The FDA continues to move at a fast pace to develop and, soon, implement its pre-certification program for medical software development. Yesterday the agency released a second draft of its Pre-Cert framework, incorporating some of the comments it received about the April first draft and seeking additional comments on other parts of the framework.
The basic goal of the Pre-Cert program, which sets it apart from previous FDA regulatory ventures, is that it will focus not on particular products but on firms and developers. If the FDA is satisfied that the firm is responsible and safe in its development, then it won't need to regulate each product from that firm. Additionally, the FDA will rely on real-world data to keep tabs on devices once they're been approved.
Changes from the first draft are mostly iterative. The FDA has clarified that the framework is intended for companies of all sizes. It explicitly excludes some categories of software, namely software "for administrative support of a health care facility, for maintaining or encouraging a healthy lifestyle, to serve as electronic patient records, for transferring, storing, converting formats, or displaying data, or to provide certain limited clinical decision support." It allows companies to designate the business unit or group within their organization that will be reviewed.
The FDA also lays out 12 categories that the agency can look at when evaluating an organization, and asked specifically for comments on the list, which includes leadership, transparency, people, infrastructure and work environment, risk management, configuration management/change control, measurement and continuous improvement, outsourced processes, requirements management, design and development, verification and validation, and deployment and maintenance. The agency intends to create Key Performance Indicators (KPIs) in each of these categories.
While the April guidance proposed two different levels of pre-certification, one for companies with experience putting out SaMD, and one for companies deploying SaMD for the first time, the new guidance suggests that this line be drawn less sharply, with standards that allow companies to test into either category regardless of whether they already have a device on the market.
Epstein Becker Green's Bradley Merrill Thompson expressed concerns in an email to MobiHealthNews that, as the framework evolves, it's beginning to raise questions about how the FDA will derive the authority to change the process of medical device regulation so drastically. It's especially worrying given the agency hopes to have a pilot up and running by 2019.
"There is absolutely no way this program can go forward without changes at least two regulations, if not statute," Thompson wrote. "The 510(k) regulation is pretty specific, and based on a pretty specific statute. None of the stuff that they are talking about doing in this precertification program is within the 510(k) regulation."
Thompson sees this as part of a larger problem with how the FDA has been operating for some time around medical devices — overusing the concept of enforcement discretion to avoid real rulemaking. Similarly, he thinks the agency could be using the idea of a voluntary program in a similar way.
"The topic FDA really has not confronted is what it means for a program to be voluntary versus mandatory," he said. "I assume that FDA believes that by making it voluntary, it can somehow adopt the program without changing the underlying statutes and regulations. As I said above, I don't see how that's possible. Even if it's voluntary, the agency has to have statutory authority to do whatever it does. And this program has not been authorized by statute. Further, it expressly conflicts with the FDA's own existing 510(k) in classification regulations. It cannot ignore statutes and regulations just by declaring that it's a voluntary program."
The FDA will accept comments on this draft until July 19.