HIMSS weighs in on FDA software pre-cert program

As the agency considers a lighter touch for regulating iterative versions of software-as-a-medical device, it should also stay focused on patient-centeredness, cybersecurity and more, HIMSS says.
By Mike Miliard
03:55 PM

The FDA's software precertification program aims to take a new approach to regulation for a health technology space that's evolving at dizzying speed. It's meant to offer a voluntary pathway that can keep tabs on the safety and efficacy of new software and devices without stifling innovation or hindering patient access.

For vendors that have demonstrated an ongoing "culture of quality and organizational excellence," FDA is exploring ways to take a lighter regulatory approach toward mobile apps meant to treat, diagnose, cure, mitigate or prevent disease – technology it calls software as a medical device, or SaMD.

FDA realizes that its traditional way of regulating hardware-based devices is at odds with the "faster, iterative design, development and type of validation" used for SaMD, according to the agency.

"Unlike manufacturers of hardware devices who modify their products every few months to years, developers of SaMD modify their products in response to real world performance and user feedback every few weeks to months," according to FDA. "An agile regulatory paradigm is necessary to accommodate the faster rate of development and potential for innovation in software-based products."

[UPDATE: FDA's second draft shows Pre-Cert is coming along, still has a ways to go]

So, as part of its Software Precertification Pilot Program, FDA is looking to develop a trust-based approach to regulation for those vendors that have shown that they embrace a culture of safety and accountability.

For instance, "employing the pre-cert approach to AI may allow a firm to make certain minor changes to its devices without having to make submissions each time," said FDA Commissioner Scott Gottlieb, MD, in a speech this past month. "And, we’ll make sure that other aspects of our regulatory framework, such as new software validation tools, are sufficiently flexible to keep pace with the unique attributes of this rapidly advancing field."

FDA has designed the pre-cert pilot program to be an "iterative, collaborative experience," he added – noting that continual industry feedback is "key to its success."

This week, HIMSS North America Board Chair Denise Hines and HIMSS CEO Hal Wolf wrote Gottlieb a letter offering their feedback on the software pre-cert program. HIMSS supports a new, modernized approach to SaMD regulation, but asked FDA to keep a few big things in mind as the new framework evolves.

Patient-centeredness

"We encourage FDA to recognize and support the changing nature of healthcare delivery when considering evolving regulatory schemes," wrote Hines and Wolf. "Demographic pressures of an aging population are driving a shift in healthcare from a paternalistic, diagnosis and treatment-based model to a collaborative, prevention and wellness-based model. We encourage FDA to recognize that this change requires more participation by individuals in the planning and delivery of their own healthcare. And that all medical devices, whether SaMD or hardware-based will ultimately be used by, on behalf of, or along with patients themselves."

They asked FDA to assess manufacturers' ability to show commitment to "patient-centered design principles, patient access to data collected or generated by the device and ongoing support for patients using these devices."

Clarity and efficiency

FDA should "continue to encourage new manufacturers and innovators to enter the medical device marketplace in order to accelerate the availability of affordable devices for patients," according to HIMSS. But the letter raised concerns that the proposed regulatory framework – "two certification levels for organizations, certification at the business-unit level, and nine different risk profiles for devices" – suggests an approval process of "sufficient complexity that new market entrants or those comfortable with existing pathways may forego applying for certification entirely."

The letter also suggested that FDA "should also avoid attempting to establish product-specific requirements under the precertification program. Given the pace of innovation in health IT, product-specific requirements would be time-intensive to create and prone to falling out of step with advancing technology."

Quality management

"HIMSS applauds FDA for recognizing that the precertification program can be valuable for companies with a culture of excellence but with limited experience in medical device manufacture," wrote Hines and Wolf. "As part of this recognition, we encourage FDA to look positively upon companies that deploy and follow recognized quality systems, even those which are not medical device-specific. These can include companies with ISO 9000-3-based systems or organizations following ISO/IEC 25010-based systems, both specifically designed to support quality software development."

They also recommended that the agency "consider favorably companies that have relied on their quality systems when presented with negative events to demonstrate their commitment to determining root causes and instituting change based on these investigations."

Cybersecurity

HIMSS suggested that FDA separate health and medical risk determination and cybersecurity assessments. For the pre-cert program, "the medical risk of the intended use of the device should be the sole element considered for eligibility of a particular product to follow the accelerated pathway to market." The letter recommends that FDA take a "holistic approach to the cybersecurity assessment not just of individual products, but as part of the criteria for a manufacturer’s demonstration of a culture of excellence for their inclusion in the precertification program in the first place."

After all, Hines and Wolf point out, "even low-risk products can be compromised and misused in ways that elevate their overall risk. Strong security requires more than just the implementation of certain features in a particular product and begins with product conception and design and continues through surveillance and updates once a product is delivered to the end-user. These are organizational characteristics that a manufacturer must possess at all levels, and a strong culture of excellence in this area should lead to meaningful risk assessment and mitigation within individual products."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
