Last month I outlined the triggers that could cause an ordinary mobile phone to become an FDA-regulated medical mobile phone. This month, in the second of six planned articles, I will outline the FDA requirements that would apply to a mobile phone that crosses that line.
To summarize the July 13 article on "FDA may regulate certain mobile phones, accessories", a mobile phone could become a regulated medical device if the manufacturer, through its words and deeds, conveys an intention that the phone be used in medical applications. I also pointed out that medical devices come in at least three different flavors: (1) standalone medical devices, (2) accessories and (3) components to such devices.
Premarket clearance or approval
In contrast to components that are simply sold to another manufacturer, standalone medical devices and accessories sold to end users may require some form of premarket clearance or approval. Once you know you have an FDA-regulated device or accessory, here's how you figure that out, following a five-step process.
Step one. Figure out the most appropriate classification for your product.
There is a bit of both art and science to this. FDA has published about 1700 classification regulations. Each of those regulations has a description or "identification" of the types of devices covered by that regulation. FDA has a searchable database of these regulations accessible through their website.
Some articles of hardware and software are so important that FDA has separately classified them, and you can find them directly through searching. The regulations are organized by clinical application so all of the orthopedic devices, for example, are in one part of the regulations. So you might get lucky and find one that directly describes your product. A quick search of the regulations revealed that the word "computer" appears in 225 regulations, "software" in 431 and "network" in 43. There is, for example, a classification for remote medication management systems in 21 CFR 880.6315.
But if you can't find one that directly describes your product, perhaps it's because FDA considers your product to be merely an accessory to a "parent" device. I'll give you an example. Last month FDA cleared an updated version of the Polytel glucose meter accessory, which is a small module that plugs into the port of a glucose meter, receives data from the meter and transfers it wirelessly to an Internet capable communication device like a cell phone or an APT. In clearing the device, FDA agreed with its classification in 21 CFR 862.1345, which covers all glucose test systems, including the "parent" glucose meters.
Step two. Read the second half of the classification regulation to see how FDA regulates that particular article.
FDA will assign each product into one of three classifications, cleverly called class I, II and III. Class I devices represent the least risk, while class III represent the greatest. Associated with those classifications are specific regulatory requirements. Many class I devices will be exempt from premarket clearance, and some products will be exempt from other regulatory requirements that I'll describe in a minute. Some class I and most class II devices require filing a premarket notification (or 510(k)) with FDA. These submissions are manageable documents that compare the new device to those lawfully on the market. The specific data requirements are discuss below.
The highest risk devices-class III-usually require premarket approval (PMA) from FDA, which can cost millions. Most IT devices can avoid that, unless they are an accessory to a high risk device. If your device is classified as an accessory, it is subject to all of the regulatory requirements applicable to the parent device.
Step three. Research the requirements.
FDA has published scads of guidance documents on its website that cover many different aspects of the technologies they regulate. There are guidance documents on using wireless technologies, off-the-shelf software, and specific medical technologies such as blood glucose meters. It's important you find all of these so-called "special controls" because you'll need to make sure that your product complies with those technical standards.
Step four. Consider your options.
Even once you know how a device is classified and the specific regulatory requirements, you may well have options for how you get marketing clearance. Let's say your device is in class II, and some sort of premarket notification or so-called 510(k) is required. 510(k)s come in lots of different flavors, including traditional, special and abbreviated. For some, as an alternative to filing at the FDA, you can seek to have your device reviewed by an independent third-party who then certifies its review to the FDA. Going through each of those options is beyond the scope of this article, but it's important to understand that you have options. I have tried to illustrate the major options in Diagram 1 below.
Step five. Determine the type of evidence needed for FDA clearance.
Even more choices need to be made here. The amount and type of data needed to secure approval depends directly on the types of claims you want to make. In many cases, you might have the option to merely make a "tool" claim: a claim that your product simply does a specific function. In the accessory example I gave above regarding the Polytel product, the company makes a tool claim that its article merely connects one medical device to the Internet.
You might also wish to make an outcome type claim: a claim that your device will help treat or diagnose a specific disease or condition. For example: "Using this device to transmit your blood glucose readings to your physician typically allows for better control of diabetes and will help you wean yourself of dependency on insulin."
The types of data you need to provide FDA will depend on which type of claim you make and indeed on the exact wording of the claim. Typically, you could support a tool type claim with bench testing or other non-clinical evaluation. Basically you need to prove that your tool works. If you choose to make outcome-based claims, you'll need to prove that the device indeed achieves those outcomes. That's much harder, and requires testing in a clinical setting.
If you are following the 510(k) pathway, the fundamental standard is whether your device is substantially equivalent to other lawful devices. So most submissions follow a comparative format where the submitter compares his device to others in the marketplace.
In addition to the premarket clearance or approval question, devices must comply with other FDA requirements, as described below.
Quality system requirements
The other big hurdle is ensuring compliance with the quality system regulations. As the name suggests, these requirements are focused on ensuring manufacturers produce quality products commensurate with the risks associated with using the device. So the exact nature of the quality system will depend on the intended use of the article. For companies that are ISO 13485 certified, becoming compliant with the quality system regulations is mostly a matter of creating documentation systems so that you can prove your compliance. More substantial changes are required if the company is only ISO 9001 certified.
These quality system regulations apply cradle-to-grave, so the minute you begin the design process, the design controls must be observed. Design Controls specify the process used and the records to be created during the design, development, and manufacturing scale-up of a device. They extend all the way to postmarket issues such as complaint handling, risk management, and failure analysis and feedback to the design and manufacturing organizations.
In the medical device world, component suppliers are exempt from these regulatory requirements (though sometimes they are contractually required). That doesn't mean the components need not be high quality, but rather it means that the finished device manufacturer has the regulatory burden of assuring the quality of the components it uses. While this could mean incoming inspections of raw materials, components and subassemblies, it more often means that a device manufacturer must apply all necessary controls on a supplier-by-supplier basis to make sure that any controls the supplier is missing, the device manufacturer provides.
Adverse event reporting
As kind of a belt and suspenders, in addition to requiring premarket review of the product and imposing quality system requirements, FDA expects companies to be vigilant for reports of people getting hurt or products malfunctioning. In some cases those incidents might rise to the level of needing to be reported to FDA. These so-called Medical Device Reports are time sensitive (an assessment is due in a matter of days or weeks), and require the company to have in place systems for reviewing all relevant incoming information to assess the potential of each report to be categorized as an Adverse Event. If the company decides to take corrective action, in some cases the company needs to notify FDA.
Other regulatory requirements
FDA has a variety of other requirements that may apply, including such things as registering manufacturing facilities, listing the products manufactured, specific requirements for investigating the safety and effectiveness of an unapproved device, export and import restrictions, and labeling and advertising requirements. FDA also has a variety of requirements that apply to postmarket distribution to ensure that products can be identified and traced back.
There is no doubt that these requirements can be quite burdensome. But to state the obvious, thousands of companies have found it possible and worthwhile to enter the medical device realm. In the coming months, building on the first two articles, I will explore the unique aspects of FDA regulation of software, a business assessment of whether entering the FDA-regulated realm is worthwhile, options for staying out of regulated territory, and some thoughts on where future FDA regulation could go in this space. I hope you'll find the series useful.