When a product under review by FDA performs at least one function that is regulated as a medical device and at least one that falls outside of the agency’s oversight jurisdiction, where is the line FDA can’t cross during its assessment? A new agency guidance document attempts to answer this increasingly common question in the age of digital health.
Fundamental to FDA’s role as a regulator is setting out clear rules to define what products and product uses are subject to regulation as a medical device, including premarket review, and what situations fall outside of FDA’s realm of oversight. But things can get complicated when a product coming before the agency’s reviewers contains components in both of those buckets.
FDA must of course review the functions of a product that are in a regulated category, but in this type of multi-function device, companies and policymakers worry about jurisdiction creep—the potential for the agency to ask for information and data about tools and applications that it has no authority over or that it has previously established as 510(k)-exempt or under enforcement discretion. This is a particularly salient topic in the context of the mushrooming field of digital health. A company, for instance, may develop an app or tool tied to the functioning of a smartphone, or it might add on a clinical tool to a hospital software system that otherwise just records patient information. The iPhone and its full operating system or a basic hospital electronic medical record aren’t subject to FDA review, but where does FDA draw the line when these non-regulated systems contain or are combined with regulated uses?
“The higher the degree of separation, the easier it is to independently review the safety and effectiveness of the device function-under-review,” FDA states in the guidance.
The agency issued a guidance document July 28 to answer that question, called “Multiple Function Device Products: Policy and Considerations.” As part of the 21st Century Cures Act of 2016, Congress drew clear lines around what types of software do not qualify as FDA-regulated devices, including, for instance, administrative-support software and software for encouraging a healthy lifestyle. As part of that requirement, the Cures Act made clear that FDA should not review non-device software functions that are included in multiple function devices, except as to assess the impact of those components on the regulated device functions. The new guidance teases out how the agency plans to accomplish that balance, both for software and for any multi-function device with at least one non-regulated function even if it isn’t software.
FDA made a first attempt in a draft version of the guidance issued in 2018, but device firms expressed concerns about some of the broad language in that document and the potential for reviewers to seek information about “other” non-regulated functions in an inconsistent manner. The agency clearly tried to respond to that feedback. The 27-page final guidance came in nine pages longer than the draft, including more detailed language setting out when information about “other functions” needs to be included in a premarket submission and when it doesn’t.
The gist: companies must include any information about the potential for increased risk or an adverse event due to the combination of the other function and the device function in its premarket submission. The manufacturer should also include information about a positive, beneficial effect (e.g., it improves efficiency, usability) that the “other function” adds to the device function if it is a benefit that the manufacturer plans to include on the device labeling.
On other hand, if the assessment finds no impacts or only positive impacts that will not be included on product labeling, no information about the non-regulated function needs to be addressed in the premarket review, FDA states. Nonetheless, FDA says, all impact assessments must be documented as part of design controls and are subject to FDA to review during a facility inspection.
The agency also added language in the final guidance to make clear it will “not review a device function subject to an enforcement discretion policy merely because it is part of a multiple function device product.” And the agency added a flow chart to the guidance that maps out each decision point for a company when determining whether information about a non-regulated function needs to be part of a submission.
Security and the Separation Line
When it comes to software, one major consideration for a company when deciding if the “other” function impacts the device function negatively is cybersecurity. That is a topic that wasn’t given much attention in the draft guidance, but it gets more of a focus in the final document.
“When assessing the cybersecurity risks of ‘other functions’ on the device function-under-review, it should be assumed that the ‘other function(s)’ may be employed (maliciously or unintentionally) to cause an adverse impact on the device function-under-review (e.g., as a result of a cyberattack),” FDA’s guidance states. “Some level of separation of the device function-under-review from the ‘other function(s)’ in design and implementation may be necessary to mitigate cybersecurity risks to the device function-under-review.”
In general, the better that a company can keep walls around the regulated and non-regulated functions of a system, the less complicated the review will be for the sponsor, the guidance suggests. FDA recommends product developers should make decisions, such as with software architecture, early in the design cycle to facilitate optimal separate and segregation between functions.
“The higher the degree of separation,” the guidance states, “the easier it is to independently review the safety and effectiveness of the device function-under-review.”
Trial MyStrategist.com and unlock 7-days of exclusive subscriber-only access to the medical device industry's most trusted strategic publications: MedTech Strategist & Market Pathways. For more information on our demographics and current readership click here.