5 key parts of the FDA Medical Device Safety Action Plan
As part of the plan, the agency wants authority to impose new premarket and postmarket requirements.
The FDA's strategic plan to improve medical device safety seeks to protect innovation and address unmet medical needs.
It's an ambitious task.
The Medical Device Safety Action Plan includes integrating the Center for Devices and Radiological Health’s premarket and postmarket offices to allow for a total lifecycle approach to device regulation.
Other features include creation of a robust medical device patient safety net, exploring regulatory options to streamline and modernize postmarket risk mitigation and incentivize the development of safer devices. FDA also seeks to bolster device cybersecurity by requiring companies to incorporate security updates and patch capabilities into initial product designs and establishing a public-private partnership focused on cyber threats and vulnerabilities.
“The plan represents a paradigm shift and reordering of priorities, but appears to be within the ambit of what FDA generally does,” says Kim Lee, director of privacy and security at health IT group HIMSS.
Now open for public comment until August 17 of this year, the blueprint comes as FDA device approvals reached a new high last year and a number of first-in-kind products are reaching the market. Among those are the first automated insulin delivery device for type 1 diabetes and a blood test to evaluate traumatic brain injury.
Here are five things to know about the agency's device safety plan.
1. Total product lifecycle approach
Rapid advancements in medical technology are challenging the FDA’s traditional approach to device regulation. Ensuring device safety and quality requires new levels of communication and collaboration to keep pace with the changing science and ecosystem needs.
“Historically, FDA’s medical devices center, CDRH, has been organized largely according to the stage of the product’s life cycle — premarket review, postmarket surveillance, and compliance — rather than holistically by the type of product being regulated,” the safety plan says.
While that approach allows FDA staff to specialize according to function, it doesn’t suit today’s regulatory needs in the fast-evolving and innovative medical device sphere.
To improve the efficiency and agility of FDA oversight, the agency would restructure CDRH into a single unit comprised of seven smaller device-specific offices, each responsible for premarket review, postmarket surveillance, manufacturing and device quality and enforcement. The unit would also include a new office devoted to clinical evidence and analysis. Within that office, teams would be responsible for clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance and collaboration with and outreach to researchers outside the FDA.
“The new office’s objectives would include advancing the generation of more informative data across the TPLC about the benefits and risks of new devices that would help inform regulatory decisions of CDRH staff throughout the TPLC organization,” the plan states.
2. Patient safety net
The plan also calls for a robust medical device patient safety net utilizing the public-private National Evaluation System for health Technology (NEST) to link and synthesize data from different electronic health information sources such as device registries, EHRs, medical claims and patient-generated data.
To support that goal, FDA plans to pump $6 million annually in user fees into NEST over the next six years. NEST’s board has estimated it will require $40 million to $50 million a year to become fully operational. “To that end, the FY 2019 President’s Budget seeks to fund a New Medical Data Enterprise, including dedicated funding to support NEST and to support FDA postmarket studies that address device-specific safety concerns,” according to the plan.
The plan would also create the Women’s Health Technologies Strategically Coordinated Registry Network to address evidence gaps in women’s health and improve interoperability and capture of real-world data on clinical issues that are unique to women.
3. Postmarket surveillance
Another aspect of the plan would explore regulatory options to streamline and modernize “timely implementation” of postmarket risk mitigations, including whether FDA has the authority to impose special controls for specific devices under “umbrella” regulations when new or increased risks become known. This could involve additional training or user education to protect patients from harm in the wake of a revised benefit-risk profile.
FDA says the change is needed because special controls such as labeling updates currently require rulemaking, which impedes its efforts to impose mitigations quickly.
In announcing the plan, FDA Commissioner Scott Gottlieb said the agency may also on a case-by-case basis “consider invoking restricted device authority” to increase patient protection for the highest-risk devices. This would enable FDA to tack additional requirements onto specific products while still allowing access to the patients who need them.
If a mechanism for quickly responding to new safety information isn’t available under current authority, the plan says FDA could seek new authority to do so.
Expect industry pushback on this aspect.
Bradley Merrill Thompson, a device attorney with Epstein Becker & Green, says the assertion that rulemaking is too cumbersome and should be eased in certain situations threatens to undermine industry safeguards against onerous and unwarranted regulation.
“Of course it’s cumbersome. It’s supposed to be cumbersome,” he tells Healthcare Dive. “Because of the inherent subjectivity and conservatism at FDA, FDA is supposed to have to go through rulemaking. The agency is not supposed to be able to micromanage industry through the entire product lifecycle at the agency’s whim. FDA’s power was deliberately concentrated at the point of market entry.”
4. Foster device innovation
FDA will explore ways to spur innovation toward technologies that enhance the safety of devices and their use, such as greater premarket interactions with FDA staff and focusing the agency’s research activities on safety. Another option would be to create new streamlined pathways for comparative safety claims.
FDA also plans to create a new voluntary 510(k) pathway for demonstrating safety and effectiveness of certain moderate-risk devices using objective performance criteria recognized by the agency's equivalent to modern technologies. Allowing for products to be measured against modern performance criteria could drive competition to develop better and safer devices, the plan says.
Finally, FDA will pilot a progressive maturity model approach to assess participants’ organizational excellence, identify gaps and recognize when performance exceeds a compliance baseline. The goal is to establish organizational performance and device quality metrics for use in continuous monitoring and enhanced visibility around safety.
In comments on the proposal, Vizient urged FDA to also consider “measures that will not only increase innovation in how a device is developed, but how it is managed throughout the TPLC. Potential options might include cyber penetration testing tools specific to devices, and an open source ecosystem of components and platforms that allows for product maturity capabilities for devices with a longer TPLC.
“Innovation directed at the governance of connected devices must have equal footing if we are to increase patient safety and reduce risk,” the company adds.
5. Improve medtech cybersecurity
As the number of connected medical devices increases, so does the threat that a hacker could disrupt or disable products and put patients at risk. To increase cybersecurity, FDA is considering new premarket authorities to require companies to build in capabilities to update and patch device security at the product design stage. Manufacturers would also have to include a “Software Bill of Materials” in product submissions and make that information available to customers and users.
On the postmarket end, the agency is considering new authority that would require companies to have policies and procedures for disclosing vulnerabilities as they are identified.
Lastly, a public-private partnership — the CyberMed Safety (Expert) Analysis Board — would assess vulnerabilities and patient safety risks, adjudicate disputes, evaluate possible mitigations and advise organizations negotiating the coordinated disclosure process.
The board could also be deployed to investigate suspected or confirmed device compromise situations in the field. Funding for CYMSAB is included in the FY 2019 budget proposal.