Computer and Software Devices

Medical Devices Update 2008, Issue 3 With Permission from FDLI, www.fdli.org Computer and Software Devices FDA Seeks Framework for Regulation by M. Elizabeth Bierman and Michele L. Buenafe T he Food and Drug Administration (FDA) recently issued a proposed rule to down-classify computer and software-based products involved in the transmission, storage and display of electronic data from medical devices.1 But don’t let the “down-classification” language fool you. By its own admission, FDA has not been actively regulating these products,2 and is now seeking to bring these computer/software devices into its regulatory fold. If the proposed rule is finalized, certain telehealth and other computer/software products would become Class I medical devices, requiring manufacturers of such products to ensure compliance with FDA’s device regulations. Potentially dozens of new manufacturers will be added to FDA’s registration and listing databases as a result of this rulemaking. On the upside, the proposed classification, which FDA is calling Medical Device Data Systems or MDDS, may bring Ms. Bierman is a Partner with the law firm of Morgan, Lewis & Bockius, LLP, Washington, DC. much needed clarity and uniformity to the regulation of telehealth and other medical device data communication products. The proposed MDDS rule appears to be an initial step by FDA to create a new framework for regulation of computer and software devices, almost two decades after the agency first sought to regulate these products. While the agency has long considered many computer and software products to be subject to medical device regulation, FDA has failed to keep its policies and guidances current with the raging pace of technology. During these nearly 20 years, there has been tremendous growth in the use of computer and software-based devices in response to both improved technology and the need to lower healthcare costs. Examples include: ■ Communication devices that relay real-time, physiological information for hospital patients to nurses, allowing fewer nurses to be assigned to a floor. Ms. Buenafe is an Associate with the law firm of Morgan, Lewis & Bockius, LLP, Washington, DC. 8 Update May/June 2008 www.fdli.org Medical Devices ■ Home-use data transmission devices that allow patients to take their own vital signs and electronically transmit them to their physicians, thus reducing the need for doctor visits and hospital stays. ■ Advanced network communications used by physicians to collaborate and electronically share medical data with specialists at other locations, allowing for more efficient use of resources across different clinics. As a result of these and other technological developments, numerous questions have arisen regarding the regulation of computer- and software-based devices. However, FDA has lapsed in its obligation to both regulate and guide industry in this area. It is expected that the MDDS proposal, which is aimed at the simplest and lowest risk devices in the category, will be the first of multiple rulemakings. Subsequent rulemakings may address more complex devices, such as software programs with algorithms to analyze medical device data and assist physicians with diagnostic decisions, and remote monitoring systems with alarm functions to alert healthcare providers of patient emergencies. This article discusses the scope of the proposed Medical Device Data System classification, FDA’s historical regulation of computer/ software devices, and the implications of the proposed rule for manufacturers of telehealth and hospital IT systems not traditionally regulated by FDA. altering the function or parameters of any of the connected devices.3 This includes systems that maintain medical device data in its original format, or convert the data to another format in accordance with preset specifications (e.g., convert data to printable format).4 The proposed classification does not include devices that 1) alter the function or parameters of the connected devices; 2) are intended for real-time, active or proposed rule is finalized, MDDS devices will be down-classified to Class I, the lowest level of device regulation, and FDA will cease its practice of enforcement discretion for MDDS manufacturers.8 At that time, manufacturers of MDDS devices will need to comply with FDA’s Class I medical device requirements, including 1) establishment registration and device listing; 2) good manufacturing practices, as set forth in It is expected that the MDDS proposal, which is aimed at the simplest and lowest risk devices in the category, will be first of multiple rulemakings. Scope of Proposed MDDS Rule The proposed rule would classify as Class I those systems and networks that electronically transmit, transfer, store, retrieve or display data from medical devices (e.g., glucose meters, blood pressure devices, pulse oximeters) without FDLI online patient monitoring; 3) display, create or detect alarm conditions, or sound an alarm; or 4) have diagnostic or clinical decision-making functions.5 The approach proposed by the agency appears to be modeled after FDA’s classification of medical image management devices, where FDA classified devices for image storage and communication as Class I devices, but classified medical image digitizers, medical image hardcopy devices, and PACS systems as Class II.6 However, Medical Device Data Systems sweep across a broader array of data communication products than the prior medical image classifications. Although MDDS products currently are considered, by default, Class III medical devices (the highest level of device regulation), FDA states that it has not enforced the Class III requirements against MDDS manufacturers under a policy of enforcement discretion.7 If the the quality systems regulation (QSR); and 3) medical device reporting. Manufacturers also will need to obtain 510(k) premarket clearance from FDA for those MDDS products that are intended for use by lay persons (i.e., anyone who is not a healthcare professional), or perform irreversible data compression.9 FDA’s Historical Regulation of “Computer Products” The proposed MDDS classification appears to be the first step by FDA to revitalize its efforts to establish a clear regulatory framework for computer and software products that meet the definition of a “medical device” under the Federal Food, Drug and Cosmetic Act. The agency has long struggled with how to appropriately apply its medical device regulatory requirements to these types of products. FDA first issued regulatory May/June 2008 Update  Medical Devices guidance on computer products in 1989 in the form of a draft policy statement intended to advise how FDA “will determine whether a computer product is a medical device and if so how FDA will regulate it.”10 Although later withdrawn by the agency, this policy has been used to guide industry actions for nearly 20 years. As a first principle, the draft policy established that computer- or softwarebased components, parts, or accessories of any “parent device” will have the same product classification as the parent device. For stand-alone computer- or software-based products, the guidance set forth the following principles: ■ Computer products intended for use as traditional “library” functions such as storage, retrieval, and dissemination of medical information, regulation are not subject to FDA device regulations and authorities. ■ Computer products intended only for use as general accounting or communications functions, or intended solely for educational purposes, are not subject to FDA device regulations and authorities. ■ “Manufacturers of computer products (e.g., “expert” or “knowledge based” systems, artificial intelligence and other types of decision support systems) that are intended to involve competent human intervention before any impact on human health occurs (e.g., where clinical judgment and experience can be used to check and interpret a system’s output),” are considered manufacturers of medical devices, but will be exempt from FDA registration, listing, premarket notification and approval, and compliance with the Medical Device Reporting and GMP regulations.11 The agency also held a workshop on 20 the regulation of medical software in September 1996,12 following controversy surrounding a low-risk calculation software product that FDA initially had deemed a Class III device requiring a premarket approval application (PMA).13 As a result of this workshop, the agency issued a document that provided further guidance on those devices that are exempt from active medical device regulation because they involve “competent human intervention.” Specifically, this document stated: For software which simply automates a complex calculation, competent human intervention can be achieved by providing the algorithm to the user to allow for manual verification or challenge of the software results. … In general, to permit competent human intervention, the software decision process must be completely clear to the user, with a reasonable opportunity for challenging the results. There also must be adequate time for reflection on the results. For example, surgery or intensive care may not be settings wherein there is adequate time to challenge the results of decision support software.14 While the recently issued proposed rule does not address the decision support software programs described in FDA’s 1989 draft policy and 1996 workshop, these prior informal guidance documents foretell the positions FDA likely will take in future rulemakings on computer/software products. Bringing Uniformity to Telehealth Regulation? FDA’s failure to establish a clear regulatory framework for computer and software products over the past 20 years has led to significant complaints about the uneven competitive playing field for manufacturers of so-called “telehealth” and other basic remote monitoring sys- tems. A vast selection of such products is currently available, and the degree of FDA compliance for telehealth companies is as varied as the products they manufacture and market. For example, the more diligent telehealth companies may hold cleared 510(k)s for their products while, at the opposite end of the spectrum, some companies are not even aware that their products are subject to FDA’s medical device authority. Enforcement by the agency is similarly inconsistent. Although FDA states that it has been exercising enforcement discretion for MDDS manufacturers, at least a few companies have been caught up in sporadic enforcement episodes over the years. Those companies that strive to meet their regulatory obligations and avoid potential enforcement action often face frustration with competitors who are unrestrained by the burdens and expense of FDA compliance. The proposed MDDS rule may now level the playing field and also provide clarity for the regulation of telehealth products. The regulatory path and status for many of these products is currently unclear. For example, companies may try to fit their products into existing product classifications that were not intended for them, or try to market as device accessories or components and follow the regulatory pathway of the “parent” medical devices they are used with or connected to. A finalized MDDS classification will allow many telehealth manufacturers to market their products with certainty concerning their regulatory obligations. Uncertainties will remain, however, for those telehealth devices that fall outside the definition of Medical Device Data Systems. The proposed MDDS rule would cover only the simplest systems www.fdli.org Update May/June 2008 Medical Devices that handle medical device data, and would exclude those with any analytical functioning, such as alarms or decisionmaking algorithms. Until FDA initiates further rulemaking to clarify the regulatory status of these devices, many telehealth manufacturers will continue to face an uneven playing field. Is FDA Ready to Regulate IT? Although FDA’s intent with this first rulemaking is to address the simplest and lowest risk medical device data products, even this first proposal raises a number of complex issues. While the MDDS requirements may be straightforwardly applied to “closed-loop” systems, where data are transmitted directly from a medical device to a PC or other display system for physician review, the classification becomes more difficult to apply where medical device data are transmitted and stored across an extensive network that includes many other types of data. A hospital information system, for example, may transmit, store and retrieve medical device data in addition to administrative, financial, inventory, clinical, laboratory and other data. If FDA considers these broader networks and systems to be within the definition of Medical Device Data Systems, a number of practical difficulties may arise. First, both the agency and industry members will face tough jurisdictional questions on who qualifies as an MDDS manufacturer for network components installed in healthcare facilities. For example, will an IT company selling network products to hospitals and other healthcare facilities be considered a regulated MDDS device manufacturer? What if the IT company knows that the network may be used to store, transmit or retrieve FDLI medical device data? Will hospitals be considered MDDS device manufacturers if they assemble a network from off-the-shelf IT products that connects to and transmits data from medical devices? In addition, it may be difficult to determine who is responsible for ensuring that data are accurately transmitted, stored, retrieved and viewed. Hospital networks are often a patchwork of components from many different vendors, and, from a regulatory standpoint, it is unclear who holds the responsibility for ensuring all of these components work together to assure the integrity of data that pass through the system. Should the burden of validation fall on IT companies, or the manufacturers of medical devices (e.g., EKG monitoring machines) that transmit data to the network? And, if IT companies and other nontraditional device companies come under FDA’s regulatory umbrella through the proposed MDDS rule, these companies will face difficulties instituting the procedures and controls necessary to comply with medical device regulations. While FDA states that it believes most MDDS manufacturers already have quality systems in place and will be able to conform these systems to meet QSR requirements,15 FDA does not appear to have considered the difficulties non-traditional device companies will face in implementing appropriate complaint-handling and medical device reporting (MDR) systems. IT companies may receive hundreds, or even thousands, of complaints a day, many of which are unrelated to the use of their products for medical device data storage or transmission. These companies will have to institute controls to filter through these complaint reports, determine which relate to the MDDS use of their products, and then determine which require the submission of medical device reports to FDA. Conclusion In summary, the proposed MDDS classification raises many complicated issues that the agency should address before issuing a final rule. FDA’s initiation of a rulemaking for Medical Device Data Systems is a welcome and important first step in bringing improved clarity and consistency to the regulation of computer and software products. Many, more complex issues will need to be addressed, however, as the agency moves beyond these basic devices and proceeds to consider higher risk products. FDLI 1 Devices: General Hospital and Personal Use Devices; Reclassification of Medical Device Data System, 73 Fed. Reg. 7498 (proposed Feb. 8, 2008) (to be codified at 21 C.F.R. pt. 880). Id. at 7501. Id. at 7503. Id. Id. See FDA, Guidance for the Submission of Premarket Notifications for Medical Image Management Devices, 6-8 (July 7, 2000). See also 21 C.F.R. §§ 892.2010, 892.2020, 892.2030, 892.2040, 892.2050. 73 Fed. Reg. at 7501. Id. Id. at 7503. FDA Policy for the Regulation of Computer Products (Draft), Nov. 13, 1989, available at http://www. fda.gov/cdrh/ode/351.pdf Id. M-D-D-I Reports (“The Gray Sheet”), Dec. 23, 1996, at I&W-4-5. The manufacturer filed a PMA for the software product at FDA’s instruction, because the product was considered an accessory to an alpha-fetoprotein or “AFP” assay, a Class III device. However, when the PMA was presented to an outside advisory panel for review, the panel questioned why this relatively low risk software product—described as a calculator—was considered a Class III device. Ultimately, FDA classified the product as a calculator (a Class II device), and, upon the manufacturer’s submission of a 510(k), cleared the device for marketing. See K953652 (filed by Base Ten Systems, Inc.) (calculator/data processing module, for clinical use). Food and Drug Administration, FDA Software Policy Workshop (Sept. 1996). 73 Fed. Reg. at 7502. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 May/June 2008 Update 2