FDA's Medical Device Software Regulation Strategy: 2-Day In-Person Seminar
(by Ex-FDA Official)
By: Casper E. Uldriks, Former Associate Center Director of FDA's CDRH
The growth of the medical software industry outpaces the design of FDA´s regulatory process. In some instances clinicians have weighed the risk of software failure against the benefits of using a device at all. Device software is often used in conjunction with other software-based devices, but their interoperability was never anticipated.
How can you anticipate and defend against the malicious remote hacking and shut down of an insulin infusion pump?
Can one software program defeat the performance capability or back up safety features of another software program?
When interoperability surface, which software manufacturer takes the lead to solve the problem and deal with proprietary software issues?
This seminar will focus on addressing these concerns and educating participants on FDA’s recent medical device software regulation strategies.
The medical device trade and healthcare professionals remain plagued by other issues, such as the interoperability of devices from different manufacturers, or software validation that is limited to the immediate use of the software rather than its performance with other software programs, and software hacking protection applications. In case of software malfunction, fixing the malfunction or bug can get more difficult as software gets increasingly sophisticated, customized by users and placed in a network system. Under these circumstances, it is difficult to decide who is responsible for managing and fixing software problems.
This seminar will help those involved in overcoming these commercial and regulatory obstacles. It will highlight the need for firms to remain current with technological tools and strategy to remain competitive, and ideally, outside FDA’s regulatory radar. Going further, it will instruct participants on how to apply these tools and strategies to ensure the following factors:
For those who have addressed these issues to meet FDA’s regulatory expectations, the course instructor, a former FDA official, will help identify a basic centering point to build a regulatory profile for your software products.
- Understanding FDA legal authority
- Applying FDA classifications / risk controls
- Understanding FDA and NIST software guidance
- Identifying the quality system regulation for risk management, software verification and validation
- Identifying cybersecurity issues and developing a planned response
- Identifying and resolving interoperability issues
- Figuring out the scope of FDA’s mobile apps regulation
- Learning about bug updates classified as recalls by FDA
- Future device software applications
The development and application of medical device software expands faster than can be managed by one federal agency. Although FDA relies on its own experience and expertise, input from other federal organizations, voluntary standards organizations and partnerships with industry has become a collaborative effort. At the same time, the device software industry needs to look beyond FDA itself to understand where FDA will eventually go in regulating software.
The evolution of software has created unprecedented progress and unprecedented risks to the public. The management of the unprecedented risks requires the device industry to rely on more than just FDA’s guidance to comply with its regulatory expectations. FDA can expect developers to apply voluntary standards, such as ANSI, AAMI, IEC and ISO, all of which provide information on software verification and validation. The National Institute of Standards and Technology (NIST) has taken a leading role in publishing reports concerning the benefits and risks of third-party mobile applications. FDA has partnered with NIST in this effort. Likewise, NIST has published a report on cybersecurity management and wireless technology.
FDA recently published a draft guidance to help the industry address software issues in premarket submissions. The guidance sets out a baseline from which to show the adequacy of the software, but it is not an endpoint for you. Are you prepared to integrate and apply new software risk management tools for your devices?
FDA's risk classification will gradually clarify how it intends to manage the health risks. Risk factors include areas such as the following:
- Mobile medical apps
- Home use
- Remote use
Software problems represent one of the most common root causes for recalls and have been associated with deaths and serious injuries as well. FDA sees firms revise software only to have it create more problems rather than solve them. The infusion pump industry is a classic example.
FDA's Medical Device Software Regulation
Strategy Course Outline:
Day 1 (8:30 AM – 4:30 PM)
Registration Process: 8:30 AM – 9:00 AM
Session Start Time: 9:00 AM
FDA Authority and Regulatory Program
Types of Software Devices
Function and outcome
Medical Device Data Systems (MDDS)
Office of the National Coordinator (ONC) for Health Information Protection
Software Regulatory Applications
Quality System Regulation (QSR)
Design verification and validation
Corrective and prevent action plans
Service / maintenance / recall
Corrections and Removals Reporting
Updates: FDA vs. Non-FDA
Compatibility by Design
Instructions for use
Use of Voluntary Standards
Failure Management / Follow Up
User’s vs. Manufacturer’s Legal Responsibility
Environment of use
Day 2 (8:30 AM – 4:30 PM)
Device Vulnerabilities: Malfunction and Failure
Corrective action for software
Disclosure to users
National Institute of Science and Technology Report
Medical Mobile Applications (Mobile Apps)
Mobile Apps Defined as a Device
FDA Regulatory Strategy
National Institute of Science and Technology Report and Collaboration
Updates (FDA vs. Non-FDA Updates)
Criteria for corrective and preventive action deemed recalls
Reports of corrections and removals
Reports of adverse events
Professional vs. Lay Use / Home Use
Labeling: Instructions for Use and Precautions
Environment of Use
FDA Regulation of Accessories
Federal Communications Commission (FCC) Regulation