to enter the medical device marketplace in order to accelerate the availability of affordable devices for patients." The letter says that “recognizing that precertification program can be valuable for companies with a culture of excellence but with limited experience in medical device manufacture” is especially valuable as this allows “companies that deploy and follow recognized quality systems, even those which are not medical device-specific”, to get into medical software market and offer high-quality products. As for cybersecurity element, the HIMMS recommendations was “hat FDA take a "holistic approach to the cybersecurity assessment not just of individual products, but as part of the criteria for a manufacturer’s demonstration of a culture of excellence for their inclusion in the precertification program in the first place”.
Yet, there are contrary opinions. Bradley Merrill Thompson from Epstein Becker & Green suggests that the precertification program may be bad for business. He provided his reasons in the commentary for Mobi Health News. Mr. Thompson suggests that the devil is in details as the proposed program is complex and some details haven’t been revealed by FDA yet.
The key feature of the program is to shift FDA review from focusing exclusively on the product, to focusing primarily on the company and less on the product. I.e. it is supposed that if the company proves that it will reliably produce safe and effective software medical devices, FDA does not need to focus as much on the product itself. The existing medical device companies that make class II or class III medical devices and have received 510(k) clearance or PMA approval for a medical device can apply for precertification but they might not pass the stage of excellence appraisal. Just as those companies operate today, Thompson suggests, “the vast majority of existing medical device companies would not qualify under new standards to participate in the program”.
Post-market decision making section of the program also raised a flag for Thompson as the decisions on whether a product needs to be recalled or a notification sent to customers are quite subjective. The opinions of FDA and companies as to recall and notification decisions often vary a lot, and then again recalls are expensive and deadly for brands. Market performance of a medical device always requires a lot of data and certain context which can be lost in the process of FDA evaluation.
FDA precertification program includes the element of data collection and sharing with FDA and public. FDA will use the collected data to evaluate the proper management of the product during postmarket phase. As Thompson says “If a company doesn’t conduct a recall or other corrective action on its own without being told by the FDA to do so, if the FDA ultimately later concludes that the company should have taken action, the agency can remove the company from the precert program”.
Transparency to the public to gain public confidence is another goal claimed by the agency. This means companies will have to share a much more information about their marketed products with the public and this should be done on the terms stated by FDA, not the company’s terms. And here the Freedom of Information Act takes the stage, i.e. once a document is in FDA’s possession, the agency must share that information publicly unless the information constitutes confidential commercial information or trade secrets.
Moreover the scope of software FDA plans to regulate is not exactly defined.
The agency is not quite clear about low risk clinical decision support software, which earlier was not regulated by FDA. The FDA scope of ability to inspect medical device establishments is also not very clear. For now, the agency’s access to medical device company records is limited by section 704 of the Federal Food, Drug and Cosmetic Act – FDA has access to only those records that are necessary to validate compliance with FDA requirements such as the quality system. The scope of obligations of the company is also not clear enough.
At the moment the continuing obligations are regulated by the part 820 quality system requirements, adverse event reporting, recalls and corrective action reporting and other regulatory requirements. And one more question when the precertification program will be implemented in full and what additional legal grounding it will need?
These questions are to be answered yet. Though if you are going to develop medical software and with an eye to apply for this new precertification program, you have to select a developer with high level of excellence and quality measurement system in place.
Archer Software is a premier software development company, partnering for success with the most dynamic and successful start-ups and enterprises in healthcare domain and developing software products meeting strict requirements of healthcare industry standards. To get more information about our services contact us at email@example.com or managers +1 609 228 5787.