FDA reneged on its promise to take a risk-based approach to CDS software

By Bradley Merrill Thompson
01:23 pm

About the Author: Bradley Merrill Thompson is a member of the firm at Epstein Becker & Green, P.C. There, he counsels medical device, drug, and combination product companies on a wide range of FDA regulatory, reimbursement, and clinical trial issues.

Since the Medical Device Amendments of 1976, a hallmark of FDA’s regulation of medical devices has been the agency’s risk-based approach. Medical technology covers everything from tongue depressors to pacemakers, so one size of regulation simply does not fit all. By law, FDA is supposed to focus its limited resources on higher risk technologies both to maximize public health protection, and at the same time to avoid stifling innovation where regulation is unnecessary. Unfortunately, in developing its new approach to regulating clinical decision support (CDS) software, FDA has chosen to ignore that basic principle as well as a promise the agency made to Congress and the public.

FDA’s promise to Congress came in response to section 618 of the 2012 Food and Drug Administration Safety and Innovation Act (FDASIA).  That Act required FDA, working with the Office of the National Coordinator and the Federal Communications Commission, to post on FDA’s website, “a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” 

To prepare that report, FDASIA authorized FDA to create a working group of all the various stakeholders including health IT vendors, patient groups, healthcare providers, payers and others to get input. FDA convened that working group in 2013, and I served as chairman of the Regulatory Subgroup.  Among other things, that stakeholder Working Group recommended that FDA publish a guidance clarifying the dividing line between regulated and unregulated CDS. 

After getting the Working Group’s input over the course of about 30 meetings, in 2014 FDA published on the agency’s website a draft of its so-called “FDASIA Report” that laid out the approach FDA planned to take with regard to CDS. 


The FDASIA Report explained that FDA had already begun drafting a guidance that would clarify the dividing line between high and low risk CDS even before the 2012 FDASIA legislation. To provide context for the agency’s planned approach to the guidance, the FDASIA Report commented on the clinical importance of CDS, noting that “CDS can contribute to increased quality of care and enhanced health outcomes, avoidance of errors and adverse events, improved efficiency, reduced costs, and enhanced provider and patient satisfaction.”

The challenge in developing a regulatory approach to CDS is that, according to the FDASIA Report, CDS software varies considerably in risk, depending on such factors as “the quality and reliability of the information and evidence, the analysis and customization underlying its implementation, and their transparency to users.” To address that risk spectrum, the FDASIA Report noted: “In applying a risk-based approach, FDA does not intend to focus its regulatory oversight on … [low risk] products/functionalities, even if they meet the statutory definition of a medical device.”

The report then went on to list nine examples of low risk CDS that do not merit FDA regulation, including software that offers:

  • “Facilitation of access to treatment guidelines and other reference material that can provide  information relevant to particular patients;
  • Calculation of prediction rules and severity of illness assessments (e.g., APACHE score, AHRQ Pneumonia Severity Index, Charlson Index): …
  • Suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s EHR.”

The FDASIA Report continued:

“The FDASIA Workgroup and other health IT stakeholders have stated that some CDS software – those that are medical devices and present higher risks -- warrant FDA’s continued focus and oversight. Examples of medical device CDS currently regulated by FDA include but are not limited to:

  • Computer aided detection/diagnostic software;
  • Remote display or notification of real-time alarms (physiological, technical, advisory) from bedside monitors;
  • Radiation treatment planning; …

Consistent with the recommendation of the FDASIA Workgroup, FDA will work with federal and private stakeholders to clarify the types of medical device clinical decision support that should be the focus of FDA’s oversight.” (Emphasis added.)

FDA concluded its discussion of CDS with the following passage on page 27 of the report:

"Most clinical decision support (CDS) functionalities can be categorized as health management health IT, [a category that FDA had defined in section 5 of the Report as low risk]. FDA does not intend to focus its oversight on CDS [in that low risk category]. … For the small subset of CDS software that are medical device health IT functionality, present higher risks, and generally have been subject to active oversight by FDA, such active oversight should be continued. FDA will work with federal and private stakeholders to clarify the types of medical device clinical decision support that should be the focus of FDA’s oversight.

The Agencies seek public input on the following questions related to clinical decision support (CDS):

• What types of CDS functionality should be subject to the health management health IT framework [for low risk CDS]? Which types should be the focus of FDA oversight?

• Are there additional safeguards for CDS, such as greater transparency with respect to CDS rules and information sources that are needed to appropriately balance patient safety and the promotion of innovation?"

The discussion regarding the use of transparency led to section 3060 of the 21st Century Cures Act in 2016. In that legislation, to clarify the jurisdictional line between FDA and state regulators with authority over the practice of medicine, Congress delineated what it means for software to be transparent.

But as to the risk-based stratification, in the FDASIA Report FDA squarely promised Congress and the rest of the world that in concert with stakeholders the agency would develop a guidance document that would differentiate high from low risk CDS, and focus its regulatory resources only on high risk CDS. Indeed the agency observed that the effort was already underway prior to FDASIA.
2014 through 2017

FDA gave every indication in the years since the FDASIA Report that it would follow through on its promise, putting the development of a draft CDS guidance in its category A, top priority, for the Center for Devices and Radiological Health over the years 2015 and 2016.

In 2017, after President Trump won the White House and installed Commissioner Scott Gottlieb, the new Commissioner repeatedly promised that FDA would follow through and focus it CDS regulation only on high risk software. Consider:

  • On June 15, 2017, Dr. Gottlieb published a blog post entitled, “Fostering Digital Innovation: A Plan for Digital Health Devices,” in which he indicates that FDA will take a risk-based approach to digital health regulation.  Referencing the need to encourage innovation, but also ensure products are safe and effective, Dr. Gottlieb observed: “FDA will provide new guidance on other technologies that, although not addressed in the 21st Century Cures Act, present low enough risks that FDA does not intend to subject them to certain pre-market regulatory requirements.”
  • In the agency’s Digital Health Innovation Action Plan released in July 2017, the agency flat out promised that “FDA intends to issue a new draft guidance that delineates the clinical decision support software that is no longer under FDA’s jurisdiction."
  • Additionally, in a recent CNBC interview, Dr. Gottlieb noted the following with regard to digital health products: “From a regulatory perspective, we are trying to take a risk-based approach. Some of these products are low risk and we'll think differently about them (than medical devices) and take some out of pre-market review process."

Proposed CDS Guidance

Then it happened. After six long years, FDA published its proposed CDS guidance in December 2017. 

But to the shock of industry, the proposed guidance omitted any discussion of risk. Instead the guidance laid out the agency’s apparent intent to regulate all CDS that falls into the literal medical device definition, with the exception that the agency intends to apply enforcement discretion to certain transparent software directed to patients. Other than observing that the FDA’s Mobile Medical App guidance had carved out some professional use software for enforcement discretion in 2013, and other than acknowledging the transparency provisions of new section 3060 of the 21st Century Cures Act, the proposal conveyed FDA’s apparent intent to regulate all professional CDS, no matter how low the risk.

Industry was simply stunned. After all the discussion in connection with FDASIA regarding the need to not simply apply the statute but rather to use risk-based determinations to carve out software that did not merit FDA oversight, the agency apparently did an about-face and proposed that all CDS be regulated, even if low risk. In fact, it appears that all of those low risk categories of software listed in the FDASIA Report itself that the agency said would be unregulated will be regulated, except for those already specifically carved out in the Mobile Medical App guidance.

How could this have happened? How could FDA participate for years in the FDASIA policymaking process, and then turn around and do the exact opposite of what the agency had promised?

Only FDA knows the answer.

What makes this particularly perplexing is that during the same time that FDA was engaged in the FDASIA process, the agency participated in, and actually chaired, the International Medical Device Regulators Forum to come up with a framework for a risk-based stratification of CDS. And the agency succeeded to build a consensus with the other major regulators around the world, in 2014 producing a framework entitled “Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations.”

That framework, ironically signed by CDRH Director Jeff Shuren as the Chair of IMDRF,   addresses the tough questions about how  to stratify software  based on risks such as (1) the seriousness of the disease or condition being  treated or diagnosed, and (2) the role of the software in the decision-making.

All I can do is speculate that the agency simply de-prioritized the CDS guidance in favor of other  projects.  While the international framework represented the toughest work, almost certainly numerous internal FDA discussions would need to take place to translate that framework into an FDA guidance on CDS. And during 2017, FDA got busy on other digital health projects including the precertification program for standalone software. My guess is the agency simply turned its attention to other tasks in digital health, and ran out of bandwidth to translate the international risk framework into the CDS guidance for the US.

FDA might argue that industry should be saying “thank you.” Industry should thank them, they might suggest, for working on big, profound stuff like a whole new way of regulating software.  While there is some truth to that, companies that are trying to innovate low risk CDS are unlikely to say thank you, when frankly they believe they shouldn’t even be subject to FDA regulation in the first place. Honestly those companies could care less whether FDA’s approach to regulating software is improved or not, since no intelligent regulatory system, they would argue, should encompass their software.

In comments on the proposal on behalf of the CDS Coalition (which I wrote), the Coalition noted that there are dozens of low risk forms of CDS that have been on the market for years if not decades without any apparent harm. This software now may well be swept up in FDA regulation, potentially requiring that the software be removed from the marketplace. Given how widely-used some of these programs are, the disruption would be enormous.


The FDA December 2017 CDS guidance is only a proposal, so it may be premature to play taps for the CDS industry. But the problem is that FDA can’t simply add the risk-based stratification when the agency publishes its final version. The public has the right to comment on a new risk-based framework, and couldn’t do that since the framework was not included in the proposal. The only approach FDA can use at this juncture is to re-propose the guidance with a new approach that includes a risk-based stratification and allow another round of comments. We shall have to wait to see whether FDA decides to honor the promise it made Congress and the public at large, but it is truly disheartening that after seven years public discussion, FDA has thus far turned its back on commitments the agency made.

More regional news

Person in a telemedicine visit at home

(Photo credit: Alistair Berg/Getty Images) 

Piggy Bank

(Photo Credit: Kwanchai Lettanpunyaporn/Getty Images) 



The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!