The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to device software functions and mobile medical applications. Apart from other aspects, the document highlights the main points related to the applicable regulatory requirements to which such products are subject.
It is important to mention that guidance documents issued by the FDA are non-binding in their nature and are intended to provide additional clarifications and recommendations to be considered by the parties involved rather than introduce new rules and requirements. Hence, the approach described in this guidance is one suggested by the FDA. Interested parties may apply an alternative approach, provided it complies with the applicable regulatory requirements and has been approved by the authority in advance.
The document itself is intended to assist medical device manufacturers in determining whether the product they are responsible for meets the definition of a medical device and thus should be subject to regulation under the medical device’s framework. For this purpose, the guidance describes how the provisions of the applicable legislation should be interpreted in order to achieve and sustain compliance with any and all regulatory requirements set forth therein.
According to the document, the particular regulatory requirements to be applied depend on how the product in question is classified under the current US risk-based classification for medical devices. The document further describes the applicable regulatory requirements as follows:
- Class I devices: General Controls, including:
- Establishment registration, and Medical Device listing (21 CFR Part 807);
- Quality System (QS) regulation (21 CFR Part 820);
- Labeling Requirements (21 CFR Part 801);
- Medical Device Reporting (21 CFR Part 803);
- Premarket Notification (21 CFR Part 807);
- Reporting Corrections and Removals (21 CFR Part 806); and
- Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).
- Class II devices: General Controls (as described for Class I), Special Controls, and (for most Class II devices) Premarket Notification.
- Class III devices: General Controls (as described for Class I), and Premarket Approval (21 CFR Part 814).
Requirements in Detail
The abovementioned requirements are described in detail in Appendix E to the appropriate guidance. However, the FDA also states that the description provided therein is not exhaustive and encourages medical device manufacturers (software developers) to consider additional clarifications provided in other guidance documents dedicated to the matter.
- Registration of an establishment and listing of a medical device. According to the applicable legislation, medical device manufacturers are obliged to pass registration with the regulating authority on an annual basis and also to inform the authority about the medical devices they are supplying. These measures are intended to keep the authority informed of any and all entities involved in manufacturing medical devices and placing them on the US market, including the particular types of products.
- IDE requirements. According to the Investigational Device Exemption (IDE) framework, a new medical device could be used in the course of a clinical study carried out for collecting additional data which later would be used when applying for a marketing approval under one of the applicable frameworks (a Premarket Approval (PMA) application or a Premarket Notification 510(k) submission). Should the device intended to be used in such clinical studies be associated with the high risk for patients’ health, the studies should be subject to prior approval by the Agency, as well as by an Institutional Review Board. For the lower-risk studies, the approval of the latter would be sufficient. The authority also mentions that the medical software developers engaged in creating software products based on novel technologies are encouraged to participate in early collaboration meetings to be carried out in order to determine the optimal regulatory approach.
- Labeling requirements. The labeling for medical devices should comply with the applicable regulatory requirements depending on the type of medical device in question.
- Premarket submission. It is also stated that medical device manufacturers should also be responsible for determining the class of a medical device under the risk-based classification. In case of doubts, the manufacturer can also request classification from the FDA. It is important to mention that in case of discrepancies in classification, the one determined by the regulating authority shall prevail.
- Quality System Regulation (QS Regulation) outlines the general principles upon which the manufacturing process should be based. In particular, it describes the approach to be applied by the manufacturer when developing processes and procedures to be implemented in order to ensure consistent safety, effectiveness, and quality of medical devices designed and manufactured. In the case of software, the manufacturer (developer) shall establish an approach to the validation of the functions of the software.
- Medical Device Reporting (MDR) constitutes an important element of post-market activities. According to the applicable regulations, the parties responsible for medical devices should duly notify the authority about reportable events associated with the products placed on the market in accordance with the specific rules and requirements. The legislation outlines the scope of reportable events depending on the harm caused and/or risks the patients are exposed to. Additionally, the manufacturer is obliged to carry out an investigation in order to identify the underlying issues resulting in the adverse event to be able to take measures necessary to mitigate the risks. The analysis should be based on the information collected by the manufacturer itself or provided by other parties involved in operations with medical devices.
- Correcting problems. Once the manufacturer has identified specific issues associated with a medical device and impacting its safety and performance, it should duly implement the measures reasonably necessary to correct the problem. Usually, such measures are implemented on a voluntary basis. However, if the issue exposes patients to significant hazards, the regulating authority may require the manufacturer to take action accordingly. Once such actions have been taken, the appropriate report should be provided to the FDA. Under the applicable legislation, a report on corrective actions taken should be submitted to the FDA no later than 10 business days from the date such actions usually took place. The Agency additionally emphasizes that medical device manufacturers are obliged to report any and all actions taken to mitigate the risks and address identified safety issues. At the same time, certain modifications, for example, the ones intended to improve the quality of a mobile app without impacting its safety and performance, are not subject to reporting. However, such changes should be duly documented by the medical device manufacturer (software developer), and the appropriate records should be kept to be provided to the authority upon request.
In summary, the present FDA guidance provides an overview of the regulatory requirements medical software could be subject to depending on its functions and features. The document also highlights specific aspects associated with applying general requirements for medical devices to software products (including mobile apps).
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.