In June 2018 the FDA released an update to its working model of the Software Precertification Program that addresses 10 areas of comments received as a result of the earlier call for public input. In an usual step, these comment driven changes are clearly identified in the document, rather than leaving it to reader to figure out what is new or different. I will briefly address each of these ten areas.
1. The FDA has reiterated that Pre-Cert can apply to organizations of any size. This isn’t new.
2. The FDA notes that it agrees with the principle that there should be flexibility in the “excellence” appraisals that will be applied to organization seeking certification. However, we might also note that flexibility inherently means inconsistency such that comparisons of two or more versions of being excellent may be difficult.
3.The FDA clarified that the Pre-Cert program only applies to software that is a medical device. This is hardly surprising since things that aren’t medical devices are not within the relevant component of FDA’s purview. If a software product is not a medical device some other agency may or not have jurisdiction (eg FTC). None-the-less, the FDA is currently studying non-medical device software as directed by the 21st Century Cures Act.
4. The FDA has said that it indeed will apply least burdensome considerations in establishing excellence models. This is also not surprising since least burdensome is part of FDA’s mandate and the agency routinely describes everything it does as being least burdensome.
5. The FDA says it will allow organizations to self-identify business units for the purpose of certification. This allows larger organizations to separate their applicable software activities (and establish “excellence”), while segregating other parts of the organization (that perhaps aren’t excellent?).
6. The Pre-Cert program will incorporate the International Medical Device Regulators Forum (IMDRF) N23 document entitled Software as Medical Device (SaMD): Application of Quality Management. I don’t think this is new, but it may now be more explicit. On the other hand a separate note says that the IMDRF-SaMD definitions may include things that aren’t medical devices in the U.S. but this does not mean they would become FDA regulated.
7. The FDA has clarified two levels of excellence that might be certified. This allows for being certified to be perhaps somewhat excellent (Level 2) and not-quite-so-excellent (Level 1 ). Level 1 will allow lower risk SaMDs to avoid review or follow a streamlined review. Level 2 ups the ante to lower and moderate risk SaMDs. Note that moderate risk is as high as Pre-Cert goes. Another way to look at this is that at Level 1 the FDA trusts you but only if what you are doing isn’t important, and at Level 2 the FDA trusts you a little bit more. Public disclosure of trust levels may be interesting and noted in this previous post here.
8. Some clarification is provided with regard to risk assessment for eligibility for Pre-Cert. This will include the significance of the information provided by the SaMD to healthcare decision making and the state of the healthcare situation or condition to which it applies. Note that SaMD cannot go beyond an informational output, i.e., it can’t actually do anything because if it did there would be associated hardware. Additional risk assessment elements include the core functionality of the SaMD along with a device description including key technological characteristics. Other elements related to confidence are the organization’s Pre-Cert level and other information related to organizational excellence, and real-world performance information about the SaMD. The product must also comply with all applicable privacy and disclosure laws, including user privacy and manufacturer intellectual property rights. I’m not quite sure what all this means but in time the FDA will presumably tell us.
9. The FDA has added further discussion of how the FDA will evaluate SaMD under Pre-Cert, including that it will conduct an interactive review supported by automated analysis, where appropriate, and aspires to provide a decision on the marketing of a Pre-Cert SaMD product within a shorter timeline than other premarket review processes. No timeline goals have been identified. Turnaround time can be a bigger issue for one product start-ups than for bigger companies that actually have an income. This is a further disadvantage of being small and new.
10. The FDA has commented further on the use of real-world performance of earlier products as a measure of quality. This clearly implies that there will be a significant advantage for vendors with earlier success, and a corresponding disadvantage to first-product start-ups. Being prepared to collect real-world data, although having not yet done so, may also be relevant.
How Pre-Cert will eventually work is hardly a closed discussion since the pilot program is underway and the public comment docket is still open. The report discussed here also is annotated with respect to areas the FDA would like additional input on.
However it all works out, it remains the case that software has managed to pull-off a self-declaration that its development is different from the development of hardware, and that it therefore cannot be held to the same mechanisms of regulatory review as those old-fogy technologies like electronics. Moreover, congress and the FDA, have bought into this perception with FDA noting that “iterative design” (otherwise known as make-it-up-as-you-go-along) is somehow an essential element of software as opposed to simply a practice. Similarly, we have the ongoing idea that we are to expect software to have flaws, and that an “upgrade” can mean fixing something that wasn’t right in the first place.